[selinux-policy] * Fri Jan 11 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-3 - Allow gnomeclock to talk to puppet o
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jan 11 18:32:19 UTC 2013
commit a7dce2ac5cb4e351ed3701b73682f2e8fc64bab5
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Jan 11 19:30:57 2013 +0100
* Fri Jan 11 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-3
- Allow gnomeclock to talk to puppet over dbus
- Allow numad access discovered by Dominic
- Add support for HOME_DIR/.maildir
- Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this d
- Allow udev to relabel udev_var_run_t lnk_files
- New bin_t file in mcelog
policy-rawhide-base.patch | 65 +++---
policy-rawhide-contrib.patch | 497 +++++++++++++++++++++++-------------------
selinux-policy.spec | 10 +-
3 files changed, 314 insertions(+), 258 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 4a2ac6f..b33c901 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -112432,7 +112432,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..0c58f76 100644
+index 644d4d7..f079522 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -112455,7 +112455,7 @@ index 644d4d7..0c58f76 100644
/etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -69,6 +71,13 @@ ifdef(`distro_redhat',`
+@@ -69,16 +71,25 @@ ifdef(`distro_redhat',`
/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -112469,7 +112469,11 @@ index 644d4d7..0c58f76 100644
/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
-@@ -79,6 +88,7 @@ ifdef(`distro_redhat',`
+ /etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0)
++/etc/mcelog/.*\.setup -- gen_context(system_u:object_r:bin_t,s0)
+
+ ifdef(`distro_redhat',`
+ /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
')
/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
@@ -112477,7 +112481,7 @@ index 644d4d7..0c58f76 100644
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -101,8 +111,6 @@ ifdef(`distro_redhat',`
+@@ -101,8 +112,6 @@ ifdef(`distro_redhat',`
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
@@ -112486,7 +112490,7 @@ index 644d4d7..0c58f76 100644
/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
-@@ -134,10 +142,11 @@ ifdef(`distro_debian',`
+@@ -134,10 +143,11 @@ ifdef(`distro_debian',`
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -112499,7 +112503,7 @@ index 644d4d7..0c58f76 100644
ifdef(`distro_gentoo',`
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
-@@ -151,7 +160,7 @@ ifdef(`distro_gentoo',`
+@@ -151,7 +161,7 @@ ifdef(`distro_gentoo',`
#
# /sbin
#
@@ -112508,7 +112512,7 @@ index 644d4d7..0c58f76 100644
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-@@ -167,6 +176,7 @@ ifdef(`distro_gentoo',`
+@@ -167,6 +177,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -112516,7 +112520,7 @@ index 644d4d7..0c58f76 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -178,33 +188,49 @@ ifdef(`distro_gentoo',`
+@@ -178,33 +189,49 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -112575,7 +112579,7 @@ index 644d4d7..0c58f76 100644
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -215,18 +241,28 @@ ifdef(`distro_gentoo',`
+@@ -215,18 +242,28 @@ ifdef(`distro_gentoo',`
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -112611,7 +112615,7 @@ index 644d4d7..0c58f76 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -241,10 +277,15 @@ ifdef(`distro_gentoo',`
+@@ -241,10 +278,15 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -112627,7 +112631,7 @@ index 644d4d7..0c58f76 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -257,10 +298,17 @@ ifdef(`distro_gentoo',`
+@@ -257,10 +299,17 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -112648,7 +112652,7 @@ index 644d4d7..0c58f76 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -276,10 +324,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +325,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -112664,7 +112668,7 @@ index 644d4d7..0c58f76 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +347,21 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +348,21 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -112688,7 +112692,7 @@ index 644d4d7..0c58f76 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -321,8 +379,12 @@ ifdef(`distro_redhat', `
+@@ -321,8 +380,12 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -112701,7 +112705,7 @@ index 644d4d7..0c58f76 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -332,9 +394,11 @@ ifdef(`distro_redhat', `
+@@ -332,9 +395,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -112713,7 +112717,7 @@ index 644d4d7..0c58f76 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +447,15 @@ ifdef(`distro_suse', `
