[selinux-policy] Make sure content created in the homedir by uncnfined domains get created with the corect label. spe

Daniel J Walsh dwalsh at fedoraproject.org
Wed Aug 8 15:20:35 UTC 2012


commit 5991fc804927b20ed6f86a1d107caba2d9c9fccd
Author: rhatdan <dwalsh at redhat.com>
Date:   Wed Aug 8 11:20:07 2012 -0400

    Make sure content created in the homedir by unconfined domains gets created with the correct label, specifically /.readahead

 policy-rawhide.patch         |  302 +++++++++++++++++++++++-------------------
 policy_contrib-rawhide.patch |   24 ++--
 selinux-policy.spec          |    5 +-
 3 files changed, 187 insertions(+), 144 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 803caa9..29ce9f6 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -62010,7 +62010,7 @@ index 3a45f23..f4754f0 100644
  # fork
  # setexec
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index 28802c5..f2026cd 100644
+index 28802c5..c73c1d2 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
 @@ -329,6 +329,7 @@ class process
@@ -62032,7 +62032,7 @@ index 28802c5..f2026cd 100644
  }
  
  #
-@@ -443,9 +448,10 @@ class capability
+@@ -443,10 +448,11 @@ class capability
  class capability2 
  {
  	mac_override	# unused by SELinux
@@ -62040,10 +62040,11 @@ index 28802c5..f2026cd 100644
 +	mac_admin
  	syslog
  	wake_alarm
-+	epollwakeup
  	block_suspend
++	secure_firmware
  }
  
+ #
 @@ -862,3 +868,20 @@ inherits database
  	implement
  	execute
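Review bot: `secure_firmware` is added to class capability2 with nothing indicating which kernel defines that bit, and I cannot confirm it was in the mainline capability2 classmap of this period; a permission the running kernel does not define is accepted at policy load but can never be checked, so any allow rule naming it is dead weight. Suggest a comment on the line, `# kernel-specific; verify against the running kernel's classmap`, or holding the declaration until the kernel side exists. The removal of the `epollwakeup` addition, leaving `block_suspend`, matches the kernel rename and is consistent with the `allow initrc_t self:capability2 block_suspend;` line added to init.te later in this commit.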
@@ -63491,7 +63492,7 @@ index 98b8b2d..da75471 100644
  
  ########################################
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 673180c..1187de6 100644
+index 673180c..6274145 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.0)
@@ -63859,13 +63860,14 @@ index 673180c..1187de6 100644
  auth_manage_shadow(useradd_t)
  auth_relabel_shadow(useradd_t)
  auth_etc_filetrans_shadow(useradd_t)
-@@ -507,31 +549,34 @@ logging_send_syslog_msg(useradd_t)
+@@ -507,31 +549,35 @@ logging_send_syslog_msg(useradd_t)
  
  miscfiles_read_localization(useradd_t)
  
 +seutil_semanage_policy(useradd_t)
 +seutil_manage_file_contexts(useradd_t)
 +seutil_manage_config(useradd_t)
++seutil_manage_login_config(useradd_t)
 +seutil_manage_default_contexts(useradd_t)
 +
  seutil_read_config(useradd_t)
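Review bot: `seutil_manage_login_config(useradd_t)` calls an interface whose definition does not appear in any hunk of this commit; the selinuxutil.if section further down only adds `seutil_manage_config_dirs`. If the interface is not already present in policy-rawhide.patch, the usermanage module fails at build time on an undefined m4 macro rather than at runtime, so confirm it before applying. The same applies to `seutil_read_login_config($1)` in the authlogin.if hunk and to `seutil_manage_login_config($1)` in the userdomain.if hunk of this commit.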
@@ -63907,7 +63909,7 @@ index 673180c..1187de6 100644
  optional_policy(`
  	apache_manage_all_user_content(useradd_t)
  ')
-@@ -542,7 +587,8 @@ optional_policy(`
+@@ -542,7 +588,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63917,7 +63919,7 @@ index 673180c..1187de6 100644
  ')
  
  optional_policy(`
-@@ -550,6 +596,11 @@ optional_policy(`
+@@ -550,6 +597,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63929,7 +63931,7 @@ index 673180c..1187de6 100644
  	tunable_policy(`samba_domain_controller',`
  		samba_append_log(useradd_t)
  	')
-@@ -559,3 +610,7 @@ optional_policy(`
+@@ -559,3 +611,7 @@ optional_policy(`
  	rpm_use_fds(useradd_t)
  	rpm_rw_pipes(useradd_t)
  ')
@@ -80434,7 +80436,7 @@ index 28ad538..47fdb65 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index f416ce9..1409940 100644
+index f416ce9..2fa575e 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -80559,8 +80561,11 @@ index f416ce9..1409940 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -155,9 +198,91 @@ interface(`auth_login_pgm_domain',`
+@@ -153,11 +196,94 @@ interface(`auth_login_pgm_domain',`
+ 	logging_set_tty_audit($1)
+ 
  	seutil_read_config($1)
++	seutil_read_login_config($1)
  	seutil_read_default_contexts($1)
  
 -	tunable_policy(`allow_polyinstantiation',`
@@ -80653,7 +80658,7 @@ index f416ce9..1409940 100644
  ')
  
  ########################################
-@@ -231,6 +356,25 @@ interface(`auth_domtrans_login_program',`
+@@ -231,6 +357,25 @@ interface(`auth_domtrans_login_program',`
  
  ########################################
  ## <summary>
@@ -80679,7 +80684,7 @@ index f416ce9..1409940 100644
  ##	Execute a login_program in the target domain,
  ##	with a range transition.
  ## </summary>
-@@ -395,13 +539,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -395,13 +540,15 @@ interface(`auth_domtrans_chk_passwd',`
  	')
  
  	optional_policy(`
@@ -80696,7 +80701,7 @@ index f416ce9..1409940 100644
  ')
  
  ########################################
-@@ -448,6 +594,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +595,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -80722,7 +80727,7 @@ index f416ce9..1409940 100644
  ')
  
  ########################################
-@@ -467,7 +632,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +633,6 @@ interface(`auth_domtrans_upd_passwd',`
  
  	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
  	auth_dontaudit_read_shadow($1)
@@ -80730,7 +80735,7 @@ index f416ce9..1409940 100644
  ')
  
  ########################################
-@@ -664,6 +828,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +829,10 @@ interface(`auth_manage_shadow',`
  
  	allow $1 shadow_t:file manage_file_perms;
  	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -80741,7 +80746,7 @@ index f416ce9..1409940 100644
  ')
  
  #######################################
-@@ -763,7 +931,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +932,50 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -80793,7 +80798,7 @@ index f416ce9..1409940 100644
  ')
  
  #######################################
-@@ -959,9 +1170,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1171,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -80827,7 +80832,7 @@ index f416ce9..1409940 100644
  ')
  
  ########################################
-@@ -1040,6 +1272,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1273,10 @@ interface(`auth_manage_pam_pid',`
  	files_search_pids($1)
  	allow $1 pam_var_run_t:dir manage_dir_perms;
  	allow $1 pam_var_run_t:file manage_file_perms;
@@ -80838,7 +80843,7 @@ index f416ce9..1409940 100644
  ')
  
  ########################################
-@@ -1157,6 +1393,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1157,6 +1394,7 @@ interface(`auth_manage_pam_console_data',`
  	files_search_pids($1)
  	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
  	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -80846,7 +80851,7 @@ index f416ce9..1409940 100644
  ')
  
  #######################################
-@@ -1526,6 +1763,25 @@ interface(`auth_setattr_login_records',`
+@@ -1526,6 +1764,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -80872,7 +80877,7 @@ index f416ce9..1409940 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1676,24 +1932,7 @@ interface(`auth_manage_login_records',`
+@@ -1676,24 +1933,7 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -80898,7 +80903,7 @@ index f416ce9..1409940 100644
  ')
  
  ########################################
-@@ -1717,9 +1956,9 @@ interface(`auth_relabel_login_records',`
+@@ -1717,9 +1957,9 @@ interface(`auth_relabel_login_records',`
  ## <infoflow type="both" weight="10"/>
  #
  interface(`auth_use_nsswitch',`
@@ -80911,7 +80916,7 @@ index f416ce9..1409940 100644
  
  	typeattribute $1 nsswitch_domain;
  ')
-@@ -1755,3 +1994,194 @@ interface(`auth_unconfined',`
+@@ -1755,3 +1995,194 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -82890,7 +82895,7 @@ index d26fe81..3f3a57f 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..582f563 100644
+index 4a88fa1..9895bfe 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -83126,7 +83131,7 @@ index 4a88fa1..582f563 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -196,16 +289,148 @@ tunable_policy(`init_upstart',`
+@@ -196,16 +289,151 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -83143,11 +83148,13 @@ index 4a88fa1..582f563 100644
 +')
 +
 +tunable_policy(`init_systemd',`
++	allow init_t self:system all_system_perms;
 +	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
 +	allow init_t self:process { setsockcreate setfscreate setrlimit };
 +	allow init_t self:process { getcap setcap };
 +	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +	allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
++	allow init_t self:netlink_selinux_socket create_socket_perms;
 +	# Until systemd is fixed
 +	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
 +	allow init_t self:udp_socket create_socket_perms;
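Review bot: `allow init_t self:system all_system_perms;` grants every permission in the system class, including any added to that class in future, rather than the operations systemd is known to perform. The line sits in the `init_systemd` tunable with no comment, so a reader cannot tell which denial it resolves; prefer listing the needed permissions explicitly, or at least add `# TODO: replace with the specific system perms systemd needs` so the over-grant is visible. The enclosing tunable_policy block continues past the hunk.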
@@ -83214,6 +83221,8 @@ index 4a88fa1..582f563 100644
 +	fs_relabel_cgroup_dirs(init_t)
 +	fs_search_cgroup_dirs(daemon)
 +
++
++	selinux_compute_access_vector(init_t)
 +	selinux_compute_create_context(init_t)
 +	selinux_validate_context(init_t)
 +	selinux_unmount_fs(init_t)
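Review bot: Two consecutive blank lines are introduced before `selinux_compute_access_vector(init_t)`, where the rest of this block separates groups with a single blank line; drop the extra `+` line. The enclosing tunable block starts and ends outside the hunk.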
@@ -83235,6 +83244,9 @@ index 4a88fa1..582f563 100644
 +	systemd_manage_unit_dirs(init_t)
 +	systemd_manage_all_unit_files(init_t)
 +	systemd_logger_stream_connect(init_t)
++	systemd_config_all_services(init_t)
++
++	systemd_config_all_services(initrc_t)
 +
 +	create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
 +
@@ -83243,20 +83255,16 @@ index 4a88fa1..582f563 100644
 +auth_use_nsswitch(init_t)
 +auth_rw_login_records(init_t)
 +
-+optional_policy(`
-+	systemd_filetrans_named_content(init_t)
-+')
-+
-+optional_policy(`
-+	lvm_rw_pipes(init_t)
-+')
-+
  optional_policy(`
 -	auth_rw_login_records(init_t)
-+	consolekit_manage_log(init_t)
++	lvm_rw_pipes(init_t)
  ')
  
  optional_policy(`
++	consolekit_manage_log(init_t)
++')
++
++optional_policy(`
 +	dbus_connect_system_bus(init_t)
  	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
@@ -83277,10 +83285,14 @@ index 4a88fa1..582f563 100644
  ')
  
  optional_policy(`
-@@ -213,6 +438,18 @@ optional_policy(`
+@@ -213,6 +441,22 @@ optional_policy(`
  ')
  
  optional_policy(`
++	systemd_filetrans_named_content(init_t)
++')
++
++optional_policy(`
 +	udev_read_db(init_t)
 +	udev_relabelto_db(init_t)
 +	udev_create_kobject_uevent_socket(init_t)
@@ -83296,18 +83308,19 @@ index 4a88fa1..582f563 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -222,8 +459,8 @@ optional_policy(`
+@@ -222,8 +466,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
 -allow initrc_t self:capability ~{ sys_admin sys_module };
 -dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 +allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
++allow initrc_t self:capability2 block_suspend;
 +dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -251,12 +488,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -251,12 +496,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -83323,7 +83336,7 @@ index 4a88fa1..582f563 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -272,23 +512,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -272,23 +520,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -83366,7 +83379,7 @@ index 4a88fa1..582f563 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -296,6 +549,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -296,6 +557,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -83374,7 +83387,7 @@ index 4a88fa1..582f563 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -306,8 +560,10 @@ dev_write_framebuffer(initrc_t)
+@@ -306,8 +568,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -83385,7 +83398,7 @@ index 4a88fa1..582f563 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -315,17 +571,16 @@ dev_manage_generic_files(initrc_t)
+@@ -315,17 +579,16 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -83405,7 +83418,7 @@ index 4a88fa1..582f563 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -333,6 +588,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -333,6 +596,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -83413,7 +83426,7 @@ index 4a88fa1..582f563 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -340,8 +596,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -340,8 +604,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -83425,7 +83438,7 @@ index 4a88fa1..582f563 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -357,8 +615,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -357,8 +623,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -83439,7 +83452,7 @@ index 4a88fa1..582f563 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -368,9 +630,12 @@ fs_mount_all_fs(initrc_t)
+@@ -368,9 +638,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -83453,7 +83466,7 @@ index 4a88fa1..582f563 100644
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
  
-@@ -380,6 +645,7 @@ mls_process_read_up(initrc_t)
+@@ -380,6 +653,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -83461,7 +83474,7 @@ index 4a88fa1..582f563 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -391,6 +657,7 @@ term_use_all_terms(initrc_t)
+@@ -391,6 +665,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -83469,7 +83482,7 @@ index 4a88fa1..582f563 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -411,18 +678,17 @@ logging_read_audit_config(initrc_t)
+@@ -411,18 +686,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -83491,7 +83504,7 @@ index 4a88fa1..582f563 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -476,6 +742,10 @@ ifdef(`distro_gentoo',`
+@@ -476,6 +750,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -83502,7 +83515,7 @@ index 4a88fa1..582f563 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -496,7 +766,7 @@ ifdef(`distro_redhat',`
+@@ -496,7 +774,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -83511,7 +83524,7 @@ index 4a88fa1..582f563 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -511,6 +781,7 @@ ifdef(`distro_redhat',`
+@@ -511,6 +789,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -83519,7 +83532,7 @@ index 4a88fa1..582f563 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -531,6 +802,7 @@ ifdef(`distro_redhat',`
+@@ -531,6 +810,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -83527,7 +83540,7 @@ index 4a88fa1..582f563 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -540,8 +812,35 @@ ifdef(`distro_redhat',`
+@@ -540,8 +820,35 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -83563,7 +83576,7 @@ index 4a88fa1..582f563 100644
  	')
  
  	optional_policy(`
-@@ -549,14 +848,27 @@ ifdef(`distro_redhat',`
+@@ -549,14 +856,27 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -83591,7 +83604,7 @@ index 4a88fa1..582f563 100644
  	')
  ')
  
-@@ -567,6 +879,39 @@ ifdef(`distro_suse',`
+@@ -567,6 +887,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -83631,7 +83644,7 @@ index 4a88fa1..582f563 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +924,8 @@ optional_policy(`
+@@ -579,6 +932,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -83640,7 +83653,7 @@ index 4a88fa1..582f563 100644
  ')
  
  optional_policy(`
-@@ -600,6 +947,7 @@ optional_policy(`
+@@ -600,6 +955,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -83648,7 +83661,7 @@ index 4a88fa1..582f563 100644
  ')
  
  optional_policy(`
-@@ -612,6 +960,17 @@ optional_policy(`
+@@ -612,6 +968,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83666,7 +83679,7 @@ index 4a88fa1..582f563 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -628,9 +987,13 @@ optional_policy(`
+@@ -628,9 +995,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -83680,7 +83693,7 @@ index 4a88fa1..582f563 100644
  	')
  
  	optional_policy(`
-@@ -655,6 +1018,10 @@ optional_policy(`
+@@ -655,6 +1026,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83691,7 +83704,7 @@ index 4a88fa1..582f563 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -672,6 +1039,15 @@ optional_policy(`
+@@ -672,6 +1047,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83707,7 +83720,7 @@ index 4a88fa1..582f563 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -712,6 +1088,7 @@ optional_policy(`
+@@ -712,6 +1096,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -83715,7 +83728,7 @@ index 4a88fa1..582f563 100644
  ')
  
  optional_policy(`
-@@ -729,7 +1106,13 @@ optional_policy(`
+@@ -729,7 +1114,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83729,7 +83742,7 @@ index 4a88fa1..582f563 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -752,6 +1135,10 @@ optional_policy(`
+@@ -752,6 +1143,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83740,7 +83753,7 @@ index 4a88fa1..582f563 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -761,10 +1148,20 @@ optional_policy(`
+@@ -761,10 +1156,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83761,7 +83774,7 @@ index 4a88fa1..582f563 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -773,6 +1170,10 @@ optional_policy(`
+@@ -773,6 +1178,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83772,7 +83785,7 @@ index 4a88fa1..582f563 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -794,8 +1195,6 @@ optional_policy(`
+@@ -794,8 +1203,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -83781,7 +83794,7 @@ index 4a88fa1..582f563 100644
  ')
  
  optional_policy(`
-@@ -804,6 +1203,10 @@ optional_policy(`
+@@ -804,6 +1211,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83792,7 +83805,7 @@ index 4a88fa1..582f563 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -813,10 +1216,12 @@ optional_policy(`
+@@ -813,10 +1224,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -83805,7 +83818,7 @@ index 4a88fa1..582f563 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -828,8 +1233,6 @@ optional_policy(`
+@@ -828,8 +1241,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83814,7 +83827,7 @@ index 4a88fa1..582f563 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_pid_dirs(initrc_t)
  	udev_manage_rules_files(initrc_t)
-@@ -840,12 +1243,30 @@ optional_policy(`
+@@ -840,12 +1251,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83847,7 +83860,7 @@ index 4a88fa1..582f563 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -855,6 +1276,18 @@ optional_policy(`
+@@ -855,6 +1284,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -83866,7 +83879,7 @@ index 4a88fa1..582f563 100644
  ')
  
  optional_policy(`
-@@ -870,6 +1303,10 @@ optional_policy(`
+@@ -870,6 +1311,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83877,7 +83890,7 @@ index 4a88fa1..582f563 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -880,3 +1317,165 @@ optional_policy(`
+@@ -880,3 +1325,164 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -84042,7 +84055,6 @@ index 4a88fa1..582f563 100644
 +#ifdef(`enable_mls',`
 +#	mls_rangetrans_target(systemprocess)
 +#')
-+
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
 index ec85acb..662e79b 100644
 --- a/policy/modules/system/ipsec.fc
@@ -86241,7 +86253,7 @@ index 58bc27f..51e9872 100644
 +	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index f8eeecd..310893f 100644
+index f8eeecd..7b9437a 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -86433,7 +86445,7 @@ index f8eeecd..310893f 100644
  	bootloader_rw_tmp_files(lvm_t)
  ')
  
-@@ -331,14 +364,27 @@ optional_policy(`
+@@ -331,14 +364,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86453,7 +86465,6 @@ index f8eeecd..310893f 100644
  ')
  
  optional_policy(`
-+	#systemd_passwd_agent_dev_template(lvm)
 +	systemd_manage_passwd_run(lvm_t)
 +')
 +
@@ -87762,7 +87773,7 @@ index d43f3b1..c4182e8 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..beae2dc 100644
+index 3822072..239ab62 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
 @@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
@@ -87919,7 +87930,7 @@ index 3822072..beae2dc 100644
  ##	Execute setfiles in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -680,10 +776,94 @@ interface(`seutil_manage_config',`
+@@ -680,10 +776,115 @@ interface(`seutil_manage_config',`
  	')
  
  	files_search_etc($1)
@@ -87928,6 +87939,27 @@ index 3822072..beae2dc 100644
  	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
  ')
  
++######################################
++## <summary>
++##      Create, read, write, and delete
++##      the general selinux configuration files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
++#
++interface(`seutil_manage_config_dirs',`
++	gen_require(`
++		type selinux_config_t;
++	')
++
++	files_search_etc($1)
++	allow $1 selinux_config_t:dir manage_dir_perms;
++')
++
 +########################################
 +## <summary>
 +##	Do not audit attempts to search the SELinux
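Review bot: The summary of the new `seutil_manage_config_dirs` interface says it manages "the general selinux configuration files", but the body only grants `selinux_config_t:dir manage_dir_perms`, so the documentation both overstates (files) and understates (directories) what it does; change it to `##	Create, read, write, and delete` / `##	the general SELinux configuration directories.`. The XML comment block and the gen_require body are also indented with spaces while neighbouring interfaces in this file use a tab after `##`, so the new block should use tabs for consistency.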
@@ -88014,7 +88046,7 @@ index 3822072..beae2dc 100644
  #######################################
  ## <summary>
  ##	Create, read, write, and delete
-@@ -694,15 +874,62 @@ interface(`seutil_manage_config',`
+@@ -694,15 +895,62 @@ interface(`seutil_manage_config',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -88080,7 +88112,7 @@ index 3822072..beae2dc 100644
  ')
  
  ########################################
-@@ -746,6 +973,29 @@ interface(`seutil_read_default_contexts',`
+@@ -746,6 +994,29 @@ interface(`seutil_read_default_contexts',`
  	read_files_pattern($1, default_context_t, default_context_t)
  ')
  
@@ -88110,7 +88142,7 @@ index 3822072..beae2dc 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete the default_contexts files.
-@@ -999,6 +1249,26 @@ interface(`seutil_domtrans_semanage',`
+@@ -999,6 +1270,26 @@ interface(`seutil_domtrans_semanage',`
  
  ########################################
  ## <summary>
@@ -88137,7 +88169,7 @@ index 3822072..beae2dc 100644
  ##	Execute semanage in the semanage domain, and
  ##	allow the specified role the semanage domain,
  ##	and use the caller's terminal.
-@@ -1017,11 +1287,66 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1308,66 @@ interface(`seutil_domtrans_semanage',`
  #
  interface(`seutil_run_semanage',`
  	gen_require(`
@@ -88206,7 +88238,7 @@ index 3822072..beae2dc 100644
  ')
  
  ########################################
-@@ -1044,6 +1369,9 @@ interface(`seutil_manage_module_store',`
+@@ -1044,6 +1390,9 @@ interface(`seutil_manage_module_store',`
  	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
  	manage_files_pattern($1, semanage_store_t, semanage_store_t)
  	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
@@ -88216,7 +88248,7 @@ index 3822072..beae2dc 100644
  ')
  
  #######################################
-@@ -1137,3 +1465,58 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1486,58 @@ interface(`seutil_dontaudit_libselinux_linked',`
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')
@@ -89816,10 +89848,10 @@ index 0000000..7da5bf6
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..40fe8f5
+index 0000000..6d1582c
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,734 @@
+@@ -0,0 +1,735 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -89877,6 +89909,7 @@ index 0000000..40fe8f5
 +
 +	systemd_login_list_pid_dirs($1)
 +	systemd_login_read_pid_files($1)
++	systemd_passwd_agent_exec($1)
 +')
 +
 +#######################################
@@ -90177,11 +90210,12 @@ index 0000000..40fe8f5
 +## </param>
 +#
 +interface(`systemd_passwd_agent_exec',`
-+    gen_require(`
-+        type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
-+    ')
++	gen_require(`
++		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
++	')
 +
 +	can_exec($1, systemd_passwd_agent_exec_t)
++	systemd_manage_passwd_run($1)
 +')
 +
 +########################################
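Review bot: `systemd_passwd_agent_exec` now also calls `systemd_manage_passwd_run($1)`, so an interface named as "execute the agent" additionally grants the caller management of systemd_passwd_var_run_t content and, per that interface's body, lets the agent signull and sendto the caller; every existing caller silently receives that widening, and the hunk above that adds `systemd_passwd_agent_exec($1)` to another interface compounds it. Either update the interface's `<summary>` (outside this hunk) to state the extra access, or keep the exec interface narrow and have the callers that need the run directory call `systemd_manage_passwd_run` themselves. The tab re-indentation of the gen_require block is fine.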
@@ -90309,8 +90343,7 @@ index 0000000..40fe8f5
 +	')
 +
 +	init_search_pid_dirs($1)
-+	manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
-+	manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++	manage_fifo_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
 +
 +	allow systemd_passwd_agent_t $1:process signull;
 +	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
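Review bot: `systemd_manage_passwd_run` drops `manage_files_pattern` and `manage_sock_files_pattern` in favour of `manage_fifo_files_pattern` alone, yet the same block still allows `systemd_passwd_agent_t $1:unix_dgram_socket sendto`, which suggests the agent rendezvous goes through a socket whose file object may live under systemd_passwd_var_run_t. If any caller creates an ask file or socket there, this change trades an over-grant for new denials; confirm from audit output which object classes are actually created under that type before narrowing, and if the fifo-only form is correct, the interface's summary (outside this hunk) should say fifo files. The enclosing interface starts outside the hunk.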
@@ -92347,7 +92380,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..c4ae660 100644
+index e720dcd..512678a 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -93775,7 +93808,7 @@ index e720dcd..c4ae660 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1235,13 +1592,18 @@ template(`userdom_security_admin_template',`
+@@ -1235,13 +1592,19 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -93786,6 +93819,7 @@ index e720dcd..c4ae660 100644
 +	seutil_manage_file_contexts($1)
 +	seutil_manage_module_store($1)
 +	seutil_manage_config($1)
++	seutil_manage_login_config($1)
 +	seutil_run_checkpolicy($1,$2)
 +	seutil_run_loadpolicy($1,$2)
 +	seutil_run_semanage($1,$2)
@@ -93798,7 +93832,7 @@ index e720dcd..c4ae660 100644
  	')
  
  	optional_policy(`
-@@ -1252,12 +1614,12 @@ template(`userdom_security_admin_template',`
+@@ -1252,12 +1615,12 @@ template(`userdom_security_admin_template',`
  		dmesg_exec($1)
  	')
  
@@ -93814,7 +93848,7 @@ index e720dcd..c4ae660 100644
  	')
  
  	optional_policy(`
-@@ -1317,12 +1679,15 @@ interface(`userdom_user_application_domain',`
+@@ -1317,12 +1680,15 @@ interface(`userdom_user_application_domain',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -93831,7 +93865,7 @@ index e720dcd..c4ae660 100644
  ')
  
  ########################################
-@@ -1363,13 +1728,58 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1363,13 +1729,58 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -93893,7 +93927,7 @@ index e720dcd..c4ae660 100644
  	gen_require(`
  		attribute admindomain;
  	')
-@@ -1467,11 +1877,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1467,11 +1878,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -93925,7 +93959,7 @@ index e720dcd..c4ae660 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1513,6 +1943,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1513,6 +1944,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -93940,7 +93974,7 @@ index e720dcd..c4ae660 100644
  ')
  
  ########################################
-@@ -1528,9 +1966,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1528,9 +1967,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -93952,7 +93986,7 @@ index e720dcd..c4ae660 100644
  ')
  
  ########################################
-@@ -1587,6 +2027,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1587,6 +2028,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -93995,7 +94029,7 @@ index e720dcd..c4ae660 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1666,6 +2142,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1666,6 +2143,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -94004,7 +94038,7 @@ index e720dcd..c4ae660 100644
  ')
  
  ########################################
-@@ -1680,10 +2158,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1680,10 +2159,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -94019,7 +94053,7 @@ index e720dcd..c4ae660 100644
  ')
  
  ########################################
-@@ -1726,6 +2206,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1726,6 +2207,43 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -94063,7 +94097,7 @@ index e720dcd..c4ae660 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1745,6 +2262,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1745,6 +2263,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -94089,7 +94123,7 @@ index e720dcd..c4ae660 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1775,14 +2311,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1775,14 +2312,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -94127,7 +94161,7 @@ index e720dcd..c4ae660 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1793,11 +2351,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1793,11 +2352,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -94145,7 +94179,7 @@ index e720dcd..c4ae660 100644
  ')
  
  ########################################
-@@ -1856,6 +2417,78 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1856,6 +2418,78 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -94224,7 +94258,7 @@ index e720dcd..c4ae660 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1887,8 +2520,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1887,8 +2521,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -94234,7 +94268,7 @@ index e720dcd..c4ae660 100644
  ')
  
  ########################################
-@@ -1904,20 +2536,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1904,20 +2537,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -94259,7 +94293,7 @@ index e720dcd..c4ae660 100644
  
  ########################################
  ## <summary>
-@@ -2018,6 +2644,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -2018,6 +2645,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -94284,7 +94318,7 @@ index e720dcd..c4ae660 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2250,11 +2894,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2250,11 +2895,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -94299,7 +94333,7 @@ index e720dcd..c4ae660 100644
  	files_search_tmp($1)
  ')
  
-@@ -2274,7 +2918,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2274,7 +2919,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -94308,7 +94342,7 @@ index e720dcd..c4ae660 100644
  ')
  
  ########################################
-@@ -2521,6 +3165,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2521,6 +3166,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -94334,7 +94368,7 @@ index e720dcd..c4ae660 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2537,13 +3200,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2537,13 +3201,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -94350,7 +94384,7 @@ index e720dcd..c4ae660 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2564,7 +3228,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2564,7 +3229,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -94359,7 +94393,7 @@ index e720dcd..c4ae660 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2572,19 +3236,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2572,19 +3237,17 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -94382,7 +94416,7 @@ index e720dcd..c4ae660 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2592,9 +3254,27 @@ interface(`userdom_manage_user_tmpfs_files',`
+@@ -2592,9 +3255,27 @@ interface(`userdom_manage_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -94412,7 +94446,7 @@ index e720dcd..c4ae660 100644
  	')
  
  	allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
-@@ -2674,6 +3354,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2674,6 +3355,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -94437,7 +94471,7 @@ index e720dcd..c4ae660 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2692,22 +3390,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2692,22 +3391,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -94480,7 +94514,7 @@ index e720dcd..c4ae660 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2716,14 +3426,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2716,14 +3427,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -94518,7 +94552,7 @@ index e720dcd..c4ae660 100644
  ')
  
  ########################################
-@@ -2742,8 +3471,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2742,8 +3472,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -94548,7 +94582,7 @@ index e720dcd..c4ae660 100644
  ')
  
  ########################################
-@@ -2815,69 +3563,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2815,69 +3564,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -94649,7 +94683,7 @@ index e720dcd..c4ae660 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2885,12 +3632,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2885,12 +3633,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -94664,7 +94698,7 @@ index e720dcd..c4ae660 100644
  ')
  
  ########################################
-@@ -2954,7 +3701,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2954,7 +3702,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -94673,7 +94707,7 @@ index e720dcd..c4ae660 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2970,29 +3717,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2970,29 +3718,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -94707,7 +94741,7 @@ index e720dcd..c4ae660 100644
  ')
  
  ########################################
-@@ -3074,7 +3805,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3074,7 +3806,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -94716,7 +94750,7 @@ index e720dcd..c4ae660 100644
  ')
  
  ########################################
-@@ -3129,7 +3860,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3129,7 +3861,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -94763,7 +94797,7 @@ index e720dcd..c4ae660 100644
  ')
  
  ########################################
-@@ -3147,7 +3916,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3147,7 +3917,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -94772,7 +94806,7 @@ index e720dcd..c4ae660 100644
  ')
  
  ########################################
-@@ -3166,6 +3935,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3166,6 +3936,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -94780,7 +94814,7 @@ index e720dcd..c4ae660 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3242,6 +4012,42 @@ interface(`userdom_signal_all_users',`
+@@ -3242,6 +4013,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -94823,7 +94857,7 @@ index e720dcd..c4ae660 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3262,6 +4068,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3262,6 +4069,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -94848,7 +94882,7 @@ index e720dcd..c4ae660 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3296,3 +4120,1282 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4121,1282 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 0bafcb3..78e36a3 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -47944,10 +47944,10 @@ index 0000000..48ea717
 +')
 diff --git a/realmd.te b/realmd.te
 new file mode 100644
-index 0000000..3f5f701
+index 0000000..314e17e
 --- /dev/null
 +++ b/realmd.te
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,44 @@
 +policy_module(realmd, 1.0.0)
 +
 +########################################
@@ -47958,7 +47958,6 @@ index 0000000..3f5f701
 +type realmd_t;
 +type realmd_exec_t;
 +application_domain(realmd_t, realmd_exec_t)
-+role system_r types realmd_t;
 +
 +########################################
 +#
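Review bot: Dropping `+role system_r types realmd_t;` leaves realmd_t with no role authorization visible in this file: `application_domain(realmd_t, realmd_exec_t)` on the preceding line declares the type and its entrypoint but, as far as I recall refpolicy, does not associate the type with system_r. If realmd is launched by a system_r process (D-Bus activation or init), the transition into realmd_t would then fail as a role violation rather than a type denial, which is easy to overlook in audit output. The previous release's changelog says these role rules were added deliberately, and neither the commit message nor the new changelog entry explains the reversal; if another interface outside this hunk now supplies the role, a one-line comment such as `# role system_r is provided by dbus_system_domain() below` would make the removal reviewable. The rest of realmd.te lies outside this hunk.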
@@ -52468,20 +52467,19 @@ index 905883f..564240d 100644
 +	can_exec(smbd_t, samba_unconfined_script_exec_t)
  ')
 diff --git a/sambagui.te b/sambagui.te
-index 1898dbd..eec2a5a 100644
+index 1898dbd..43fcb73 100644
 --- a/sambagui.te
 +++ b/sambagui.te
-@@ -7,7 +7,8 @@ policy_module(sambagui, 1.1.0)
+@@ -7,7 +7,7 @@ policy_module(sambagui, 1.1.0)
  
  type sambagui_t;
  type sambagui_exec_t;
 -dbus_system_domain(sambagui_t, sambagui_exec_t)
 +application_domain(sambagui_t, sambagui_exec_t)
-+role system_r types sambagui_t;
  
  ########################################
  #
-@@ -27,21 +28,30 @@ corecmd_exec_bin(sambagui_t)
+@@ -27,21 +27,30 @@ corecmd_exec_bin(sambagui_t)
  
  dev_dontaudit_read_urand(sambagui_t)
  
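Review bot: With `+role system_r types sambagui_t;` removed, sambagui_t keeps neither a role rule nor the `dbus_system_domain()` call that the inner patch already replaces with `application_domain()`; in refpolicy it is `dbus_system_domain` that authorizes system_r for the type and adds the domtrans from system_dbusd_t, and `application_domain` does neither, so if sambagui is still started over the system bus the transition would presumably be refused on role. A later hunk in this file shows `samba_initrc_domtrans(sambagui_t)`, which would then be a transition from a domain with no system role into initrc_t, a second place this could break. Please either restore the one line `role system_r types sambagui_t;`, or keep `dbus_system_domain(sambagui_t, sambagui_exec_t)` if D-Bus launch is the intended path, and say which in the changelog, which currently only mentions "fixes for SECure linux containers".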
@@ -52513,7 +52511,7 @@ index 1898dbd..eec2a5a 100644
  	nscd_dontaudit_search_pid(sambagui_t)
  ')
  
-@@ -56,6 +66,7 @@ optional_policy(`
+@@ -56,6 +65,7 @@ optional_policy(`
  	samba_manage_var_files(sambagui_t)
  	samba_read_secrets(sambagui_t)
  	samba_initrc_domtrans(sambagui_t)
@@ -63450,7 +63448,7 @@ index 0000000..14c5c0a
 +
 +miscfiles_read_localization(wdmd_t)
 diff --git a/webadm.te b/webadm.te
-index 0ecc786..e0f21c3 100644
+index 0ecc786..3e7e984 100644
 --- a/webadm.te
 +++ b/webadm.te
 @@ -28,7 +28,7 @@ userdom_base_user_template(webadm)
@@ -63462,6 +63460,14 @@ index 0ecc786..e0f21c3 100644
  
  files_dontaudit_search_all_dirs(webadm_t)
  files_manage_generic_locks(webadm_t)
+@@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t)
+ seutil_domtrans_setfiles(webadm_t)
+ 
+ logging_send_syslog_msg(webadm_t)
++logging_send_audit_msgs(webadm_t)
+ 
+ userdom_dontaudit_search_user_home_dirs(webadm_t)
+ 
 diff --git a/webalizer.te b/webalizer.te
 index 32b4f76..ea008d8 100644
 --- a/webalizer.te
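Review bot: The added `logging_send_audit_msgs(webadm_t)` carries no comment saying which program running as webadm_t needs to write audit records; in refpolicy that interface grants CAP_AUDIT_WRITE together with create and relay on netlink_audit_socket, i.e. the domain can emit arbitrary user-space audit events and so place self-chosen entries in the audit trail. The neighbouring rules (`seutil_domtrans_setfiles`, `selinux_get_enforce_mode`) suggest this is for SELinux management tools reporting their own policy changes through libaudit, but that is inferred, not shown here. A one-line rationale above the rule, e.g. `# policy-management tools run by webadm report changes via libaudit; needs CAP_AUDIT_WRITE`, would let the next reviewer judge whether the full interface is warranted or a dontaudit would do. The remainder of webadm.te is outside this hunk.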
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4d986fe..93de10b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 3%{?dist}
+Release: 3.1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Aug 8 2012 Dan Walsh <dwalshl at redhat.com> 3.11.1-3.1
+- Update with fixes for SECure linux containers
+
 * Tue Aug 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-3
 - Add role rules for realmd, sambagui
 

