[selinux-policy/f18] * Mon Sep 17 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-21 - Add interfaces to ignore setattr u

Miroslav Grepl mgrepl at fedoraproject.org
Mon Sep 17 11:05:13 UTC 2012


commit 5f05f7455d8a89a9f0ea43ccfb50778a5c0b9dbb
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Sep 17 13:04:58 2012 +0200

    * Mon Sep 17 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-21
    - Add interfaces to ignore setattr until kernel fixes this to be checked after the DAC ch
    - Change pam_t to pam_timestamp_t
    - Add dovecot_domain attribute and allow this attribute block_suspend capability2
    - Add sanlock_use_fusefs boolean
    - numad wants send/receive msg
    - Allow rhnsd to send syslog msgs
    - Make piranha-pulse as initrc domain
    - Update openshift instances to dontaudit setattr until the kernel is fixed.

 policy-rawhide.patch         |  596 +++++++++++++++++++++++++++++++++---------
 policy_contrib-rawhide.patch |  358 +++++++++++++++++---------
 selinux-policy.spec          |   12 +-
 3 files changed, 717 insertions(+), 249 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 6c53f13..d98cef4 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -55302,6 +55302,119 @@ index 0000000..cc869e0
 +selinux(8), pam_console(8), semanage(8), restorecon(8), chcon(1)
 +, pam_selinux(8)
 \ No newline at end of file
+diff --git a/man/man8/pam_timestamp_selinux.8 b/man/man8/pam_timestamp_selinux.8
+new file mode 100644
+index 0000000..8a4d1da
+--- /dev/null
++++ b/man/man8/pam_timestamp_selinux.8
+@@ -0,0 +1,107 @@
++.TH  "pam_timestamp_selinux"  "8"  "pam_timestamp" "dwalsh at redhat.com" "pam_timestamp SELinux Policy documentation"
++.SH "NAME"
++pam_timestamp_selinux \- Security Enhanced Linux Policy for the pam_timestamp processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pam_timestamp processes via flexible mandatory access
++control.  
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pam_timestamp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pam_timestamp_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux pam_timestamp policy is very flexible allowing users to setup their pam_timestamp processes in as secure a method as possible.
++.PP 
++The following file types are defined for pam_timestamp:
++
++
++.EX
++.PP
++.B pam_timestamp_exec_t 
++.EE
++
++- Set files with the pam_timestamp_exec_t type, if you want to transition an executable to the pam_timestamp_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/pam_timestamp_check, /usr/sbin/pam_timestamp_check
++
++.EX
++.PP
++.B pam_timestamp_tmp_t 
++.EE
++
++- Set files with the pam_timestamp_tmp_t type, if you want to store pam timestamp temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the 
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pam_timestamp policy is very flexible allowing users to setup their pam_timestamp processes in as secure a method as possible.
++.PP 
++The following process types are defined for pam_timestamp:
++
++.EX
++.B pam_timestamp_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "MANAGED FILES"
++
++The SELinux user type pam_timestamp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.br
++.B pam_timestamp_tmp_t
++
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was auto-generated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), pam_timestamp(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/passenger_selinux.8 b/man/man8/passenger_selinux.8
 new file mode 100644
 index 0000000..d724a7a
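Review bot: the new pam_timestamp_selinux.8 page has two broken groff escapes, `\fBls\bP` in FILE CONTEXTS and `\fBps\bP` in PROCESS TYPES; the closing font escape is `\fP`, so as written the command name is followed by a stray `\bP` in the rendered page. Since the AUTHOR section says the page is produced by genman.py, the fix belongs in the generator so every *_selinux.8 page picks it up, and the NSSWITCH DOMAIN paragraph's "rather then using a sssd serve" should become "rather than using an sssd server" in the same template.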
@@ -105655,7 +105768,7 @@ index 8796ca3..10f0231 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..76477ca 100644
+index e1e814d..13c475a 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -105675,7 +105788,52 @@ index e1e814d..76477ca 100644
  	allow $1 non_security_file_type:file mounton;
  ')
  
-@@ -683,12 +684,82 @@ interface(`files_read_non_security_files',`
+@@ -620,6 +621,44 @@ interface(`files_dontaudit_getattr_non_security_files',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to set the attributes
++##	of non security files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_setattr_non_security_files',`
++	gen_require(`
++		attribute non_security_file_type;
++	')
++
++	dontaudit $1 non_security_file_type:file setattr;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to set the attributes
++##	of non security directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_setattr_non_security_dirs',`
++	gen_require(`
++		attribute non_security_file_type;
++	')
++
++	dontaudit $1 non_security_file_type:dir setattr;
++')
++
++########################################
++## <summary>
+ ##	Read all files.
+ ## </summary>
+ ## <param name="domain">
+@@ -683,12 +722,82 @@ interface(`files_read_non_security_files',`
  		attribute non_security_file_type;
  	')
  
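Review bot: the two new interfaces files_dontaudit_setattr_non_security_files and files_dontaudit_setattr_non_security_dirs silence setattr denials for every type carrying non_security_file_type, which is very broad; the changelog frames this as a stopgap until the kernel performs the DAC check before the SELinux setattr check. Put that dependency in the interface summary or a comment above `dontaudit $1 non_security_file_type:file setattr;` so callers can be reverted once the kernel change lands, because while the rule is in place a domain attempting chmod/chown on files it should never touch leaves no AVC record. The dirs variant only covers the dir class; check whether the callers that motivated it also hit lnk_file or sock_file setattr so the same gap is not reopened there.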
@@ -105758,7 +105916,7 @@ index e1e814d..76477ca 100644
  ##	Read all directories on the filesystem, except
  ##	the listed exceptions.
  ## </summary>
-@@ -1073,10 +1144,8 @@ interface(`files_relabel_all_files',`
+@@ -1073,10 +1182,8 @@ interface(`files_relabel_all_files',`
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -105771,7 +105929,7 @@ index e1e814d..76477ca 100644
  
  	# satisfy the assertions:
  	seutil_relabelto_bin_policy($1)
-@@ -1655,6 +1724,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1655,6 +1762,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -105796,7 +105954,7 @@ index e1e814d..76477ca 100644
  ##	Do not audit attempts to write to mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1673,6 +1760,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1673,6 +1798,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -105821,7 +105979,7 @@ index e1e814d..76477ca 100644
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1856,6 +1961,42 @@ interface(`files_delete_root_dir_entry',`
+@@ -1856,6 +1999,42 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -105864,7 +106022,7 @@ index e1e814d..76477ca 100644
  ##	Unmount a rootfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1874,6 +2015,24 @@ interface(`files_unmount_rootfs',`
+@@ -1874,6 +2053,24 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -105889,7 +106047,7 @@ index e1e814d..76477ca 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2573,6 +2732,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2573,6 +2770,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -105914,7 +106072,7 @@ index e1e814d..76477ca 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2644,6 +2821,7 @@ interface(`files_read_etc_files',`
+@@ -2644,6 +2859,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -105922,7 +106080,7 @@ index e1e814d..76477ca 100644
  ')
  
  ########################################
-@@ -2652,7 +2830,7 @@ interface(`files_read_etc_files',`
+@@ -2652,7 +2868,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -105931,7 +106089,7 @@ index e1e814d..76477ca 100644
  ##	</summary>
  ## </param>
  #
-@@ -2708,6 +2886,25 @@ interface(`files_manage_etc_files',`
+@@ -2708,6 +2924,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -105957,7 +106115,7 @@ index e1e814d..76477ca 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2726,6 +2923,24 @@ interface(`files_delete_etc_files',`
+@@ -2726,6 +2961,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -105982,7 +106140,7 @@ index e1e814d..76477ca 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2891,24 +3106,6 @@ interface(`files_delete_boot_flag',`
+@@ -2891,24 +3144,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -106007,7 +106165,7 @@ index e1e814d..76477ca 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -2949,6 +3146,42 @@ interface(`files_read_etc_runtime_files',`
+@@ -2949,6 +3184,42 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -106050,7 +106208,7 @@ index e1e814d..76477ca 100644
  ##	Do not audit attempts to read files
  ##	in /etc that are dynamically
  ##	created on boot, such as mtab.
-@@ -2986,6 +3219,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2986,6 +3257,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -106058,7 +106216,7 @@ index e1e814d..76477ca 100644
  ')
  
  ########################################
-@@ -3007,6 +3241,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3007,6 +3279,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -106066,11 +106224,33 @@ index e1e814d..76477ca 100644
  ')
  
  ########################################
-@@ -3382,6 +3617,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3382,7 +3655,7 @@ interface(`files_rw_isid_type_blk_files',`
  
  ########################################
  ## <summary>
+-##	Create, read, write, and delete block device nodes
 +##	rw any files inherited from another process
+ ##	on new filesystems that have not yet been labeled.
+ ## </summary>
+ ## <param name="domain">
+@@ -3391,17 +3664,36 @@ interface(`files_rw_isid_type_blk_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_isid_type_blk_files',`
++interface(`files_rw_inherited_isid_type_files',`
+ 	gen_require(`
+ 		type file_t;
+ 	')
+ 
+-	allow $1 file_t:blk_file manage_blk_file_perms;
++	allow $1 file_t:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete character device nodes
++##	Create, read, write, and delete block device nodes
 +##	on new filesystems that have not yet been labeled.
 +## </summary>
 +## <param name="domain">
@@ -106079,20 +106259,21 @@ index e1e814d..76477ca 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_rw_inherited_isid_type_files',`
++interface(`files_manage_isid_type_blk_files',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	allow $1 file_t:file rw_inherited_file_perms;
++	allow $1 file_t:blk_file manage_blk_file_perms;
 +')
 +
 +########################################
 +## <summary>
- ##	Create, read, write, and delete block device nodes
++##	Create, read, write, and delete character device nodes
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3723,20 +3977,38 @@ interface(`files_list_mnt',`
+ ## <param name="domain">
+@@ -3723,20 +4015,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
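Review bot: the regenerated hunk rewrites the existing files_manage_isid_type_blk_files block into files_rw_inherited_isid_type_files and re-adds the blk_files interface below it; the resulting files.if is the same as with the previous version of the patch, but the summary now produced for the new interface reads "rw any files inherited from another process on new filesystems that have not yet been labeled", because its second line is inherited from the blk_file block. Spell it out as "Read and write inherited files on new filesystems that have not yet been labeled" to match the style of the neighbouring summaries.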
@@ -106136,15 +106317,12 @@ index e1e814d..76477ca 100644
  ')
  
  ########################################
-@@ -4126,10 +4398,131 @@ interface(`files_read_world_readable_sockets',`
+@@ -4126,6 +4436,127 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
--########################################
 +#######################################
- ## <summary>
--##	Allow the specified type to associate
--##	to a filesystem with the type of the
++## <summary>
 +##  Read manageable system configuration files in /etc
 +## </summary>
 +## <param name="domain">
@@ -106264,14 +106442,10 @@ index e1e814d..76477ca 100644
 +    filetrans_pattern($1, etc_t, system_conf_t, file)
 +')
 +
-+########################################
-+## <summary>
-+##	Allow the specified type to associate
-+##	to a filesystem with the type of the
- ##	temporary directory (/tmp).
- ## </summary>
- ## <param name="file_type">
-@@ -4148,6 +4541,26 @@ interface(`files_associate_tmp',`
+ ########################################
+ ## <summary>
+ ##	Allow the specified type to associate
+@@ -4148,6 +4579,26 @@ interface(`files_associate_tmp',`
  
  ########################################
  ## <summary>
@@ -106298,7 +106472,7 @@ index e1e814d..76477ca 100644
  ##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4161,6 +4574,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4161,6 +4612,7 @@ interface(`files_getattr_tmp_dirs',`
  		type tmp_t;
  	')
  
@@ -106306,7 +106480,7 @@ index e1e814d..76477ca 100644
  	allow $1 tmp_t:dir getattr;
  ')
  
-@@ -4171,7 +4585,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4171,7 +4623,7 @@ interface(`files_getattr_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -106315,7 +106489,7 @@ index e1e814d..76477ca 100644
  ##	</summary>
  ## </param>
  #
-@@ -4198,6 +4612,7 @@ interface(`files_search_tmp',`
+@@ -4198,6 +4650,7 @@ interface(`files_search_tmp',`
  		type tmp_t;
  	')
  
@@ -106323,7 +106497,7 @@ index e1e814d..76477ca 100644
  	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4234,6 +4649,7 @@ interface(`files_list_tmp',`
+@@ -4234,6 +4687,7 @@ interface(`files_list_tmp',`
  		type tmp_t;
  	')
  
@@ -106331,7 +106505,7 @@ index e1e814d..76477ca 100644
  	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4243,7 +4659,7 @@ interface(`files_list_tmp',`
+@@ -4243,7 +4697,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -106340,7 +106514,7 @@ index e1e814d..76477ca 100644
  ##	</summary>
  ## </param>
  #
-@@ -4255,6 +4671,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4255,6 +4709,25 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -106366,7 +106540,7 @@ index e1e814d..76477ca 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4270,6 +4705,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4270,6 +4743,7 @@ interface(`files_delete_tmp_dir_entry',`
  		type tmp_t;
  	')
  
@@ -106374,7 +106548,7 @@ index e1e814d..76477ca 100644
  	allow $1 tmp_t:dir del_entry_dir_perms;
  ')
  
-@@ -4311,6 +4747,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4311,6 +4785,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -106407,7 +106581,7 @@ index e1e814d..76477ca 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4365,6 +4827,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4365,6 +4865,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -106450,7 +106624,7 @@ index e1e814d..76477ca 100644
  ##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4383,6 +4881,42 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4383,6 +4919,42 @@ interface(`files_setattr_all_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -106493,7 +106667,7 @@ index e1e814d..76477ca 100644
  ##	List all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4428,7 +4962,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4428,7 +5000,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -106502,7 +106676,7 @@ index e1e814d..76477ca 100644
  ##	</summary>
  ## </param>
  #
-@@ -4488,7 +5022,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4488,7 +5060,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -106511,7 +106685,7 @@ index e1e814d..76477ca 100644
  ##	</summary>
  ## </param>
  #
-@@ -4573,6 +5107,16 @@ interface(`files_purge_tmp',`
+@@ -4573,6 +5145,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -106528,7 +106702,7 @@ index e1e814d..76477ca 100644
  ')
  
  ########################################
-@@ -5150,6 +5694,24 @@ interface(`files_list_var',`
+@@ -5150,6 +5732,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -106553,7 +106727,7 @@ index e1e814d..76477ca 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5505,6 +6067,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5505,6 +6105,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -106579,7 +106753,7 @@ index e1e814d..76477ca 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5550,7 +6131,7 @@ interface(`files_manage_mounttab',`
+@@ -5550,7 +6169,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -106588,7 +106762,7 @@ index e1e814d..76477ca 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5558,12 +6139,13 @@ interface(`files_manage_mounttab',`
+@@ -5558,12 +6177,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -106604,7 +106778,7 @@ index e1e814d..76477ca 100644
  ')
  
  ########################################
-@@ -5581,6 +6163,7 @@ interface(`files_search_locks',`
+@@ -5581,6 +6201,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -106612,7 +106786,7 @@ index e1e814d..76477ca 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5607,7 +6190,7 @@ interface(`files_dontaudit_search_locks',`
+@@ -5607,7 +6228,7 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -106621,7 +106795,7 @@ index e1e814d..76477ca 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5615,13 +6198,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5615,13 +6236,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -106638,7 +106812,7 @@ index e1e814d..76477ca 100644
  ')
  
  ########################################
-@@ -5640,7 +6222,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5640,7 +6260,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -106647,7 +106821,7 @@ index e1e814d..76477ca 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5673,7 +6255,6 @@ interface(`files_create_lock_dirs',`
+@@ -5673,7 +6293,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -106655,7 +106829,7 @@ index e1e814d..76477ca 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5701,8 +6282,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5701,8 +6320,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -106665,7 +106839,7 @@ index e1e814d..76477ca 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5718,13 +6298,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5718,13 +6336,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -106683,7 +106857,7 @@ index e1e814d..76477ca 100644
  ')
  
  ########################################
-@@ -5743,8 +6322,7 @@ interface(`files_manage_generic_locks',`
+@@ -5743,8 +6360,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -106693,7 +106867,7 @@ index e1e814d..76477ca 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5786,8 +6364,7 @@ interface(`files_read_all_locks',`
+@@ -5786,8 +6402,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -106703,7 +106877,7 @@ index e1e814d..76477ca 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5809,8 +6386,7 @@ interface(`files_manage_all_locks',`
+@@ -5809,8 +6424,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -106713,7 +106887,7 @@ index e1e814d..76477ca 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5847,8 +6423,7 @@ interface(`files_lock_filetrans',`
+@@ -5847,8 +6461,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -106723,7 +106897,7 @@ index e1e814d..76477ca 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5911,6 +6486,43 @@ interface(`files_search_pids',`
+@@ -5911,6 +6524,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -106767,64 +106941,33 @@ index e1e814d..76477ca 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5933,28 +6545,47 @@ interface(`files_dontaudit_search_pids',`
+@@ -5933,6 +6583,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
--##	List the contents of the runtime process
--##	ID directories (/var/run).
 +##	Do not audit attempts to search
 +##	the all /var/run directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`files_list_pids',`
-+interface(`files_dontaudit_search_all_pids',`
- 	gen_require(`
--		type var_t, var_run_t;
-+		attribute pidfile;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, var_run_t)
-+	dontaudit $1 pidfile:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Read generic process ID files.
--## </summary>
-+##	List the contents of the runtime process
-+##	ID directories (/var/run).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_list_pids',`
++interface(`files_dontaudit_search_all_pids',`
 +	gen_require(`
-+		type var_t, var_run_t;
++		attribute pidfile;
 +	')
 +
-+	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	list_dirs_pattern($1, var_t, var_run_t)
++	dontaudit $1 pidfile:dir search_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Read generic process ID files.
-+## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
-@@ -6048,7 +6679,6 @@ interface(`files_pid_filetrans',`
+ ##	List the contents of the runtime process
+ ##	ID directories (/var/run).
+ ## </summary>
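Review bot: the summary for files_dontaudit_search_all_pids reads "the all /var/run directory"; it should say "all runtime process ID directories (/var/run)". The rule itself, `dontaudit $1 pidfile:dir search_dir_perms;`, is written against the pidfile attribute rather than var_run_t, so it covers every pid-file type, and the summary should say so since that is wider than the /var/run wording suggests.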
+@@ -6048,7 +6717,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -106832,7 +106975,7 @@ index e1e814d..76477ca 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6157,6 +6787,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6157,6 +6825,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -106949,7 +107092,7 @@ index e1e814d..76477ca 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -6169,12 +6909,67 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6169,12 +6947,67 @@ interface(`files_dontaudit_ioctl_all_pids',`
  interface(`files_read_all_pids',`
  	gen_require(`
  		attribute pidfile;
@@ -107019,7 +107162,7 @@ index e1e814d..76477ca 100644
  ')
  
  ########################################
-@@ -6245,6 +7040,90 @@ interface(`files_delete_all_pid_dirs',`
+@@ -6245,6 +7078,90 @@ interface(`files_delete_all_pid_dirs',`
  
  ########################################
  ## <summary>
@@ -107110,7 +107253,7 @@ index e1e814d..76477ca 100644
  ##	Search the contents of generic spool
  ##	directories (/var/spool).
  ## </summary>
-@@ -6467,3 +7346,346 @@ interface(`files_unconfined',`
+@@ -6467,3 +7384,346 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -117452,7 +117595,7 @@ index c6fdab7..32f45fa 100644
  	cron_sigchld(application_domain_type)
  ')
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..47fdb65 100644
+index 28ad538..df78158 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
 @@ -1,3 +1,7 @@
@@ -117463,7 +117606,7 @@ index 28ad538..47fdb65 100644
  
  /bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)
  
-@@ -5,7 +9,14 @@
+@@ -5,10 +9,17 @@
  /etc/group\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/gshadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
@@ -117477,7 +117620,11 @@ index 28ad538..47fdb65 100644
 +/etc/group[-\+]?	--	gen_context(system_u:object_r:passwd_file_t,s0)
  
  /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
- /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
+-/sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
++/sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_timestamp_exec_t,s0)
+ /sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ /sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
+ /sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
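Review bot: relabeling /sbin/pam_timestamp_check from pam_exec_t to pam_timestamp_exec_t changes the entrypoint of the domain, and the matching authlogin.te changes are not part of this hunk; confirm that pam_timestamp_exec_t is declared there and that no other .fc entry still maps a binary to pam_exec_t, otherwise that binary silently loses its domain transition. After install `matchpathcon /sbin/pam_timestamp_check` should report the new type, and existing systems need a restorecon on both the /sbin and /usr/sbin paths before the transition takes effect.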
 @@ -16,13 +27,22 @@ ifdef(`distro_suse', `
  /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
  ')
@@ -117489,7 +117636,7 @@ index 28ad538..47fdb65 100644
 -/usr/sbin/utempter	--	gen_context(system_u:object_r:utempter_exec_t,s0)
 -/usr/sbin/validate	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 +/usr/sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
-+/usr/sbin/pam_timestamp_check	 --	gen_context(system_u:object_r:pam_exec_t,s0)
++/usr/sbin/pam_timestamp_check	 --	gen_context(system_u:object_r:pam_timestamp_exec_t,s0)
 +/usr/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 +/usr/sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
 +/usr/sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
@@ -117528,7 +117675,7 @@ index 28ad538..47fdb65 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index f416ce9..b647a7b 100644
+index f416ce9..bce907a 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -117726,7 +117873,7 @@ index f416ce9..b647a7b 100644
 +interface(`authlogin_read_state',`
 +	gen_require(`
 +		attribute polydomain;
- 	')
++	')
 +
 +	kernel_search_proc($1)
 +	ps_process_pattern($1, polydomain)
@@ -117745,7 +117892,7 @@ index f416ce9..b647a7b 100644
 +interface(`authlogin_rw_pipes',`
 +	gen_require(`
 +		attribute polydomain;
-+	')
+ 	')
 +
 +	allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
  ')
@@ -117891,7 +118038,102 @@ index f416ce9..b647a7b 100644
  ')
  
  #######################################
-@@ -959,9 +1172,30 @@ interface(`auth_manage_var_auth',`
+@@ -826,7 +1039,7 @@ interface(`auth_rw_lastlog',`
+ 
+ ########################################
+ ## <summary>
+-##	Execute pam programs in the pam domain.
++##	Execute pam timestamp programs in the pam timestamp domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -834,12 +1047,26 @@ interface(`auth_rw_lastlog',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`auth_domtrans_pam',`
++interface(`auth_domtrans_pam_timestamp',`
+ 	gen_require(`
+-		type pam_t, pam_exec_t;
++		type pam_timestamp_t, pam_timestamp_exec_t;
+ 	')
+ 
+-	domtrans_pattern($1, pam_exec_t, pam_t)
++	domtrans_pattern($1, pam_timestamp_exec_t, pam_timestamp_t)
++')
++
++########################################
++## <summary>
++##	Execute pam timestamp programs in the pam timestamp domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`auth_domtrans_pam',`
++	auth_domtrans_pam_timestamp($1)
+ ')
+ 
+ ########################################
+@@ -854,15 +1081,15 @@ interface(`auth_domtrans_pam',`
+ #
+ interface(`auth_signal_pam',`
+ 	gen_require(`
+-		type pam_t;
++		type pam_timestamp_t;
+ 	')
+ 
+-	allow $1 pam_t:process signal;
++	allow $1 pam_timestamp_t:process signal;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Execute pam programs in the PAM domain.
++##	Execute pam_timestamp programs in the PAM timestamp domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -875,13 +1102,32 @@ interface(`auth_signal_pam',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`auth_run_pam',`
++interface(`auth_run_pam_timestamp',`
+ 	gen_require(`
+-		type pam_t;
++		type pam_timestamp_t;
+ 	')
+ 
+-	auth_domtrans_pam($1)
+-	role $2 types pam_t;
++	auth_domtrans_pam_timestamp($1)
++	role $2 types pam_timestamp_t;
++')
++
++########################################
++## <summary>
++##	Execute pam_timestamp programs in the PAM timestamp domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to allow the PAM domain.
++##	</summary>
++## </param>
++#
++interface(`auth_run_pam',`
++	auth_run_pam_timestamp($1, #2)
+ ')
+ 
+ ########################################
+@@ -959,9 +1205,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
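Review bot: `auth_run_pam_timestamp($1, #2)` in the new `auth_run_pam` compatibility wrapper passes `#2` where `$2` (the role) is meant; in m4 `#` opens a comment, so the role argument never reaches the wrapped interface and its `role $2 types pam_timestamp_t;` line is left without a role. It should read `auth_run_pam_timestamp($1, $2)`. Also, `auth_signal_pam` is switched to `pam_timestamp_t` without a matching `auth_signal_pam_timestamp` plus wrapper, unlike the domtrans/run pair; either rename it the same way or note in its summary that the old name is kept for compatibility.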
@@ -117925,7 +118167,7 @@ index f416ce9..b647a7b 100644
  ')
  
  ########################################
-@@ -1040,6 +1274,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1307,10 @@ interface(`auth_manage_pam_pid',`
  	files_search_pids($1)
  	allow $1 pam_var_run_t:dir manage_dir_perms;
  	allow $1 pam_var_run_t:file manage_file_perms;
@@ -117936,7 +118178,7 @@ index f416ce9..b647a7b 100644
  ')
  
  ########################################
-@@ -1157,6 +1395,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1157,6 +1428,7 @@ interface(`auth_manage_pam_console_data',`
  	files_search_pids($1)
  	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
  	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -117944,7 +118186,7 @@ index f416ce9..b647a7b 100644
  ')
  
  #######################################
-@@ -1526,6 +1765,25 @@ interface(`auth_setattr_login_records',`
+@@ -1526,6 +1798,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -117970,7 +118212,7 @@ index f416ce9..b647a7b 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1676,24 +1934,7 @@ interface(`auth_manage_login_records',`
+@@ -1676,24 +1967,7 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -117996,7 +118238,7 @@ index f416ce9..b647a7b 100644
  ')
  
  ########################################
-@@ -1717,9 +1958,9 @@ interface(`auth_relabel_login_records',`
+@@ -1717,9 +1991,9 @@ interface(`auth_relabel_login_records',`
  ## <infoflow type="both" weight="10"/>
  #
  interface(`auth_use_nsswitch',`
@@ -118009,7 +118251,7 @@ index f416ce9..b647a7b 100644
  
  	typeattribute $1 nsswitch_domain;
  ')
-@@ -1755,3 +1996,194 @@ interface(`auth_unconfined',`
+@@ -1755,3 +2029,194 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -118205,7 +118447,7 @@ index f416ce9..b647a7b 100644
 +	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index f145ccb..81a2094 100644
+index f145ccb..f2f26a8 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,6 +5,12 @@ policy_module(authlogin, 2.4.0)
@@ -118248,6 +118490,29 @@ index f145ccb..81a2094 100644
  
  type lastlog_t;
  logging_log_file(lastlog_t)
+@@ -42,15 +53,15 @@ type pam_console_exec_t;
+ init_system_domain(pam_console_t, pam_console_exec_t)
+ role system_r types pam_console_t;
+ 
+-type pam_t;
+-domain_type(pam_t)
+-role system_r types pam_t;
++type pam_timestamp_t alias pam_t;
++domain_type(pam_timestamp_t)
++role system_r types pam_timestamp_t;
+ 
+-type pam_exec_t;
+-domain_entry_file(pam_t, pam_exec_t)
++type pam_timestamp_exec_t  alias pam_exec_t;
++domain_entry_file(pam_timestamp_t, pam_timestamp_exec_t)
+ 
+-type pam_tmp_t;
+-files_tmp_file(pam_tmp_t)
++type pam_timestamp_tmp_t;
++files_tmp_file(pam_timestamp_tmp_t)
+ 
+ type pam_var_console_t;
+ files_pid_file(pam_var_console_t)
 @@ -64,6 +75,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
  neverallow ~can_write_shadow_passwords shadow_t:file { create write };
  neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
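Review bot: `pam_timestamp_tmp_t` is introduced without an alias, while `pam_timestamp_t alias pam_t` and `pam_timestamp_exec_t alias pam_exec_t` keep the old names; any module that still references `pam_tmp_t` will fail to link, and files already labelled `pam_tmp_t` under /tmp carry an invalid label after the new policy loads until they are relabelled. Declare it as `type pam_timestamp_tmp_t alias pam_tmp_t;` for consistency with the other two. Minor: double space in `type pam_timestamp_exec_t  alias pam_exec_t;`.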
@@ -118276,6 +118541,89 @@ index f145ccb..81a2094 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
+@@ -153,53 +169,53 @@ optional_policy(`
+ # PAM local policy
+ #
+ 
+-allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+-dontaudit pam_t self:capability sys_tty_config;
++allow pam_timestamp_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++dontaudit pam_timestamp_t self:capability sys_tty_config;
+ 
+-allow pam_t self:fd use;
+-allow pam_t self:fifo_file rw_file_perms;
+-allow pam_t self:unix_dgram_socket create_socket_perms;
+-allow pam_t self:unix_stream_socket rw_stream_socket_perms;
+-allow pam_t self:unix_dgram_socket sendto;
+-allow pam_t self:unix_stream_socket connectto;
+-allow pam_t self:shm create_shm_perms;
+-allow pam_t self:sem create_sem_perms;
+-allow pam_t self:msgq create_msgq_perms;
+-allow pam_t self:msg { send receive };
++allow pam_timestamp_t self:fd use;
++allow pam_timestamp_t self:fifo_file rw_file_perms;
++allow pam_timestamp_t self:unix_dgram_socket create_socket_perms;
++allow pam_timestamp_t self:unix_stream_socket rw_stream_socket_perms;
++allow pam_timestamp_t self:unix_dgram_socket sendto;
++allow pam_timestamp_t self:unix_stream_socket connectto;
++allow pam_timestamp_t self:shm create_shm_perms;
++allow pam_timestamp_t self:sem create_sem_perms;
++allow pam_timestamp_t self:msgq create_msgq_perms;
++allow pam_timestamp_t self:msg { send receive };
+ 
+-delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
+-read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
+-files_list_pids(pam_t)
++delete_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t)
++read_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t)
++files_list_pids(pam_timestamp_t)
+ 
+-allow pam_t pam_tmp_t:dir manage_dir_perms;
+-allow pam_t pam_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
++allow pam_timestamp_t pam_timestamp_tmp_t:dir manage_dir_perms;
++allow pam_timestamp_t pam_timestamp_tmp_t:file manage_file_perms;
++files_tmp_filetrans(pam_timestamp_t, pam_timestamp_tmp_t, { file dir })
+ 
+-auth_use_nsswitch(pam_t)
++auth_use_nsswitch(pam_timestamp_t)
+ 
+-kernel_read_system_state(pam_t)
++kernel_read_system_state(pam_timestamp_t)
+ 
+-files_read_etc_files(pam_t)
++files_read_etc_files(pam_timestamp_t)
+ 
+-fs_search_auto_mountpoints(pam_t)
++fs_search_auto_mountpoints(pam_timestamp_t)
+ 
+-miscfiles_read_localization(pam_t)
++miscfiles_read_localization(pam_timestamp_t)
+ 
+-term_use_all_ttys(pam_t)
+-term_use_all_ptys(pam_t)
++term_use_all_ttys(pam_timestamp_t)
++term_use_all_ptys(pam_timestamp_t)
+ 
+-init_dontaudit_rw_utmp(pam_t)
++init_dontaudit_rw_utmp(pam_timestamp_t)
+ 
+-logging_send_syslog_msg(pam_t)
++logging_send_syslog_msg(pam_timestamp_t)
+ 
+ ifdef(`distro_ubuntu',`
+ 	optional_policy(`
+-		unconfined_domain(pam_t)
++		unconfined_domain(pam_timestamp_t)
+ 	')
+ ')
+ 
+ optional_policy(`
+-	locallogin_use_fds(pam_t)
++	locallogin_use_fds(pam_timestamp_t)
+ ')
+ 
+ ########################################
 @@ -341,6 +357,7 @@ kernel_read_system_state(updpwd_t)
  dev_read_urand(updpwd_t)
  
@@ -129686,7 +130034,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..d7b1538 100644
+index e720dcd..2c810bb 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -130322,7 +130670,7 @@ index e720dcd..d7b1538 100644
 -	auth_run_pam($1_t, $1_r)
 -	auth_run_utempter($1_t, $1_r)
 +	auth_read_login_records($1_usertype)
-+	auth_run_pam($1_t,$1_r)
++	auth_run_pam_timestamp($1_t,$1_r)
 +	auth_run_utempter($1_t,$1_r)
 +	auth_filetrans_admin_home_content($1_t)
 +	auth_filetrans_home_content($1_t)
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 74eae57..83fd4ed 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -316,7 +316,7 @@ index 0b827c5..ac79ca6 100644
 +	dontaudit $1 abrt_t:sock_file write;
  ')
 diff --git a/abrt.te b/abrt.te
-index 30861ec..5d15d35 100644
+index 30861ec..baac38b 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0)
@@ -539,7 +539,7 @@ index 30861ec..5d15d35 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,9 +264,32 @@ optional_policy(`
+@@ -178,9 +264,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -552,6 +552,10 @@ index 30861ec..5d15d35 100644
  	sssd_stream_connect(abrt_t)
  ')
  
++optional_policy(`
++	xserver_read_log(abrt_t)
++')
++
 +#######################################
 +#
 +# abrt-handle-event local policy
@@ -572,7 +576,7 @@ index 30861ec..5d15d35 100644
  ########################################
  #
  # abrt--helper local policy
-@@ -200,23 +309,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +313,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  
@@ -601,7 +605,7 @@ index 30861ec..5d15d35 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +332,146 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +336,146 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -619,7 +623,7 @@ index 30861ec..5d15d35 100644
 +	allow abrt_t self:capability sys_resource;
 +	allow abrt_t domain:file write;
 +	allow abrt_t domain:process setrlimit;
-+')
+ ')
 +
 +#######################################
 +#
@@ -734,7 +738,7 @@ index 30861ec..5d15d35 100644
 +
 +optional_policy(`
 +	unconfined_domain(abrt_watch_log_t)
- ')
++')
 +
 +#######################################
 +#
@@ -17579,19 +17583,36 @@ index e1d7dc5..df96c0d 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/dovecot.te b/dovecot.te
-index 2df7766..7193004 100644
+index 2df7766..d681b28 100644
 --- a/dovecot.te
 +++ b/dovecot.te
-@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
+@@ -4,11 +4,13 @@ policy_module(dovecot, 1.14.0)
+ #
+ # Declarations
+ #
+-type dovecot_t;
++attribute dovecot_domain;
++
++type dovecot_t, dovecot_domain;
+ type dovecot_exec_t;
+ init_daemon_domain(dovecot_t, dovecot_exec_t)
+ 
+-type dovecot_auth_t;
++type dovecot_auth_t, dovecot_domain;
+ type dovecot_auth_exec_t;
+ domain_type(dovecot_auth_t)
+ domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
+@@ -18,14 +20,17 @@ type dovecot_auth_tmp_t;
  files_tmp_file(dovecot_auth_tmp_t)
  
  type dovecot_cert_t;
 -files_type(dovecot_cert_t)
 +miscfiles_cert_type(dovecot_cert_t)
  
- type dovecot_deliver_t;
+-type dovecot_deliver_t;
++type dovecot_deliver_t, dovecot_domain;
  type dovecot_deliver_exec_t;
-@@ -26,6 +26,9 @@ domain_type(dovecot_deliver_t)
+ domain_type(dovecot_deliver_t)
  domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
  role system_r types dovecot_deliver_t;
  
@@ -17601,7 +17622,7 @@ index 2df7766..7193004 100644
  type dovecot_etc_t;
  files_config_file(dovecot_etc_t)
  
-@@ -36,7 +39,7 @@ type dovecot_passwd_t;
+@@ -36,7 +41,7 @@ type dovecot_passwd_t;
  files_type(dovecot_passwd_t)
  
  type dovecot_spool_t;
@@ -17610,20 +17631,53 @@ index 2df7766..7193004 100644
  
  type dovecot_tmp_t;
  files_tmp_file(dovecot_tmp_t)
-@@ -56,9 +59,10 @@ files_pid_file(dovecot_var_run_t)
+@@ -51,17 +56,41 @@ logging_log_file(dovecot_var_log_t)
+ type dovecot_var_run_t;
+ files_pid_file(dovecot_var_run_t)
+ 
++#######################################
++#
++# dovecot domain local policy
++#
++
++allow dovecot_domain self:capability2 block_suspend;
++
++allow dovecot_domain self:unix_dgram_socket create_socket_perms;
++allow dovecot_domain self:fifo_file rw_fifo_file_perms;
++
++kernel_read_all_sysctls(dovecot_domain)
++kernel_read_system_state(dovecot_domain)
++
++corecmd_exec_bin(dovecot_domain)
++
++dev_read_sysfs(dovecot_domain)
++dev_read_rand(dovecot_domain)
++dev_read_urand(dovecot_domain)
++
++# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
++files_read_etc_runtime_files(dovecot_domain)
++
++logging_send_syslog_msg(dovecot_domain)
++
++miscfiles_read_localization(dovecot_domain)
++
+ ########################################
+ #
  # dovecot local policy
  #
  
 -allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
 +allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
-+allow dovecot_t self:capability2 block_suspend;
  dontaudit dovecot_t self:capability sys_tty_config;
 -allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
+-allow dovecot_t self:fifo_file rw_fifo_file_perms;
 +allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
- allow dovecot_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_t self:tcp_socket create_stream_socket_perms;
- allow dovecot_t self:unix_dgram_socket create_socket_perms;
-@@ -72,7 +76,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+-allow dovecot_t self:unix_dgram_socket create_socket_perms;
+ allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ 
+ domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+@@ -72,7 +101,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
  read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
  read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
  
@@ -17634,7 +17688,7 @@ index 2df7766..7193004 100644
  files_search_etc(dovecot_t)
  
  can_exec(dovecot_t, dovecot_exec_t)
-@@ -94,15 +100,16 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+@@ -94,15 +125,13 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
  manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
  manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
  
@@ -17643,17 +17697,17 @@ index 2df7766..7193004 100644
  manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
  manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 -files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
+-
+-kernel_read_kernel_sysctls(dovecot_t)
+-kernel_read_system_state(dovecot_t)
 +manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 +files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
  
- kernel_read_kernel_sysctls(dovecot_t)
- kernel_read_system_state(dovecot_t)
- 
 -corenet_all_recvfrom_unlabeled(dovecot_t)
  corenet_all_recvfrom_netlabel(dovecot_t)
  corenet_tcp_sendrecv_generic_if(dovecot_t)
  corenet_tcp_sendrecv_generic_node(dovecot_t)
-@@ -110,6 +117,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
+@@ -110,41 +139,34 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
  corenet_tcp_bind_generic_node(dovecot_t)
  corenet_tcp_bind_mail_port(dovecot_t)
  corenet_tcp_bind_pop_port(dovecot_t)
@@ -17661,39 +17715,55 @@ index 2df7766..7193004 100644
  corenet_tcp_bind_sieve_port(dovecot_t)
  corenet_tcp_connect_all_ports(dovecot_t)
  corenet_tcp_connect_postgresql_port(dovecot_t)
-@@ -128,13 +136,14 @@ corecmd_exec_bin(dovecot_t)
+ corenet_sendrecv_pop_server_packets(dovecot_t)
+ corenet_sendrecv_all_client_packets(dovecot_t)
+ 
+-dev_read_sysfs(dovecot_t)
+-dev_read_urand(dovecot_t)
+-
+ fs_getattr_all_fs(dovecot_t)
+ fs_getattr_all_dirs(dovecot_t)
+ fs_search_auto_mountpoints(dovecot_t)
+ fs_list_inotifyfs(dovecot_t)
  
+-corecmd_exec_bin(dovecot_t)
+-
  domain_use_interactive_fds(dovecot_t)
  
 -files_read_etc_files(dovecot_t)
  files_search_spool(dovecot_t)
  files_search_tmp(dovecot_t)
  files_dontaudit_list_default(dovecot_t)
+-# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
+-files_read_etc_runtime_files(dovecot_t)
 +files_dontaudit_search_all_dirs(dovecot_t)
- # Dovecot now has quota support and it uses getmntent() to find the mountpoints.
- files_read_etc_runtime_files(dovecot_t)
  files_search_all_mountpoints(dovecot_t)
 +files_read_var_lib_files(dovecot_t)
  
  init_getattr_utmp(dovecot_t)
  
-@@ -145,6 +154,7 @@ logging_send_syslog_msg(dovecot_t)
+ auth_use_nsswitch(dovecot_t)
+ 
+-logging_send_syslog_msg(dovecot_t)
+-
  miscfiles_read_generic_certs(dovecot_t)
- miscfiles_read_localization(dovecot_t)
+-miscfiles_read_localization(dovecot_t)
  
 +userdom_home_manager(dovecot_t)
  userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
  userdom_manage_user_home_content_dirs(dovecot_t)
  userdom_manage_user_home_content_files(dovecot_t)
-@@ -153,10 +163,21 @@ userdom_manage_user_home_content_pipes(dovecot_t)
+@@ -153,10 +175,23 @@ userdom_manage_user_home_content_pipes(dovecot_t)
  userdom_manage_user_home_content_sockets(dovecot_t)
  userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
  
-+mta_manage_home_rw(dovecot_t)
- mta_manage_spool(dovecot_t)
- 
- optional_policy(`
--	kerberos_keytab_template(dovecot, dovecot_t)
+-mta_manage_spool(dovecot_t)
++optional_policy(`
++	mta_manage_home_rw(dovecot_t)
++	mta_manage_spool(dovecot_t)
++')
++
++optional_policy(`
 +	kerberos_keytab_template(dovecot_t, dovecot_t)
 +	kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
 +')
@@ -17701,14 +17771,15 @@ index 2df7766..7193004 100644
 +optional_policy(`
 +	gnome_manage_data(dovecot_t)
 +')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	kerberos_keytab_template(dovecot, dovecot_t)
 +	postfix_manage_private_sockets(dovecot_t)
 +	postfix_search_spool(dovecot_t)
  ')
  
  optional_policy(`
-@@ -164,6 +185,11 @@ optional_policy(`
+@@ -164,6 +199,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17720,18 +17791,19 @@ index 2df7766..7193004 100644
  	seutil_sigchld_newrole(dovecot_t)
  ')
  
-@@ -180,8 +206,8 @@ optional_policy(`
+@@ -180,16 +220,17 @@ optional_policy(`
  # dovecot auth local policy
  #
  
 -allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
 -allow dovecot_auth_t self:process { signal_perms getcap setcap };
+-allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
+-allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
 +allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
 +allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
- allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
- allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
  allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +216,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+ 
+ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
  
  read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
  
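Review bot: `dovecot_auth_t` gains the `ipc_lock` and `sys_nice` capabilities plus `getsched setsched`, none of which the dovecot changelog entry mentions. Add a comment above the `allow dovecot_auth_t self:capability` line saying what triggers them (memory locking of credential buffers, priority changes) so the grant can be re-checked later, and list it in the spec changelog.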
@@ -17741,35 +17813,35 @@ index 2df7766..7193004 100644
  manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,22 +230,25 @@ dovecot_stream_connect_auth(dovecot_auth_t)
- kernel_read_all_sysctls(dovecot_auth_t)
- kernel_read_system_state(dovecot_auth_t)
+@@ -198,32 +239,25 @@ allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+ manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+ dovecot_stream_connect_auth(dovecot_auth_t)
  
-+corecmd_exec_bin(dovecot_auth_t)
-+
+-kernel_read_all_sysctls(dovecot_auth_t)
+-kernel_read_system_state(dovecot_auth_t)
+-
  logging_send_audit_msgs(dovecot_auth_t)
- logging_send_syslog_msg(dovecot_auth_t)
- 
-+dev_search_sysfs(dovecot_auth_t)
- dev_read_urand(dovecot_auth_t)
+-logging_send_syslog_msg(dovecot_auth_t)
+-
+-dev_read_urand(dovecot_auth_t)
  
  auth_domtrans_chk_passwd(dovecot_auth_t)
  auth_use_nsswitch(dovecot_auth_t)
  
 -files_read_etc_files(dovecot_auth_t)
- files_read_etc_runtime_files(dovecot_auth_t)
+-files_read_etc_runtime_files(dovecot_auth_t)
  files_search_pids(dovecot_auth_t)
  files_read_usr_files(dovecot_auth_t)
  files_read_usr_symlinks(dovecot_auth_t)
  files_read_var_lib_files(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
 -files_read_var_lib_files(dovecot_t)
-+
-+fs_getattr_xattr_fs(dovecot_auth_t)
  
- init_rw_utmp(dovecot_auth_t)
+-init_rw_utmp(dovecot_auth_t)
++fs_getattr_xattr_fs(dovecot_auth_t)
  
-@@ -224,6 +256,8 @@ miscfiles_read_localization(dovecot_auth_t)
+-miscfiles_read_localization(dovecot_auth_t)
++init_rw_utmp(dovecot_auth_t)
  
  seutil_dontaudit_search_config(dovecot_auth_t)
  
@@ -17796,53 +17868,50 @@ index 2df7766..7193004 100644
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -250,23 +288,42 @@ optional_policy(`
+@@ -250,25 +288,31 @@ optional_policy(`
  #
  # dovecot deliver local policy
  #
-+
-+allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
- allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+-allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
  
  allow dovecot_deliver_t dovecot_t:process signull;
  
 -allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+-allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
 +allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
 +read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
 +read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
-+
+ 
+-kernel_read_all_sysctls(dovecot_deliver_t)
+-kernel_read_system_state(dovecot_deliver_t)
 +allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
-+
+ 
+-files_read_etc_files(dovecot_deliver_t)
+-files_read_etc_runtime_files(dovecot_deliver_t)
 +append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-+
+ 
+-auth_use_nsswitch(dovecot_deliver_t)
 +manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
 +manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
 +files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
 +
- allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
++allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
 +read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
 +read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
 +dovecot_stream_connect(dovecot_deliver_t)
-+
-+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
  
- kernel_read_all_sysctls(dovecot_deliver_t)
- kernel_read_system_state(dovecot_deliver_t)
+-logging_send_syslog_msg(dovecot_deliver_t)
+-logging_search_logs(dovecot_auth_t)
++can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
  
--files_read_etc_files(dovecot_deliver_t)
-+corecmd_exec_bin(dovecot_deliver_t)
+-miscfiles_read_localization(dovecot_deliver_t)
++auth_use_nsswitch(dovecot_deliver_t)
 +
- files_read_etc_runtime_files(dovecot_deliver_t)
- 
- auth_use_nsswitch(dovecot_deliver_t)
- 
- logging_send_syslog_msg(dovecot_deliver_t)
--logging_search_logs(dovecot_auth_t)
 +logging_append_all_logs(dovecot_deliver_t)
  
- miscfiles_read_localization(dovecot_deliver_t)
+ dovecot_stream_connect_auth(dovecot_deliver_t)
  
-@@ -283,24 +340,21 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +327,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
  userdom_manage_user_home_content_sockets(dovecot_deliver_t)
  userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
  
@@ -17853,11 +17922,8 @@ index 2df7766..7193004 100644
 -	fs_manage_nfs_dirs(dovecot_t)
 -	fs_manage_nfs_files(dovecot_t)
 -	fs_manage_nfs_symlinks(dovecot_t)
+-')
 +userdom_home_manager(dovecot_deliver_t)
-+
-+optional_policy(`
-+	gnome_manage_data(dovecot_deliver_t)
- ')
  
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(dovecot_deliver_t)
@@ -17866,16 +17932,21 @@ index 2df7766..7193004 100644
 -	fs_manage_cifs_dirs(dovecot_t)
 -	fs_manage_cifs_files(dovecot_t)
 -	fs_manage_cifs_symlinks(dovecot_t)
-+mta_manage_spool(dovecot_deliver_t)
-+mta_read_queue(dovecot_deliver_t)
-+mta_manage_home_rw(dovecot_deliver_t)
-+
 +optional_policy(`
-+	postfix_use_fds_master(dovecot_deliver_t)
++	gnome_manage_data(dovecot_deliver_t)
  ')
  
  optional_policy(`
--	mta_manage_spool(dovecot_deliver_t)
+ 	mta_manage_spool(dovecot_deliver_t)
++	mta_read_queue(dovecot_deliver_t)
++	mta_manage_home_rw(dovecot_deliver_t)
++')
++
++optional_policy(`
++	postfix_use_fds_master(dovecot_deliver_t)
++')
++
++optional_policy(`
 +	# Handle sieve scripts
 +	sendmail_domtrans(dovecot_deliver_t)
  ')
@@ -21346,7 +21417,7 @@ index 7ff9d6d..6b0a7ff 100644
  	allow $1 glance_api_t:process signal_perms;
  	ps_process_pattern($1, glance_api_t)
 diff --git a/glance.te b/glance.te
-index 4afb81f..40df3ea 100644
+index 4afb81f..8a383f0 100644
 --- a/glance.te
 +++ b/glance.te
 @@ -57,12 +57,17 @@ manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
@@ -21383,7 +21454,7 @@ index 4afb81f..40df3ea 100644
  
  ########################################
  #
-@@ -94,11 +108,11 @@ can_exec(glance_api_t, glance_tmp_t)
+@@ -94,11 +108,15 @@ can_exec(glance_api_t, glance_tmp_t)
  corecmd_exec_shell(glance_api_t)
  
  corenet_tcp_bind_generic_node(glance_api_t)
@@ -21395,8 +21466,11 @@ index 4afb81f..40df3ea 100644
  dev_read_urand(glance_api_t)
  
  fs_getattr_xattr_fs(glance_api_t)
--
+ 
 -libs_exec_ldconfig(glance_api_t)
++optional_policy(`
++    mysql_stream_connect(glance_api_t)
++')
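Review bot: the new `mysql_stream_connect(glance_api_t)` block is indented with four spaces while the rest of glance.te (and refpolicy style) uses tabs; use a tab. The glance change is also absent from the spec changelog.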
 diff --git a/glusterd.fc b/glusterd.fc
 new file mode 100644
 index 0000000..6418e39
@@ -21742,7 +21816,7 @@ index 00a19e3..17006fc 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index f5afe78..a5a95df 100644
+index f5afe78..7cace3a 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,44 +1,956 @@
@@ -22823,7 +22897,7 @@ index f5afe78..a5a95df 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +1050,98 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +1050,100 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -22902,6 +22976,8 @@ index f5afe78..a5a95df 100644
 +    userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts")
 +    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
 +    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
++	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.0")
++	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.2")
 +    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
 +    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
 +    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
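Review bot: the two added `.gstreamer-1.0` / `.gstreamer-1.2` filetrans lines are indented with a tab while the surrounding lines of this template use four spaces; match the neighbours here and convert the whole block to tabs in a separate cleanup. The neighbouring `.gstreamer-10` and `.gstreamer-12` entries look like they were meant to be the dotted versions being added now; if so, remove them in the same change rather than keeping both spellings.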
@@ -22933,7 +23009,7 @@ index f5afe78..a5a95df 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,17 +1149,36 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1151,36 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -22974,7 +23050,7 @@ index f5afe78..a5a95df 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +1186,274 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1188,274 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -32169,7 +32245,7 @@ index b397fde..36e1117 100644
 +')
 +
 diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..3287b22 100644
+index d4fcb75..06e7064 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -32261,7 +32337,12 @@ index d4fcb75..3287b22 100644
  # /var/lib
  files_read_var_lib_files(mozilla_t)
  # interacting with gstreamer
-@@ -155,38 +181,31 @@ fs_rw_tmpfs_files(mozilla_t)
+@@ -151,42 +177,35 @@ files_dontaudit_getattr_boot_dirs(mozilla_t)
+ fs_dontaudit_getattr_all_fs(mozilla_t)
+ fs_search_auto_mountpoints(mozilla_t)
+ fs_list_inotifyfs(mozilla_t)
+-fs_rw_tmpfs_files(mozilla_t)
++fs_rw_inherited_tmpfs_files(mozilla_t)
  
  term_dontaudit_getattr_pty_dirs(mozilla_t)
  
@@ -32442,7 +32523,7 @@ index d4fcb75..3287b22 100644
  files_read_usr_files(mozilla_plugin_t)
  files_list_mnt(mozilla_plugin_t)
 +files_exec_usr_files(mozilla_plugin_t)
-+fs_dontaudit_read_tmpfs_files(mozilla_plugin_t)
++fs_rw_inherited_tmpfs_files(mozilla_plugin_t)
  
  fs_getattr_all_fs(mozilla_plugin_t)
  fs_list_dos(mozilla_plugin_t)
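Review bot: for `mozilla_plugin_t` this hunk replaces `fs_dontaudit_read_tmpfs_files` with `fs_rw_inherited_tmpfs_files`, turning a silenced read into an allowed read/write on inherited tmpfs files, while the `mozilla_t` hunk above narrows `fs_rw_tmpfs_files` to the inherited variant. Neither mozilla change appears in the changelog; add an entry, and move the new line down into the `fs_*` block (next to `fs_getattr_all_fs(mozilla_plugin_t)`) rather than leaving it between the `files_*` calls.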
@@ -38423,10 +38504,10 @@ index 0000000..709dda1
 +')
 diff --git a/numad.te b/numad.te
 new file mode 100644
-index 0000000..e18b767
+index 0000000..0530669
 --- /dev/null
 +++ b/numad.te
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,46 @@
 +policy_module(numad, 1.0.0)
 +
 +########################################
@@ -38455,6 +38536,7 @@ index 0000000..e18b767
 +allow numad_t self:process { fork };
 +allow numad_t self:fifo_file rw_fifo_file_perms;
 +allow numad_t self:msgq create_msgq_perms;
++allow numad_t self:msg { send receive };
 +allow numad_t self:unix_stream_socket create_stream_socket_perms;
 +
 +manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t)
@@ -39254,10 +39336,10 @@ index 0000000..3eb6a30
 +## <summary></summary>
 diff --git a/openshift-origin.te b/openshift-origin.te
 new file mode 100644
-index 0000000..7866b08
+index 0000000..966d0b3
 --- /dev/null
 +++ b/openshift-origin.te
-@@ -0,0 +1,12 @@
+@@ -0,0 +1,14 @@
 +policy_module(openshift-origin,1.0.0)
 +gen_require(`
 +	attribute openshift_domain;
@@ -39267,21 +39349,26 @@ index 0000000..7866b08
 +#
 +# openshift origin standard local policy
 +#
++allow openshift_domain self:socket_class_set create_socket_perms;
 +corenet_tcp_connect_all_ports(openshift_domain)
 +corenet_tcp_bind_all_ports(openshift_domain)
-+allow openshift_domain self:socket  create_socket_perms;
++dev_read_sysfs(openshift_domain)
++files_read_config_files(openshift_domain)
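Review bot: `allow openshift_domain self:socket_class_set create_socket_perms;` replaces the narrow `self:socket` grant with one over every socket class, including `rawip_socket`, `packet_socket` and the `netlink_*` classes, for every openshift domain. Name the classes the gears actually need (`tcp_socket udp_socket unix_stream_socket unix_dgram_socket` would be the usual set) instead of the whole set; raw and packet sockets in a multi-tenant gear domain are exactly what the confinement is meant to rule out.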
 diff --git a/openshift.fc b/openshift.fc
 new file mode 100644
-index 0000000..ec3e972
+index 0000000..84338ed
 --- /dev/null
 +++ b/openshift.fc
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,17 @@
 +/etc/rc\.d/init\.d/libra        gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mcollective        gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++
 +/var/lib/stickshift(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
 +/var/lib/stickshift/.*/data(/.*)?	       gen_context(system_u:object_r:openshift_rw_file_t,s0)
++
 +/var/lib/stickshift/.*/\.tmp(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
 +/var/lib/stickshift/.*/\.sandbox(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
++
 +/var/log/mcollective\.log        --    gen_context(system_u:object_r:openshift_log_t,s0)
 +
 +/usr/bin/rhc-cgroup-read        --    gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
@@ -39845,7 +39932,7 @@ index 0000000..f5d6f44
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..466dd85
+index 0000000..d5b29dc
 --- /dev/null
 +++ b/openshift.te
 @@ -0,0 +1,346 @@
@@ -39862,7 +39949,7 @@ index 0000000..466dd85
 +
 +# openshift applications that can use the network.
 +attribute openshift_net_domain;
-+# Attribute representing all openshift user processes execludes run by apache
++# Attribute representing all openshift user processes (excludes apache processes)
 +attribute openshift_user_domain;
 +# Attribute representing all openshift processes
 +attribute openshift_domain;
@@ -40050,7 +40137,8 @@ index 0000000..466dd85
 +files_exec_etc_files(openshift_domain)
 +files_read_usr_files(openshift_domain)
 +files_dontaudit_getattr_non_security_sockets(openshift_domain)
-+files_dontaudit_setattr_etc_runtime_files(openshift_domain)
++files_dontaudit_setattr_non_security_dirs(openshift_domain)
++files_dontaudit_setattr_non_security_files(openshift_domain)
 +
 +libs_exec_lib_files(openshift_domain)
 +libs_exec_ld_so(openshift_domain)
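Review bot: the two `files_dontaudit_setattr_non_security_*` calls replace a rule scoped to etc_runtime_files with one covering all non-security dirs and files, and nothing in openshift.te records that this is a stopgap. The changelog says it holds "until the kernel is fixed", so add a comment above the two lines stating that and what the kernel issue is, so the widening can be reverted later; also confirm the two new interfaces are defined in the policy-rawhide.patch part of this commit, since the module build fails if they are missing. dontaudit does not grant access, but at this scope setattr attempts by openshift domains on arbitrary files will no longer appear in the audit log.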
@@ -40194,7 +40282,6 @@ index 0000000..466dd85
 +
 +allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
 +read_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
-+
 diff --git a/openvpn.if b/openvpn.if
 index d883214..d6afa87 100644
 --- a/openvpn.if
@@ -41670,10 +41757,10 @@ index 0000000..242567b
 +')
 diff --git a/piranha.te b/piranha.te
 new file mode 100644
-index 0000000..f29bf1d
+index 0000000..2e5571e
 --- /dev/null
 +++ b/piranha.te
-@@ -0,0 +1,298 @@
+@@ -0,0 +1,300 @@
 +policy_module(piranha, 1.0.0)
 +
 +########################################
@@ -41875,6 +41962,8 @@ index 0000000..f29bf1d
 +
 +fs_getattr_all_fs(piranha_pulse_t)
 +
++init_initrc_domain(piranha_pulse_t)
++
 +logging_send_syslog_msg(piranha_pulse_t)
 +
 +miscfiles_read_localization(piranha_pulse_t)
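Review bot: `init_initrc_domain(piranha_pulse_t)` is added without a comment saying which init scripts or daemons pulse needs to start; the initrc_domain attribute carries the script-execution and daemon-transition rights initrc_t has, so a one-line comment naming the service pulse launches would justify the widening and help the next reader decide whether it can be narrowed.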
@@ -50991,7 +51080,7 @@ index 137605a..7624759 100644
 +	')
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 783f678..dd784e3 100644
+index 783f678..ef8a8da 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
 @@ -29,6 +29,9 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -51004,7 +51093,7 @@ index 783f678..dd784e3 100644
  allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
  allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -43,17 +46,31 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+@@ -43,17 +46,33 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
  
  manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
  manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
@@ -51025,6 +51114,8 @@ index 783f678..dd784e3 100644
 +files_manage_generic_locks(rhsmcertd_t)
 +
 +auth_read_passwd(rhsmcertd_t)
++
++logging_send_syslog_msg(rhsmcertd_t)
  
  miscfiles_read_localization(rhsmcertd_t)
 -miscfiles_read_generic_certs(rhsmcertd_t)
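Review bot: this hunk adds `logging_send_syslog_msg(rhsmcertd_t)`, but the changelog entry in this commit reads "Allow rhnsd to send syslog msgs"; either the changelog names the wrong domain or the rhsmcertd change is missing from it. Make the changelog match the file actually touched.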
@@ -55416,7 +55507,7 @@ index cfe3172..3eb745d 100644
 +
  ')
 diff --git a/sanlock.te b/sanlock.te
-index e02eb6c..8e19451 100644
+index e02eb6c..29f3319 100644
 --- a/sanlock.te
 +++ b/sanlock.te
 @@ -1,4 +1,4 @@
@@ -55425,7 +55516,7 @@ index e02eb6c..8e19451 100644
  
  ########################################
  #
-@@ -6,16 +6,16 @@ policy_module(sanlock, 1.0.0)
+@@ -6,18 +6,25 @@ policy_module(sanlock, 1.0.0)
  #
  
  ## <desc>
@@ -55439,16 +55530,24 @@ index e02eb6c..8e19451 100644
  gen_tunable(sanlock_use_nfs, false)
  
  ## <desc>
--## <p>
--## Allow confined virtual guests to manage cifs files
--## </p>
 +##  <p>
 +##  Allow sanlock to manage cifs files
 +##  </p>
++## </desc>
++gen_tunable(sanlock_use_samba, false)
++
++## <desc>
+ ## <p>
+-## Allow confined virtual guests to manage cifs files
++## Allow sanlock to read/write fuse files
+ ## </p>
  ## </desc>
- gen_tunable(sanlock_use_samba, false)
+-gen_tunable(sanlock_use_samba, false)
++gen_tunable(sanlock_use_fusefs, false)
  
-@@ -44,8 +44,9 @@ ifdef(`enable_mls',`
+ type sanlock_t;
+ type sanlock_exec_t;
+@@ -44,8 +51,9 @@ ifdef(`enable_mls',`
  #
  # sanlock local policy
  #
@@ -55460,7 +55559,7 @@ index e02eb6c..8e19451 100644
  allow sanlock_t self:fifo_file rw_fifo_file_perms;
  allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -58,15 +59,17 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+@@ -58,15 +66,17 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
  files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
  
  kernel_read_system_state(sanlock_t)
@@ -55479,9 +55578,17 @@ index e02eb6c..8e19451 100644
  init_read_utmp(sanlock_t)
  init_dontaudit_write_utmp(sanlock_t)
  
-@@ -75,19 +78,25 @@ logging_send_syslog_msg(sanlock_t)
+@@ -74,20 +84,33 @@ logging_send_syslog_msg(sanlock_t)
+ 
  miscfiles_read_localization(sanlock_t)
  
++tunable_policy(`sanlock_use_fusefs',`
++    fs_manage_fusefs_dirs(sanlock_t)
++    fs_manage_fusefs_files(sanlock_t)
++    fs_read_fusefs_symlinks(sanlock_t)
++    fs_getattr_fusefs(sanlock_t)
++')
++
  tunable_policy(`sanlock_use_nfs',`
 -	fs_manage_nfs_dirs(sanlock_t)
 -	fs_manage_nfs_files(sanlock_t)
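Review bot: the `sanlock_use_fusefs` block grants `fs_manage_fusefs_dirs(sanlock_t)` and `fs_manage_fusefs_files(sanlock_t)` (create, unlink and rename included), while the boolean's `<desc>` added earlier in the file says only "Allow sanlock to read/write fuse files". Either reword the description to say "manage" so the `semanage boolean` output matches what the boolean enables, or use read/write interfaces if that is all sanlock needs on fuse mounts. The new block is indented with four spaces where the removed nfs lines used tabs; fine if the rest of the file is being converted in the same hunk, otherwise keep one style.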
@@ -60219,7 +60326,7 @@ index f09171e..18952a8 100644
 +	gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
 +')
 diff --git a/telepathy.te b/telepathy.te
-index 964978b..f8bb7e4 100644
+index 964978b..3b45a43 100644
 --- a/telepathy.te
 +++ b/telepathy.te
 @@ -7,16 +7,16 @@ policy_module(telepathy, 1.3.0)
@@ -60466,7 +60573,7 @@ index 964978b..f8bb7e4 100644
  corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t)
  corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t)
  corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t)
-@@ -361,10 +401,14 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+@@ -361,11 +401,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
  allow telepathy_domain self:tcp_socket create_socket_perms;
  allow telepathy_domain self:udp_socket create_socket_perms;
  
@@ -60479,9 +60586,11 @@ index 964978b..f8bb7e4 100644
  
 +fs_getattr_all_fs(telepathy_domain)
  fs_search_auto_mountpoints(telepathy_domain)
++fs_rw_inherited_tmpfs_files(telepathy_domain)
  
  miscfiles_read_localization(telepathy_domain)
-@@ -374,5 +418,23 @@ optional_policy(`
+ 
+@@ -374,5 +419,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61248,10 +61357,10 @@ index 0000000..9127cec
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..b4564df
+index 0000000..d41ccbd
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,120 @@
+@@ -0,0 +1,121 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -61332,6 +61441,7 @@ index 0000000..b4564df
 +
 +fs_getattr_all_fs(thumb_t)
 +fs_read_dos_files(thumb_t)
++fs_rw_inherited_tmpfs_files(thumb_t)
 +
 +auth_use_nsswitch(thumb_t)
 +
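Review bot: `fs_rw_inherited_tmpfs_files(thumb_t)` here and `fs_rw_inherited_tmpfs_files(telepathy_domain)` in the telepathy.te hunk above are not mentioned in the changelog; add an entry so the change is discoverable. Both are limited to descriptors inherited from the parent, so the scope itself is not a concern.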
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 92d55fe..9b975da 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -495,6 +495,16 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Sep 17 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-21
+- Add interfaces to ignore setattr until kernel fixes this to be checked after the DAC check
+- Change pam_t to pam_timestamp_t
+- Add dovecot_domain attribute and allow this attribute block_suspend capability2
+- Add sanlock_use_fusefs boolean
+- numad wants send/recieve msg
+- Allow rhnsd to send syslog msgs
+- Make piranha-pulse as initrc domain
+- Update openshift instances to dontaudit setattr until the kernel is fixed.
+
 * Fri Sep 14 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-20
 -  Fix auth_login_pgm_domain() interface to allow domains also managed user tmp dirs because of #856880 related to pam_systemd
 - Remove pam_selinux.8 which conflicts with man page owned by the pam package
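Review bot: "recieve" in the numad entry should be "receive". The entry list also does not line up with the diff: pam_timestamp, dovecot and numad changes are listed but not in the visible policy_contrib hunks, while the rhsmcertd syslog, telepathy and thumb tmpfs changes that are visible have no entry; please reconcile before tagging.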