+@@ -383,11 +448,15 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -112730,7 +112734,7 @@ index 644d4d7..0c58f76 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +465,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +466,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -142913,7 +142917,7 @@ index 0f64692..d7e8a01 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a5ec88b..6e4726f 100644
+index a5ec88b..99fd5da 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -142954,7 +142958,7 @@ index a5ec88b..6e4726f 100644
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -63,31 +64,35 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -63,31 +64,36 @@ can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
@@ -142974,6 +142978,7 @@ index a5ec88b..6e4726f 100644
-files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
+files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
+allow udev_t udev_var_run_t:file mounton;
++allow udev_t udev_var_run_t:lnk_file relabel_lnk_file_perms;
+dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
+kernel_load_module(udev_t)
@@ -142997,7 +143002,7 @@ index a5ec88b..6e4726f 100644
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
-@@ -98,6 +103,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -98,6 +104,7 @@ corecmd_exec_all_executables(udev_t)
dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
@@ -143005,7 +143010,7 @@ index a5ec88b..6e4726f 100644
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
-@@ -106,23 +112,31 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -106,23 +113,31 @@ dev_relabel_all_dev_nodes(udev_t)
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
dev_manage_generic_symlinks(udev_t)
@@ -143041,7 +143046,7 @@ index a5ec88b..6e4726f 100644
mls_file_read_all_levels(udev_t)
mls_file_write_all_levels(udev_t)
-@@ -144,17 +158,20 @@ auth_use_nsswitch(udev_t)
+@@ -144,17 +159,20 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -143063,7 +143068,7 @@ index a5ec88b..6e4726f 100644
seutil_read_config(udev_t)
seutil_read_default_contexts(udev_t)
-@@ -170,6 +187,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -170,6 +188,8 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
@@ -143072,7 +143077,7 @@ index a5ec88b..6e4726f 100644
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_gentoo',`
-@@ -179,16 +198,9 @@ ifdef(`distro_gentoo',`
+@@ -179,16 +199,9 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -143091,7 +143096,7 @@ index a5ec88b..6e4726f 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
-@@ -217,6 +229,10 @@ optional_policy(`
+@@ -217,6 +230,10 @@ optional_policy(`
')
optional_policy(`
@@ -143102,7 +143107,7 @@ index a5ec88b..6e4726f 100644
consoletype_exec(udev_t)
')
-@@ -226,6 +242,7 @@ optional_policy(`
+@@ -226,6 +243,7 @@ optional_policy(`
optional_policy(`
cups_domtrans_config(udev_t)
@@ -143110,7 +143115,7 @@ index a5ec88b..6e4726f 100644
')
optional_policy(`
-@@ -235,10 +252,20 @@ optional_policy(`
+@@ -235,10 +253,20 @@ optional_policy(`
optional_policy(`
devicekit_read_pid_files(udev_t)
devicekit_dgram_send(udev_t)
@@ -143131,7 +143136,7 @@ index a5ec88b..6e4726f 100644
')
optional_policy(`
-@@ -264,6 +291,10 @@ optional_policy(`
+@@ -264,6 +292,10 @@ optional_policy(`
')
optional_policy(`
@@ -143142,7 +143147,7 @@ index a5ec88b..6e4726f 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -278,6 +309,15 @@ optional_policy(`
+@@ -278,6 +310,15 @@ optional_policy(`
')
optional_policy(`
@@ -143158,7 +143163,7 @@ index a5ec88b..6e4726f 100644
unconfined_signal(udev_t)
')
-@@ -290,6 +330,7 @@ optional_policy(`
+@@ -290,6 +331,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 65fe9be..ea72e38 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -7164,10 +7164,10 @@ index 536ec3c..271b976 100644
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
-index 2b9a3a1..005bb7e 100644
+index 2b9a3a1..1cb1b4f 100644
--- a/bind.fc
+++ b/bind.fc
-@@ -1,54 +1,69 @@
+@@ -1,54 +1,70 @@
-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
@@ -7202,6 +7202,7 @@ index 2b9a3a1..005bb7e 100644
+/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0)
-/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
@@ -11852,15 +11853,24 @@ index 3f2b672..a7aaf98 100644
+ unconfined_domain(condor_startd_t)
+')
diff --git a/consolekit.fc b/consolekit.fc
-index 23c9558..29e5fd3 100644
+index 23c9558..ee585a7 100644
--- a/consolekit.fc
+++ b/consolekit.fc
-@@ -1,3 +1,5 @@
-+/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
-+
- /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+@@ -1,7 +1,9 @@
