[selinux-policy/f17] * Mon Apr 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-115 - Allow condor domains to connect to
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Apr 16 11:47:00 UTC 2012
commit eacf2a2227a4518d2fc344c56271a789cec6477a
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Apr 16 13:46:47 2012 +0200
* Mon Apr 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-115
- Allow condor domains to connect to ephemeral ports
- More fixes for condor policy
- Allow keystone to stream connect to mysqld
- Allow mozilla_plugin_t to read generic USB device to support GPS devices
- Allow thum to file name transition gstreamer home content
- Allow thum to read all non security files
- Allow glance_api_t to connect to ephemeral ports
- Allow nagios plugins to read /dev/urandom
- Allow syslogd to search postfix spool to support postfix chroot env
- Fix labeling for /var/spool/postfix/dev
- Allow wdmd chown
- Label .esd_auth as pulseaudio_home_t
- Have no idea why keyring tries to write to /run/user/dwalsh/dconf/user, but we can dontaudit for now
policy-F16.patch | 359 ++++++++++++++++++++++++++++++++++++---------------
selinux-policy.spec | 17 +++-
2 files changed, 271 insertions(+), 105 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 79bf778..a9e1e08 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -63807,7 +63807,7 @@ index 00a19e3..3681873 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..a68d325 100644
+index f5afe78..50068d6 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -1,44 +1,900 @@
@@ -64898,7 +64898,7 @@ index f5afe78..a68d325 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -122,17 +1049,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1049,38 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
@@ -64911,6 +64911,27 @@ index f5afe78..a68d325 100644
- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
++ gnome_filetrans_gstreamer_home_content($1)
++')
++
++#######################################
++## <summary>
++## file name transition gstreamer home content files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_filetrans_gstreamer_home_content',`
++ gen_require(`
++ type gstreamer_home_t;
++ ')
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
')
########################################
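Review bot: The four transition names in the new `gnome_filetrans_gstreamer_home_content` interface include `.gstreamer-10` and `.gstreamer-12`, which look like variants of the `.gstreamer-0.10`/`.gstreamer-0.12` directories on the two lines above; if those two are not directory names GStreamer actually creates, the corresponding `userdom_user_home_dir_filetrans` rules are dead and should be dropped or corrected. A one-line comment naming which GStreamer releases use each directory would let the next reader tell intent from typo, e.g. `# GStreamer 0.10/0.12 use ~/.gstreamer-0.1x; the unversioned-dot names are <confirm which release> - TODO verify`. The earlier added lines `manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)` and `gnome_filetrans_gstreamer_home_content($1)` belong to an interface whose start is outside this hunk.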
@@ -64920,7 +64941,7 @@ index f5afe78..a68d325 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +1067,301 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1088,301 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
@@ -65239,7 +65260,7 @@ index f5afe78..a68d325 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
+')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..9c48ce6 100644
+index 2505654..7a11c30 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -6,11 +6,31 @@ policy_module(gnome, 2.1.0)
@@ -65310,7 +65331,7 @@ index 2505654..9c48ce6 100644
##############################
#
# Local Policy
-@@ -75,3 +116,155 @@ optional_policy(`
+@@ -75,3 +116,157 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -65411,6 +65432,8 @@ index 2505654..9c48ce6 100644
+allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
+allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
+
++dontaudit gkeyringd_domain config_home_t:file write;
++
+userdom_user_home_dir_filetrans(gkeyringd_domain, gnome_home_t, dir)
+
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
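Review bot: The added `dontaudit gkeyringd_domain config_home_t:file write;` silences a denial whose cause the commit message says is unknown, and a dontaudit with no comment will hide that denial from anyone debugging keyring later (it only resurfaces with dontaudit rules disabled). Since the author's stated intent is a temporary measure, record it next to the rule, e.g. `# gnome-keyring tries to write the dconf user db (see /run/user/<user>/dconf/user); cause unknown, silenced until understood`. If the write turns out to be needed, this line should become a proper allow on a dedicated type rather than stay a dontaudit. The gkeyringd_domain rules this joins start outside the hunk.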
@@ -66796,7 +66819,7 @@ index fbb5c5a..637eb37 100644
')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..ef0498e 100644
+index 2e9318b..d6f54c3 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -66969,7 +66992,7 @@ index 2e9318b..ef0498e 100644
corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-@@ -344,6 +359,11 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
+@@ -344,9 +359,15 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
@@ -66981,7 +67004,11 @@ index 2e9318b..ef0498e 100644
dev_read_rand(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
-@@ -355,6 +375,7 @@ dev_write_sound(mozilla_plugin_t)
++dev_read_generic_usb_dev(mozilla_plugin_t)
+ dev_read_video_dev(mozilla_plugin_t)
+ dev_write_video_dev(mozilla_plugin_t)
+ dev_read_sysfs(mozilla_plugin_t)
+@@ -355,6 +376,7 @@ dev_write_sound(mozilla_plugin_t)
# for nvidia driver
dev_rw_xserver_misc(mozilla_plugin_t)
dev_dontaudit_rw_dri(mozilla_plugin_t)
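Review bot: `dev_read_generic_usb_dev(mozilla_plugin_t)` grants read on every generic USB device node to a domain that decodes untrusted web content, while the commit message only needs GPS receivers; as written, any compromised plugin can read whatever USB devices are attached. If this cannot be narrowed to a dedicated device type, gating it in a `tunable_policy(\`<boolean placeholder>\`,\` ... \')` block keeps the default policy tight and lets GPS users opt in. At minimum a comment should record the reason, e.g. `# GPS receivers show up as generic USB devices (see commit 3.10.0-115)`. The surrounding mozilla_plugin_t device rules start outside this hunk.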
@@ -66989,7 +67016,7 @@ index 2e9318b..ef0498e 100644
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -383,35 +404,34 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,35 +405,34 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
@@ -67039,7 +67066,7 @@ index 2e9318b..ef0498e 100644
optional_policy(`
alsa_read_rw_config(mozilla_plugin_t)
-@@ -421,11 +441,19 @@ optional_policy(`
+@@ -421,11 +442,19 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(mozilla_plugin_t)
dbus_session_bus_client(mozilla_plugin_t)
@@ -67059,7 +67086,7 @@ index 2e9318b..ef0498e 100644
')
optional_policy(`
-@@ -438,18 +466,98 @@ optional_policy(`
+@@ -438,18 +467,98 @@ optional_policy(`
')
optional_policy(`
@@ -68346,14 +68373,16 @@ index ccc15ab..9f88c3a 100644
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
allow podsleuth_t self:sem create_sem_perms;
diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc
-index 84f23dc..af5b87d 100644
+index 84f23dc..5be2738 100644
--- a/policy/modules/apps/pulseaudio.fc
+++ b/policy/modules/apps/pulseaudio.fc
-@@ -1,6 +1,9 @@
+@@ -1,6 +1,11 @@
-HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
++HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
++/root/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+
@@ -68361,7 +68390,7 @@ index 84f23dc..af5b87d 100644
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
-index f40c64d..aa9e8e2 100644
+index f40c64d..a830fa3 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -35,6 +35,9 @@ interface(`pulseaudio_role',`
@@ -68374,7 +68403,7 @@ index f40c64d..aa9e8e2 100644
allow $2 pulseaudio_t:dbus send_msg;
allow pulseaudio_t $2:dbus { acquire_svc send_msg };
')
-@@ -257,4 +260,66 @@ interface(`pulseaudio_manage_home_files',`
+@@ -257,4 +260,68 @@ interface(`pulseaudio_manage_home_files',`
userdom_search_user_home_dirs($1)
manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
@@ -68420,6 +68449,7 @@ index f40c64d..aa9e8e2 100644
+
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
++ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
+')
+
+########################################
@@ -68440,6 +68470,7 @@ index f40c64d..aa9e8e2 100644
+
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
++ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
')
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index d1eace5..add9f38 100644
@@ -70736,10 +70767,10 @@ index 0000000..9127cec
+')
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..62dd2ef
+index 0000000..28f7212
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,97 @@
+@@ -0,0 +1,101 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -70783,9 +70814,12 @@ index 0000000..62dd2ef
+
+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
++manage_sock_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
-+files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })
-+userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })
++files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
++userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
++xserver_xdm_tmp_filetrans(thumb_t, thumb_tmp_t, sock_file)
++
+can_exec(thumb_t, thumb_exec_t)
+
+kernel_read_system_state(thumb_t)
@@ -70803,6 +70837,7 @@ index 0000000..62dd2ef
+
+files_read_etc_files(thumb_t)
+files_read_usr_files(thumb_t)
++files_read_non_security_files(thumb_t)
+
+fs_read_dos_files(thumb_t)
+
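Review bot: `files_read_non_security_files(thumb_t)` lets the thumbnailer read nearly every file on the system, and thumbnailers parse attacker-supplied media, so this line defines what an exploited thumbnailer can read and leak. The lines above already cover etc and usr, and the commit message gives no denial that motivates the broad grant; if a specific path triggered it, a narrower interface for that type would be preferable. If the broad grant is really required, a comment naming the denied path, e.g. `# needed to read <path from the AVC - TODO fill in>`, makes the decision reviewable. The thumb_t local policy this belongs to starts outside the hunk.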
@@ -73787,7 +73822,7 @@ index 35fed4f..51ad69a 100644
#
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 6cf8784..2354089 100644
+index 6cf8784..21a5923 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,12 +15,14 @@
@@ -73832,7 +73867,7 @@ index 6cf8784..2354089 100644
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -187,8 +193,6 @@ ifdef(`distro_suse', `
+@@ -187,12 +193,22 @@ ifdef(`distro_suse', `
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -73841,9 +73876,10 @@ index 6cf8784..2354089 100644
ifdef(`distro_redhat',`
# originally from named.fc
/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
-@@ -196,3 +200,14 @@ ifdef(`distro_redhat',`
+ /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
++/var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0)
')
+
+#
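Review bot: The new entry `/var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0)` labels only the directory, whereas the named chroot block just above lists its device nodes individually (`null`, `random`, `zero`); if the postfix chroot is populated with the same kind of nodes, they would otherwise keep whatever label postfix's spool pattern assigns them. If that is the case, matching lines of the form `/var/spool/postfix/dev/null -c gen_context(system_u:object_r:null_device_t,s0)` (constructed example, mirror the named entries) belong here too. I cannot see postfix.fc from this hunk, so this is worth confirming rather than assuming.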
@@ -77961,7 +77997,7 @@ index cda5588..e89e4bf 100644
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..610924d 100644
+index 97fcdac..b131b1b 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -78673,7 +78709,32 @@ index 97fcdac..610924d 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4251,6 +4697,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4232,6 +4678,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
+
+ ########################################
+ ## <summary>
++## Delete generic files in tmpfs directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_delete_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:file unlink;
++')
++
++########################################
++## <summary>
+ ## Read and write, create and delete generic
+ ## files on tmpfs filesystems.
+ ## </summary>
+@@ -4251,6 +4715,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
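Review bot: The new `fs_delete_tmpfs_files` interface grants only `allow $1 tmpfs_t:file unlink;` and nothing on the containing directory, so on its own it does not let a caller remove a file (unlink also needs `remove_name`/`search` on the `tmpfs_t` directory); the caller added later in this commit, initrc_t, only works because it already has `fs_manage_tmpfs_dirs`. The refpolicy idiom for this is the pattern macro, which supplies both halves: `delete_files_pattern($1, tmpfs_t, tmpfs_t)`. Using it also keeps the interface consistent with the neighbouring `fs_manage_tmpfs_files`, whose body is outside this hunk.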
@@ -78699,7 +78760,7 @@ index 97fcdac..610924d 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
-@@ -4457,6 +4922,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4940,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -78708,7 +78769,7 @@ index 97fcdac..610924d 100644
')
########################################
-@@ -4503,7 +4970,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4988,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -78717,7 +78778,7 @@ index 97fcdac..610924d 100644
## Example attributes:
## </p>
## <ul>
-@@ -4866,3 +5333,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5351,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -84751,14 +84812,14 @@ index deca9d3..ac92fce 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..8166ed1 100644
+index 9e39aa5..7d2d411 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,21 +1,33 @@
HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
-+HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_content_ra_t,s0)
++HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@ -93174,10 +93235,10 @@ index 0000000..d509142
+')
diff --git a/policy/modules/services/condor.te b/policy/modules/services/condor.te
new file mode 100644
-index 0000000..0878667
+index 0000000..1237d07
--- /dev/null
+++ b/policy/modules/services/condor.te
-@@ -0,0 +1,204 @@
+@@ -0,0 +1,226 @@
+policy_module(condor, 1.0.0)
+
+########################################
@@ -93204,6 +93265,9 @@ index 0000000..0878667
+condor_domain_template(startd)
+condor_domain_template(procd)
+
++type condor_schedd_tmp_t;
++files_tmp_file(condor_schedd_tmp_t)
++
+type condor_startd_tmp_t;
+files_tmp_file(condor_startd_tmp_t)
+
@@ -93294,10 +93358,13 @@ index 0000000..0878667
+# condor master local policy
+#
+
-+allow condor_master_t self:capability { setuid setgid dac_override };
++allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
+
+allow condor_master_t condor_domain:process signal;
+
++corenet_tcp_bind_condor_port(condor_master_t)
++corenet_udp_bind_condor_port(condor_master_t)
++
+domain_read_all_domains_state(condor_master_t)
+
+auth_use_nsswitch(condor_master_t)
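Review bot: `sys_ptrace` is added to `condor_master_t`'s self:capability set (and likewise to `condor_procd_t` in the hunk ending at L425) without a comment; CAP_SYS_PTRACE is one of the capabilities that lets a domain inspect other processes' memory, so the reason should be recorded. Since `domain_read_all_domains_state` sits right below, the likely trigger is the kernel probing this capability when reading other users' /proc entries, and in that case refpolicy convention is to silence it rather than grant it: `dontaudit condor_master_t self:capability sys_ptrace;`. If condor really does ptrace other processes the allow is correct, and a comment such as `# sys_ptrace: <what condor ptraces - TODO confirm>` would settle it. The condor_master_t local policy starts outside the hunk.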
@@ -93309,8 +93376,8 @@ index 0000000..0878667
+
+allow condor_collector_t self:capability { setuid setgid };
+
-+allow condor_collector_t condor_master_t:tcp_socket { getopt getattr setopt accept };
-+allow condor_collector_t condor_master_t:udp_socket { getopt getattr setopt };
++allow condor_collector_t condor_master_t:tcp_socket rw_stream_socket_perms;
++allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+
+kernel_read_network_state(condor_collector_t)
+
@@ -93321,6 +93388,10 @@ index 0000000..0878667
+# condor negotiator local policy
+#
+allow condor_negotiator_t self:capability { setuid setgid };
++allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
++allow condor_negotiator_t condor_master_t:udp_socket getattr;
++
++corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
+
+auth_use_nsswitch(condor_negotiator_t)
+
@@ -93329,7 +93400,7 @@ index 0000000..0878667
+# condor procd local policy
+#
+
-+allow condor_procd_t self:capability { fowner chown dac_override };
++allow condor_procd_t self:capability { fowner chown dac_override sys_ptrace };
+
+domain_read_all_domains_state(condor_procd_t)
+
@@ -93342,6 +93413,19 @@ index 0000000..0878667
+
+# dac_override because of /var/log/condor
+allow condor_schedd_t self:capability { setuid chown setgid dac_override };
++allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms;
++allow condor_schedd_t condor_master_t:udp_socket getattr;
++
++allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
++
++manage_dirs_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
++manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
++files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
++allow condor_schedd_t condor_schedd_tmp_t:file { relabelfrom relabelto };
++
++kernel_read_kernel_sysctls(condor_schedd_t)
++
++corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
+
+auth_use_nsswitch(condor_schedd_t)
+
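Review bot: `allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;` applies a file permission set to the `dir` class; every name in `manage_file_perms` exists on `dir` through the common file permissions, so it compiles, but it omits `add_name`, `remove_name` and `search`, which is what managing a lock directory actually needs. The intended rule is almost certainly `manage_dirs_pattern(condor_schedd_t, condor_var_lock_t, condor_var_lock_t)`, and if schedd also creates lock files inside it, `manage_files_pattern(condor_schedd_t, condor_var_lock_t, condor_var_lock_t)` alongside. The remaining additions in this hunk (tmp handling, ephemeral-port connect) look consistent with the type declared earlier in the commit; the schedd local policy starts outside the hunk.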
@@ -93381,7 +93465,6 @@ index 0000000..0878667
+optional_policy(`
+ unconfined_domain(condor_startd_t)
+')
-+
diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc
index 32233ab..8a073d1 100644
--- a/policy/modules/services/consolekit.fc
@@ -103094,10 +103177,10 @@ index 0000000..ebe1dde
+')
diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
new file mode 100644
-index 0000000..4afb81f
+index 0000000..941c652
--- /dev/null
+++ b/policy/modules/services/glance.te
-@@ -0,0 +1,104 @@
+@@ -0,0 +1,105 @@
+policy_module(glance, 1.0.0)
+
+########################################
@@ -103196,6 +103279,7 @@ index 0000000..4afb81f
+corenet_tcp_bind_generic_node(glance_api_t)
+corenet_tcp_bind_hplip_port(glance_api_t)
+corenet_tcp_connect_glance_registry_port(glance_api_t)
++corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
+
+dev_read_urand(glance_api_t)
+
@@ -105637,10 +105721,10 @@ index 0000000..c7a5aeb
+')
diff --git a/policy/modules/services/keystone.te b/policy/modules/services/keystone.te
new file mode 100644
-index 0000000..bd47cdc
+index 0000000..d73c319
--- /dev/null
+++ b/policy/modules/services/keystone.te
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,69 @@
+policy_module(keystone, 1.0.0)
+
+########################################
@@ -105706,6 +105790,10 @@ index 0000000..bd47cdc
+libs_exec_ldconfig(keystone_t)
+
+miscfiles_read_localization(keystone_t)
++
++optional_policy(`
++ mysql_stream_connect(keystone_t)
++')
diff --git a/policy/modules/services/ksmtuned.fc b/policy/modules/services/ksmtuned.fc
index 9c0c835..8360166 100644
--- a/policy/modules/services/ksmtuned.fc
@@ -110903,7 +110991,7 @@ index 8581040..7d8e93b 100644
init_labeled_script_domtrans($1, nagios_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..57dfbca 100644
+index bf64a4c..11d96f9 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -5,6 +5,8 @@ policy_module(nagios, 1.10.0)
@@ -111021,7 +111109,15 @@ index bf64a4c..57dfbca 100644
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
-@@ -270,12 +287,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -251,7 +268,6 @@ optional_policy(`
+ corecmd_read_bin_files(nagios_admin_plugin_t)
+ corecmd_read_bin_symlinks(nagios_admin_plugin_t)
+
+-dev_read_urand(nagios_admin_plugin_t)
+ dev_getattr_all_chr_files(nagios_admin_plugin_t)
+ dev_getattr_all_blk_files(nagios_admin_plugin_t)
+
+@@ -270,19 +286,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -111034,7 +111130,14 @@ index bf64a4c..57dfbca 100644
kernel_read_kernel_sysctls(nagios_mail_plugin_t)
corecmd_read_bin_files(nagios_mail_plugin_t)
-@@ -299,7 +314,7 @@ optional_policy(`
+ corecmd_read_bin_symlinks(nagios_mail_plugin_t)
+
+-dev_read_urand(nagios_mail_plugin_t)
+-
+ files_read_etc_files(nagios_mail_plugin_t)
+
+ logging_send_syslog_msg(nagios_mail_plugin_t)
+@@ -299,7 +311,7 @@ optional_policy(`
optional_policy(`
postfix_stream_connect_master(nagios_mail_plugin_t)
@@ -111043,7 +111146,7 @@ index bf64a4c..57dfbca 100644
')
######################################
-@@ -310,6 +325,9 @@ optional_policy(`
+@@ -310,6 +322,9 @@ optional_policy(`
# needed by ioctl()
allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
@@ -111053,7 +111156,7 @@ index bf64a4c..57dfbca 100644
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -321,11 +339,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -321,11 +336,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
# local policy for service check plugins
#
@@ -111067,7 +111170,7 @@ index bf64a4c..57dfbca 100644
corecmd_exec_bin(nagios_services_plugin_t)
-@@ -340,6 +358,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -340,6 +355,8 @@ files_read_usr_files(nagios_services_plugin_t)
optional_policy(`
netutils_domtrans_ping(nagios_services_plugin_t)
@@ -111076,7 +111179,7 @@ index bf64a4c..57dfbca 100644
')
optional_policy(`
-@@ -363,6 +383,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -363,6 +380,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
@@ -111085,7 +111188,13 @@ index bf64a4c..57dfbca 100644
kernel_read_system_state(nagios_system_plugin_t)
kernel_read_kernel_sysctls(nagios_system_plugin_t)
-@@ -376,6 +398,8 @@ domain_read_all_domains_state(nagios_system_plugin_t)
+@@ -370,12 +389,13 @@ corecmd_exec_bin(nagios_system_plugin_t)
+ corecmd_exec_shell(nagios_system_plugin_t)
+
+ dev_read_sysfs(nagios_system_plugin_t)
+-dev_read_urand(nagios_system_plugin_t)
+
+ domain_read_all_domains_state(nagios_system_plugin_t)
files_read_etc_files(nagios_system_plugin_t)
@@ -111094,7 +111203,7 @@ index bf64a4c..57dfbca 100644
# needed by check_users plugin
optional_policy(`
init_read_utmp(nagios_system_plugin_t)
-@@ -389,3 +413,49 @@ optional_policy(`
+@@ -389,3 +409,52 @@ optional_policy(`
optional_policy(`
unconfined_domain(nagios_unconfined_plugin_t)
')
@@ -111138,6 +111247,9 @@ index bf64a4c..57dfbca 100644
+
+kernel_read_system_state(nagios_plugin_domain)
+
++dev_read_urand(nagios_plugin_domain)
++dev_read_rand(nagios_plugin_domain)
++
+files_read_usr_files(nagios_plugin_domain)
+
+miscfiles_read_localization(nagios_plugin_domain)
@@ -113691,7 +113803,7 @@ index d883214..d6afa87 100644
init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
-index 8b550f4..117a7ac 100644
+index 8b550f4..3075607 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0)
@@ -113766,8 +113878,12 @@ index 8b550f4..117a7ac 100644
corenet_tcp_connect_http_cache_port(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)
-@@ -102,6 +110,8 @@ files_read_etc_runtime_files(openvpn_t)
+@@ -100,8 +108,12 @@ dev_read_urand(openvpn_t)
+ files_read_etc_files(openvpn_t)
+ files_read_etc_runtime_files(openvpn_t)
++fs_getattr_xattr_fs(openvpn_t)
++
auth_use_pam(openvpn_t)
+init_read_utmp(openvpn_t)
@@ -113775,7 +113891,7 @@ index 8b550f4..117a7ac 100644
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
-@@ -112,21 +122,23 @@ sysnet_exec_ifconfig(openvpn_t)
+@@ -112,21 +124,23 @@ sysnet_exec_ifconfig(openvpn_t)
sysnet_manage_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
@@ -113807,7 +113923,7 @@ index 8b550f4..117a7ac 100644
optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
-@@ -138,3 +150,7 @@ optional_policy(`
+@@ -138,3 +152,7 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
@@ -131887,10 +132003,10 @@ index 0000000..8e3570d
+')
diff --git a/policy/modules/services/wdmd.te b/policy/modules/services/wdmd.te
new file mode 100644
-index 0000000..b6db3b3
+index 0000000..df9a759
--- /dev/null
+++ b/policy/modules/services/wdmd.te
-@@ -0,0 +1,47 @@
+@@ -0,0 +1,46 @@
+policy_module(wdmd,1.0.0)
+
+########################################
@@ -131912,8 +132028,7 @@ index 0000000..b6db3b3
+#
+# wdmd local policy
+#
-+allow wdmd_t self:capability { sys_nice ipc_lock };
-+dontaudit wdmd_t self:capability chown;
++allow wdmd_t self:capability { chown sys_nice ipc_lock };
+allow wdmd_t self:process { setsched signal };
+
+allow wdmd_t self:fifo_file rw_fifo_file_perms;
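Review bot: The rewrite of `dontaudit wdmd_t self:capability chown;` into `allow wdmd_t self:capability { chown sys_nice ipc_lock };` turns a deliberately silenced capability into a granted one with no explanation; CAP_CHOWN lets the daemon change ownership of any file its other rules let it touch, so the reason belongs next to the rule, following the `# dac_override because of /var/log/condor` style used elsewhere in this patch. Suggested comment: `# chown: <path or operation wdmd needs it for - TODO fill in>`. If the need is confined to one path, a dedicated type plus the existing dontaudit would be tighter than a capability grant. The wdmd_t local policy continues outside the hunk.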
@@ -132102,7 +132217,7 @@ index 4966c94..bc7b581 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..4a0455e 100644
+index 130ced9..c0a4891 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -132851,7 +132966,7 @@ index 130ced9..4a0455e 100644
')
########################################
-@@ -1243,10 +1540,483 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1540,515 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -133337,6 +133452,38 @@ index 130ced9..4a0455e 100644
+ userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
+')
++
++########################################
++## <summary>
++## Create objects in a xdm temporary directory
++## with an automatic type transition to
++## a specified private type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private_type">
++## <summary>
++## The type of the object to create.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The class of the object to be created.
++## </summary>
++## </param>
++#
++interface(`xserver_xdm_tmp_filetrans',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ filetrans_pattern($1, xdm_tmp_t, $2, $3, $4)
++ files_search_tmp($1)
++')
++
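Review bot: The new `xserver_xdm_tmp_filetrans` interface passes `$4` to `filetrans_pattern($1, xdm_tmp_t, $2, $3, $4)` but its XML header documents only `domain`, `private_type` and `object_class`, so the optional file-name argument is invisible to interface documentation and to callers; add a fourth `<param name="name" optional="true">` entry whose summary describes the name of the object being created, matching how other filetrans interfaces in this file are documented. The summary text `Create objects in a xdm temporary directory` should read `an xdm`. The only caller in this commit, `xserver_xdm_tmp_filetrans(thumb_t, thumb_tmp_t, sock_file)` in thumb.te, passes three arguments, which is fine once the fourth is documented as optional.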
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 143c893..2659b5c 100644
--- a/policy/modules/services/xserver.te
@@ -138082,7 +138229,7 @@ index 94fd8dd..6acffdb 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..a8f3c90 100644
+index 29a9565..cfdbceb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -138479,7 +138626,7 @@ index 29a9565..a8f3c90 100644
init_write_initctl(initrc_t)
-@@ -258,20 +475,33 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +475,34 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -138500,6 +138647,7 @@ index 29a9565..a8f3c90 100644
+
+fs_manage_tmpfs_dirs(initrc_t)
+fs_manage_tmpfs_symlinks(initrc_t)
++fs_delete_tmpfs_files(initrc_t)
+fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
corecmd_exec_all_executables(initrc_t)
@@ -138517,7 +138665,7 @@ index 29a9565..a8f3c90 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +509,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +510,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -138525,7 +138673,7 @@ index 29a9565..a8f3c90 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -289,8 +520,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +521,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -138536,7 +138684,7 @@ index 29a9565..a8f3c90 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,17 +531,16 @@ dev_manage_generic_files(initrc_t)
+@@ -298,17 +532,16 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -138556,7 +138704,7 @@ index 29a9565..a8f3c90 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -316,6 +548,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +549,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -138564,7 +138712,7 @@ index 29a9565..a8f3c90 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -323,8 +556,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +557,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -138576,7 +138724,7 @@ index 29a9565..a8f3c90 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +575,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +576,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -138590,7 +138738,7 @@ index 29a9565..a8f3c90 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,9 +590,12 @@ fs_mount_all_fs(initrc_t)
+@@ -351,9 +591,12 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -138604,7 +138752,7 @@ index 29a9565..a8f3c90 100644
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
-@@ -363,6 +605,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +606,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -138612,7 +138760,7 @@ index 29a9565..a8f3c90 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +617,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +618,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -138620,7 +138768,7 @@ index 29a9565..a8f3c90 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,18 +638,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +639,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -138642,7 +138790,7 @@ index 29a9565..a8f3c90 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +701,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +702,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -138653,7 +138801,7 @@ index 29a9565..a8f3c90 100644
alsa_read_lib(initrc_t)
')
-@@ -478,7 +725,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +726,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -138662,7 +138810,7 @@ index 29a9565..a8f3c90 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -493,6 +740,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +741,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -138670,7 +138818,7 @@ index 29a9565..a8f3c90 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -513,6 +761,7 @@ ifdef(`distro_redhat',`
+@@ -513,6 +762,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -138678,7 +138826,7 @@ index 29a9565..a8f3c90 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -522,8 +771,35 @@ ifdef(`distro_redhat',`
+@@ -522,8 +772,35 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -138714,7 +138862,7 @@ index 29a9565..a8f3c90 100644
')
optional_policy(`
-@@ -531,14 +807,27 @@ ifdef(`distro_redhat',`
+@@ -531,14 +808,27 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -138742,7 +138890,7 @@ index 29a9565..a8f3c90 100644
')
')
-@@ -549,6 +838,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +839,39 @@ ifdef(`distro_suse',`
')
')
@@ -138782,7 +138930,7 @@ index 29a9565..a8f3c90 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +883,8 @@ optional_policy(`
+@@ -561,6 +884,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -138791,7 +138939,7 @@ index 29a9565..a8f3c90 100644
')
optional_policy(`
-@@ -577,6 +901,7 @@ optional_policy(`
+@@ -577,6 +902,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -138799,7 +138947,7 @@ index 29a9565..a8f3c90 100644
')
optional_policy(`
-@@ -589,6 +914,17 @@ optional_policy(`
+@@ -589,6 +915,17 @@ optional_policy(`
')
optional_policy(`
@@ -138817,7 +138965,7 @@ index 29a9565..a8f3c90 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +941,13 @@ optional_policy(`
+@@ -605,9 +942,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -138831,7 +138979,7 @@ index 29a9565..a8f3c90 100644
')
optional_policy(`
-@@ -632,6 +972,10 @@ optional_policy(`
+@@ -632,6 +973,10 @@ optional_policy(`
')
optional_policy(`
@@ -138842,7 +138990,7 @@ index 29a9565..a8f3c90 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -649,6 +993,15 @@ optional_policy(`
+@@ -649,6 +994,15 @@ optional_policy(`
')
optional_policy(`
@@ -138858,7 +139006,7 @@ index 29a9565..a8f3c90 100644
inn_exec_config(initrc_t)
')
-@@ -689,6 +1042,7 @@ optional_policy(`
+@@ -689,6 +1043,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -138866,7 +139014,7 @@ index 29a9565..a8f3c90 100644
')
optional_policy(`
-@@ -706,7 +1060,13 @@ optional_policy(`
+@@ -706,7 +1061,13 @@ optional_policy(`
')
optional_policy(`
@@ -138880,7 +139028,7 @@ index 29a9565..a8f3c90 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1089,10 @@ optional_policy(`
+@@ -729,6 +1090,10 @@ optional_policy(`
')
optional_policy(`
@@ -138891,7 +139039,7 @@ index 29a9565..a8f3c90 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1102,20 @@ optional_policy(`
+@@ -738,10 +1103,20 @@ optional_policy(`
')
optional_policy(`
@@ -138912,7 +139060,7 @@ index 29a9565..a8f3c90 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1124,10 @@ optional_policy(`
+@@ -750,6 +1125,10 @@ optional_policy(`
')
optional_policy(`
@@ -138923,7 +139071,7 @@ index 29a9565..a8f3c90 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1149,6 @@ optional_policy(`
+@@ -771,8 +1150,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -138932,7 +139080,7 @@ index 29a9565..a8f3c90 100644
')
optional_policy(`
-@@ -781,6 +1157,10 @@ optional_policy(`
+@@ -781,6 +1158,10 @@ optional_policy(`
')
optional_policy(`
@@ -138943,7 +139091,7 @@ index 29a9565..a8f3c90 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -790,10 +1170,12 @@ optional_policy(`
+@@ -790,10 +1171,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -138956,7 +139104,7 @@ index 29a9565..a8f3c90 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1187,6 @@ optional_policy(`
+@@ -805,7 +1188,6 @@ optional_policy(`
')
optional_policy(`
@@ -138964,7 +139112,7 @@ index 29a9565..a8f3c90 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -815,11 +1196,29 @@ optional_policy(`
+@@ -815,11 +1197,29 @@ optional_policy(`
')
optional_policy(`
@@ -138995,7 +139143,7 @@ index 29a9565..a8f3c90 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1228,18 @@ optional_policy(`
+@@ -829,6 +1229,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -139014,7 +139162,7 @@ index 29a9565..a8f3c90 100644
')
optional_policy(`
-@@ -844,6 +1255,10 @@ optional_policy(`
+@@ -844,6 +1256,10 @@ optional_policy(`
')
optional_policy(`
@@ -139025,7 +139173,7 @@ index 29a9565..a8f3c90 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1269,165 @@ optional_policy(`
+@@ -854,3 +1270,165 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -140625,7 +140773,7 @@ index a0b379d..95bf920 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..8520fb2 100644
+index 02f4c97..56e3f71 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -6,6 +6,8 @@
@@ -140689,16 +140837,15 @@ index 02f4c97..8520fb2 100644
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -54,6 +73,8 @@ ifndef(`distro_gentoo',`
+@@ -54,6 +73,7 @@ ifndef(`distro_gentoo',`
ifdef(`distro_redhat',`
/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
-+/var/spool/postfix/dev -d gen_context(system_u:object_r:var_log_t,s0)
+/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
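Review bot: With the `-d var_log_t` entry for `/var/spool/postfix/dev` dropped, that directory falls back to whatever postfix.fc assigns it (not visible here, presumably the postfix spool type), and the surviving `-s devlog_t` line only takes effect on a relabel. A socket that syslogd creates at runtime under that directory inherits the parent directory's type unless a type_transition applies, so if the chroot log socket is created by syslogd rather than placed by the postfix init script it would come up as the spool type instead of devlog_t and the chroot would still not have a usable log socket. If syslogd is the creator, a `type_transition` from syslogd_t on the spool directory type to devlog_t for `sock_file` named `log` belongs in logging.te next to this labeling fix; if the postfix init script creates it, a comment above this entry, `# created by the postfix init script; syslogd only traverses the spool to reach it`, would record that and keep the two rules from being read as sufficient on their own.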
-@@ -66,6 +87,7 @@ ifdef(`distro_redhat',`
+@@ -66,6 +86,7 @@ ifdef(`distro_redhat',`
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
@@ -140706,7 +140853,7 @@ index 02f4c97..8520fb2 100644
/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-@@ -73,4 +95,9 @@ ifdef(`distro_redhat',`
+@@ -73,4 +94,9 @@ ifdef(`distro_redhat',`
/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -141035,7 +141182,7 @@ index 831b909..b9cff6d 100644
+ files_spool_filetrans($1, audit_spool_t, dir, "audit")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..9c495b2 100644
+index b6ec597..9759103 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -5,6 +5,20 @@ policy_module(logging, 1.17.2)
@@ -141267,7 +141414,7 @@ index b6ec597..9c495b2 100644
miscfiles_read_localization(syslogd_t)
-@@ -496,11 +569,20 @@ optional_policy(`
+@@ -496,11 +569,24 @@ optional_policy(`
')
optional_policy(`
@@ -141275,6 +141422,10 @@ index b6ec597..9c495b2 100644
+')
+
+optional_policy(`
++ postfix_search_spool(syslogd_t)
++')
++
++optional_policy(`
postgresql_stream_connect(syslogd_t)
')
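Review bot: `postfix_search_spool(syslogd_t)` grants only directory search on the postfix spool, which is enough to reach an already-existing `/var/spool/postfix/dev/log` socket but not to create one; if syslogd itself binds that socket (rsyslog's unix listen socket), `add_name`/`create` on the `dev` directory and `sock_file` creation are still missing from this hunk. Search-only is the right minimal grant when the postfix init script pre-creates the socket, and widening it to write access on the whole spool should be avoided; if creation by syslogd is required, a grant limited to `sock_file` creation in the chroot's `dev` directory is preferable. Either way a one-line comment stating which side creates the socket, `# syslogd only traverses the spool to reach the chroot /dev/log socket`, would make the scope of this rule auditable.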
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c9bb991..478fcd2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 114%{?dist}
+Release: 115%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -489,6 +489,21 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Apr 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-115
+- Allow condor domains to connect to ephemeral ports
+- More fixes for condor policy
+- Allow keystone to stream connect to mysqld
+- Allow mozilla_plugin_t to read generic USB device to support GPS devices
+- Allow thum to file name transition gstreamer home content
+- Allow thum to read all non security files
+- Allow glance_api_t to connect to ephemeral ports
+- Allow nagios plugins to read /dev/urandom
+- Allow syslogd to search postfix spool to support postfix chroot env
+- Fix labeling for /var/spool/postfix/dev
+- Allow wdmd chown
+- Label .esd_auth as pulseaudio_home_t
+- Have no idea why keyring tries to write to /run/user/dwalsh/dconf/user, but we can dontaudit for now
+
* Fri Apr 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-114
- Add support for clamd+systemd
- Allow fresclam to execute systemctl to handle clamd