[selinux-policy/f18] * Wed Oct 17 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-40 - Additional requirements for disable
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Oct 17 14:43:05 UTC 2012
commit b104a7daaa8370487cdcbecedf90812c0a2825d4
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Oct 17 16:42:46 2012 +0200
* Wed Oct 17 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-40
- Additional requirements for disable unconfined module when booting
- Fix label of systemd script files
- semanage can use -F /dev/stdin to get input
- syslog now uses kerberos keytabs
- Allow xserver to compromise_kernel access
- Allow nfsd to write to mount_var_run_t when running the mount command
- Add filename transition rule for bin_t directories
- Allow files to read usr_t lnk_files
- dhcpc wants chown
- Add support for new openshift labeling
- Clean up for tunable+optional statements
- Add labeling for /usr/sbin/mkhomedir_helper
- Allow antivirus domain to manage amavis spool files
- Allow rpcbind_t to read passwd
- Allow pyzor running as spamc to manage amavis spool
policy-rawhide.patch | 279 ++++++++++++++++++++++++----------
policy_contrib-rawhide.patch | 339 +++++++++++++++++++++++++-----------------
selinux-policy.spec | 20 +++-
3 files changed, 418 insertions(+), 220 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index dfc2324..524a96f 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -108517,7 +108517,7 @@ index 98b8b2d..41f4994 100644
########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 673180c..04d88d5 100644
+index 673180c..17d6f72 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.0)
@@ -108582,9 +108582,11 @@ index 673180c..04d88d5 100644
type sysadm_passwd_tmp_t;
files_tmp_file(sysadm_passwd_tmp_t)
-@@ -62,7 +66,8 @@ type useradd_t;
+@@ -61,8 +65,10 @@ files_tmp_file(sysadm_passwd_tmp_t)
+ type useradd_t;
type useradd_exec_t;
domain_obj_id_change_exemption(useradd_t)
++domain_system_change_exemption(useradd_t)
init_system_domain(useradd_t, useradd_exec_t)
-role useradd_roles types useradd_t;
+#role useradd_roles types useradd_t;
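Review bot: `#role useradd_roles types useradd_t;` at the end of this hunk leaves a commented-out role statement in the inner usermanage.te patch with no explanation of why it was disabled, while the new `domain_system_change_exemption(useradd_t)` a few lines above widens what useradd_t may do; the two changes belong together and deserve a one-line comment. The changelog entry "Additional requirements for disable unconfined module when booting" suggests the reason, so either drop the dead line or replace it with `# role/system-change exemption needed when useradd runs during boot with the unconfined module disabled` — confirm that this is the actual motivation before wording it that way. The inner usermanage.te hunk continues beyond this outer hunk.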
@@ -108592,7 +108594,7 @@ index 673180c..04d88d5 100644
########################################
#
-@@ -86,6 +91,7 @@ allow chfn_t self:unix_stream_socket connectto;
+@@ -86,6 +92,7 @@ allow chfn_t self:unix_stream_socket connectto;
kernel_read_system_state(chfn_t)
kernel_read_kernel_sysctls(chfn_t)
@@ -108600,7 +108602,7 @@ index 673180c..04d88d5 100644
selinux_get_fs_mount(chfn_t)
selinux_validate_context(chfn_t)
-@@ -94,25 +100,29 @@ selinux_compute_create_context(chfn_t)
+@@ -94,25 +101,29 @@ selinux_compute_create_context(chfn_t)
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)
@@ -108636,7 +108638,7 @@ index 673180c..04d88d5 100644
files_read_etc_runtime_files(chfn_t)
files_dontaudit_search_var(chfn_t)
files_dontaudit_search_home(chfn_t)
-@@ -120,19 +130,29 @@ files_dontaudit_search_home(chfn_t)
+@@ -120,19 +131,29 @@ files_dontaudit_search_home(chfn_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(chfn_t)
@@ -108669,7 +108671,7 @@ index 673180c..04d88d5 100644
########################################
#
# Crack local policy
-@@ -209,8 +229,8 @@ selinux_compute_create_context(groupadd_t)
+@@ -209,8 +230,8 @@ selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
@@ -108680,7 +108682,7 @@ index 673180c..04d88d5 100644
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
-@@ -218,8 +238,8 @@ init_dontaudit_write_utmp(groupadd_t)
+@@ -218,8 +239,8 @@ init_dontaudit_write_utmp(groupadd_t)
domain_use_interactive_fds(groupadd_t)
@@ -108690,7 +108692,7 @@ index 673180c..04d88d5 100644
files_read_etc_runtime_files(groupadd_t)
files_read_usr_symlinks(groupadd_t)
-@@ -229,14 +249,15 @@ corecmd_exec_bin(groupadd_t)
+@@ -229,14 +250,15 @@ corecmd_exec_bin(groupadd_t)
logging_send_audit_msgs(groupadd_t)
logging_send_syslog_msg(groupadd_t)
@@ -108709,7 +108711,7 @@ index 673180c..04d88d5 100644
auth_relabel_shadow(groupadd_t)
auth_etc_filetrans_shadow(groupadd_t)
-@@ -253,7 +274,8 @@ optional_policy(`
+@@ -253,7 +275,8 @@ optional_policy(`
')
optional_policy(`
@@ -108719,7 +108721,7 @@ index 673180c..04d88d5 100644
')
optional_policy(`
-@@ -285,6 +307,7 @@ allow passwd_t self:shm create_shm_perms;
+@@ -285,6 +308,7 @@ allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };
@@ -108727,7 +108729,7 @@ index 673180c..04d88d5 100644
allow passwd_t crack_db_t:dir list_dir_perms;
read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -293,6 +316,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -293,6 +317,7 @@ kernel_read_kernel_sysctls(passwd_t)
# for SSP
dev_read_urand(passwd_t)
@@ -108735,7 +108737,7 @@ index 673180c..04d88d5 100644
fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)
-@@ -307,26 +331,37 @@ selinux_compute_create_context(passwd_t)
+@@ -307,26 +332,38 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
@@ -108769,6 +108771,7 @@ index 673180c..04d88d5 100644
files_read_etc_runtime_files(passwd_t)
-files_manage_etc_files(passwd_t)
++files_read_usr_files(passwd_t)
files_search_var(passwd_t)
files_dontaudit_search_pids(passwd_t)
files_relabel_etc_files(passwd_t)
@@ -108778,7 +108781,7 @@ index 673180c..04d88d5 100644
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
-@@ -335,12 +370,11 @@ init_use_fds(passwd_t)
+@@ -335,12 +372,11 @@ init_use_fds(passwd_t)
logging_send_audit_msgs(passwd_t)
logging_send_syslog_msg(passwd_t)
@@ -108792,7 +108795,7 @@ index 673180c..04d88d5 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -349,9 +383,11 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -349,9 +385,11 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -108805,7 +108808,7 @@ index 673180c..04d88d5 100644
')
########################################
-@@ -398,9 +434,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -398,9 +436,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -108818,7 +108821,7 @@ index 673180c..04d88d5 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -413,7 +450,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -413,7 +452,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@@ -108826,7 +108829,7 @@ index 673180c..04d88d5 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
-@@ -423,19 +459,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -423,19 +461,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)
@@ -108848,7 +108851,7 @@ index 673180c..04d88d5 100644
')
########################################
-@@ -443,7 +477,8 @@ optional_policy(`
+@@ -443,7 +479,8 @@ optional_policy(`
# Useradd local policy
#
@@ -108858,7 +108861,7 @@ index 673180c..04d88d5 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -465,36 +500,35 @@ corecmd_exec_shell(useradd_t)
+@@ -465,36 +502,35 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -108906,7 +108909,7 @@ index 673180c..04d88d5 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -505,33 +539,36 @@ init_rw_utmp(useradd_t)
+@@ -505,33 +541,36 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@@ -108957,7 +108960,7 @@ index 673180c..04d88d5 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
-@@ -542,7 +579,8 @@ optional_policy(`
+@@ -542,7 +581,8 @@ optional_policy(`
')
optional_policy(`
@@ -108967,7 +108970,7 @@ index 673180c..04d88d5 100644
')
optional_policy(`
-@@ -550,6 +588,11 @@ optional_policy(`
+@@ -550,6 +590,11 @@ optional_policy(`
')
optional_policy(`
@@ -108979,7 +108982,7 @@ index 673180c..04d88d5 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -559,3 +602,7 @@ optional_policy(`
+@@ -559,3 +604,7 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -109150,7 +109153,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..0b6597c 100644
+index db981df..94ae2a8 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -109231,7 +109234,7 @@ index db981df..0b6597c 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -174,53 +184,77 @@ ifdef(`distro_gentoo',`
+@@ -174,53 +184,78 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -109317,6 +109320,7 @@ index db981df..0b6597c 100644
+/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/systemd/system-sleep/(.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
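Review bot: The new file context `/usr/lib/systemd/system-sleep/(.*)?` places the `(.*)?` after the slash, unlike the `/usr/lib/debug/sbin(/.*)?` form used by the neighbouring entries in this file, so the regex matches entries beneath the directory but never the directory path itself, which keeps whatever label /usr/lib gives it. Use the same idiom as the rest of corecommands.fc: `/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0)`. Keeping the directory and its contents under one pattern also makes a later relabel of the tree predictable.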
@@ -109326,7 +109330,7 @@ index db981df..0b6597c 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -235,10 +269,15 @@ ifdef(`distro_gentoo',`
+@@ -235,10 +270,15 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -109342,7 +109346,7 @@ index db981df..0b6597c 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -251,11 +290,17 @@ ifdef(`distro_gentoo',`
+@@ -251,11 +291,17 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -109364,7 +109368,7 @@ index db981df..0b6597c 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -271,6 +316,10 @@ ifdef(`distro_gentoo',`
+@@ -271,6 +317,10 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -109375,7 +109379,7 @@ index db981df..0b6597c 100644
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -290,15 +339,19 @@ ifdef(`distro_gentoo',`
+@@ -290,15 +340,19 @@ ifdef(`distro_gentoo',`
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
@@ -109396,7 +109400,7 @@ index db981df..0b6597c 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,8 +367,12 @@ ifdef(`distro_redhat', `
+@@ -314,8 +368,12 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -109409,7 +109413,7 @@ index db981df..0b6597c 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,9 +382,11 @@ ifdef(`distro_redhat', `
+@@ -325,9 +383,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -109421,7 +109425,7 @@ index db981df..0b6597c 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -376,11 +435,14 @@ ifdef(`distro_suse', `
+@@ -376,11 +436,14 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -109437,7 +109441,7 @@ index db981df..0b6597c 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -390,3 +452,12 @@ ifdef(`distro_suse', `
+@@ -390,3 +453,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -109451,7 +109455,7 @@ index db981df..0b6597c 100644
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..4c513c1 100644
+index 9e9263a..87d577e 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -122,6 +122,7 @@ interface(`corecmd_search_bin',`
@@ -109599,6 +109603,43 @@ index 9e9263a..4c513c1 100644
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
+@@ -1091,3 +1143,36 @@ interface(`corecmd_mmap_all_executables',`
+
+ mmap_files_pattern($1, bin_t, exec_type)
+ ')
++
++########################################
++## <summary>
++## Create objects in the /bin directory
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="file_type">
++## <summary>
++## The type of the object to be created
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The object class.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
++#
++interface(`corecmd_bin_filetrans',`
++ gen_require(`
++ type bin_t;
++ ')
++
++ filetrans_pattern($1, bin_t, $2, $3, $4)
++')
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 1dd0427..6d6f456 100644
--- a/policy/modules/kernel/corecommands.te
@@ -125097,7 +125138,7 @@ index 130ced9..af3532c 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..f41e39b 100644
+index d40f750..e088d08 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -125943,7 +125984,7 @@ index d40f750..f41e39b 100644
+allow xserver_t self:capability { sys_ptrace dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+
dontaudit xserver_t self:capability chown;
-+#allow xserver_t self:capability2 compromise_kernel;
++allow xserver_t self:capability2 compromise_kernel;
+
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
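Review bot: `allow xserver_t self:capability2 compromise_kernel;` is now unconditional where the previous revision kept it commented out, and nothing in the hunk records which X server operation needs it. Because this capability exists precisely to gate operations that can undermine kernel integrity, the rule should carry a comment naming the requirement (and a bug reference if one exists), e.g. `# needed for <X driver operation — TODO fill in> on kernels that enforce CAP_COMPROMISE_KERNEL`; if only some driver setups need it, a tunable would keep the default policy narrower. The xserver_t self-rule block continues outside this hunk.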
@@ -129381,7 +129422,7 @@ index d26fe81..29f6683 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..a9a155b 100644
+index 4a88fa1..24e1d33 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -130060,7 +130101,7 @@ index 4a88fa1..a9a155b 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -540,8 +825,39 @@ ifdef(`distro_redhat',`
+@@ -540,8 +825,40 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -130080,6 +130121,7 @@ index 4a88fa1..a9a155b 100644
+
+ optional_policy(`
+ devicekit_append_inherited_log_files(initrc_t)
++ devicekit_dbus_chat_power(initrc_t)
+ ')
+
+ optional_policy(`
@@ -130100,7 +130142,7 @@ index 4a88fa1..a9a155b 100644
')
optional_policy(`
-@@ -549,14 +865,31 @@ ifdef(`distro_redhat',`
+@@ -549,14 +866,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -130132,7 +130174,7 @@ index 4a88fa1..a9a155b 100644
')
')
-@@ -567,6 +900,39 @@ ifdef(`distro_suse',`
+@@ -567,6 +901,39 @@ ifdef(`distro_suse',`
')
')
@@ -130172,7 +130214,7 @@ index 4a88fa1..a9a155b 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +945,8 @@ optional_policy(`
+@@ -579,6 +946,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -130181,7 +130223,7 @@ index 4a88fa1..a9a155b 100644
')
optional_policy(`
-@@ -600,6 +968,7 @@ optional_policy(`
+@@ -600,6 +969,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -130189,7 +130231,7 @@ index 4a88fa1..a9a155b 100644
')
optional_policy(`
-@@ -612,6 +981,17 @@ optional_policy(`
+@@ -612,6 +982,17 @@ optional_policy(`
')
optional_policy(`
@@ -130207,7 +130249,7 @@ index 4a88fa1..a9a155b 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -628,9 +1008,13 @@ optional_policy(`
+@@ -628,9 +1009,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -130221,7 +130263,7 @@ index 4a88fa1..a9a155b 100644
')
optional_policy(`
-@@ -655,6 +1039,10 @@ optional_policy(`
+@@ -655,6 +1040,10 @@ optional_policy(`
')
optional_policy(`
@@ -130232,7 +130274,7 @@ index 4a88fa1..a9a155b 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -672,6 +1060,15 @@ optional_policy(`
+@@ -672,6 +1061,15 @@ optional_policy(`
')
optional_policy(`
@@ -130248,7 +130290,7 @@ index 4a88fa1..a9a155b 100644
inn_exec_config(initrc_t)
')
-@@ -712,6 +1109,7 @@ optional_policy(`
+@@ -712,6 +1110,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -130256,7 +130298,7 @@ index 4a88fa1..a9a155b 100644
')
optional_policy(`
-@@ -729,7 +1127,14 @@ optional_policy(`
+@@ -729,7 +1128,14 @@ optional_policy(`
')
optional_policy(`
@@ -130271,7 +130313,7 @@ index 4a88fa1..a9a155b 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -752,6 +1157,10 @@ optional_policy(`
+@@ -752,6 +1158,10 @@ optional_policy(`
')
optional_policy(`
@@ -130282,7 +130324,7 @@ index 4a88fa1..a9a155b 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -761,10 +1170,20 @@ optional_policy(`
+@@ -761,10 +1171,20 @@ optional_policy(`
')
optional_policy(`
@@ -130303,7 +130345,7 @@ index 4a88fa1..a9a155b 100644
quota_manage_flags(initrc_t)
')
-@@ -773,6 +1192,10 @@ optional_policy(`
+@@ -773,6 +1193,10 @@ optional_policy(`
')
optional_policy(`
@@ -130314,7 +130356,7 @@ index 4a88fa1..a9a155b 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -794,8 +1217,6 @@ optional_policy(`
+@@ -794,8 +1218,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -130323,7 +130365,7 @@ index 4a88fa1..a9a155b 100644
')
optional_policy(`
-@@ -804,6 +1225,10 @@ optional_policy(`
+@@ -804,6 +1226,10 @@ optional_policy(`
')
optional_policy(`
@@ -130334,7 +130376,7 @@ index 4a88fa1..a9a155b 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -813,10 +1238,12 @@ optional_policy(`
+@@ -813,10 +1239,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -130347,7 +130389,7 @@ index 4a88fa1..a9a155b 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -828,8 +1255,6 @@ optional_policy(`
+@@ -828,8 +1256,6 @@ optional_policy(`
')
optional_policy(`
@@ -130356,7 +130398,7 @@ index 4a88fa1..a9a155b 100644
udev_manage_pid_files(initrc_t)
udev_manage_pid_dirs(initrc_t)
udev_manage_rules_files(initrc_t)
-@@ -840,12 +1265,30 @@ optional_policy(`
+@@ -840,12 +1266,30 @@ optional_policy(`
')
optional_policy(`
@@ -130389,7 +130431,7 @@ index 4a88fa1..a9a155b 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -855,6 +1298,18 @@ optional_policy(`
+@@ -855,6 +1299,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -130408,7 +130450,7 @@ index 4a88fa1..a9a155b 100644
')
optional_policy(`
-@@ -870,6 +1325,10 @@ optional_policy(`
+@@ -870,6 +1326,10 @@ optional_policy(`
')
optional_policy(`
@@ -130419,7 +130461,7 @@ index 4a88fa1..a9a155b 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -880,3 +1339,177 @@ optional_policy(`
+@@ -880,3 +1340,177 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -131737,7 +131779,7 @@ index 0e3c2a9..40adf5a 100644
+')
+
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 9fd5be7..41d3117 100644
+index 9fd5be7..7e2a02e 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -131752,7 +131794,20 @@ index 9fd5be7..41d3117 100644
type sulogin_t;
type sulogin_exec_t;
-@@ -32,9 +31,8 @@ role system_r types sulogin_t;
+@@ -27,14 +26,21 @@ init_domain(sulogin_t, sulogin_exec_t)
+ init_system_domain(sulogin_t, sulogin_exec_t)
+ role system_r types sulogin_t;
+
++ifdef(`enable_mcs',`
++ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mcs_systemhigh)
++')
++
++ifdef(`enable_mls',`
++ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, mls_systemhigh)
++')
++
+ ########################################
+ #
# Local login local policy
#
@@ -131764,7 +131819,7 @@ index 9fd5be7..41d3117 100644
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
allow local_login_t self:sock_file read_sock_file_perms;
-@@ -51,9 +49,7 @@ allow local_login_t self:key { search write link };
+@@ -51,9 +57,7 @@ allow local_login_t self:key { search write link };
allow local_login_t local_login_lock_t:file manage_file_perms;
files_lock_filetrans(local_login_t, local_login_lock_t, file)
@@ -131775,7 +131830,7 @@ index 9fd5be7..41d3117 100644
kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctls(local_login_t)
-@@ -73,6 +69,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
+@@ -73,6 +77,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
dev_setattr_power_mgmt_dev(local_login_t)
dev_getattr_sound_dev(local_login_t)
dev_setattr_sound_dev(local_login_t)
@@ -131784,7 +131839,7 @@ index 9fd5be7..41d3117 100644
dev_dontaudit_getattr_apm_bios_dev(local_login_t)
dev_dontaudit_setattr_apm_bios_dev(local_login_t)
dev_dontaudit_read_framebuffer(local_login_t)
-@@ -117,16 +115,19 @@ term_relabel_unallocated_ttys(local_login_t)
+@@ -117,16 +123,19 @@ term_relabel_unallocated_ttys(local_login_t)
term_relabel_all_ttys(local_login_t)
term_setattr_all_ttys(local_login_t)
term_setattr_unallocated_ttys(local_login_t)
@@ -131806,7 +131861,7 @@ index 9fd5be7..41d3117 100644
userdom_spec_domtrans_all_users(local_login_t)
userdom_signal_all_users(local_login_t)
-@@ -141,19 +142,19 @@ ifdef(`distro_ubuntu',`
+@@ -141,19 +150,19 @@ ifdef(`distro_ubuntu',`
')
')
@@ -131834,7 +131889,7 @@ index 9fd5be7..41d3117 100644
')
optional_policy(`
-@@ -177,14 +178,6 @@ optional_policy(`
+@@ -177,14 +186,6 @@ optional_policy(`
')
optional_policy(`
@@ -131849,7 +131904,7 @@ index 9fd5be7..41d3117 100644
unconfined_shell_domtrans(local_login_t)
')
-@@ -215,6 +208,7 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,6 +216,7 @@ allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };
@@ -131857,7 +131912,7 @@ index 9fd5be7..41d3117 100644
kernel_read_system_state(sulogin_t)
fs_search_auto_mountpoints(sulogin_t)
-@@ -223,13 +217,16 @@ fs_rw_tmpfs_chr_files(sulogin_t)
+@@ -223,13 +225,16 @@ fs_rw_tmpfs_chr_files(sulogin_t)
files_read_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dirs(sulogin_t)
@@ -131874,7 +131929,7 @@ index 9fd5be7..41d3117 100644
seutil_read_config(sulogin_t)
seutil_read_default_contexts(sulogin_t)
-@@ -238,14 +235,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -238,14 +243,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
@@ -131901,7 +131956,7 @@ index 9fd5be7..41d3117 100644
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
-@@ -256,11 +263,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +271,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
@@ -132376,7 +132431,7 @@ index 321bb13..267fa2a 100644
+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 0034021..be3c1b1 100644
+index 0034021..ef34ce4 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.0)
@@ -132647,9 +132702,11 @@ index 0034021..be3c1b1 100644
files_read_etc_files(syslogd_t)
files_read_usr_files(syslogd_t)
-@@ -442,13 +509,16 @@ files_read_kernel_symbol_table(syslogd_t)
+@@ -441,14 +508,18 @@ files_dontaudit_search_isid_type_dirs(syslogd_t)
+ files_read_kernel_symbol_table(syslogd_t)
fs_getattr_all_fs(syslogd_t)
++fs_rw_tmpfs_files(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
+fs_search_cgroup_dirs(syslogd_t)
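Review bot: `fs_rw_tmpfs_files(syslogd_t)` grants read/write on every file labelled tmpfs_t, not only files syslogd itself created, and the hunk does not say which tmpfs-backed path it is for. If it is a specific location, a file transition to a syslogd-owned type — the way the journal directory is handled with `init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")` earlier in this patch — would scope the access to syslogd's own files. At minimum add a comment naming the path, e.g. `# syslogd_t needs rw on <tmpfs path — TODO confirm>`, so the breadth of the grant can be revisited.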
@@ -132664,7 +132721,7 @@ index 0034021..be3c1b1 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -460,8 +530,8 @@ init_use_fds(syslogd_t)
+@@ -460,8 +531,8 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -132674,10 +132731,16 @@ index 0034021..be3c1b1 100644
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
userdom_dontaudit_search_user_home_dirs(syslogd_t)
-@@ -493,15 +563,29 @@ optional_policy(`
+@@ -493,15 +564,35 @@ optional_policy(`
')
optional_policy(`
++ kerberos_keytab_template(syslogd, syslogd_t)
++ kerberos_manage_host_rcache(syslogd_t)
++ kerberos_read_config(syslogd_t)
++')
++
++optional_policy(`
+ mysql_read_config(syslogd_t)
mysql_stream_connect(syslogd_t)
')
@@ -132704,7 +132767,7 @@ index 0034021..be3c1b1 100644
')
optional_policy(`
-@@ -512,3 +596,24 @@ optional_policy(`
+@@ -512,3 +603,24 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -133775,7 +133838,7 @@ index 72c746e..f035d9f 100644
+/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
+/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..0b81a4b 100644
+index 4584457..300c3f7 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
@@ -133792,7 +133855,7 @@ index 4584457..0b81a4b 100644
')
########################################
-@@ -38,11 +45,84 @@ interface(`mount_domtrans',`
+@@ -38,11 +45,103 @@ interface(`mount_domtrans',`
#
interface(`mount_run',`
gen_require(`
@@ -133876,10 +133939,29 @@ index 4584457..0b81a4b 100644
+
+ allow $1 mount_var_run_t:file read_file_perms;
+ files_search_pids($1)
++')
++
++########################################
++## <summary>
++## Manage mount PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mount_manage_pid_files',`
++ gen_require(`
++ type mount_var_run_t;
++ ')
++
++ allow $1 mount_var_run_t:file manage_file_perms;
++ files_search_pids($1)
')
########################################
-@@ -91,7 +171,7 @@ interface(`mount_signal',`
+@@ -91,7 +190,7 @@ interface(`mount_signal',`
## </summary>
## <param name="domain">
## <summary>
@@ -133888,7 +133970,7 @@ index 4584457..0b81a4b 100644
## </summary>
## </param>
#
-@@ -131,45 +211,138 @@ interface(`mount_send_nfs_client_request',`
+@@ -131,45 +230,138 @@ interface(`mount_send_nfs_client_request',`
########################################
## <summary>
@@ -135091,7 +135173,7 @@ index 3822072..702e0e0 100644
+ logging_send_syslog_msg($1)
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..b28ba84 100644
+index ec01d0b..fd0967d 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,17 @@ gen_require(`
@@ -135594,7 +135676,7 @@ index ec01d0b..b28ba84 100644
')
########################################
-@@ -522,108 +599,172 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +599,173 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -135852,6 +135934,7 @@ index ec01d0b..b28ba84 100644
+seutil_get_semanage_read_lock(policy_manager_domain)
+
+userdom_dontaudit_write_user_home_content_files(policy_manager_domain)
++userdom_use_user_ptys(policy_manager_domain)
diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
index bea4629..06e2834 100644
--- a/policy/modules/system/setrans.fc
@@ -139380,7 +139463,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..c614a1a 100644
+index e720dcd..b106336 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -141893,7 +141976,7 @@ index e720dcd..c614a1a 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3296,3 +4126,1331 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4126,1361 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -143225,6 +143308,36 @@ index e720dcd..c614a1a 100644
+ fs_tmpfs_filetrans($1, user_tmpfs_t, $2, $3)
+')
+
++
++#######################################
++## <summary>
++## Create objects in the temporary filesystem directory
++## with an automatic type transition to
++## the user temporary filesystem type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The class of the object to be created.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
++#
++interface(`userdom_tmpfs_filetrans_to',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
++')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 6a4bd85..662afd7 100644
--- a/policy/modules/system/userdomain.te
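Review bot: The XML header of the new `userdom_tmpfs_filetrans_to` interface does not match its body: `filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)` takes the target type as `$2` and shifts class and name to `$3`/`$4`, yet the header documents only domain, object_class and name and says the transition goes "to the user temporary filesystem type", which reads as a copy of the header of the interface ending just above it (`fs_tmpfs_filetrans($1, user_tmpfs_t, $2, $3)`). The summary should read something like "Create objects in user tmpfs directories with an automatic type transition to the specified type", with a `<param name="private_type">` entry ("The type of the object to be created.") inserted between domain and object_class. Since filetrans_pattern also grants the caller rw_dir_perms on user_tmpfs_t directories, that side effect is worth a sentence in the summary as well.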
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 1c7e27e..367a19d 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -2031,10 +2031,10 @@ index 0000000..fe0cdf0
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
-index 0000000..d37aa42
+index 0000000..feabdf3
--- /dev/null
+++ b/antivirus.te
-@@ -0,0 +1,32 @@
+@@ -0,0 +1,36 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
@@ -2062,6 +2062,10 @@ index 0000000..d37aa42
+manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+
++optional_policy(`
++ amavis_manage_spool_files(antivirus_domain)
++')
++
+tunable_policy(`antivirus_can_scan_system',`
+ files_read_non_security_files(antivirus_domain)
+ files_getattr_all_pipes(antivirus_domain)
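Review bot: `amavis_manage_spool_files(antivirus_domain)` gives every domain carrying the antivirus_domain attribute create/write/delete access to the amavis spool, with no comment on why manage rather than read is required; the clamav hunk later in this patch drops `amavis_read_spool_files(clamscan_t)`, so this line is presumably where that access now comes from, but only for domains that are assigned the attribute. A short comment above the block, e.g. `# amavis-driven scanners need to manage, not just read, the spool`, would make the widening reviewable. The attribute assignment for clamscan_t is not visible in this diff, so whether clamscan keeps its amavis access cannot be confirmed here.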
@@ -3000,7 +3004,7 @@ index 6480167..e77ad76 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 0833afb..6b3a61b 100644
+index 0833afb..08c3720 100644
--- a/apache.te
+++ b/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
@@ -3709,10 +3713,14 @@ index 0833afb..6b3a61b 100644
')
optional_policy(`
-@@ -594,6 +927,32 @@ optional_policy(`
+@@ -594,6 +927,36 @@ optional_policy(`
')
optional_policy(`
++ openshift_search_lib(httpd_t)
++')
++
++optional_policy(`
+ passenger_exec(httpd_t)
+ passenger_manage_pid_content(httpd_t)
+')
@@ -3742,7 +3750,7 @@ index 0833afb..6b3a61b 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -608,6 +967,11 @@ optional_policy(`
+@@ -608,6 +971,11 @@ optional_policy(`
')
optional_policy(`
@@ -3754,7 +3762,7 @@ index 0833afb..6b3a61b 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -620,6 +984,12 @@ optional_policy(`
+@@ -620,6 +988,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -3767,7 +3775,7 @@ index 0833afb..6b3a61b 100644
########################################
#
# Apache helper local policy
-@@ -633,7 +1003,38 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -633,7 +1007,38 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -3807,7 +3815,7 @@ index 0833afb..6b3a61b 100644
########################################
#
-@@ -671,28 +1072,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -671,28 +1076,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -3851,7 +3859,7 @@ index 0833afb..6b3a61b 100644
')
########################################
-@@ -702,6 +1105,7 @@ optional_policy(`
+@@ -702,6 +1109,7 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -3859,7 +3867,7 @@ index 0833afb..6b3a61b 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -716,19 +1120,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -716,19 +1124,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -3888,7 +3896,7 @@ index 0833afb..6b3a61b 100644
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -738,15 +1150,14 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -738,15 +1154,14 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -3906,7 +3914,7 @@ index 0833afb..6b3a61b 100644
corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
corenet_udp_sendrecv_generic_if(httpd_suexec_t)
corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-@@ -757,13 +1168,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -757,13 +1172,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -3939,7 +3947,7 @@ index 0833afb..6b3a61b 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -786,6 +1215,25 @@ optional_policy(`
+@@ -786,6 +1219,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -3965,7 +3973,7 @@ index 0833afb..6b3a61b 100644
########################################
#
# Apache system script local policy
-@@ -806,12 +1254,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -806,12 +1258,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -3983,7 +3991,7 @@ index 0833afb..6b3a61b 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -820,18 +1273,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -820,18 +1277,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -4042,7 +4050,7 @@ index 0833afb..6b3a61b 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -839,14 +1324,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -839,14 +1328,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -4083,7 +4091,7 @@ index 0833afb..6b3a61b 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -859,10 +1369,20 @@ optional_policy(`
+@@ -859,10 +1373,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -4104,7 +4112,7 @@ index 0833afb..6b3a61b 100644
')
########################################
-@@ -878,11 +1398,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -878,11 +1402,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
@@ -4116,7 +4124,7 @@ index 0833afb..6b3a61b 100644
########################################
#
-@@ -908,11 +1426,138 @@ optional_policy(`
+@@ -908,11 +1430,138 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -8965,7 +8973,7 @@ index bbac14a..99c5cca 100644
+
')
diff --git a/clamav.te b/clamav.te
-index a10350e..789ac95 100644
+index a10350e..c67bb4d 100644
--- a/clamav.te
+++ b/clamav.te
@@ -1,9 +1,23 @@
@@ -9228,7 +9236,7 @@ index a10350e..789ac95 100644
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -259,15 +336,19 @@ files_search_var_lib(clamscan_t)
+@@ -259,15 +336,15 @@ files_search_var_lib(clamscan_t)
init_read_utmp(clamscan_t)
init_dontaudit_write_utmp(clamscan_t)
@@ -9239,15 +9247,11 @@ index a10350e..789ac95 100644
-mta_send_mail(clamscan_t)
+sysnet_read_config(clamscan_t)
-+
-+optional_policy(`
-+ mta_send_mail(clamscan_t)
-+ mta_read_queue(clamscan_t)
-+')
optional_policy(`
- amavis_read_spool_files(clamscan_t)
-+ amavis_manage_spool_files(clamscan_t)
++ mta_send_mail(clamscan_t)
++ mta_read_queue(clamscan_t)
')
optional_policy(`
@@ -14015,7 +14019,7 @@ index 0000000..33656de
+ sysnet_domtrans_ifconfig(ctdbd_t)
+')
diff --git a/cups.fc b/cups.fc
-index 848bb92..e6ecaa5 100644
+index 848bb92..108b23c 100644
--- a/cups.fc
+++ b/cups.fc
@@ -19,7 +19,10 @@
@@ -14029,7 +14033,7 @@ index 848bb92..e6ecaa5 100644
/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -52,18 +55,30 @@
+@@ -52,18 +55,31 @@
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -14056,13 +14060,14 @@ index 848bb92..e6ecaa5 100644
+
+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/cups.if b/cups.if
-index 305ddf4..236f5ba 100644
+index 305ddf4..f3cd95f 100644
--- a/cups.if
+++ b/cups.if
@@ -9,6 +9,11 @@
@@ -14147,7 +14152,7 @@ index 305ddf4..236f5ba 100644
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cupsd_initrc_exec_t system_r;
-@@ -341,18 +375,49 @@ interface(`cups_admin',`
+@@ -341,18 +375,53 @@ interface(`cups_admin',`
admin_pattern($1, cupsd_lpd_var_run_t)
@@ -14199,6 +14204,10 @@ index 305ddf4..236f5ba 100644
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
++ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
++ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
++ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
++ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
')
diff --git a/cups.te b/cups.te
index e5a8924..c5c823c 100644
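Review bot: The added `files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")`, `files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")` and `corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")` fire for a directory named `inf` created in any etc_t, usr_t or bin_t directory, whereas the file-context rules in cups.fc (`/usr/Brother/(.*/)?inf(/.*)?`, the new `/etc/opt/Brother/(.*/)?inf(/.*)?`, the `/usr/Printer` and `/opt/brother/Printers` patterns) only cover vendor-specific trees. A caller creating e.g. `/etc/inf` would therefore get a cupsd-writable directory that a later restorecon would presumably relabel back, a silent mismatch. Named transitions cannot be scoped to a path prefix, so the practical fix is a comment documenting the intended parents, e.g. `# "inf" driver dirs for Brother/other printer trees under /etc/opt, /usr and bin dirs; keep in sync with cups.fc`, and a check that the fc patterns and this list agree. The interface containing these lines starts above the hunk.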
@@ -16786,7 +16795,7 @@ index 5e2cea8..2ab8a14 100644
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
')
diff --git a/dhcp.te b/dhcp.te
-index ed07b26..c57c350 100644
+index ed07b26..bed6b0d 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -19,6 +19,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@@ -16804,7 +16813,7 @@ index ed07b26..c57c350 100644
#
-allow dhcpd_t self:capability { net_raw sys_resource };
-+allow dhcpd_t self:capability { dac_override sys_chroot net_raw setgid setuid sys_resource };
++allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
-allow dhcpd_t self:process signal_perms;
+allow dhcpd_t self:process { getcap setcap signal_perms };
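Review bot: The `chown` capability is added to `dhcpd_t`, the server domain defined in dhcp.te, but the changelog entry for this change reads "dhcpc wants chown", which names the client; one of the two appears to be wrong, and if the denial came from dhclient the grant belongs in the client's policy instead. If dhcpd_t really needs it, a comment on the allow line such as `# chown: <file/ownership case from the AVC — confirm>` would tie the capability to the observed denial, since new capabilities on a network daemon should be traceable.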
@@ -17983,7 +17992,7 @@ index 9bd812b..53f895e 100644
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
')
diff --git a/dnsmasq.te b/dnsmasq.te
-index fdaeeba..2b18093 100644
+index fdaeeba..a29af29 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -18031,7 +18040,7 @@ index fdaeeba..2b18093 100644
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -96,7 +98,20 @@ optional_policy(`
+@@ -96,7 +98,21 @@ optional_policy(`
')
optional_policy(`
@@ -18044,6 +18053,7 @@ index fdaeeba..2b18093 100644
+')
+
+optional_policy(`
++ networkmanager_read_conf(dnsmasq_t)
+ networkmanager_read_pid_files(dnsmasq_t)
+')
+
@@ -18052,7 +18062,7 @@ index fdaeeba..2b18093 100644
')
optional_policy(`
-@@ -113,5 +128,7 @@ optional_policy(`
+@@ -113,5 +129,7 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
@@ -21082,7 +21092,7 @@ index 9d3201b..6e75e3d 100644
+ allow $1 ftpd_unit_file_t:service all_service_perms;
')
diff --git a/ftp.te b/ftp.te
-index 80026bb..988e85c 100644
+index 80026bb..30968b3 100644
--- a/ftp.te
+++ b/ftp.te
@@ -12,7 +12,7 @@ policy_module(ftp, 1.14.0)
@@ -21388,7 +21398,7 @@ index 80026bb..988e85c 100644
########################################
#
-@@ -365,18 +430,32 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +430,34 @@ userdom_use_user_terminals(ftpdctl_t)
files_read_etc_files(sftpd_t)
@@ -21404,8 +21414,10 @@ index 80026bb..988e85c 100644
+ files_manage_non_security_files(sftpd_t)
+')
+
-+tunable_policy(`sftpd_write_ssh_home',`
-+ ssh_manage_home_files(sftpd_t)
++optional_policy(`
++ tunable_policy(`sftpd_write_ssh_home',`
++ ssh_manage_home_files(sftpd_t)
++ ')
+')
tunable_policy(`sftpd_enable_homedirs',`
@@ -21424,21 +21436,21 @@ index 80026bb..988e85c 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,19 +473,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,19 +475,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
- files_manage_non_auth_files(sftpd_t)
--')
--
++ files_manage_non_security_files(sftpd_t)
+ ')
+
-tunable_policy(`use_samba_home_dirs',`
- # allow read access to /home by default
- fs_list_cifs(sftpd_t)
- fs_read_cifs_files(sftpd_t)
- fs_read_cifs_symlinks(sftpd_t)
-+ files_manage_non_security_files(sftpd_t)
- ')
-
+-')
+-
-tunable_policy(`use_nfs_home_dirs',`
- # allow read access to /home by default
- fs_list_nfs(sftpd_t)
@@ -27721,10 +27733,10 @@ index 0000000..868c7d0
+')
diff --git a/jockey.te b/jockey.te
new file mode 100644
-index 0000000..6a0bb3e
+index 0000000..c847302
--- /dev/null
+++ b/jockey.te
-@@ -0,0 +1,58 @@
+@@ -0,0 +1,60 @@
+policy_module(jockey, 1.0.0)
+
+########################################
@@ -27770,6 +27782,8 @@ index 0000000..6a0bb3e
+files_read_etc_files(jockey_t)
+files_read_usr_files(jockey_t)
+
++auth_read_passwd(jockey_t)
++
+optional_policy(`
+ dbus_system_domain(jockey_t, jockey_exec_t)
+')
@@ -33373,7 +33387,7 @@ index b397fde..c7c031d 100644
+')
+
diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..e5a1662 100644
+index d4fcb75..1c81b41 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -33536,7 +33550,7 @@ index d4fcb75..e5a1662 100644
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
')
-@@ -297,25 +317,35 @@ optional_policy(`
+@@ -297,57 +317,88 @@ optional_policy(`
# mozilla_plugin local policy
#
@@ -33580,14 +33594,15 @@ index d4fcb75..e5a1662 100644
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -323,31 +353,51 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
-
++userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
++
+allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+
+
can_exec(mozilla_plugin_t, mozilla_exec_t)
-kernel_read_kernel_sysctls(mozilla_plugin_t)
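Review bot: `userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })` does more than add a type transition: its body is a `filetrans_pattern` on user_tmpfs_t, which also grants mozilla_plugin_t rw_dir_perms on every user_tmpfs_t directory, a new write grant into user-owned tmpfs directories that the changelog does not mention. If the goal is only that plugin-created objects inside user tmpfs directories are labeled mozilla_plugin_tmpfs_t, a comment above the call such as `# label plugin objects created in user tmpfs dirs; note this also allows rw on those dirs` would keep the extra permission visible to the next reviewer.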
@@ -33639,7 +33654,7 @@ index d4fcb75..e5a1662 100644
dev_read_video_dev(mozilla_plugin_t)
dev_write_video_dev(mozilla_plugin_t)
dev_read_sysfs(mozilla_plugin_t)
-@@ -356,6 +406,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -356,6 +407,7 @@ dev_write_sound(mozilla_plugin_t)
# for nvidia driver
dev_rw_xserver_misc(mozilla_plugin_t)
dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -33647,7 +33662,7 @@ index d4fcb75..e5a1662 100644
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -363,55 +414,57 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -363,55 +415,57 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
@@ -33726,7 +33741,7 @@ index d4fcb75..e5a1662 100644
')
optional_policy(`
-@@ -422,24 +475,39 @@ optional_policy(`
+@@ -422,24 +476,39 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(mozilla_plugin_t)
dbus_session_bus_client(mozilla_plugin_t)
@@ -33770,7 +33785,7 @@ index d4fcb75..e5a1662 100644
')
optional_policy(`
-@@ -447,10 +515,113 @@ optional_policy(`
+@@ -447,10 +516,113 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -37062,7 +37077,7 @@ index 386543b..8fe1d63 100644
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
-index 2324d9e..da61d01 100644
+index 2324d9e..b03e0f2 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
@@ -37137,7 +37152,32 @@ index 2324d9e..da61d01 100644
## Send a generic signal to NetworkManager
## </summary>
## <param name="domain">
-@@ -191,3 +236,90 @@ interface(`networkmanager_read_pid_files',`
+@@ -173,6 +218,24 @@ interface(`networkmanager_read_lib_files',`
+ read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ ')
+
++#######################################
++## <summary>
++## Read NetworkManager conf files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`networkmanager_read_conf',`
++ gen_require(`
++ type NetworkManager_etc_t;
++ ')
++
++ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Read NetworkManager PID files.
+@@ -191,3 +254,90 @@ interface(`networkmanager_read_pid_files',`
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
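Review bot: The new `networkmanager_read_conf` interface does not follow the convention of its sibling just below, which calls `files_search_pids($1)` before the allow; reading NetworkManager_etc_t content needs search on the parent directories, so `files_search_etc($1)` should precede the pattern call. Its body, `read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)`, also omits the spaces after commas that every other pattern call in this file uses (compare `read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)` a few lines above), and its banner is one `#` short of the 40-column banner used by the neighbouring interfaces. The same short banner appears on the new `userdom_tmpfs_filetrans_to` interface earlier in this patch.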
@@ -38378,7 +38418,7 @@ index 85188dc..2b37836 100644
+ allow $1 nscd_unit_file_t:service all_service_perms;
')
diff --git a/nscd.te b/nscd.te
-index 7936e09..a505c8f 100644
+index 7936e09..2814186 100644
--- a/nscd.te
+++ b/nscd.te
@@ -4,6 +4,13 @@ gen_require(`
@@ -38459,7 +38499,7 @@ index 7936e09..a505c8f 100644
cron_read_system_job_tmp_files(nscd_t)
')
-@@ -127,3 +141,17 @@ optional_policy(`
+@@ -127,3 +141,19 @@ optional_policy(`
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
@@ -38469,7 +38509,9 @@ index 7936e09..a505c8f 100644
+ samba_append_log(nscd_t)
+ samba_dontaudit_use_fds(nscd_t)
+ ')
++')
+
++optional_policy(`
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+')
@@ -40209,13 +40251,14 @@ index 0000000..e9f259e
+ dbus_system_bus_client(obex_t)
+')
diff --git a/oddjob.fc b/oddjob.fc
-index 9c272c2..0132b08 100644
+index 9c272c2..7e2287c 100644
--- a/oddjob.fc
+++ b/oddjob.fc
-@@ -1,7 +1,6 @@
+@@ -1,7 +1,7 @@
/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
++/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
-/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
@@ -40720,7 +40763,7 @@ index 0000000..a437f80
+files_read_config_files(openshift_domain)
diff --git a/openshift.fc b/openshift.fc
new file mode 100644
-index 0000000..8283601
+index 0000000..817a3a9
--- /dev/null
+++ b/openshift.fc
@@ -0,0 +1,23 @@
@@ -40739,10 +40782,10 @@ index 0000000..8283601
+
+/var/log/mcollective\.log -- gen_context(system_u:object_r:openshift_log_t,s0)
+
-+/usr/bin/rhc-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
++/usr/bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
+
-+/usr/bin/rhc-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
-+/usr/bin/rhc-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)
++/usr/bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++/usr/bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)
+/usr/bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
+/var/run/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
@@ -52813,7 +52856,7 @@ index de37806..3578975 100644
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
diff --git a/rhcs.te b/rhcs.te
-index 93c896a..1f44a24 100644
+index 93c896a..4277383 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -12,7 +12,16 @@ policy_module(rhcs, 1.1.0)
@@ -52907,7 +52950,7 @@ index 93c896a..1f44a24 100644
files_read_usr_symlinks(fenced_t)
storage_raw_read_fixed_disk(fenced_t)
-@@ -97,16 +124,35 @@ storage_raw_read_removable_device(fenced_t)
+@@ -97,16 +124,37 @@ storage_raw_read_removable_device(fenced_t)
term_getattr_pty_fs(fenced_t)
term_use_ptmx(fenced_t)
@@ -52925,11 +52968,13 @@ index 93c896a..1f44a24 100644
+ allow fenced_t self:capability { setuid setgid };
+
+ corenet_tcp_connect_ssh_port(fenced_t)
++ ')
++')
+
++optional_policy(`
+ ssh_exec(fenced_t)
+ ssh_read_user_home_files(fenced_t)
+ ')
-+')
+
+# needed by fence_scsi
+optional_policy(`
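Review bot: After this hunk `ssh_exec(fenced_t)` and `ssh_read_user_home_files(fenced_t)` sit in a plain `optional_policy(`` block with no tunable around them, whereas before the change they were inside the doubly-closed block above (a tunable nested in an optional, whose opening lies above the hunk), so as rendered here they are now granted unconditionally rather than behind the boolean. If that is not intended, the new block should be `optional_policy(` tunable_policy(`<same tunable as above>',` ... `) `)` with the two ssh lines inside. The lone indented close `')` at the end of the new block also looks like a remnant of the removed nesting and should be at column 0.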
@@ -52946,7 +52991,7 @@ index 93c896a..1f44a24 100644
')
optional_policy(`
-@@ -114,13 +160,46 @@ optional_policy(`
+@@ -114,13 +162,46 @@ optional_policy(`
lvm_read_config(fenced_t)
')
@@ -52994,7 +53039,7 @@ index 93c896a..1f44a24 100644
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -139,10 +218,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -139,10 +220,6 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
optional_policy(`
@@ -53005,7 +53050,7 @@ index 93c896a..1f44a24 100644
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
-@@ -154,12 +229,12 @@ optional_policy(`
+@@ -154,12 +231,12 @@ optional_policy(`
allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
@@ -53020,7 +53065,7 @@ index 93c896a..1f44a24 100644
init_rw_script_tmp_files(groupd_t)
-@@ -168,8 +243,7 @@ init_rw_script_tmp_files(groupd_t)
+@@ -168,8 +245,7 @@ init_rw_script_tmp_files(groupd_t)
# qdiskd local policy
#
@@ -53030,7 +53075,7 @@ index 93c896a..1f44a24 100644
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
-@@ -182,7 +256,7 @@ kernel_read_system_state(qdiskd_t)
+@@ -182,7 +258,7 @@ kernel_read_system_state(qdiskd_t)
kernel_read_software_raid_state(qdiskd_t)
kernel_getattr_core_if(qdiskd_t)
@@ -53039,7 +53084,7 @@ index 93c896a..1f44a24 100644
corecmd_exec_shell(qdiskd_t)
dev_read_sysfs(qdiskd_t)
-@@ -197,19 +271,16 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t)
+@@ -197,19 +273,16 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t)
files_dontaudit_getattr_all_sockets(qdiskd_t)
files_dontaudit_getattr_all_pipes(qdiskd_t)
@@ -53063,7 +53108,7 @@ index 93c896a..1f44a24 100644
optional_policy(`
netutils_domtrans_ping(qdiskd_t)
')
-@@ -223,18 +294,24 @@ optional_policy(`
+@@ -223,18 +296,24 @@ optional_policy(`
# rhcs domains common policy
#
@@ -54727,7 +54772,7 @@ index dddabcf..a61764b 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
-index 330d01f..344759b 100644
+index 330d01f..fd96b3c 100644
--- a/rpc.te
+++ b/rpc.te
@@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0)
@@ -54900,7 +54945,7 @@ index 330d01f..344759b 100644
')
tunable_policy(`nfs_export_all_ro',`
-@@ -170,8 +210,11 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -170,8 +210,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@@ -54911,10 +54956,11 @@ index 330d01f..344759b 100644
+
+optional_policy(`
+ mount_exec(nfsd_t)
++ mount_manage_pid_files(nfsd_t)
')
########################################
-@@ -181,7 +224,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -181,7 +225,7 @@ tunable_policy(`nfs_export_all_ro',`
allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
allow gssd_t self:process { getsched setsched };
@@ -54923,7 +54969,7 @@ index 330d01f..344759b 100644
manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +242,7 @@ corecmd_exec_bin(gssd_t)
+@@ -199,6 +243,7 @@ corecmd_exec_bin(gssd_t)
fs_list_rpc(gssd_t)
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
@@ -54931,7 +54977,7 @@ index 330d01f..344759b 100644
fs_list_inotifyfs(gssd_t)
files_list_tmp(gssd_t)
-@@ -210,14 +254,14 @@ auth_manage_cache(gssd_t)
+@@ -210,14 +255,14 @@ auth_manage_cache(gssd_t)
miscfiles_read_generic_certs(gssd_t)
@@ -54949,7 +54995,7 @@ index 330d01f..344759b 100644
')
optional_policy(`
-@@ -226,6 +270,11 @@ optional_policy(`
+@@ -226,6 +271,11 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(gssd, gssd_t)
@@ -55038,7 +55084,7 @@ index a96249c..5f38427 100644
+ admin_pattern($1, rpcbind_var_run_t)
')
diff --git a/rpcbind.te b/rpcbind.te
-index a63e9ee..8910c44 100644
+index a63e9ee..e4a0c9b 100644
--- a/rpcbind.te
+++ b/rpcbind.te
@@ -43,7 +43,8 @@ kernel_read_system_state(rpcbind_t)
@@ -55051,12 +55097,16 @@ index a63e9ee..8910c44 100644
corenet_all_recvfrom_netlabel(rpcbind_t)
corenet_tcp_sendrecv_generic_if(rpcbind_t)
corenet_udp_sendrecv_generic_if(rpcbind_t)
-@@ -64,6 +65,12 @@ files_read_etc_runtime_files(rpcbind_t)
+@@ -62,8 +63,16 @@ domain_use_interactive_fds(rpcbind_t)
+ files_read_etc_files(rpcbind_t)
+ files_read_etc_runtime_files(rpcbind_t)
- logging_send_syslog_msg(rpcbind_t)
+-logging_send_syslog_msg(rpcbind_t)
++auth_read_passwd(rpcbind_t)
-miscfiles_read_localization(rpcbind_t)
--
++logging_send_syslog_msg(rpcbind_t)
+
sysnet_dns_name_resolve(rpcbind_t)
+
+ifdef(`hide_broken_symptoms',`
@@ -56420,7 +56470,7 @@ index 82cb169..9bb5db2 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 905883f..12a4581 100644
+index 905883f..88c12b7 100644
--- a/samba.te
+++ b/samba.te
@@ -12,7 +12,7 @@ policy_module(samba, 1.15.0)
@@ -56810,13 +56860,13 @@ index 905883f..12a4581 100644
+dev_read_urand(smbcontrol_t)
+
+files_read_usr_files(smbcontrol_t)
++
++term_use_console(smbcontrol_t)
-miscfiles_read_localization(smbcontrol_t)
-+term_use_console(smbcontrol_t)
++sysnet_use_ldap(smbcontrol_t)
-userdom_use_user_terminals(smbcontrol_t)
-+sysnet_use_ldap(smbcontrol_t)
-+
+userdom_use_inherited_user_terminals(smbcontrol_t)
+
+optional_policy(`
@@ -57015,7 +57065,7 @@ index 905883f..12a4581 100644
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
-@@ -871,6 +928,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
+@@ -871,6 +928,15 @@ userdom_manage_user_home_content_sockets(winbind_t)
userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
@@ -57024,10 +57074,14 @@ index 905883f..12a4581 100644
+')
+
+optional_policy(`
++ dirsrv_stream_connect(winbind_t)
++')
++
++optional_policy(`
kerberos_use(winbind_t)
')
-@@ -909,9 +971,7 @@ auth_use_nsswitch(winbind_helper_t)
+@@ -909,9 +975,7 @@ auth_use_nsswitch(winbind_helper_t)
logging_send_syslog_msg(winbind_helper_t)
@@ -57038,7 +57092,7 @@ index 905883f..12a4581 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -929,19 +989,34 @@ optional_policy(`
+@@ -929,19 +993,34 @@ optional_policy(`
#
optional_policy(`
@@ -57052,11 +57106,11 @@ index 905883f..12a4581 100644
+ domain_type(samba_unconfined_net_t)
+ domain_entry_file(samba_unconfined_net_t, samba_net_exec_t)
+ role system_r types samba_unconfined_net_t;
-+
-+ unconfined_domain(samba_unconfined_net_t)
- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
- allow smbd_t samba_unconfined_script_exec_t:file ioctl;
++ unconfined_domain(samba_unconfined_net_t)
+
+ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
+ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
+ userdom_use_inherited_user_terminals(samba_unconfined_net_t)
@@ -57068,7 +57122,7 @@ index 905883f..12a4581 100644
+domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
+corecmd_shell_entry_type(samba_unconfined_script_t)
+role system_r types samba_unconfined_script_t;
-
++
+allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+
@@ -60528,10 +60582,15 @@ index 8265278..017b923 100644
smokeping_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/smokeping.te b/smokeping.te
-index 740994a..9f1f74a 100644
+index 740994a..205cec5 100644
--- a/smokeping.te
+++ b/smokeping.te
-@@ -40,7 +40,6 @@ corecmd_read_bin_symlinks(smokeping_t)
+@@ -36,11 +36,10 @@ manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
+ manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
+ files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } )
+
+-corecmd_read_bin_symlinks(smokeping_t)
++corecmd_exec_bin(smokeping_t)
dev_read_urand(smokeping_t)
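Review bot: `corecmd_exec_bin(smokeping_t)` replaces `corecmd_read_bin_symlinks(smokeping_t)` with the right to execute any bin_t file, a substantial widening for a daemon domain that the changelog does not mention. A comment on the line naming what smokeping actually executes (e.g. `# smokeping execs external helpers from bin_t — confirm which`) would make the grant auditable, and if the set is small a narrower interface or a domain transition would be preferable. The smokeping_t block continues outside the hunk.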
@@ -61352,7 +61411,7 @@ index c954f31..82fc7f6 100644
+ admin_pattern($1, spamd_var_run_t)
')
diff --git a/spamassassin.te b/spamassassin.te
-index 1bbf73b..583a704 100644
+index 1bbf73b..50322c7 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -6,52 +6,41 @@ policy_module(spamassassin, 2.5.0)
@@ -61654,7 +61713,7 @@ index 1bbf73b..583a704 100644
fs_search_auto_mountpoints(spamc_t)
-@@ -234,21 +317,24 @@ corecmd_read_bin_sockets(spamc_t)
+@@ -234,43 +317,52 @@ corecmd_read_bin_sockets(spamc_t)
domain_use_interactive_fds(spamc_t)
@@ -61683,20 +61742,24 @@ index 1bbf73b..583a704 100644
+')
optional_policy(`
- # Allow connection to spamd socket above
-@@ -256,21 +342,23 @@ optional_policy(`
+- # Allow connection to spamd socket above
+- evolution_stream_connect(spamc_t)
++ amavis_manage_spool_files(spamc_t)
')
optional_policy(`
- # Needed for pyzor/razor called from spamd
- milter_manage_spamass_state(spamc_t)
+- milter_manage_spamass_state(spamc_t)
++ # Allow connection to spamd socket above
++ evolution_stream_connect(spamc_t)
')
optional_policy(`
- nis_use_ypbind(spamc_t)
--')
--
--optional_policy(`
++ milter_manage_spamass_state(spamc_t)
+ ')
+
+ optional_policy(`
- nscd_socket_use(spamc_t)
+ postfix_domtrans_postdrop(spamc_t)
+ postfix_search_spool(spamc_t)
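Review bot: The new `amavis_manage_spool_files(spamc_t)` block carries no comment, while the changelog explains it ("Allow pyzor running as spamc to manage amavis spool"); since spamc_t is a user-facing client domain, a line such as `# pyzor/razor invoked from spamd run as spamc_t and need to manage the amavis spool` above the call would keep that reasoning next to the grant. The `# Needed for pyzor/razor called from spamd` comment that an earlier revision of this patch removed could likewise be restored over `milter_manage_spamass_state(spamc_t)` in its new block.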
@@ -61714,7 +61777,7 @@ index 1bbf73b..583a704 100644
')
########################################
-@@ -282,7 +370,7 @@ optional_policy(`
+@@ -282,7 +374,7 @@ optional_policy(`
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -61723,7 +61786,7 @@ index 1bbf73b..583a704 100644
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -298,10 +386,20 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -298,10 +390,20 @@ allow spamd_t self:unix_dgram_socket sendto;
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -61745,7 +61808,7 @@ index 1bbf73b..583a704 100644
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -310,16 +408,21 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -310,16 +412,21 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -61770,7 +61833,7 @@ index 1bbf73b..583a704 100644
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -356,30 +459,30 @@ corecmd_exec_bin(spamd_t)
+@@ -356,30 +463,30 @@ corecmd_exec_bin(spamd_t)
domain_use_interactive_fds(spamd_t)
files_read_usr_files(spamd_t)
@@ -61811,7 +61874,7 @@ index 1bbf73b..583a704 100644
')
optional_policy(`
-@@ -395,7 +498,9 @@ optional_policy(`
+@@ -395,7 +502,9 @@ optional_policy(`
')
optional_policy(`
@@ -61821,7 +61884,7 @@ index 1bbf73b..583a704 100644
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -404,25 +509,17 @@ optional_policy(`
+@@ -404,25 +513,17 @@ optional_policy(`
')
optional_policy(`
@@ -61849,18 +61912,21 @@ index 1bbf73b..583a704 100644
postgresql_stream_connect(spamd_t)
')
-@@ -433,6 +530,10 @@ optional_policy(`
+@@ -433,6 +534,13 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
+ razor_read_lib_files(spamd_t)
++')
++
++optional_policy(`
+ tunable_policy(`spamd_enable_home_dirs',`
+ razor_manage_user_home_files(spamd_t)
+ ')
')
optional_policy(`
-@@ -440,6 +541,7 @@ optional_policy(`
+@@ -440,6 +548,7 @@ optional_policy(`
')
optional_policy(`
@@ -61868,7 +61934,7 @@ index 1bbf73b..583a704 100644
sendmail_stub(spamd_t)
mta_read_config(spamd_t)
')
-@@ -447,3 +549,48 @@ optional_policy(`
+@@ -447,3 +556,48 @@ optional_policy(`
optional_policy(`
udev_read_db(spamd_t)
')
@@ -70256,7 +70322,7 @@ index 11c1b12..fc5d128 100644
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
diff --git a/xguest.te b/xguest.te
-index e88b95f..b5d743a 100644
+index e88b95f..3dd3d9a 100644
--- a/xguest.te
+++ b/xguest.te
@@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true)
@@ -70321,7 +70387,7 @@ index e88b95f..b5d743a 100644
')
')
-@@ -76,23 +87,96 @@ optional_policy(`
+@@ -76,23 +87,97 @@ optional_policy(`
')
optional_policy(`
@@ -70346,9 +70412,10 @@ index e88b95f..b5d743a 100644
+
+optional_policy(`
+ gnome_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- mozilla_role(xguest_r, xguest_t)
+ gnomeclock_dontaudit_dbus_chat(xguest_t)
+')
+
@@ -70359,19 +70426,23 @@ index e88b95f..b5d743a 100644
+optional_policy(`
+ pcscd_read_pub_files(xguest_t)
+ pcscd_stream_connect(xguest_t)
- ')
-
- optional_policy(`
-- mozilla_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
+ rhsmcertd_dontaudit_dbus_chat(xguest_t)
')
optional_policy(`
tunable_policy(`xguest_connect_network',`
+ networkmanager_dbus_chat(xguest_t)
++ networkmanager_read_lib_files(xguest_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`xguest_connect_network',`
+ kernel_read_network_state(xguest_t)
+
- networkmanager_dbus_chat(xguest_t)
-+ networkmanager_read_lib_files(xguest_t)
corenet_tcp_connect_pulseaudio_port(xguest_t)
+ corenet_tcp_sendrecv_generic_if(xguest_t)
+ corenet_raw_sendrecv_generic_if(xguest_t)
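Review bot: The second `optional_policy(` wrapper added around the `xguest_connect_network` tunable encloses only `kernel_read_network_state(xguest_t)` and `corenet_*` calls, which belong to the kernel layer of the base policy rather than to an optional module, so the wrapper is a no-op and a bare `tunable_policy(`xguest_connect_network',` block would state the intent more directly. Splitting the NetworkManager interfaces into their own optional block is the useful part of the change: network access under the tunable no longer depends on the networkmanager module being loaded. The tunable block continues past the end of the hunk.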
@@ -70404,12 +70475,9 @@ index e88b95f..b5d743a 100644
+ corenet_tcp_sendrecv_transproxy_port(xguest_t)
+ corenet_tcp_connect_transproxy_port(xguest_t)
')
-+
-+ #optional_policy(`
-+ # telepathy_dbus_session_role(xguest_r, xguest_t)
-+ #')
-+')
-+
+ ')
+
+-#gen_user(xguest_u,, xguest_r, s0, s0)
+optional_policy(`
+ gen_require(`
+ type mozilla_t;
@@ -70417,9 +70485,8 @@ index e88b95f..b5d743a 100644
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
- ')
-
--#gen_user(xguest_u,, xguest_r, s0, s0)
++')
++
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/xprint.te b/xprint.te
index 68d13e5..4fe8668 100644
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 985edd5..c7cc941 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 39%{?dist}
+Release: 40%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,24 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Oct 17 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-40
+- Additional requirements for disable unconfined module when booting
+- Fix label of systemd script files
+- semanage can use -F /dev/stdin to get input
+- syslog now uses kerberos keytabs
+- Allow xserver to compromise_kernel access
+- Allow nfsd to write to mount_var_run_t when running the mount command
+- Add filename transition rule for bin_t directories
+- Allow files to read usr_t lnk_files
+- dhcpc wants chown
+- Add support for new openshift labeling
+- Clean up for tunable+optional statements
+- Add labeling for /usr/sbin/mkhomedir_helper
+- Allow antivirus domain to managa amavis spool files
+- Allow rpcbind_t to read passwd
+- Allow pyzor running as spamc to manage amavis spool
+
+
* Tue Oct 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-39
- Add interfaces to read kernel_t proc info
- Missed this version of exec_all