+-/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
++#/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
- /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
+-/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
++#/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+
+-/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
+-/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+-/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
++#/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
++
++#/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
++#/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
++#/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
diff --git a/consolekit.if b/consolekit.if
index 5b830ec..0647a3b 100644
--- a/consolekit.if
@@ -32985,10 +32995,10 @@ index 327f3f7..65bfa15 100644
+ ')
')
diff --git a/mandb.te b/mandb.te
-index 5a414e0..4e159c2 100644
+index 5a414e0..708f675 100644
--- a/mandb.te
+++ b/mandb.te
-@@ -10,9 +10,12 @@ roleattribute system_r mandb_roles;
+@@ -10,25 +10,34 @@ roleattribute system_r mandb_roles;
type mandb_t;
type mandb_exec_t;
@@ -33002,7 +33012,10 @@ index 5a414e0..4e159c2 100644
########################################
#
# Local policy
-@@ -22,14 +25,17 @@ allow mandb_t self:process signal;
+ #
+
+-allow mandb_t self:process signal;
++allow mandb_t self:process { setsched signal };
allow mandb_t self:fifo_file rw_fifo_file_perms;
allow mandb_t self:unix_stream_socket create_stream_socket_perms;
@@ -33010,6 +33023,7 @@ index 5a414e0..4e159c2 100644
+manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })
++can_exec(mandb_t, mandb_exec_t)
+
kernel_read_system_state(mandb_t)
@@ -33018,10 +33032,10 @@ index 5a414e0..4e159c2 100644
domain_use_interactive_fds(mandb_t)
-files_read_etc_files(mandb_t)
--
++files_search_locks(mandb_t)
+
miscfiles_manage_man_cache(mandb_t)
- optional_policy(`
diff --git a/mcelog.if b/mcelog.if
index 9dbe694..f89651e 100644
--- a/mcelog.if
@@ -35349,7 +35363,7 @@ index 6194b80..110cdc6 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..a85da32 100644
+index 6a306ee..03196be 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -35413,13 +35427,12 @@ index 6a306ee..a85da32 100644
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
-userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
--role mozilla_plugin_roles types mozilla_plugin_t;
--
--type mozilla_plugin_home_t;
--userdom_user_home_content(mozilla_plugin_home_t)
+application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
-+role mozilla_roles types mozilla_plugin_t;
+ role mozilla_plugin_roles types mozilla_plugin_t;
+-type mozilla_plugin_home_t;
+-userdom_user_home_content(mozilla_plugin_home_t)
+-
type mozilla_plugin_tmp_t;
+userdom_user_tmp_content(mozilla_plugin_tmp_t)
userdom_user_tmp_file(mozilla_plugin_tmp_t)
@@ -36516,21 +36529,23 @@ index c97c177..9e68dfb 100644
netutils_domtrans_ping(mrtg_t)
diff --git a/mta.fc b/mta.fc
-index f42896c..2f102b2 100644
+index f42896c..8654c3c 100644
--- a/mta.fc
+++ b/mta.fc
-@@ -2,33 +2,40 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
+@@ -2,33 +2,42 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
-HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
++HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
++/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++
+/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
-/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
@@ -36540,14 +36555,14 @@ index f42896c..2f102b2 100644
+ifdef(`distro_redhat',`
+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+')
-
--/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++
+/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-+
+
+-/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -36573,7 +36588,7 @@ index f42896c..2f102b2 100644
-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
-index ed81cac..0005ac0 100644
+index ed81cac..7d1522c 100644
--- a/mta.if
+++ b/mta.if
@@ -1,4 +1,4 @@
@@ -37508,7 +37523,7 @@ index ed81cac..0005ac0 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1081,3 +1046,173 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1081,3 +1046,175 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -37633,6 +37648,7 @@ index ed81cac..0005ac0 100644
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+')
+
@@ -37656,6 +37672,7 @@ index ed81cac..0005ac0 100644
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+')
+
@@ -44341,7 +44358,7 @@ index 0d3c270..709dda1 100644
+ ')
')
diff --git a/numad.te b/numad.te
-index f5d145d..9510740 100644
+index f5d145d..a4fed11 100644
--- a/numad.te
