[selinux-policy/f16] * Fri Apr 20 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0 - Add ~/.orc as a gstreamer_home_t - All
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Apr 20 21:57:44 UTC 2012
commit aba88ad09b916546f1fd229e71403b25eb3ada98
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Apr 20 23:57:28 2012 +0200
* Fri Apr 20 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0
- Add ~/.orc as a gstreamer_home_t
- Allow mcelog to exec shell
- Allow systemd_tmpfiles to manage printer devices
- Add definitions for jboss_messaging ports
- Fix labeling of log files for postgresql
- Allow firewalld to execute shell
- Fix /etc/wicd content files to get created with the corre
- tmpreaper should be able to list all file system labeled
- Allow sambagui to use ldap
- Lot of fixes for cfengine
- Allow pads to create socket
policy-F16.patch | 690 ++++++++++++++++++++++++++++++++-------------------
selinux-policy.spec | 15 +-
2 files changed, 452 insertions(+), 253 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index eba5b86..441c676 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1591,7 +1591,7 @@ index 56c43c0..409bbfc 100644
+
+/var/run/mcelog.* gen_context(system_u:object_r:mcelog_var_run_t,s0)
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
-index 5671977..034908d 100644
+index 5671977..48c8303 100644
--- a/policy/modules/admin/mcelog.te
+++ b/policy/modules/admin/mcelog.te
@@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0)
@@ -1610,7 +1610,7 @@ index 5671977..034908d 100644
########################################
#
-@@ -17,10 +23,22 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
+@@ -17,10 +23,23 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
allow mcelog_t self:capability sys_admin;
@@ -1625,6 +1625,7 @@ index 5671977..034908d 100644
+
kernel_read_system_state(mcelog_t)
++corecmd_exec_shell(mcelog_t)
+corecmd_exec_bin(mcelog_t)
+
dev_read_raw_memory(mcelog_t)
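Review bot: `corecmd_exec_shell(mcelog_t)` on the `++` line gives a domain that already holds `sys_admin` (visible in the earlier mcelog hunk) and `dev_read_raw_memory` the ability to run a shell, and nothing in the hunk records which part of mcelog needs it. Presumably this is for the scripts mcelog runs on machine-check events; if so, say so inline, e.g. `# mcelog runs its event trigger scripts through the shell`, so the rule is not tightened back by mistake later. If those scripts live in one fixed directory, a dedicated exec type with a domain transition would keep shell execution out of mcelog_t itself, but that is a design choice beyond this hunk. The mcelog_t policy block starts and ends outside the hunk.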
@@ -1633,7 +1634,7 @@ index 5671977..034908d 100644
files_read_etc_files(mcelog_t)
-@@ -30,3 +48,7 @@ mls_file_read_all_levels(mcelog_t)
+@@ -30,3 +49,7 @@ mls_file_read_all_levels(mcelog_t)
logging_send_syslog_msg(mcelog_t)
miscfiles_read_localization(mcelog_t)
@@ -4134,7 +4135,7 @@ index d5aaf0e..6b16aef 100644
optional_policy(`
mta_send_mail(sxid_t)
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..65681da 100644
+index 6a5004b..c687f14 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -4145,7 +4146,7 @@ index 6a5004b..65681da 100644
application_domain(tmpreaper_t, tmpreaper_exec_t)
role system_r types tmpreaper_t;
-@@ -18,6 +19,8 @@ role system_r types tmpreaper_t;
+@@ -18,18 +19,25 @@ role system_r types tmpreaper_t;
allow tmpreaper_t self:process { fork sigchld };
allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
@@ -4154,7 +4155,8 @@ index 6a5004b..65681da 100644
dev_read_urand(tmpreaper_t)
fs_getattr_xattr_fs(tmpreaper_t)
-@@ -25,11 +28,15 @@ fs_getattr_xattr_fs(tmpreaper_t)
++fs_list_all(tmpreaper_t)
+
files_read_etc_files(tmpreaper_t)
files_read_var_lib_files(tmpreaper_t)
files_purge_tmp(tmpreaper_t)
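Review bot: `fs_list_all(tmpreaper_t)` grants directory listing on every filesystem type, and the only record of why is the changelog line "tmpreaper should be able to list all file system labeled", which does not survive into the policy source. Add a one-line why-comment above the call, e.g. `# tmp trees handed to tmpreaper may live on any filesystem type`, worded to match whatever the original denial showed. The tmpreaper_t block starts and ends outside the hunk.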
@@ -4170,7 +4172,7 @@ index 6a5004b..65681da 100644
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
-@@ -38,13 +45,17 @@ logging_send_syslog_msg(tmpreaper_t)
+@@ -38,13 +46,17 @@ logging_send_syslog_msg(tmpreaper_t)
miscfiles_read_localization(tmpreaper_t)
miscfiles_delete_man_pages(tmpreaper_t)
@@ -4192,7 +4194,7 @@ index 6a5004b..65681da 100644
')
optional_policy(`
-@@ -52,7 +63,9 @@ optional_policy(`
+@@ -52,7 +64,9 @@ optional_policy(`
')
optional_policy(`
@@ -4202,7 +4204,7 @@ index 6a5004b..65681da 100644
apache_delete_cache_files(tmpreaper_t)
apache_setattr_cache_dirs(tmpreaper_t)
')
-@@ -66,9 +79,13 @@ optional_policy(`
+@@ -66,9 +80,13 @@ optional_policy(`
')
optional_policy(`
@@ -5655,10 +5657,10 @@ index 6e4add5..10a2ce4 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(giftd_t)
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
-index 00a19e3..9f6139c 100644
+index 00a19e3..ade1224 100644
--- a/policy/modules/apps/gnome.fc
+++ b/policy/modules/apps/gnome.fc
-@@ -1,9 +1,45 @@
+@@ -1,9 +1,46 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
@@ -5668,6 +5670,7 @@ index 00a19e3..9f6139c 100644
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
+HOME_DIR/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
@@ -5707,7 +5710,7 @@ index 00a19e3..9f6139c 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..eeeebbb 100644
+index f5afe78..5bd094e 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -1,44 +1,879 @@
@@ -6799,7 +6802,7 @@ index f5afe78..eeeebbb 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +1046,299 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1046,303 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
@@ -7026,6 +7029,9 @@ index f5afe78..eeeebbb 100644
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
+ # ~/.color/icc: legacy
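Review bot: The three new `userdom_user_home_dir_filetrans` lines add `.gstreamer-0.12` and `.gstreamer-0.10`, but the existing `.gstreamer-10` and `.gstreamer-12` entries two lines below are kept, and they look like misspellings of the same directory names rather than separate directories; if that is the case, drop them, otherwise comment why both spellings are needed. The admin-home counterpart in the next hunk (`userdom_admin_home_dir_filetrans`) receives only `.orc` and still lists `.gstreamer-10`/`.gstreamer-12`, so root's `~/.gstreamer-0.10` would not get the `gstreamer_home_t` transition that user homes now get; add the two `.gstreamer-0.1x` lines there as well. The enclosing interface starts and ends outside the hunk.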
@@ -7066,6 +7072,7 @@ index f5afe78..eeeebbb 100644
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+ userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
++ userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
+ userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
+ userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
+ # /root/.color/icc: legacy
@@ -10530,10 +10537,10 @@ index 4c091ca..a58f123 100644
+
+/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
-index f594e12..2025c1f 100644
+index f594e12..e8f731d 100644
--- a/policy/modules/apps/sambagui.te
+++ b/policy/modules/apps/sambagui.te
-@@ -27,11 +27,13 @@ corecmd_exec_bin(sambagui_t)
+@@ -27,16 +27,20 @@ corecmd_exec_bin(sambagui_t)
dev_dontaudit_read_urand(sambagui_t)
@@ -10547,7 +10554,14 @@ index f594e12..2025c1f 100644
logging_send_syslog_msg(sambagui_t)
-@@ -56,6 +58,7 @@ optional_policy(`
+ miscfiles_read_localization(sambagui_t)
+
++sysnet_use_ldap(sambagui_t)
++
+ optional_policy(`
+ consoletype_exec(sambagui_t)
+ ')
+@@ -56,6 +60,7 @@ optional_policy(`
samba_manage_var_files(sambagui_t)
samba_read_secrets(sambagui_t)
samba_initrc_domtrans(sambagui_t)
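Review bot: `sysnet_use_ldap(sambagui_t)` is added unconditionally and without a comment, and it opens an LDAP client path from a GUI configuration tool. If the need comes from user/group lookups through nsswitch, `auth_use_nsswitch(sambagui_t)` is the conventional interface and covers LDAP together with the other name-service backends; if a direct LDAP query is intended, put a why-comment above the call, e.g. `# resolves users and groups against LDAP`. The sambagui_t block starts and ends outside the hunk.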
@@ -14652,7 +14666,7 @@ index 4f3b542..f4e36ee 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..8c780d2 100644
+index 99b71cb..688d361 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,15 @@ attribute netif_type;
@@ -14794,7 +14808,7 @@ index 99b71cb..8c780d2 100644
network_port(ipmi, udp,623,s0, udp,664,s0)
network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +173,27 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +173,29 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -14802,7 +14816,9 @@ index 99b71cb..8c780d2 100644
-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
-network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
+network_port(jabber_router, tcp,5347,s0)
-+network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 18001, s0)
++network_port(jboss_debug, tcp,8787,s0)
++network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0)
++network_port(jboss_management, tcp,4712,s0, tcp,4447,s0, udp,4712,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 18001, s0)
+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
+network_port(kerberos_admin, tcp,749,s0)
+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
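Review bot: The extended `jboss_management` line mixes `tcp,9123,s0` with `tcp, 9990, s0` and `tcp, 18001, s0`; normalize it to the file's `proto,port,level` form before the inconsistency spreads to other entries. The ports newly folded into `jboss_management` (4447 and 7600) are not explained anywhere on the page, so a short comment naming the JBoss services behind them would spare the next reader a lookup. Giving the debug listener its own `jboss_debug` type is the right call, since a separate type is what lets policy keep that port off confined domains; a one-line comment saying so would make the intent clear.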
@@ -14825,7 +14841,7 @@ index 99b71cb..8c780d2 100644
network_port(mpd, tcp,6600,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +203,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,21 +205,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -14858,7 +14874,7 @@ index 99b71cb..8c780d2 100644
network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
-@@ -179,34 +240,41 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -179,34 +242,41 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
@@ -14905,7 +14921,7 @@ index 99b71cb..8c780d2 100644
network_port(traceroute, udp,64000-64010,s0)
network_port(transproxy, tcp,8081,s0)
network_port(ups, tcp,3493,s0)
-@@ -215,9 +283,12 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +285,12 @@ network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -14919,7 +14935,7 @@ index 99b71cb..8c780d2 100644
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -229,6 +300,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +302,7 @@ network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -14927,7 +14943,7 @@ index 99b71cb..8c780d2 100644
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -238,6 +310,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +312,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -14940,7 +14956,7 @@ index 99b71cb..8c780d2 100644
########################################
#
-@@ -282,9 +360,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +362,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -15069,7 +15085,7 @@ index 6cf8784..c384d6f 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..2cad8ee 100644
+index f820f3b..0060905 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -15507,32 +15523,33 @@ index f820f3b..2cad8ee 100644
')
########################################
-@@ -3210,24 +3466,6 @@ interface(`dev_rw_printer',`
+@@ -3210,7 +3466,7 @@ interface(`dev_rw_printer',`
########################################
## <summary>
-## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
--## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
--## </param>
--#
++## Read and write the printer device.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -3218,12 +3474,13 @@ interface(`dev_rw_printer',`
+ ## </summary>
+ ## </param>
+ #
-interface(`dev_read_printk',`
-- gen_require(`
++interface(`dev_manage_printer',`
+ gen_require(`
- type device_t, printk_device_t;
-- ')
--
++ type device_t, printer_device_t;
+ ')
+
- read_chr_files_pattern($1, device_t, printk_device_t)
--')
--
--########################################
--## <summary>
- ## Get the attributes of the QEMU
- ## microcode and id interfaces.
- ## </summary>
-@@ -3811,6 +4049,42 @@ interface(`dev_getattr_sysfs_dirs',`
++ manage_chr_files_pattern($1, device_t, printer_device_t)
++ dev_filetrans_printer_named_dev($1)
+ ')
+
+ ########################################
+@@ -3811,6 +4068,42 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
## <summary>
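Review bot: The summary written for `dev_manage_printer` reads `## Read and write the printer device.`, but the body grants `manage_chr_files_pattern` (create, delete and rename as well as read/write) plus the named-device file transitions; document what is actually granted, e.g. `## Create, read, write and delete printer device nodes, labeling new ones printer_device_t.`. Because the interface is written over the old upstream `dev_read_printk` slot rather than appended, a reader comparing the vendored patch with upstream cannot tell from the doc block alone that the semantics changed from read-only to manage. The old and new interface text both continue outside the hunk.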
@@ -15575,7 +15592,7 @@ index f820f3b..2cad8ee 100644
## Search the sysfs directories.
## </summary>
## <param name="domain">
-@@ -3860,6 +4134,7 @@ interface(`dev_list_sysfs',`
+@@ -3860,6 +4153,7 @@ interface(`dev_list_sysfs',`
type sysfs_t;
')
@@ -15583,7 +15600,7 @@ index f820f3b..2cad8ee 100644
list_dirs_pattern($1, sysfs_t, sysfs_t)
')
-@@ -3902,25 +4177,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3902,25 +4196,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
## <summary>
@@ -15609,7 +15626,7 @@ index f820f3b..2cad8ee 100644
## Read hardware state information.
## </summary>
## <desc>
-@@ -3972,6 +4228,42 @@ interface(`dev_rw_sysfs',`
+@@ -3972,6 +4247,62 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
@@ -15629,6 +15646,26 @@ index f820f3b..2cad8ee 100644
+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
++#######################################
++## <summary>
++## Relabel hardware state files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_relabel_all_sysfs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++ relabel_files_pattern($1, sysfs_t, sysfs_t)
++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++')
++
+########################################
+## <summary>
+## Allow caller to modify hardware state information.
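Review bot: `dev_relabel_all_sysfs` is documented as `## Relabel hardware state files` while its body also relabels directories and symlinks (`relabel_dirs_pattern`, `relabel_lnk_files_pattern`); make the summary say `## Relabel hardware state directories, files and symlinks (sysfs_t to sysfs_t).`. The header rule on the first added line appears one `#` shorter than the file's other headers, such as the one immediately following this block. Since every pattern here is sysfs_t to sysfs_t, the interface does not let a caller move sysfs objects to another type, which is worth stating because the `all` in the name could suggest otherwise.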
@@ -15652,7 +15689,7 @@ index f820f3b..2cad8ee 100644
## Read and write the TPM device.
## </summary>
## <param name="domain">
-@@ -4069,6 +4361,25 @@ interface(`dev_write_urand',`
+@@ -4069,6 +4400,25 @@ interface(`dev_write_urand',`
########################################
## <summary>
@@ -15678,7 +15715,7 @@ index f820f3b..2cad8ee 100644
## Getattr generic the USB devices.
## </summary>
## <param name="domain">
-@@ -4103,6 +4414,24 @@ interface(`dev_setattr_generic_usb_dev',`
+@@ -4103,6 +4453,24 @@ interface(`dev_setattr_generic_usb_dev',`
setattr_chr_files_pattern($1, device_t, usb_device_t)
')
@@ -15703,7 +15740,7 @@ index f820f3b..2cad8ee 100644
########################################
## <summary>
## Read generic the USB devices.
-@@ -4495,6 +4824,24 @@ interface(`dev_rw_vhost',`
+@@ -4495,6 +4863,24 @@ interface(`dev_rw_vhost',`
########################################
## <summary>
@@ -15728,7 +15765,7 @@ index f820f3b..2cad8ee 100644
## Read and write VMWare devices.
## </summary>
## <param name="domain">
-@@ -4695,6 +5042,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4695,6 +5081,26 @@ interface(`dev_rw_xserver_misc',`
########################################
## <summary>
@@ -15755,7 +15792,7 @@ index f820f3b..2cad8ee 100644
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
-@@ -4784,3 +5151,843 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5190,861 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -15789,6 +15826,64 @@ index f820f3b..2cad8ee 100644
+## </summary>
+## </param>
+#
++interface(`dev_filetrans_printer_named_dev',`
++
++ gen_require(`
++ type printer_device_t;
++
++ ')
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
++')
++
++########################################
++## <summary>
++## Create all named devices with the correct label
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`dev_filetrans_all_named_dev',`
+
+gen_require(`
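Review bot: `dev_filetrans_printer_named_dev` uses `device_t` in every `filetrans_pattern` call but its `gen_require` block declares only `printer_device_t`; add `type device_t;` there so the interface states its own dependencies, as the neighbouring `dev_manage_printer` does with `type device_t, printer_device_t;`. The blank line inside `gen_require` and the one between the interface name and `gen_require` are out of step with the rest of the file and should go. The 40 `filetrans_pattern` lines are the ones removed from `dev_filetrans_all_named_dev` in the later hunks of this section, so the review is a matter of checking nothing was lost in the move; ten entries each for `irlpt`, `lp`, `par` and `usblp` match the four deletion hunks.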
@@ -15810,7 +15905,6 @@ index f820f3b..2cad8ee 100644
+ type random_device_t;
+ type dri_device_t;
+ type ipmi_device_t;
-+ type printer_device_t;
+ type memory_device_t;
+ type kmsg_device_t;
+ type qemu_device_t;
@@ -15837,6 +15931,7 @@ index f820f3b..2cad8ee 100644
+ type mtrr_device_t;
+')
+
++ dev_filetrans_printer_named_dev($1)
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2")
@@ -16074,16 +16169,6 @@ index f820f3b..2cad8ee 100644
+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7")
+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8")
+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1")
@@ -16132,16 +16217,6 @@ index f820f3b..2cad8ee 100644
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9")
+ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog")
+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem")
+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem")
@@ -16205,16 +16280,6 @@ index f820f3b..2cad8ee 100644
+ filetrans_pattern($1, device_t, null_device_t, chr_file, "null")
+ filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram")
+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1")
@@ -16320,16 +16385,6 @@ index f820f3b..2cad8ee 100644
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0")
+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1")
+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2")
@@ -26098,7 +26153,7 @@ index 6480167..e12bbc0 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..ad1e64f 100644
+index 3136c6a..e8e4fa6 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,232 @@ policy_module(apache, 2.2.1)
@@ -26517,7 +26572,7 @@ index 3136c6a..ad1e64f 100644
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +501,16 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +501,17 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -26527,6 +26582,7 @@ index 3136c6a..ad1e64f 100644
corenet_tcp_bind_http_cache_port(httpd_t)
+corenet_tcp_bind_ntop_port(httpd_t)
+corenet_tcp_bind_jboss_management_port(httpd_t)
++corenet_tcp_bind_jboss_messaging_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
+corenet_tcp_bind_puppet_port(httpd_t)
# Signal self for shutdown
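Review bot: `corenet_tcp_bind_jboss_messaging_port(httpd_t)` lets every httpd_t process listen on the JBoss messaging ports (5445/5455 per the corenetwork hunk on this page) unconditionally, next to the existing `jboss_management` and `puppet` binds, and none of the three carries a comment saying why the web-server domain itself needs them. If this exists because JBoss runs under httpd_t on these systems, record that above the lines, e.g. `# JBoss AS runs as httpd_t and listens on its management and messaging ports`, and keep the JBoss binds together under that comment; otherwise a tunable would keep the ports closed on hosts that only run Apache. The httpd_t networking block starts and ends outside the hunk.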
@@ -26535,7 +26591,7 @@ index 3136c6a..ad1e64f 100644
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -378,12 +519,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +520,12 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -26551,7 +26607,7 @@ index 3136c6a..ad1e64f 100644
domain_use_interactive_fds(httpd_t)
-@@ -391,6 +532,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +533,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -26559,7 +26615,7 @@ index 3136c6a..ad1e64f 100644
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
-@@ -402,48 +544,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +545,101 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -26663,7 +26719,7 @@ index 3136c6a..ad1e64f 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -454,27 +649,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -454,27 +650,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -26727,7 +26783,7 @@ index 3136c6a..ad1e64f 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +713,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +714,22 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -26750,7 +26806,7 @@ index 3136c6a..ad1e64f 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +743,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +744,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -26771,7 +26827,7 @@ index 3136c6a..ad1e64f 100644
')
optional_policy(`
-@@ -513,7 +767,13 @@ optional_policy(`
+@@ -513,7 +768,13 @@ optional_policy(`
')
optional_policy(`
@@ -26786,7 +26842,7 @@ index 3136c6a..ad1e64f 100644
')
optional_policy(`
-@@ -528,7 +788,19 @@ optional_policy(`
+@@ -528,7 +789,19 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -26807,7 +26863,7 @@ index 3136c6a..ad1e64f 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +809,13 @@ optional_policy(`
+@@ -537,8 +810,13 @@ optional_policy(`
')
optional_policy(`
@@ -26822,7 +26878,7 @@ index 3136c6a..ad1e64f 100644
')
')
-@@ -556,7 +833,21 @@ optional_policy(`
+@@ -556,7 +834,21 @@ optional_policy(`
')
optional_policy(`
@@ -26844,7 +26900,7 @@ index 3136c6a..ad1e64f 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +858,7 @@ optional_policy(`
+@@ -567,6 +859,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -26852,7 +26908,7 @@ index 3136c6a..ad1e64f 100644
')
optional_policy(`
-@@ -577,6 +869,20 @@ optional_policy(`
+@@ -577,6 +870,20 @@ optional_policy(`
')
optional_policy(`
@@ -26873,7 +26929,7 @@ index 3136c6a..ad1e64f 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +897,11 @@ optional_policy(`
+@@ -591,6 +898,11 @@ optional_policy(`
')
optional_policy(`
@@ -26885,7 +26941,7 @@ index 3136c6a..ad1e64f 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +914,12 @@ optional_policy(`
+@@ -603,6 +915,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -26898,7 +26954,7 @@ index 3136c6a..ad1e64f 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +933,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +934,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -26911,7 +26967,7 @@ index 3136c6a..ad1e64f 100644
########################################
#
-@@ -654,28 +975,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +976,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -26955,7 +27011,7 @@ index 3136c6a..ad1e64f 100644
')
########################################
-@@ -685,6 +1008,8 @@ optional_policy(`
+@@ -685,6 +1009,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -26964,7 +27020,7 @@ index 3136c6a..ad1e64f 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1024,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1025,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -26990,7 +27046,7 @@ index 3136c6a..ad1e64f 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1070,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1071,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -27023,7 +27079,7 @@ index 3136c6a..ad1e64f 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1117,25 @@ optional_policy(`
+@@ -769,6 +1118,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -27049,7 +27105,7 @@ index 3136c6a..ad1e64f 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1156,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1157,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -27067,7 +27123,7 @@ index 3136c6a..ad1e64f 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1175,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1176,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -27124,7 +27180,7 @@ index 3136c6a..ad1e64f 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1226,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1227,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -27165,7 +27221,7 @@ index 3136c6a..ad1e64f 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1271,20 @@ optional_policy(`
+@@ -842,10 +1272,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -27186,7 +27242,7 @@ index 3136c6a..ad1e64f 100644
')
########################################
-@@ -891,11 +1330,49 @@ optional_policy(`
+@@ -891,11 +1331,49 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -29622,10 +29678,10 @@ index c3e3f79..3e78d4e 100644
+
diff --git a/policy/modules/services/cfengine.fc b/policy/modules/services/cfengine.fc
new file mode 100644
-index 0000000..4ec83df
+index 0000000..4c52fa3
--- /dev/null
+++ b/policy/modules/services/cfengine.fc
-@@ -0,0 +1,10 @@
+@@ -0,0 +1,12 @@
+
+/usr/sbin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0)
+/usr/sbin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0)
@@ -29636,15 +29692,45 @@ index 0000000..4ec83df
+/etc/rc\.d/init\.d/cf-execd -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
+
+/var/cfengine(/.*)? gen_context(system_u:object_r:cfengine_var_lib_t,s0)
++/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:cfengine_var_log_t,s0)
++
diff --git a/policy/modules/services/cfengine.if b/policy/modules/services/cfengine.if
new file mode 100644
-index 0000000..883b697
+index 0000000..f076cff
--- /dev/null
+++ b/policy/modules/services/cfengine.if
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,145 @@
+
+## <summary>policy for cfengine</summary>
+
++######################################
++## <summary>
++## Creates types and rules for a basic
++## cfengine init daemon domain.
++## </summary>
++## <param name="prefix">
++## <summary>
++## Prefix for the domain.
++## </summary>
++## </param>
++#
++template(`cfengine_domain_template',`
++ gen_require(`
++ attribute cfengine_domain;
++ ')
++
++ ##############################
++ #
++ # Declarations
++ #
++
++ type cfengine_$1_t, cfengine_domain;
++ type cfengine_$1_exec_t;
++ init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t)
++
++ auth_use_nsswitch(cfengine_$1_t)
++
++')
+
+########################################
+## <summary>
@@ -29665,6 +29751,24 @@ index 0000000..883b697
+ domtrans_pattern($1, cfengine_server_exec_t, cfengine_server_t)
+')
+
++#######################################
++## <summary>
++## Search cfengine lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cfengine_search_lib_files',`
++ gen_require(`
++ type cfengine_var_lib_t;
++ ')
++
++ allow $1 cfengine_var_lib_t:dir search_dir_perms;
++')
++
+########################################
+## <summary>
+## Read cfengine lib files.
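Review bot: `cfengine_search_lib_files` grants search on cfengine_var_lib_t only, but `/var/cfengine` is labeled directly under /var (cfengine.fc in this same patch labels `/var/cfengine(/.*)?`), so a caller also needs search on var_t to reach the directory; refpolicy's `*_search_*` interfaces normally include that parent lookup. I'd add `files_search_var($1)` before the allow rule so the interface is self-sufficient. Most callers presumably already hold var_t search through other rules, so this is a consistency fix rather than a visible denial.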
@@ -29684,12 +29788,69 @@ index 0000000..883b697
+ read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t)
+')
+
++######################################
++## <summary>
++## Allow the specified domain to read cfengine's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cfengine_read_log',`
++ gen_require(`
++ type cfengine_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ files_search_var_lib($1)
++ cfengine_search_lib_files($1)
++ read_files_pattern($1, cfengine_var_log_t, cfengine_var_log_t)
++')
++
++#####################################
++## <summary>
++## Allow the specified domain to append cfengine's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cfengine_append_inherited_log',`
++ gen_require(`
++ type cfengine_var_log_t;
++ ')
++
++ cfengine_search_lib_files($1)
++ allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
++')
++
++####################################
++## <summary>
++## Dontaudit the specified domain to write cfengine's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cfengine_dontaudit_write_log',`
++ gen_require(`
++ type cfengine_var_log_t;
++ ')
++
++ dontaudit $1 cfengine_var_log_t:file write;
++')
diff --git a/policy/modules/services/cfengine.te b/policy/modules/services/cfengine.te
new file mode 100644
-index 0000000..1ba0484
+index 0000000..65aa04c
--- /dev/null
+++ b/policy/modules/services/cfengine.te
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,94 @@
+policy_module(cfengine, 1.0.0)
+
+########################################
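Review bot: `cfengine_append_inherited_log` pulls in `cfengine_search_lib_files($1)`, which is not needed to write through an already-open descriptor and, because this patch applies the interface to the `daemon`, `systemprocess` and `application_domain_type` attributes, hands directory search on /var/cfengine to nearly every domain on the system; I'd drop that call and keep only the file rule. The file rule itself is correctly bounded — `open` is omitted, so only descriptors inherited from a cfengine domain are usable — and that deserves a comment, e.g. `# no open: only fds inherited from a cfengine domain can be used`. Separately, `cfengine_read_log` calls `files_search_var_lib($1)`, but /var/cfengine/outputs sits under /var rather than /var/lib, so `files_search_var($1)` is the matching parent lookup. The `domain` parameter of `cfengine_dontaudit_write_log` is described as "Domain allowed access", which is misleading for a dontaudit interface; "Domain to not audit" is the usual wording.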
@@ -29697,9 +29858,11 @@ index 0000000..1ba0484
+# Declarations
+#
+
-+type cfengine_serverd_t;
-+type cfengine_serverd_exec_t;
-+init_daemon_domain(cfengine_serverd_t, cfengine_serverd_exec_t)
++attribute cfengine_domain;
++
++cfengine_domain_template(serverd)
++cfengine_domain_template(execd)
++cfengine_domain_template(monitord)
+
+type cfengine_initrc_exec_t;
+init_script_file(cfengine_initrc_exec_t)
@@ -29707,116 +29870,81 @@ index 0000000..1ba0484
+type cfengine_var_lib_t;
+files_type(cfengine_var_lib_t)
+
-+type cfengine_execd_t;
-+type cfengine_execd_exec_t;
-+init_daemon_domain(cfengine_execd_t, cfengine_execd_exec_t)
-+
-+type cfengine_monitord_t;
-+type cfengine_monitord_exec_t;
-+init_daemon_domain(cfengine_monitord_t, cfengine_monitord_exec_t)
++type cfengine_var_log_t;
++logging_log_file(cfengine_var_log_t)
+
-+########################################
++#######################################
+#
-+# cfengine-server local policy
++# cfengine domain local policy
+#
-+allow cfengine_serverd_t self:capability { chown kill setgid setuid sys_chroot };
-+allow cfengine_serverd_t self:process { fork setfscreate signal };
+
-+allow cfengine_serverd_t self:fifo_file rw_fifo_file_perms;
-+allow cfengine_serverd_t self:unix_stream_socket create_stream_socket_perms;
++allow cfengine_domain self:fifo_file rw_fifo_file_perms;
++allow cfengine_domain self:unix_stream_socket create_stream_socket_perms;
+
-+manage_dirs_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_files_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_lnk_files_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+files_var_lib_filetrans(cfengine_serverd_t, cfengine_var_lib_t, { dir file })
++manage_dirs_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
++manage_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
++manage_lnk_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
++files_var_lib_filetrans(cfengine_domain, cfengine_var_lib_t, { dir file })
+
-+kernel_read_system_state(cfengine_serverd_t)
++manage_files_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t)
++manage_dirs_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t)
++logging_log_filetrans(cfengine_domain,cfengine_var_log_t,{ dir file })
+
-+corecmd_exec_bin(cfengine_serverd_t)
-+corecmd_exec_shell(cfengine_serverd_t)
++kernel_read_system_state(cfengine_domain)
+
-+dev_read_urand(cfengine_serverd_t)
-+dev_read_sysfs(cfengine_serverd_t)
++corecmd_exec_bin(cfengine_domain)
++corecmd_exec_shell(cfengine_domain)
+
-+domain_use_interactive_fds(cfengine_serverd_t)
++dev_read_urand(cfengine_domain)
++dev_read_sysfs(cfengine_domain)
+
-+files_read_etc_files(cfengine_serverd_t)
++#auth_use_nsswitch(cfengine_domain)
+
-+auth_use_nsswitch(cfengine_serverd_t)
++logging_send_syslog_msg(cfengine_domain)
+
-+logging_send_syslog_msg(cfengine_serverd_t)
++miscfiles_read_localization(cfengine_domain)
+
-+miscfiles_read_localization(cfengine_serverd_t)
++sysnet_dns_name_resolve(cfengine_domain)
++sysnet_domtrans_ifconfig(cfengine_domain)
+
-+sysnet_dns_name_resolve(cfengine_serverd_t)
-+sysnet_domtrans_ifconfig(cfengine_serverd_t)
++files_read_etc_files(cfengine_domain)
+
+########################################
+#
-+# cfengine_exec local policy
++# cfengine-server local policy
+#
-+allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot };
-+allow cfengine_execd_t self:process { fork setfscreate signal };
-+
-+allow cfengine_execd_t self:fifo_file rw_fifo_file_perms;
-+allow cfengine_execd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_files_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_lnk_files_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+
-+domain_use_interactive_fds(cfengine_execd_t)
+
-+files_read_etc_files(cfengine_execd_t)
-+
-+kernel_read_system_state(cfengine_execd_t)
-+
-+corecmd_exec_bin(cfengine_execd_t)
-+corecmd_exec_shell(cfengine_execd_t)
-+
-+dev_read_urand(cfengine_execd_t)
-+dev_read_sysfs(cfengine_execd_t)
++allow cfengine_serverd_t self:capability { chown kill setgid setuid sys_chroot };
++allow cfengine_serverd_t self:process { fork setfscreate signal };
+
-+auth_use_nsswitch(cfengine_execd_t)
++domain_use_interactive_fds(cfengine_serverd_t)
+
-+logging_send_syslog_msg(cfengine_execd_t)
++########################################
++#
++# cfengine_exec local policy
++#
+
-+miscfiles_read_localization(cfengine_execd_t)
++allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot };
++allow cfengine_execd_t self:process { fork setfscreate signal };
+
-+sysnet_dns_name_resolve(cfengine_execd_t)
-+sysnet_domtrans_ifconfig(cfengine_execd_t)
++domain_read_all_domains_state(cfengine_execd_t)
++domain_use_interactive_fds(cfengine_execd_t)
+
+########################################
+#
+# cfengine_monitord local policy
+#
++
+allow cfengine_monitord_t self:capability { chown kill setgid setuid sys_chroot };
+allow cfengine_monitord_t self:process { fork setfscreate signal };
+
-+allow cfengine_monitord_t self:fifo_file rw_fifo_file_perms;
-+allow cfengine_monitord_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_files_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_lnk_files_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+
-+corecmd_exec_bin(cfengine_monitord_t)
-+
-+dev_read_sysfs(cfengine_monitord_t)
-+dev_read_urand(cfengine_monitord_t)
++kernel_read_hotplug_sysctls(cfengine_monitord_t)
++kernel_read_network_state(cfengine_monitord_t)
+
++domain_read_all_domains_state(cfengine_monitord_t)
+domain_use_interactive_fds(cfengine_monitord_t)
+
-+files_read_etc_files(cfengine_monitord_t)
-+
-+auth_use_nsswitch(cfengine_monitord_t)
-+
-+logging_send_syslog_msg(cfengine_monitord_t)
-+
-+miscfiles_read_localization(cfengine_monitord_t)
-+
-+sysnet_dns_name_resolve(cfengine_monitord_t)
-+sysnet_domtrans_ifconfig(cfengine_monitord_t)
++fs_getattr_xattr_fs(cfengine_monitord_t)
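Review bot: Moving `corecmd_exec_shell` onto the `cfengine_domain` attribute widens cfengine_monitord_t, which in the removed lines had only `corecmd_exec_bin`; if cf-monitord does not spawn shells, keep `corecmd_exec_shell` on the serverd and execd domains only. `#auth_use_nsswitch(cfengine_domain)` is dead text — the template already calls `auth_use_nsswitch(cfengine_$1_t)` — and should be deleted rather than left commented out. The new `domain_read_all_domains_state` on execd and monitord lets both daemons read the /proc state of every domain; a one-line comment naming what each actually reads (presumably process monitoring for cf-monitord) would keep the grant reviewable later. Note also that `logging_log_filetrans(cfengine_domain, ...)` only affects objects created directly under /var/log, whereas the log type is assigned to /var/cfengine/outputs by cfengine.fc — confirm both are intended.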
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
index 33facaf..e5cbcef 100644
--- a/policy/modules/services/cgroup.if
@@ -38582,10 +38710,10 @@ index 0000000..84d1768
+')
diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
new file mode 100644
-index 0000000..8dcd6e4
+index 0000000..fa63e2d
--- /dev/null
+++ b/policy/modules/services/firewalld.te
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,69 @@
+
+policy_module(firewalld,1.0.0)
+
@@ -38629,6 +38757,7 @@ index 0000000..8dcd6e4
+kernel_read_system_state(firewalld_t)
+
+corecmd_exec_bin(firewalld_t)
++corecmd_exec_shell(firewalld_t)
+
+domain_use_interactive_fds(firewalld_t)
+
@@ -47425,10 +47554,10 @@ index 74da57f..b94bb3b 100644
/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
-index 386543b..8e8f911 100644
+index 386543b..9cb5afa 100644
--- a/policy/modules/services/networkmanager.fc
+++ b/policy/modules/services/networkmanager.fc
-@@ -1,6 +1,15 @@
+@@ -1,6 +1,19 @@
/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -47437,6 +47566,10 @@ index 386543b..8e8f911 100644
+/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
+/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
++/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++
+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
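Review bot: The three new `/etc/dhcp/*-settings.conf` entries are copies of the `/etc/wicd/` lines below them with only the directory changed, and the changelog entry talks about /etc/wicd content; please confirm wicd really writes manager/wireless/wired-settings.conf under /etc/dhcp, otherwise these look like a copy-paste slip. The `.` in `settings.conf` is unescaped, so as a file_contexts regex it also matches e.g. `settingsXconf`; the file's other entries escape dots (`/etc/rc\.d/init\.d/...`), so `manager-settings\.conf` keeps the convention. Labeling files under /etc as NetworkManager_var_lib_t is unusual for /etc content, but that mirrors the existing wicd lines and is not introduced here.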
@@ -47445,7 +47578,7 @@ index 386543b..8e8f911 100644
/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-@@ -16,11 +25,13 @@
+@@ -16,11 +29,13 @@
/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
@@ -49138,7 +49271,7 @@ index bd76ec2..ca6517b 100644
## <summary>
## Execute a domain transition to run oddjob_mkhomedir.
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
-index cadfc63..c8f4d64 100644
+index cadfc63..e056e78 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -7,7 +7,6 @@ policy_module(oddjob, 1.7.0)
@@ -49157,7 +49290,16 @@ index cadfc63..c8f4d64 100644
domain_obj_id_change_exemption(oddjob_mkhomedir_t)
init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
-@@ -99,8 +97,6 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
+@@ -53,6 +51,8 @@ selinux_compute_create_context(oddjob_t)
+
+ files_read_etc_files(oddjob_t)
+
++auth_use_nsswitch(oddjob_t)
++
+ miscfiles_read_localization(oddjob_t)
+
+ locallogin_dontaudit_use_fds(oddjob_t)
+@@ -99,8 +99,6 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
# Add/remove user home directories
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
@@ -49489,7 +49631,7 @@ index 8ac407e..8235fb6 100644
admin_pattern($1, pads_config_t)
')
diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te
-index b246bdd..07baada 100644
+index b246bdd..84afa7a 100644
--- a/policy/modules/services/pads.te
+++ b/policy/modules/services/pads.te
@@ -1,4 +1,4 @@
@@ -49506,7 +49648,7 @@ index b246bdd..07baada 100644
type pads_initrc_exec_t;
init_script_file(pads_initrc_exec_t)
-@@ -25,10 +24,10 @@ files_pid_file(pads_var_run_t)
+@@ -25,10 +24,11 @@ files_pid_file(pads_var_run_t)
#
allow pads_t self:capability { dac_override net_raw };
@@ -49516,12 +49658,13 @@ index b246bdd..07baada 100644
-allow pads_t self:unix_dgram_socket { write create connect };
+allow pads_t self:netlink_route_socket create_netlink_socket_perms;
+allow pads_t self:packet_socket create_socket_perms;
++allow pads_t self:socket create_socket_perms;
+allow pads_t self:udp_socket create_socket_perms;
+allow pads_t self:unix_dgram_socket create_socket_perms;
allow pads_t pads_config_t:file manage_file_perms;
files_etc_filetrans(pads_t, pads_config_t, file)
-@@ -48,6 +47,7 @@ corenet_tcp_connect_prelude_port(pads_t)
+@@ -48,6 +48,7 @@ corenet_tcp_connect_prelude_port(pads_t)
dev_read_rand(pads_t)
dev_read_urand(pads_t)
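Review bot: `allow pads_t self:socket create_socket_perms;` uses the generic socket class, which the kernel applies to any address family without a dedicated class (packet, netlink_route and udp sockets already have their own rules in this hunk), so the rule hides which family pads actually opens. I'd add the family from the original denial in a comment next to the rule, e.g. `# generic socket class: address family not mapped to its own class`, and if it turns out to be a family that does have its own class, use that class instead. The rest of pads.te is outside this hunk.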
@@ -52406,7 +52549,7 @@ index 7257526..7d73656 100644
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
-index f03fad4..1865d8f 100644
+index f03fad4..d693956 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -11,9 +11,9 @@
@@ -52422,6 +52565,15 @@ index f03fad4..1865d8f 100644
ifdef(`distro_debian', `
/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+@@ -30,7 +30,7 @@ ifdef(`distro_redhat', `
+
+ /var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+ /var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+-/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
++/var/lib/pgsql/.*\.log gen_context(system_u:object_r:postgresql_log_t,s0)
+
+ /var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+ /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 09aeffa..f8a0d88 100644
--- a/policy/modules/services/postgresql.if
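Review bot: Replacing `/var/lib/pgsql/pgstartup\.log` with `/var/lib/pgsql/.*\.log` drops any `--` file-type qualifier and, through `.*`, also matches `.log` files in every subdirectory of /var/lib/pgsql that is not covered by a more specific entry, so the change does more than relabel the files beside pgstartup.log. If the intent is only the top-level log files, `/var/lib/pgsql/[^/]*\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)` limits it to regular files directly in /var/lib/pgsql. The neighbouring sepgsql entry keeps the `--` qualifier and the explicit name, so the two now disagree in style as well.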
@@ -59362,7 +59514,7 @@ index 7e94c7c..5700fb8 100644
+ admin_pattern($1, mail_spool_t)
+')
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
-index 22dac1f..75081a5 100644
+index 22dac1f..e2f2d7d 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
@@ -59401,7 +59553,18 @@ index 22dac1f..75081a5 100644
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
-@@ -128,7 +129,14 @@ optional_policy(`
+@@ -115,6 +116,10 @@ mta_manage_spool(sendmail_t)
+ mta_sendmail_exec(sendmail_t)
+
+ optional_policy(`
++ cfengine_dontaudit_write_log(sendmail_t)
++')
++
++optional_policy(`
+ cron_read_pipes(sendmail_t)
+ ')
+
+@@ -128,7 +133,14 @@ optional_policy(`
')
optional_policy(`
@@ -59416,7 +59579,7 @@ index 22dac1f..75081a5 100644
')
optional_policy(`
-@@ -149,7 +157,9 @@ optional_policy(`
+@@ -149,7 +161,9 @@ optional_policy(`
')
optional_policy(`
@@ -59426,7 +59589,7 @@ index 22dac1f..75081a5 100644
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
')
-@@ -168,20 +178,13 @@ optional_policy(`
+@@ -168,20 +182,13 @@ optional_policy(`
')
optional_policy(`
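Review bot: `cfengine_dontaudit_write_log(sendmail_t)` silences the `write` denial on an inherited cfengine output file but does not allow it, and the `cfengine_append_inherited_log` interface defined elsewhere in this patch grants only `append`; so if cf-execd hands sendmail a descriptor opened without O_APPEND, sendmail's output is dropped with no audit trace. That is the usual refpolicy treatment for stray inherited fds, but the trade-off should be stated above the call, e.g. `# cf-execd passes its output log as stdout/stderr; append is allowed via the daemon attribute, plain write is deliberately unaudited`. Whether sendmail_t actually carries the `daemon` attribute is outside this hunk.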
@@ -68300,10 +68463,10 @@ index 1b6619e..3aed6ad 100644
+ allow $1 application_domain_type:socket_class_set getattr;
+')
diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
-index c6fdab7..41198a4 100644
+index c6fdab7..32f45fa 100644
--- a/policy/modules/system/application.te
+++ b/policy/modules/system/application.te
-@@ -6,6 +6,24 @@ attribute application_domain_type;
+@@ -6,6 +6,28 @@ attribute application_domain_type;
# Executables to be run by user
attribute application_exec_type;
@@ -68321,6 +68484,10 @@ index c6fdab7..41198a4 100644
+')
+
+optional_policy(`
++ cfengine_append_inherited_log(application_domain_type)
++')
++
++optional_policy(`
+ cron_rw_inherited_user_spool_files(application_domain_type)
+ cron_sigchld(application_domain_type)
+')
@@ -70310,7 +70477,7 @@ index 94fd8dd..82d8769 100644
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..f87bb28 100644
+index 29a9565..44fa94d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -70513,8 +70680,8 @@ index 29a9565..f87bb28 100644
optional_policy(`
- auth_rw_login_records(init_t)
+ modutils_domtrans_insmod(init_t)
-+')
-+
+ ')
+
+tunable_policy(`init_systemd',`
+ allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow init_t self:process { setsockcreate setfscreate setrlimit };
@@ -70617,30 +70784,30 @@ index 29a9565..f87bb28 100644
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
+
-+optional_policy(`
+ optional_policy(`
+ lvm_rw_pipes(init_t)
+')
+
+optional_policy(`
+ consolekit_manage_log(init_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(init_t)
++')
++
++optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(init_t)
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
')
@@ -71147,7 +71314,7 @@ index 29a9565..f87bb28 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -815,11 +1172,26 @@ optional_policy(`
+@@ -815,11 +1172,30 @@ optional_policy(`
')
optional_policy(`
@@ -71160,6 +71327,10 @@ index 29a9565..f87bb28 100644
+optional_policy(`
+ cron_rw_pipes(daemon)
+ cron_rw_inherited_user_spool_files(daemon)
++')
++
++optional_policy(`
++ cfengine_append_inherited_log(daemon)
')
optional_policy(`
@@ -71175,7 +71346,7 @@ index 29a9565..f87bb28 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1201,25 @@ optional_policy(`
+@@ -829,6 +1205,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -71201,7 +71372,7 @@ index 29a9565..f87bb28 100644
')
optional_policy(`
-@@ -844,6 +1235,10 @@ optional_policy(`
+@@ -844,6 +1239,10 @@ optional_policy(`
')
optional_policy(`
@@ -71212,7 +71383,7 @@ index 29a9565..f87bb28 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1249,157 @@ optional_policy(`
+@@ -854,3 +1253,161 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -71344,6 +71515,10 @@ index 29a9565..f87bb28 100644
+')
+
+optional_policy(`
++ cfengine_append_inherited_log(systemprocess)
++')
++
++optional_policy(`
+ cron_rw_pipes(systemprocess)
+')
+
@@ -72689,7 +72864,7 @@ index a0b379d..bf90918 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..fe034f7 100644
+index 02f4c97..5ad8b48 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,6 +17,13 @@
@@ -72706,7 +72881,12 @@ index 02f4c97..fe034f7 100644
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-@@ -38,7 +45,7 @@ ifdef(`distro_suse', `
+@@ -34,11 +41,11 @@ ifdef(`distro_suse', `
+
+ /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+ /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+-/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++#/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
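Review bot: The `/var/cfengine/outputs(/.*)?` entry is commented out rather than removed, leaving a dead line in logging.fc; the label is now provided by cfengine.fc in this same patch as cfengine_var_log_t, so deleting the line is the cleaner change. A commented-out fc entry is easy to mistake for a pending TODO later. If it is kept on purpose for builds without the cfengine module, a one-line comment saying so, e.g. `# now labeled cfengine_var_log_t by cfengine.fc`, would make that explicit.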
@@ -76036,7 +76216,7 @@ index ff80d0a..be800df 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..a9ce01d 100644
+index 34d0ec5..249c952 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -76262,7 +76442,7 @@ index 34d0ec5..a9ce01d 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -314,7 +370,18 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +370,22 @@ ifdef(`distro_ubuntu',`
')
')
@@ -76271,6 +76451,10 @@ index 34d0ec5..a9ce01d 100644
+')
+
+optional_policy(`
++ cfengine_dontaudit_write_log(ifconfig_t)
++')
++
++optional_policy(`
+ ctdbd_read_lib_files(ifconfig_t)
+')
+
@@ -76281,7 +76465,7 @@ index 34d0ec5..a9ce01d 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -325,8 +392,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +396,14 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -76296,7 +76480,7 @@ index 34d0ec5..a9ce01d 100644
')
optional_policy(`
-@@ -335,6 +408,22 @@ optional_policy(`
+@@ -335,6 +412,22 @@ optional_policy(`
')
optional_policy(`
@@ -76319,7 +76503,7 @@ index 34d0ec5..a9ce01d 100644
nis_use_ypbind(ifconfig_t)
')
-@@ -356,3 +445,9 @@ optional_policy(`
+@@ -356,3 +449,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -76866,10 +77050,10 @@ index 0000000..1688a39
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..c52e7dc
+index 0000000..75fc546
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,389 @@
+@@ -0,0 +1,391 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -77072,7 +77256,7 @@ index 0000000..c52e7dc
+# Local policy
+#
+
-+allow systemd_tmpfiles_t self:capability { dac_override fowner chown fsetid };
++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
+allow systemd_tmpfiles_t self:process { setfscreate };
+
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
@@ -77080,6 +77264,8 @@ index 0000000..c52e7dc
+kernel_read_network_state(systemd_tmpfiles_t)
+
+dev_write_kmsg(systemd_tmpfiles_t)
++dev_relabel_all_sysfs(systemd_tmpfiles_t)
++dev_manage_printer(systemd_tmpfiles_t)
+
+domain_obj_id_change_exemption(systemd_tmpfiles_t)
+
@@ -77187,7 +77373,7 @@ index 0000000..c52e7dc
+#
+# systemd_notify local policy
+#
-+allow systemd_notify_t self:capability { chown };
++allow systemd_notify_t self:capability chown;
+allow systemd_notify_t self:process { fork setfscreate setsockcreate };
+
+allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 17a027c..d8628b2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 84%{?dist}
+Release: 85%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,19 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Apr 20 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-85
+- Add ~/.orc as a gstreamer_home_t
+- Allow mcelog to exec shel
+- Allow systemd_tmpfiles to manage printer devices
+- Add definitions for jboss_messaging ports
+- Fix labeling of log files for postgresql
+- Allow firewalld to execute shell
+- Fix /etc/wicd content files to get created with the correct label
+- tmpreaper should be able to list all file system labeled directories
+- Allow sambagui to use ldap
+- Lot of fixes for cfengine
+- Allow pads to create socket
+
* Wed Apr 18 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-84
- Make sure /var/spool/postfix/lib64 is labeled as /var/spool/postfix/lib
- Nagios fixes