[selinux-policy/f18] - Allow setroubleshoot_fixit to execute rpm - zoneminder needs to connect to httpd ports where remot

Miroslav Grepl mgrepl at fedoraproject.org
Thu Dec 27 19:34:50 UTC 2012


commit ce79212872acfb4e5aa698b2bc931e1d00bdc9fd
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Dec 27 20:33:39 2012 +0100

    - Allow setroubleshoot_fixit to execute rpm
    - zoneminder needs to connect to httpd ports where remote cameras are listening
    - Allow firewalld to execute content created in /run directory
    - Allow svirt_t to read generic certs
    - Dontaudit leaked ps content to mozilla plugin
    - Allow sshd_t sys_admin for use with afs logins
    - Allow systemd to read/write all sysctls
    - init scripts are creating systemd_unit_file_t directories

 policy-f18-base.patch    |  182 ++++++++++++++++++++++++++--------------------
 policy-f18-contrib.patch |  112 ++++++++++++++++-------------
 selinux-policy.spec      |   12 +++-
 3 files changed, 175 insertions(+), 131 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index d9a6df5..72e3179 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -124389,10 +124389,10 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index e5aee97..2fdb49f 100644
+index e5aee97..ead35b9 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,67 @@ policy_module(staff, 2.3.0)
+@@ -8,12 +8,68 @@ policy_module(staff, 2.3.0)
  role staff_r;
  
  userdom_unpriv_user_template(staff)
@@ -124441,6 +124441,7 @@ index e5aee97..2fdb49f 100644
 +
 +init_dbus_chat(staff_t)
 +init_dbus_chat_script(staff_t)
++init_status(staff_t)
 +
 +miscfiles_read_hwdata(staff_t)
 +
@@ -124460,7 +124461,7 @@ index e5aee97..2fdb49f 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -23,11 +78,110 @@ optional_policy(`
+@@ -23,11 +79,110 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -124572,7 +124573,7 @@ index e5aee97..2fdb49f 100644
  ')
  
  optional_policy(`
-@@ -35,15 +189,31 @@ optional_policy(`
+@@ -35,15 +190,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -124606,7 +124607,7 @@ index e5aee97..2fdb49f 100644
  ')
  
  optional_policy(`
-@@ -52,10 +222,59 @@ optional_policy(`
+@@ -52,10 +223,59 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -124666,7 +124667,7 @@ index e5aee97..2fdb49f 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -65,10 +284,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +285,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -124677,7 +124678,7 @@ index e5aee97..2fdb49f 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -93,18 +308,10 @@ ifndef(`distro_redhat',`
+@@ -93,18 +309,10 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -124696,7 +124697,7 @@ index e5aee97..2fdb49f 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -125,10 +332,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +333,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -124707,7 +124708,7 @@ index e5aee97..2fdb49f 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -141,10 +344,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +345,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -124718,7 +124719,7 @@ index e5aee97..2fdb49f 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -176,3 +375,20 @@ ifndef(`distro_redhat',`
+@@ -176,3 +376,20 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -126376,7 +126377,7 @@ index 3835596..fbca2be 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 9f6d4c3..23a78b4 100644
+index 9f6d4c3..07ceee0 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
 @@ -1,5 +1,12 @@
@@ -126392,7 +126393,7 @@ index 9f6d4c3..23a78b4 100644
  # this module should be named user, but that is
  # a compile error since user is a keyword.
  
-@@ -12,12 +19,97 @@ role user_r;
+@@ -12,12 +19,99 @@ role user_r;
  
  userdom_unpriv_user_template(user)
  
@@ -126405,6 +126406,8 @@ index 9f6d4c3..23a78b4 100644
 +storage_read_scsi_generic(user_t)
 +storage_write_scsi_generic(user_t)
 +
++init_status(user_t)
++
 +tunable_policy(`selinuxuser_execmod',`
 +	userdom_execmod_user_home_files(user_t)
 +')
@@ -126491,7 +126494,7 @@ index 9f6d4c3..23a78b4 100644
  ')
  
  optional_policy(`
-@@ -25,6 +117,18 @@ optional_policy(`
+@@ -25,6 +119,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -126510,7 +126513,7 @@ index 9f6d4c3..23a78b4 100644
  	vlock_run(user_t, user_r)
  ')
  
-@@ -66,10 +170,6 @@ ifndef(`distro_redhat',`
+@@ -66,10 +172,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -126521,7 +126524,7 @@ index 9f6d4c3..23a78b4 100644
  		gpg_role(user_r, user_t)
  	')
  
-@@ -102,10 +202,6 @@ ifndef(`distro_redhat',`
+@@ -102,10 +204,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -126532,7 +126535,7 @@ index 9f6d4c3..23a78b4 100644
  		postgresql_role(user_r, user_t)
  	')
  
-@@ -128,7 +224,6 @@ ifndef(`distro_redhat',`
+@@ -128,7 +226,6 @@ ifndef(`distro_redhat',`
  	optional_policy(`
  		ssh_role_template(user, user_r, user_t)
  	')
@@ -126540,7 +126543,7 @@ index 9f6d4c3..23a78b4 100644
  	optional_policy(`
  		su_role_template(user, user_r, user_t)
  	')
-@@ -161,3 +256,15 @@ ifndef(`distro_redhat',`
+@@ -161,3 +258,15 @@ ifndef(`distro_redhat',`
  		wireshark_role(user_r, user_t)
  	')
  ')
@@ -126938,7 +126941,7 @@ index 078bcd7..022c7db 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..6395fe1 100644
+index fe0c682..2b21421 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -127065,7 +127068,7 @@ index fe0c682..6395fe1 100644
  	files_pid_file($1_var_run_t)
  
 -	allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
-+	allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
++	allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
  	allow $1_t self:fifo_file rw_fifo_file_perms;
 -	allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
 +	allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
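Review bot: Adding `sys_admin` to the `$1_t self:capability` set on the new line hands the broadest capability Linux has to every domain instantiated from this template, not only the AFS case the commit message cites; this looks like the body of `ssh_server_template` (its header is outside the hunk), so the grant reaches every server domain built from it. If only AFS logins need it, gate it behind a boolean so the default policy stays without it, e.g. `tunable_policy(`sshd_afs_login',` / `allow $1_t self:capability sys_admin;` / `')` (boolean name constructed, pick the project's convention), and remove `sys_admin` from the unconditional line. At minimum a comment such as `# sys_admin: needed for AFS logins` next to the line records why it is there.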
@@ -127114,12 +127117,12 @@ index fe0c682..6395fe1 100644
  
  	files_read_etc_files($1_t)
  	files_read_etc_runtime_files($1_t)
-@@ -241,35 +272,34 @@ template(`ssh_server_template', `
+@@ -241,35 +272,33 @@ template(`ssh_server_template', `
  
  	logging_search_logs($1_t)
  
 -	miscfiles_read_localization($1_t)
- 
+-
 -	userdom_create_all_users_keys($1_t)
  	userdom_dontaudit_relabelfrom_user_ptys($1_t)
 -	userdom_search_user_home_dirs($1_t)
@@ -127161,7 +127164,7 @@ index fe0c682..6395fe1 100644
  ')
  
  ########################################
-@@ -292,14 +322,15 @@ template(`ssh_server_template', `
+@@ -292,14 +321,15 @@ template(`ssh_server_template', `
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -127178,7 +127181,7 @@ index fe0c682..6395fe1 100644
  	')
  
  	##############################
-@@ -328,103 +359,56 @@ template(`ssh_role_template',`
+@@ -328,103 +358,56 @@ template(`ssh_role_template',`
  
  	# allow ps to show ssh
  	ps_process_pattern($3, ssh_t)
@@ -127292,7 +127295,7 @@ index fe0c682..6395fe1 100644
  ')
  
  ########################################
-@@ -496,8 +480,27 @@ interface(`ssh_read_pipes',`
+@@ -496,8 +479,27 @@ interface(`ssh_read_pipes',`
  		type sshd_t;
  	')
  
@@ -127321,7 +127324,7 @@ index fe0c682..6395fe1 100644
  ########################################
  ## <summary>
  ##	Read and write a ssh server unnamed pipe.
-@@ -513,7 +516,7 @@ interface(`ssh_rw_pipes',`
+@@ -513,7 +515,7 @@ interface(`ssh_rw_pipes',`
  		type sshd_t;
  	')
  
@@ -127330,7 +127333,7 @@ index fe0c682..6395fe1 100644
  ')
  
  ########################################
-@@ -605,6 +608,24 @@ interface(`ssh_domtrans',`
+@@ -605,6 +607,24 @@ interface(`ssh_domtrans',`
  
  ########################################
  ## <summary>
@@ -127355,7 +127358,7 @@ index fe0c682..6395fe1 100644
  ##	Execute the ssh client in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -637,7 +658,7 @@ interface(`ssh_setattr_key_files',`
+@@ -637,7 +657,7 @@ interface(`ssh_setattr_key_files',`
  		type sshd_key_t;
  	')
  
@@ -127364,7 +127367,7 @@ index fe0c682..6395fe1 100644
  	files_search_pids($1)
  ')
  
-@@ -662,6 +683,42 @@ interface(`ssh_agent_exec',`
+@@ -662,6 +682,42 @@ interface(`ssh_agent_exec',`
  
  ########################################
  ## <summary>
@@ -127407,7 +127410,7 @@ index fe0c682..6395fe1 100644
  ##	Read ssh home directory content
  ## </summary>
  ## <param name="domain">
-@@ -701,6 +758,50 @@ interface(`ssh_domtrans_keygen',`
+@@ -701,6 +757,50 @@ interface(`ssh_domtrans_keygen',`
  
  ########################################
  ## <summary>
@@ -127458,7 +127461,7 @@ index fe0c682..6395fe1 100644
  ##	Read ssh server keys
  ## </summary>
  ## <param name="domain">
-@@ -714,7 +815,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -714,7 +814,7 @@ interface(`ssh_dontaudit_read_server_keys',`
  		type sshd_key_t;
  	')
  
@@ -127467,7 +127470,7 @@ index fe0c682..6395fe1 100644
  ')
  
  ######################################
-@@ -754,3 +855,101 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +854,101 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -132372,10 +132375,10 @@ index a97a096..f65892c 100644
 +
 +/var/run/blkid(/.*)?		gen_context(system_u:object_r:fsadm_var_run_t,s0)
 diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
-index 016a770..927f4b8 100644
+index 016a770..1effeb4 100644
 --- a/policy/modules/system/fstools.if
 +++ b/policy/modules/system/fstools.if
-@@ -154,3 +154,23 @@ interface(`fstools_getattr_swap_files',`
+@@ -154,3 +154,24 @@ interface(`fstools_getattr_swap_files',`
  
  	allow $1 swapfile_t:file getattr;
  ')
@@ -132396,6 +132399,7 @@ index 016a770..927f4b8 100644
 +	')
 +
 +	files_search_pids($1)
++	manage_dirs_pattern($1, fsadm_var_run_t, fsadm_var_run_t)
 +	manage_files_pattern($1, fsadm_var_run_t, fsadm_var_run_t)
 +	files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
 +')
@@ -133934,7 +133938,7 @@ index d26fe81..95c1bd8 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..c57afad 100644
+index 4a88fa1..fe91700 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,24 @@ gen_require(`
@@ -134170,7 +134174,7 @@ index 4a88fa1..c57afad 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -183,29 +269,177 @@ ifdef(`distro_gentoo',`
+@@ -183,29 +269,176 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -134227,9 +134231,7 @@ index 4a88fa1..c57afad 100644
 +
 +kernel_list_unlabeled(init_t)
 +kernel_read_network_state(init_t)
-+kernel_rw_kernel_sysctl(init_t)
-+kernel_rw_net_sysctls(init_t)
-+kernel_read_all_sysctls(init_t)
++kernel_rw_all_sysctls(init_t)
 +kernel_read_software_raid_state(init_t)
 +kernel_unmount_debugfs(init_t)
 +kernel_setsched(init_t)
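Review bot: Replacing the three targeted grants with `kernel_rw_all_sysctls(init_t)` lets init_t write every sysctl, including the ones the removed `kernel_read_all_sysctls` line only allowed it to read, and nothing in the hunk says which write prompted the change. A one-line comment above the call, e.g. `# systemd needs write access beyond the net/kernel sysctls it previously had`, would let a later reviewer judge whether the blanket grant is still needed. If this is for systemd applying sysctl.d settings at boot, naming that would be better still; the hunk does not show it, so confirm before writing it down.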
@@ -134317,6 +134319,7 @@ index 4a88fa1..c57afad 100644
 +systemd_relabelto_fifo_file_passwd_run(init_t)
 +systemd_relabel_unit_dirs(init_t)
 +systemd_relabel_unit_files(init_t)
++systemd_create_unit_dirs(initrc_t)
 +systemd_config_all_services(initrc_t)
 +systemd_read_unit_files(initrc_t)
 +
@@ -134356,7 +134359,7 @@ index 4a88fa1..c57afad 100644
  ')
  
  optional_policy(`
-@@ -213,6 +447,27 @@ optional_policy(`
+@@ -213,6 +446,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134384,7 +134387,7 @@ index 4a88fa1..c57afad 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -222,8 +477,9 @@ optional_policy(`
+@@ -222,8 +476,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -134396,7 +134399,7 @@ index 4a88fa1..c57afad 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -251,12 +507,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -251,12 +506,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -134413,7 +134416,7 @@ index 4a88fa1..c57afad 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -272,23 +532,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -272,23 +531,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -134456,7 +134459,7 @@ index 4a88fa1..c57afad 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -296,9 +569,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -296,9 +568,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -134468,7 +134471,7 @@ index 4a88fa1..c57afad 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -306,8 +581,10 @@ dev_write_framebuffer(initrc_t)
+@@ -306,8 +580,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -134479,7 +134482,7 @@ index 4a88fa1..c57afad 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -315,17 +592,16 @@ dev_manage_generic_files(initrc_t)
+@@ -315,17 +591,16 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -134499,7 +134502,7 @@ index 4a88fa1..c57afad 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -333,6 +609,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -333,6 +608,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -134507,7 +134510,7 @@ index 4a88fa1..c57afad 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -340,8 +617,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -340,8 +616,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -134519,7 +134522,7 @@ index 4a88fa1..c57afad 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -357,8 +636,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -357,8 +635,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -134533,7 +134536,7 @@ index 4a88fa1..c57afad 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -368,9 +651,13 @@ fs_mount_all_fs(initrc_t)
+@@ -368,9 +650,13 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -134548,7 +134551,7 @@ index 4a88fa1..c57afad 100644
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
  
-@@ -380,6 +667,7 @@ mls_process_read_up(initrc_t)
+@@ -380,6 +666,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -134556,7 +134559,7 @@ index 4a88fa1..c57afad 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -391,6 +679,7 @@ term_use_all_terms(initrc_t)
+@@ -391,6 +678,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -134564,7 +134567,7 @@ index 4a88fa1..c57afad 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -409,20 +698,18 @@ logging_read_all_logs(initrc_t)
+@@ -409,20 +697,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -134588,7 +134591,7 @@ index 4a88fa1..c57afad 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -476,6 +763,10 @@ ifdef(`distro_gentoo',`
+@@ -476,6 +762,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -134599,7 +134602,7 @@ index 4a88fa1..c57afad 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -496,7 +787,7 @@ ifdef(`distro_redhat',`
+@@ -496,7 +786,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -134608,7 +134611,7 @@ index 4a88fa1..c57afad 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -511,6 +802,7 @@ ifdef(`distro_redhat',`
+@@ -511,6 +801,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -134616,7 +134619,7 @@ index 4a88fa1..c57afad 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -531,6 +823,7 @@ ifdef(`distro_redhat',`
+@@ -531,6 +822,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -134624,7 +134627,7 @@ index 4a88fa1..c57afad 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -540,8 +833,40 @@ ifdef(`distro_redhat',`
+@@ -540,8 +832,40 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -134665,7 +134668,7 @@ index 4a88fa1..c57afad 100644
  	')
  
  	optional_policy(`
-@@ -549,14 +874,31 @@ ifdef(`distro_redhat',`
+@@ -549,14 +873,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -134697,7 +134700,7 @@ index 4a88fa1..c57afad 100644
  	')
  ')
  
-@@ -567,6 +909,39 @@ ifdef(`distro_suse',`
+@@ -567,6 +908,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -134737,7 +134740,7 @@ index 4a88fa1..c57afad 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +954,8 @@ optional_policy(`
+@@ -579,6 +953,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -134746,7 +134749,7 @@ index 4a88fa1..c57afad 100644
  ')
  
  optional_policy(`
-@@ -600,6 +977,7 @@ optional_policy(`
+@@ -600,6 +976,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -134754,7 +134757,7 @@ index 4a88fa1..c57afad 100644
  ')
  
  optional_policy(`
-@@ -612,6 +990,17 @@ optional_policy(`
+@@ -612,6 +989,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134772,7 +134775,7 @@ index 4a88fa1..c57afad 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -628,9 +1017,13 @@ optional_policy(`
+@@ -628,9 +1016,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -134786,7 +134789,7 @@ index 4a88fa1..c57afad 100644
  	')
  
  	optional_policy(`
-@@ -655,6 +1048,10 @@ optional_policy(`
+@@ -655,6 +1047,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134797,7 +134800,7 @@ index 4a88fa1..c57afad 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -672,6 +1069,15 @@ optional_policy(`
+@@ -672,6 +1068,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134813,7 +134816,7 @@ index 4a88fa1..c57afad 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -712,6 +1118,7 @@ optional_policy(`
+@@ -712,6 +1117,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -134821,7 +134824,7 @@ index 4a88fa1..c57afad 100644
  ')
  
  optional_policy(`
-@@ -729,7 +1136,14 @@ optional_policy(`
+@@ -729,7 +1135,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134836,7 +134839,7 @@ index 4a88fa1..c57afad 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -752,6 +1166,10 @@ optional_policy(`
+@@ -752,6 +1165,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134847,7 +134850,7 @@ index 4a88fa1..c57afad 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -761,10 +1179,20 @@ optional_policy(`
+@@ -761,10 +1178,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134868,7 +134871,7 @@ index 4a88fa1..c57afad 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -773,6 +1201,10 @@ optional_policy(`
+@@ -773,6 +1200,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134879,7 +134882,7 @@ index 4a88fa1..c57afad 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -794,8 +1226,6 @@ optional_policy(`
+@@ -794,8 +1225,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -134888,7 +134891,7 @@ index 4a88fa1..c57afad 100644
  ')
  
  optional_policy(`
-@@ -804,6 +1234,10 @@ optional_policy(`
+@@ -804,6 +1233,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134899,7 +134902,7 @@ index 4a88fa1..c57afad 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -813,10 +1247,12 @@ optional_policy(`
+@@ -813,10 +1246,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -134912,7 +134915,7 @@ index 4a88fa1..c57afad 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -828,8 +1264,6 @@ optional_policy(`
+@@ -828,8 +1263,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134921,7 +134924,7 @@ index 4a88fa1..c57afad 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_pid_dirs(initrc_t)
  	udev_manage_rules_files(initrc_t)
-@@ -840,12 +1274,30 @@ optional_policy(`
+@@ -840,12 +1273,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134954,7 +134957,7 @@ index 4a88fa1..c57afad 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -855,6 +1307,18 @@ optional_policy(`
+@@ -855,6 +1306,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -134973,7 +134976,7 @@ index 4a88fa1..c57afad 100644
  ')
  
  optional_policy(`
-@@ -870,6 +1334,10 @@ optional_policy(`
+@@ -870,6 +1333,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134984,7 +134987,7 @@ index 4a88fa1..c57afad 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -880,3 +1348,185 @@ optional_policy(`
+@@ -880,3 +1347,185 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -141397,10 +141400,10 @@ index 0000000..6d7c302
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..5d53f08
+index 0000000..059885e
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,924 @@
+@@ -0,0 +1,943 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -141518,6 +141521,25 @@ index 0000000..5d53f08
 +	allow $1 systemd_unit_file_type:dir list_dir_perms;
 +')
 +
++######################################
++## <summary>
++##      Allow domain to list systemd unit dirs.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`systemd_create_unit_dirs',`
++        gen_require(`
++                attribute systemd_unit_file_type;
++        ')
++	
++	files_search_var_lib($1)
++	allow $1 systemd_unit_file_type:dir create;
++')
++
 +#####################################
 +## <summary>
 +##      Allow domain to getattr all systemd unit files.
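Review bot: The new `systemd_create_unit_dirs` interface grants only `create` on `systemd_unit_file_type:dir`, which covers the new directory itself but not adding its entry to the parent directory (`add_name write search`); if the parent carries the same attribute, as the commit message's "init scripts are creating systemd_unit_file_t directories" suggests, the `systemd_create_unit_dirs(initrc_t)` call added in the init.te hunk earlier in this diff will still be denied, and `create_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)` expresses the full set. The summary `Allow domain to list systemd unit dirs.` is copied from the neighbouring interface and describes the wrong permission; it should read `Allow domain to create systemd unit dirs.`. The body also mixes eight-space indentation with the tabs the adjacent lines use and leaves a tab-only blank line after the `gen_require` block.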
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 916914e..5fa2677 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -17084,7 +17084,7 @@ index f706b99..3b4f593 100644
 +	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
  ')
 diff --git a/devicekit.te b/devicekit.te
-index 1819518..1363f96 100644
+index 1819518..2cd919b 100644
 --- a/devicekit.te
 +++ b/devicekit.te
 @@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.0)
@@ -17202,7 +17202,15 @@ index 1819518..1363f96 100644
  	dbus_system_bus_client(devicekit_disk_t)
  
  	allow devicekit_disk_t devicekit_t:dbus send_msg;
-@@ -170,6 +182,10 @@ optional_policy(`
+@@ -156,6 +168,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	mount_domtrans(devicekit_disk_t)
++	mount_read_pid_files(devicekit_disk_t)
+ ')
+ 
+ optional_policy(`
+@@ -170,6 +183,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17213,7 +17221,7 @@ index 1819518..1363f96 100644
  	udev_domtrans(devicekit_disk_t)
  	udev_read_db(devicekit_disk_t)
  ')
-@@ -178,55 +194,84 @@ optional_policy(`
+@@ -178,55 +195,84 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -17305,7 +17313,7 @@ index 1819518..1363f96 100644
  
  userdom_read_all_users_state(devicekit_power_t)
  
-@@ -235,10 +280,16 @@ optional_policy(`
+@@ -235,10 +281,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17322,7 +17330,7 @@ index 1819518..1363f96 100644
  	dbus_system_bus_client(devicekit_power_t)
  
  	allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -261,14 +312,21 @@ optional_policy(`
+@@ -261,14 +313,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17345,7 +17353,7 @@ index 1819518..1363f96 100644
  	policykit_dbus_chat(devicekit_power_t)
  	policykit_domtrans_auth(devicekit_power_t)
  	policykit_read_lib(devicekit_power_t)
-@@ -276,9 +334,31 @@ optional_policy(`
+@@ -276,9 +335,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21279,10 +21287,10 @@ index 0000000..c4c7510
 +')
 diff --git a/firewalld.te b/firewalld.te
 new file mode 100644
-index 0000000..a7fcf3c
+index 0000000..97cb441
 --- /dev/null
 +++ b/firewalld.te
-@@ -0,0 +1,94 @@
+@@ -0,0 +1,95 @@
 +
 +policy_module(firewalld,1.0.0)
 +
@@ -21329,7 +21337,8 @@ index 0000000..a7fcf3c
 +
 +# should be fixed to cooperate with systemd to create /var/run/firewalld directory
 +manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
-+files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file })
++files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
++can_exec(firewalld_t, firewalld_var_run_t)
 +
 +kernel_read_network_state(firewalld_t)
 +kernel_read_system_state(firewalld_t)
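Review bot: `can_exec(firewalld_t, firewalld_var_run_t)` together with the `manage_files_pattern` two lines above makes `firewalld_var_run_t` both writable and executable by firewalld_t, so anything that ends up under /run/firewalld with that type can be executed in the daemon's own domain. A comment naming the file the daemon executes would justify the grant, e.g. `# firewalld executes <generated file> under /run/firewalld` (placeholder, fill in the real file); if it is a generated script, a dedicated executable type with a file transition would keep write and execute on different types. The `{ file }` to `file` change on the filetrans line is cosmetic.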
@@ -34369,7 +34378,7 @@ index 3a73e74..60e7237 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index b397fde..17b14ad 100644
+index b397fde..9ba2af3 100644
 --- a/mozilla.if
 +++ b/mozilla.if
 @@ -18,10 +18,11 @@
@@ -34420,7 +34429,7 @@ index b397fde..17b14ad 100644
  ')
  
  ########################################
-@@ -193,11 +211,38 @@ interface(`mozilla_domtrans',`
+@@ -193,11 +211,35 @@ interface(`mozilla_domtrans',`
  #
  interface(`mozilla_domtrans_plugin',`
  	gen_require(`
@@ -34434,13 +34443,10 @@ index b397fde..17b14ad 100644
  	domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
 +	domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
 +	allow mozilla_plugin_t $1:process signull;
++	dontaudit mozilla_plugin_config_t $1:file read_inherited_file_perms;
 +	allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
 +	allow $1 mozilla_plugin_t:fd use;
 +
-+	#tunable_policy(`deny_ptrace',`',`
-+	#	allow $1 mozilla_plugin_t:process ptrace;
-+	#')
-+
 +	allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
 +	allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms };
 +	allow mozilla_plugin_t $1:shm { rw_shm_perms destroy };
@@ -34460,7 +34466,7 @@ index b397fde..17b14ad 100644
  	allow mozilla_plugin_t $1:process signull;
  ')
  
-@@ -224,6 +269,32 @@ interface(`mozilla_run_plugin',`
+@@ -224,6 +266,32 @@ interface(`mozilla_run_plugin',`
  
  	mozilla_domtrans_plugin($1)
  	role $2 types mozilla_plugin_t;
@@ -34493,7 +34499,7 @@ index b397fde..17b14ad 100644
  ')
  
  ########################################
-@@ -265,9 +336,27 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -265,9 +333,27 @@ interface(`mozilla_rw_tcp_sockets',`
  	allow $1 mozilla_t:tcp_socket rw_socket_perms;
  ')
  
@@ -34522,7 +34528,7 @@ index b397fde..17b14ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -275,28 +364,118 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -275,28 +361,118 @@ interface(`mozilla_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -34553,8 +34559,9 @@ index b397fde..17b14ad 100644
  	gen_require(`
 -		type mozilla_plugin_tmpfs_t;
 +		type mozilla_plugin_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 mozilla_plugin_tmpfs_t:file unlink;
 +	dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
 +')
 +
@@ -34574,7 +34581,7 @@ index b397fde..17b14ad 100644
 +    ')
 +
 +    dontaudit $1 mozilla_plugin_tmp_t:file { read write };
-+')
+ ')
 +
 +########################################
 +## <summary>
@@ -34609,11 +34616,10 @@ index b397fde..17b14ad 100644
 +interface(`mozilla_plugin_read_rw_files',`
 +	gen_require(`
 +		type mozilla_plugin_rw_t;
- 	')
- 
--	allow $1 mozilla_plugin_tmpfs_t:file unlink;
++	')
++
 +	read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
- ')
++')
 +
 +########################################
 +## <summary>
@@ -62140,7 +62146,7 @@ index bcdd16c..039b0c8 100644
  	files_list_var_lib($1)
  	admin_pattern($1, setroubleshoot_var_lib_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 086cd5f..08ef0c7 100644
+index 086cd5f..ab3ba4d 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
 @@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -62283,7 +62289,7 @@ index 086cd5f..08ef0c7 100644
  files_list_tmp(setroubleshoot_fixit_t)
  
  auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -162,7 +192,16 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -162,9 +192,19 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
  logging_send_audit_msgs(setroubleshoot_fixit_t)
  logging_send_syslog_msg(setroubleshoot_fixit_t)
  
@@ -62300,7 +62306,10 @@ index 086cd5f..08ef0c7 100644
 +')
  
  optional_policy(`
++	rpm_exec(setroubleshoot_fixit_t)
  	rpm_signull(setroubleshoot_fixit_t)
+ 	rpm_read_db(setroubleshoot_fixit_t)
+ 	rpm_dontaudit_manage_db(setroubleshoot_fixit_t)
 diff --git a/sge.fc b/sge.fc
 new file mode 100644
 index 0000000..160ddc2
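Review bot: `rpm_exec(setroubleshoot_fixit_t)` runs rpm inside setroubleshoot_fixit_t instead of transitioning to rpm_t, so rpm operates with the fixit domain's permissions and any database write would be denied, which is consistent with the `rpm_dontaudit_manage_db` line below. If the intent is that fixit only runs rpm queries, a comment such as `# rpm is run for queries only; no domain transition on purpose` makes that explicit; if fixit ever needs rpm to change the system, `rpm_domtrans` is the interface to use instead. The enclosing `optional_policy` block closes outside the hunk.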
@@ -70997,7 +71006,7 @@ index 6f0736b..408a20a 100644
 +	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 947bbc6..d17661a 100644
+index 947bbc6..609bc32 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -5,56 +5,104 @@ policy_module(virt, 1.5.0)
@@ -71242,12 +71251,13 @@ index 947bbc6..d17661a 100644
  
  corenet_udp_sendrecv_generic_if(svirt_t)
  corenet_udp_sendrecv_generic_node(svirt_t)
-@@ -131,67 +223,69 @@ corenet_udp_bind_all_ports(svirt_t)
+@@ -131,67 +223,71 @@ corenet_udp_bind_all_ports(svirt_t)
  corenet_tcp_bind_all_ports(svirt_t)
  corenet_tcp_connect_all_ports(svirt_t)
  
 -dev_list_sysfs(svirt_t)
--
++miscfiles_read_generic_certs(svirt_t)
+ 
 -userdom_search_user_home_content(svirt_t)
 -userdom_read_user_home_content_symlinks(svirt_t)
 -userdom_read_all_users_state(svirt_t)
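Review bot: `miscfiles_read_generic_certs(svirt_t)` grants every guest's qemu process read access to everything labelled cert_t, not just the certificate the hypervisor needs, because svirt_t is the single domain shared by all confined guests and MCS categories ordinarily do not restrict files that carry none. Any private key an administrator has left under a cert_t path on the host therefore becomes readable from a compromised VM process, which is a larger exposure than the changelog's one-liner suggests. The line deserves a comment naming the consumer, e.g. `# qemu reads host TLS certs directly (presumably VNC/SPICE TLS); key material must not share the cert_t label`, plus a check that the key files used for that purpose are labelled separately. The svirt_t rule block continues on both sides of the hunk.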
@@ -71353,7 +71363,7 @@ index 947bbc6..d17661a 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -202,19 +296,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -202,19 +298,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -71388,7 +71398,7 @@ index 947bbc6..d17661a 100644
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
  manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
  manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -225,16 +328,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -225,16 +330,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -71412,7 +71422,7 @@ index 947bbc6..d17661a 100644
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
-@@ -247,22 +356,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -247,22 +358,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -71446,7 +71456,7 @@ index 947bbc6..d17661a 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +388,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -270,6 +390,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -71465,7 +71475,7 @@ index 947bbc6..d17661a 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -284,7 +414,8 @@ term_use_ptmx(virtd_t)
+@@ -284,7 +416,8 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -71475,7 +71485,7 @@ index 947bbc6..d17661a 100644
  miscfiles_read_generic_certs(virtd_t)
  miscfiles_read_hwdata(virtd_t)
  
-@@ -293,17 +424,36 @@ modutils_read_module_config(virtd_t)
+@@ -293,17 +426,36 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -71512,7 +71522,7 @@ index 947bbc6..d17661a 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +472,10 @@ optional_policy(`
+@@ -322,6 +474,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -71523,7 +71533,7 @@ index 947bbc6..d17661a 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -335,19 +489,34 @@ optional_policy(`
+@@ -335,19 +491,34 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(virtd_t)
  	')
@@ -71559,7 +71569,7 @@ index 947bbc6..d17661a 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -362,6 +531,12 @@ optional_policy(`
+@@ -362,6 +533,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -71572,7 +71582,7 @@ index 947bbc6..d17661a 100644
  	policykit_dbus_chat(virtd_t)
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +544,11 @@ optional_policy(`
+@@ -369,11 +546,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -71589,7 +71599,7 @@ index 947bbc6..d17661a 100644
  ')
  
  optional_policy(`
-@@ -384,6 +559,7 @@ optional_policy(`
+@@ -384,6 +561,7 @@ optional_policy(`
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
@@ -71597,7 +71607,7 @@ index 947bbc6..d17661a 100644
  	xen_stream_connect(virtd_t)
  	xen_stream_connect_xenstore(virtd_t)
  	xen_read_image_files(virtd_t)
-@@ -402,35 +578,85 @@ optional_policy(`
+@@ -402,35 +580,85 @@ optional_policy(`
  #
  # virtual domains common policy
  #
@@ -71692,7 +71702,7 @@ index 947bbc6..d17661a 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -438,34 +664,627 @@ dev_write_sound(virt_domain)
+@@ -438,34 +666,628 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -71714,12 +71724,12 @@ index 947bbc6..d17661a 100644
 +fs_rw_inherited_nfs_files(virt_domain)
 +fs_rw_inherited_cifs_files(virt_domain)
 +fs_rw_inherited_noxattr_fs_files(virt_domain)
- 
--term_use_all_terms(virt_domain)
++
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
 +storage_raw_read_removable_device(virt_domain)
-+
+ 
+-term_use_all_terms(virt_domain)
 +sysnet_read_config(virt_domain)
 +
 +term_use_all_inherited_terms(virt_domain)
@@ -71755,7 +71765,7 @@ index 947bbc6..d17661a 100644
 +
 +optional_policy(`
 +	xserver_rw_shm(virt_domain)
-+')
+ ')
 +
 +tunable_policy(`virt_use_comm',`
 +	term_use_unallocated_ttys(virt_domain)
@@ -71905,7 +71915,7 @@ index 947bbc6..d17661a 100644
 +	fs_manage_nfs_dirs(virsh_t)
 +	fs_manage_nfs_files(virsh_t)
 +	fs_read_nfs_symlinks(virsh_t)
- ')
++')
 +
 +tunable_policy(`virt_use_samba',`
 +	fs_manage_cifs_files(virsh_t)
@@ -72004,6 +72014,7 @@ index 947bbc6..d17661a 100644
 +kernel_read_all_sysctls(virtd_lxc_t)
 +kernel_read_network_state(virtd_lxc_t)
 +kernel_read_system_state(virtd_lxc_t)
++kernel_request_load_module(virtd_lxc_t)
 +
 +corecmd_exec_bin(virtd_lxc_t)
 +corecmd_exec_shell(virtd_lxc_t)
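Review bot: `kernel_request_load_module(virtd_lxc_t)` is not among the changes listed in the commit message, and the hunk gives no hint which operation in the lxc driver triggers the module_request denial. This permission lets the container-setup domain make the kernel autoload modules on demand (opening a socket of an unloaded protocol family is the usual trigger), which is broader than it looks if the operation would in fact succeed without the module; in that case `kernel_dontaudit_request_load_module(virtd_lxc_t)` is the quieter and narrower fix. Whichever is right, the line needs a why-comment such as `# lxc container setup triggers module autoload (TODO: record which syscall)` and an entry in the changelog. The virtd_lxc_t rule block extends beyond the hunk on both sides.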
@@ -75010,10 +75021,10 @@ index 0000000..b34b8b4
 +
 diff --git a/zoneminder.te b/zoneminder.te
 new file mode 100644
-index 0000000..3708d3c
+index 0000000..a98b795
 --- /dev/null
 +++ b/zoneminder.te
-@@ -0,0 +1,121 @@
+@@ -0,0 +1,122 @@
 +policy_module(zoneminder, 1.0.0)
 +
 +########################################
@@ -75091,6 +75102,7 @@ index 0000000..3708d3c
 +
 +corenet_tcp_bind_http_cache_port(zoneminder_t)
 +corenet_tcp_bind_transproxy_port(zoneminder_t)
++corenet_tcp_connect_http_port(zoneminder_t)
 +
 +dev_read_sysfs(zoneminder_t)
 +dev_read_rand(zoneminder_t)
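Review bot: `corenet_tcp_connect_http_port(zoneminder_t)` lets the zoneminder daemon open TCP connections to http_port_t on any node, which covers far more than the remote cameras the changelog names (any HTTP service the host can reach, the local httpd included), and nothing in the hunk records why. At minimum the line should carry the reason, `# remote IP cameras are polled over HTTP`, so the grant is not later mistaken for a stray leftover; if camera polling is optional for some deployments, wrapping it in a `tunable_policy` the way the virt module gates its `virt_use_nfs` rules would let administrators keep it off. Cameras listening on non-standard ports will still be denied under this rule alone, so further reports on other ports are likely. The zoneminder_t rule block continues past the hunk.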
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3f2ca5b..654ac5a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 67%{?dist}
+Release: 68%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,16 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Dec 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-68
+- Allow setroubleshoot_fixit to execute rpm
+- zoneminder needs to connect to httpd ports where remote cameras are listening
+- Allow firewalld to execute content created in /run directory
+- Allow svirt_t to read generic certs
+- Dontaudit leaked ps content to mozilla plugin
+- Allow sshd_t sys_admin for use with afs logins
+- Allow systemd to read/write all sysctls
+- init scripts are creating systemd_unit_file_t directories
+
 * Fri Dec 21 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-67
 - systemd_logind_t is looking at all files under /run/user/apache
 - Allow systemd to manage all user tmp files