+++ b/numad.te
@@ -1,4 +1,4 @@
@@ -44350,7 +44367,7 @@ index f5d145d..9510740 100644
########################################
#
-@@ -8,37 +8,38 @@ policy_module(numad, 1.0.3)
+@@ -8,29 +8,29 @@ policy_module(numad, 1.0.3)
type numad_t;
type numad_exec_t;
init_daemon_domain(numad_t, numad_exec_t)
@@ -44375,32 +44392,36 @@ index f5d145d..9510740 100644
+# numad local policy
#
-+allow numad_t self:process { fork };
++allow numad_t self:capability sys_ptrace;
allow numad_t self:fifo_file rw_fifo_file_perms;
-allow numad_t self:msg { send receive };
allow numad_t self:msgq create_msgq_perms;
-+allow numad_t self:msg { send receive };
++allow numad_t self:msg create_msg_perms;
allow numad_t self:unix_stream_socket create_stream_socket_perms;
-allow numad_t numad_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(numad_t, numad_log_t, file)
+manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t)
-+logging_log_filetrans(numad_t, numad_var_log_t, { file })
++logging_log_filetrans(numad_t, numad_var_log_t, file)
manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
--files_pid_filetrans(numad_t, numad_var_run_t, file)
-+files_pid_filetrans(numad_t, numad_var_run_t, { file })
-
- kernel_read_system_state(numad_t)
+ files_pid_filetrans(numad_t, numad_var_run_t, file)
+@@ -39,6 +39,13 @@ kernel_read_system_state(numad_t)
dev_read_sysfs(numad_t)
-files_read_etc_files(numad_t)
+domain_use_interactive_fds(numad_t)
-+
++domain_read_all_domains_state(numad_t)
++domain_setpriority_all_domains(numad_t)
-miscfiles_read_localization(numad_t)
-+fs_search_cgroup_dirs(numad_t)
++fs_manage_cgroup_dirs(numad_t)
++fs_rw_cgroup_files(numad_t)
++
++tunable_policy(`deny_ptrace',`',`
++ virt_ptrace(numad_t)
++')
diff --git a/nut.fc b/nut.fc
index 379af96..371119d 100644
--- a/nut.fc
@@ -55503,7 +55524,7 @@ index 6864479..0e7d875 100644
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --git a/pulseaudio.if b/pulseaudio.if
-index fa3dc8e..ec47fb6 100644
+index fa3dc8e..59808e5 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
@@ -2,47 +2,44 @@
@@ -55788,7 +55809,7 @@ index fa3dc8e..ec47fb6 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -291,62 +300,72 @@ interface(`pulseaudio_manage_home_files',`
+@@ -291,62 +300,74 @@ interface(`pulseaudio_manage_home_files',`
## </summary>
## </param>
#
@@ -55805,7 +55826,9 @@ index fa3dc8e..ec47fb6 100644
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
-+ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
++ optional_policy(`
++ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
++ ')
')
########################################
@@ -56531,7 +56554,7 @@ index 7cb8b1f..b7b5ee7 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
')
diff --git a/puppet.te b/puppet.te
-index f2309f4..9282fbb 100644
+index f2309f4..fd38d93 100644
--- a/puppet.te
+++ b/puppet.te
@@ -1,4 +1,4 @@
@@ -56925,7 +56948,7 @@ index f2309f4..9282fbb 100644
selinux_validate_context(puppetmaster_t)
-@@ -314,26 +390,27 @@ auth_use_nsswitch(puppetmaster_t)
+@@ -314,26 +390,31 @@ auth_use_nsswitch(puppetmaster_t)
logging_send_syslog_msg(puppetmaster_t)
miscfiles_read_generic_certs(puppetmaster_t)
@@ -56935,32 +56958,34 @@ index f2309f4..9282fbb 100644
sysnet_run_ifconfig(puppetmaster_t, system_r)
--optional_policy(`
-- hostname_exec(puppetmaster_t)
--')
+mta_send_mail(puppetmaster_t)
-
++
optional_policy(`
-- mta_send_mail(puppetmaster_t)
+- hostname_exec(puppetmaster_t)
+ tunable_policy(`puppetmaster_use_db',`
+ mysql_stream_connect(puppetmaster_t)
+ ')
')
optional_policy(`
-- mysql_stream_connect(puppetmaster_t)
+- mta_send_mail(puppetmaster_t)
+ tunable_policy(`puppetmaster_use_db',`
+ postgresql_stream_connect(puppetmaster_t)
+ ')
')
optional_policy(`
+- mysql_stream_connect(puppetmaster_t)
++ gnomeclock_dbus_chat(puppetmaster_t)
+ ')
+
+ optional_policy(`
- postgresql_stream_connect(puppetmaster_t)
+ hostname_exec(puppetmaster_t)
')
optional_policy(`
-@@ -342,3 +419,9 @@ optional_policy(`
+@@ -342,3 +423,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -80785,7 +80810,7 @@ index c30da4c..014e40c 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..347f807 100644
+index 9dec06c..e2c53bf 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -81763,7 +81788,7 @@ index 9dec06c..347f807 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -860,94 +603,205 @@ interface(`virt_read_lib_files',`
+@@ -860,115 +603,223 @@ interface(`virt_read_lib_files',`
## </summary>
## </param>
#
@@ -81794,6 +81819,9 @@ index 9dec06c..347f807 100644
## </summary>
## </param>
-## <param name="private type">
+-## <summary>
+-## The type of the object to be created.
