[selinux-policy/f18] - Change default label of all files in /var/run/rpcbind - Allow sandbox domains (java) to read huget
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Oct 24 21:09:41 UTC 2012
commit 5f2e8784937bf2715a2bcebe46566360b22a2b58
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Oct 24 23:09:27 2012 +0200
- Change default label of all files in /var/run/rpcbind
- Allow sandbox domains (java) to read hugetlbfs_t
- Allow awstats cgi content to create tmp files and read apache log files
- Allow setuid/setgid for cupsd-config
- Allow setsched/sys_nice for cupsd-config
- Fix /etc/localtime sym link to be labeled locale_t
- Allow sshd to search postgresql db t since this is a homedir
- Allow xwindows users to chat with realmd
- Allow unconfined domains to configure all files and null_device_t servic
policy-rawhide.patch | 381 +++++++++++++++++++++++++++--------------
policy_contrib-rawhide.patch | 112 +++++++++----
selinux-policy.spec | 13 ++-
3 files changed, 345 insertions(+), 161 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 8466fb9..14d84c2 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -113302,7 +113302,7 @@ index 02b7ac1..b30f7b8 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index d820975..bc8ec03 100644
+index d820975..6a4d016 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -113760,7 +113760,102 @@ index d820975..bc8ec03 100644
')
########################################
-@@ -3235,7 +3509,7 @@ interface(`dev_rw_printer',`
+@@ -3125,45 +3399,81 @@ interface(`dev_create_null_dev',`
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to get the attributes
+-## of the BIOS non-volatile RAM device.
++## Get the status of a null device service.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`dev_dontaudit_getattr_nvram_dev',`
++interface(`dev_service_status_null_dev',`
+ gen_require(`
+- type nvram_device_t;
++ type null_device_t;
+ ')
+
+- dontaudit $1 nvram_device_t:chr_file getattr;
++ allow $1 null_device_t:service status;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read and write BIOS non-volatile RAM.
++## Configure null_device as a unit files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain allowed to transition.
+ ## </summary>
+ ## </param>
+ #
+-interface(`dev_rw_nvram',`
++interface(`dev_config_null_dev_service',`
+ gen_require(`
+- type nvram_device_t;
++ type null_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, nvram_device_t)
++ allow $1 null_device_t:service manage_service_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Get the attributes of the printer device nodes.
+-## </summary>
++## Do not audit attempts to get the attributes
++## of the BIOS non-volatile RAM device.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dev_dontaudit_getattr_nvram_dev',`
++ gen_require(`
++ type nvram_device_t;
++ ')
++
++ dontaudit $1 nvram_device_t:chr_file getattr;
++')
++
++########################################
++## <summary>
++## Read and write BIOS non-volatile RAM.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rw_nvram',`
++ gen_require(`
++ type nvram_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, nvram_device_t)
++')
++
++########################################
++## <summary>
++## Get the attributes of the printer device nodes.
++## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+@@ -3235,7 +3545,7 @@ interface(`dev_rw_printer',`
########################################
## <summary>
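Review bot: The doc block of the new `dev_config_null_dev_service` interface describes its parameter as `Domain allowed to transition.`, but the rule it emits is `allow $1 null_device_t:service manage_service_perms;`, which grants service management and involves no domain transition. The parameter text should read `Domain allowed access.`, as in `dev_service_status_null_dev` directly above it, and the summary `Configure null_device as a unit files.` reads better as `Configure the null device as a unit file.`. These XML comments are what a reader audits when a caller such as `unconfined_domain_type` is given the interface, so the description should match the permission set actually granted. The nvram and printer interfaces shown as removed and re-added in this hunk appear only to have moved.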
@@ -113769,7 +113864,7 @@ index d820975..bc8ec03 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3243,12 +3517,31 @@ interface(`dev_rw_printer',`
+@@ -3243,12 +3553,31 @@ interface(`dev_rw_printer',`
## </summary>
## </param>
#
@@ -113804,7 +113899,7 @@ index d820975..bc8ec03 100644
')
########################################
-@@ -3836,6 +4129,42 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3836,6 +4165,42 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
## <summary>
@@ -113847,7 +113942,7 @@ index d820975..bc8ec03 100644
## Search the sysfs directories.
## </summary>
## <param name="domain">
-@@ -3885,6 +4214,7 @@ interface(`dev_list_sysfs',`
+@@ -3885,6 +4250,7 @@ interface(`dev_list_sysfs',`
type sysfs_t;
')
@@ -113855,7 +113950,7 @@ index d820975..bc8ec03 100644
list_dirs_pattern($1, sysfs_t, sysfs_t)
')
-@@ -3927,23 +4257,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3927,23 +4293,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
## <summary>
@@ -113909,7 +114004,7 @@ index d820975..bc8ec03 100644
########################################
## <summary>
## Read hardware state information.
-@@ -3997,6 +4353,62 @@ interface(`dev_rw_sysfs',`
+@@ -3997,6 +4389,62 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
@@ -113972,7 +114067,7 @@ index d820975..bc8ec03 100644
## Read and write the TPM device.
## </summary>
## <param name="domain">
-@@ -4094,6 +4506,25 @@ interface(`dev_write_urand',`
+@@ -4094,6 +4542,25 @@ interface(`dev_write_urand',`
########################################
## <summary>
@@ -113998,7 +114093,7 @@ index d820975..bc8ec03 100644
## Getattr generic the USB devices.
## </summary>
## <param name="domain">
-@@ -4128,6 +4559,24 @@ interface(`dev_setattr_generic_usb_dev',`
+@@ -4128,6 +4595,24 @@ interface(`dev_setattr_generic_usb_dev',`
setattr_chr_files_pattern($1, device_t, usb_device_t)
')
@@ -114023,7 +114118,7 @@ index d820975..bc8ec03 100644
########################################
## <summary>
## Read generic the USB devices.
-@@ -4520,6 +4969,24 @@ interface(`dev_rw_vhost',`
+@@ -4520,6 +5005,24 @@ interface(`dev_rw_vhost',`
########################################
## <summary>
@@ -114048,7 +114143,7 @@ index d820975..bc8ec03 100644
## Read and write VMWare devices.
## </summary>
## <param name="domain">
-@@ -4725,6 +5192,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4725,6 +5228,26 @@ interface(`dev_rw_xserver_misc',`
########################################
## <summary>
@@ -114075,7 +114170,7 @@ index d820975..bc8ec03 100644
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
-@@ -4814,3 +5301,917 @@ interface(`dev_unconfined',`
+@@ -4814,3 +5337,917 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -115215,7 +115310,7 @@ index 6a1e4d1..eee8419 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..bfbf93f 100644
+index cf04cb5..a8f9817 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.11.0)
@@ -115332,7 +115427,7 @@ index cf04cb5..bfbf93f 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +218,256 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +218,258 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -115345,6 +115440,8 @@ index cf04cb5..bfbf93f 100644
+
+files_filetrans_named_content(unconfined_domain_type)
+files_filetrans_system_conf_named_files(unconfined_domain_type)
++files_config_all_files(unconfined_domain_type)
++dev_config_null_dev_service(unconfined_domain_type)
+
+storage_filetrans_all_named_dev(unconfined_domain_type)
+
@@ -115590,7 +115687,7 @@ index cf04cb5..bfbf93f 100644
+
+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 8796ca3..0cabe1f 100644
+index 8796ca3..c2055b3 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -115626,10 +115723,11 @@ index 8796ca3..0cabe1f 100644
/etc/.* gen_context(system_u:object_r:etc_t,s0)
/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -53,12 +54,16 @@ ifdef(`distro_suse',`
+@@ -52,13 +53,16 @@ ifdef(`distro_suse',`
+ /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
+-/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
-/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -115647,7 +115745,7 @@ index 8796ca3..0cabe1f 100644
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
-@@ -70,7 +75,10 @@ ifdef(`distro_suse',`
+@@ -70,7 +74,10 @@ ifdef(`distro_suse',`
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -115659,7 +115757,7 @@ index 8796ca3..0cabe1f 100644
ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -78,10 +86,6 @@ ifdef(`distro_gentoo', `
+@@ -78,10 +85,6 @@ ifdef(`distro_gentoo', `
/etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
@@ -115670,7 +115768,7 @@ index 8796ca3..0cabe1f 100644
ifdef(`distro_suse',`
/etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -104,7 +108,7 @@ HOME_ROOT/lost\+found/.* <<none>>
+@@ -104,7 +107,7 @@ HOME_ROOT/lost\+found/.* <<none>>
/initrd -d gen_context(system_u:object_r:root_t,s0)
#
@@ -115679,7 +115777,7 @@ index 8796ca3..0cabe1f 100644
#
/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-@@ -129,6 +133,8 @@ ifdef(`distro_debian',`
+@@ -129,6 +132,8 @@ ifdef(`distro_debian',`
/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
/media/[^/]*/.* <<none>>
/media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)
@@ -115688,7 +115786,7 @@ index 8796ca3..0cabe1f 100644
#
# /misc
-@@ -150,10 +156,10 @@ ifdef(`distro_debian',`
+@@ -150,10 +155,10 @@ ifdef(`distro_debian',`
#
# /opt
#
@@ -115701,7 +115799,7 @@ index 8796ca3..0cabe1f 100644
#
# /proc
-@@ -161,6 +167,12 @@ ifdef(`distro_debian',`
+@@ -161,6 +166,12 @@ ifdef(`distro_debian',`
/proc -d <<none>>
/proc/.* <<none>>
@@ -115714,7 +115812,7 @@ index 8796ca3..0cabe1f 100644
#
# /run
#
-@@ -169,6 +181,7 @@ ifdef(`distro_debian',`
+@@ -169,6 +180,7 @@ ifdef(`distro_debian',`
/run/.*\.*pid <<none>>
/run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
@@ -115722,7 +115820,7 @@ index 8796ca3..0cabe1f 100644
#
# /selinux
#
-@@ -178,13 +191,13 @@ ifdef(`distro_debian',`
+@@ -178,13 +190,13 @@ ifdef(`distro_debian',`
#
# /srv
#
@@ -115738,7 +115836,7 @@ index 8796ca3..0cabe1f 100644
/tmp/.* <<none>>
/tmp/\.journal <<none>>
-@@ -194,9 +207,10 @@ ifdef(`distro_debian',`
+@@ -194,9 +206,10 @@ ifdef(`distro_debian',`
#
# /usr
#
@@ -115750,7 +115848,7 @@ index 8796ca3..0cabe1f 100644
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-@@ -204,15 +218,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +217,9 @@ ifdef(`distro_debian',`
/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
@@ -115767,7 +115865,7 @@ index 8796ca3..0cabe1f 100644
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
-@@ -220,8 +228,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +227,6 @@ ifdef(`distro_debian',`
/usr/tmp/.* <<none>>
ifndef(`distro_redhat',`
@@ -115776,7 +115874,7 @@ index 8796ca3..0cabe1f 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -229,7 +235,7 @@ ifndef(`distro_redhat',`
+@@ -229,7 +234,7 @@ ifndef(`distro_redhat',`
#
# /var
#
@@ -115785,7 +115883,7 @@ index 8796ca3..0cabe1f 100644
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>>
-@@ -237,11 +243,21 @@ ifndef(`distro_redhat',`
+@@ -237,11 +242,21 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -115807,7 +115905,7 @@ index 8796ca3..0cabe1f 100644
/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/lost\+found/.* <<none>>
-@@ -264,3 +280,5 @@ ifndef(`distro_redhat',`
+@@ -264,3 +279,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
@@ -124866,7 +124964,7 @@ index fe0c682..6395fe1 100644
+ allow $1 sshd_devpts_t:chr_file { getattr open read write ioctl };
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index b17e27a..d31a7ee 100644
+index b17e27a..58103d7 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0)
@@ -124879,15 +124977,15 @@ index b17e27a..d31a7ee 100644
+## <p>
+## allow host key based authentication
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(allow_ssh_keysign, false)
+gen_tunable(ssh_keysign, false)
+
+## <desc>
+## <p>
+## Allow ssh logins as sysadm_r:sysadm_t
+## </p>
- ## </desc>
--gen_tunable(allow_ssh_keysign, false)
++## </desc>
+gen_tunable(ssh_sysadm_login, false)
## <desc>
@@ -125198,7 +125296,7 @@ index b17e27a..d31a7ee 100644
')
optional_policy(`
-@@ -283,6 +329,24 @@ optional_policy(`
+@@ -283,6 +329,28 @@ optional_policy(`
')
optional_policy(`
@@ -125220,10 +125318,14 @@ index b17e27a..d31a7ee 100644
+')
+
+optional_policy(`
++ postgresql_search_db(sshd_t)
++')
++
++optional_policy(`
unconfined_shell_domtrans(sshd_t)
')
-@@ -290,6 +354,29 @@ optional_policy(`
+@@ -290,6 +358,29 @@ optional_policy(`
xserver_domtrans_xauth(sshd_t)
')
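Review bot: The added `optional_policy` block calling `postgresql_search_db(sshd_t)` has no comment, and the reason for it exists only in the commit message (the database directory is a home directory). A one-line comment above the call, for example `# the postgresql db directory is also a login home directory, sshd must be able to search it`, would let a later auditor see why sshd has search access to database directories instead of treating it as a stray grant. The surrounding sshd policy section starts and ends outside this hunk.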
@@ -125253,7 +125355,7 @@ index b17e27a..d31a7ee 100644
########################################
#
# ssh_keygen local policy
-@@ -298,19 +385,26 @@ optional_policy(`
+@@ -298,19 +389,26 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -125281,7 +125383,7 @@ index b17e27a..d31a7ee 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -327,9 +421,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -327,9 +425,11 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -125295,7 +125397,7 @@ index b17e27a..d31a7ee 100644
')
optional_policy(`
-@@ -339,3 +435,122 @@ optional_policy(`
+@@ -339,3 +439,122 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -130054,7 +130156,7 @@ index d2e40b8..3ba2e4c 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index d26fe81..29f6683 100644
+index d26fe81..98fad18 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -106,6 +106,8 @@ interface(`init_domain',`
@@ -130856,7 +130958,7 @@ index d26fe81..29f6683 100644
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
## </summary>
-@@ -1792,3 +2202,286 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1792,3 +2202,283 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -130904,10 +131006,7 @@ index d26fe81..29f6683 100644
+ type initrc_t;
+ ')
+
-+ dontaudit $1 initrc_t:tcp_socket { read write };
-+ dontaudit $1 initrc_t:udp_socket { read write };
-+ dontaudit $1 initrc_t:unix_dgram_socket { read write };
-+ dontaudit $1 initrc_t:unix_stream_socket { read write };
++ dontaudit $1 initrc_t:socket_class_set { read write };
+ dontaudit $1 initrc_t:shm rw_shm_perms;
+ init_dontaudit_use_script_ptys($1)
+ init_dontaudit_use_script_fds($1)
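Review bot: Collapsing the four explicit rules into `dontaudit $1 initrc_t:socket_class_set { read write };` widens the suppression from tcp, udp and unix sockets to every class in `socket_class_set`, so read/write denials on other socket types inherited from initrc_t are no longer logged either. The interface header is outside this hunk; if this is `init_dontaudit_script_leaks`, the init.te hunk later in this patch (`init_dontaudit_script_leaks(daemon)`) applies it to the whole `daemon` attribute, which silences these AVCs for every daemon domain. I would add a comment above the rule such as `# leaked initrc_t sockets of any class; rebuild with dontaudit rules disabled (semodule -DB) when chasing a missing denial`, so the loss of audit visibility is documented where it is introduced.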
@@ -131144,7 +131243,7 @@ index d26fe81..29f6683 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..24e1d33 100644
+index 4a88fa1..52b1afc 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -132183,7 +132282,7 @@ index 4a88fa1..24e1d33 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -880,3 +1340,177 @@ optional_policy(`
+@@ -880,3 +1340,178 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -132225,6 +132324,7 @@ index 4a88fa1..24e1d33 100644
+')
+
+init_rw_stream_sockets(daemon)
++init_dontaudit_script_leaks(daemon)
+
+allow init_t var_run_t:dir relabelto;
+
@@ -134957,7 +135057,7 @@ index f8eeecd..65b0010 100644
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index fe3427d..b7d45f7 100644
+index fe3427d..2a501db 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -9,8 +9,9 @@ ifdef(`distro_gentoo',`
@@ -134965,8 +135065,9 @@ index fe3427d..b7d45f7 100644
#
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
-/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
+-/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0)
- /etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
++/etc/localtime gen_context(system_u:object_r:locale_t,s0)
+/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0)
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
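Review bot: The new `/etc/localtime gen_context(system_u:object_r:locale_t,s0)` entry drops the file-type field, so it matches an object of any class at that path rather than only the regular file and the symlink the commit message is about. Two explicit entries, `/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)` and `/etc/localtime -l gen_context(system_u:object_r:locale_t,s0)`, would keep the spec as narrow as the neighbouring single-file entries (`/etc/locale.conf`, `/etc/timezone`). The matching removal of the `-l ... etc_t` entry is in the files.fc hunk earlier in this patch.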
@@ -134992,7 +135093,7 @@ index fe3427d..b7d45f7 100644
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index 926ba65..d540a56 100644
+index 926ba65..1c044d6 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
@@ -135020,7 +135121,23 @@ index 926ba65..d540a56 100644
## Manage generic SSL certificates.
## </summary>
## <param name="domain">
-@@ -470,7 +488,6 @@ interface(`miscfiles_legacy_read_localization',`
+@@ -434,6 +452,7 @@ interface(`miscfiles_rw_localization',`
+ files_search_usr($1)
+ allow $1 locale_t:dir list_dir_perms;
+ rw_files_pattern($1, locale_t, locale_t)
++ manage_lnk_files_pattern($1, locale_t, locale_t)
+ ')
+
+ ########################################
+@@ -453,6 +472,7 @@ interface(`miscfiles_relabel_localization',`
+
+ files_search_usr($1)
+ relabel_files_pattern($1, locale_t, locale_t)
++ relabel_lnk_files_pattern($1, locale_t, locale_t)
+ ')
+
+ ########################################
+@@ -470,7 +490,6 @@ interface(`miscfiles_legacy_read_localization',`
type locale_t;
')
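Review bot: `miscfiles_rw_localization` now calls `manage_lnk_files_pattern($1, locale_t, locale_t)`, which lets every caller of a read/write interface create, delete and rename locale_t symlinks, while regular files stay at `rw_files_pattern`. That is more than the interface name promises. Either use `read_lnk_files_pattern($1, locale_t, locale_t)` here and have the domains that must replace the /etc/localtime link call `miscfiles_manage_localization`, or state the symlink management in the interface summary. The `relabel_lnk_files_pattern` line added to `miscfiles_relabel_localization` matches that interface's purpose.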
@@ -135028,7 +135145,7 @@ index 926ba65..d540a56 100644
allow $1 locale_t:file execute;
')
-@@ -531,6 +548,10 @@ interface(`miscfiles_read_man_pages',`
+@@ -531,6 +550,10 @@ interface(`miscfiles_read_man_pages',`
allow $1 man_t:dir list_dir_perms;
read_files_pattern($1, man_t, man_t)
read_lnk_files_pattern($1, man_t, man_t)
@@ -135039,7 +135156,7 @@ index 926ba65..d540a56 100644
')
########################################
-@@ -557,6 +578,11 @@ interface(`miscfiles_delete_man_pages',`
+@@ -557,6 +580,11 @@ interface(`miscfiles_delete_man_pages',`
delete_dirs_pattern($1, man_t, man_t)
delete_files_pattern($1, man_t, man_t)
delete_lnk_files_pattern($1, man_t, man_t)
@@ -135051,7 +135168,7 @@ index 926ba65..d540a56 100644
')
########################################
-@@ -582,6 +608,30 @@ interface(`miscfiles_manage_man_pages',`
+@@ -582,6 +610,30 @@ interface(`miscfiles_manage_man_pages',`
########################################
## <summary>
@@ -135082,15 +135199,19 @@ index 926ba65..d540a56 100644
## Read public files used for file
## transfer services.
## </summary>
-@@ -745,7 +795,6 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -744,8 +796,9 @@ interface(`miscfiles_etc_filetrans_localization',`
+ type locale_t;
')
- files_etc_filetrans($1, locale_t, file)
+- files_etc_filetrans($1, locale_t, file)
-
++ files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
++ files_etc_filetrans($1, locale_t, file, "locale.conf" )
++ files_etc_filetrans($1, locale_t, file, "timezone" )
')
########################################
-@@ -769,3 +818,43 @@ interface(`miscfiles_manage_localization',`
+@@ -769,3 +822,43 @@ interface(`miscfiles_manage_localization',`
manage_lnk_files_pattern($1, locale_t, locale_t)
')
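Review bot: The three named transitions added to `miscfiles_etc_filetrans_localization` are written as `{lnk_file file}, "localtime" )`, with no spaces inside the braces and a space before the closing parenthesis, while the named-filetrans interface further down this patch uses `{ lnk_file file }, "localtime")`. That later interface also lists `"locale.conf.new"`, which is missing here, so a caller relying on this interface would presumably get the default /etc label for a `locale.conf.new` temp file; if that is not intended, add `files_etc_filetrans($1, locale_t, file, "locale.conf.new")`. Normalising the spacing to the `{ lnk_file file }` form keeps the two lists easy to compare.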
@@ -135116,7 +135237,7 @@ index 926ba65..d540a56 100644
+ type public_content_t;
+ ')
+
-+ files_etc_filetrans($1, locale_t, file, "localtime")
++ files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
+ files_etc_filetrans($1, locale_t, file, "locale.conf")
+ files_etc_filetrans($1, locale_t, file, "locale.conf.new")
+ files_var_filetrans($1, man_t, dir, "man")
@@ -138487,10 +138608,10 @@ index 0000000..6d7c302
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..f332422
+index 0000000..20432cf
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,908 @@
+@@ -0,0 +1,907 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -139398,7 +139519,6 @@ index 0000000..f332422
+ systemd_exec_systemctl($1)
+ allow $1 systemd_unit_file_type:service start;
+')
-+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..538bb15
@@ -141202,7 +141322,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..b106336 100644
+index e720dcd..1c8d838 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -142267,7 +142387,7 @@ index e720dcd..b106336 100644
##############################
#
# Local policy
-@@ -874,46 +1103,114 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,46 +1103,118 @@ template(`userdom_restricted_xwindows_user_template',`
# Local policy
#
@@ -142353,17 +142473,21 @@ index e720dcd..b106336 100644
+ cups_dbus_chat($1_usertype)
+ cups_dbus_chat_config($1_usertype)
+ ')
-
- optional_policy(`
-- consolekit_dbus_chat($1_t)
++
++ optional_policy(`
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
++ ')
+
+ optional_policy(`
+- consolekit_dbus_chat($1_t)
++ fprintd_dbus_chat($1_t)
')
optional_policy(`
- cups_dbus_chat($1_t)
-+ fprintd_dbus_chat($1_t)
++ realmd_dbus_chat($1_t)
')
')
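Review bot: The new `realmd_dbus_chat($1_t)` block, like the moved `fprintd_dbus_chat($1_t)` one, grants the D-Bus chat to `$1_t`, whereas the neighbouring cups and devicekit blocks in this template use `$1_usertype`. The template body starts and ends outside this hunk, so this may be deliberate, but if `$1_usertype` is the attribute intended for the desktop D-Bus grants, `realmd_dbus_chat($1_usertype)` would be the consistent form. A short comment stating which of the two is meant would help a later audit of what restricted xwindows users can talk to.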
@@ -142395,7 +142519,7 @@ index e720dcd..b106336 100644
')
')
-@@ -948,27 +1245,33 @@ template(`userdom_unpriv_user_template', `
+@@ -948,27 +1249,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -142433,7 +142557,7 @@ index e720dcd..b106336 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -979,23 +1282,56 @@ template(`userdom_unpriv_user_template', `
+@@ -979,23 +1286,56 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -142500,7 +142624,7 @@ index e720dcd..b106336 100644
')
# Run pppd in pppd_t by default for user
-@@ -1004,7 +1340,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1004,7 +1344,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -142511,7 +142635,7 @@ index e720dcd..b106336 100644
')
')
-@@ -1040,7 +1378,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1040,7 +1382,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -142520,7 +142644,7 @@ index e720dcd..b106336 100644
')
##############################
-@@ -1067,6 +1405,7 @@ template(`userdom_admin_user_template',`
+@@ -1067,6 +1409,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -142528,7 +142652,7 @@ index e720dcd..b106336 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1075,6 +1414,9 @@ template(`userdom_admin_user_template',`
+@@ -1075,6 +1418,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -142538,7 +142662,7 @@ index e720dcd..b106336 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1089,6 +1431,7 @@ template(`userdom_admin_user_template',`
+@@ -1089,6 +1435,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -142546,7 +142670,7 @@ index e720dcd..b106336 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1106,10 +1449,14 @@ template(`userdom_admin_user_template',`
+@@ -1106,10 +1453,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -142561,7 +142685,7 @@ index e720dcd..b106336 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1120,30 +1467,39 @@ template(`userdom_admin_user_template',`
+@@ -1120,29 +1471,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -142597,16 +142721,14 @@ index e720dcd..b106336 100644
logging_send_syslog_msg($1_t)
- modutils_domtrans_insmod($1_t)
--
+ optional_policy(`
+ modutils_domtrans_insmod($1_t)
+ modutils_domtrans_depmod($1_t)
+ ')
-+
+
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
- # cannot directly manipulate policy files with arbitrary programs.
-@@ -1152,6 +1508,8 @@ template(`userdom_admin_user_template',`
+@@ -1152,6 +1512,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -142615,7 +142737,7 @@ index e720dcd..b106336 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1159,13 +1517,17 @@ template(`userdom_admin_user_template',`
+@@ -1159,13 +1521,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -142634,7 +142756,7 @@ index e720dcd..b106336 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1211,6 +1573,8 @@ template(`userdom_security_admin_template',`
+@@ -1211,6 +1577,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -142643,7 +142765,7 @@ index e720dcd..b106336 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1223,8 +1587,10 @@ template(`userdom_security_admin_template',`
+@@ -1223,8 +1591,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -142655,7 +142777,7 @@ index e720dcd..b106336 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1235,29 +1601,31 @@ template(`userdom_security_admin_template',`
+@@ -1235,29 +1605,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -142698,7 +142820,7 @@ index e720dcd..b106336 100644
')
optional_policy(`
-@@ -1317,12 +1685,15 @@ interface(`userdom_user_application_domain',`
+@@ -1317,12 +1689,15 @@ interface(`userdom_user_application_domain',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -142715,7 +142837,7 @@ index e720dcd..b106336 100644
')
########################################
-@@ -1363,6 +1734,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1363,6 +1738,51 @@ interface(`userdom_user_tmpfs_file',`
## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
@@ -142767,7 +142889,7 @@ index e720dcd..b106336 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1467,11 +1883,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1467,11 +1887,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -142799,7 +142921,7 @@ index e720dcd..b106336 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1513,6 +1949,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1513,6 +1953,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -142814,7 +142936,7 @@ index e720dcd..b106336 100644
')
########################################
-@@ -1528,9 +1972,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1528,9 +1976,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -142826,7 +142948,7 @@ index e720dcd..b106336 100644
')
########################################
-@@ -1587,6 +2033,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1587,6 +2037,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -142869,7 +142991,7 @@ index e720dcd..b106336 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1666,6 +2148,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1666,6 +2152,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -142878,7 +143000,7 @@ index e720dcd..b106336 100644
')
########################################
-@@ -1680,10 +2164,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1680,10 +2168,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -142893,7 +143015,7 @@ index e720dcd..b106336 100644
')
########################################
-@@ -1726,6 +2212,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1726,6 +2216,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -142937,7 +143059,7 @@ index e720dcd..b106336 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1745,6 +2268,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1745,6 +2272,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -142963,7 +143085,7 @@ index e720dcd..b106336 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1775,14 +2317,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1775,14 +2321,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -143001,7 +143123,7 @@ index e720dcd..b106336 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1793,11 +2357,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1793,11 +2361,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -143019,7 +143141,7 @@ index e720dcd..b106336 100644
')
########################################
-@@ -1856,6 +2423,78 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1856,6 +2427,78 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -143098,7 +143220,7 @@ index e720dcd..b106336 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1887,8 +2526,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1887,8 +2530,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -143108,7 +143230,7 @@ index e720dcd..b106336 100644
')
########################################
-@@ -1904,20 +2542,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1904,21 +2546,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -143122,18 +143244,19 @@ index e720dcd..b106336 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
## <summary>
-@@ -2018,6 +2650,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+ ## Do not audit attempts to execute user home files.
+@@ -2018,6 +2654,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
@@ -143158,7 +143281,7 @@ index e720dcd..b106336 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
-@@ -2250,11 +2900,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2250,11 +2904,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -143173,7 +143296,7 @@ index e720dcd..b106336 100644
files_search_tmp($1)
')
-@@ -2274,7 +2924,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2274,7 +2928,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -143182,7 +143305,7 @@ index e720dcd..b106336 100644
')
########################################
-@@ -2521,13 +3171,32 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2521,12 +3175,31 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -143194,7 +143317,6 @@ index e720dcd..b106336 100644
## </summary>
## <param name="domain">
-## <summary>
--## Domain allowed access.
+## <summary>
+## Domain allowed access.
+## </summary>
@@ -143215,11 +143337,10 @@ index e720dcd..b106336 100644
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
+ ## Domain allowed access.
## </summary>
## </param>
- #
-@@ -2537,13 +3206,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2537,13 +3210,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -143235,7 +143356,7 @@ index e720dcd..b106336 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2564,7 +3234,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2564,7 +3238,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -143244,7 +143365,7 @@ index e720dcd..b106336 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2572,14 +3242,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2572,14 +3246,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -143279,7 +143400,7 @@ index e720dcd..b106336 100644
')
########################################
-@@ -2674,6 +3360,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2674,6 +3364,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -143304,7 +143425,7 @@ index e720dcd..b106336 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2692,22 +3396,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2692,22 +3400,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -143347,7 +143468,7 @@ index e720dcd..b106336 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2716,14 +3432,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2716,14 +3436,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -143385,7 +143506,7 @@ index e720dcd..b106336 100644
')
########################################
-@@ -2742,8 +3477,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2742,8 +3481,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -143415,7 +143536,7 @@ index e720dcd..b106336 100644
')
########################################
-@@ -2815,69 +3569,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2815,69 +3573,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -143516,7 +143637,7 @@ index e720dcd..b106336 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2885,12 +3638,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2885,12 +3642,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -143531,7 +143652,7 @@ index e720dcd..b106336 100644
')
########################################
-@@ -2954,7 +3707,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2954,7 +3711,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -143540,7 +143661,7 @@ index e720dcd..b106336 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2970,29 +3723,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2970,29 +3727,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -143574,7 +143695,7 @@ index e720dcd..b106336 100644
')
########################################
-@@ -3074,7 +3811,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3074,7 +3815,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -143583,7 +143704,7 @@ index e720dcd..b106336 100644
')
########################################
-@@ -3129,7 +3866,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3129,7 +3870,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -143630,7 +143751,7 @@ index e720dcd..b106336 100644
')
########################################
-@@ -3147,7 +3922,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3147,7 +3926,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -143639,7 +143760,7 @@ index e720dcd..b106336 100644
')
########################################
-@@ -3166,6 +3941,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3166,6 +3945,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -143647,7 +143768,7 @@ index e720dcd..b106336 100644
kernel_search_proc($1)
')
-@@ -3242,6 +4018,42 @@ interface(`userdom_signal_all_users',`
+@@ -3242,6 +4022,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -143690,7 +143811,7 @@ index e720dcd..b106336 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3262,6 +4074,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3262,6 +4078,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -143715,7 +143836,7 @@ index e720dcd..b106336 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3296,3 +4126,1361 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4130,1361 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 68a97cd..10b8b78 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -5209,10 +5209,19 @@ index 283ff0d..53f9ba1 100644
## </summary>
## <param name="domain">
diff --git a/awstats.te b/awstats.te
-index 6bd3ad3..5f88742 100644
+index 6bd3ad3..155e785 100644
--- a/awstats.te
+++ b/awstats.te
-@@ -55,7 +55,6 @@ libs_read_lib_files(awstats_t)
+@@ -17,8 +17,6 @@ files_tmp_file(awstats_tmp_t)
+ type awstats_var_lib_t;
+ files_type(awstats_var_lib_t)
+
+-apache_content_template(awstats)
+-
+ ########################################
+ #
+ # awstats policy
+@@ -55,7 +53,6 @@ libs_read_lib_files(awstats_t)
logging_read_generic_logs(awstats_t)
@@ -5220,6 +5229,19 @@ index 6bd3ad3..5f88742 100644
sysnet_dns_name_resolve(awstats_t)
+@@ -78,6 +75,12 @@ optional_policy(`
+ #
+ # awstats cgi script policy
+ #
++apache_content_template(awstats)
++apache_read_log(httpd_awstats_script_t)
++
++manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
++manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
++files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file })
+
+ allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
+
diff --git a/backup.te b/backup.te
index 0bfc958..81fc8bd 100644
--- a/backup.te
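Review bot: The CGI domain `httpd_awstats_script_t` gets `manage_dirs_pattern`/`manage_files_pattern` and a `files_tmp_filetrans` on `awstats_tmp_t`, the temp type this module already declares (`files_tmp_file(awstats_tmp_t)` in the earlier hunk header). That type is presumably also used by `awstats_t`. The web-reachable script and the batch domain would then be able to create, replace and delete each other's temporary files, which removes the separation the two domains otherwise have. A dedicated temp type for the script keeps them apart; the name below is only a suggestion. Separately, `apache_read_log(httpd_awstats_script_t)` exposes every httpd log to the CGI, so a one-line comment saying why the script needs them would help the next reviewer.

```selinux
# declarations section
type httpd_awstats_script_tmp_t;
files_tmp_file(httpd_awstats_script_tmp_t)

# … unchanged: apache_content_template(awstats), apache_read_log(httpd_awstats_script_t) …
manage_dirs_pattern(httpd_awstats_script_t, httpd_awstats_script_tmp_t, httpd_awstats_script_tmp_t)
manage_files_pattern(httpd_awstats_script_t, httpd_awstats_script_tmp_t, httpd_awstats_script_tmp_t)
files_tmp_filetrans(httpd_awstats_script_t, httpd_awstats_script_tmp_t, { dir file })
```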
@@ -14227,7 +14249,7 @@ index 305ddf4..f3cd95f 100644
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
')
diff --git a/cups.te b/cups.te
-index e5a8924..cd3c7de 100644
+index e5a8924..196238b 100644
--- a/cups.te
+++ b/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -14409,7 +14431,21 @@ index e5a8924..cd3c7de 100644
')
optional_policy(`
-@@ -371,8 +395,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -341,9 +365,11 @@ optional_policy(`
+ # Cups configuration daemon local policy
+ #
+
+-allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
++allow cupsd_config_t self:capability { chown dac_override setuid setgid sys_tty_config };
+ dontaudit cupsd_config_t self:capability sys_tty_config;
+-allow cupsd_config_t self:process { getsched signal_perms };
++allow cupsd_config_t self:capability sys_nice;
++allow cupsd_config_t self:process setsched;
++allow cupsd_config_t self:process { setsched signal_perms };
+ allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
+ allow cupsd_config_t self:unix_stream_socket create_socket_perms;
+ allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
+@@ -371,8 +397,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
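Review bot: `getsched` is silently dropped from `cupsd_config_t self:process`: the old set `{ getsched signal_perms }` becomes `{ setsched signal_perms }`, and `setsched` is then granted twice, once standalone and once in the set. If removing `getsched` was not intended, a single rule `allow cupsd_config_t self:process { getsched setsched signal_perms };` replaces both lines. The same hunk adds `setuid setgid` to the capability set of a configuration daemon, so a comment naming the helper that needs to change identity would make that grant auditable. The context line `dontaudit cupsd_config_t self:capability sys_tty_config;` also contradicts the `allow` of the same capability just above it.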
@@ -14420,7 +14456,7 @@ index e5a8924..cd3c7de 100644
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-@@ -381,7 +406,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+@@ -381,7 +408,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
kernel_read_system_state(cupsd_config_t)
kernel_read_all_sysctls(cupsd_config_t)
@@ -14428,7 +14464,7 @@ index e5a8924..cd3c7de 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -407,7 +431,6 @@ domain_use_interactive_fds(cupsd_config_t)
+@@ -407,7 +433,6 @@ domain_use_interactive_fds(cupsd_config_t)
domain_dontaudit_search_all_domains_state(cupsd_config_t)
files_read_usr_files(cupsd_config_t)
@@ -14436,7 +14472,7 @@ index e5a8924..cd3c7de 100644
files_read_etc_runtime_files(cupsd_config_t)
files_read_var_symlinks(cupsd_config_t)
-@@ -418,18 +441,15 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -418,18 +443,15 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -14457,7 +14493,7 @@ index e5a8924..cd3c7de 100644
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
-@@ -453,6 +473,10 @@ optional_policy(`
+@@ -453,6 +475,10 @@ optional_policy(`
')
optional_policy(`
@@ -14468,7 +14504,7 @@ index e5a8924..cd3c7de 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +491,10 @@ optional_policy(`
+@@ -467,6 +493,10 @@ optional_policy(`
')
optional_policy(`
@@ -14479,7 +14515,7 @@ index e5a8924..cd3c7de 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -526,7 +554,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
+@@ -526,7 +556,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
kernel_read_network_state(cupsd_lpd_t)
@@ -14487,7 +14523,7 @@ index e5a8924..cd3c7de 100644
corenet_all_recvfrom_netlabel(cupsd_lpd_t)
corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
corenet_udp_sendrecv_generic_if(cupsd_lpd_t)
-@@ -537,19 +564,18 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,19 +566,18 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
corenet_tcp_bind_generic_node(cupsd_lpd_t)
corenet_udp_bind_generic_node(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -14508,7 +14544,7 @@ index e5a8924..cd3c7de 100644
miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
cups_stream_connect(cupsd_lpd_t)
-@@ -577,7 +603,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
+@@ -577,7 +605,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -14516,7 +14552,7 @@ index e5a8924..cd3c7de 100644
files_read_usr_files(cups_pdf_t)
corecmd_exec_shell(cups_pdf_t)
-@@ -585,25 +610,23 @@ corecmd_exec_bin(cups_pdf_t)
+@@ -585,25 +612,23 @@ corecmd_exec_bin(cups_pdf_t)
auth_use_nsswitch(cups_pdf_t)
@@ -14551,7 +14587,7 @@ index e5a8924..cd3c7de 100644
')
########################################
-@@ -613,6 +636,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -613,6 +638,10 @@ tunable_policy(`use_samba_home_dirs',`
# Needed for USB Scanneer and xsane
allow hplip_t self:capability { dac_override dac_read_search net_raw };
@@ -14562,7 +14598,7 @@ index e5a8924..cd3c7de 100644
dontaudit hplip_t self:capability sys_tty_config;
allow hplip_t self:fifo_file rw_fifo_file_perms;
allow hplip_t self:process signal_perms;
-@@ -635,9 +662,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+@@ -635,9 +664,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@@ -14579,7 +14615,7 @@ index e5a8924..cd3c7de 100644
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
-@@ -647,7 +681,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+@@ -647,7 +683,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
@@ -14590,7 +14626,7 @@ index e5a8924..cd3c7de 100644
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_generic_if(hplip_t)
corenet_udp_sendrecv_generic_if(hplip_t)
-@@ -661,10 +697,10 @@ corenet_tcp_bind_generic_node(hplip_t)
+@@ -661,10 +699,10 @@ corenet_tcp_bind_generic_node(hplip_t)
corenet_udp_bind_generic_node(hplip_t)
corenet_tcp_bind_hplip_port(hplip_t)
corenet_tcp_connect_hplip_port(hplip_t)
@@ -14604,7 +14640,7 @@ index e5a8924..cd3c7de 100644
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
-@@ -673,31 +709,34 @@ dev_read_rand(hplip_t)
+@@ -673,31 +711,34 @@ dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
dev_rw_usbfs(hplip_t)
@@ -14650,7 +14686,7 @@ index e5a8924..cd3c7de 100644
optional_policy(`
dbus_system_bus_client(hplip_t)
-@@ -743,7 +782,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -743,7 +784,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -14658,7 +14694,7 @@ index e5a8924..cd3c7de 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -760,13 +798,10 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -760,13 +800,10 @@ fs_search_auto_mountpoints(ptal_t)
domain_use_interactive_fds(ptal_t)
@@ -41426,10 +41462,10 @@ index 0000000..681f8a0
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..2c81ee4
+index 0000000..1eecd0e
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,355 @@
+@@ -0,0 +1,362 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -41462,6 +41498,9 @@ index 0000000..2c81ee4
+type openshift_initrc_tmp_t;
+files_tmp_file(openshift_initrc_tmp_t)
+
++type openshift_tmpfs_t;
++files_tmpfs_file(openshift_tmpfs_t)
++
+type openshift_tmp_t, openshift_file_type;
+files_tmp_file(openshift_tmp_t)
+files_mountpoint(openshift_tmp_t)
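Review bot: `openshift_tmpfs_t` is declared without the `openshift_file_type` attribute, while `openshift_tmp_t` on the following line carries it. Rules written against the attribute, such as the `dontaudit openshift_domain openshift_file_type:dir search_dir_perms` visible in the next hunk, will therefore not cover the new type. If it should be treated like the other gear file types, declare it as `type openshift_tmpfs_t, openshift_file_type;`. If the omission is deliberate, a short comment above the declaration saying so would prevent a later "fix". The matching `manage_*_pattern` and `fs_tmpfs_filetrans` rules for this type are added in the next hunk.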
@@ -41566,6 +41605,10 @@ index 0000000..2c81ee4
+dontaudit openshift_domain openshift_file_type:dir search_dir_perms
+;
+
++manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
++manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
++fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file })
++
+manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
@@ -52186,10 +52229,10 @@ index 0000000..e38693b
+')
diff --git a/realmd.te b/realmd.te
new file mode 100644
-index 0000000..2d27770
+index 0000000..2f0d32d
--- /dev/null
+++ b/realmd.te
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,85 @@
+policy_module(realmd, 1.0.0)
+
+########################################
@@ -52232,6 +52275,9 @@ index 0000000..2d27770
+sysnet_dns_name_resolve(realmd_t)
+systemd_exec_systemctl(realmd_t)
+
++#userdom_admin_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
++#userdom_user_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
++
+optional_policy(`
+ dbus_system_domain(realmd_t, realmd_exec_t)
+')
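Review bot: The two `#userdom_admin_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")` / `#userdom_user_home_dir_filetrans(...)` lines are added already commented out, with nothing to say why they are disabled or when they should be enabled. Dead rules in policy source are easy to uncomment later without review. Either drop them, or put a one-line reason above them such as `# disabled: <reason>, see <bug reference>`. The next hunk adds `gnome_manage_cache_home_dir(realmd_t)` inside the gnome `optional_policy` block, followed by a stray empty line before the closing `')`. That is presumably the replacement for these transitions, and it would be worth saying so in the same comment.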
@@ -52254,6 +52300,8 @@ index 0000000..2d27770
+ gnome_read_config(realmd_t)
+ gnome_read_generic_cache_files(realmd_t)
+ gnome_write_generic_cache_files(realmd_t)
++ gnome_manage_cache_home_dir(realmd_t)
++
+')
+
+optional_policy(`
@@ -55164,10 +55212,10 @@ index 330d01f..fd96b3c 100644
optional_policy(`
diff --git a/rpcbind.fc b/rpcbind.fc
-index f5c47d6..482b584 100644
+index f5c47d6..164ce1f 100644
--- a/rpcbind.fc
+++ b/rpcbind.fc
-@@ -2,6 +2,9 @@
+@@ -2,8 +2,10 @@
/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
@@ -55177,6 +55225,9 @@ index f5c47d6..482b584 100644
/var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+-/var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+-/var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
++/var/run/rpcbind.* gen_context(system_u:object_r:rpcbind_var_run_t,s0)
diff --git a/rpcbind.if b/rpcbind.if
index a96249c..5f38427 100644
--- a/rpcbind.if
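Review bot: The new entry `/var/run/rpcbind.*` is broader than the two specs it replaces. The dot is unescaped, nothing separates `rpcbind` from what follows, and there is no file-type field, so any object under `/var/run` whose path begins with `rpcbind` is labelled `rpcbind_var_run_t`. If the intent is the changelog's "all files in /var/run/rpcbind", then `/var/run/rpcbind(/.*)?` would cover that, with the original `rpcbind\.lock --` and `rpcbind\.sock -s` lines kept alongside it, and without also claiming unrelated names. If the intent is any `rpcbind.<suffix>` file, `/var/run/rpcbind\..*` says that exactly.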
@@ -57962,10 +58013,10 @@ index 0000000..f00e5c5
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..152eddf
+index 0000000..6b8775a
--- /dev/null
+++ b/sandboxX.te
-@@ -0,0 +1,455 @@
+@@ -0,0 +1,456 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@@ -58219,6 +58270,7 @@ index 0000000..152eddf
+userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain)
+
+fs_search_auto_mountpoints(sandbox_x_domain)
++fs_read_hugetlbfs_files(sandbox_x_domain)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_auto_mountpoints(sandbox_x_domain)
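Review bot: `fs_read_hugetlbfs_files` is granted to the whole `sandbox_x_domain` attribute, although the changelog names Java as the only consumer. Every X sandbox type therefore gains read access to `hugetlbfs_t` files, which may have been created by processes outside the sandbox. If only some sandbox types run a JVM, apply the call to those types instead of the attribute. Otherwise add a comment above the line, for example `# JVM large-page support probes hugetlbfs; read-only`, so the breadth of the grant is recorded as intentional.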
@@ -64808,7 +64860,7 @@ index 0000000..9127cec
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..2ac25e3
+index 0000000..10465bf
--- /dev/null
+++ b/thumb.te
@@ -0,0 +1,122 @@
@@ -64840,7 +64892,7 @@ index 0000000..2ac25e3
+# thumb local policy
+#
+
-+allow thumb_t self:process { setsched signal setrlimit };
++allow thumb_t self:process { setsched signal signull setrlimit };
+
+tunable_policy(`deny_execmem',`',`
+ allow thumb_t self:process execmem;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5be8f90..e7f0b9d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 43%{?dist}
+Release: 44%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -522,6 +522,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Oct 24 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-44
+- Change default label of all files in /var/run/rpcbind
+- Allow sandbox domains (java) to read hugetlbfs_t
+- Allow awstats cgi content to create tmp files and read apache log files
+- Allow setuid/setgid for cupsd-config
+- Allow setsched/sys_nice pro cupsd-config
+- Fix /etc/localtime sym link to be labeled locale_t
+- Allow sshd to search postgresql db t since this is a homedir
+- Allow xwindows users to chat with realmd
+- Allow unconfined domains to configure all files and null_device_t service
+
* Tue Oct 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-43
- Adopt pki-selinux policy