[selinux-policy/f16] +- Change screen to use screen_domain attribute and allow screen_domains to read all process domain
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Sep 23 11:58:11 UTC 2011
commit 513e3a104be1eab318c2ffbefa3740e812bc00fb
Author: Miroslav <mgrepl at redhat.com>
Date: Fri Sep 23 13:57:50 2011 +0200
+- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state
+- Add SELinux support for ssh pre-auth net process in F17
+- Add logging_syslogd_can_sendmail boolean
policy-F16.patch | 945 ++++++++++++++++++++++++++++++++++++++------------
selinux-policy.spec | 7 +-
2 files changed, 724 insertions(+), 228 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 45d7e6a..ce2d8d9 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1663,10 +1663,10 @@ index 0000000..bd83148
+## <summary>No Interfaces</summary>
diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
new file mode 100644
-index 0000000..bb587b1
+index 0000000..3008c85
--- /dev/null
+++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,228 @@
+@@ -0,0 +1,236 @@
+policy_module(permissivedomains,16)
+
+optional_policy(`
@@ -1766,6 +1766,14 @@ index 0000000..bb587b1
+')
+
+optional_policy(`
++ gen_require(`
++ type sshd_sandbox_t;
++ ')
++
++ permissive sshd_sandbox_t;
++')
++
++optional_policy(`
+ gen_require(`
+ type fail2ban_client_t;
+ ')
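Review bot: The added `permissive sshd_sandbox_t;` block leaves the new sandbox domain unenforced, so denials for it are logged but not blocked. Going by the commit message, this domain is for the ssh pre-auth network process, which is the part of sshd that handles unauthenticated input, so running it permissive means the sandbox is not actually confined by policy. If this is a temporary step while the rules are collected, record that next to the block, for example `# sshd_sandbox_t: permissive only until the pre-auth policy is complete`, so it is not carried into later builds unnoticed. The rest of permissivedomains.te lies outside this hunk.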
@@ -2291,18 +2299,20 @@ index b4ac57e..ef944a4 100644
logging_send_syslog_msg(readahead_t)
logging_set_audit_parameters(readahead_t)
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index b206bf6..b11df05 100644
+index b206bf6..de6d89b 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
-@@ -7,6 +7,7 @@
+@@ -6,7 +6,9 @@
+ /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -24,9 +25,14 @@ ifdef(`distro_redhat', `
+@@ -24,9 +26,14 @@ ifdef(`distro_redhat', `
/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -2317,7 +2327,7 @@ index b206bf6..b11df05 100644
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-@@ -36,6 +42,8 @@ ifdef(`distro_redhat', `
+@@ -36,6 +43,8 @@ ifdef(`distro_redhat', `
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
@@ -3649,7 +3659,7 @@ index 81fb26f..66cf96c 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..d3dd0b9 100644
+index 441cf22..4779a8d 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -79,18 +79,17 @@ selinux_compute_create_context(chfn_t)
@@ -3696,7 +3706,15 @@ index 441cf22..d3dd0b9 100644
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
-@@ -291,17 +293,18 @@ selinux_compute_create_context(passwd_t)
+@@ -277,6 +279,7 @@ kernel_read_kernel_sysctls(passwd_t)
+
+ # for SSP
+ dev_read_urand(passwd_t)
++dev_dontaudit_getattr_all(passwd_t)
+
+ fs_getattr_xattr_fs(passwd_t)
+ fs_search_auto_mountpoints(passwd_t)
+@@ -291,17 +294,18 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
@@ -3719,7 +3737,16 @@ index 441cf22..d3dd0b9 100644
domain_use_interactive_fds(passwd_t)
-@@ -323,7 +326,7 @@ miscfiles_read_localization(passwd_t)
+@@ -311,6 +315,8 @@ files_search_var(passwd_t)
+ files_dontaudit_search_pids(passwd_t)
+ files_relabel_etc_files(passwd_t)
+
++term_search_ptys(passwd_t)
++
+ # /usr/bin/passwd asks for w access to utmp, but it will operate
+ # correctly without it. Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(passwd_t)
+@@ -323,7 +329,7 @@ miscfiles_read_localization(passwd_t)
seutil_dontaudit_search_config(passwd_t)
@@ -3728,7 +3755,7 @@ index 441cf22..d3dd0b9 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -332,6 +335,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +338,7 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -3736,7 +3763,7 @@ index 441cf22..d3dd0b9 100644
optional_policy(`
nscd_domtrans(passwd_t)
-@@ -381,8 +385,7 @@ dev_read_urand(sysadm_passwd_t)
+@@ -381,8 +388,7 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -3746,7 +3773,7 @@ index 441cf22..d3dd0b9 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
-@@ -426,7 +429,7 @@ optional_policy(`
+@@ -426,7 +432,7 @@ optional_policy(`
# Useradd local policy
#
@@ -3755,7 +3782,7 @@ index 441cf22..d3dd0b9 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -448,8 +451,12 @@ corecmd_exec_shell(useradd_t)
+@@ -448,8 +454,12 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -3768,7 +3795,7 @@ index 441cf22..d3dd0b9 100644
files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
-@@ -460,6 +467,7 @@ fs_search_auto_mountpoints(useradd_t)
+@@ -460,6 +470,7 @@ fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)
mls_file_upgrade(useradd_t)
@@ -3776,7 +3803,7 @@ index 441cf22..d3dd0b9 100644
# Allow access to context for shadow file
selinux_get_fs_mount(useradd_t)
-@@ -469,8 +477,7 @@ selinux_compute_create_context(useradd_t)
+@@ -469,8 +480,7 @@ selinux_compute_create_context(useradd_t)
selinux_compute_relabel_context(useradd_t)
selinux_compute_user_contexts(useradd_t)
@@ -3786,15 +3813,15 @@ index 441cf22..d3dd0b9 100644
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
-@@ -498,21 +505,11 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -498,21 +508,11 @@ seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
-userdom_manage_user_home_dirs(useradd_t)
- userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_manage_user_home_content_dirs(useradd_t)
-userdom_manage_user_home_content_files(useradd_t)
--userdom_home_filetrans_user_home_dir(useradd_t)
+ userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
+userdom_manage_home_role(system_r, useradd_t)
@@ -4365,10 +4392,10 @@ index 0000000..6f3570a
+/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
new file mode 100644
-index 0000000..e455bba
+index 0000000..fc9014f
--- /dev/null
+++ b/policy/modules/apps/execmem.if
-@@ -0,0 +1,129 @@
+@@ -0,0 +1,133 @@
+## <summary>execmem domain</summary>
+
+########################################
@@ -4437,6 +4464,10 @@ index 0000000..e455bba
+
+ files_execmod_tmp($1_execmem_t)
+
++ optional_policy(`
++ execmem_execmod($1_execmem_t)
++ ')
++
+ # needed by plasma-desktop
+ optional_policy(`
+ gnome_read_usr_config($1_execmem_t)
@@ -4495,7 +4526,7 @@ index 0000000..e455bba
+ type execmem_exec_t;
+ ')
+
-+ allow $1 execmem_exec_t:chr_file execmod;
++ allow $1 execmem_exec_t:file execmod;
+')
+
diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
@@ -9990,17 +10021,61 @@ index c8254dd..340a2d7 100644
/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
-index a57e81e..57519a4 100644
+index a57e81e..f9fbc60 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
-@@ -68,15 +68,16 @@ template(`screen_role_template',`
- manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
- manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
- userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
-+ userdom_admin_home_dir_filetrans($1_screen_t, screen_home_t, dir)
- read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
- read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+@@ -25,6 +25,7 @@ template(`screen_role_template',`
+ gen_require(`
+ type screen_exec_t, screen_tmp_t;
+ type screen_home_t, screen_var_run_t;
++ attribute screen_domain;
+ ')
+ ########################################
+@@ -32,51 +33,18 @@ template(`screen_role_template',`
+ # Declarations
+ #
+
+- type $1_screen_t;
++ type $1_screen_t, screen_domain;
+ application_domain($1_screen_t, screen_exec_t)
+ domain_interactive_fd($1_screen_t)
+ ubac_constrained($1_screen_t)
+ role $2 types $1_screen_t;
+
+- ########################################
+- #
+- # Local policy
+- #
+-
+- allow $1_screen_t self:capability { setuid setgid fsetid };
+- allow $1_screen_t self:process signal_perms;
+- allow $1_screen_t self:fifo_file rw_fifo_file_perms;
+- allow $1_screen_t self:tcp_socket create_stream_socket_perms;
+- allow $1_screen_t self:udp_socket create_socket_perms;
+- # Internal screen networking
+- allow $1_screen_t self:fd use;
+- allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto };
+- allow $1_screen_t self:unix_dgram_socket create_socket_perms;
+-
+- manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+- manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+- manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+- files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir })
+-
+- # Create fifo
+- manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+- manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+- manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+- files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
+-
+- allow $1_screen_t screen_home_t:dir list_dir_perms;
+- manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
+- manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+- userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
+- read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+- read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+-
- allow $1_screen_t $3:process signal;
-
domtrans_pattern($3, screen_exec_t, $1_screen_t)
@@ -10012,7 +10087,7 @@ index a57e81e..57519a4 100644
manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_home_t, screen_home_t)
-@@ -87,8 +88,6 @@ template(`screen_role_template',`
+@@ -87,77 +55,22 @@ template(`screen_role_template',`
relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
@@ -10020,15 +10095,191 @@ index a57e81e..57519a4 100644
- manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
- kernel_read_system_state($1_screen_t)
-@@ -118,6 +117,7 @@ template(`screen_role_template',`
- # for SSP
- dev_read_urand($1_screen_t)
+- kernel_read_system_state($1_screen_t)
+- kernel_read_kernel_sysctls($1_screen_t)
+-
+- corecmd_list_bin($1_screen_t)
+- corecmd_read_bin_files($1_screen_t)
+- corecmd_read_bin_symlinks($1_screen_t)
+- corecmd_read_bin_pipes($1_screen_t)
+- corecmd_read_bin_sockets($1_screen_t)
+ # Revert to the user domain when a shell is executed.
+ corecmd_shell_domtrans($1_screen_t, $3)
+ corecmd_bin_domtrans($1_screen_t, $3)
+
+- corenet_all_recvfrom_unlabeled($1_screen_t)
+- corenet_all_recvfrom_netlabel($1_screen_t)
+- corenet_tcp_sendrecv_generic_if($1_screen_t)
+- corenet_udp_sendrecv_generic_if($1_screen_t)
+- corenet_tcp_sendrecv_generic_node($1_screen_t)
+- corenet_udp_sendrecv_generic_node($1_screen_t)
+- corenet_tcp_sendrecv_all_ports($1_screen_t)
+- corenet_udp_sendrecv_all_ports($1_screen_t)
+- corenet_tcp_connect_all_ports($1_screen_t)
+-
+- dev_dontaudit_getattr_all_chr_files($1_screen_t)
+- dev_dontaudit_getattr_all_blk_files($1_screen_t)
+- # for SSP
+- dev_read_urand($1_screen_t)
+-
+- domain_use_interactive_fds($1_screen_t)
+-
+- files_search_tmp($1_screen_t)
+- files_search_home($1_screen_t)
+- files_list_home($1_screen_t)
+- files_read_usr_files($1_screen_t)
+- files_read_etc_files($1_screen_t)
+-
+- fs_search_auto_mountpoints($1_screen_t)
+- fs_getattr_xattr_fs($1_screen_t)
+-
+ auth_domtrans_chk_passwd($1_screen_t)
+ auth_use_nsswitch($1_screen_t)
+- auth_dontaudit_read_shadow($1_screen_t)
+- auth_dontaudit_exec_utempter($1_screen_t)
+-
+- # Write to utmp.
+- init_rw_utmp($1_screen_t)
+-
+- logging_send_syslog_msg($1_screen_t)
+-
+- miscfiles_read_localization($1_screen_t)
+-
+- seutil_read_config($1_screen_t)
+
+- userdom_use_user_terminals($1_screen_t)
+- userdom_create_user_pty($1_screen_t)
+ userdom_user_home_domtrans($1_screen_t, $3)
+- userdom_setattr_user_ptys($1_screen_t)
+- userdom_setattr_user_ttys($1_screen_t)
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_cifs_domtrans($1_screen_t, $3)
+- fs_read_cifs_symlinks($1_screen_t)
+- fs_list_cifs($1_screen_t)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_nfs_domtrans($1_screen_t, $3)
+- fs_list_nfs($1_screen_t)
+- fs_read_nfs_symlinks($1_screen_t)
+ ')
+ ')
+diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
+index 553bc73..b3b144c 100644
+--- a/policy/modules/apps/screen.te
++++ b/policy/modules/apps/screen.te
+@@ -5,6 +5,8 @@ policy_module(screen, 2.3.1)
+ # Declarations
+ #
-+ domain_sigchld_interactive_fds($1_screen_t)
- domain_use_interactive_fds($1_screen_t)
++attribute screen_domain;
++
+ type screen_exec_t;
+ application_executable_file(screen_exec_t)
- files_search_tmp($1_screen_t)
+@@ -24,3 +26,101 @@ typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t
+ typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
+ files_pid_file(screen_var_run_t)
+ ubac_constrained(screen_var_run_t)
++
++########################################
++#
++# Local policy
++#
++
++allow screen_domain self:capability { setuid setgid fsetid };
++allow screen_domain self:process signal_perms;
++allow screen_domain self:fifo_file rw_fifo_file_perms;
++allow screen_domain self:tcp_socket create_stream_socket_perms;
++allow screen_domain self:udp_socket create_socket_perms;
++# Internal screen networking
++allow screen_domain self:fd use;
++allow screen_domain self:unix_stream_socket { create_socket_perms connectto };
++allow screen_domain self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
++manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
++manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
++files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
++
++# Create fifo
++manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
++manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
++manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
++files_pid_filetrans(screen_domain, screen_var_run_t, dir)
++
++allow screen_domain screen_home_t:dir list_dir_perms;
++manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
++manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t)
++userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir)
++userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir)
++read_files_pattern(screen_domain, screen_home_t, screen_home_t)
++read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t)
++
++kernel_read_system_state(screen_domain)
++kernel_read_kernel_sysctls(screen_domain)
++
++corecmd_list_bin(screen_domain)
++corecmd_read_bin_files(screen_domain)
++corecmd_read_bin_symlinks(screen_domain)
++corecmd_read_bin_pipes(screen_domain)
++corecmd_read_bin_sockets(screen_domain)
++
++corenet_all_recvfrom_unlabeled(screen_domain)
++corenet_all_recvfrom_netlabel(screen_domain)
++corenet_tcp_sendrecv_generic_if(screen_domain)
++corenet_udp_sendrecv_generic_if(screen_domain)
++corenet_tcp_sendrecv_generic_node(screen_domain)
++corenet_udp_sendrecv_generic_node(screen_domain)
++corenet_tcp_sendrecv_all_ports(screen_domain)
++corenet_udp_sendrecv_all_ports(screen_domain)
++corenet_tcp_connect_all_ports(screen_domain)
++
++dev_dontaudit_getattr_all_chr_files(screen_domain)
++dev_dontaudit_getattr_all_blk_files(screen_domain)
++# for SSP
++dev_read_urand(screen_domain)
++
++domain_sigchld_interactive_fds(screen_domain)
++domain_use_interactive_fds(screen_domain)
++domain_read_all_domains_state(screen_domain)
++
++files_search_tmp(screen_domain)
++files_search_home(screen_domain)
++files_list_home(screen_domain)
++files_read_usr_files(screen_domain)
++files_read_etc_files(screen_domain)
++
++fs_search_auto_mountpoints(screen_domain)
++fs_getattr_xattr_fs(screen_domain)
++
++auth_dontaudit_read_shadow(screen_domain)
++auth_dontaudit_exec_utempter(screen_domain)
++
++# Write to utmp.
++init_rw_utmp(screen_domain)
++
++logging_send_syslog_msg(screen_domain)
++
++miscfiles_read_localization(screen_domain)
++
++seutil_read_config(screen_domain)
++
++userdom_use_user_terminals(screen_domain)
++userdom_create_user_pty(screen_domain)
++userdom_setattr_user_ptys(screen_domain)
++userdom_setattr_user_ttys(screen_domain)
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_symlinks(screen_domain)
++ fs_list_cifs(screen_domain)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_list_nfs(screen_domain)
++ fs_read_nfs_symlinks(screen_domain)
++')
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
index 1dc7a85..a01511f 100644
--- a/policy/modules/apps/seunshare.if
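Review bot: `domain_read_all_domains_state(screen_domain)` in the new screen.te local policy gives every type that carries the screen_domain attribute read access to the process state of all domains, not only the invoking user's. Because the rules were moved from the per-role template onto the attribute, confined users' screen domains receive this too, next to `corenet_tcp_connect_all_ports(screen_domain)`. If screen only needs to inspect the processes of the user who started it, a narrower form can stay in screen_role_template, e.g. `ps_process_pattern($1_screen_t, $3)`. Otherwise add a comment above the call naming what requires state from all domains.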
@@ -18174,10 +18425,15 @@ index 1700ef2..6b7eabb 100644
+ dev_filetrans($1, removable_device_t, chr_file, "rio500")
+')
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 7d45d15..6727eb7 100644
+index 7d45d15..6d27fb3 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
-@@ -19,6 +19,7 @@
+@@ -14,11 +14,11 @@
+ /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
+-/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
+ /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
@@ -18185,7 +18441,7 @@ index 7d45d15..6727eb7 100644
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
-@@ -41,3 +42,5 @@ ifdef(`distro_gentoo',`
+@@ -41,3 +41,5 @@ ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
')
@@ -22260,7 +22516,7 @@ index deca9d3..ae8c579 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..d7a8d41 100644
+index 9e39aa5..83dbd34 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,13 +1,18 @@
@@ -22342,7 +22598,7 @@ index 9e39aa5..d7a8d41 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,8 +85,10 @@ ifdef(`distro_suse', `
+@@ -73,20 +85,25 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -22354,7 +22610,11 @@ index 9e39aa5..d7a8d41 100644
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -84,9 +98,10 @@ ifdef(`distro_suse', `
+ /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
++/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+ /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
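Review bot: The new entry `/var/lib/svn(/.*)?` labels the entire tree `httpd_sys_rw_content_t`, so everything under it becomes writable to httpd and its system scripts, presumably including any per-repository configuration or hook files kept there. If only the repository data needs to be written by the web server, a narrower path expression for the writable part with `httpd_sys_content_t` for the rest would keep the write surface smaller. The neighbouring `/var/lib/trac(/.*)?` entry is read-only content, and a short comment explaining why svn differs would help.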
@@ -22366,7 +22626,7 @@ index 9e39aa5..d7a8d41 100644
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -105,7 +120,27 @@ ifdef(`distro_debian', `
+@@ -105,7 +122,27 @@ ifdef(`distro_debian', `
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -22395,7 +22655,7 @@ index 9e39aa5..d7a8d41 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..6a02978 100644
+index 6480167..1b928cb 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,17 +13,13 @@
@@ -22727,7 +22987,7 @@ index 6480167..6a02978 100644
')
########################################
-@@ -802,6 +880,24 @@ interface(`apache_domtrans_rotatelogs',`
+@@ -802,6 +880,43 @@ interface(`apache_domtrans_rotatelogs',`
domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')
@@ -22749,10 +23009,29 @@ index 6480167..6a02978 100644
+ can_exec($1, httpd_rotatelogs_exec_t)
+')
+
++#######################################
++## <summary>
++## Execute httpd system scripts in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`apache_exec_sys_script',`
++ gen_require(`
++ type httpd_sys_script_exec_t;
++ ')
++
++ allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
++ can_exec($1, httpd_sys_script_exec_t;
++')
++
########################################
## <summary>
## Allow the specified domain to list
-@@ -819,6 +915,7 @@ interface(`apache_list_sys_content',`
+@@ -819,6 +934,7 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -22760,7 +23039,7 @@ index 6480167..6a02978 100644
files_search_var($1)
')
-@@ -846,6 +943,74 @@ interface(`apache_manage_sys_content',`
+@@ -846,6 +962,74 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@@ -22835,7 +23114,7 @@ index 6480167..6a02978 100644
########################################
## <summary>
## Execute all web scripts in the system
-@@ -862,7 +1027,12 @@ interface(`apache_manage_sys_content',`
+@@ -862,7 +1046,12 @@ interface(`apache_manage_sys_content',`
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
@@ -22849,7 +23128,7 @@ index 6480167..6a02978 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -921,9 +1091,10 @@ interface(`apache_domtrans_all_scripts',`
+@@ -921,9 +1110,10 @@ interface(`apache_domtrans_all_scripts',`
## </param>
## <param name="role">
## <summary>
@@ -22861,7 +23140,7 @@ index 6480167..6a02978 100644
#
interface(`apache_run_all_scripts',`
gen_require(`
-@@ -950,7 +1121,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -950,7 +1140,7 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@@ -22870,7 +23149,7 @@ index 6480167..6a02978 100644
')
########################################
-@@ -1091,6 +1262,25 @@ interface(`apache_read_tmp_files',`
+@@ -1091,6 +1281,25 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -22896,7 +23175,7 @@ index 6480167..6a02978 100644
########################################
## <summary>
## Dontaudit attempts to write
-@@ -1107,7 +1297,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1107,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -22905,7 +23184,7 @@ index 6480167..6a02978 100644
')
########################################
-@@ -1150,12 +1340,6 @@ interface(`apache_cgi_domain',`
+@@ -1150,12 +1359,6 @@ interface(`apache_cgi_domain',`
## <summary>
## All of the rules required to administrate an apache environment
## </summary>
@@ -22918,7 +23197,7 @@ index 6480167..6a02978 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1170,17 +1354,15 @@ interface(`apache_cgi_domain',`
+@@ -1170,17 +1373,15 @@ interface(`apache_cgi_domain',`
#
interface(`apache_admin',`
gen_require(`
@@ -22941,7 +23220,7 @@ index 6480167..6a02978 100644
ps_process_pattern($1, httpd_t)
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-@@ -1191,10 +1373,10 @@ interface(`apache_admin',`
+@@ -1191,10 +1392,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -22954,7 +23233,7 @@ index 6480167..6a02978 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1387,69 @@ interface(`apache_admin',`
+@@ -1205,14 +1406,69 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -30612,7 +30891,7 @@ index 1a1becd..d4357ec 100644
')
+
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..c6db074 100644
+index 1bff6ee..fbfc5db 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -30694,7 +30973,7 @@ index 1bff6ee..c6db074 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -151,12 +171,156 @@ optional_policy(`
+@@ -151,12 +171,166 @@ optional_policy(`
')
optional_policy(`
@@ -30715,7 +30994,7 @@ index 1bff6ee..c6db074 100644
#
-# Unconfined access to this module
+# system_bus_type rules
- #
++#
+role system_r types system_bus_type;
+
+fs_search_all(system_bus_type)
@@ -30727,7 +31006,7 @@ index 1bff6ee..c6db074 100644
+init_dgram_send(system_bus_type)
+init_use_fds(system_bus_type)
+init_rw_stream_sockets(system_bus_type)
-
++
+ps_process_pattern(system_dbusd_t, system_bus_type)
+
+userdom_dontaudit_search_admin_dir(system_bus_type)
@@ -30752,7 +31031,7 @@ index 1bff6ee..c6db074 100644
+########################################
+#
+# session_bus_type rules
-+#
+ #
+dontaudit session_bus_type self:capability sys_resource;
+allow session_bus_type self:process { getattr sigkill signal };
+dontaudit session_bus_type self:process { ptrace setrlimit };
@@ -30828,6 +31107,16 @@ index 1bff6ee..c6db074 100644
+userdom_manage_user_home_content_files(session_bus_type)
+userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
+
++tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_dirs(session_bus_type)
++ fs_manage_nfs_files(session_bus_type)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_dirs(session_bus_type)
++ fs_manage_cifs_files(session_bus_type)
++')
+
+optional_policy(`
+ gnome_read_gconf_home_files(session_bus_type)
+')
@@ -33554,7 +33843,7 @@ index 298f066..b54de69 100644
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
-index 6bef7f8..464669c 100644
+index 6bef7f8..885cd43 100644
--- a/policy/modules/services/exim.if
+++ b/policy/modules/services/exim.if
@@ -5,9 +5,9 @@
@@ -33569,10 +33858,35 @@ index 6bef7f8..464669c 100644
## </param>
#
interface(`exim_domtrans',`
-@@ -20,6 +20,24 @@ interface(`exim_domtrans',`
+@@ -20,6 +20,49 @@ interface(`exim_domtrans',`
########################################
## <summary>
++## Execute the mailman program in the mailman domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to allow the mailman domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`exim_run',`
++ gen_require(`
++ type exim_t;
++ ')
++
++ exim_domtrans($1)
++ role $2 types exim_t;
++')
++
++########################################
++## <summary>
+## Execute exim in the exim domain.
+## </summary>
+## <param name="domain">
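Review bot: The header comment of the new `exim_run` interface was copied from mailman and describes the wrong domain. Its summary reads "Execute the mailman program in the mailman domain" and its role parameter "The role to allow the mailman domain", while the body calls `exim_domtrans($1)` and adds `role $2 types exim_t;`. Suggest `## Execute exim in the exim domain, and allow the specified role the exim domain.` for the summary and `## The role to allow the exim domain.` for the parameter. Generated interface documentation is what policy writers consult before granting a role transition, so the text should name the domain that is actually granted.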
@@ -33594,7 +33908,7 @@ index 6bef7f8..464669c 100644
## Do not audit attempts to read,
## exim tmp files
## </summary>
-@@ -101,9 +119,9 @@ interface(`exim_read_log',`
+@@ -101,9 +144,9 @@ interface(`exim_read_log',`
## exim log files.
## </summary>
## <param name="domain">
@@ -33606,7 +33920,7 @@ index 6bef7f8..464669c 100644
## </param>
#
interface(`exim_append_log',`
-@@ -194,3 +212,46 @@ interface(`exim_manage_spool_files',`
+@@ -194,3 +237,46 @@ interface(`exim_manage_spool_files',`
manage_files_pattern($1, exim_spool_t, exim_spool_t)
files_search_spool($1)
')
@@ -38950,7 +39264,7 @@ index 14ad189..2b8efd8 100644
/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
')
diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if
-index 67c7fdd..84b7626 100644
+index 67c7fdd..d7338be 100644
--- a/policy/modules/services/mailman.if
+++ b/policy/modules/services/mailman.if
@@ -16,7 +16,7 @@
@@ -38971,6 +39285,38 @@ index 67c7fdd..84b7626 100644
files_list_var(mailman_$1_t)
files_list_var_lib(mailman_$1_t)
files_read_var_lib_symlinks(mailman_$1_t)
+@@ -108,6 +108,31 @@ interface(`mailman_domtrans',`
+ domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
+ ')
+
++########################################
++## <summary>
++## Execute the mailman program in the mailman domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to allow the mailman domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`mailman_run',`
++ gen_require(`
++ type mailman_mail_t;
++ ')
++
++ mailman_domtrans($1)
++ role $2 types mailman_mail_t;
++')
++
+ #######################################
+ ## <summary>
+ ## Execute mailman CGI scripts in the
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index af4d572..cea085e 100644
--- a/policy/modules/services/mailman.te
@@ -40656,7 +41002,7 @@ index 256166a..6321a93 100644
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..f8c4fb6 100644
+index 343cee3..f6c92f9 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -40686,7 +41032,7 @@ index 343cee3..f8c4fb6 100644
#
interface(`mta_role',`
gen_require(`
-@@ -169,7 +171,7 @@ interface(`mta_role',`
+@@ -169,11 +171,19 @@ interface(`mta_role',`
# Transition from the user domain to the derived domain.
domtrans_pattern($2, sendmail_exec_t, user_mail_t)
@@ -40695,7 +41041,19 @@ index 343cee3..f8c4fb6 100644
allow mta_user_agent $2:fd use;
allow mta_user_agent $2:process sigchld;
-@@ -220,6 +222,25 @@ interface(`mta_agent_executable',`
+ allow mta_user_agent $2:fifo_file { read write };
++
++ optional_policy(`
++ exim_run($2, $1)
++ ')
++
++ optional_policy(`
++ mailman_run(mta_user_agent, $1)
++ ')
+ ')
+
+ ########################################
+@@ -220,6 +230,25 @@ interface(`mta_agent_executable',`
application_executable_file($1)
')
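Review bot: In the lines added to `mta_role`, `mailman_run(mta_user_agent, $1)` passes the `mta_user_agent` attribute as the source domain, while the `exim_run($2, $1)` call directly above it passes the caller's user domain `$2`. As written, every type carrying `mta_user_agent` may transition to `mailman_mail_t`, and the same attribute-wide rule is emitted again for each role that calls `mta_role`. If the attribute is intended, a comment such as `# mail user agents, not the user domain, start mailman` would record it, and the domain-transition half would probably sit better in mta.te. If it is not intended, `mailman_run($2, $1)` would match the exim call. The body of `mta_role` begins outside this hunk.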
@@ -40721,7 +41079,7 @@ index 343cee3..f8c4fb6 100644
########################################
## <summary>
## Make the specified type by a system MTA.
-@@ -306,7 +327,6 @@ interface(`mta_mailserver_sender',`
+@@ -306,7 +335,6 @@ interface(`mta_mailserver_sender',`
interface(`mta_mailserver_delivery',`
gen_require(`
attribute mailserver_delivery;
@@ -40729,7 +41087,7 @@ index 343cee3..f8c4fb6 100644
')
typeattribute $1 mailserver_delivery;
-@@ -330,12 +350,6 @@ interface(`mta_mailserver_user_agent',`
+@@ -330,12 +358,6 @@ interface(`mta_mailserver_user_agent',`
')
typeattribute $1 mta_user_agent;
@@ -40742,7 +41100,7 @@ index 343cee3..f8c4fb6 100644
')
########################################
-@@ -350,9 +364,8 @@ interface(`mta_mailserver_user_agent',`
+@@ -350,9 +372,8 @@ interface(`mta_mailserver_user_agent',`
#
interface(`mta_send_mail',`
gen_require(`
@@ -40753,7 +41111,7 @@ index 343cee3..f8c4fb6 100644
')
allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-@@ -391,12 +404,17 @@ interface(`mta_send_mail',`
+@@ -391,12 +412,17 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -40773,7 +41131,7 @@ index 343cee3..f8c4fb6 100644
')
########################################
-@@ -409,7 +427,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +435,6 @@ interface(`mta_sendmail_domtrans',`
## </summary>
## </param>
#
@@ -40781,7 +41139,7 @@ index 343cee3..f8c4fb6 100644
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -420,6 +437,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +445,24 @@ interface(`mta_signal_system_mail',`
########################################
## <summary>
@@ -40806,7 +41164,7 @@ index 343cee3..f8c4fb6 100644
## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
-@@ -438,6 +473,26 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +481,26 @@ interface(`mta_sendmail_exec',`
########################################
## <summary>
@@ -40833,7 +41191,7 @@ index 343cee3..f8c4fb6 100644
## Read mail server configuration.
## </summary>
## <param name="domain">
-@@ -474,7 +529,8 @@ interface(`mta_write_config',`
+@@ -474,7 +537,8 @@ interface(`mta_write_config',`
type etc_mail_t;
')
@@ -40843,7 +41201,7 @@ index 343cee3..f8c4fb6 100644
')
########################################
-@@ -494,6 +550,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +558,7 @@ interface(`mta_read_aliases',`
files_search_etc($1)
allow $1 etc_aliases_t:file read_file_perms;
@@ -40851,7 +41209,7 @@ index 343cee3..f8c4fb6 100644
')
########################################
-@@ -532,7 +589,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -532,7 +597,7 @@ interface(`mta_etc_filetrans_aliases',`
type etc_aliases_t;
')
@@ -40860,7 +41218,7 @@ index 343cee3..f8c4fb6 100644
')
########################################
-@@ -552,7 +609,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +617,7 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -40869,7 +41227,7 @@ index 343cee3..f8c4fb6 100644
')
#######################################
-@@ -646,8 +703,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +711,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -40880,7 +41238,7 @@ index 343cee3..f8c4fb6 100644
')
#######################################
-@@ -697,8 +754,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +762,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -40891,7 +41249,7 @@ index 343cee3..f8c4fb6 100644
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -838,7 +895,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +903,7 @@ interface(`mta_dontaudit_rw_queue',`
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -40900,7 +41258,7 @@ index 343cee3..f8c4fb6 100644
')
########################################
-@@ -899,3 +956,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +964,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -50715,7 +51073,7 @@ index cda37bb..484e552 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..66a585d 100644
+index b1468ed..4bd5e3c 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -50793,7 +51151,7 @@ index b1468ed..66a585d 100644
########################################
#
# NFSD local policy
-@@ -120,9 +133,13 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+@@ -120,9 +133,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
kernel_dontaudit_getattr_core_if(nfsd_t)
@@ -50804,10 +51162,11 @@ index b1468ed..66a585d 100644
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
+corenet_tcp_bind_nfs_port(nfsd_t)
++corenet_udp_bind_nfs_port(nfsd_t)
dev_dontaudit_getattr_all_blk_files(nfsd_t)
dev_dontaudit_getattr_all_chr_files(nfsd_t)
-@@ -148,6 +165,8 @@ storage_raw_read_removable_device(nfsd_t)
+@@ -148,6 +166,8 @@ storage_raw_read_removable_device(nfsd_t)
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
@@ -50816,7 +51175,7 @@ index b1468ed..66a585d 100644
# Write access to public_content_t and public_content_rw_t
tunable_policy(`allow_nfsd_anon_write',`
miscfiles_manage_public_files(nfsd_t)
-@@ -158,7 +177,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -158,7 +178,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@@ -50824,7 +51183,7 @@ index b1468ed..66a585d 100644
')
tunable_policy(`nfs_export_all_ro',`
-@@ -170,8 +188,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -170,8 +189,7 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@@ -50834,7 +51193,7 @@ index b1468ed..66a585d 100644
')
########################################
-@@ -181,7 +198,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -181,7 +199,7 @@ tunable_policy(`nfs_export_all_ro',`
allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
allow gssd_t self:process { getsched setsched };
@@ -50843,7 +51202,7 @@ index b1468ed..66a585d 100644
manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +216,7 @@ corecmd_exec_bin(gssd_t)
+@@ -199,6 +217,7 @@ corecmd_exec_bin(gssd_t)
fs_list_rpc(gssd_t)
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
@@ -50851,7 +51210,7 @@ index b1468ed..66a585d 100644
fs_list_inotifyfs(gssd_t)
files_list_tmp(gssd_t)
-@@ -210,14 +228,14 @@ auth_manage_cache(gssd_t)
+@@ -210,14 +229,14 @@ auth_manage_cache(gssd_t)
miscfiles_read_generic_certs(gssd_t)
@@ -50868,7 +51227,7 @@ index b1468ed..66a585d 100644
')
optional_policy(`
-@@ -229,6 +247,10 @@ optional_policy(`
+@@ -229,6 +248,10 @@ optional_policy(`
')
optional_policy(`
@@ -52432,7 +52791,7 @@ index 7e94c7c..5700fb8 100644
+ admin_pattern($1, mail_spool_t)
+')
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
-index 22dac1f..c3cf42a 100644
+index 22dac1f..1c27bd6 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
@@ -52471,7 +52830,17 @@ index 22dac1f..c3cf42a 100644
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
-@@ -149,7 +150,9 @@ optional_policy(`
+@@ -129,6 +130,9 @@ optional_policy(`
+
+ optional_policy(`
+ exim_domtrans(sendmail_t)
++ exim_manage_spool_files(sendmail_t)
++ exim_manage_spool_dirs(sendmail_t)
++ exim_read_log(sendmail_t)
+ ')
+
+ optional_policy(`
+@@ -149,7 +153,9 @@ optional_policy(`
')
optional_policy(`
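Review bot: The three calls added next to `exim_domtrans(sendmail_t)` give `sendmail_t` itself manage access to exim's spool files and directories, plus read access to its log, and nothing in the hunk says which operation required them. `exim_manage_spool_files` expands to `manage_files_pattern`, so this is create, write and delete rather than read-only. Since the block already lets sendmail transition into the exim domain, it is worth confirming from the recorded denials that `sendmail_t` touches the spool directly and that a narrower interface would not cover it. At minimum, add a comment above the calls, for example `# sendmail_t needs direct spool access because <reason> (<bug reference>)`.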
@@ -52481,7 +52850,7 @@ index 22dac1f..c3cf42a 100644
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
')
-@@ -168,20 +171,13 @@ optional_policy(`
+@@ -168,20 +174,13 @@ optional_policy(`
')
optional_policy(`
@@ -52863,7 +53232,7 @@ index 275f9fb..4f4a192 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..633e4ce 100644
+index 3d8d1b3..9509742 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@@ -52904,7 +53273,11 @@ index 3d8d1b3..633e4ce 100644
kernel_read_device_sysctls(snmpd_t)
kernel_read_kernel_sysctls(snmpd_t)
-@@ -97,12 +100,15 @@ fs_search_auto_mountpoints(snmpd_t)
+@@ -94,15 +97,19 @@ files_search_home(snmpd_t)
+ fs_getattr_all_dirs(snmpd_t)
+ fs_getattr_all_fs(snmpd_t)
+ fs_search_auto_mountpoints(snmpd_t)
++files_search_all_mountpoints(snmpd_t)
storage_dontaudit_read_fixed_disk(snmpd_t)
storage_dontaudit_read_removable_device(snmpd_t)
@@ -52921,7 +53294,7 @@ index 3d8d1b3..633e4ce 100644
logging_send_syslog_msg(snmpd_t)
-@@ -115,7 +121,7 @@ sysnet_read_config(snmpd_t)
+@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t)
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
userdom_dontaudit_search_user_home_dirs(snmpd_t)
@@ -53812,7 +54185,7 @@ index 078bcd7..2d60774 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..0d987fd 100644
+index 22adaca..3b7fec1 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@@ -53874,7 +54247,37 @@ index 22adaca..0d987fd 100644
dev_read_urand($1_ssh_t)
-@@ -168,7 +166,7 @@ template(`ssh_basic_client_template',`
+@@ -148,6 +146,29 @@ template(`ssh_basic_client_template',`
+ ')
+ ')
+
++######################################
++## <summary>
++## The template to define a domain to which sshd dyntransition.
++## </summary>
++## <param name="domain">
++## <summary>
++## The prefix of the dyntransition domain
++## </summary>
++## </param>
++#
++template(`ssh_dyntransition_domain_template',`
++ gen_require(`
++ attribute ssh_dyntransition_domain;
++ ')
++
++ type $1, ssh_dyntransition_domain;
++ domain_type($1)
++ role system_r types $1;
++
++ optional_policy(`
++ ssh_dyntransition_to($1)
++ ')
++')
+ #######################################
+ ## <summary>
+ ## The template to define a ssh server.
+@@ -168,7 +189,7 @@ template(`ssh_basic_client_template',`
## </summary>
## </param>
#
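Review bot: The parameter documentation of `ssh_dyntransition_domain_template` calls `$1` "The prefix of the dyntransition domain", but the body uses it as the complete type name (`type $1, ssh_dyntransition_domain;`). The callers in ssh.te pass `chroot_user_t` and `sshd_sandbox_t`, which confirms it is a full name. I would change the description to `## The type of the domain sshd may dyntransition to.` and the summary to `## The template to define a domain to which sshd can dyntransition.` A blank line between the closing `')` and the following `#######` banner would also match the other definitions in ssh.if.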
@@ -53883,7 +54286,7 @@ index 22adaca..0d987fd 100644
type $1_t, ssh_server;
auth_login_pgm_domain($1_t)
-@@ -181,16 +179,18 @@ template(`ssh_server_template', `
+@@ -181,16 +202,18 @@ template(`ssh_server_template', `
type $1_var_run_t;
files_pid_file($1_var_run_t)
@@ -53905,7 +54308,7 @@ index 22adaca..0d987fd 100644
term_create_pty($1_t, $1_devpts_t)
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-@@ -206,6 +206,7 @@ template(`ssh_server_template', `
+@@ -206,6 +229,7 @@ template(`ssh_server_template', `
kernel_read_kernel_sysctls($1_t)
kernel_read_network_state($1_t)
@@ -53913,7 +54316,7 @@ index 22adaca..0d987fd 100644
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
-@@ -220,8 +221,11 @@ template(`ssh_server_template', `
+@@ -220,8 +244,11 @@ template(`ssh_server_template', `
corenet_tcp_bind_generic_node($1_t)
corenet_udp_bind_generic_node($1_t)
corenet_tcp_bind_ssh_port($1_t)
@@ -53926,7 +54329,7 @@ index 22adaca..0d987fd 100644
fs_dontaudit_getattr_all_fs($1_t)
-@@ -234,6 +238,7 @@ template(`ssh_server_template', `
+@@ -234,6 +261,7 @@ template(`ssh_server_template', `
corecmd_getattr_bin_files($1_t)
domain_interactive_fd($1_t)
@@ -53934,7 +54337,7 @@ index 22adaca..0d987fd 100644
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
-@@ -243,13 +248,17 @@ template(`ssh_server_template', `
+@@ -243,13 +271,17 @@ template(`ssh_server_template', `
miscfiles_read_localization($1_t)
@@ -53954,7 +54357,7 @@ index 22adaca..0d987fd 100644
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files($1_t)
fs_read_nfs_symlinks($1_t)
-@@ -268,6 +277,14 @@ template(`ssh_server_template', `
+@@ -268,6 +300,14 @@ template(`ssh_server_template', `
files_read_var_lib_symlinks($1_t)
nx_spec_domtrans_server($1_t)
')
@@ -53969,7 +54372,7 @@ index 22adaca..0d987fd 100644
')
########################################
-@@ -290,11 +307,11 @@ template(`ssh_server_template', `
+@@ -290,11 +330,11 @@ template(`ssh_server_template', `
## User domain for the role
## </summary>
## </param>
@@ -53982,7 +54385,7 @@ index 22adaca..0d987fd 100644
type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
type ssh_agent_tmp_t;
-@@ -327,7 +344,7 @@ template(`ssh_role_template',`
+@@ -327,7 +367,7 @@ template(`ssh_role_template',`
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
@@ -53991,7 +54394,7 @@ index 22adaca..0d987fd 100644
# for rsync
allow ssh_t $3:unix_stream_socket rw_socket_perms;
-@@ -338,6 +355,7 @@ template(`ssh_role_template',`
+@@ -338,6 +378,7 @@ template(`ssh_role_template',`
manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
userdom_search_user_home_dirs($1_t)
@@ -53999,7 +54402,7 @@ index 22adaca..0d987fd 100644
##############################
#
-@@ -359,7 +377,7 @@ template(`ssh_role_template',`
+@@ -359,7 +400,7 @@ template(`ssh_role_template',`
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
# Allow the user shell to signal the ssh program.
@@ -54008,7 +54411,7 @@ index 22adaca..0d987fd 100644
# allow ps to show ssh
ps_process_pattern($3, $1_ssh_agent_t)
-@@ -381,7 +399,6 @@ template(`ssh_role_template',`
+@@ -381,7 +422,6 @@ template(`ssh_role_template',`
files_read_etc_files($1_ssh_agent_t)
files_read_etc_runtime_files($1_ssh_agent_t)
@@ -54016,7 +54419,7 @@ index 22adaca..0d987fd 100644
libs_read_lib_files($1_ssh_agent_t)
-@@ -393,14 +410,13 @@ template(`ssh_role_template',`
+@@ -393,14 +433,13 @@ template(`ssh_role_template',`
seutil_dontaudit_read_config($1_ssh_agent_t)
# Write to the user domain tty.
@@ -54034,13 +54437,13 @@ index 22adaca..0d987fd 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +493,27 @@ interface(`ssh_read_pipes',`
+@@ -477,8 +516,27 @@ interface(`ssh_read_pipes',`
type sshd_t;
')
- allow $1 sshd_t:fifo_file { getattr read };
+ allow $1 sshd_t:fifo_file read_fifo_file_perms;
- ')
++')
+
+######################################
+## <summary>
@@ -54058,12 +54461,12 @@ index 22adaca..0d987fd 100644
+ ')
+
+ allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
-+')
+ ')
+
########################################
## <summary>
## Read and write a ssh server unnamed pipe.
-@@ -494,7 +529,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +552,7 @@ interface(`ssh_rw_pipes',`
type sshd_t;
')
@@ -54072,7 +54475,7 @@ index 22adaca..0d987fd 100644
')
########################################
-@@ -586,6 +621,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +644,24 @@ interface(`ssh_domtrans',`
########################################
## <summary>
@@ -54097,7 +54500,7 @@ index 22adaca..0d987fd 100644
## Execute the ssh client in the caller domain.
## </summary>
## <param name="domain">
-@@ -618,7 +671,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +694,7 @@ interface(`ssh_setattr_key_files',`
type sshd_key_t;
')
@@ -54106,7 +54509,7 @@ index 22adaca..0d987fd 100644
files_search_pids($1)
')
-@@ -680,6 +733,32 @@ interface(`ssh_domtrans_keygen',`
+@@ -680,6 +756,32 @@ interface(`ssh_domtrans_keygen',`
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')
@@ -54139,7 +54542,7 @@ index 22adaca..0d987fd 100644
########################################
## <summary>
## Read ssh server keys
-@@ -695,7 +774,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +797,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@@ -54148,7 +54551,7 @@ index 22adaca..0d987fd 100644
')
######################################
-@@ -735,3 +814,81 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +837,81 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -54181,13 +54584,13 @@ index 22adaca..0d987fd 100644
+## </summary>
+## </param>
+#
-+interface(`ssh_dyntransition_chroot_user',`
++interface(`ssh_dyntransition_to',`
+ gen_require(`
-+ type chroot_user_t;
++ type sshd_t;
+ ')
+
-+ allow $1 chroot_user_t:process dyntransition;
-+ allow chroot_user_t $1:process sigchld;
++ allow sshd_t $1:process dyntransition;
++ allow $1 sshd_t:process sigchld;
+')
+
+########################################
@@ -54231,7 +54634,7 @@ index 22adaca..0d987fd 100644
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..28ef6ae 100644
+index 2dad3c8..a6e2e1e 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
@@ -54271,12 +54674,12 @@ index 2dad3c8..28ef6ae 100644
-gen_tunable(ssh_sysadm_login, false)
+gen_tunable(ssh_chroot_rw_homedirs, false)
++attribute ssh_dyntransition_domain;
attribute ssh_server;
attribute ssh_agent_type;
-+type chroot_user_t;
-+domain_type(chroot_user_t)
-+role system_r types chroot_user_t;
++ssh_dyntransition_domain_template(chroot_user_t)
++ssh_dyntransition_domain_template(sshd_sandbox_t)
+
type ssh_keygen_t;
type ssh_keygen_exec_t;
@@ -54531,14 +54934,10 @@ index 2dad3c8..28ef6ae 100644
')
optional_policy(`
-@@ -284,6 +337,19 @@ optional_policy(`
+@@ -284,6 +337,15 @@ optional_policy(`
')
optional_policy(`
-+ ssh_dyntransition_chroot_user(sshd_t)
-+')
-+
-+optional_policy(`
+ systemd_exec_systemctl(sshd_t)
+')
+
@@ -54551,7 +54950,7 @@ index 2dad3c8..28ef6ae 100644
unconfined_shell_domtrans(sshd_t)
')
-@@ -292,26 +358,26 @@ optional_policy(`
+@@ -292,26 +354,26 @@ optional_policy(`
')
ifdef(`TODO',`
@@ -54597,7 +54996,7 @@ index 2dad3c8..28ef6ae 100644
') dnl endif TODO
########################################
-@@ -322,19 +388,26 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +384,26 @@ tunable_policy(`ssh_sysadm_login',`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -54625,7 +55024,7 @@ index 2dad3c8..28ef6ae 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,15 +424,63 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,15 +420,83 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -54639,16 +55038,39 @@ index 2dad3c8..28ef6ae 100644
optional_policy(`
- seutil_sigchld_newrole(ssh_keygen_t)
+ udev_read_db(ssh_keygen_t)
+ ')
+
++####################################
++#
++# ssh_dyntransition domain local policy
++#
++
++allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };
++
++allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
++
+ optional_policy(`
+- udev_read_db(ssh_keygen_t)
++ ssh_rw_stream_sockets(ssh_dyntransition_domain)
++ ssh_rw_tcp_sockets(ssh_dyntransition_domain)
+')
+
++#####################################
++#
++# ssh_sandbox local policy
++#
++
++allow sshd_t sshd_sandbox_t:process signal;
++
++init_ioctl_stream_sockets(sshd_sandbox_t)
++
++logging_send_audit_msgs(sshd_sandbox_t)
++
+######################################
+#
+# chroot_user_t local policy
+#
+
-+allow chroot_user_t self:capability { setuid sys_chroot setgid };
-+
-+allow chroot_user_t self:fifo_file rw_fifo_file_perms;
+
+userdom_read_user_home_content_files(chroot_user_t)
+userdom_read_inherited_user_home_content_files(chroot_user_t)
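Review bot: Moving `self:capability { setuid sys_chroot setgid }` and the `ssh_rw_stream_sockets`/`ssh_rw_tcp_sockets` calls from `chroot_user_t` to the `ssh_dyntransition_domain` attribute grants them to every domain built by the template. That includes `sshd_sandbox_t`, which, going by the commit message, is presumably the pre-auth network process. The same domain also receives `logging_send_audit_msgs(sshd_sandbox_t)`, so I would confirm from the recorded denials that the sandbox needs each of these grants rather than inheriting them for convenience. A comment above the attribute rules, e.g. `# shared by all domains sshd dyntransitions to, including the pre-auth sandbox`, would make the shared grant explicit. The `chroot_user_t local policy` banner is now followed by two empty lines where the moved rules used to be.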
@@ -54684,12 +55106,9 @@ index 2dad3c8..28ef6ae 100644
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(chroot_user_t)
+ fs_read_nfs_symlinks(chroot_user_t)
- ')
-
- optional_policy(`
-- udev_read_db(ssh_keygen_t)
-+ ssh_rw_stream_sockets(chroot_user_t)
-+ ssh_rw_tcp_sockets(chroot_user_t)
++')
++
++optional_policy(`
+ ssh_rw_dgram_sockets(chroot_user_t)
')
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
@@ -54750,7 +55169,7 @@ index 941380a..6dbfc01 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..69e86c3 100644
+index 8ffa257..7d5a298 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
@@ -54776,7 +55195,7 @@ index 8ffa257..69e86c3 100644
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
-@@ -48,8 +50,12 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+@@ -48,11 +50,16 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
@@ -54789,7 +55208,11 @@ index 8ffa257..69e86c3 100644
corecmd_exec_bin(sssd_t)
dev_read_urand(sssd_t)
-@@ -60,6 +66,7 @@ domain_obj_id_change_exemption(sssd_t)
++dev_read_sysfs(sssd_t)
+
+ domain_read_all_domains_state(sssd_t)
+ domain_obj_id_change_exemption(sssd_t)
+@@ -60,6 +67,7 @@ domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
@@ -54797,7 +55220,7 @@ index 8ffa257..69e86c3 100644
fs_list_inotifyfs(sssd_t)
-@@ -69,7 +76,7 @@ seutil_read_file_contexts(sssd_t)
+@@ -69,7 +77,7 @@ seutil_read_file_contexts(sssd_t)
mls_file_read_to_clearance(sssd_t)
@@ -54806,7 +55229,7 @@ index 8ffa257..69e86c3 100644
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
-@@ -79,6 +86,12 @@ logging_send_syslog_msg(sssd_t)
+@@ -79,6 +87,12 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_localization(sssd_t)
@@ -54819,7 +55242,7 @@ index 8ffa257..69e86c3 100644
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -87,4 +100,28 @@ optional_policy(`
+@@ -87,4 +101,28 @@ optional_policy(`
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
@@ -56706,7 +57129,7 @@ index 7c5d8d8..72e3065 100644
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..c0d1ec6 100644
+index 3eca020..1eb165e 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,74 @@ policy_module(virt, 1.4.0)
@@ -57076,9 +57499,9 @@ index 3eca020..c0d1ec6 100644
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
++selinux_validate_context(virtd_t)
++
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -57232,7 +57655,7 @@ index 3eca020..c0d1ec6 100644
logging_send_syslog_msg(virt_domain)
miscfiles_read_localization(virt_domain)
-@@ -457,8 +624,177 @@ optional_policy(`
+@@ -457,8 +624,188 @@ optional_policy(`
')
optional_policy(`
@@ -57356,11 +57779,12 @@ index 3eca020..c0d1ec6 100644
+#
+# virt_lxc local policy
+#
-+allow virt_lxc_t self:capability { net_admin setpcap chown sys_admin };
++allow virt_lxc_t self:capability { net_admin net_raw setpcap chown sys_admin };
+allow virt_lxc_t self:process { setsched getcap setcap signal_perms };
+allow virt_lxc_t self:fifo_file rw_fifo_file_perms;
+allow virt_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow virt_lxc_t self:unix_stream_socket create_stream_socket_perms;
++allow virt_lxc_t self:packet_socket create_socket_perms;
+
+allow virt_lxc_t virt_image_type:dir mounton;
+
@@ -57376,6 +57800,7 @@ index 3eca020..c0d1ec6 100644
+
+kernel_read_network_state(virt_lxc_t)
+kernel_search_network_sysctl(virt_lxc_t)
++kernel_read_sysctl(virt_lxc_t)
+
+dev_read_sysfs(virt_lxc_t)
+
@@ -57385,12 +57810,14 @@ index 3eca020..c0d1ec6 100644
+files_mounton_all_mountpoints(virt_lxc_t)
+files_mount_all_file_type_fs(virt_lxc_t)
+files_unmount_all_file_type_fs(virt_lxc_t)
++files_list_isid_type_dirs(virt_lxc_t)
+
+fs_manage_tmpfs_dirs(virt_lxc_t)
+fs_manage_tmpfs_chr_files(virt_lxc_t)
+fs_manage_tmpfs_symlinks(virt_lxc_t)
+fs_manage_cgroup_dirs(virt_lxc_t)
+fs_rw_cgroup_files(virt_lxc_t)
++fs_remount_all_fs(virt_lxc_t)
+
+selinux_mount_fs(virt_lxc_t)
+selinux_unmount_fs(virt_lxc_t)
@@ -57404,7 +57831,14 @@ index 3eca020..c0d1ec6 100644
+
+miscfiles_read_localization(virt_lxc_t)
+
-+sysnet_exec_ifconfig(virt_lxc_t)
++sysnet_domtrans_ifconfig(virt_lxc_t)
++
++type lxc_t;
++domain_type(lxc_t);
++
++optional_policy(`
++ unconfined_domain(lxc_t)
++')
+
+optional_policy(`
+ unconfined_shell_domtrans(virt_lxc_t)
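Review bot: The new `lxc_t` type is declared in the middle of the virt_lxc local policy and its only rule is `unconfined_domain(lxc_t)`, so anything running in that domain is not restricted by this policy. No transition into `lxc_t` and no `role ... types lxc_t;` statement is visible in this hunk, so it is unclear how the domain is meant to be entered. If it is a placeholder until a confined container policy exists, say so in a comment, for example `# TODO: lxc_t is unconfined for now; replace with a confined container domain`. The declaration would also sit better with the module's other type declarations. `domain_type(lxc_t);` carries a trailing semicolon that the neighbouring interface calls do not have.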
@@ -61556,10 +61990,10 @@ index 354ce93..b8b14b9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..6794869 100644
+index 94fd8dd..b5e5c70 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
-@@ -79,6 +79,42 @@ interface(`init_script_domain',`
+@@ -79,6 +79,44 @@ interface(`init_script_domain',`
domtrans_pattern(init_run_all_scripts_domain, $2, $1)
')
@@ -61594,15 +62028,17 @@ index 94fd8dd..6794869 100644
+ domtrans_pattern(init_t,$2,$1)
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow init_t $1:unix_dgram_socket create_socket_perms;
-+ allow $1 init_t:unix_stream_socket ioctl;
++ allow $1 init_t:unix_stream_socket ioctl;
+ allow $1 init_t:unix_dgram_socket sendto;
++ # need write to /var/run/systemd/notify
++ init_write_pid_socket($1)
+ ')
+')
+
########################################
## <summary>
## Create a domain which can be started by init.
-@@ -105,7 +141,11 @@ interface(`init_domain',`
+@@ -105,7 +143,11 @@ interface(`init_domain',`
role system_r types $1;
@@ -61615,7 +62051,7 @@ index 94fd8dd..6794869 100644
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
-@@ -193,8 +233,10 @@ interface(`init_daemon_domain',`
+@@ -193,8 +235,10 @@ interface(`init_daemon_domain',`
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
type initrc_t;
@@ -61626,7 +62062,7 @@ index 94fd8dd..6794869 100644
')
typeattribute $1 daemon;
-@@ -202,39 +244,20 @@ interface(`init_daemon_domain',`
+@@ -202,39 +246,20 @@ interface(`init_daemon_domain',`
domain_type($1)
domain_entry_file($1, $2)
@@ -61652,17 +62088,17 @@ index 94fd8dd..6794869 100644
typeattribute $2 direct_init_entry;
- userdom_dontaudit_use_user_terminals($1)
-- ')
--
++# userdom_dontaudit_use_user_terminals($1)
+ ')
+
- ifdef(`hide_broken_symptoms',`
- # RHEL4 systems seem to have a stray
- # fds open from the initrd
- ifdef(`distro_rhel4',`
- kernel_dontaudit_use_fds($1)
- ')
-+# userdom_dontaudit_use_user_terminals($1)
- ')
-
+- ')
+-
- optional_policy(`
- nscd_socket_use($1)
+ tunable_policy(`init_upstart || init_systemd',`
@@ -61671,7 +62107,7 @@ index 94fd8dd..6794869 100644
')
')
-@@ -283,17 +306,20 @@ interface(`init_daemon_domain',`
+@@ -283,17 +308,20 @@ interface(`init_daemon_domain',`
interface(`init_ranged_daemon_domain',`
gen_require(`
type initrc_t;
@@ -61693,7 +62129,7 @@ index 94fd8dd..6794869 100644
')
')
-@@ -336,22 +362,23 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,22 +364,23 @@ interface(`init_ranged_daemon_domain',`
#
interface(`init_system_domain',`
gen_require(`
@@ -61724,7 +62160,7 @@ index 94fd8dd..6794869 100644
')
')
-@@ -401,20 +428,41 @@ interface(`init_system_domain',`
+@@ -401,20 +430,41 @@ interface(`init_system_domain',`
interface(`init_ranged_system_domain',`
gen_require(`
type initrc_t;
@@ -61766,7 +62202,7 @@ index 94fd8dd..6794869 100644
########################################
## <summary>
## Execute init (/sbin/init) with a domain transition.
-@@ -451,6 +499,10 @@ interface(`init_exec',`
+@@ -451,6 +501,10 @@ interface(`init_exec',`
corecmd_search_bin($1)
can_exec($1, init_exec_t)
@@ -61777,7 +62213,7 @@ index 94fd8dd..6794869 100644
')
########################################
-@@ -509,6 +561,24 @@ interface(`init_sigchld',`
+@@ -509,6 +563,24 @@ interface(`init_sigchld',`
########################################
## <summary>
@@ -61802,7 +62238,7 @@ index 94fd8dd..6794869 100644
## Connect to init with a unix socket.
## </summary>
## <param name="domain">
-@@ -519,10 +589,66 @@ interface(`init_sigchld',`
+@@ -519,10 +591,66 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@@ -61871,7 +62307,7 @@ index 94fd8dd..6794869 100644
')
########################################
-@@ -688,19 +814,25 @@ interface(`init_telinit',`
+@@ -688,19 +816,25 @@ interface(`init_telinit',`
type initctl_t;
')
@@ -61898,7 +62334,7 @@ index 94fd8dd..6794869 100644
')
')
-@@ -730,7 +862,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +864,7 @@ interface(`init_rw_initctl',`
## </summary>
## <param name="domain">
## <summary>
@@ -61907,7 +62343,7 @@ index 94fd8dd..6794869 100644
## </summary>
## </param>
#
-@@ -773,18 +905,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +907,19 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -61931,7 +62367,7 @@ index 94fd8dd..6794869 100644
')
')
-@@ -800,19 +933,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +935,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -61977,7 +62413,7 @@ index 94fd8dd..6794869 100644
')
########################################
-@@ -868,9 +1023,14 @@ interface(`init_script_file_domtrans',`
+@@ -868,9 +1025,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -61992,7 +62428,7 @@ index 94fd8dd..6794869 100644
files_search_etc($1)
')
-@@ -1079,6 +1239,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1241,24 @@ interface(`init_read_all_script_files',`
#######################################
## <summary>
@@ -62017,7 +62453,7 @@ index 94fd8dd..6794869 100644
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
-@@ -1130,12 +1308,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1310,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -62031,7 +62467,7 @@ index 94fd8dd..6794869 100644
')
########################################
-@@ -1375,6 +1548,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1550,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@@ -62059,7 +62495,7 @@ index 94fd8dd..6794869 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1461,6 +1655,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1657,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@@ -62085,7 +62521,7 @@ index 94fd8dd..6794869 100644
## Do not audit attempts to read init script
## status files.
## </summary>
-@@ -1519,6 +1732,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1734,24 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
@@ -62110,7 +62546,7 @@ index 94fd8dd..6794869 100644
## Create files in a init script
## temporary data directory.
## </summary>
-@@ -1586,6 +1817,24 @@ interface(`init_read_utmp',`
+@@ -1586,6 +1819,24 @@ interface(`init_read_utmp',`
########################################
## <summary>
@@ -62135,7 +62571,7 @@ index 94fd8dd..6794869 100644
## Do not audit attempts to write utmp.
## </summary>
## <param name="domain">
-@@ -1674,7 +1923,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1925,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -62144,7 +62580,7 @@ index 94fd8dd..6794869 100644
')
########################################
-@@ -1715,6 +1964,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1966,128 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file)
')
@@ -62273,7 +62709,7 @@ index 94fd8dd..6794869 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2120,175 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2122,194 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -62330,6 +62766,25 @@ index 94fd8dd..6794869 100644
+ init_dontaudit_use_script_fds($1)
+')
+
++#######################################
++## <summary>
++## Allow the specified domain to ioctl an
++## init with a unix domain stream sockets.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`init_ioctl_stream_sockets',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:unix_stream_socket ioctl;
++')
++
+########################################
+## <summary>
+## Allow the specified domain to read/write to
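Review bot: The summary of the new `init_ioctl_stream_sockets` interface reads "ioctl an init with a unix domain stream sockets", which is ungrammatical and does not say whose sockets are meant. The rule it documents is `allow $1 init_t:unix_stream_socket ioctl;`, so I would word the summary as `## Allow the specified domain to use ioctl on` / `## init unix domain stream sockets.` It would also help to note in the description that the interface grants ioctl only, so a caller that needs to read or write the socket has to obtain that permission through another interface.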
@@ -64817,10 +65272,24 @@ index 831b909..efe1038 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..0c27f81 100644
+index b6ec597..5684c8a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -20,6 +20,7 @@ files_security_file(auditd_log_t)
+@@ -5,6 +5,13 @@ policy_module(logging, 1.17.2)
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Allow syslogd daemon to send mail
++## </p>
++## </desc>
++gen_tunable(logging_syslogd_can_sendmail, false)
++
+ attribute logfile;
+
+ type auditctl_t;
+@@ -20,6 +27,7 @@ files_security_file(auditd_log_t)
files_security_mountpoint(auditd_log_t)
type audit_spool_t;
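Review bot: The `<desc>` for `logging_syslogd_can_sendmail` says "Allow syslogd daemon to send mail", which is broader than what the boolean grants. The only rule it guards, in the `tunable_policy` block added by the later logging.te hunk, is `corenet_tcp_connect_smtp_port(syslogd_t)`, an outbound TCP connection from the log daemon to the SMTP port. An administrator deciding whether to enable the boolean should be able to tell from the description that it opens network egress for `syslogd_t` and, as far as these hunks show, does not allow running a local mail binary. I would word it `## Allow syslogd to connect to the SMTP port to send log messages by mail (ommail module)`. The default of `false` is the right choice and should stay.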
@@ -64828,7 +65297,7 @@ index b6ec597..0c27f81 100644
files_security_file(audit_spool_t)
files_security_mountpoint(audit_spool_t)
-@@ -64,6 +65,7 @@ files_config_file(syslog_conf_t)
+@@ -64,6 +72,7 @@ files_config_file(syslog_conf_t)
type syslogd_t;
type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t)
@@ -64836,7 +65305,7 @@ index b6ec597..0c27f81 100644
type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)
-@@ -111,7 +113,7 @@ domain_use_interactive_fds(auditctl_t)
+@@ -111,7 +120,7 @@ domain_use_interactive_fds(auditctl_t)
mls_file_read_all_levels(auditctl_t)
@@ -64845,7 +65314,7 @@ index b6ec597..0c27f81 100644
init_dontaudit_use_fds(auditctl_t)
-@@ -183,16 +185,19 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +192,19 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@@ -64866,7 +65335,7 @@ index b6ec597..0c27f81 100644
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)
-@@ -237,10 +242,17 @@ corecmd_exec_shell(audisp_t)
+@@ -237,10 +249,17 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
@@ -64884,7 +65353,7 @@ index b6ec597..0c27f81 100644
logging_send_syslog_msg(audisp_t)
-@@ -250,6 +262,10 @@ sysnet_dns_name_resolve(audisp_t)
+@@ -250,6 +269,10 @@ sysnet_dns_name_resolve(audisp_t)
optional_policy(`
dbus_system_bus_client(audisp_t)
@@ -64895,7 +65364,7 @@ index b6ec597..0c27f81 100644
')
########################################
-@@ -280,11 +296,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,11 +303,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
@@ -64916,7 +65385,7 @@ index b6ec597..0c27f81 100644
sysnet_dns_name_resolve(audisp_remote_t)
########################################
-@@ -354,11 +379,12 @@ optional_policy(`
+@@ -354,11 +386,12 @@ optional_policy(`
# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
@@ -64931,7 +65400,7 @@ index b6ec597..0c27f81 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -376,6 +402,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -376,6 +409,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -64939,7 +65408,7 @@ index b6ec597..0c27f81 100644
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -385,9 +412,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -385,9 +419,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -64955,8 +65424,15 @@ index b6ec597..0c27f81 100644
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -428,8 +461,13 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
+@@ -426,10 +466,20 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+ corenet_sendrecv_postgresql_client_packets(syslogd_t)
+ corenet_sendrecv_mysqld_client_packets(syslogd_t)
++tunable_policy(`logging_syslogd_can_sendmail',`
++ # support for ommail module to send logs via mail
++ corenet_tcp_connect_smtp_port(syslogd_t)
++')
++
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
+dev_read_rand(syslogd_t)
@@ -64969,7 +65445,7 @@ index b6ec597..0c27f81 100644
files_read_etc_files(syslogd_t)
files_read_usr_files(syslogd_t)
-@@ -448,6 +486,7 @@ term_write_console(syslogd_t)
+@@ -448,6 +498,7 @@ term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
@@ -64977,7 +65453,7 @@ index b6ec597..0c27f81 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -459,6 +498,7 @@ init_use_fds(syslogd_t)
+@@ -459,6 +510,7 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -64985,7 +65461,7 @@ index b6ec597..0c27f81 100644
miscfiles_read_localization(syslogd_t)
-@@ -496,11 +536,20 @@ optional_policy(`
+@@ -496,11 +548,20 @@ optional_policy(`
')
optional_policy(`
@@ -66986,7 +67462,7 @@ index 170e2c7..b85fc73 100644
+ ')
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..4e8cb38 100644
+index 7ed9819..f2b7643 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -67257,17 +67733,17 @@ index 7ed9819..4e8cb38 100644
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+-
+-allow semanage_t policy_config_t:file rw_file_perms;
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
--allow semanage_t policy_config_t:file rw_file_perms;
-+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
--
++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
-
@@ -67296,13 +67772,13 @@ index 7ed9819..4e8cb38 100644
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
-+# Admins are creating pp files in random locations
-+files_read_non_security_files(semanage_t)
-
+-
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
--
++# Admins are creating pp files in random locations
++files_read_non_security_files(semanage_t)
+
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
@@ -67319,7 +67795,20 @@ index 7ed9819..4e8cb38 100644
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -487,118 +498,72 @@ ifdef(`distro_debian',`
+@@ -482,123 +493,85 @@ seutil_manage_default_contexts(semanage_t)
+ userdom_read_user_home_content_files(semanage_t)
+ userdom_read_user_tmp_files(semanage_t)
+
++tunable_policy(`use_nfs_home_dirs',`
++ fs_read_nfs_files(semanage_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(semanage_t)
++')
++
+ ifdef(`distro_debian',`
+ files_read_var_lib_files(semanage_t)
files_read_var_lib_symlinks(semanage_t)
')
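Review bot: The two added `tunable_policy` blocks give `semanage_t` `fs_read_nfs_files` and `fs_read_cifs_files` without a comment saying why a policy-management domain needs to read network-mounted home content. The nearby `files_read_non_security_files(semanage_t)` line is explained by "Admins are creating pp files in random locations", and presumably the same reason applies here. A line such as `# Admins keep policy modules in NFS/CIFS home directories` above the first block would record that. It matters because files on such mounts typically share a single type, so with the boolean on the read is not limited to policy modules.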
@@ -67384,23 +67873,23 @@ index 7ed9819..4e8cb38 100644
-mls_file_write_all_levels(setfiles_t)
-mls_file_upgrade(setfiles_t)
-mls_file_downgrade(setfiles_t)
--
++init_dontaudit_use_fds(setsebool_t)
+
-selinux_validate_context(setfiles_t)
-selinux_compute_access_vector(setfiles_t)
-selinux_compute_create_context(setfiles_t)
-selinux_compute_relabel_context(setfiles_t)
-selinux_compute_user_contexts(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
-
--term_use_all_ttys(setfiles_t)
--term_use_all_ptys(setfiles_t)
--term_use_unallocated_ttys(setfiles_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
+-term_use_all_ttys(setfiles_t)
+-term_use_all_ptys(setfiles_t)
+-term_use_unallocated_ttys(setfiles_t)
+-
-# this is to satisfy the assertion:
-auth_relabelto_shadow(setfiles_t)
-
@@ -68514,10 +69003,10 @@ index 0000000..eb3673d
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..e50a989
+index 0000000..411793e
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,359 @@
+@@ -0,0 +1,360 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -68623,6 +69112,7 @@ index 0000000..e50a989
+# /run/user/.*
+# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
+auth_manage_var_auth(systemd_logind_t)
++auth_use_nsswitch(systemd_logind_t)
+
+authlogin_read_state(systemd_logind_t)
+
@@ -73483,7 +73973,7 @@ index 4b2878a..fe5913a 100644
+ allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..02686f5 100644
+index 9b4a930..5cd0c45 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@@ -73536,7 +74026,7 @@ index 9b4a930..02686f5 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +98,73 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +98,74 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -73593,6 +74083,7 @@ index 9b4a930..02686f5 100644
+
+# Nautilus causes this avc
+dontaudit unpriv_userdomain self:dir setattr;
++allow unpriv_userdomain self:key manage_key_perms;
+
+optional_policy(`
+ alsa_read_rw_config(unpriv_userdomain)
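Review bot: The added `allow unpriv_userdomain self:key manage_key_perms;` sits directly under the "# Nautilus causes this avc" comment, so it reads as part of the Nautilus workaround. That comment describes the `dontaudit` line above it. The new line is a real grant rather than a dontaudit, and none of the three changelog entries in this commit mentions it. I would separate it with a blank line and give it its own comment, for example `# Allow unprivileged user domains to manage keys in their own keyrings`, with a reference to the report that motivated it.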
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f1c7240..f8a3bd6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 32%{?dist}
+Release: 33%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -468,6 +468,11 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Sep 23 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-33
+- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state
+- Add SELinux support for ssh pre-auth net process in F17
+- Add logging_syslogd_can_sendmail boolean
+
* Wed Sep 21 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-32
- Allow pwupdate to send mail
- Fix execmem_execmod() interface