+-## </summary>
+#
+interface(`virt_manage_images',`
+ gen_require(`
@@ -81818,7 +81846,8 @@ index 9dec06c..347f807 100644
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
+ ## </param>
+-## <param name="object">
+#
+interface(`virt_manage_default_image_type',`
+ gen_require(`
@@ -81838,11 +81867,11 @@ index 9dec06c..347f807 100644
+## </summary>
+## <param name="domain">
## <summary>
--## The type of the object to be created.
+-## The object class of the object being created.
+## Domain allowed to transition.
## </summary>
## </param>
--## <param name="object">
+-## <param name="name" optional="true">
+#
+interface(`virt_systemctl',`
+ gen_require(`
@@ -81859,37 +81888,58 @@ index 9dec06c..347f807 100644
+
+########################################
+## <summary>
-+## All of the rules required to administrate
-+## an virt environment
++## Ptrace the svirt domain
+## </summary>
+## <param name="domain">
## <summary>
--## The object class of the object being created.
-+## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="name" optional="true">
-+## <param name="role">
- ## <summary>
-## The name of the object being created.
-+## Role allowed access.
++## Domain allowed to transition.
## </summary>
## </param>
-## <infoflow type="write" weight="10"/>
-+## <rolecap/>
#
-interface(`virt_pid_filetrans',`
-+interface(`virt_admin',`
++interface(`virt_ptrace',`
gen_require(`
- type virt_var_run_t;
++ attribute virt_domain;
+ ')
+
+- files_search_pids($1)
+- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
++ allow $1 virt_domain:self ptrace;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read virt log files.
++## All of the rules required to administrate
++## an virt environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
+ ## <rolecap/>
+ #
+-interface(`virt_read_log',`
++interface(`virt_admin',`
+ gen_require(`
+- type virt_log_t;
+ type virtd_t, virtd_initrc_exec_t;
+ attribute virt_domain;
+ type virt_lxc_t;
+ type virtd_unit_file_t;
')
-- files_search_pids($1)
-- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
+- logging_search_logs($1)
+- read_files_pattern($1, virt_log_t, virt_log_t)
+ allow $1 virtd_t:process signal_perms;
+ ps_process_pattern($1, virtd_t)
+ tunable_policy(`deny_ptrace',`',`
@@ -81922,7 +81972,7 @@ index 9dec06c..347f807 100644
########################################
## <summary>
--## Read virt log files.
+-## Append virt log files.
+## Execute qemu in the svirt domain, and
+## allow the specified role the svirt domain.
## </summary>
@@ -81937,9 +81987,9 @@ index 9dec06c..347f807 100644
+## The role to be allowed the sandbox domain.
## </summary>
## </param>
- ## <rolecap/>
++## <rolecap/>
#
--interface(`virt_read_log',`
+-interface(`virt_append_log',`
+interface(`virt_transition_svirt',`
gen_require(`
- type virt_log_t;
@@ -81950,7 +82000,7 @@ index 9dec06c..347f807 100644
')
- logging_search_logs($1)
-- read_files_pattern($1, virt_log_t, virt_log_t)
+- append_files_pattern($1, virt_log_t, virt_log_t)
+ allow $1 virt_domain:process transition;
+ role $2 types virt_domain;
+ role $2 types virt_bridgehelper_t;
@@ -81969,7 +82019,8 @@ index 9dec06c..347f807 100644
########################################
## <summary>
--## Append virt log files.
