[selinux-policy/f17] * Tue Apr 26 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-119 - Allow logrotate to getattr on syst
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Apr 26 15:44:05 UTC 2012
commit 391ebb026f6365e85d2a38a471915cf99a8d4c94
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Apr 26 17:43:51 2012 +0200
* Tue Apr 26 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-119
- Allow logrotate to getattr on systemd unit files
- Add support for tor systemd unit file
- Allow apmd to create /var/run/pm-utils with the correct label
- Allow l2tpd to send sigkill to pppd
- Allow pppd to stream connect to l2tpd
- Add label for scripts in /etc/gdm/
- Allow systemd_logind_t to ignore mcs constraints on sigkill
- Fix files_filetrans_system_conf_named_files() interface
- Add labels for /usr/share/wordpress/wp-includes/*.php
- Allow cobbler to get SELinux mode and booleans
policy-F16.patch | 450 ++++++++++++++++++++++++++++++++++-----------------
selinux-policy.spec | 14 ++-
2 files changed, 318 insertions(+), 146 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 0299245..9bc97c9 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -75719,7 +75719,7 @@ index 6a1e4d1..ffaa90a 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..fd7e663 100644
+index fae1ab1..ee2a798 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -75820,7 +75820,7 @@ index fae1ab1..fd7e663 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -158,5 +199,260 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +199,261 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -75832,6 +75832,7 @@ index fae1ab1..fd7e663 100644
domain_all_recvfrom_all_domains(unconfined_domain_type)
+
+files_filetrans_named_content(unconfined_domain_type)
++files_filetrans_system_conf_named_files(unconfined_domain_type)
+
+storage_filetrans_all_named_dev(unconfined_domain_type)
+
@@ -76204,7 +76205,7 @@ index c19518a..04ef731 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..c657fa9 100644
+index ff006ea..1dfeb37 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -76643,7 +76644,7 @@ index ff006ea..c657fa9 100644
')
########################################
-@@ -3900,82 +4115,195 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,82 +4115,223 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -76706,14 +76707,15 @@ index ff006ea..c657fa9 100644
- allow $1 tmp_t:dir getattr;
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
++ files_filetrans_system_conf_named_files($1)
')
-########################################
-+######################################
++#####################################
## <summary>
-## Do not audit attempts to get the
-## attributes of the tmp directory (/tmp).
-+## Relabel manageable system configuration files in /etc.
++## File name transition for system configuration files in /etc.
## </summary>
## <param name="domain">
-## <summary>
@@ -76728,13 +76730,22 @@ index ff006ea..c657fa9 100644
- gen_require(`
- type tmp_t;
- ')
-+interface(`files_relabelto_system_conf_files',`
++interface(`files_filetrans_system_conf_named_files',`
+ gen_require(`
-+ type usr_t;
++ type etc_t, system_conf_t;
+ ')
- dontaudit $1 tmp_t:dir getattr;
-+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
++ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
')
-########################################
@@ -76756,16 +76767,34 @@ index ff006ea..c657fa9 100644
- gen_require(`
- type tmp_t;
- ')
-+interface(`files_relabelfrom_system_conf_files',`
++interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
- allow $1 tmp_t:dir search_dir_perms;
-+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
++ relabelto_files_pattern($1, system_conf_t, system_conf_t)
')
-########################################
++######################################
++## <summary>
++## Relabel manageable system configuration files in /etc.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_relabelfrom_system_conf_files',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
++')
++
+###################################
+## <summary>
+## Create files in /etc with the type used for
@@ -76884,7 +76913,7 @@ index ff006ea..c657fa9 100644
## <summary>
## Do not audit attempts to search the tmp directory (/tmp).
## </summary>
-@@ -4017,7 +4345,7 @@ interface(`files_list_tmp',`
+@@ -4017,7 +4373,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -76893,7 +76922,7 @@ index ff006ea..c657fa9 100644
## </summary>
## </param>
#
-@@ -4029,6 +4357,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4385,24 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -76918,7 +76947,7 @@ index ff006ea..c657fa9 100644
########################################
## <summary>
## Remove entries from the tmp directory.
-@@ -4085,6 +4431,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4085,6 +4459,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -76951,7 +76980,7 @@ index ff006ea..c657fa9 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4139,6 +4511,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4139,6 +4539,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -76994,7 +77023,7 @@ index ff006ea..c657fa9 100644
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
-@@ -4202,7 +4610,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4202,7 +4638,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -77003,7 +77032,7 @@ index ff006ea..c657fa9 100644
## </summary>
## </param>
#
-@@ -4262,7 +4670,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4698,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -77012,7 +77041,7 @@ index ff006ea..c657fa9 100644
## </summary>
## </param>
#
-@@ -4318,7 +4726,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4754,7 @@ interface(`files_tmp_filetrans',`
type tmp_t;
')
@@ -77021,7 +77050,7 @@ index ff006ea..c657fa9 100644
')
########################################
-@@ -4342,6 +4750,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4778,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -77038,7 +77067,7 @@ index ff006ea..c657fa9 100644
')
########################################
-@@ -4681,7 +5099,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5127,7 @@ interface(`files_usr_filetrans',`
type usr_t;
')
@@ -77047,7 +77076,7 @@ index ff006ea..c657fa9 100644
')
########################################
-@@ -4914,6 +5332,24 @@ interface(`files_list_var',`
+@@ -4914,6 +5360,24 @@ interface(`files_list_var',`
########################################
## <summary>
@@ -77072,7 +77101,7 @@ index ff006ea..c657fa9 100644
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
-@@ -5084,7 +5520,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5548,7 @@ interface(`files_var_filetrans',`
type var_t;
')
@@ -77081,7 +77110,7 @@ index ff006ea..c657fa9 100644
')
########################################
-@@ -5219,7 +5655,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5683,7 @@ interface(`files_var_lib_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -77090,7 +77119,7 @@ index ff006ea..c657fa9 100644
')
########################################
-@@ -5259,6 +5695,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5259,6 +5723,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -77116,7 +77145,7 @@ index ff006ea..c657fa9 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5304,6 +5759,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5787,25 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -77142,7 +77171,7 @@ index ff006ea..c657fa9 100644
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
-@@ -5317,6 +5791,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5819,8 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -77151,7 +77180,7 @@ index ff006ea..c657fa9 100644
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5336,12 +5812,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5840,14 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
@@ -77167,7 +77196,7 @@ index ff006ea..c657fa9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5349,12 +5827,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5855,30 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -77179,8 +77208,7 @@ index ff006ea..c657fa9 100644
+ files_search_locks($1)
+ allow $1 var_lock_t:dir create_dir_perms;
+')
-
-- list_dirs_pattern($1, var_t, var_lock_t)
++
+########################################
+## <summary>
+## Set the attributes of the /var/lock directory.
@@ -77195,12 +77223,13 @@ index ff006ea..c657fa9 100644
+ gen_require(`
+ type var_lock_t;
+ ')
-+
+
+- list_dirs_pattern($1, var_t, var_lock_t)
+ allow $1 var_lock_t:dir setattr;
')
########################################
-@@ -5373,6 +5869,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5897,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -77208,7 +77237,7 @@ index ff006ea..c657fa9 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5385,7 +5882,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5910,6 @@ interface(`files_rw_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -77216,7 +77245,7 @@ index ff006ea..c657fa9 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5412,7 +5908,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5936,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -77225,7 +77254,7 @@ index ff006ea..c657fa9 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5428,12 +5924,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5952,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -77242,7 +77271,7 @@ index ff006ea..c657fa9 100644
')
########################################
-@@ -5452,7 +5948,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5976,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -77251,7 +77280,7 @@ index ff006ea..c657fa9 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5493,7 +5989,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +6017,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -77260,7 +77289,7 @@ index ff006ea..c657fa9 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +6011,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +6039,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -77269,7 +77298,7 @@ index ff006ea..c657fa9 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +6043,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +6071,8 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -77280,7 +77309,7 @@ index ff006ea..c657fa9 100644
')
########################################
-@@ -5608,32 +6104,88 @@ interface(`files_search_pids',`
+@@ -5608,19 +6132,56 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -77302,26 +77331,19 @@ index ff006ea..c657fa9 100644
#
-interface(`files_dontaudit_search_pids',`
- gen_require(`
-- type var_run_t;
-- ')
+interface(`files_rw_pid_dirs',`
+ gen_require(`
+ type var_run_t;
+ ')
-
-- dontaudit $1 var_run_t:dir search_dir_perms;
++
+ allow $1 var_run_t:dir rw_dir_perms;
- ')
-
--########################################
++')
++
+#######################################
- ## <summary>
--## List the contents of the runtime process
--## ID directories (/var/run).
++## <summary>
+## Create generic pid directory.
- ## </summary>
- ## <param name="domain">
--## <summary>
++## </summary>
++## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
@@ -77349,14 +77371,13 @@ index ff006ea..c657fa9 100644
+#
+interface(`files_dontaudit_search_pids',`
+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
+ type var_run_t;
+ ')
+
+@@ -5629,6 +6190,25 @@ interface(`files_dontaudit_search_pids',`
+
+ ########################################
+ ## <summary>
+## Do not audit attempts to search
+## the all /var/run directory.
+## </summary>
@@ -77376,15 +77397,10 @@ index ff006ea..c657fa9 100644
+
+########################################
+## <summary>
-+## List the contents of the runtime process
-+## ID directories (/var/run).
-+## </summary>
-+## <param name="domain">
-+## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
-@@ -5736,7 +6288,7 @@ interface(`files_pid_filetrans',`
+ ## List the contents of the runtime process
+ ## ID directories (/var/run).
+ ## </summary>
+@@ -5736,7 +6316,7 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -77393,7 +77409,7 @@ index ff006ea..c657fa9 100644
')
########################################
-@@ -5815,6 +6367,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,6 +6395,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -77510,7 +77526,7 @@ index ff006ea..c657fa9 100644
## Read all process ID files.
## </summary>
## <param name="domain">
-@@ -5832,6 +6494,62 @@ interface(`files_read_all_pids',`
+@@ -5832,6 +6522,62 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -77573,7 +77589,7 @@ index ff006ea..c657fa9 100644
')
########################################
-@@ -5900,6 +6618,90 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5900,6 +6646,90 @@ interface(`files_delete_all_pid_dirs',`
########################################
## <summary>
@@ -77664,7 +77680,7 @@ index ff006ea..c657fa9 100644
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
-@@ -6042,7 +6844,7 @@ interface(`files_spool_filetrans',`
+@@ -6042,7 +6872,7 @@ interface(`files_spool_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -77673,7 +77689,7 @@ index ff006ea..c657fa9 100644
')
########################################
-@@ -6117,3 +6919,324 @@ interface(`files_unconfined',`
+@@ -6117,3 +6947,324 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -84883,7 +84899,7 @@ index deca9d3..ac92fce 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..1812916 100644
+index 9e39aa5..8ec7232 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,21 +1,33 @@
@@ -84959,7 +84975,7 @@ index 9e39aa5..1812916 100644
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -54,11 +69,14 @@ ifdef(`distro_suse', `
+@@ -54,11 +69,15 @@ ifdef(`distro_suse', `
/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -84968,13 +84984,14 @@ index 9e39aa5..1812916 100644
/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/jetty(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
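Review bot: The new `/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)` entry makes every PHP file under wp-includes an entrypoint type that httpd may domain-transition through, whereas wp-includes is library code that WordPress includes rather than runs as a CGI script; the neighbouring wordpress entries in this hunk use content types (`httpd_sys_rw_content_t`). If the web server only needs to read these files, a content type is the narrower label; if execution really is required, a comment above the entry recording which component executes them (e.g. `# wp-includes/*.php are executed directly by <component, TODO confirm>`) would stop the exception from being widened later.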
-@@ -73,28 +91,41 @@ ifdef(`distro_suse', `
+@@ -73,28 +92,41 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -85020,7 +85037,7 @@ index 9e39aa5..1812916 100644
/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -104,8 +135,29 @@ ifdef(`distro_debian', `
+@@ -104,8 +136,29 @@ ifdef(`distro_debian', `
/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -92316,7 +92333,7 @@ index 116d60f..e2c6ec6 100644
+ allow $1 cobblerd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
-index 0258b48..f114e78 100644
+index 0258b48..5f685a0 100644
--- a/policy/modules/services/cobbler.te
+++ b/policy/modules/services/cobbler.te
@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
@@ -92460,7 +92477,7 @@ index 0258b48..f114e78 100644
miscfiles_read_localization(cobblerd_t)
miscfiles_read_public_files(cobblerd_t)
-+selinux_dontaudit_read_fs(cobblerd_t)
++selinux_get_enforce_mode(cobblerd_t)
+
sysnet_read_config(cobblerd_t)
sysnet_rw_dhcp_config(cobblerd_t)
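Review bot: The changelog entry `- Allow cobbler to get SELinux mode and booleans` promises boolean access, but this hunk only replaces `selinux_dontaudit_read_fs(cobblerd_t)` with `selinux_get_enforce_mode(cobblerd_t)`; if the boolean permission is granted elsewhere in the patch this is fine, otherwise either the changelog or the rule is incomplete. Replacing the dontaudit with a targeted allow is the right direction, since the old rule only hid the denial; a one-line comment above the call stating why cobblerd needs to read the enforcing mode would record the intent for the next reviewer.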
@@ -97687,7 +97704,7 @@ index 418a5a0..de67309 100644
+/var/run/udisks.* gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..d41e4fe 100644
+index f706b99..9b9f4ad 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
@@ -97836,7 +97853,7 @@ index f706b99..d41e4fe 100644
########################################
## <summary>
## Read devicekit PID files.
-@@ -139,22 +252,92 @@ interface(`devicekit_read_pid_files',`
+@@ -139,22 +252,93 @@ interface(`devicekit_read_pid_files',`
########################################
## <summary>
@@ -97879,6 +97896,7 @@ index f706b99..d41e4fe 100644
+ files_search_pids($1)
+ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
++ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
+')
+
+#######################################
@@ -97935,7 +97953,7 @@ index f706b99..d41e4fe 100644
## </summary>
## </param>
## <rolecap/>
-@@ -165,21 +348,46 @@ interface(`devicekit_admin',`
+@@ -165,21 +349,46 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
@@ -106066,10 +106084,10 @@ index 0000000..6b27066
+/var/run/xl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
diff --git a/policy/modules/services/l2tpd.if b/policy/modules/services/l2tpd.if
new file mode 100644
-index 0000000..2021c49
+index 0000000..8bc2c6d
--- /dev/null
+++ b/policy/modules/services/l2tpd.if
-@@ -0,0 +1,157 @@
+@@ -0,0 +1,178 @@
+## <summary>Layer 2 Tunneling Protocol daemons.</summary>
+
+########################################
@@ -106165,6 +106183,27 @@ index 0000000..2021c49
+ allow $1 l2tpd_var_run_t:file read_file_perms;
+')
+
++#####################################
++## <summary>
++## Connect to l2tpd over a unix domain
++## stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`l2tpd_stream_connect',`
++ gen_require(`
++ type l2tpd_t, l2tpd_var_run_t, l2tpd_tmp_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t)
++ stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t)
++')
++
+########################################
+## <summary>
+## Read and write l2tpd unnamed pipes.
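Review bot: `l2tpd_stream_connect` connects through `l2tpd_tmp_t` as well as `l2tpd_var_run_t` but only grants `files_search_pids($1)`; a caller that does not already search `tmp_t` would be denied on the `/tmp` path component before it reaches the socket. Add `files_search_tmp($1)` beside the existing `files_search_pids($1)`. The header bar above the summary is 37 characters where the other interfaces in this file use the 40-character `########################################`.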
@@ -106229,10 +106268,10 @@ index 0000000..2021c49
+')
diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te
new file mode 100644
-index 0000000..ebef23f
+index 0000000..e3b2bab
--- /dev/null
+++ b/policy/modules/services/l2tpd.te
-@@ -0,0 +1,96 @@
+@@ -0,0 +1,98 @@
+policy_module(l2tpd, 1.0.0)
+
+########################################
@@ -106307,6 +106346,7 @@ index 0000000..ebef23f
+kernel_request_load_module(l2tpd_t)
+
+term_use_ptmx(l2tpd_t)
++term_use_generic_ptys(l2tpd_t)
+
+# prol2tpc
+corecmd_exec_bin(l2tpd_t)
@@ -106328,6 +106368,7 @@ index 0000000..ebef23f
+optional_policy(`
+ ppp_domtrans(l2tpd_t)
+ ppp_signal(l2tpd_t)
++ ppp_kill(l2tpd_t)
+')
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
index c62f23e..276a021 100644
@@ -118131,7 +118172,7 @@ index b524673..1cca3d2 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..3b8e0fb 100644
+index 2af42e7..b489ca6 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -118215,7 +118256,7 @@ index 2af42e7..3b8e0fb 100644
allow pppd_t pptp_t:process signal;
-@@ -143,6 +147,7 @@ fs_getattr_all_fs(pppd_t)
+@@ -143,10 +147,12 @@ fs_getattr_all_fs(pppd_t)
fs_search_auto_mountpoints(pppd_t)
term_use_unallocated_ttys(pppd_t)
@@ -118223,7 +118264,12 @@ index 2af42e7..3b8e0fb 100644
term_setattr_unallocated_ttys(pppd_t)
term_ioctl_generic_ptys(pppd_t)
# for pppoe
-@@ -166,6 +171,8 @@ init_dontaudit_write_utmp(pppd_t)
+ term_create_pty(pppd_t, pppd_devpts_t)
++term_use_generic_ptys(pppd_t)
+
+ # allow running ip-up and ip-down scripts and running chat.
+ corecmd_exec_bin(pppd_t)
+@@ -166,6 +172,8 @@ init_dontaudit_write_utmp(pppd_t)
init_signal_script(pppd_t)
auth_use_nsswitch(pppd_t)
@@ -118232,7 +118278,7 @@ index 2af42e7..3b8e0fb 100644
logging_send_syslog_msg(pppd_t)
logging_send_audit_msgs(pppd_t)
-@@ -176,7 +183,7 @@ sysnet_exec_ifconfig(pppd_t)
+@@ -176,7 +184,7 @@ sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)
@@ -118241,13 +118287,14 @@ index 2af42e7..3b8e0fb 100644
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
userdom_search_user_home_dirs(pppd_t)
-@@ -187,13 +194,20 @@ optional_policy(`
+@@ -187,13 +195,21 @@ optional_policy(`
')
optional_policy(`
- tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',`
+ l2tpd_dgram_send(pppd_t)
+ l2tpd_rw_socket(pppd_t)
++ l2tpd_stream_connect(pppd_t)
+')
+
+optional_policy(`
@@ -118263,7 +118310,7 @@ index 2af42e7..3b8e0fb 100644
')
optional_policy(`
-@@ -243,14 +257,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +259,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
@@ -118283,7 +118330,7 @@ index 2af42e7..3b8e0fb 100644
dev_read_sysfs(pptp_t)
-@@ -265,9 +283,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
+@@ -265,9 +285,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
corenet_raw_sendrecv_generic_node(pptp_t)
corenet_tcp_sendrecv_all_ports(pptp_t)
corenet_tcp_bind_generic_node(pptp_t)
@@ -129331,12 +129378,59 @@ index 665bf7c..a1ea37a 100644
+optional_policy(`
+ iscsi_manage_semaphores(tgtd_t)
+')
+diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc
+index e2e06b2..e210bd0 100644
+--- a/policy/modules/services/tor.fc
++++ b/policy/modules/services/tor.fc
+@@ -4,6 +4,8 @@
+ /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+ /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+
++/lib/systemd/system/tor\.service -- gen_context(system_u:object_r:tor_unit_file_t,s0)
++
+ /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
+ /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
+
diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
-index 904f13e..f9d007b 100644
+index 904f13e..26f16dd 100644
--- a/policy/modules/services/tor.if
+++ b/policy/modules/services/tor.if
-@@ -42,8 +42,11 @@ interface(`tor_admin',`
+@@ -18,6 +18,30 @@ interface(`tor_domtrans',`
+ domtrans_pattern($1, tor_exec_t, tor_t)
+ ')
+
++#######################################
++## <summary>
++## Execute tor server in the tor domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`tor_systemctl',`
++ gen_require(`
++ type tor_t;
++ type tor_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 tor_unit_file_t:file read_file_perms;
++ allow $1 tor_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, tor_t)
++')
++
+ ########################################
+ ## <summary>
+ ## All of the rules required to administrate
+@@ -40,10 +64,14 @@ interface(`tor_admin',`
+ type tor_t, tor_var_log_t, tor_etc_t;
+ type tor_var_lib_t, tor_var_run_t;
type tor_initrc_exec_t;
++ type tor_unit_file_t;
')
- allow $1 tor_t:process { ptrace signal_perms getattr };
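Review bot: `tor_systemctl` calls `systemd_read_fifo_file_password_run($1)`, while the `tor_admin` hunk that follows (the `optional_policy` block ending at L771 on this page) calls `systemd_read_fifo_file_passwd_run($1)`; the two spellings appear to name the same interface, and a call to an interface that does not exist will not build, so one of them should be corrected to match systemd.if. If they are the same interface, the call inside `tor_admin` becomes redundant once `tor_systemctl($1)` is invoked there. The `gen_require` in `tor_systemctl` lists `tor_t` and `tor_unit_file_t` but the interface also relies on `systemd_exec_systemctl` and `ps_process_pattern`, which is consistent with how `tor_admin` below is written.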
@@ -129348,11 +129442,34 @@ index 904f13e..f9d007b 100644
init_labeled_script_domtrans($1, tor_initrc_exec_t)
domain_system_change_exemption($1)
+@@ -61,4 +89,13 @@ interface(`tor_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, tor_var_run_t)
++
++ tor_systemctl($1)
++ admin_pattern($1, tor_unit_file_t)
++ allow $1 tor_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
+ ')
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
-index c842cad..037dd90 100644
+index c842cad..799fac3 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
-@@ -42,6 +42,7 @@ files_pid_file(tor_var_run_t)
+@@ -36,12 +36,16 @@ logging_log_file(tor_var_log_t)
+ type tor_var_run_t;
+ files_pid_file(tor_var_run_t)
+
++type tor_unit_file_t;
++systemd_unit_file(tor_unit_file_t)
++
+ ########################################
+ #
+ # tor local policy
#
allow tor_t self:capability { setgid setuid sys_tty_config };
@@ -129360,7 +129477,7 @@ index c842cad..037dd90 100644
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket create_stream_socket_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -87,6 +88,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
+@@ -87,6 +91,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
corenet_tcp_bind_generic_node(tor_t)
corenet_udp_bind_generic_node(tor_t)
corenet_tcp_bind_tor_port(tor_t)
@@ -129368,7 +129485,7 @@ index c842cad..037dd90 100644
corenet_udp_bind_dns_port(tor_t)
corenet_sendrecv_tor_server_packets(tor_t)
corenet_sendrecv_dns_server_packets(tor_t)
-@@ -95,9 +97,11 @@ corenet_tcp_connect_all_ports(tor_t)
+@@ -95,9 +100,11 @@ corenet_tcp_connect_all_ports(tor_t)
corenet_sendrecv_all_client_packets(tor_t)
# ... especially including port 80 and other privileged ports
corenet_tcp_connect_all_reserved_ports(tor_t)
@@ -132366,7 +132483,7 @@ index aa6e5a8..42a0efb 100644
########################################
## <summary>
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 4966c94..bc7b581 100644
+index 4966c94..23df3ea 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,34 @@
@@ -132404,16 +132521,20 @@ index 4966c94..bc7b581 100644
#
# /dev
-@@ -21,6 +42,8 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -21,6 +42,12 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/etc/gdm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0)
++/etc/gdm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++/etc/gdm/PostLogin(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++/etc/gdm/PostSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++/etc/gdm/PreSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
+
/etc/kde3?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde3?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde3?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
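Review bot: The four new `/etc/gdm/(Init|PostLogin|PostSession|PreSession)(/.*)?` entries label the directories themselves, and everything beneath them, with `xdm_unconfined_exec_t`, a type that xserver.te declares with `application_executable_file` for regular files; the parent entry `/etc/gdm(/.*)?` already supplies `xdm_etc_t`, so restricting the new patterns to regular files, e.g. `/etc/gdm/Init/.* -- gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)`, keeps the directories as configuration and limits the entrypoint type to the scripts. The `_unconfined_exec_t` name suggests that executing these files leaves confinement, and the transition that backs it is not in this hunk, so a short comment naming the domain they transition into would help anyone auditing which domains may write under `/etc/gdm`.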
-@@ -33,11 +56,6 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -33,11 +60,6 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -132425,7 +132546,7 @@ index 4966c94..bc7b581 100644
#
# /opt
#
-@@ -48,28 +66,35 @@ ifdef(`distro_redhat',`
+@@ -48,28 +70,35 @@ ifdef(`distro_redhat',`
# /tmp
#
@@ -132469,7 +132590,7 @@ index 4966c94..bc7b581 100644
/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-@@ -90,17 +115,45 @@ ifdef(`distro_debian', `
+@@ -90,17 +119,45 @@ ifdef(`distro_debian', `
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
@@ -133787,7 +133908,7 @@ index 130ced9..c0a4891 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..2659b5c 100644
+index 143c893..479bf53 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -133907,7 +134028,14 @@ index 143c893..2659b5c 100644
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
files_tmp_file(xauth_tmp_t)
ubac_constrained(xauth_tmp_t)
-@@ -161,15 +194,21 @@ type xdm_t;
+@@ -157,19 +190,28 @@ files_type(xconsole_device_t)
+ fs_associate_tmpfs(xconsole_device_t)
+ files_associate_tmp(xconsole_device_t)
+
++type xdm_unconfined_exec_t;
++application_executable_file(xdm_unconfined_exec_t)
++
+ type xdm_t;
type xdm_exec_t;
auth_login_pgm_domain(xdm_t)
init_domain(xdm_t, xdm_exec_t)
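Review bot: The new `type xdm_unconfined_exec_t;` / `application_executable_file(...)` pair carries no comment saying what is labeled with it or that it is an entry point into an unconfined domain, and it is declared unconditionally while the domain it leads to is only created inside an `optional_policy` block later in this patch. A one-line comment above the declaration would make the trust boundary visible where the type is defined: `# /etc/gdm/{Init,PostLogin,PostSession,PreSession} hook scripts; xdm_t transitions them to an unconfined domain when the unconfined module is loaded, otherwise runs them in xdm_t`. The matching `.fc` patterns earlier in this patch (`/etc/gdm/Init(/.*)?` and friends) have no `--` qualifier, so the directories themselves also receive the executable type; if only the scripts are meant to be entry points, a `--` on those patterns would narrow that, though I cannot see the rest of that hunk from here.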
@@ -133931,7 +134059,7 @@ index 143c893..2659b5c 100644
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
-@@ -177,13 +216,27 @@ files_type(xdm_var_lib_t)
+@@ -177,13 +219,27 @@ files_type(xdm_var_lib_t)
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
@@ -133960,7 +134088,7 @@ index 143c893..2659b5c 100644
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
-@@ -196,15 +249,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+@@ -196,15 +252,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
init_system_domain(xserver_t, xserver_exec_t)
ubac_constrained(xserver_t)
@@ -133978,7 +134106,7 @@ index 143c893..2659b5c 100644
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)
-@@ -234,17 +281,30 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+@@ -234,17 +284,30 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
allow xdm_t iceauth_home_t:file read_file_perms;
@@ -134017,7 +134145,7 @@ index 143c893..2659b5c 100644
')
########################################
-@@ -252,45 +312,78 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -252,45 +315,78 @@ tunable_policy(`use_samba_home_dirs',`
# Xauth local policy
#
@@ -134106,7 +134234,7 @@ index 143c893..2659b5c 100644
')
optional_policy(`
-@@ -304,20 +397,37 @@ optional_policy(`
+@@ -304,20 +400,37 @@ optional_policy(`
# XDM Local policy
#
@@ -134148,7 +134276,7 @@ index 143c893..2659b5c 100644
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -325,43 +435,63 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -325,43 +438,63 @@ can_exec(xdm_t, xdm_exec_t)
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -134218,7 +134346,7 @@ index 143c893..2659b5c 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -370,18 +500,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -370,18 +503,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -134246,7 +134374,7 @@ index 143c893..2659b5c 100644
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
-@@ -393,38 +531,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -393,38 +534,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -134299,7 +134427,7 @@ index 143c893..2659b5c 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -435,9 +583,25 @@ files_list_mnt(xdm_t)
+@@ -435,9 +586,25 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -134325,7 +134453,7 @@ index 143c893..2659b5c 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +610,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +613,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -134367,7 +134495,7 @@ index 143c893..2659b5c 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -476,24 +650,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,24 +653,43 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -134417,7 +134545,7 @@ index 143c893..2659b5c 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -507,11 +700,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +703,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -134439,7 +134567,7 @@ index 143c893..2659b5c 100644
')
optional_policy(`
-@@ -519,12 +722,63 @@ optional_policy(`
+@@ -519,12 +725,63 @@ optional_policy(`
')
optional_policy(`
@@ -134503,7 +134631,7 @@ index 143c893..2659b5c 100644
hostname_exec(xdm_t)
')
-@@ -542,28 +796,69 @@ optional_policy(`
+@@ -542,28 +799,69 @@ optional_policy(`
')
optional_policy(`
@@ -134582,7 +134710,7 @@ index 143c893..2659b5c 100644
')
optional_policy(`
-@@ -575,6 +870,14 @@ optional_policy(`
+@@ -575,6 +873,14 @@ optional_policy(`
')
optional_policy(`
@@ -134597,7 +134725,7 @@ index 143c893..2659b5c 100644
xfs_stream_connect(xdm_t)
')
-@@ -599,7 +902,8 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -599,7 +905,8 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -134607,7 +134735,7 @@ index 143c893..2659b5c 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -613,8 +917,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +920,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -134623,7 +134751,7 @@ index 143c893..2659b5c 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +944,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +947,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -134645,7 +134773,7 @@ index 143c893..2659b5c 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +964,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +967,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -134653,7 +134781,7 @@ index 143c893..2659b5c 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -672,21 +991,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,21 +994,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -134684,7 +134812,7 @@ index 143c893..2659b5c 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -697,8 +1023,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1026,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -134698,7 +134826,7 @@ index 143c893..2659b5c 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1042,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1045,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -134707,7 +134835,7 @@ index 143c893..2659b5c 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1049,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1052,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -134722,7 +134850,7 @@ index 143c893..2659b5c 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1108,40 @@ optional_policy(`
+@@ -778,16 +1111,40 @@ optional_policy(`
')
optional_policy(`
@@ -134764,7 +134892,7 @@ index 143c893..2659b5c 100644
unconfined_domtrans(xserver_t)
')
-@@ -796,6 +1150,10 @@ optional_policy(`
+@@ -796,6 +1153,10 @@ optional_policy(`
')
optional_policy(`
@@ -134775,7 +134903,7 @@ index 143c893..2659b5c 100644
xfs_stream_connect(xserver_t)
')
-@@ -811,10 +1169,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1172,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -134789,7 +134917,7 @@ index 143c893..2659b5c 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1180,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1183,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -134798,7 +134926,7 @@ index 143c893..2659b5c 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -835,26 +1193,21 @@ init_use_fds(xserver_t)
+@@ -835,26 +1196,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -134833,7 +134961,7 @@ index 143c893..2659b5c 100644
')
optional_policy(`
-@@ -862,6 +1215,10 @@ optional_policy(`
+@@ -862,6 +1218,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -134844,7 +134972,7 @@ index 143c893..2659b5c 100644
########################################
#
# Rules common to all X window domains
-@@ -905,7 +1262,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1265,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -134853,7 +134981,7 @@ index 143c893..2659b5c 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -959,11 +1316,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1319,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -134885,7 +135013,7 @@ index 143c893..2659b5c 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -985,18 +1362,31 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1365,43 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -134932,6 +135060,18 @@ index 143c893..2659b5c 100644
+ unconfined_signal(xserver_t)
+ unconfined_getpgid(xserver_t)
+')
++
++can_exec(xdm_t, xdm_unconfined_exec_t)
++
++optional_policy(`
++ type xdm_unconfined_t;
++ domain_type(xdm_unconfined_t)
++ domain_entry_file(xdm_unconfined_t, xdm_unconfined_exec_t)
++ role system_r types xdm_unconfined_t;
++
++ domtrans_pattern(xdm_t, xdm_unconfined_exec_t, xdm_unconfined_t)
++ unconfined_domain(xdm_unconfined_t)
++')
diff --git a/policy/modules/services/zabbix.fc b/policy/modules/services/zabbix.fc
index 664cd7a..e3eaec5 100644
--- a/policy/modules/services/zabbix.fc
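Review bot: `can_exec(xdm_t, xdm_unconfined_exec_t)` sits outside the `optional_policy` block, so it is granted whether or not the unconfined module is present: without it the /etc/gdm hook scripts simply run inside xdm_t, and with it xdm_t holds both `execute_no_trans` from `can_exec` and the automatic transition from `domtrans_pattern`, so the hooks can still be executed in xdm_t as well as in xdm_unconfined_t. If that fallback is intended it deserves a comment such as `# unconfined module absent: hooks run confined in xdm_t`; if it is not, drop the `can_exec` line, since `domtrans_pattern` already grants execute on the entry file. The new domain also lacks any comment tying it to the /etc/gdm hook labels, and it is appended after the xserver_t unconfined rules rather than in the XDM section of the file; a header like `# GDM session hooks run unconfined: anything able to write xdm_unconfined_exec_t files gets code execution in an unconfined domain via xdm_t` states the risk explicitly for the next reader.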
@@ -145183,10 +145323,10 @@ index 0000000..0d3e625
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..a7e3666
+index 0000000..3b0ab09
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,675 @@
+@@ -0,0 +1,694 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -145303,6 +145443,25 @@ index 0000000..a7e3666
+ allow $1 systemd_unit_file_type:dir list_dir_perms;
+')
+
++#####################################
++## <summary>
++## Allow domain to getattr all systemd unit files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_getattr_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 systemd_unit_file_type:file getattr_file_perms;
++')
++
+######################################
+## <summary>
+## Allow domain to read all systemd unit files.
@@ -145864,10 +146023,10 @@ index 0000000..a7e3666
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..f60f034
+index 0000000..12e4001
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,414 @@
+@@ -0,0 +1,415 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -145956,7 +146115,6 @@ index 0000000..f60f034
+dev_setattr_video_dev(systemd_logind_t)
+dev_write_kmsg(systemd_logind_t)
+
-+
+domain_read_all_domains_state(systemd_logind_t)
+
+# /etc/udev/udev.conf should probably have a private type if only for confined administration
@@ -145968,6 +146126,8 @@ index 0000000..f60f034
+# write getattr open setattr
+fs_manage_cgroup_files(systemd_logind_t)
+
++mcs_killall(systemd_logind_t)
++
+storage_setattr_removable_dev(systemd_logind_t)
+storage_setattr_scsi_generic_dev(systemd_logind_t)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 83653a7..f6145c7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 118%{?dist}
+Release: 119%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -490,6 +490,18 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Apr 26 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-119
+- Allow logrotate to getattr on systemd unit files
+- Add support for tor systemd unit file
+- Allow apmd to create /var/run/pm-utils with the correct label
+- Allow l2tpd to send sigkill to pppd
+- Allow pppd to stream connect to l2tpd
+- Add label for scripts in /etc/gdm/
+- Allow systemd_logind_t to ignore mcs constraints on sigkill
+- Fix files_filetrans_system_conf_named_files() interface
+- Add labels for /usr/share/wordpress/wp-includes/*.php
+- Allow cobbler to get SELinux mode and booleans
+
* Mon Apr 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-118
- Add unconfined_execmem_exec_t as an alias to bin_t
- Allow fenced to read snmp var lib files, also allow it to read usr_t