[selinux-policy/f17] * Mon Sep 17 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-149 - Add sanlock_use_fusefs boolean - A
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Sep 17 11:41:04 UTC 2012
commit 441956e1209e4578e651609e3d3aa358ecde5dd3
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Sep 17 13:40:43 2012 +0200
* Mon Sep 17 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-149
- Add sanlock_use_fusefs boolean
- Add stapserver policy from F18
- Allow rhnsd to send syslog msgs
- ABRT wants to read Xorg.0.log if it detects problem with Xorg
- Allow chrome_sandbox to leak unix_dgram_socket into chrome_sandbox_
- Allow postalias to read postfix config files
- Allow tmpreaper to cleanup all files in /tmp
- Allow chown capability for zarafa domains
- Allow xauth to read /dev/urandom
- Allow tmpreaper to list admin_home dir
- Allow clamd to write/delete own pid file with clamd_var_run_t labe
- Add support for gitolite3
- Allow virsh_t to getattr on virtd_exec_t
- Allow virsh can_exec on virsh_exec_t
- Look up group name by spamass-milter-postfix
- Add mozilla_plugin_can_network_connect boolean
- Fix /var/lib/sqlgrey labeling
- Add support for a new path for passenger
permissivedomains.pp | Bin 98309 -> 98662 bytes
policy-F16.patch | 725 +++++++++++++++++++++++++++++++++++++++++---------
selinux-policy.spec | 22 ++-
3 files changed, 615 insertions(+), 132 deletions(-)
---
diff --git a/permissivedomains.pp b/permissivedomains.pp
index 4c4a2d5..8b47751 100644
Binary files a/permissivedomains.pp and b/permissivedomains.pp differ
diff --git a/policy-F16.patch b/policy-F16.patch
index c52e079..a87e93b 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -65095,21 +65095,21 @@ index e0791b9..98d188e 100644
+ term_dontaudit_use_all_ptys(traceroute_t)
+')
diff --git a/policy/modules/admin/passenger.fc b/policy/modules/admin/passenger.fc
-index 545518d..7d5bf4c 100644
+index 545518d..1f3251d 100644
--- a/policy/modules/admin/passenger.fc
+++ b/policy/modules/admin/passenger.fc
-@@ -3,6 +3,11 @@
- /usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
- /usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+@@ -1,7 +1,7 @@
+-/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
+-/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
+-/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+-/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/.*/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/.*/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/.*/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/.*/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/share/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/share/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+
/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
- /var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0)
diff --git a/policy/modules/admin/passenger.if b/policy/modules/admin/passenger.if
index f68b573..8fb9cd3 100644
--- a/policy/modules/admin/passenger.if
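Review bot: The four rewritten file-context lines use the prefix `/usr/.*/gems/`, and because `.*` crosses directory separators this labels a matching `passenger-*/.../PassengerWatchdog` (etc.) file at any depth under /usr as `passenger_exec_t`, not just the Ruby gem roots the changelog entry "new path for passenger" appears to target. passenger_exec_t is an executable type, and how it is used as an entrypoint is defined in passenger.if/.te rather than in this hunk, so the label should be confined to the known gem locations; replacing the prefix on all four lines with `/usr/(lib(64)?/ruby|share)/gems/` covers /usr/lib/ruby, /usr/lib64/ruby and /usr/share/gems without the open wildcard. The `/usr/gems/` entries of the previous revision that this hunk drops look like a typo, and removing them is correct.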
@@ -67271,7 +67271,7 @@ index d5aaf0e..6b16aef 100644
optional_policy(`
mta_send_mail(sxid_t)
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..2fd53ed 100644
+index 6a5004b..63c8af6 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -67282,7 +67282,7 @@ index 6a5004b..2fd53ed 100644
application_domain(tmpreaper_t, tmpreaper_exec_t)
role system_r types tmpreaper_t;
-@@ -18,33 +19,50 @@ role system_r types tmpreaper_t;
+@@ -18,33 +19,51 @@ role system_r types tmpreaper_t;
allow tmpreaper_t self:process { fork sigchld };
allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
@@ -67329,6 +67329,7 @@ index 6a5004b..2fd53ed 100644
- userdom_delete_user_home_content_dirs(tmpreaper_t)
- userdom_delete_user_home_content_files(tmpreaper_t)
- userdom_delete_user_home_content_symlinks(tmpreaper_t)
++ userdom_list_admin_dir(tmpreaper_t)
+ userdom_delete_all_user_home_content_dirs(tmpreaper_t)
+ userdom_delete_all_user_home_content_files(tmpreaper_t)
+ userdom_delete_all_user_home_content_sock_files(tmpreaper_t)
@@ -67337,7 +67338,7 @@ index 6a5004b..2fd53ed 100644
')
optional_policy(`
-@@ -52,7 +70,9 @@ optional_policy(`
+@@ -52,7 +71,9 @@ optional_policy(`
')
optional_policy(`
@@ -67347,7 +67348,7 @@ index 6a5004b..2fd53ed 100644
apache_delete_cache_files(tmpreaper_t)
apache_setattr_cache_dirs(tmpreaper_t)
')
-@@ -66,9 +86,13 @@ optional_policy(`
+@@ -66,9 +87,13 @@ optional_policy(`
')
optional_policy(`
@@ -68210,10 +68211,10 @@ index 0000000..efebae7
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..a0c979d
+index 0000000..163c017
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,186 @@
+@@ -0,0 +1,187 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -68364,6 +68365,7 @@ index 0000000..a0c979d
+allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
+allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
++allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };
+
+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
@@ -68749,6 +68751,16 @@ index 6e4add5..5c81832 100644
-')
+userdom_use_inherited_user_terminals(giftd_t)
+userdom_home_manager(gitd_t)
+diff --git a/policy/modules/apps/gitosis.fc b/policy/modules/apps/gitosis.fc
+index 7e90e45..5052171 100644
+--- a/policy/modules/apps/gitosis.fc
++++ b/policy/modules/apps/gitosis.fc
+@@ -2,4 +2,4 @@
+ /usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+ /var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+-/var/lib/gitolite(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
++/var/lib/gitolite(3)?(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff --git a/policy/modules/apps/gitosis.te b/policy/modules/apps/gitosis.te
index 4a2e63b..e964f12 100644
--- a/policy/modules/apps/gitosis.te
@@ -72177,10 +72189,22 @@ index fbb5c5a..67c1168 100644
+')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..fccaa73 100644
+index 2e9318b..25de928 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
-@@ -12,6 +12,13 @@ policy_module(mozilla, 2.3.3)
+@@ -7,11 +7,25 @@ policy_module(mozilla, 2.3.3)
+
+ ## <desc>
+ ## <p>
++## Allow mozilla plugin domain to connect to the network using TCP.
++## </p>
++## </desc>
++gen_tunable(mozilla_plugin_can_network_connect, false)
++
++## <desc>
++## <p>
+ ## Allow confined web browsers to read home directory content
+ ## </p>
## </desc>
gen_tunable(mozilla_read_content, false)
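Review bot: The new tunable's description `Allow mozilla plugin domain to connect to the network using TCP.` overstates what the boolean enables: the only rule visible under `mozilla_plugin_can_network_connect` in this patch is `corenet_tcp_connect_unreserved_ports(mozilla_plugin_t)` (in a later hunk of the same file), i.e. outbound TCP to ports above 1023, while the plugin domain's fixed list of unconditional `corenet_tcp_connect_*_port` rules applies regardless of the boolean. Since this text is what `semanage boolean -l` shows administrators, state the actual scope: `## Allow mozilla plugin domain to make outbound TCP connections to unreserved ports.` If more rules are later placed under the tunable, the description should be updated with them.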
@@ -72194,7 +72218,7 @@ index 2e9318b..fccaa73 100644
type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
-@@ -25,6 +32,7 @@ files_config_file(mozilla_conf_t)
+@@ -25,6 +39,7 @@ files_config_file(mozilla_conf_t)
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
@@ -72202,7 +72226,7 @@ index 2e9318b..fccaa73 100644
userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
-@@ -33,13 +41,22 @@ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+@@ -33,13 +48,22 @@ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
role system_r types mozilla_plugin_t;
type mozilla_plugin_tmp_t;
@@ -72225,7 +72249,7 @@ index 2e9318b..fccaa73 100644
type mozilla_tmp_t;
files_tmp_file(mozilla_tmp_t)
ubac_constrained(mozilla_tmp_t)
-@@ -111,12 +128,15 @@ corenet_raw_sendrecv_generic_node(mozilla_t)
+@@ -111,12 +135,15 @@ corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
corenet_tcp_sendrecv_squid_port(mozilla_t)
@@ -72241,7 +72265,7 @@ index 2e9318b..fccaa73 100644
corenet_tcp_connect_ipp_port(mozilla_t)
corenet_tcp_connect_generic_port(mozilla_t)
corenet_tcp_connect_soundd_port(mozilla_t)
-@@ -156,6 +176,10 @@ fs_rw_tmpfs_files(mozilla_t)
+@@ -156,6 +183,10 @@ fs_rw_tmpfs_files(mozilla_t)
term_dontaudit_getattr_pty_dirs(mozilla_t)
@@ -72252,7 +72276,7 @@ index 2e9318b..fccaa73 100644
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
-@@ -165,27 +189,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+@@ -165,27 +196,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
# Browse the web, connect to printer
sysnet_dns_name_resolve(mozilla_t)
@@ -72286,7 +72310,7 @@ index 2e9318b..fccaa73 100644
# Uploads, local html
tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
-@@ -262,6 +280,7 @@ optional_policy(`
+@@ -262,6 +287,7 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
gnome_manage_config(mozilla_t)
@@ -72294,7 +72318,7 @@ index 2e9318b..fccaa73 100644
')
optional_policy(`
-@@ -278,10 +297,6 @@ optional_policy(`
+@@ -278,10 +304,6 @@ optional_policy(`
')
optional_policy(`
@@ -72305,7 +72329,7 @@ index 2e9318b..fccaa73 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -296,25 +311,35 @@ optional_policy(`
+@@ -296,25 +318,35 @@ optional_policy(`
# mozilla_plugin local policy
#
@@ -72349,7 +72373,7 @@ index 2e9318b..fccaa73 100644
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -322,31 +347,48 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -322,31 +354,49 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -72383,6 +72407,7 @@ index 2e9318b..fccaa73 100644
+corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-corenet_tcp_connect_squid_port(mozilla_plugin_t)
++corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
+corenet_tcp_connect_jabber_client_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
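Review bot: `corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)` is added unconditionally in the same commit that introduces the `mozilla_plugin_can_network_connect` boolean for exactly this kind of extra outbound TCP access. The port set behind ipsecnat_port_t is not shown here, so I cannot tell whether the boolean's `corenet_tcp_connect_unreserved_ports` would already cover it; if it does, this line is redundant once the boolean is on, and if a particular plugin genuinely needs it by default, a one-line why-comment naming that plugin (as the file already does with `# for nvidia driver`) would make the grant auditable. Otherwise consider moving it under the tunable.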
@@ -72405,7 +72430,7 @@ index 2e9318b..fccaa73 100644
dev_read_video_dev(mozilla_plugin_t)
dev_write_video_dev(mozilla_plugin_t)
dev_read_sysfs(mozilla_plugin_t)
-@@ -355,6 +397,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -355,6 +405,7 @@ dev_write_sound(mozilla_plugin_t)
# for nvidia driver
dev_rw_xserver_misc(mozilla_plugin_t)
dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -72413,7 +72438,7 @@ index 2e9318b..fccaa73 100644
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,15 +405,21 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,15 +413,21 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
@@ -72435,7 +72460,7 @@ index 2e9318b..fccaa73 100644
logging_send_syslog_msg(mozilla_plugin_t)
miscfiles_read_localization(mozilla_plugin_t)
-@@ -383,35 +432,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,34 +440,30 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
@@ -72467,7 +72492,8 @@ index 2e9318b..fccaa73 100644
-tunable_policy(`allow_execstack',`
- allow mozilla_plugin_t self:process { execstack };
-')
--
++userdom_home_manager(mozilla_plugin_t)
+
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_t)
- fs_manage_nfs_files(mozilla_plugin_t)
@@ -72478,12 +72504,12 @@ index 2e9318b..fccaa73 100644
- fs_manage_cifs_dirs(mozilla_plugin_t)
- fs_manage_cifs_files(mozilla_plugin_t)
- fs_manage_cifs_symlinks(mozilla_plugin_t)
--')
-+userdom_home_manager(mozilla_plugin_t)
++tunable_policy(`mozilla_plugin_can_network_connect',`
++ corenet_tcp_connect_unreserved_ports(mozilla_plugin_t)
+ ')
optional_policy(`
- alsa_read_rw_config(mozilla_plugin_t)
-@@ -421,24 +462,33 @@ optional_policy(`
+@@ -421,24 +474,33 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(mozilla_plugin_t)
dbus_session_bus_client(mozilla_plugin_t)
@@ -72521,22 +72547,22 @@ index 2e9318b..fccaa73 100644
')
optional_policy(`
-@@ -446,10 +496,105 @@ optional_policy(`
+@@ -446,10 +508,105 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
+ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
- ')
-
- optional_policy(`
-+ pcscd_stream_connect(mozilla_plugin_t)
+')
+
+optional_policy(`
-+ rtkit_scheduled(mozilla_plugin_t)
++ pcscd_stream_connect(mozilla_plugin_t)
+')
+
+optional_policy(`
++ rtkit_scheduled(mozilla_plugin_t)
+ ')
+
+ optional_policy(`
+ udev_read_db(mozilla_plugin_t)
+')
+
@@ -81974,7 +82000,7 @@ index c19518a..57d0131 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..5bffba2 100644
+index ff006ea..1438c71 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -83475,7 +83501,7 @@ index ff006ea..5bffba2 100644
')
########################################
-@@ -6117,3 +7008,343 @@ interface(`files_unconfined',`
+@@ -6117,3 +7008,344 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -83780,6 +83806,7 @@ index ff006ea..5bffba2 100644
+ attribute non_security_file_type;
+ ')
+
++ allow $1 non_security_file_type:dir del_entry_dir_perms;
+ allow $1 non_security_file_type:file_class_set delete_file_perms;
+')
+
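Review bot: The added `allow $1 non_security_file_type:dir del_entry_dir_perms;` makes this interface grant removal of directory entries across every non-security file type on the system, not just under /tmp, and together with the existing `allow $1 non_security_file_type:file_class_set delete_file_perms;` that amounts to an unrestricted unlink capability for any caller. If the only intended caller is tmpreaper (the changelog's "cleanup all files in /tmp"), a narrower interface over the tmp types would be safer; at minimum the interface's `<summary>` should state that the grant is system-wide so it is not reused casually by other modules. The interface's header, summary and name begin outside this hunk, so I cannot see how it is currently described.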
@@ -90104,7 +90131,7 @@ index 0b827c5..ac79ca6 100644
+ dontaudit $1 abrt_t:sock_file write;
')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..fd6deb5 100644
+index 30861ec..74d1de5 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0)
@@ -90315,7 +90342,7 @@ index 30861ec..fd6deb5 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,12 +255,35 @@ optional_policy(`
+@@ -178,12 +255,39 @@ optional_policy(`
')
optional_policy(`
@@ -90328,6 +90355,10 @@ index 30861ec..fd6deb5 100644
sssd_stream_connect(abrt_t)
')
++optional_policy(`
++ xserver_read_log(abrt_t)
++')
++
+#######################################
+#
+# abrt-handle-event local policy
@@ -90352,7 +90383,7 @@ index 30861ec..fd6deb5 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +300,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +304,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -90381,7 +90412,7 @@ index 30861ec..fd6deb5 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +323,146 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +327,146 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -90399,7 +90430,7 @@ index 30861ec..fd6deb5 100644
+ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
- ')
++')
+
+#######################################
+#
@@ -90514,7 +90545,7 @@ index 30861ec..fd6deb5 100644
+
+optional_policy(`
+ unconfined_domain(abrt_watch_log_t)
-+')
+ ')
+
+#######################################
+#
@@ -91089,10 +91120,10 @@ index d96fdfa..c50d3a0 100644
/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
-index e31d92a..1aa0718 100644
+index e31d92a..e988f75 100644
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
-@@ -202,6 +202,7 @@ interface(`amavis_create_pid_files',`
+@@ -202,10 +202,49 @@ interface(`amavis_create_pid_files',`
type amavis_var_run_t;
')
@@ -91100,7 +91131,49 @@ index e31d92a..1aa0718 100644
allow $1 amavis_var_run_t:file create_file_perms;
files_search_pids($1)
')
-@@ -231,9 +232,13 @@ interface(`amavis_admin',`
+
++######################################
++## <summary>
++## Write of amavis pid files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`amavis_write_pid_files',`
++ gen_require(`
++ type amavis_var_run_t;
++ ')
++
++ allow $1 amavis_var_run_t:file write_file_perms;
++ files_search_pids($1)
++')
++
++#####################################
++## <summary>
++## Write of amavis pid files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`amavis_delete_pid_files',`
++ gen_require(`
++ type amavis_var_run_t;
++ ')
++
++ allow $1 amavis_var_run_t:file delete_file_perms;
++ files_search_pids($1)
++')
++
+ ########################################
+ ## <summary>
+ ## All of the rules required to administrate
+@@ -231,9 +270,13 @@ interface(`amavis_admin',`
type amavis_initrc_exec_t;
')
@@ -97975,7 +98048,7 @@ index 1f11572..99c5cca 100644
+
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..f931f27 100644
+index f758323..9fd9663 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,9 +1,23 @@
@@ -98052,7 +98125,7 @@ index f758323..f931f27 100644
corenet_sendrecv_clamd_server_packets(clamd_t)
dev_read_rand(clamd_t)
-@@ -127,13 +149,6 @@ logging_send_syslog_msg(clamd_t)
+@@ -127,28 +149,41 @@ logging_send_syslog_msg(clamd_t)
miscfiles_read_localization(clamd_t)
@@ -98066,16 +98139,19 @@ index f758323..f931f27 100644
optional_policy(`
amavis_read_lib_files(clamd_t)
amavis_read_spool_files(clamd_t)
-@@ -142,13 +157,31 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ cron_use_fds(clamd_t)
-+ cron_use_system_job_fds(clamd_t)
-+ cron_rw_pipes(clamd_t)
+ amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
+ amavis_create_pid_files(clamd_t)
++ amavis_write_pid_files(clamd_t)
++ amavis_delete_pid_files(clamd_t)
+')
+
+optional_policy(`
++ cron_use_fds(clamd_t)
++ cron_use_system_job_fds(clamd_t)
++ cron_rw_pipes(clamd_t)
+ ')
+
+ optional_policy(`
exim_read_spool_files(clamd_t)
')
@@ -98099,7 +98175,7 @@ index f758323..f931f27 100644
')
########################################
-@@ -178,10 +211,17 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +213,17 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -98119,7 +98195,7 @@ index f758323..f931f27 100644
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +229,8 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +231,8 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
@@ -98128,7 +98204,7 @@ index f758323..f931f27 100644
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -207,16 +249,22 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +251,22 @@ miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
@@ -98155,7 +98231,7 @@ index f758323..f931f27 100644
########################################
#
# clamscam local policy
-@@ -242,15 +290,35 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +292,35 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
@@ -98191,7 +98267,7 @@ index f758323..f931f27 100644
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +332,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +334,15 @@ miscfiles_read_public_files(clamscan_t)
clamav_stream_connect(clamscan_t)
@@ -114695,7 +114771,7 @@ index 67c7fdd..d7338be 100644
## <summary>
## Execute mailman CGI scripts in the
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
-index af4d572..0c0925e 100644
+index af4d572..e0f41bb 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -19,6 +19,9 @@ logging_log_file(mailman_log_t)
@@ -114708,7 +114784,17 @@ index af4d572..0c0925e 100644
mailman_domain_template(mail)
init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
-@@ -61,14 +64,24 @@ optional_policy(`
+@@ -54,6 +57,9 @@ optional_policy(`
+ apache_search_sys_script_state(mailman_cgi_t)
+ apache_read_config(mailman_cgi_t)
+ apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
++
++ postfix_read_config(mailman_cgi_t)
++
+ ')
+
+ ########################################
+@@ -61,14 +67,24 @@ optional_policy(`
# Mailman mail local policy
#
@@ -114735,7 +114821,7 @@ index af4d572..0c0925e 100644
files_search_spool(mailman_mail_t)
fs_rw_anon_inodefs_files(mailman_mail_t)
-@@ -81,11 +94,16 @@ optional_policy(`
+@@ -81,11 +97,16 @@ optional_policy(`
')
optional_policy(`
@@ -114752,7 +114838,7 @@ index af4d572..0c0925e 100644
')
########################################
-@@ -104,6 +122,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
+@@ -104,6 +125,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
kernel_read_proc_symlinks(mailman_queue_t)
@@ -114761,7 +114847,7 @@ index af4d572..0c0925e 100644
auth_domtrans_chk_passwd(mailman_queue_t)
files_dontaudit_search_pids(mailman_queue_t)
-@@ -125,4 +145,4 @@ optional_policy(`
+@@ -125,4 +148,4 @@ optional_policy(`
optional_policy(`
su_exec(mailman_queue_t)
@@ -115570,7 +115656,7 @@ index b681608..0934c95 100644
kernel_read_kernel_sysctls(memcached_t)
kernel_read_system_state(memcached_t)
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
-index 55a3e2f..4d53f7b 100644
+index 55a3e2f..93a06ee 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
@@ -1,12 +1,20 @@
@@ -115584,7 +115670,7 @@ index 55a3e2f..4d53f7b 100644
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
-+/var/lib/sqlgrey(/.*)? -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
++/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
@@ -115685,7 +115771,7 @@ index ed1af3c..ac7822b 100644
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
-index 47e3612..01ef5a5 100644
+index 47e3612..f3861c3 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -1,4 +1,4 @@
@@ -115775,6 +115861,15 @@ index 47e3612..01ef5a5 100644
########################################
#
# milter-regex local policy
+@@ -88,6 +136,8 @@ corecmd_exec_shell(spamass_milter_t)
+ corecmd_read_bin_symlinks(spamass_milter_t)
+ corecmd_search_bin(spamass_milter_t)
+
++auth_use_nsswitch(spamass_milter_t)
++
+ mta_send_mail(spamass_milter_t)
+
+ # The main job of the milter is to pipe spam through spamc and act on the result
diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc
new file mode 100644
index 0000000..8d0e473
@@ -130534,10 +130629,10 @@ index 0000000..6572600
+')
diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
new file mode 100644
-index 0000000..f82fdec
+index 0000000..581107c
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.te
-@@ -0,0 +1,71 @@
+@@ -0,0 +1,77 @@
+policy_module(rhsmcertd, 1.0.0)
+
+########################################
@@ -130603,12 +130698,18 @@ index 0000000..f82fdec
+
+auth_read_passwd(rhsmcertd_t)
+
++logging_send_syslog_msg(rhsmcertd_t)
++
+miscfiles_read_localization(rhsmcertd_t)
+miscfiles_read_certs(rhsmcertd_t)
+
+sysnet_dns_name_resolve(rhsmcertd_t)
+
+rpm_read_db(rhsmcertd_t)
++
++optional_policy(`
++ gnome_dontaudit_search_config(rhsmcertd_t)
++')
diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc
index 5b08327..ed5dc05 100644
--- a/policy/modules/services/ricci.fc
@@ -133129,10 +133230,10 @@ index 0000000..3eb745d
+')
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
new file mode 100644
-index 0000000..e218f7a
+index 0000000..f0032ac
--- /dev/null
+++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,117 @@
+policy_module(sanlock,1.0.0)
+
+########################################
@@ -133154,6 +133255,13 @@ index 0000000..e218f7a
+## </desc>
+gen_tunable(sanlock_use_samba, false)
+
++## <desc>
++## <p>
++## Allow sanlock to read/write fuse files
++## </p>
++## </desc>
++gen_tunable(sanlock_use_fusefs, false)
++
+type sanlock_t;
+type sanlock_exec_t;
+init_daemon_domain(sanlock_t, sanlock_exec_t)
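Review bot: The `sanlock_use_fusefs` description `Allow sanlock to read/write fuse files` understates what the tunable grants: the rules placed under it later in this file are `fs_manage_fusefs_dirs`, `fs_manage_fusefs_files` and `fs_read_fusefs_symlinks`, i.e. create, rename and unlink as well as read and write. Say so in the text administrators see: `## Allow sanlock to manage (create, read, write, delete) files and directories on FUSE filesystems.` The sibling `sanlock_use_nfs` and `sanlock_use_samba` descriptions, whose text begins outside this hunk, deserve the same check against their rules.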
@@ -133213,6 +133321,13 @@ index 0000000..e218f7a
+
+miscfiles_read_localization(sanlock_t)
+
++tunable_policy(`sanlock_use_fusefs',`
++ fs_manage_fusefs_dirs(sanlock_t)
++ fs_manage_fusefs_files(sanlock_t)
++ fs_read_fusefs_symlinks(sanlock_t)
++ fs_getattr_fusefs(sanlock_t)
++')
++
+tunable_policy(`sanlock_use_nfs',`
+ fs_manage_nfs_dirs(sanlock_t)
+ fs_manage_nfs_files(sanlock_t)
@@ -136961,6 +137076,286 @@ index 8ffa257..a2980c0 100644
+
+
+
+diff --git a/policy/modules/services/stapserver.fc b/policy/modules/services/stapserver.fc
+new file mode 100644
+index 0000000..0ccce59
+--- /dev/null
++++ b/policy/modules/services/stapserver.fc
+@@ -0,0 +1,7 @@
++/usr/bin/stap-server -- gen_context(system_u:object_r:stapserver_exec_t,s0)
++
++/var/lib/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_lib_t,s0)
++
++/var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0)
++
++/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0)
+diff --git a/policy/modules/services/stapserver.if b/policy/modules/services/stapserver.if
+new file mode 100644
+index 0000000..89b20d3
+--- /dev/null
++++ b/policy/modules/services/stapserver.if
+@@ -0,0 +1,156 @@
++
++## <summary> Instrumentation System Server </summary>
++
++########################################
++## <summary>
++## Execute stapserver in the stapserver domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`stapserver_domtrans',`
++ gen_require(`
++ type stapserver_t, stapserver_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, stapserver_exec_t, stapserver_t)
++')
++########################################
++## <summary>
++## Read stapserver's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`stapserver_read_log',`
++ gen_require(`
++ type stapserver_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, stapserver_log_t, stapserver_log_t)
++')
++
++########################################
++## <summary>
++## Append to stapserver log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`stapserver_append_log',`
++ gen_require(`
++ type stapserver_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, stapserver_log_t, stapserver_log_t)
++')
++
++########################################
++## <summary>
++## Manage stapserver log files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`stapserver_manage_log',`
++ gen_require(`
++ type stapserver_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, stapserver_log_t, stapserver_log_t)
++ manage_files_pattern($1, stapserver_log_t, stapserver_log_t)
++ manage_lnk_files_pattern($1, stapserver_log_t, stapserver_log_t)
++')
++########################################
++## <summary>
++## Read stapserver PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`stapserver_read_pid_files',`
++ gen_require(`
++ type stapserver_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 stapserver_var_run_t:file read_file_perms;
++')
++
++#######################################
++## <summary>
++## Manage stapserver lib files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`stapserver_manage_lib',`
++ gen_require(`
++ type stapserver_var_lib_t;
++ ')
++
++ manage_dirs_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
++ manage_files_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an stapserver environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`stapserver_admin',`
++ gen_require(`
++ type stapserver_t;
++ type stapserver_log_t;
++ type stapserver_var_run_t;
++ ')
++
++ allow $1 stapserver_t:process { ptrace signal_perms };
++ ps_process_pattern($1, stapserver_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, stapserver_log_t)
++
++ files_search_pids($1)
++ admin_pattern($1, stapserver_var_run_t)
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/policy/modules/services/stapserver.te b/policy/modules/services/stapserver.te
+new file mode 100644
+index 0000000..fa12095
+--- /dev/null
++++ b/policy/modules/services/stapserver.te
+@@ -0,0 +1,99 @@
++policy_module(stapserver, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type stapserver_t;
++type stapserver_exec_t;
++init_daemon_domain(stapserver_t, stapserver_exec_t)
++
++type stapserver_var_lib_t;
++files_type(stapserver_var_lib_t)
++
++type stapserver_log_t;
++logging_log_file(stapserver_log_t)
++
++type stapserver_var_run_t;
++files_pid_file(stapserver_var_run_t)
++
++########################################
++#
++# stapserver local policy
++#
++
++#runuser
++allow stapserver_t self:capability { setuid setgid };
++allow stapserver_t self:process setsched;
++
++allow stapserver_t self:capability { dac_override kill };
++allow stapserver_t self:process { setrlimit signal };
++
++allow stapserver_t self:fifo_file rw_fifo_file_perms;
++allow stapserver_t self:key write;
++allow stapserver_t self:unix_stream_socket create_stream_socket_perms;
++allow stapserver_t self:tcp_socket { accept listen };
++
++manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
++manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
++files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
++
++manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
++manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
++logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
++
++manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
++manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
++files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
++
++kernel_read_system_state(stapserver_t)
++kernel_read_kernel_sysctls(stapserver_t)
++
++corecmd_exec_bin(stapserver_t)
++corecmd_exec_shell(stapserver_t)
++
++domain_read_all_domains_state(stapserver_t)
++domain_use_interactive_fds(stapserver_t)
++
++dev_read_sysfs(stapserver_t)
++dev_read_rand(stapserver_t)
++dev_read_urand(stapserver_t)
++
++files_list_tmp(stapserver_t)
++files_read_usr_files(stapserver_t)
++files_search_kernel_modules(stapserver_t)
++
++auth_use_nsswitch(stapserver_t)
++
++init_read_utmp(stapserver_t)
++
++logging_send_audit_msgs(stapserver_t)
++logging_send_syslog_msg(stapserver_t)
++
++miscfiles_read_localization(stapserver_t)
++#lspci
++miscfiles_read_hwdata(stapserver_t)
++
++userdom_use_user_terminals(stapserver_t)
++
++optional_policy(`
++ consoletype_exec(stapserver_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(stapserver_t)
++')
++
++optional_policy(`
++ hostname_exec(stapserver_t)
++')
++
++optional_policy(`
++ plymouthd_exec_plymouth(stapserver_t)
++')
++
++optional_policy(`
++ rpm_exec(stapserver_t)
++')
++
diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if
index 6073656..eaf49b2 100644
--- a/policy/modules/services/stunnel.if
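Review bot: In the new stapserver.te the only TCP rule is `allow stapserver_t self:tcp_socket { accept listen };` with no `create_socket_perms`, no `corenet_tcp_bind_*` or port rule and no `corenet_tcp_sendrecv_generic_if/node`, so either the listening socket is inherited from init (then a comment saying so belongs on that line) or the daemon's network path was never exercised under this policy and will be denied at socket creation or bind. The domain is also fairly privileged for an init daemon — `{ setuid setgid dac_override kill }`, `domain_read_all_domains_state`, `corecmd_exec_shell` and `rpm_exec` — and only the setuid/setgid pair has a why-comment (`#runuser`); each of the others should get one, e.g. `# dac_override: TODO name the root-owned path stap-server must read`, so the grants can be re-examined later. In stapserver.if, `stapserver_admin` handles the log and pid types but not `stapserver_var_lib_t`, even though a `stapserver_manage_lib` interface is declared; adding `admin_pattern($1, stapserver_var_lib_t)` keeps the admin interface complete. The `stapserver_domtrans` and `stapserver_manage_log` interfaces also lack the blank line before the next `####` header, a cosmetic point.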
@@ -140340,7 +140735,7 @@ index 7c5d8d8..aafa852 100644
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..c747758 100644
+index 3eca020..13cb72a 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -1,60 +1,91 @@
@@ -140953,7 +141348,7 @@ index 3eca020..c747758 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,25 +666,438 @@ files_search_all(virt_domain)
+@@ -440,25 +666,441 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -141017,8 +141412,11 @@ index 3eca020..c747758 100644
+manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+
++can_exec(virsh_t, virsh_exec_t)
++
+allow virsh_t virt_etc_t:file read_file_perms;
+virt_stream_connect(virsh_t)
++virt_getattr_exec(virsh_t)
+
+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
+
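Review bot: The two new grants `can_exec(virsh_t, virsh_exec_t)` and `virt_getattr_exec(virsh_t)` carry no comment, so the only record of why virsh needs to execute its own binary without a transition is the 3.10.0-149 changelog entry. A short why-comment above them, e.g. `# virsh execs its own binary (virsh_exec_t) without a domain change and stats the virtd binary; see 3.10.0-149 changelog`, would keep that reason next to the rule. The virsh_t block this sits in starts and ends outside the hunk.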
@@ -141853,7 +142251,7 @@ index 4966c94..c231dab 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..3024c40 100644
+index 130ced9..dd8a707 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -142422,16 +142820,35 @@ index 130ced9..3024c40 100644
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -897,7 +1105,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1105,26 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
- allow $1 xserver_log_t:file getattr;
+ allow $1 xserver_log_t:file getattr_file_perms;
++')
++
++#######################################
++## <summary>
++## Allow domain to read X server logs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xserver_read_log',`
++ gen_require(`
++ type xserver_log_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 xserver_log_t:file read_file_perms;
')
########################################
-@@ -916,7 +1124,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1143,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
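Review bot: The new `xserver_read_log` interface's summary, `Allow domain to read X server logs.`, does not say that the grant is `read_file_perms` on `xserver_log_t:file` only, nor that the log directory is merely searched via `logging_search_logs($1)` rather than listed, which is what distinguishes it from the `xserver_getattr_log` sibling above it. Suggest `## Allow the specified domain to read X server log files (read_file_perms on xserver_log_t:file); the log directory is searched, not listed.` The consumer is presumably the ABRT change named in the changelog, but that hunk is not in this chunk.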
@@ -142440,7 +142857,7 @@ index 130ced9..3024c40 100644
')
########################################
-@@ -963,6 +1171,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1190,45 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
@@ -142486,7 +142903,7 @@ index 130ced9..3024c40 100644
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -976,7 +1223,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1242,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -142495,7 +142912,7 @@ index 130ced9..3024c40 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1285,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1304,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
## <summary>
@@ -142538,7 +142955,7 @@ index 130ced9..3024c40 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary>
-@@ -1052,7 +1335,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1354,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -142547,7 +142964,7 @@ index 130ced9..3024c40 100644
')
########################################
-@@ -1070,8 +1353,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1372,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -142559,7 +142976,7 @@ index 130ced9..3024c40 100644
')
########################################
-@@ -1185,6 +1470,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1489,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -142586,7 +143003,7 @@ index 130ced9..3024c40 100644
')
########################################
-@@ -1210,7 +1515,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1534,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -142595,7 +143012,7 @@ index 130ced9..3024c40 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1220,13 +1525,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1544,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -142620,7 +143037,7 @@ index 130ced9..3024c40 100644
')
########################################
-@@ -1243,10 +1558,533 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1577,533 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -143157,7 +143574,7 @@ index 130ced9..3024c40 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..cec8e1b 100644
+index 143c893..2bf3618 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -143394,7 +143811,7 @@ index 143c893..cec8e1b 100644
')
########################################
-@@ -252,45 +315,78 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -252,45 +315,81 @@ tunable_policy(`use_samba_home_dirs',`
# Xauth local policy
#
@@ -143428,6 +143845,9 @@ index 143c893..cec8e1b 100644
+kernel_read_system_state(xauth_t)
kernel_request_load_module(xauth_t)
++dev_read_rand(xauth_t)
++dev_read_urand(xauth_t)
++
domain_use_interactive_fds(xauth_t)
+domain_dontaudit_leaks(xauth_t)
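Review bot: The hunk adds both `dev_read_rand(xauth_t)` and `dev_read_urand(xauth_t)`, while the changelog item only reports that xauth needs /dev/urandom; `dev_read_rand` is therefore broader than the stated need. If no AVC for /dev/random was observed, keep only `dev_read_urand(xauth_t)`; otherwise add a comment such as `# xauth reads /dev/urandom (presumably for cookie generation); /dev/random access was also observed` so the extra grant is traceable. The xauth_t block continues outside the hunk.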
@@ -143483,7 +143903,7 @@ index 143c893..cec8e1b 100644
')
optional_policy(`
-@@ -304,64 +400,103 @@ optional_policy(`
+@@ -304,64 +403,103 @@ optional_policy(`
# XDM Local policy
#
@@ -143597,7 +144017,7 @@ index 143c893..cec8e1b 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -370,18 +505,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -370,18 +508,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -143625,7 +144045,7 @@ index 143c893..cec8e1b 100644
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
-@@ -393,38 +536,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -393,38 +539,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -143678,7 +144098,7 @@ index 143c893..cec8e1b 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -435,9 +588,25 @@ files_list_mnt(xdm_t)
+@@ -435,9 +591,25 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -143704,7 +144124,7 @@ index 143c893..cec8e1b 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +615,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +618,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -143746,7 +144166,7 @@ index 143c893..cec8e1b 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -476,24 +655,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,24 +658,43 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -143796,7 +144216,7 @@ index 143c893..cec8e1b 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -507,11 +705,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +708,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -143818,7 +144238,7 @@ index 143c893..cec8e1b 100644
')
optional_policy(`
-@@ -519,12 +727,64 @@ optional_policy(`
+@@ -519,12 +730,64 @@ optional_policy(`
')
optional_policy(`
@@ -143883,7 +144303,7 @@ index 143c893..cec8e1b 100644
hostname_exec(xdm_t)
')
-@@ -542,28 +802,69 @@ optional_policy(`
+@@ -542,28 +805,69 @@ optional_policy(`
')
optional_policy(`
@@ -143962,7 +144382,7 @@ index 143c893..cec8e1b 100644
')
optional_policy(`
-@@ -575,6 +876,14 @@ optional_policy(`
+@@ -575,6 +879,14 @@ optional_policy(`
')
optional_policy(`
@@ -143977,7 +144397,7 @@ index 143c893..cec8e1b 100644
xfs_stream_connect(xdm_t)
')
-@@ -599,7 +908,8 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -599,7 +911,8 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -143987,7 +144407,7 @@ index 143c893..cec8e1b 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -613,8 +923,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +926,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -144003,7 +144423,7 @@ index 143c893..cec8e1b 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +950,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +953,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -144025,7 +144445,7 @@ index 143c893..cec8e1b 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +970,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +973,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -144033,7 +144453,7 @@ index 143c893..cec8e1b 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -672,21 +997,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,21 +1000,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -144064,7 +144484,7 @@ index 143c893..cec8e1b 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -697,8 +1029,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1032,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -144078,7 +144498,7 @@ index 143c893..cec8e1b 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1048,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1051,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -144087,7 +144507,7 @@ index 143c893..cec8e1b 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1055,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1058,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -144102,7 +144522,7 @@ index 143c893..cec8e1b 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1114,40 @@ optional_policy(`
+@@ -778,16 +1117,40 @@ optional_policy(`
')
optional_policy(`
@@ -144144,7 +144564,7 @@ index 143c893..cec8e1b 100644
unconfined_domtrans(xserver_t)
')
-@@ -796,6 +1156,10 @@ optional_policy(`
+@@ -796,6 +1159,10 @@ optional_policy(`
')
optional_policy(`
@@ -144155,7 +144575,7 @@ index 143c893..cec8e1b 100644
xfs_stream_connect(xserver_t)
')
-@@ -811,10 +1175,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1178,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -144169,7 +144589,7 @@ index 143c893..cec8e1b 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1186,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1189,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -144178,7 +144598,7 @@ index 143c893..cec8e1b 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -835,26 +1199,21 @@ init_use_fds(xserver_t)
+@@ -835,26 +1202,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -144213,7 +144633,7 @@ index 143c893..cec8e1b 100644
')
optional_policy(`
-@@ -862,6 +1221,10 @@ optional_policy(`
+@@ -862,6 +1224,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -144224,7 +144644,7 @@ index 143c893..cec8e1b 100644
########################################
#
# Rules common to all X window domains
-@@ -905,7 +1268,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1271,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -144233,7 +144653,7 @@ index 143c893..cec8e1b 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -959,11 +1322,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1325,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -144265,7 +144685,7 @@ index 143c893..cec8e1b 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -985,18 +1368,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1371,44 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -144607,7 +145027,7 @@ index 21ae664..cb3a098 100644
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
+')
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
-index 9fb4747..bd73b2a 100644
+index 9fb4747..b88c305 100644
--- a/policy/modules/services/zarafa.te
+++ b/policy/modules/services/zarafa.te
@@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
@@ -144621,7 +145041,16 @@ index 9fb4747..bd73b2a 100644
zarafa_domain_template(monitor)
zarafa_domain_template(server)
-@@ -57,6 +61,21 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+@@ -46,7 +50,7 @@ files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
+ # zarafa_gateway local policy
+ #
+
+-allow zarafa_gateway_t self:capability { chown kill };
++allow zarafa_gateway_t self:capability { kill };
+ allow zarafa_gateway_t self:process setrlimit;
+
+ corenet_all_recvfrom_unlabeled(zarafa_gateway_t)
+@@ -57,12 +61,25 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
corenet_tcp_bind_generic_node(zarafa_gateway_t)
corenet_tcp_bind_pop_port(zarafa_gateway_t)
@@ -144630,7 +145059,6 @@ index 9fb4747..bd73b2a 100644
+# zarafa-indexer local policy
+#
+
-+allow zarafa_indexer_t self:capability chown;
+
+manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
+manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
@@ -144643,7 +145071,29 @@ index 9fb4747..bd73b2a 100644
#######################################
#
# zarafa-ical local policy
-@@ -93,7 +112,8 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
+ #
+
+-allow zarafa_ical_t self:capability chown;
+
+ corenet_all_recvfrom_unlabeled(zarafa_ical_t)
+ corenet_all_recvfrom_netlabel(zarafa_ical_t)
+@@ -77,14 +94,13 @@ corenet_tcp_bind_http_cache_port(zarafa_ical_t)
+ # zarafa-monitor local policy
+ #
+
+-allow zarafa_monitor_t self:capability chown;
+
+ ########################################
+ #
+ # zarafa_server local policy
+ #
+
+-allow zarafa_server_t self:capability { chown kill net_bind_service };
++allow zarafa_server_t self:capability { kill net_bind_service };
+ allow zarafa_server_t self:process setrlimit;
+
+ manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
+@@ -93,7 +109,8 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
@@ -144653,7 +145103,7 @@ index 9fb4747..bd73b2a 100644
stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
-@@ -107,7 +127,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
+@@ -107,7 +124,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
files_read_usr_files(zarafa_server_t)
@@ -144661,14 +145111,23 @@ index 9fb4747..bd73b2a 100644
logging_send_audit_msgs(zarafa_server_t)
sysnet_dns_name_resolve(zarafa_server_t)
-@@ -138,6 +157,32 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t)
+@@ -125,7 +141,7 @@ optional_policy(`
+ # zarafa_spooler local policy
+ #
+
+-allow zarafa_spooler_t self:capability { chown kill };
++allow zarafa_spooler_t self:capability { kill };
+
+ can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
+
+@@ -138,11 +154,35 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t)
########################################
#
+# zarafa_gateway local policy
+#
+
-+allow zarafa_gateway_t self:capability { chown kill };
++allow zarafa_gateway_t self:capability { kill };
+allow zarafa_gateway_t self:process setrlimit;
+
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
@@ -144678,7 +145137,6 @@ index 9fb4747..bd73b2a 100644
+# zarafa-ical local policy
+#
+
-+allow zarafa_ical_t self:capability chown;
+
+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
+
@@ -144687,14 +145145,19 @@ index 9fb4747..bd73b2a 100644
+# zarafa-monitor local policy
+#
+
-+allow zarafa_monitor_t self:capability chown;
+
+########################################
+#
# zarafa domains local policy
#
-@@ -152,10 +197,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
+ # bad permission on /etc/zarafa
+-allow zarafa_domain self:capability { dac_override setgid setuid };
++allow zarafa_domain self:capability { dac_override chown setgid setuid };
+ allow zarafa_domain self:process signal;
+ allow zarafa_domain self:fifo_file rw_fifo_file_perms;
+ allow zarafa_domain self:tcp_socket create_stream_socket_perms;
+@@ -152,10 +192,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
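Review bot: Moving `chown` onto the attribute at `+allow zarafa_domain self:capability { dac_override chown setgid setuid };` grants CAP_CHOWN to every domain built from zarafa_domain_template, not only the gateway, indexer, ical, monitor, server and spooler domains whose per-domain `chown` lines the hunks at L1376-L1399, L1400-L1434, L1435-L1458 and L1459-L1466 remove; any other template-derived domain (zarafa_deliver_t appears in the context) picks it up without a changelog entry. The existing `# bad permission on /etc/zarafa` comment explains dac_override, so the new capability should get its own reason, e.g. `# all zarafa daemons chown their own files (presumably var_lib/log content); granted attribute-wide`. If only the named daemons need it, a per-domain rule remains the tighter choice.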
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 31a9230..da2b817 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 148%{?dist}
+Release: 149%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,26 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Sep 17 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-149
+- Add sanlock_use_fusefs boolean
+- Add stapserver policy from F18
+- Allow rhnsd to send syslog msgs
+- ABRT wants to read Xorg.0.log if if it detects problem with Xorg
+- ALlow chrome_sandbox to leak unix_dram_socket into chrome_sandbox_nacl_t
+- Allow postalias to read postfix config files
+- Allow tmpreaper to cleanup all files in /tmp
+- Allow chown capability for zarafa domains
+- Allow xauth to read /dev/urandom
+- Allow tmpreaper to list admin_home dir
+- Allow clamd to write/delete own pid file with clamd_var_run_t label
+- Add support for gitolite3
+- Allow virsh_t to getattr on virtd_exec_t
+- Allow virsh can_exec on virsh_exec_t
+- Look up group name by spamass-milter-postfix
+- Add mozilla_plugin_can_network_connect boolean
+- Fix /var/lib/sqlgrey labeling
+- Add support for a new path for passenger
+
* Tue Aug 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-148
- Allow virsh to stream connect to virtd
- Add support for $HOME/.cache/libvirt