+-## Create, read, write, and delete
+-## virt log files.
+## Do not audit attempts to write virt daemon unnamed pipes.
## </summary>
## <param name="domain">
@@ -81979,7 +82030,7 @@ index 9dec06c..347f807 100644
## </summary>
## </param>
#
--interface(`virt_append_log',`
+-interface(`virt_manage_log',`
+interface(`virt_dontaudit_write_pipes',`
gen_require(`
- type virt_log_t;
@@ -81987,41 +82038,17 @@ index 9dec06c..347f807 100644
')
- logging_search_logs($1)
-- append_files_pattern($1, virt_log_t, virt_log_t)
-+ dontaudit $1 virtd_t:fd use;
-+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Create, read, write, and delete
--## virt log files.
-+## Send a sigkill to virtual machines
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -955,20 +809,17 @@ interface(`virt_append_log',`
- ## </summary>
- ## </param>
- #
--interface(`virt_manage_log',`
-+interface(`virt_kill_svirt',`
- gen_require(`
-- type virt_log_t;
-+ attribute virt_domain;
- ')
-
-- logging_search_logs($1)
- manage_dirs_pattern($1, virt_log_t, virt_log_t)
- manage_files_pattern($1, virt_log_t, virt_log_t)
- manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
-+ allow $1 virt_domain:process sigkill;
++ dontaudit $1 virtd_t:fd use;
++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
')
########################################
## <summary>
-## Search virt image directories.
-+## Send a signal to virtual machines
++## Send a sigkill to virtual machines
## </summary>
## <param name="domain">
## <summary>
@@ -82030,7 +82057,7 @@ index 9dec06c..347f807 100644
## </param>
#
-interface(`virt_search_images',`
-+interface(`virt_signal_svirt',`
++interface(`virt_kill_svirt',`
gen_require(`
- attribute virt_image_type;
+ attribute virt_domain;
@@ -82038,56 +82065,39 @@ index 9dec06c..347f807 100644
- virt_search_lib($1)
- allow $1 virt_image_type:dir search_dir_perms;
-+ allow $1 virt_domain:process signal;
++ allow $1 virt_domain:process sigkill;
')
########################################
## <summary>
-## Read virt image files.
-+## Manage virt home files.
++## Send a signal to virtual machines
## </summary>
## <param name="domain">
## <summary>
-@@ -995,57 +845,57 @@ interface(`virt_search_images',`
+@@ -995,36 +845,17 @@ interface(`virt_search_images',`
## </summary>
## </param>
#
-interface(`virt_read_images',`
-+interface(`virt_manage_home_files',`
++interface(`virt_signal_svirt',`
gen_require(`
- type virt_var_lib_t;
- attribute virt_image_type;
-+ type virt_home_t;
- ')
-
+- ')
+-
- virt_search_lib($1)
- allow $1 virt_image_type:dir list_dir_perms;
- list_dirs_pattern($1, virt_image_type, virt_image_type)
- read_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- read_blk_files_pattern($1, virt_image_type, virt_image_type)
-+ userdom_search_user_home_dirs($1)
-+ manage_files_pattern($1, virt_home_t, virt_home_t)
-+')
-
+-
- tunable_policy(`virt_use_nfs',`
- fs_list_nfs($1)
- fs_read_nfs_files($1)
- fs_read_nfs_symlinks($1)
-+########################################
-+## <summary>
-+## allow domain to read
-+## virt tmpfs files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access
-+## </summary>
-+## </param>
-+#
-+interface(`virt_read_tmpfs_files',`
-+ gen_require(`
-+ attribute virt_tmpfs_type;
++ attribute virt_domain;
')
- tunable_policy(`virt_use_samba',`
@@ -82095,117 +82105,108 @@ index 9dec06c..347f807 100644
- fs_read_cifs_files($1)
- fs_read_cifs_symlinks($1)
- ')
-+ allow $1 virt_tmpfs_type:file read_file_perms;
++ allow $1 virt_domain:process signal;
')
########################################
## <summary>
-## Read and write all virt image
-## character files.
