[selinux-policy/f17] * Tue Jul 24 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-141 - Allow samba_net to read /proc/net
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Jul 24 13:16:38 UTC 2012
commit cc0c8060d6158afdd3e7b235417894d6746fda37
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Jul 24 15:15:47 2012 +0200
* Tue Jul 24 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-141
- Allow samba_net to read /proc/net
- Allow hplip_t to send notification dbus messages to users
- Allow mailserver_deliver to read/write own pipe
- Allow munin-plugin domains to read /etc/passwd
- Allow postfix_cleanup to use sockets created for smtpd
- Dovecot seems to be searching directories of every mountpoint, let's just dontaudit this
- Allow mozilla-plugin to read all kernel sysctls
- Allow jockey to read random/urandom
- Dontaudit dovecot to search all dirs
- Add additional params to allow cachefilesd to manage its content
- gpg agent needs to read /dev/random
- Add labelling and allow rules based on avc's from RHEL6 for amavis
policy-F16.patch | 266 +++++++++++++++++++++++++++++++--------------------
segendomainman | 26 +++++
selinux-policy.spec | 16 +++-
3 files changed, 204 insertions(+), 104 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 5648130..65efd2f 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -65913,7 +65913,7 @@ index 40e0a2a..46cc164 100644
## <summary>
## Send generic signals to user gpg processes.
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..9cbbfd4 100644
+index 9050e8c..e245bf2 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -66066,7 +66066,15 @@ index 9050e8c..9cbbfd4 100644
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
-@@ -239,34 +266,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
+@@ -230,6 +257,7 @@ corecmd_read_bin_symlinks(gpg_agent_t)
+ corecmd_search_bin(gpg_agent_t)
+ corecmd_exec_shell(gpg_agent_t)
+
++dev_read_rand(gpg_agent_t)
+ dev_read_urand(gpg_agent_t)
+
+ domain_use_interactive_fds(gpg_agent_t)
+@@ -239,34 +267,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
miscfiles_read_localization(gpg_agent_t)
# Write to the user domain tty.
@@ -66105,7 +66113,7 @@ index 9050e8c..9cbbfd4 100644
optional_policy(`
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
-@@ -301,6 +319,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+@@ -301,6 +320,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)
@@ -66113,7 +66121,7 @@ index 9050e8c..9cbbfd4 100644
corecmd_exec_bin(gpg_pinentry_t)
corenet_all_recvfrom_netlabel(gpg_pinentry_t)
-@@ -332,13 +351,15 @@ miscfiles_read_localization(gpg_pinentry_t)
+@@ -332,13 +352,15 @@ miscfiles_read_localization(gpg_pinentry_t)
# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)
@@ -66134,7 +66142,7 @@ index 9050e8c..9cbbfd4 100644
')
optional_policy(`
-@@ -347,6 +368,12 @@ optional_policy(`
+@@ -347,6 +369,12 @@ optional_policy(`
')
optional_policy(`
@@ -66147,7 +66155,7 @@ index 9050e8c..9cbbfd4 100644
pulseaudio_exec(gpg_pinentry_t)
pulseaudio_rw_home_files(gpg_pinentry_t)
pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -356,4 +383,28 @@ optional_policy(`
+@@ -356,4 +384,28 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -66502,10 +66510,10 @@ index 0000000..fb58f33
+')
diff --git a/policy/modules/apps/jockey.te b/policy/modules/apps/jockey.te
new file mode 100644
-index 0000000..56b4856
+index 0000000..0316d53
--- /dev/null
+++ b/policy/modules/apps/jockey.te
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,52 @@
+policy_module(jockey, 1.0.0)
+
+########################################
@@ -66540,6 +66548,10 @@ index 0000000..56b4856
+logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
+
+corecmd_exec_bin(jockey_t)
++corecmd_exec_shell(jockey_t)
++
++dev_read_rand(jockey_t)
++dev_read_urand(jockey_t)
+
+dev_read_sysfs(jockey_t)
+
@@ -66549,6 +66561,11 @@ index 0000000..56b4856
+files_read_usr_files(jockey_t)
+
+miscfiles_read_localization(jockey_t)
++
++optional_policy(`
++ modutils_domtrans_insmod(jockey_t)
++ modutils_read_module_config(jockey_t)
++')
diff --git a/policy/modules/apps/kde.fc b/policy/modules/apps/kde.fc
new file mode 100644
index 0000000..25e4b68
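Review bot: The new optional_policy block at the end of jockey.te gives jockey_t a domain transition into insmod via `modutils_domtrans_insmod(jockey_t)`, i.e. the ability to load kernel modules, and the preceding hunk adds `corecmd_exec_shell(jockey_t)`; neither carries a comment, and the changelog only mentions the random/urandom read. A one-line comment above the block, e.g. `# jockey loads the drivers it installs (insmod transition) -- see AVC <placeholder>`, would tell the next maintainer this privilege is intentional rather than a leftover. The earlier sections of jockey.te are outside the hunk.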
@@ -67358,7 +67375,7 @@ index fbb5c5a..2c0357f 100644
')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..ab6f730 100644
+index 2e9318b..68d2dee 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -12,6 +12,13 @@ policy_module(mozilla, 2.3.3)
@@ -67530,7 +67547,7 @@ index 2e9318b..ab6f730 100644
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -322,6 +347,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -322,31 +347,46 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -67540,8 +67557,11 @@ index 2e9318b..ab6f730 100644
+
can_exec(mozilla_plugin_t, mozilla_exec_t)
- kernel_read_kernel_sysctls(mozilla_plugin_t)
-@@ -331,22 +360,33 @@ kernel_request_load_module(mozilla_plugin_t)
+-kernel_read_kernel_sysctls(mozilla_plugin_t)
++kernel_read_all_sysctls(mozilla_plugin_t)
+ kernel_read_system_state(mozilla_plugin_t)
+ kernel_read_network_state(mozilla_plugin_t)
+ kernel_request_load_module(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
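Review bot: The replacement on the new side swaps `kernel_read_kernel_sysctls(mozilla_plugin_t)` for `kernel_read_all_sysctls(mozilla_plugin_t)`, which grants read access to every sysctl type (net, vm, fs and the rest), not only the kernel subtree the old line covered; the commit message's "all kernel sysctls" understates that. mozilla_plugin_t is the domain browser plugins run in, so this is a broad widening with no record of which denial motivated it. If the AVC named a single subtree, the narrower interface (`kernel_read_net_sysctls`, `kernel_read_vm_sysctls` or `kernel_read_fs_sysctls`) would cover it; otherwise a comment such as `# plugins read /proc/sys/<subtree> (AVC: <placeholder>)` above the line would document why the full set is needed. The mozilla_plugin_t section continues outside the hunk.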
@@ -77111,7 +77131,7 @@ index c19518a..57d0131 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..c0a4af6 100644
+index ff006ea..5bffba2 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -78917,7 +78937,7 @@ index ff006ea..c0a4af6 100644
+ attribute non_security_file_type;
+ ')
+
-+ allow $1 non_security_file_type:file_class_set unlink;
++ allow $1 non_security_file_type:file_class_set delete_file_perms;
+')
+
+########################################
@@ -86075,10 +86095,10 @@ index 0000000..3d0fd88
+')
+
diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc
-index d96fdfa..75eab43 100644
+index d96fdfa..c50d3a0 100644
--- a/policy/modules/services/amavis.fc
+++ b/policy/modules/services/amavis.fc
-@@ -2,9 +2,10 @@
+@@ -2,14 +2,16 @@
/etc/amavis\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0)
/etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0)
/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
@@ -86090,6 +86110,12 @@ index d96fdfa..75eab43 100644
ifdef(`distro_debian',`
/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
+ ')
+
++/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+ /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+ /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+ /var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
index e31d92a..1aa0718 100644
--- a/policy/modules/services/amavis.if
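Review bot: The new entry `/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)` labels the whole F-Secure tree with amavis's writable data type, and the amavis.te hunk below shows `manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)`, so amavis_t gains create/write/unlink over everything under that path. If that tree also holds the scanner's executables or configuration, amavis_t could modify the program it invokes; a more specific file_contexts entry for those subpaths (which the matcher prefers over the generic one) or a separate type would confine the manage rights to the data directories. A comment recording which subdirectory the RHEL6 AVCs were for would also help, since the changelog only says "based on avc's".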
@@ -86118,7 +86144,7 @@ index e31d92a..1aa0718 100644
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
-index deca9d3..f20cfea 100644
+index deca9d3..a25356f 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -38,7 +38,7 @@ type amavis_quarantine_t;
@@ -86148,11 +86174,11 @@ index deca9d3..f20cfea 100644
+manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
-files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
-+files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir } )
++files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } )
# var/lib files for amavis
manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
-@@ -125,9 +127,11 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t)
+@@ -125,11 +127,14 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t)
corenet_udp_bind_generic_port(amavis_t)
corenet_dontaudit_udp_bind_all_ports(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)
@@ -86163,8 +86189,11 @@ index deca9d3..f20cfea 100644
+dev_read_sysfs(amavis_t)
domain_use_interactive_fds(amavis_t)
++domain_dontaudit_read_all_domains_state(amavis_t)
-@@ -137,8 +141,10 @@ files_read_usr_files(amavis_t)
+ files_read_etc_files(amavis_t)
+ files_read_etc_runtime_files(amavis_t)
+@@ -137,8 +142,10 @@ files_read_usr_files(amavis_t)
fs_getattr_xattr_fs(amavis_t)
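Review bot: `domain_dontaudit_read_all_domains_state(amavis_t)` on the new side silences, rather than allows, amavis_t reading the /proc/<pid> state of every domain on the system, and nothing in the hunk or the changelog says what triggered it. A dontaudit this wide also hides any future denial of the same kind, which is exactly the signal an auditor would want from a mail scanner, so a comment naming the trigger is worth adding, e.g. `# amavis walks /proc/<pid> of other domains (AVC: <placeholder>); dontaudit, not allow`. The surrounding amavis_t section continues outside the hunk.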
@@ -86175,7 +86204,7 @@ index deca9d3..f20cfea 100644
# uses uptime which reads utmp - redhat bug 561383
init_read_utmp(amavis_t)
init_stream_connect_script(amavis_t)
-@@ -153,16 +159,17 @@ sysnet_use_ldap(amavis_t)
+@@ -153,16 +160,17 @@ sysnet_use_ldap(amavis_t)
userdom_dontaudit_search_user_home_dirs(amavis_t)
@@ -86200,7 +86229,7 @@ index deca9d3..f20cfea 100644
')
optional_policy(`
-@@ -171,11 +178,16 @@ optional_policy(`
+@@ -171,11 +179,16 @@ optional_policy(`
')
optional_policy(`
@@ -86217,7 +86246,7 @@ index deca9d3..f20cfea 100644
')
optional_policy(`
-@@ -188,6 +200,10 @@ optional_policy(`
+@@ -188,6 +201,10 @@ optional_policy(`
')
optional_policy(`
@@ -91059,7 +91088,7 @@ index 0000000..3b41945
+')
diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
new file mode 100644
-index 0000000..e7d2a5b
+index 0000000..40fd0ad
--- /dev/null
+++ b/policy/modules/services/cachefilesd.te
@@ -0,0 +1,145 @@
@@ -91157,8 +91186,8 @@ index 0000000..e7d2a5b
+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
+
+# Allow access to cache superstructure
-+allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
-+allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };
++manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
++manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
+
+# Permit statfs on the backing filesystem
+fs_getattr_xattr_fs(cachefilesd_t)
@@ -97884,7 +97913,7 @@ index 305ddf4..d1b97fb 100644
+ filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
')
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..58143ec 100644
+index 0f28095..41ce525 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -98160,9 +98189,11 @@ index 0f28095..58143ec 100644
logging_send_syslog_msg(hplip_t)
-@@ -696,8 +737,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -695,9 +736,12 @@ sysnet_read_config(hplip_t)
+ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
++userdom_dbus_send_all_users(hplip_t)
-lpd_read_config(hplip_t)
-lpd_manage_spool(hplip_t)
@@ -101448,7 +101479,7 @@ index e1d7dc5..13e4800 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..b2ed37a 100644
+index acf6d4f..f85a8a6 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,4 +1,4 @@
@@ -101530,15 +101561,20 @@ index acf6d4f..b2ed37a 100644
corenet_tcp_bind_sieve_port(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
-@@ -135,6 +143,7 @@ files_dontaudit_list_default(dovecot_t)
+@@ -132,9 +140,12 @@ files_read_etc_files(dovecot_t)
+ files_search_spool(dovecot_t)
+ files_search_tmp(dovecot_t)
+ files_dontaudit_list_default(dovecot_t)
++files_dontaudit_search_all_dirs(dovecot_t)
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
files_search_all_mountpoints(dovecot_t)
+files_read_var_lib_files(dovecot_t)
++files_dontaudit_search_all_dirs(dovecot_t)
init_getattr_utmp(dovecot_t)
-@@ -145,6 +154,7 @@ logging_send_syslog_msg(dovecot_t)
+@@ -145,6 +156,7 @@ logging_send_syslog_msg(dovecot_t)
miscfiles_read_generic_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)
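Review bot: `files_dontaudit_search_all_dirs(dovecot_t)` is added twice on the new side, once right after `files_dontaudit_list_default(dovecot_t)` and again after `files_read_var_lib_files(dovecot_t)`; the inner hunk header growing from +1 to +3 lines confirms both copies are new, and the changelog lists the dontaudit twice as well. Keep a single copy, placed next to the `getmntent()` comment that explains it, and drop the other. Note also that the rule silences search denials on every directory type on the system, not only mountpoints, so directory traversal by dovecot_t will no longer show in the audit log; `files_search_all_mountpoints(dovecot_t)` is already an allow two lines below, so a comment stating which paths under the mountpoints still trigger denials would justify the broad dontaudit. The dovecot_t section continues outside the hunk.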
@@ -101546,7 +101582,7 @@ index acf6d4f..b2ed37a 100644
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
userdom_manage_user_home_content_dirs(dovecot_t)
userdom_manage_user_home_content_files(dovecot_t)
-@@ -153,6 +163,7 @@ userdom_manage_user_home_content_pipes(dovecot_t)
+@@ -153,6 +165,7 @@ userdom_manage_user_home_content_pipes(dovecot_t)
userdom_manage_user_home_content_sockets(dovecot_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
@@ -101554,7 +101590,7 @@ index acf6d4f..b2ed37a 100644
mta_manage_spool(dovecot_t)
optional_policy(`
-@@ -160,10 +171,24 @@ optional_policy(`
+@@ -160,10 +173,24 @@ optional_policy(`
')
optional_policy(`
@@ -101579,7 +101615,7 @@ index acf6d4f..b2ed37a 100644
seutil_sigchld_newrole(dovecot_t)
')
-@@ -180,8 +205,8 @@ optional_policy(`
+@@ -180,8 +207,8 @@ optional_policy(`
# dovecot auth local policy
#
@@ -101590,7 +101626,7 @@ index acf6d4f..b2ed37a 100644
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +215,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -190,6 +217,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
@@ -101600,7 +101636,7 @@ index acf6d4f..b2ed37a 100644
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,9 +229,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -201,9 +231,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
@@ -101613,7 +101649,7 @@ index acf6d4f..b2ed37a 100644
dev_read_urand(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -216,7 +247,8 @@ files_read_usr_files(dovecot_auth_t)
+@@ -216,7 +249,8 @@ files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
@@ -101623,7 +101659,7 @@ index acf6d4f..b2ed37a 100644
init_rw_utmp(dovecot_auth_t)
-@@ -236,6 +268,8 @@ optional_policy(`
+@@ -236,6 +270,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
@@ -101632,7 +101668,7 @@ index acf6d4f..b2ed37a 100644
')
optional_policy(`
-@@ -243,6 +277,8 @@ optional_policy(`
+@@ -243,6 +279,8 @@ optional_policy(`
')
optional_policy(`
@@ -101641,7 +101677,7 @@ index acf6d4f..b2ed37a 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -250,23 +286,43 @@ optional_policy(`
+@@ -250,23 +288,43 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -101687,7 +101723,7 @@ index acf6d4f..b2ed37a 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -283,24 +339,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +341,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
@@ -112117,7 +112153,7 @@ index 343cee3..68e2429 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..da35763 100644
+index 64268e4..e95eb14 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,14 +20,19 @@ files_type(etc_aliases_t)
@@ -112302,7 +112338,7 @@ index 64268e4..da35763 100644
smartmon_read_tmp_files(system_mail_t)
')
-@@ -199,15 +216,16 @@ optional_policy(`
+@@ -199,20 +216,23 @@ optional_policy(`
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
@@ -112323,7 +112359,14 @@ index 64268e4..da35763 100644
########################################
#
# Mailserver delivery local policy
-@@ -220,21 +238,13 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+ #
+
++allow mailserver_delivery self:fifo_file rw_inherited_fifo_file_perms;
++
+ allow mailserver_delivery mail_spool_t:dir list_dir_perms;
+ create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+ read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,21 +240,13 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -112332,15 +112375,15 @@ index 64268e4..da35763 100644
+read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
-read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
--
++manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
++manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
+
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mailserver_delivery)
- fs_manage_cifs_files(mailserver_delivery)
- fs_manage_cifs_symlinks(mailserver_delivery)
-')
-+manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-+manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-
+-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mailserver_delivery)
- fs_manage_nfs_files(mailserver_delivery)
@@ -112350,7 +112393,7 @@ index 64268e4..da35763 100644
optional_policy(`
dovecot_manage_spool(mailserver_delivery)
-@@ -242,6 +252,10 @@ optional_policy(`
+@@ -242,6 +254,10 @@ optional_policy(`
')
optional_policy(`
@@ -112361,7 +112404,7 @@ index 64268e4..da35763 100644
# so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib(mailserver_delivery)
-@@ -249,16 +263,25 @@ optional_policy(`
+@@ -249,16 +265,25 @@ optional_policy(`
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -112389,7 +112432,7 @@ index 64268e4..da35763 100644
# Create dead.letter in user home directories.
userdom_manage_user_home_content_files(user_mail_t)
userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -277,14 +300,14 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
+@@ -277,14 +302,14 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
# files in an appropriate place for mta_user_agent
userdom_read_user_tmp_files(mta_user_agent)
@@ -112406,7 +112449,7 @@ index 64268e4..da35763 100644
# Read user temporary files.
# postfix seems to need write access if the file handle is opened read/write
userdom_rw_user_tmp_files(user_mail_t)
-@@ -292,3 +315,123 @@ optional_policy(`
+@@ -292,3 +317,123 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -112657,7 +112700,7 @@ index c358d8f..7c097ec 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
-index f17583b..923fdfb 100644
+index f17583b..fb0b1ac 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -112867,7 +112910,7 @@ index f17583b..923fdfb 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +341,35 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +341,37 @@ init_read_utmp(system_munin_plugin_t)
sysnet_exec_ifconfig(system_munin_plugin_t)
term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -112889,6 +112932,8 @@ index f17583b..923fdfb 100644
+
+kernel_read_system_state(munin_plugin_domain)
+
++auth_read_passwd(munin_plugin_domain)
++
+corecmd_exec_bin(munin_plugin_domain)
+corecmd_exec_shell(munin_plugin_domain)
+
@@ -119784,7 +119829,7 @@ index 46bee12..eccdc20 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..57dde1e 100644
+index a32c4b3..5dfcad7 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,15 @@ policy_module(postfix, 1.12.1)
@@ -119940,7 +119985,14 @@ index a32c4b3..57dde1e 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -243,12 +269,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t,
+@@ -237,18 +263,24 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+ #
+
+ allow postfix_cleanup_t self:process setrlimit;
++allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
+
+ # connect to master process
+ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
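Review bot: The new `allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;` grants more than the commit message's "use sockets created for smtpd" needs: rw_stream_socket_perms also includes bind, connect, listen and accept, none of which apply to a connection descriptor inherited from smtpd. If the AVCs showed only read/write, a narrower rule such as `allow postfix_cleanup_t postfix_smtpd_t:tcp_socket { getattr read write shutdown };` is sufficient, and a comment like `# cleanup inherits the client connection fd from smtpd` would explain why one postfix domain touches another's socket. The postfix_cleanup_t section continues outside the hunk.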
@@ -119958,7 +120010,7 @@ index a32c4b3..57dde1e 100644
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
-@@ -264,7 +295,6 @@ optional_policy(`
+@@ -264,7 +296,6 @@ optional_policy(`
# Postfix local local policy
#
@@ -119966,7 +120018,7 @@ index a32c4b3..57dde1e 100644
allow postfix_local_t self:process { setsched setrlimit };
# connect to master process
-@@ -273,6 +303,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,6 +304,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
@@ -119975,7 +120027,7 @@ index a32c4b3..57dde1e 100644
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
-@@ -286,16 +318,30 @@ mta_read_aliases(postfix_local_t)
+@@ -286,16 +319,30 @@ mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
@@ -120009,7 +120061,7 @@ index a32c4b3..57dde1e 100644
optional_policy(`
# for postalias
mailman_manage_data_files(postfix_local_t)
-@@ -304,9 +350,22 @@ optional_policy(`
+@@ -304,9 +351,22 @@ optional_policy(`
')
optional_policy(`
@@ -120032,7 +120084,7 @@ index a32c4b3..57dde1e 100644
########################################
#
# Postfix map local policy
-@@ -379,18 +438,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +439,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -120058,7 +120110,7 @@ index a32c4b3..57dde1e 100644
allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +466,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +467,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -120067,7 +120119,7 @@ index a32c4b3..57dde1e 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +487,7 @@ optional_policy(`
+@@ -420,6 +488,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -120075,7 +120127,7 @@ index a32c4b3..57dde1e 100644
')
optional_policy(`
-@@ -436,11 +504,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +505,17 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -120093,7 +120145,7 @@ index a32c4b3..57dde1e 100644
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-@@ -487,8 +561,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +562,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
@@ -120104,7 +120156,7 @@ index a32c4b3..57dde1e 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +593,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +594,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -120117,7 +120169,7 @@ index a32c4b3..57dde1e 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +617,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +618,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -120128,7 +120180,7 @@ index a32c4b3..57dde1e 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +638,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +639,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -120137,7 +120189,7 @@ index a32c4b3..57dde1e 100644
files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
-@@ -565,6 +647,14 @@ optional_policy(`
+@@ -565,6 +648,14 @@ optional_policy(`
')
optional_policy(`
@@ -120152,7 +120204,7 @@ index a32c4b3..57dde1e 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -581,17 +671,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +672,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
# for prng_exch
@@ -120179,7 +120231,7 @@ index a32c4b3..57dde1e 100644
')
optional_policy(`
-@@ -599,6 +697,12 @@ optional_policy(`
+@@ -599,6 +698,12 @@ optional_policy(`
')
optional_policy(`
@@ -120192,7 +120244,7 @@ index a32c4b3..57dde1e 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +715,6 @@ optional_policy(`
+@@ -611,7 +716,6 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -120200,7 +120252,7 @@ index a32c4b3..57dde1e 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +733,76 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +734,76 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -127215,7 +127267,7 @@ index 82cb169..9642fe3 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..a874aa4 100644
+index e30bb63..3496da1 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -1,4 +1,4 @@
@@ -127267,7 +127319,15 @@ index e30bb63..a874aa4 100644
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
-@@ -215,22 +223,31 @@ miscfiles_read_localization(samba_net_t)
+@@ -184,6 +192,7 @@ manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+
+ kernel_read_proc_symlinks(samba_net_t)
+ kernel_read_system_state(samba_net_t)
++kernel_read_network_state(samba_net_t)
+
+ corenet_all_recvfrom_unlabeled(samba_net_t)
+ corenet_all_recvfrom_netlabel(samba_net_t)
+@@ -215,22 +224,31 @@ miscfiles_read_localization(samba_net_t)
samba_read_var_files(samba_net_t)
@@ -127301,7 +127361,7 @@ index e30bb63..a874aa4 100644
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
-@@ -249,6 +266,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -249,6 +267,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow smbd_t nmbd_t:process { signal signull };
allow smbd_t nmbd_var_run_t:file rw_file_perms;
@@ -127309,7 +127369,7 @@ index e30bb63..a874aa4 100644
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
-@@ -263,12 +281,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -263,12 +282,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -127324,7 +127384,7 @@ index e30bb63..a874aa4 100644
allow smbd_t smbcontrol_t:process { signal signull };
-@@ -279,7 +298,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+@@ -279,7 +299,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -127333,7 +127393,7 @@ index e30bb63..a874aa4 100644
allow smbd_t swat_t:process signal;
-@@ -316,6 +335,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
+@@ -316,6 +336,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
dev_read_sysfs(smbd_t)
dev_read_urand(smbd_t)
@@ -127341,7 +127401,7 @@ index e30bb63..a874aa4 100644
dev_getattr_mtrr_dev(smbd_t)
dev_dontaudit_getattr_usbfs_dirs(smbd_t)
# For redhat bug 566984
-@@ -323,15 +343,18 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -323,15 +344,18 @@ dev_getattr_all_blk_files(smbd_t)
dev_getattr_all_chr_files(smbd_t)
fs_getattr_all_fs(smbd_t)
@@ -127360,7 +127420,7 @@ index e30bb63..a874aa4 100644
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -343,6 +366,7 @@ files_read_usr_files(smbd_t)
+@@ -343,6 +367,7 @@ files_read_usr_files(smbd_t)
files_search_spool(smbd_t)
# smbd seems to getattr all mountpoints
files_dontaudit_getattr_all_dirs(smbd_t)
@@ -127368,7 +127428,7 @@ index e30bb63..a874aa4 100644
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
-@@ -354,6 +378,8 @@ logging_send_syslog_msg(smbd_t)
+@@ -354,6 +379,8 @@ logging_send_syslog_msg(smbd_t)
miscfiles_read_localization(smbd_t)
miscfiles_read_public_files(smbd_t)
@@ -127377,7 +127437,7 @@ index e30bb63..a874aa4 100644
userdom_use_unpriv_users_fds(smbd_t)
userdom_search_user_home_content(smbd_t)
userdom_signal_all_users(smbd_t)
-@@ -372,6 +398,11 @@ tunable_policy(`allow_smbd_anon_write',`
+@@ -372,6 +399,11 @@ tunable_policy(`allow_smbd_anon_write',`
miscfiles_manage_public_files(smbd_t)
')
@@ -127389,7 +127449,7 @@ index e30bb63..a874aa4 100644
tunable_policy(`samba_domain_controller',`
gen_require(`
class passwd passwd;
-@@ -385,12 +416,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -385,12 +417,7 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@@ -127403,7 +127463,7 @@ index e30bb63..a874aa4 100644
')
# Support Samba sharing of NFS mount points
-@@ -410,6 +436,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -410,6 +437,10 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
@@ -127414,7 +127474,7 @@ index e30bb63..a874aa4 100644
optional_policy(`
cups_read_rw_config(smbd_t)
-@@ -422,6 +452,11 @@ optional_policy(`
+@@ -422,6 +453,11 @@ optional_policy(`
')
optional_policy(`
@@ -127426,7 +127486,7 @@ index e30bb63..a874aa4 100644
lpd_exec_lpr(smbd_t)
')
-@@ -445,26 +480,26 @@ optional_policy(`
+@@ -445,26 +481,26 @@ optional_policy(`
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
@@ -127461,7 +127521,7 @@ index e30bb63..a874aa4 100644
########################################
#
# nmbd Local policy
-@@ -484,8 +519,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +520,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -127474,7 +127534,7 @@ index e30bb63..a874aa4 100644
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -497,8 +535,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+@@ -497,8 +536,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
allow nmbd_t smbcontrol_t:process signal;
@@ -127483,7 +127543,7 @@ index e30bb63..a874aa4 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
kernel_read_kernel_sysctls(nmbd_t)
-@@ -555,18 +591,21 @@ optional_policy(`
+@@ -555,18 +592,21 @@ optional_policy(`
# smbcontrol local policy
#
@@ -127509,7 +127569,7 @@ index e30bb63..a874aa4 100644
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -574,11 +613,21 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -574,11 +614,21 @@ samba_read_winbind_pid(smbcontrol_t)
domain_use_interactive_fds(smbcontrol_t)
@@ -127532,7 +127592,7 @@ index e30bb63..a874aa4 100644
########################################
#
-@@ -644,19 +693,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +694,21 @@ auth_use_nsswitch(smbmount_t)
miscfiles_read_localization(smbmount_t)
@@ -127557,7 +127617,7 @@ index e30bb63..a874aa4 100644
########################################
#
# SWAT Local policy
-@@ -677,7 +728,8 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +729,8 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
@@ -127567,7 +127627,7 @@ index e30bb63..a874aa4 100644
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -692,12 +744,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +745,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -127582,7 +127642,7 @@ index e30bb63..a874aa4 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +764,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +765,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -127590,7 +127650,7 @@ index e30bb63..a874aa4 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -752,8 +807,12 @@ logging_send_syslog_msg(swat_t)
+@@ -752,8 +808,12 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -127603,7 +127663,7 @@ index e30bb63..a874aa4 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -783,7 +842,8 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -783,7 +843,8 @@ allow winbind_t self:udp_socket create_socket_perms;
allow winbind_t nmbd_t:process { signal signull };
@@ -127613,7 +127673,7 @@ index e30bb63..a874aa4 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -806,15 +866,19 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +867,19 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -127638,7 +127698,7 @@ index e30bb63..a874aa4 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +897,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +898,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -127646,7 +127706,7 @@ index e30bb63..a874aa4 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -850,10 +915,14 @@ domain_use_interactive_fds(winbind_t)
+@@ -850,10 +916,14 @@ domain_use_interactive_fds(winbind_t)
files_read_etc_files(winbind_t)
files_read_usr_symlinks(winbind_t)
@@ -127661,7 +127721,7 @@ index e30bb63..a874aa4 100644
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
-@@ -864,6 +933,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
+@@ -864,6 +934,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
@@ -127673,7 +127733,7 @@ index e30bb63..a874aa4 100644
kerberos_use(winbind_t)
')
-@@ -904,7 +978,8 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +979,8 @@ logging_send_syslog_msg(winbind_helper_t)
miscfiles_read_localization(winbind_helper_t)
@@ -127683,7 +127743,7 @@ index e30bb63..a874aa4 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -922,19 +997,34 @@ optional_policy(`
+@@ -922,19 +998,34 @@ optional_policy(`
#
optional_policy(`
diff --git a/segendomainman b/segendomainman
index 9f10254..a5daf08 100755
--- a/segendomainman
+++ b/segendomainman
@@ -49,6 +49,8 @@ try:
except IOError, e:
pass
+all_attributes = map(lambda x: x['name'], setools.seinfo(setools.ATTRIBUTE))
+
entrypoints = setools.seinfo(setools.ATTRIBUTE,"entry_type")[0]["types"]
alldomains = setools.seinfo(setools.ATTRIBUTE,"domain")[0]["types"]
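Review bot: `all_attributes` is built with `map(lambda x: x['name'], ...)`, which reads more naturally as `all_attributes = [x['name'] for x in setools.seinfo(setools.ATTRIBUTE)]`. Under Python 2, which the surrounding `except IOError, e:` indicates, `map` already yields a list, so both forms behave the same here; the comprehension also keeps the later `in` membership tests working if the script is ever run under Python 3, where `map` returns a one-shot iterator. The enclosing `try` block starts outside the hunk.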
@@ -102,8 +104,11 @@ control.
self.anon_list = []
self.fd = open("%s/%s_selinux.8" % (path, domainname), 'w')
+ self.attributes = setools.seinfo(setools.TYPE,("httpd_t"))[0]["attributes"]
+
self.header()
self.booleans()
+ self.nsswitch_domain()
self.public_content()
self.file_context()
self.port_types()
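Review bot: `self.attributes` is filled from a hard-coded type, `setools.seinfo(setools.TYPE,("httpd_t"))`, rather than from the domain the man page is being generated for, so every generated page inherits httpd_t's attribute list and `nsswitch_domain()` will advise turning on nsswitch booleans for domains that do not carry the attribute (and omit the advice for domains that do). The method already has `domainname` in scope on the `open(...)` line above; the query should be `self.attributes = setools.seinfo(setools.TYPE, domainname)[0]["attributes"]` — `("httpd_t")` is a parenthesised string, not a tuple, so this is a plain argument swap. If `seinfo` returns an empty list for a type it does not know, the `[0]` would raise IndexError; a guard or a comment stating the expected input would help. The enclosing method (presumably the constructor) starts and ends outside the hunk.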
@@ -238,6 +243,27 @@ SELinux policy is customizable based on least access required. %s policy is ext
self.fd.write(self.booltext)
+ def nsswitch_domain(self):
+ nsswitch_booleans = ['authlogin_nsswitch_use_ldap', 'allow_kerberos','allow_ypbind']
+ nsswitchbooltext = ""
+ if "nsswitch_domain" in all_attributes:
+ self.fd.write("""
+.SH NSSWITCH DOMAIN
+""")
+ if "nsswitch_domain" in self.attributes:
+ for i in nsswitch_booleans:
+ desc = seobject.booleans_dict[i][2][0].lower() + seobject.booleans_dict[i][2][1:-1]
+ nsswitchbooltext += """
+.PP
+If you want to %s, you must turn on the %s boolean.
+
+.EX
+setsebool -P %s 1
+.EE
+""" % (desc, i, i)
+
+ self.fd.write(nsswitchbooltext)
+
def process_types(self):
ptypes = []
for f in alldomains:
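Review bot: In `nsswitch_domain` the `.SH NSSWITCH DOMAIN` heading is written whenever the policy defines the attribute at all (`if "nsswitch_domain" in all_attributes:`), but the section body is only produced when the domain itself carries it (`if "nsswitch_domain" in self.attributes:`), so every non-nsswitch domain gets an empty section in its man page; moving the heading `self.fd.write(...)` under the inner `if`, or combining the two tests with `and`, fixes that. The lookup `seobject.booleans_dict[i]` raises KeyError for any policy build that lacks one of the three hard-coded booleans, so each iteration should start with `if i not in seobject.booleans_dict: continue` rather than aborting the whole page. The `[2][0].lower() + ...[2][1:-1]` expression silently drops the description's last character, presumably a trailing period; a comment such as `# lower-case the first letter and strip the trailing '.' from the boolean description` would make the intent explicit. The enclosing class header is outside the hunk.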
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 50543d0..9e50ae9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 140%{?dist}
+Release: 141%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,20 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Jul 24 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-141
+- Allow samba_net to read /proc/net
+- Allow hplip_t to send notification dbus messages to users
+- Allow mailserver_deliver to read/write own pip
+- Allow munin-plugin domains to read /etc/passwd
+- Allow postfix_cleanup to use sockets create for smtpd
+- Dovecot seems to be searching directories of every mountpoint, lets just dontaudit this
+- Allow mozilla-plugin to read all kernel sysctls
+- Allow jockey to read random/urandom
+- Dontaudit dovecot to search all dirs
+- Add aditional params to allow cachedfiles to manage its content
+- gpg agent needs to read /dev/random
+- Add labelling and allow rules based on avc's from RHEL6 for amavis
+
* Wed Jul 18 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-140
- Add support for rhnsd daemon
- Allow cgclear to read cgconfig