[selinux-policy/f15] - Backport F16 fixes - livecd fixes - systemd fixes

Miroslav Grepl mgrepl at fedoraproject.org
Tue Sep 6 11:42:27 UTC 2011


commit d1ab4f21cf7b4281a388ef7bfacd54a985f81e9b
Author: Miroslav <mgrepl at redhat.com>
Date:   Tue Sep 6 13:42:07 2011 +0200

    - Backport F16 fixes
    - livecd fixes
    - systemd fixes

 policy-F15.patch    |  806 ++++++++++++++++++++++++++++++++++++++-------------
 selinux-policy.spec |    7 +-
 2 files changed, 612 insertions(+), 201 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 8777a5f..225070e 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -2137,7 +2137,7 @@ index 0948921..f198119 100644
  	admin_pattern($1, shorewall_tmp_t)
  ')
 diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
-index c17b6a6..8ff5a96 100644
+index c17b6a6..0f28342 100644
 --- a/policy/modules/admin/shorewall.te
 +++ b/policy/modules/admin/shorewall.te
 @@ -58,6 +58,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
@@ -2150,13 +2150,15 @@ index c17b6a6..8ff5a96 100644
  
  kernel_read_kernel_sysctls(shorewall_t)
  kernel_read_network_state(shorewall_t)
-@@ -80,13 +83,20 @@ fs_getattr_all_fs(shorewall_t)
+@@ -80,13 +83,22 @@ fs_getattr_all_fs(shorewall_t)
  
  init_rw_utmp(shorewall_t)
  
 +logging_read_generic_logs(shorewall_t)
  logging_send_syslog_msg(shorewall_t)
  
++auth_use_nsswitch(shorewall_t)
++
  miscfiles_read_localization(shorewall_t)
  
  sysnet_domtrans_ifconfig(shorewall_t)
@@ -3049,10 +3051,10 @@ index 0000000..e921f24
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..22ddda5
+index 0000000..df2b2a9
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,124 @@
+@@ -0,0 +1,125 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -3137,6 +3139,7 @@ index 0000000..22ddda5
 +
 +optional_policy(`
 +	execmem_exec(chrome_sandbox_t)
++	execmem_execmod(chrome_sandbox_t)
 +')
 +
 +optional_policy(`
@@ -3269,10 +3272,10 @@ index 0000000..4540090
 +/usr/local/Wolfram/Mathematica(/.*)?MathKernel	  -- gen_context(system_u:object_r:execmem_exec_t,s0)
 diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
 new file mode 100644
-index 0000000..1bc60f7
+index 0000000..ddcbf4f
 --- /dev/null
 +++ b/policy/modules/apps/execmem.if
-@@ -0,0 +1,116 @@
+@@ -0,0 +1,135 @@
 +## <summary>execmem domain</summary>
 +
 +########################################
@@ -3389,6 +3392,25 @@ index 0000000..1bc60f7
 +
 +	domtrans_pattern($1, execmem_exec_t, $2)
 +')
++
++########################################
++## <summary>
++##	Execmod the execmem_exec applications
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`execmem_execmod',`
++	gen_require(`
++		type execmem_exec_t;
++	')
++
++	allow $1 execmem_exec_t:chr_file execmod;
++')
++
 diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
 new file mode 100644
 index 0000000..a7d37e2
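Review bot: The new `execmem_execmod` interface grants `execmod` on `execmem_exec_t:chr_file`, but every execmem_exec_t label visible in this patch is a regular-file entry (the Mathematica line above uses the `--` flag), so a chr_file rule never matches and the `execmem_execmod(chrome_sandbox_t)` call added in the chrome.te hunk is a no-op unless some device node is labeled execmem_exec_t elsewhere; the rule should almost certainly read `allow $1 execmem_exec_t:file execmod;`. It is also worth saying in the interface summary that execmod lets the caller modify a mapped executable's text, which is the W^X relaxation the execmem domain exists to scope, so callers should be added sparingly. The trailing `++` line after the closing `')` leaves a blank line at end of file.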
@@ -4656,7 +4678,7 @@ index f5afe78..4c9bd12 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 +')
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..f90ecb3 100644
+index 2505654..b908338 100644
 --- a/policy/modules/apps/gnome.te
 +++ b/policy/modules/apps/gnome.te
 @@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0)
@@ -4731,7 +4753,7 @@ index 2505654..f90ecb3 100644
  ##############################
  #
  # Local Policy
-@@ -75,3 +110,167 @@ optional_policy(`
+@@ -75,3 +110,168 @@ optional_policy(`
  	xserver_use_xdm_fds(gconfd_t)
  	xserver_rw_xdm_pipes(gconfd_t)
  ')
@@ -4861,6 +4883,7 @@ index 2505654..f90ecb3 100644
 +files_search_pids(gkeyringd_domain)
 +
 +fs_getattr_xattr_fs(gkeyringd_domain)
++fs_getattr_tmpfs(gkeyringd_domain)
 +
 +selinux_getattr_fs(gkeyringd_domain)
 +
@@ -4972,7 +4995,7 @@ index 40e0a2a..f4a103c 100644
  ## <summary>
  ##	Send generic signals to user gpg processes.
 diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..af842c1 100644
+index 9050e8c..f2b17b1 100644
 --- a/policy/modules/apps/gpg.te
 +++ b/policy/modules/apps/gpg.te
 @@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -5071,7 +5094,7 @@ index 9050e8c..af842c1 100644
  
  ########################################
  #
-@@ -205,6 +229,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -205,11 +229,12 @@ tunable_policy(`use_samba_home_dirs',`
  #
  # GPG agent local policy
  #
@@ -5079,7 +5102,13 @@ index 9050e8c..af842c1 100644
  
  # rlimit: gpg-agent wants to prevent coredumps
  allow gpg_agent_t self:process setrlimit;
-@@ -245,6 +270,7 @@ userdom_search_user_home_dirs(gpg_agent_t)
+ 
+-allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
++allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
+ allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+ 
+ # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+@@ -245,13 +270,14 @@ userdom_search_user_home_dirs(gpg_agent_t)
  
  ifdef(`hide_broken_symptoms',`
  	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -5087,6 +5116,14 @@ index 9050e8c..af842c1 100644
  ')
  
  tunable_policy(`gpg_agent_env_file',`
+ 	# write ~/.gpg-agent-info or a similar to the users home dir
+ 	# or subdir (gpg-agent --write-env-file option)
+ 	#
+-	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
++	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, { dir file })
+ 	userdom_manage_user_home_content_dirs(gpg_agent_t)
+ 	userdom_manage_user_home_content_files(gpg_agent_t)
+ ')
 @@ -332,6 +358,9 @@ miscfiles_read_localization(gpg_pinentry_t)
  # for .Xauthority
  userdom_read_user_home_content_files(gpg_pinentry_t)
@@ -5614,10 +5651,10 @@ index 12b772f..b67cf26 100644
  
  ########################################
 diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te
-index 49abe8e..47a193c 100644
+index 49abe8e..f37b1d4 100644
 --- a/policy/modules/apps/livecd.te
 +++ b/policy/modules/apps/livecd.te
-@@ -27,7 +27,7 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+@@ -27,9 +27,15 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
  files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
  
  optional_policy(`
@@ -5626,6 +5663,14 @@ index 49abe8e..47a193c 100644
  ')
  
  optional_policy(`
+ 	hal_dbus_chat(livecd_t)
+ ')
++
++optional_policy(`
++# Allow SELinux aware applications to request rpm_script execution
++	rpm_transition_script(livecd_t)
++	rpm_domtrans(livecd_t)
++')
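Review bot: The comment `# Allow SELinux aware applications to request rpm_script execution` inside the new optional_policy block sits at column 0 while the rules beside it are tab-indented; indent it to match the block (`	# Allow SELinux aware applications to request rpm_script execution`). Separately, `rpm_domtrans(livecd_t)` opens a transition into rpm_t, which is generally one of the broadest domains in the policy; if the livecd flow only needs scriptlets run, `rpm_transition_script` alone may be enough, and a one-line comment naming the tool that needs the full rpm transition would let the grant be re-examined later.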
 diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
 index 2523758..113a08b 100644
 --- a/policy/modules/apps/loadkeys.te
@@ -11381,7 +11426,7 @@ index 5a07a43..096bc60 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..a14fd0f 100644
+index 0757523..f5b78de 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -11477,7 +11522,7 @@ index 0757523..a14fd0f 100644
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
 -network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
-+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
++network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
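Review bot: The trailing comment on the rewritten http_cache line still documents only 8118 although this revision is the one that adds `tcp,8123,s0`; extend it, e.g. `# 8118 is for privoxy, 8123 is for polipo` (assuming polipo's default listener is the reason — confirm). Every domain with the http_cache client or server interfaces gains access to the new port, so the reason for each number belongs next to it.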
@@ -17789,14 +17834,14 @@ index e88b95f..69ade9e 100644
 -#gen_user(xguest_u,, xguest_r, s0, s0)
 +gen_user(xguest_u, user, xguest_r, s0, s0)
 diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
-index 1bd5812..f7a7a96 100644
+index 1bd5812..b3631d6 100644
 --- a/policy/modules/services/abrt.fc
 +++ b/policy/modules/services/abrt.fc
 @@ -1,11 +1,9 @@
  /etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
  /etc/rc\.d/init\.d/abrt		--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
  
-+/usr/bin/abrt-dump-oops 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/bin/abrt-dump-oops 	--	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
  /usr/bin/abrt-pyhook-helper 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
  
 -/usr/libexec/abrt-pyhook-helper --	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
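Review bot: `/usr/bin/abrt-dump-oops` is relabeled from `abrt_helper_exec_t` to `abrt_dump_oops_exec_t`, but no abrt.te hunk declaring that type or its domain is visible in this part of the patch; if the declaration is elsewhere in the commit this is fine, otherwise the file-context entry fails at load time with an unknown type. Splitting the oops dumper out of abrt_helper_t is a least-privilege gain only if the new domain is actually narrower, so a short comment in abrt.te on what the dumper needs (it consumes kernel log output — confirm) would make that reviewable.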
@@ -19729,7 +19774,7 @@ index 6480167..04f38b8 100644
 +    allow $1 httpd_t:unix_stream_socket { getattr ioctl };
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..f6d4bab 100644
+index 3136c6a..294587c 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -20120,7 +20165,13 @@ index 3136c6a..f6d4bab 100644
  
  libs_read_lib_files(httpd_t)
  
-@@ -416,34 +510,74 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -411,39 +505,80 @@ miscfiles_read_localization(httpd_t)
+ miscfiles_read_fonts(httpd_t)
+ miscfiles_read_public_files(httpd_t)
+ miscfiles_read_generic_certs(httpd_t)
++miscfiles_read_tetex_data(httpd_t)
+ 
+ seutil_dontaudit_search_config(httpd_t)
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -20197,7 +20248,7 @@ index 3136c6a..f6d4bab 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +590,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +591,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -20208,7 +20259,7 @@ index 3136c6a..f6d4bab 100644
  
  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,15 +604,27 @@ tunable_policy(`httpd_enable_ftp_server',`
+@@ -466,15 +605,27 @@ tunable_policy(`httpd_enable_ftp_server',`
  	corenet_tcp_bind_ftp_port(httpd_t)
  ')
  
@@ -20238,7 +20289,7 @@ index 3136c6a..f6d4bab 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +634,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +635,16 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -20255,7 +20306,7 @@ index 3136c6a..f6d4bab 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -500,8 +659,10 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -500,8 +660,10 @@ tunable_policy(`httpd_ssi_exec',`
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
  	userdom_use_user_terminals(httpd_t)
@@ -20266,7 +20317,7 @@ index 3136c6a..f6d4bab 100644
  ')
  
  optional_policy(`
-@@ -513,7 +674,13 @@ optional_policy(`
+@@ -513,7 +675,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20281,7 +20332,7 @@ index 3136c6a..f6d4bab 100644
  ')
  
  optional_policy(`
-@@ -528,7 +695,18 @@ optional_policy(`
+@@ -528,7 +696,18 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -20301,7 +20352,7 @@ index 3136c6a..f6d4bab 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +715,13 @@ optional_policy(`
+@@ -537,8 +716,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20316,7 +20367,7 @@ index 3136c6a..f6d4bab 100644
  	')
  ')
  
-@@ -556,7 +739,13 @@ optional_policy(`
+@@ -556,7 +740,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20330,7 +20381,7 @@ index 3136c6a..f6d4bab 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +756,7 @@ optional_policy(`
+@@ -567,6 +757,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -20338,7 +20389,7 @@ index 3136c6a..f6d4bab 100644
  ')
  
  optional_policy(`
-@@ -577,6 +767,16 @@ optional_policy(`
+@@ -577,6 +768,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20355,7 +20406,7 @@ index 3136c6a..f6d4bab 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +791,11 @@ optional_policy(`
+@@ -591,6 +792,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20367,7 +20418,7 @@ index 3136c6a..f6d4bab 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +808,12 @@ optional_policy(`
+@@ -603,6 +809,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -20380,7 +20431,7 @@ index 3136c6a..f6d4bab 100644
  ########################################
  #
  # Apache helper local policy
-@@ -618,6 +829,10 @@ logging_send_syslog_msg(httpd_helper_t)
+@@ -618,6 +830,10 @@ logging_send_syslog_msg(httpd_helper_t)
  
  userdom_use_user_terminals(httpd_helper_t)
  
@@ -20391,7 +20442,7 @@ index 3136c6a..f6d4bab 100644
  ########################################
  #
  # Apache PHP script local policy
-@@ -654,28 +869,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +870,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -20435,7 +20486,7 @@ index 3136c6a..f6d4bab 100644
  ')
  
  ########################################
-@@ -685,6 +902,8 @@ optional_policy(`
+@@ -685,6 +903,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -20444,7 +20495,7 @@ index 3136c6a..f6d4bab 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +918,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +919,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -20470,7 +20521,7 @@ index 3136c6a..f6d4bab 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +964,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +965,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -20503,7 +20554,7 @@ index 3136c6a..f6d4bab 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1011,25 @@ optional_policy(`
+@@ -769,6 +1012,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -20529,7 +20580,7 @@ index 3136c6a..f6d4bab 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1050,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1051,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -20547,7 +20598,7 @@ index 3136c6a..f6d4bab 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1069,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1070,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -20604,7 +20655,7 @@ index 3136c6a..f6d4bab 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1120,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1121,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -20635,7 +20686,7 @@ index 3136c6a..f6d4bab 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1155,20 @@ optional_policy(`
+@@ -842,10 +1156,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -20656,7 +20707,7 @@ index 3136c6a..f6d4bab 100644
  ')
  
  ########################################
-@@ -891,11 +1214,21 @@ optional_policy(`
+@@ -891,11 +1215,21 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -24016,10 +24067,10 @@ index 0000000..939d76e
 +')
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
 new file mode 100644
-index 0000000..ebad6da
+index 0000000..3d9234d
 --- /dev/null
 +++ b/policy/modules/services/colord.te
-@@ -0,0 +1,124 @@
+@@ -0,0 +1,132 @@
 +policy_module(colord,1.0.0)
 +
 +########################################
@@ -24048,6 +24099,7 @@ index 0000000..ebad6da
 +#
 +
 +allow colord_t self:capability { dac_read_search dac_override };
++dontaudit colord_t self:capability sys_admin;
 +allow colord_t self:process signal;
 +allow colord_t self:fifo_file rw_fifo_file_perms;
 +allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
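Review bot: `dontaudit colord_t self:capability sys_admin;` silences a denial without recording which operation triggers it, and dontaudit rules hide exactly the events an analyst would want to see if colord misbehaved. Add a why-comment above it with the real trigger filled in, e.g. `# <operation> trips a CAP_SYS_ADMIN check colord does not need; silence rather than grant`.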
@@ -24066,6 +24118,7 @@ index 0000000..ebad6da
 +manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 +files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
 +
++kernel_read_network_state(colord_t)
 +kernel_read_system_state(colord_t)
 +kernel_read_device_sysctls(colord_t)
 +kernel_request_load_module(colord_t)
@@ -24144,6 +24197,12 @@ index 0000000..ebad6da
 +optional_policy(`
 +	udev_read_db(colord_t)
 +')
++
++optional_policy(`
++	xserver_dbus_chat_xdm(colord_t)
++	# /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
++	xserver_read_inherited_xdm_lib_files(colord_t)
++')
 diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
 index fd15dfe..ad224fa 100644
 --- a/policy/modules/services/consolekit.if
@@ -24526,7 +24585,7 @@ index 2eefc08..34ab5ce 100644
 +
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..a75e22c 100644
+index 35241ed..372d2c1 100644
 --- a/policy/modules/services/cron.if
 +++ b/policy/modules/services/cron.if
 @@ -12,6 +12,11 @@
@@ -24813,7 +24872,7 @@ index 35241ed..a75e22c 100644
  ')
  
  ########################################
-@@ -627,7 +678,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +678,66 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
  interface(`cron_dontaudit_write_system_job_tmp_files',`
  	gen_require(`
  		type system_cronjob_tmp_t;
@@ -24860,6 +24919,25 @@ index 35241ed..a75e22c 100644
 +
 +	files_search_var_lib($1)
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
++')
++
++#######################################
++## <summary>
++##  Search the directory containing user cron tables.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`cron_manage_system_spool',`
++    gen_require(`
++        type cron_system_spool_t;
++    ')
++
++    files_search_spool($1)
++    manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
 index f7583ab..80426f1 100644
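Review bot: The summary of the new `cron_manage_system_spool` interface says "Search the directory containing user cron tables." but the body grants `manage_files_pattern` on `cron_system_spool_t`, i.e. create, write and delete of what is presumably the system crontab spool; replace it with `##	Create, read, write, and delete files in the system cron spool.` so callers can see the weight of the grant. The block is also indented with four spaces and its banner is one `#` short, while the neighbouring interfaces (e.g. `cron_dontaudit_write_system_job_tmp_files` above) use tabs and a 40-column banner. Confirm `cron_system_spool_t` is the name actually declared in cron.te; refpolicy spells the equivalent type `system_cron_spool_t`, and a mismatch only surfaces when a caller's gen_require fails.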
@@ -25355,7 +25433,7 @@ index 305ddf4..777091a 100644
  
  	admin_pattern($1, ptal_etc_t)
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..f54f6cc 100644
+index 0f28095..31b7d6e 100644
 --- a/policy/modules/services/cups.te
 +++ b/policy/modules/services/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -25430,7 +25508,15 @@ index 0f28095..f54f6cc 100644
  	')
  ')
  
-@@ -315,6 +315,14 @@ optional_policy(`
+@@ -311,10 +311,22 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	kerberos_manage_host_rcache(cupsd_t)
++')
++
++optional_policy(`
+ 	logrotate_domtrans(cupsd_t)
  ')
  
  optional_policy(`
@@ -25445,7 +25531,7 @@ index 0f28095..f54f6cc 100644
  	mta_send_mail(cupsd_t)
  ')
  
-@@ -371,8 +379,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +383,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
  
  allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
  
@@ -25456,7 +25542,7 @@ index 0f28095..f54f6cc 100644
  
  domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
  
-@@ -393,6 +402,10 @@ dev_read_sysfs(cupsd_config_t)
+@@ -393,6 +406,10 @@ dev_read_sysfs(cupsd_config_t)
  dev_read_urand(cupsd_config_t)
  dev_read_rand(cupsd_config_t)
  dev_rw_generic_usb_dev(cupsd_config_t)
@@ -25467,7 +25553,7 @@ index 0f28095..f54f6cc 100644
  
  files_search_all_mountpoints(cupsd_config_t)
  
-@@ -425,11 +438,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +442,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
  
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -25481,7 +25567,7 @@ index 0f28095..f54f6cc 100644
  ifdef(`distro_redhat',`
  	optional_policy(`
  		rpm_read_db(cupsd_config_t)
-@@ -453,6 +466,10 @@ optional_policy(`
+@@ -453,6 +470,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25492,7 +25578,7 @@ index 0f28095..f54f6cc 100644
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
  	hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +484,10 @@ optional_policy(`
+@@ -467,6 +488,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25503,7 +25589,7 @@ index 0f28095..f54f6cc 100644
  	policykit_dbus_chat(cupsd_config_t)
  	userdom_read_all_users_state(cupsd_config_t)
  ')
-@@ -587,13 +608,17 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,13 +612,17 @@ auth_use_nsswitch(cups_pdf_t)
  
  miscfiles_read_localization(cups_pdf_t)
  miscfiles_read_fonts(cups_pdf_t)
@@ -25523,7 +25609,7 @@ index 0f28095..f54f6cc 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_search_auto_mountpoints(cups_pdf_t)
-@@ -606,6 +631,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -606,6 +635,10 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(cups_pdf_t)
  ')
  
@@ -25534,7 +25620,7 @@ index 0f28095..f54f6cc 100644
  ########################################
  #
  # HPLIP local policy
-@@ -639,7 +668,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +672,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -25543,7 +25629,7 @@ index 0f28095..f54f6cc 100644
  
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -673,6 +702,9 @@ dev_read_rand(hplip_t)
+@@ -673,6 +706,9 @@ dev_read_rand(hplip_t)
  dev_rw_generic_usb_dev(hplip_t)
  dev_rw_usbfs(hplip_t)
  
@@ -25553,7 +25639,7 @@ index 0f28095..f54f6cc 100644
  fs_getattr_all_fs(hplip_t)
  fs_search_auto_mountpoints(hplip_t)
  fs_rw_anon_inodefs_files(hplip_t)
-@@ -685,6 +717,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +721,7 @@ domain_use_interactive_fds(hplip_t)
  files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
@@ -25561,7 +25647,7 @@ index 0f28095..f54f6cc 100644
  
  logging_send_syslog_msg(hplip_t)
  
-@@ -696,8 +729,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +733,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
@@ -28095,16 +28181,18 @@ index 0000000..3bca7b0
 +
 +sysnet_dns_name_resolve(drbd_t)
 diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc
-index 298f066..c2570df 100644
+index 298f066..b54de69 100644
 --- a/policy/modules/services/exim.fc
 +++ b/policy/modules/services/exim.fc
-@@ -1,3 +1,6 @@
+@@ -1,4 +1,8 @@
 +
 +/etc/rc\.d/init\.d/exim        --  gen_context(system_u:object_r:exim_initrc_exec_t,s0)
 +
  /usr/sbin/exim[0-9]?		--	gen_context(system_u:object_r:exim_exec_t,s0)
++/usr/sbin/exim_tidydb		--	gen_context(system_u:object_r:exim_exec_t,s0)
  /var/log/exim[0-9]?(/.*)?		gen_context(system_u:object_r:exim_log_t,s0)
  /var/run/exim[0-9]?\.pid	--	gen_context(system_u:object_r:exim_var_run_t,s0)
+ /var/spool/exim[0-9]?(/.*)?		gen_context(system_u:object_r:exim_spool_t,s0)
 diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
 index 6bef7f8..464669c 100644
 --- a/policy/modules/services/exim.if
@@ -28710,7 +28798,7 @@ index ebad8c4..c02062c 100644
  ')
 -
 diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
-index 7df52c7..899feaf 100644
+index 7df52c7..59dfe6b 100644
 --- a/policy/modules/services/fprintd.te
 +++ b/policy/modules/services/fprintd.te
 @@ -17,9 +17,9 @@ files_type(fprintd_var_lib_t)
@@ -28725,7 +28813,16 @@ index 7df52c7..899feaf 100644
  
  manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
  manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-@@ -54,4 +54,5 @@ optional_policy(`
+@@ -40,6 +40,8 @@ fs_getattr_all_fs(fprintd_t)
+ 
+ auth_use_nsswitch(fprintd_t)
+ 
++init_dontaudit_rw_stream_socket(fprintd_t)
++
+ miscfiles_read_localization(fprintd_t)
+ 
+ userdom_use_user_ptys(fprintd_t)
+@@ -54,4 +56,5 @@ optional_policy(`
  	policykit_read_lib(fprintd_t)
  	policykit_dbus_chat(fprintd_t)
  	policykit_domtrans_auth(fprintd_t)
@@ -30954,7 +31051,7 @@ index 3525d24..d50a883 100644
  /var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/HTTP_23		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..65fdeb0 100644
+index 604f67b..820b1cc 100644
 --- a/policy/modules/services/kerberos.if
 +++ b/policy/modules/services/kerberos.if
 @@ -26,9 +26,9 @@
@@ -30991,16 +31088,17 @@ index 604f67b..65fdeb0 100644
  	')
  
  	files_search_etc($1)
-@@ -103,7 +102,7 @@ interface(`kerberos_use',`
+@@ -103,7 +102,8 @@ interface(`kerberos_use',`
  		corenet_sendrecv_kerberos_client_packets($1)
  		corenet_sendrecv_ocsp_client_packets($1)
  
 -		allow $1 krb5_host_rcache_t:file getattr;
++		allow $1 krb5_host_rcache_t:dir search_dir_perms;
 +		allow $1 krb5_host_rcache_t:file getattr_file_perms;
  	')
  
  	optional_policy(`
-@@ -218,6 +217,25 @@ interface(`kerberos_rw_keytab',`
+@@ -218,6 +218,25 @@ interface(`kerberos_rw_keytab',`
  
  ########################################
  ## <summary>
@@ -31026,7 +31124,7 @@ index 604f67b..65fdeb0 100644
  ##	Create a derived type for kerberos keytab
  ## </summary>
  ## <param name="prefix">
-@@ -235,7 +253,7 @@ template(`kerberos_keytab_template',`
+@@ -235,7 +254,7 @@ template(`kerberos_keytab_template',`
  	type $1_keytab_t;
  	files_type($1_keytab_t)
  
@@ -31035,15 +31133,16 @@ index 604f67b..65fdeb0 100644
  
  	kerberos_read_keytab($2)
  	kerberos_use($2)
-@@ -289,6 +307,7 @@ interface(`kerberos_manage_host_rcache',`
+@@ -289,6 +308,8 @@ interface(`kerberos_manage_host_rcache',`
  
  		seutil_read_file_contexts($1)
  
 +		files_rw_generic_tmp_dir($1)
++		allow $1 krb5_host_rcache_t:dir search_dir_perms;
  		allow $1 krb5_host_rcache_t:file manage_file_perms;
  		files_search_tmp($1)
  	')
-@@ -296,28 +315,6 @@ interface(`kerberos_manage_host_rcache',`
+@@ -296,28 +317,6 @@ interface(`kerberos_manage_host_rcache',`
  
  ########################################
  ## <summary>
@@ -31072,7 +31171,7 @@ index 604f67b..65fdeb0 100644
  ##	All of the rules required to administrate 
  ##	an kerberos environment
  ## </summary>
-@@ -338,9 +335,8 @@ interface(`kerberos_admin',`
+@@ -338,9 +337,8 @@ interface(`kerberos_admin',`
  		type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
  		type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
  		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
@@ -31083,7 +31182,7 @@ index 604f67b..65fdeb0 100644
  	')
  
  	allow $1 kadmind_t:process { ptrace signal_perms };
-@@ -378,3 +374,41 @@ interface(`kerberos_admin',`
+@@ -378,3 +376,41 @@ interface(`kerberos_admin',`
  
  	admin_pattern($1, krb5kdc_var_run_t)
  ')
@@ -34040,7 +34139,7 @@ index 343cee3..7de6f4d 100644
 +	')
 +')
 diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..8b9a0a4 100644
+index 64268e4..fe56f9b 100644
 --- a/policy/modules/services/mta.te
 +++ b/policy/modules/services/mta.te
 @@ -20,8 +20,8 @@ files_type(etc_aliases_t)
@@ -34156,7 +34255,7 @@ index 64268e4..8b9a0a4 100644
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -158,18 +167,6 @@ optional_policy(`
+@@ -158,22 +167,13 @@ optional_policy(`
  	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
  
  	domain_use_interactive_fds(system_mail_t)
@@ -34175,7 +34274,14 @@ index 64268e4..8b9a0a4 100644
  ')
  
  optional_policy(`
-@@ -189,6 +186,10 @@ optional_policy(`
+ 	qmail_domtrans_inject(system_mail_t)
++	qmail_manage_spool_dirs(system_mail_t)
++	qmail_manage_spool_files(system_mail_t)
++	qmail_rw_spool_pipes(system_mail_t)
+ ')
+ 
+ optional_policy(`
+@@ -189,6 +189,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34186,7 +34292,7 @@ index 64268e4..8b9a0a4 100644
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -199,7 +200,7 @@ optional_policy(`
+@@ -199,7 +203,7 @@ optional_policy(`
  	arpwatch_search_data(mailserver_delivery)
  	arpwatch_manage_tmp_files(mta_user_agent)
  
@@ -34195,7 +34301,7 @@ index 64268e4..8b9a0a4 100644
  		arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
  	')
  
-@@ -220,7 +221,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,7 +224,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -34205,7 +34311,7 @@ index 64268e4..8b9a0a4 100644
  
  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
  
-@@ -242,6 +244,10 @@ optional_policy(`
+@@ -242,6 +247,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34216,7 +34322,7 @@ index 64268e4..8b9a0a4 100644
  	# so MTA can access /var/lib/mailman/mail/wrapper
  	files_search_var_lib(mailserver_delivery)
  
-@@ -249,11 +255,20 @@ optional_policy(`
+@@ -249,11 +258,20 @@ optional_policy(`
  	mailman_read_data_symlinks(mailserver_delivery)
  ')
  
@@ -34237,7 +34343,7 @@ index 64268e4..8b9a0a4 100644
  domain_use_interactive_fds(user_mail_t)
  
  userdom_use_user_terminals(user_mail_t)
-@@ -292,3 +307,44 @@ optional_policy(`
+@@ -292,3 +310,44 @@ optional_policy(`
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -35178,7 +35284,7 @@ index 2324d9e..8069487 100644
 +	append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..863ba2d 100644
+index 0619395..4362791 100644
 --- a/policy/modules/services/networkmanager.te
 +++ b/policy/modules/services/networkmanager.te
 @@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -35310,7 +35416,7 @@ index 0619395..863ba2d 100644
  	')
  ')
  
-@@ -202,6 +239,17 @@ optional_policy(`
+@@ -202,10 +239,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35328,7 +35434,15 @@ index 0619395..863ba2d 100644
  	iptables_domtrans(NetworkManager_t)
  ')
  
-@@ -219,6 +267,11 @@ optional_policy(`
+ optional_policy(`
++	netutils_exec_ping(NetworkManager_t)
++')
++
++optional_policy(`
+ 	nscd_domtrans(NetworkManager_t)
+ 	nscd_signal(NetworkManager_t)
+ 	nscd_signull(NetworkManager_t)
+@@ -219,6 +271,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35340,7 +35454,7 @@ index 0619395..863ba2d 100644
  	openvpn_domtrans(NetworkManager_t)
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
-@@ -263,6 +316,7 @@ optional_policy(`
+@@ -263,6 +320,7 @@ optional_policy(`
  	vpn_kill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  	vpn_signull(NetworkManager_t)
@@ -35776,7 +35890,7 @@ index e80f8c0..be0d107 100644
  
  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
 diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
-index c61adc8..666425b 100644
+index c61adc8..1125e12 100644
 --- a/policy/modules/services/ntp.te
 +++ b/policy/modules/services/ntp.te
 @@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t)
@@ -35789,7 +35903,7 @@ index c61adc8..666425b 100644
  type ntpd_key_t;
  files_type(ntpd_key_t)
  
-@@ -96,9 +99,12 @@ corenet_sendrecv_ntp_client_packets(ntpd_t)
+@@ -96,11 +99,15 @@ corenet_sendrecv_ntp_client_packets(ntpd_t)
  dev_read_sysfs(ntpd_t)
  # for SSP
  dev_read_urand(ntpd_t)
@@ -35801,8 +35915,11 @@ index c61adc8..666425b 100644
 +fs_rw_tmpfs_files(ntpd_t)
  
  term_use_ptmx(ntpd_t)
++term_use_unallocated_ttys(ntpd_t)
  
-@@ -148,6 +154,10 @@ optional_policy(`
+ auth_use_nsswitch(ntpd_t)
+ 
+@@ -148,6 +155,10 @@ optional_policy(`
  ')
  
  optional_policy(`
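Review bot: `term_use_unallocated_ttys(ntpd_t)` is added without a why-comment, unlike the neighbouring `# for SSP` that explains `dev_read_urand(ntpd_t)` a few lines up; unallocated ttys are an unusually broad target for a time daemon, so the reason for the grant should be recorded next to it. Suggest `# TODO: record why ntpd needs unallocated ttys (denial seen on <placeholder>)` or the actual cause if known. The hunk is a context-only slice of ntp.te, so the enclosing section starts and ends outside it.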
@@ -36448,10 +36565,10 @@ index 0000000..9ef0492
 +')
 diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te
 new file mode 100644
-index 0000000..c695d1d
+index 0000000..aa9b047
 --- /dev/null
 +++ b/policy/modules/services/passenger.te
-@@ -0,0 +1,76 @@
+@@ -0,0 +1,82 @@
 +policy_module(passenger, 1.0.0)
 +
 +########################################
@@ -36520,6 +36637,8 @@ index 0000000..c695d1d
 +
 +auth_use_nsswitch(passenger_t)
 +
++logging_send_syslog_msg(passenger_t)
++
 +miscfiles_read_localization(passenger_t)
 +
 +userdom_dontaudit_use_user_terminals(passenger_t)
@@ -36528,6 +36647,10 @@ index 0000000..c695d1d
 +	apache_append_log(passenger_t)
 +	apache_read_sys_content(passenger_t)
 +')
++
++optional_policy(`
++	puppet_manage_lib(passenger_t)
++')
 diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if
 index 1c2a091..ea5ae69 100644
 --- a/policy/modules/services/pcscd.if
@@ -36573,7 +36696,7 @@ index ceafba6..9eb6967 100644
 +	udev_read_db(pcscd_t)
 +')
 diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
-index 3185114..514e127 100644
+index 3185114..d44142e 100644
 --- a/policy/modules/services/pegasus.te
 +++ b/policy/modules/services/pegasus.te
 @@ -16,7 +16,7 @@ type pegasus_tmp_t;
@@ -36590,7 +36713,7 @@ index 3185114..514e127 100644
  #
  
 -allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
-+allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service };
++allow pegasus_t self:capability { chown ipc_lock kill sys_nice setuid setgid dac_override net_bind_service };
  dontaudit pegasus_t self:capability sys_tty_config;
  allow pegasus_t self:process signal;
  allow pegasus_t self:fifo_file rw_fifo_file_perms;
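Review bot: The rewritten `allow pegasus_t self:capability { ... }` line now adds `kill` on top of the `ipc_lock` added in the previous revision, and neither capability carries a comment saying what in the daemon needs it. CAP_KILL lets the process signal processes it does not own, so it is worth a one-line justification above the rule, e.g. `# ipc_lock/kill: needed for <reason — TODO fill in>`. The surrounding rules in this hunk are uncommented too, but the capability set is where a reviewer most wants the reason preserved.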
@@ -36599,7 +36722,7 @@ index 3185114..514e127 100644
  
  allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
 -allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
-+allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms };
++allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms };
  allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
  
  manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -38337,7 +38460,7 @@ index 46bee12..c22af86 100644
 +	role $2 types postfix_postdrop_t;
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..c28b1b3 100644
+index 06e37d4..e15434a 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
 @@ -1,10 +1,18 @@
@@ -38649,7 +38772,18 @@ index 06e37d4..c28b1b3 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -588,10 +658,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -565,6 +635,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    dovecot_stream_connect(postfix_smtp_t)
++')
++
++optional_policy(`
+ 	milter_stream_connect_all(postfix_smtp_t)
+ ')
+ 
+@@ -588,10 +662,16 @@ corecmd_exec_bin(postfix_smtpd_t)
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
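Review bot: The added `dovecot_stream_connect(postfix_smtp_t)` line is indented with four spaces while the surrounding postfix.te block uses a tab (`milter_stream_connect_all(postfix_smtp_t)` two lines below), which refpolicy style requires; it should be `	dovecot_stream_connect(postfix_smtp_t)` with a tab. The same space-for-tab inconsistency appears in the hunks adding `puppet_manage_lib` (puppet.if), the `/var/qmail/owners(/.*)?` entry (qmail.fc), the three `qmail_*_spool*` interfaces (qmail.if), the `/var/lib/pam_shield(/.*)?` entry (authlogin.fc), the `allow $1 init_t:unix_stream_socket ioctl;` line and `init_dontaudit_rw_stream_socket` (init.if), and the two-space XML comment indentation of `xserver_read_inherited_xdm_lib_files` (xserver.if). Both `optional_policy` blocks touched here are complete within the hunk.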
@@ -38666,7 +38800,7 @@ index 06e37d4..c28b1b3 100644
  ')
  
  optional_policy(`
-@@ -611,8 +687,8 @@ optional_policy(`
+@@ -611,8 +691,8 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -38676,7 +38810,7 @@ index 06e37d4..c28b1b3 100644
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
-@@ -630,3 +706,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +710,8 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -38722,7 +38856,7 @@ index 7257526..7d73656 100644
  manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
  files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
 diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
-index 09aeffa..dd70b14 100644
+index 09aeffa..5223327 100644
 --- a/policy/modules/services/postgresql.if
 +++ b/policy/modules/services/postgresql.if
 @@ -10,7 +10,7 @@
@@ -38776,7 +38910,7 @@ index 09aeffa..dd70b14 100644
  ')
  
  ########################################
-@@ -298,6 +299,7 @@ interface(`postgresql_search_db',`
+@@ -298,14 +299,15 @@ interface(`postgresql_search_db',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -38784,12 +38918,14 @@ index 09aeffa..dd70b14 100644
  interface(`postgresql_manage_db',`
  	gen_require(`
  		type postgresql_db_t;
-@@ -305,7 +307,7 @@ interface(`postgresql_manage_db',`
+ 	')
  
- 	allow $1 postgresql_db_t:dir rw_dir_perms;
- 	allow $1 postgresql_db_t:file rw_file_perms;
+-	allow $1 postgresql_db_t:dir rw_dir_perms;
+-	allow $1 postgresql_db_t:file rw_file_perms;
 -	allow $1 postgresql_db_t:lnk_file { getattr read };
-+	allow $1 postgresql_db_t:lnk_file read_lnk_file_perms;
++	manage_dirs_pattern($1, postgresql_db_t, postgresql_db_t)
++	manage_files_pattern($1, postgresql_db_t, postgresql_db_t)
++	manage_lnk_files_pattern($1, postgresql_db_t, postgresql_db_t)
  ')
  
  ########################################
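Review bot: Replacing `rw_dir_perms`/`rw_file_perms` with `manage_dirs_pattern`, `manage_files_pattern` and `manage_lnk_files_pattern` widens every existing caller of `postgresql_manage_db` from read/write to create, rename and delete on postgresql_db_t. That matches the interface's name, but callers were granted under the narrower contract, so each should be confirmed to need the wider access rather than a new `postgresql_rw_db`-style interface. If the `<summary>` above this hunk still describes the old read/write behaviour, it should be updated to `## Create, read, write, and delete postgresql database files and directories.`. The interface's header is outside the hunk.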
@@ -39610,7 +39746,7 @@ index d4000e0..f35afa4 100644
  	mta_read_queue(psad_t)
  ')
 diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
-index 2855a44..0456b11 100644
+index 2855a44..b1a3fed 100644
 --- a/policy/modules/services/puppet.if
 +++ b/policy/modules/services/puppet.if
 @@ -21,7 +21,7 @@
@@ -39622,6 +39758,48 @@ index 2855a44..0456b11 100644
  	gen_require(`
  		type puppet_tmp_t;
  	')
+@@ -29,3 +29,41 @@ interface(`puppet_rw_tmp', `
+ 	allow $1 puppet_tmp_t:file rw_file_perms;
+ 	files_search_tmp($1)
+ ')
++
++################################################
++## <summary>
++##	Read Puppet lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`puppet_read_lib',`
++	gen_require(`
++		type puppet_var_lib_t;
++	')
++
++	read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
++	files_search_var_lib($1)
++')
++
++###############################################
++## <summary>
++##  Manage Puppet lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`puppet_manage_lib',`
++    gen_require(`
++        type puppet_var_lib_t;
++    ')
++
++    manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
++    files_search_var_lib($1)
++')
 diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
 index 64c5f95..3fdd4b4 100644
 --- a/policy/modules/services/puppet.te
@@ -39969,8 +40147,20 @@ index cd683f9..a272112 100644
  
  kernel_read_kernel_sysctls(pyzord_t)
  kernel_read_system_state(pyzord_t)
+diff --git a/policy/modules/services/qmail.fc b/policy/modules/services/qmail.fc
+index 0055e54..6f1da41 100644
+--- a/policy/modules/services/qmail.fc
++++ b/policy/modules/services/qmail.fc
+@@ -17,6 +17,7 @@
+ /var/qmail/bin/tcp-env		--	gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+ 
+ /var/qmail/control(/.*)?		gen_context(system_u:object_r:qmail_etc_t,s0)
++/var/qmail/owners(/.*)?        gen_context(system_u:object_r:qmail_etc_t,s0)
+ 
+ /var/qmail/queue(/.*)?			gen_context(system_u:object_r:qmail_spool_t,s0)
+ 
 diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
-index a55bf44..77a25f5 100644
+index a55bf44..8cb4449 100644
 --- a/policy/modules/services/qmail.if
 +++ b/policy/modules/services/qmail.if
 @@ -62,14 +62,13 @@ interface(`qmail_domtrans_inject',`
@@ -40005,6 +40195,67 @@ index a55bf44..77a25f5 100644
  	')
  ')
  
+@@ -149,3 +147,60 @@ interface(`qmail_smtpd_service_domain',`
+ 
+ 	domtrans_pattern(qmail_smtpd_t, $2, $1)
+ ')
++
++########################################
++## <summary>
++##      Create, read, write, and delete qmail
++##      spool directories.
++## </summary>
++## <param name="prefix">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`qmail_manage_spool_dirs',`
++        gen_require(`
++                type qmail_spool_t;
++        ')
++
++        manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t)
++')
++
++########################################
++## <summary>
++##      Create, read, write, and delete qmail
++##      spool files.
++## </summary>
++## <param name="prefix">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`qmail_manage_spool_files',`
++        gen_require(`
++                type qmail_spool_t;
++        ')
++
++        manage_files_pattern($1, qmail_spool_t, qmail_spool_t)
++')
++
++########################################
++## <summary>
++##      Read and write to qmail spool pipes.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to not audit.
++##      </summary>
++## </param>
++#
++interface(`qmail_rw_spool_pipes',`
++        gen_require(`
++                type qmail_spool_t;
++        ')
++
++        allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
++')
++
 diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
 index 355b2a2..54329f9 100644
 --- a/policy/modules/services/qmail.te
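Review bot: The `<param name="prefix">` tags on `qmail_manage_spool_dirs` and `qmail_manage_spool_files` name a parameter the interfaces do not have; the single argument is a domain, so they should read `## <param name="domain">` as `qmail_rw_spool_pipes` does. In `qmail_rw_spool_pipes` the parameter summary `Domain to not audit.` contradicts the body, which is an `allow` rule rather than `dontaudit`, and should be `##      Domain allowed access.`. The final `+` blank line after the last `')` adds an empty line at end of file, and the body indentation is eight spaces where the rest of qmail.if uses tabs.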
@@ -40404,10 +40655,10 @@ index 0000000..c403abc
 +')
 diff --git a/policy/modules/services/qpidd.te b/policy/modules/services/qpidd.te
 new file mode 100644
-index 0000000..4c6848c
+index 0000000..02ca5ed
 --- /dev/null
 +++ b/policy/modules/services/qpidd.te
-@@ -0,0 +1,69 @@
+@@ -0,0 +1,70 @@
 +policy_module(qpidd, 1.0.0)
 +
 +########################################
@@ -40462,6 +40713,7 @@ index 0000000..4c6848c
 +dev_read_urand(qpidd_t)
 +
 +files_read_etc_files(qpidd_t)
++files_read_usr_files(qpidd_t)
 +
 +logging_send_syslog_msg(qpidd_t)
 +
@@ -43990,10 +44242,10 @@ index 93fe7bf..4a15633 100644
  
  	allow $1 soundd_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
-index 6b3abf9..d445f78 100644
+index 6b3abf9..a785741 100644
 --- a/policy/modules/services/spamassassin.fc
 +++ b/policy/modules/services/spamassassin.fc
-@@ -1,15 +1,27 @@
+@@ -1,15 +1,28 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
 +/root/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
@@ -44006,6 +44258,7 @@ index 6b3abf9..d445f78 100644
 +/usr/bin/spamassassin	--	gen_context(system_u:object_r:spamc_exec_t,s0)
  /usr/bin/spamc		--	gen_context(system_u:object_r:spamc_exec_t,s0)
  /usr/bin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
++/usr/bin/sa-update	--	gen_context(system_u:object_r:spamd_update_exec_t,s0)
  
  /usr/sbin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
 +/usr/bin/mimedefang	--	gen_context(system_u:object_r:spamd_exec_t,s0)
@@ -44197,10 +44450,10 @@ index c954f31..7f57f22 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..14832cf 100644
+index ec1eb1e..37677b9 100644
 --- a/policy/modules/services/spamassassin.te
 +++ b/policy/modules/services/spamassassin.te
-@@ -6,54 +6,93 @@ policy_module(spamassassin, 2.4.0)
+@@ -6,54 +6,101 @@ policy_module(spamassassin, 2.4.0)
  #
  
  ## <desc>
@@ -44313,6 +44566,14 @@ index ec1eb1e..14832cf 100644
 +	files_tmp_file(spamc_tmp_t)
 +	ubac_constrained(spamc_tmp_t)
 +')
++
++type spamd_update_t;
++type spamd_update_exec_t;
++application_domain(spamd_update_t, spamd_update_exec_t)
++cron_system_entry(spamd_update_t, spamd_update_exec_t)
++role system_r types spamd_update_t;
++
++permissive spamd_update_t;
  
  type spamd_t;
  type spamd_exec_t;
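Review bot: `permissive spamd_update_t;` makes the new domain log but not enforce denials, and because `cron_system_entry(spamd_update_t, spamd_update_exec_t)` and `role system_r types spamd_update_t;` let it run from system cron, it executes as a fully permissive domain until this line is removed. Permissive is a reasonable first step for a new domain, but the intent to drop it should be recorded on the line so it is not forgotten, e.g. `permissive spamd_update_t; # TODO: drop once denials are resolved (<tracking-id placeholder>)`. The same applies to the spamd_update local policy block added later in this patch.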
@@ -44330,7 +44591,7 @@ index ec1eb1e..14832cf 100644
  type spamd_spool_t;
  files_type(spamd_spool_t)
  
-@@ -108,6 +147,7 @@ kernel_read_kernel_sysctls(spamassassin_t)
+@@ -108,6 +155,7 @@ kernel_read_kernel_sysctls(spamassassin_t)
  dev_read_urand(spamassassin_t)
  
  fs_search_auto_mountpoints(spamassassin_t)
@@ -44338,7 +44599,7 @@ index ec1eb1e..14832cf 100644
  
  # this should probably be removed
  corecmd_list_bin(spamassassin_t)
-@@ -148,6 +188,9 @@ tunable_policy(`spamassassin_can_network',`
+@@ -148,6 +196,9 @@ tunable_policy(`spamassassin_can_network',`
  	corenet_udp_sendrecv_all_ports(spamassassin_t)
  	corenet_tcp_connect_all_ports(spamassassin_t)
  	corenet_sendrecv_all_client_packets(spamassassin_t)
@@ -44348,7 +44609,7 @@ index ec1eb1e..14832cf 100644
  
  	sysnet_read_config(spamassassin_t)
  ')
-@@ -184,6 +227,8 @@ optional_policy(`
+@@ -184,6 +235,8 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(spamassassin_t)
  	sendmail_stub(spamassassin_t)
@@ -44357,7 +44618,7 @@ index ec1eb1e..14832cf 100644
  ')
  
  ########################################
-@@ -206,15 +251,32 @@ allow spamc_t self:unix_stream_socket connectto;
+@@ -206,15 +259,32 @@ allow spamc_t self:unix_stream_socket connectto;
  allow spamc_t self:tcp_socket create_stream_socket_perms;
  allow spamc_t self:udp_socket create_socket_perms;
  
@@ -44390,7 +44651,7 @@ index ec1eb1e..14832cf 100644
  
  corenet_all_recvfrom_unlabeled(spamc_t)
  corenet_all_recvfrom_netlabel(spamc_t)
-@@ -226,6 +288,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
+@@ -226,6 +296,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
  corenet_udp_sendrecv_all_ports(spamc_t)
  corenet_tcp_connect_all_ports(spamc_t)
  corenet_sendrecv_all_client_packets(spamc_t)
@@ -44398,7 +44659,7 @@ index ec1eb1e..14832cf 100644
  
  fs_search_auto_mountpoints(spamc_t)
  
-@@ -244,9 +307,14 @@ files_read_usr_files(spamc_t)
+@@ -244,9 +315,14 @@ files_read_usr_files(spamc_t)
  files_dontaudit_search_var(spamc_t)
  # cjp: this may be removable:
  files_list_home(spamc_t)
@@ -44413,7 +44674,7 @@ index ec1eb1e..14832cf 100644
  miscfiles_read_localization(spamc_t)
  
  # cjp: this should probably be removed:
-@@ -254,27 +322,41 @@ seutil_read_config(spamc_t)
+@@ -254,27 +330,41 @@ seutil_read_config(spamc_t)
  
  sysnet_read_config(spamc_t)
  
@@ -44461,7 +44722,7 @@ index ec1eb1e..14832cf 100644
  ')
  
  ########################################
-@@ -286,7 +368,7 @@ optional_policy(`
+@@ -286,7 +376,7 @@ optional_policy(`
  # setuids to the user running spamc.  Comment this if you are not
  # using this ability.
  
@@ -44470,7 +44731,7 @@ index ec1eb1e..14832cf 100644
  dontaudit spamd_t self:capability sys_tty_config;
  allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow spamd_t self:fd use;
-@@ -302,10 +384,17 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -302,10 +392,17 @@ allow spamd_t self:unix_dgram_socket sendto;
  allow spamd_t self:unix_stream_socket connectto;
  allow spamd_t self:tcp_socket create_stream_socket_perms;
  allow spamd_t self:udp_socket create_socket_perms;
@@ -44489,7 +44750,7 @@ index ec1eb1e..14832cf 100644
  files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
  
  manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -314,11 +403,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -314,11 +411,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -44507,7 +44768,7 @@ index ec1eb1e..14832cf 100644
  
  kernel_read_all_sysctls(spamd_t)
  kernel_read_system_state(spamd_t)
-@@ -367,22 +460,27 @@ files_read_var_lib_files(spamd_t)
+@@ -367,22 +468,27 @@ files_read_var_lib_files(spamd_t)
  
  init_dontaudit_rw_utmp(spamd_t)
  
@@ -44539,7 +44800,7 @@ index ec1eb1e..14832cf 100644
  	fs_manage_cifs_files(spamd_t)
  ')
  
-@@ -399,24 +497,24 @@ optional_policy(`
+@@ -399,24 +505,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44571,7 +44832,7 @@ index ec1eb1e..14832cf 100644
  ')
  
  optional_policy(`
-@@ -424,9 +522,7 @@ optional_policy(`
+@@ -424,9 +530,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44582,7 +44843,7 @@ index ec1eb1e..14832cf 100644
  	postgresql_stream_connect(spamd_t)
  ')
  
-@@ -437,6 +533,10 @@ optional_policy(`
+@@ -437,6 +541,10 @@ optional_policy(`
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -44593,6 +44854,50 @@ index ec1eb1e..14832cf 100644
  ')
  
  optional_policy(`
+@@ -451,3 +559,43 @@ optional_policy(`
+ optional_policy(`
+ 	udev_read_db(spamd_t)
+ ')
++
++########################################
++#
++# spamd_update local policy
++#
++
++allow spamd_update_t self:fifo_file manage_fifo_file_perms;
++allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
++dontaudit spamd_update_t self:capability dac_override;
++
++manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
++manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
++files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
++
++allow spamd_update_t spamd_var_lib_t:dir list_dir_perms;
++manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
++manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
++
++corecmd_exec_bin(spamd_update_t)
++
++dev_read_urand(spamd_update_t)
++
++domain_use_interactive_fds(spamd_update_t)
++
++files_read_etc_files(spamd_update_t)
++files_read_usr_files(spamd_update_t)
++
++auth_use_nsswitch(spamd_update_t)
++auth_dontaudit_read_shadow(spamd_update_t)
++
++miscfiles_read_localization(spamd_update_t)
++
++mta_read_config(spamd_update_t)
++
++userdom_use_inherited_user_ptys(spamd_update_t)
++
++optional_policy(`
++	gpg_domtrans(spamd_update_t)
++')
++
 diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
 index d2496bd..1d0c078 100644
 --- a/policy/modules/services/squid.if
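Review bot: The new spamd_update local policy block grants tmp, var_lib, gpg and config access but contains no `corenet_*` rules, although `/usr/bin/sa-update` (labelled spamd_update_exec_t earlier in this patch) is a rule updater that presumably fetches updates over the network; in enforcing mode that traffic would be denied, and the omission is currently masked by the `permissive spamd_update_t;` declaration. Either add the intended network rules or note the gap at the top of the block, e.g. `# network access: TODO, derive from denials collected while permissive`. The final `+` blank line after `')` adds an empty line at end of file.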
@@ -48058,7 +48363,7 @@ index 6f1e3c7..ecfe665 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..dc521f4 100644
+index 130ced9..72b855e 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -48501,7 +48806,32 @@ index 130ced9..dc521f4 100644
  ')
  
  ########################################
-@@ -897,7 +1002,7 @@ interface(`xserver_getattr_log',`
+@@ -826,6 +931,24 @@ interface(`xserver_read_xdm_lib_files',`
+ 	allow $1 xdm_var_lib_t:file read_file_perms;
+ ')
+ 
++#######################################
++## <summary>
++##  Read inherited XDM var lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`xserver_read_inherited_xdm_lib_files',`
++	gen_require(`
++		type xdm_var_lib_t;
++	')
++
++	allow $1 xdm_var_lib_t:file read_inherited_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Make an X session script an entrypoint for the specified domain.
+@@ -897,7 +1020,7 @@ interface(`xserver_getattr_log',`
  	')
  
  	logging_search_logs($1)
@@ -48510,7 +48840,7 @@ index 130ced9..dc521f4 100644
  ')
  
  ########################################
-@@ -916,7 +1021,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1039,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -48519,7 +48849,7 @@ index 130ced9..dc521f4 100644
  ')
  
  ########################################
-@@ -963,6 +1068,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1086,45 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
@@ -48565,7 +48895,7 @@ index 130ced9..dc521f4 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -976,7 +1120,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1138,7 @@ interface(`xserver_read_xdm_tmp_files',`
  		type xdm_tmp_t;
  	')
  
@@ -48574,7 +48904,7 @@ index 130ced9..dc521f4 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1038,6 +1182,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1200,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -48617,7 +48947,7 @@ index 130ced9..dc521f4 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1052,7 +1232,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1250,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -48626,7 +48956,7 @@ index 130ced9..dc521f4 100644
  ')
  
  ########################################
-@@ -1070,8 +1250,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1268,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -48638,7 +48968,7 @@ index 130ced9..dc521f4 100644
  ')
  
  ########################################
-@@ -1185,6 +1367,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1385,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -48665,7 +48995,7 @@ index 130ced9..dc521f4 100644
  ')
  
  ########################################
-@@ -1210,7 +1412,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1430,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -48674,7 +49004,7 @@ index 130ced9..dc521f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1220,13 +1422,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1440,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -48699,7 +49029,7 @@ index 130ced9..dc521f4 100644
  ')
  
  ########################################
-@@ -1243,10 +1455,392 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1473,392 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -50918,7 +51248,7 @@ index 88df85d..2fa3974 100644
  	ssh_sigchld(application_domain_type)
  	ssh_rw_stream_sockets(application_domain_type)
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 2952cef..d845132 100644
+index 2952cef..a6cb01f 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
 @@ -10,6 +10,7 @@
@@ -50929,15 +51259,17 @@ index 2952cef..d845132 100644
  /sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
  /sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
  ifdef(`distro_suse', `
-@@ -27,6 +28,7 @@ ifdef(`distro_gentoo', `
+@@ -27,7 +28,9 @@ ifdef(`distro_gentoo', `
  
  /var/db/shadow.*	--	gen_context(system_u:object_r:shadow_t,s0)
  
 +/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
++/var/lib/pam_shield(/.*)?      gen_context(system_u:object_r:var_auth_t,s0)
  /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  
-@@ -39,6 +41,7 @@ ifdef(`distro_gentoo', `
+ /var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
+@@ -39,6 +42,7 @@ ifdef(`distro_gentoo', `
  /var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
  
  /var/run/console(/.*)?	 	gen_context(system_u:object_r:pam_var_console_t,s0)
@@ -51896,10 +52228,10 @@ index 354ce93..b8b14b9 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..e33701e 100644
+index cc83689..fc87c2c 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
-@@ -79,6 +79,41 @@ interface(`init_script_domain',`
+@@ -79,6 +79,42 @@ interface(`init_script_domain',`
  	domtrans_pattern(init_run_all_scripts_domain, $2, $1)
  ')
  
@@ -51934,6 +52266,7 @@ index cc83689..e33701e 100644
 +        domtrans_pattern(init_t,$2,$1)
 +        allow init_t $1:unix_stream_socket create_stream_socket_perms;
 +        allow init_t $1:unix_dgram_socket create_socket_perms;
++		allow $1 init_t:unix_stream_socket ioctl;
 +        allow $1 init_t:unix_dgram_socket sendto;
 +    ')
 +')
@@ -51941,7 +52274,7 @@ index cc83689..e33701e 100644
  ########################################
  ## <summary>
  ##	Create a domain which can be started by init.
-@@ -105,7 +140,11 @@ interface(`init_domain',`
+@@ -105,7 +141,11 @@ interface(`init_domain',`
  
  	role system_r types $1;
  
@@ -51954,7 +52287,7 @@ index cc83689..e33701e 100644
  
  	ifdef(`hide_broken_symptoms',`
  		# RHEL4 systems seem to have a stray
-@@ -193,8 +232,10 @@ interface(`init_daemon_domain',`
+@@ -193,8 +233,10 @@ interface(`init_daemon_domain',`
  	gen_require(`
  		attribute direct_run_init, direct_init, direct_init_entry;
  		type initrc_t;
@@ -51965,7 +52298,7 @@ index cc83689..e33701e 100644
  	')
  
  	typeattribute $1 daemon;
-@@ -204,7 +245,23 @@ interface(`init_daemon_domain',`
+@@ -204,7 +246,23 @@ interface(`init_daemon_domain',`
  
  	role system_r types $1;
  
@@ -51990,7 +52323,7 @@ index cc83689..e33701e 100644
  
  	# daemons started from init will
  	# inherit fds from init for the console
-@@ -231,6 +288,8 @@ interface(`init_daemon_domain',`
+@@ -231,6 +289,8 @@ interface(`init_daemon_domain',`
  		ifdef(`distro_rhel4',`
  			kernel_dontaudit_use_fds($1)
  		')
@@ -51999,7 +52332,7 @@ index cc83689..e33701e 100644
  	')
  
  	optional_policy(`
-@@ -283,17 +342,20 @@ interface(`init_daemon_domain',`
+@@ -283,17 +343,20 @@ interface(`init_daemon_domain',`
  interface(`init_ranged_daemon_domain',`
  	gen_require(`
  		type initrc_t;
@@ -52021,7 +52354,7 @@ index cc83689..e33701e 100644
  	')
  ')
  
-@@ -336,15 +398,32 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,15 +399,32 @@ interface(`init_ranged_daemon_domain',`
  #
  interface(`init_system_domain',`
  	gen_require(`
@@ -52055,7 +52388,7 @@ index cc83689..e33701e 100644
  
  	ifdef(`hide_broken_symptoms',`
  		# RHEL4 systems seem to have a stray
-@@ -353,6 +432,37 @@ interface(`init_system_domain',`
+@@ -353,6 +433,37 @@ interface(`init_system_domain',`
  			kernel_dontaudit_use_fds($1)
  		')
  	')
@@ -52093,7 +52426,7 @@ index cc83689..e33701e 100644
  ')
  
  ########################################
-@@ -401,16 +511,19 @@ interface(`init_system_domain',`
+@@ -401,16 +512,19 @@ interface(`init_system_domain',`
  interface(`init_ranged_system_domain',`
  	gen_require(`
  		type initrc_t;
@@ -52113,7 +52446,7 @@ index cc83689..e33701e 100644
  		mls_rangetrans_target($1)
  	')
  ')
-@@ -451,6 +564,10 @@ interface(`init_exec',`
+@@ -451,6 +565,10 @@ interface(`init_exec',`
  
  	corecmd_search_bin($1)
  	can_exec($1, init_exec_t)
@@ -52124,7 +52457,7 @@ index cc83689..e33701e 100644
  ')
  
  ########################################
-@@ -509,6 +626,24 @@ interface(`init_sigchld',`
+@@ -509,6 +627,24 @@ interface(`init_sigchld',`
  
  ########################################
  ## <summary>
@@ -52149,7 +52482,7 @@ index cc83689..e33701e 100644
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -519,10 +654,30 @@ interface(`init_sigchld',`
+@@ -519,10 +655,48 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -52179,10 +52512,28 @@ index cc83689..e33701e 100644
 +    ')
 +
 +    dontaudit $1 init_t:unix_stream_socket connectto;
++')
++
++######################################
++## <summary>
++##  Dontaudit read and write to init with a unix socket.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain to not audit.
++##  </summary>
++## </param>
++#
++interface(`init_dontaudit_rw_stream_socket',`
++    gen_require(`
++        type init_t;
++    ')
++
++    dontaudit $1 init_t:unix_stream_socket { read write };
  ')
  
  ########################################
-@@ -688,19 +843,25 @@ interface(`init_telinit',`
+@@ -688,19 +862,25 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -52209,7 +52560,7 @@ index cc83689..e33701e 100644
  	')
  ')
  
-@@ -773,18 +934,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +953,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -52233,7 +52584,7 @@ index cc83689..e33701e 100644
  	')
  ')
  
-@@ -800,19 +962,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,23 +981,45 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -52256,11 +52607,11 @@ index cc83689..e33701e 100644
  	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+	')
-+')
-+
-+########################################
-+## <summary>
+ 	')
+ ')
+ 
+ ########################################
+ ## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@@ -52273,13 +52624,17 @@ index cc83689..e33701e 100644
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
- 	')
++	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
- ')
- 
- ########################################
-@@ -868,9 +1052,14 @@ interface(`init_script_file_domtrans',`
++')
++
++########################################
++## <summary>
+ ##	Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
+@@ -868,9 +1071,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -52294,7 +52649,7 @@ index cc83689..e33701e 100644
  	files_search_etc($1)
  ')
  
-@@ -1079,6 +1268,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1287,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -52319,7 +52674,7 @@ index cc83689..e33701e 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1130,12 +1337,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1356,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -52333,7 +52688,7 @@ index cc83689..e33701e 100644
  ')
  
  ########################################
-@@ -1375,6 +1577,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1596,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -52361,7 +52716,7 @@ index cc83689..e33701e 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1461,6 +1684,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1703,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -52387,7 +52742,7 @@ index cc83689..e33701e 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1519,6 +1761,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1780,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -52412,7 +52767,7 @@ index cc83689..e33701e 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1674,7 +1934,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1953,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -52421,7 +52776,7 @@ index cc83689..e33701e 100644
  ')
  
  ########################################
-@@ -1715,6 +1975,92 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1994,92 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file)
  ')
  
@@ -52514,7 +52869,7 @@ index cc83689..e33701e 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2095,156 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2114,156 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -52672,7 +53027,7 @@ index cc83689..e33701e 100644
 +	read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..7cb9e99 100644
+index ea29513..b9f4fce 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -53280,7 +53635,7 @@ index ea29513..7cb9e99 100644
  ')
  
  optional_policy(`
-@@ -589,6 +856,11 @@ optional_policy(`
+@@ -589,6 +856,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53289,10 +53644,15 @@ index ea29513..7cb9e99 100644
 +')
 +
 +optional_policy(`
++	cron_read_pipes(initrc_t)
++	cron_manage_system_spool(initrc_t)
++')
++
++optional_policy(`
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
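Review bot: `cron_manage_system_spool(initrc_t)` on the second added line is a much wider grant than the `cron_read_pipes(initrc_t)` beside it, since it lets every init script running as initrc_t create and rewrite entries in the system cron spool, and the hunk records no reason for it. The integrity of root-scheduled jobs rests on that spool, so a one-line comment naming the service or bug that needs it, e.g. `# <service or bug placeholder>: needs to manage the system cron spool`, would let a later audit decide whether the rule can be moved into that service's own domain. The optional_policy block is complete within the hunk.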
-@@ -605,9 +877,13 @@ optional_policy(`
+@@ -605,9 +882,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -53306,7 +53666,7 @@ index ea29513..7cb9e99 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +925,11 @@ optional_policy(`
+@@ -649,6 +930,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53318,7 +53678,7 @@ index ea29513..7cb9e99 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -706,7 +987,13 @@ optional_policy(`
+@@ -706,7 +992,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53332,7 +53692,7 @@ index ea29513..7cb9e99 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1016,10 @@ optional_policy(`
+@@ -729,6 +1021,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53343,7 +53703,7 @@ index ea29513..7cb9e99 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1029,20 @@ optional_policy(`
+@@ -738,10 +1034,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53364,7 +53724,7 @@ index ea29513..7cb9e99 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1051,10 @@ optional_policy(`
+@@ -750,6 +1056,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53375,7 +53735,7 @@ index ea29513..7cb9e99 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1076,6 @@ optional_policy(`
+@@ -771,8 +1081,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -53384,7 +53744,7 @@ index ea29513..7cb9e99 100644
  ')
  
  optional_policy(`
-@@ -781,14 +1084,21 @@ optional_policy(`
+@@ -781,14 +1089,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53406,7 +53766,7 @@ index ea29513..7cb9e99 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1110,6 @@ optional_policy(`
+@@ -800,7 +1115,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53414,7 +53774,7 @@ index ea29513..7cb9e99 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -810,11 +1119,24 @@ optional_policy(`
+@@ -810,11 +1124,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53440,7 +53800,7 @@ index ea29513..7cb9e99 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1146,25 @@ optional_policy(`
+@@ -824,6 +1151,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -53466,7 +53826,7 @@ index ea29513..7cb9e99 100644
  ')
  
  optional_policy(`
-@@ -849,3 +1190,42 @@ optional_policy(`
+@@ -849,3 +1195,42 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -56218,21 +56578,24 @@ index 4d06ae3..a9918e0 100644
  	seutil_sigchld_newrole(cardmgr_t)
  ')
 diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
-index ed9c70d..b961d53 100644
+index ed9c70d..7a6f23a 100644
 --- a/policy/modules/system/raid.fc
 +++ b/policy/modules/system/raid.fc
-@@ -1,4 +1,10 @@
+@@ -1,6 +1,13 @@
 -/dev/.mdadm.map		--	gen_context(system_u:object_r:mdadm_map_t,s0)
 +/dev/.mdadm\.map	--	gen_context(system_u:object_r:mdadm_var_run_t,s0)
 +/dev/md(/.*)?			gen_context(system_u:object_r:mdadm_var_run_t,s0)
-+
+ 
 +#669402
 +/usr/sbin/iprdump   --  gen_context(system_u:object_r:mdadm_exec_t,s0)
-+/usr/sbin/iprinit   --  gen_context(system_u:object_r:mdadm_exec_t,s0)
-+/usr/sbin/iprupdate --  gen_context(system_u:object_r:mdadm_exec_t,s0)
- 
  /sbin/mdadm		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /sbin/mdmpd		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
+ 
+ /var/run/mdadm(/.*)?		gen_context(system_u:object_r:mdadm_var_run_t,s0)
++
++/usr/sbin/iprinit   	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
++/usr/sbin/iprupdate 	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
++/usr/sbin/raid-check	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
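Review bot: The `#669402` reference now sits only above the `iprdump` entry, while `iprinit` and `iprupdate` were moved to the end of the file after `/var/run/mdadm(/.*)?` without it, so the bug reference no longer covers them. Either keep the three ipr entries together under the comment or repeat it above the moved lines, e.g. `#669402` before `/usr/sbin/iprinit`. The new `raid-check` entry also labels a script as `mdadm_exec_t`, which makes it run in `mdadm_t` when launched from cron; a short comment saying that this is deliberate (it pairs with the `cron_system_entry` rule added in raid.te) would save the next reader from checking. Whitespace is also mixed: `iprdump` uses spaces before `--` while the three new entries use tabs.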
 diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if
 index c817fda..8bcb1fd 100644
 --- a/policy/modules/system/raid.if
@@ -56263,7 +56626,7 @@ index c817fda..8bcb1fd 100644
  ## </summary>
  ## <desc>
 diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
-index 73cc8cf..bf6a0b6 100644
+index 73cc8cf..4c24b25 100644
 --- a/policy/modules/system/raid.te
 +++ b/policy/modules/system/raid.te
 @@ -10,11 +10,9 @@ type mdadm_exec_t;
@@ -56280,9 +56643,12 @@ index 73cc8cf..bf6a0b6 100644
  
  ########################################
  #
-@@ -25,13 +23,13 @@ allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+@@ -23,15 +21,15 @@ files_pid_file(mdadm_var_run_t)
+ 
+ allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
  dontaudit mdadm_t self:capability sys_tty_config;
- allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
+-allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
++allow mdadm_t self:process { setsched sigchld sigkill sigstop signull signal };
  allow mdadm_t self:fifo_file rw_fifo_file_perms;
 +allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
  
@@ -56325,6 +56691,17 @@ index 73cc8cf..bf6a0b6 100644
  
  term_dontaudit_list_ptys(mdadm_t)
  
+@@ -84,6 +86,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
+ mta_send_mail(mdadm_t)
+ 
+ optional_policy(`
++	cron_system_entry(mdadm_t, mdadm_exec_t)
++')
++
++optional_policy(`
+ 	gpm_dontaudit_getattr_gpmctl(mdadm_t)
+ ')
+ 
 diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
 index 2cc4bda..9e81136 100644
 --- a/policy/modules/system/selinuxutil.fc
@@ -57824,10 +58201,10 @@ index 0000000..c7476cb
 +
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..de940a5
+index 0000000..da83870
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,263 @@
+@@ -0,0 +1,264 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -57850,9 +58227,10 @@ index 0000000..de940a5
 +        gen_require(`
 +                type systemd_systemctl_exec_t;
 +                role system_r;
++				attribute systemctl_domain;
 +        ')
 +
-+	type $1_systemctl_t;
++	type $1_systemctl_t, systemctl_domain;
 +	domain_type($1_systemctl_t)
 +	domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t)	
 +
@@ -58093,10 +58471,10 @@ index 0000000..de940a5
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..e7b669f
+index 0000000..2e1f7a0
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,196 @@
+@@ -0,0 +1,224 @@
 +
 +policy_module(systemd, 1.0.0)
 +
@@ -58106,6 +58484,7 @@ index 0000000..e7b669f
 +#
 +
 +attribute systemd_unit_file_type;
++attribute systemctl_domain;
 +
 +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
 +# systemd components
@@ -58197,6 +58576,8 @@ index 0000000..e7b669f
 +fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
 +fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
 +
++files_delete_kernel_modules(systemd_tmpfiles_t)
++
 +files_read_etc_files(systemd_tmpfiles_t)
 +files_getattr_all_dirs(systemd_tmpfiles_t)
 +files_getattr_all_files(systemd_tmpfiles_t)
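Review bot: `files_delete_kernel_modules(systemd_tmpfiles_t)` here, and `files_delete_usr_dirs` / `files_delete_usr_files` in the next hunk, let a domain that runs on every boot remove content under /lib/modules and /usr, which is well beyond the temporary-directory cleanup the rest of this block describes, and nothing in the hunks records which tmpfiles.d entry requires it. A comment naming that entry above each grant, e.g. `# <tmpfiles.d entry placeholder> removes stale files under /usr`, would let a later review confirm the grant is still needed or narrow it to a specific type.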
@@ -58209,6 +58590,8 @@ index 0000000..e7b669f
 +files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
 +files_delete_all_pid_sockets(systemd_tmpfiles_t)
 +files_delete_all_pid_pipes(systemd_tmpfiles_t)
++files_delete_usr_dirs(systemd_tmpfiles_t)
++files_delete_usr_files(systemd_tmpfiles_t)
 +files_delete_boot_flag(systemd_tmpfiles_t)
 +files_purge_tmp(systemd_tmpfiles_t)
 +files_manage_generic_tmp_files(systemd_tmpfiles_t)
@@ -58252,6 +58635,14 @@ index 0000000..e7b669f
 +')
 +
 +optional_policy(`
++    apache_delete_sys_content_rw(systemd_tmpfiles_t)
++    apache_list_cache(systemd_tmpfiles_t)
++    apache_delete_cache_dirs(systemd_tmpfiles_t)
++    apache_delete_cache_files(systemd_tmpfiles_t)
++    apache_setattr_cache_dirs(systemd_tmpfiles_t)
++')
++
++optional_policy(`
 +    auth_rw_login_records(systemd_tmpfiles_t)
 +')
 +
@@ -58293,6 +58684,21 @@ index 0000000..e7b669f
 +optional_policy(`
 +	readahead_manage_pid_files(systemd_notify_t)
 +')
++
++#######################################
++#
++# systemd_sysctl domains local policy
++#
++fs_list_cgroup_dirs(systemctl_domain)
++fs_read_cgroup_files(systemctl_domain)
++
++# needed by systemctl
++init_stream_connect(systemctl_domain)
++init_read_state(systemctl_domain)
++init_list_pid_dirs(systemctl_domain)
++init_use_fds(systemctl_domain)
++
++miscfiles_read_localization(systemctl_domain)
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
 index 0291685..7e94f4b 100644
 --- a/policy/modules/system/udev.fc
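Review bot: The section header reads `# systemd_sysctl domains local policy` but every rule under it applies to the `systemctl_domain` attribute, and sysctl is an unrelated component, so the comment misleads anyone searching the file. Change it to `# systemctl domains local policy`. The hedged `# needed by systemctl` comment above the four `init_*` calls would also be more useful if it stated what systemctl does with init (it connects to its stream socket and reads its state), which the rules themselves already express.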
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9f5c531..8bd4efe 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 38%{?dist}
+Release: 39%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,11 @@ exit 0
 %endif
 
 %changelog
+* Tue Sep 6 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-39
+- Backport F16 fixes
+- livecd fixes
+- systemd fixes
+
 * Thu Aug 11 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-38
 - Allow hostname read network state
 - Allow syslog to manage all log files