-+## allow domain to manage
-+## virt tmpfs files
++## Manage virt home files.
## </summary>
## <param name="domain">
## <summary>
--## Domain allowed access.
-+## Domain allowed access
+@@ -1032,58 +863,57 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
-interface(`virt_rw_all_image_chr_files',`
-+interface(`virt_manage_tmpfs_files',`
++interface(`virt_manage_home_files',`
gen_require(`
- attribute virt_image_type;
-+ attribute virt_tmpfs_type;
++ type virt_home_t;
')
- virt_search_lib($1)
- allow $1 virt_image_type:dir list_dir_perms;
- rw_chr_files_pattern($1, virt_image_type, virt_image_type)
-+ allow $1 virt_tmpfs_type:file manage_file_perms;
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, virt_home_t, virt_home_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## svirt cache files.
-+## Create .virt directory in the user home directory
-+## with an correct label.
++## allow domain to read
++## virt tmpfs files
## </summary>
## <param name="domain">
## <summary>
-@@ -1053,15 +903,27 @@ interface(`virt_rw_all_image_chr_files',`
+-## Domain allowed access.
++## Domain allowed access
## </summary>
## </param>
#
-interface(`virt_manage_svirt_cache',`
- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
- virt_manage_virt_cache($1)
-+interface(`virt_filetrans_home_content',`
++interface(`virt_read_tmpfs_files',`
+ gen_require(`
-+ type virt_home_t;
-+ type svirt_home_t;
++ attribute virt_tmpfs_type;
+ ')
+
-+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
-+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
-+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
-+
-+ optional_policy(`
-+ gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
-+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
-+ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
-+ gnome_data_filetrans($1, svirt_home_t, dir, "images")
-+ ')
++ allow $1 virt_tmpfs_type:file read_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## virt cache content.
-+## Dontaudit attempts to Read virt_image_type devices.
++## allow domain to manage
++## virt tmpfs files
## </summary>
## <param name="domain">
## <summary>
-@@ -1069,117 +931,103 @@ interface(`virt_manage_svirt_cache',`
+-## Domain allowed access.
++## Domain allowed access
## </summary>
## </param>
#
-interface(`virt_manage_virt_cache',`
-+interface(`virt_dontaudit_read_chr_dev',`
++interface(`virt_manage_tmpfs_files',`
gen_require(`
- type virt_cache_t;
-+ attribute virt_image_type;
++ attribute virt_tmpfs_type;
')
- files_search_var($1)
- manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
- manage_files_pattern($1, virt_cache_t, virt_cache_t)
- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
-+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
++ allow $1 virt_tmpfs_type:file manage_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## virt image files.
-+## Creates types and rules for a basic
-+## virt_lxc process domain.
++## Create .virt directory in the user home directory
++## with an correct label.
## </summary>
--## <param name="domain">
-+## <param name="prefix">
+ ## <param name="domain">
## <summary>
--## Domain allowed access.
-+## Prefix for the domain.
+@@ -1091,95 +921,131 @@ interface(`virt_manage_virt_cache',`
## </summary>
## </param>
#
-interface(`virt_manage_images',`
-+template(`virt_lxc_domain_template',`
++interface(`virt_filetrans_home_content',`
gen_require(`
- type virt_var_lib_t;
- attribute virt_image_type;
-+ attribute svirt_lxc_domain;
++ type virt_home_t;
++ type svirt_home_t;
')
- virt_search_lib($1)
@@ -82214,86 +82215,64 @@ index 9dec06c..347f807 100644
- manage_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
-+ type $1_t, svirt_lxc_domain;
-+ domain_type($1_t)
-+ domain_user_exemption_target($1_t)
-+ mls_rangetrans_target($1_t)
-+ mcs_constrained($1_t)
-+ role system_r types $1_t;
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- fs_read_nfs_symlinks($1)
-+ kernel_read_system_state($1_t)
-+')
-+
-+########################################
-+## <summary>
-+## Execute a qemu_exec_t in the callers domain
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`virt_exec_qemu',`
-+ gen_require(`
-+ type qemu_exec_t;
- ')
-
+- ')
+-
- tunable_policy(`virt_use_samba',`
- fs_manage_cifs_files($1)
- fs_manage_cifs_files($1)
- fs_read_cifs_symlinks($1)
-+ can_exec($1, qemu_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+## Transition to virt named content
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`virt_filetrans_named_content',`
-+ gen_require(`
-+ type virt_lxc_var_run_t;
-+ type virt_var_run_t;
++ optional_policy(`
++ gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
++ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
++ gnome_data_filetrans($1, svirt_home_t, dir, "images")
')
-+
-+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
-+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
-+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
')
########################################
## <summary>
-## All of the rules required to
-## administrate an virt environment.
-+## Execute qemu in the svirt domain, and
-+## allow the specified role the svirt domain.
++## Dontaudit attempts to Read virt_image_type devices.
## </summary>
## <param name="domain">
## <summary>
--## Domain allowed access.
-+## Domain allowed access
+ ## Domain allowed access.
## </summary>
## </param>
- ## <param name="role">
+-## <param name="role">
++#
++interface(`virt_dontaudit_read_chr_dev',`
++ gen_require(`
++ attribute virt_image_type;
++ ')
++
++ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
++')
++
++########################################
++## <summary>
++## Creates types and rules for a basic
++## virt_lxc process domain.
++## </summary>
++## <param name="prefix">
## <summary>
-## Role allowed access.
-+## The role to be allowed the sandbox domain.
++## Prefix for the domain.
## </summary>
## </param>
- ## <rolecap/>
+-## <rolecap/>
#
-interface(`virt_admin',`
-+interface(`virt_transition_svirt_lxc',`
++template(`virt_lxc_domain_template',`
gen_require(`
- attribute virt_domain, virt_image_type, virt_tmpfs_type;
- attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type;
@@ -82318,30 +82297,94 @@ index 9dec06c..347f807 100644
-
- fs_search_tmpfs($1)
- admin_pattern($1, virt_tmpfs_type)
--
++ type $1_t, svirt_lxc_domain;
++ domain_type($1_t)
++ domain_user_exemption_target($1_t)
++ mls_rangetrans_target($1_t)
++ mcs_constrained($1_t)
++ role system_r types $1_t;
+
- files_search_tmp($1)
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
--
++ kernel_read_system_state($1_t)
++')
+
- files_search_etc($1)
- admin_pattern($1, { virt_etc_t virt_etc_rw_t })
--
++########################################
++## <summary>
++## Execute a qemu_exec_t in the callers domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`virt_exec_qemu',`
++ gen_require(`
++ type qemu_exec_t;
++ ')
+
- logging_search_logs($1)
- admin_pattern($1, virt_log_t)
--
++ can_exec($1, qemu_exec_t)
++')
+
- files_search_pids($1)
- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
--
++########################################
++## <summary>
++## Transition to virt named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`virt_filetrans_named_content',`
++ gen_require(`
++ type virt_lxc_var_run_t;
++ type virt_var_run_t;
++ ')
+
- files_search_var($1)
- admin_pattern($1, svirt_cache_t)
--
++ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
++ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
++ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
++')
+
- files_search_var_lib($1)
- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
-+ allow $1 svirt_lxc_domain:process transition;
-+ role $2 types svirt_lxc_domain;
++########################################
++## <summary>
++## Execute qemu in the svirt domain, and
++## allow the specified role the svirt domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the sandbox domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`virt_transition_svirt_lxc',`
++ gen_require(`
++ attribute svirt_lxc_domain;
++ ')
- files_search_locks($1)
- admin_pattern($1, virt_lock_t)
--
++ allow $1 svirt_lxc_domain:process transition;
++ role $2 types svirt_lxc_domain;
+
- dev_list_all_dev_nodes($1)
- allow $1 virt_ptynode:chr_file rw_term_perms;
+ allow svirt_lxc_domain $1:process sigchld;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ffb3b30..907e268 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Jan 11 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-3
+- Allow gnomeclock to talk to puppet over dbus
+- Allow numad access discovered by Dominic
+- Add support for HOME_DIR/.maildir
+- Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this domain
+- Allow udev to relabel udev_var_run_t lnk_files
+- New bin_t file in mcelog
+
* Thu Jan 10 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-2
- Remove all mcs overrides and replace with t1 != mcs_constrained_types
- Add attribute_role for iptables
More information about the scm-commits
mailing list