[selinux-policy/f18] - Allow udev to communicate with the logind daemon - Add labeling for texlive bash scripts - Add xse

Miroslav Grepl mgrepl at fedoraproject.org
Tue Jan 15 14:48:45 UTC 2013


commit a5261f65f93e8386bd802618cfc4a02d83d3aedc
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Jan 15 15:47:35 2013 +0100

    - Allow udev to communicate with the logind daemon
    - Add labeling for texlive bash scripts
    - Add xserver_filetrans_fonts_cache_home_content() interface
    - Allow rpm_script_t to dbus communicate with certmonger_t
    - Add support for /var/lock/man-db.lock
    - Add support for /var/tmp/abrt(/.*)?
    - Add additional labeling for munin cgi scripts
    - Allow httpd_t to read munin conf files
    - Allow certwatch to read meminfo
    - Fix nscd_dontaudit_write_sock_file() interface
    - Fix gnome_filetrans_home_content() to include also "fontconfig" d
    - Allow mozilla_plugin_t to create HOMEDIR/.fontconfig with the pro
    - Allow numad access discovered by Dominic
    - Allow gnomeclock to talk to puppet over dbus
    - Add support for HOME_DIR/.maildir

 policy-f18-base.patch    |   53 +++++--
 policy-f18-contrib.patch |  373 ++++++++++++++++++++++++++++------------------
 selinux-policy.spec      |   19 +++-
 3 files changed, 283 insertions(+), 162 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 1a16867..ab2beb7 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -112417,7 +112417,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..e2c87b3 100644
+index db981df..7a2ff89 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -112653,7 +112653,7 @@ index db981df..e2c87b3 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -289,16 +342,21 @@ ifdef(`distro_gentoo',`
+@@ -289,16 +342,22 @@ ifdef(`distro_gentoo',`
  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
@@ -112666,6 +112666,7 @@ index db981df..e2c87b3 100644
  /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall6-lite(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
++/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd)	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/tucan.*/tucan.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
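Review bot: The new texlive entry `/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd)` carries no file-type specifier, while the neighbouring single-script entries in this block use `--`; as written the rule labels any object class whose path matches, not only regular files. Since the three mktex helpers are scripts, `/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd) --	gen_context(system_u:object_r:bin_t,s0)` keeps the same specificity as the surrounding rules.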
@@ -112677,7 +112678,7 @@ index db981df..e2c87b3 100644
  
  ifdef(`distro_debian',`
  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -314,8 +372,12 @@ ifdef(`distro_redhat', `
+@@ -314,8 +373,12 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -112690,7 +112691,7 @@ index db981df..e2c87b3 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,9 +387,11 @@ ifdef(`distro_redhat', `
+@@ -325,9 +388,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -112702,7 +112703,7 @@ index db981df..e2c87b3 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -376,11 +440,15 @@ ifdef(`distro_suse', `
+@@ -376,11 +441,15 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -112719,7 +112720,7 @@ index db981df..e2c87b3 100644
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -390,3 +458,12 @@ ifdef(`distro_suse', `
+@@ -390,3 +459,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -128366,7 +128367,7 @@ index fc86b7c..ea115aa 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..a75282a 100644
+index 130ced9..f14edb7 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -129163,7 +129164,7 @@ index 130ced9..a75282a 100644
  ')
  
  ########################################
-@@ -1243,10 +1577,541 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1577,559 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -129602,6 +129603,24 @@ index 130ced9..a75282a 100644
 +#	userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
 +')
 +
++#######################################
++## <summary>
++##  Transition to xserver .fontconfig named content
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`xserver_filetrans_fonts_cache_home_content',`
++    gen_require(`
++        type user_fonts_cache_t;
++    ')
++
++	userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
++')
++
 +########################################
 +## <summary>
 +##	Transition to xserver named content
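Review bot: The new `xserver_filetrans_fonts_cache_home_content` interface indents its `gen_require` block with four spaces but its body line with a tab, whereas the rest of this file (see the `gen_require` of `xserver_unconfined` earlier in the section) uses tabs throughout; the two lines should be re-indented with tabs. The commented-out `userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")` that remains as context in the preceding interface appears to be what this new interface replaces, so it could be removed rather than left as dead text.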
@@ -143176,7 +143195,7 @@ index 77a13a5..9a5a73f 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 29075b3..8d185fc 100644
+index 29075b3..a4da3c2 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -143354,7 +143373,7 @@ index 29075b3..8d185fc 100644
  
  	# for arping used for static IP addresses on PCMCIA ethernet
  	netutils_domtrans(udev_t)
-@@ -216,11 +228,16 @@ optional_policy(`
+@@ -216,24 +228,43 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -143371,7 +143390,13 @@ index 29075b3..8d185fc 100644
  ')
  
  optional_policy(`
-@@ -230,10 +247,20 @@ optional_policy(`
+ 	dbus_system_bus_client(udev_t)
++
++	optional_policy(`
++		systemd_dbus_chat_logind(udev_t)
++	')
+ ')
+ 
  optional_policy(`
  	devicekit_read_pid_files(udev_t)
  	devicekit_dgram_send(udev_t)
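Review bot: `systemd_dbus_chat_logind(udev_t)` grants two-way D-Bus messaging between udev_t, a highly privileged domain, and logind, but neither the hunk nor the commit message records which udev rule or helper produced the denial. A why-comment above the nested `optional_policy`, e.g. `# udev helpers need to exchange dbus messages with logind (see AVC in bug <BUG-ID>)`, would let a later reviewer judge whether the access is still needed. If the observed denial was only in the udev-to-logind direction, a send-only rule would be the narrower grant, should the systemd module provide one.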
@@ -143392,7 +143417,7 @@ index 29075b3..8d185fc 100644
  ')
  
  optional_policy(`
-@@ -259,6 +286,10 @@ optional_policy(`
+@@ -259,6 +290,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -143403,7 +143428,7 @@ index 29075b3..8d185fc 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +304,15 @@ optional_policy(`
+@@ -273,6 +308,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -143419,7 +143444,7 @@ index 29075b3..8d185fc 100644
  	unconfined_signal(udev_t)
  ')
  
-@@ -285,6 +325,7 @@ optional_policy(`
+@@ -285,6 +329,7 @@ optional_policy(`
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
  	xen_read_image_files(udev_t)
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index dbf0db2..9adf141 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -1,8 +1,8 @@
 diff --git a/abrt.fc b/abrt.fc
-index 1bd5812..ad5baf5 100644
+index 1bd5812..94697ea 100644
 --- a/abrt.fc
 +++ b/abrt.fc
-@@ -1,20 +1,37 @@
+@@ -1,20 +1,38 @@
  /etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
  /etc/rc\.d/init\.d/abrt		--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
  
@@ -32,6 +32,7 @@ index 1bd5812..ad5baf5 100644
  /var/run/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_run_t,s0)
  
  /var/spool/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/tmp/abrt(/.*)?           gen_context(system_u:object_r:abrt_var_cache_t,s0)
 +
 +# ABRT retrace server
 +/usr/bin/abrt-retrace-worker				--      gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
@@ -366,7 +367,7 @@ index 0b827c5..cce58bb 100644
 +	dontaudit $1 abrt_t:sock_file write;
  ')
 diff --git a/abrt.te b/abrt.te
-index 30861ec..6d98338 100644
+index 30861ec..e143a71 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -5,13 +5,33 @@ policy_module(abrt, 1.2.0)
@@ -405,7 +406,13 @@ index 30861ec..6d98338 100644
  # etc files
  type abrt_etc_t;
  files_config_file(abrt_etc_t)
-@@ -32,10 +52,20 @@ files_type(abrt_var_cache_t)
+@@ -27,15 +47,26 @@ files_tmp_file(abrt_tmp_t)
+ # var/cache files
+ type abrt_var_cache_t;
+ files_type(abrt_var_cache_t)
++files_tmp_file(abrt_var_cache_t)
+ 
+ # pid files
  type abrt_var_run_t;
  files_pid_file(abrt_var_run_t)
  
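Review bot: `files_tmp_file(abrt_var_cache_t)` attaches the type that labels /var/cache/abrt and /var/spool/abrt to the generic tmp-file attribute, so any domain that uses a wildcard tmp interface (tmp reapers, "manage/delete all tmp" style rules) now reaches abrt's dump directories, which typically hold crash data from other domains. The only new location is /var/tmp/abrt (the `abrt.fc` hunk above and the `files_tmp_filetrans(..., dir, "abrt")` lines in the three later abrt.te hunks), so a dedicated type limited to that directory would keep the spool and cache out of the tmp attribute. If sharing the type is deliberate, a comment such as `# /var/tmp/abrt shares abrt_var_cache_t; this also exposes the cache to generic tmpfile rules` would record the trade-off.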
@@ -428,7 +435,7 @@ index 30861ec..6d98338 100644
  application_domain(abrt_helper_t, abrt_helper_exec_t)
  role system_r types abrt_helper_t;
  
-@@ -43,14 +73,36 @@ ifdef(`enable_mcs',`
+@@ -43,14 +74,36 @@ ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
  ')
  
@@ -467,7 +474,7 @@ index 30861ec..6d98338 100644
  
  allow abrt_t self:fifo_file rw_fifo_file_perms;
  allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -59,6 +111,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
+@@ -59,6 +112,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
  allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
  
  # abrt etc files
@@ -475,7 +482,7 @@ index 30861ec..6d98338 100644
  rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
  
  # log file
-@@ -68,7 +121,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -68,7 +122,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
  # abrt tmp files
  manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
@@ -485,7 +492,14 @@ index 30861ec..6d98338 100644
  
  # abrt var/cache files
  manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,10 +137,11 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -76,16 +132,18 @@ manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+ files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
+ files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
++files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")
+ 
+ # abrt pid files
+ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -499,7 +513,7 @@ index 30861ec..6d98338 100644
  kernel_rw_kernel_sysctl(abrt_t)
  
  corecmd_exec_bin(abrt_t)
-@@ -93,7 +149,6 @@ corecmd_exec_shell(abrt_t)
+@@ -93,7 +151,6 @@ corecmd_exec_shell(abrt_t)
  corecmd_read_all_executables(abrt_t)
  
  corenet_all_recvfrom_netlabel(abrt_t)
@@ -507,7 +521,7 @@ index 30861ec..6d98338 100644
  corenet_tcp_sendrecv_generic_if(abrt_t)
  corenet_tcp_sendrecv_generic_node(abrt_t)
  corenet_tcp_sendrecv_generic_port(abrt_t)
-@@ -104,6 +159,8 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +161,8 @@ corenet_tcp_connect_all_ports(abrt_t)
  corenet_sendrecv_http_client_packets(abrt_t)
  
  dev_getattr_all_chr_files(abrt_t)
@@ -516,7 +530,7 @@ index 30861ec..6d98338 100644
  dev_read_urand(abrt_t)
  dev_rw_sysfs(abrt_t)
  dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +170,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +172,8 @@ domain_read_all_domains_state(abrt_t)
  domain_signull_all_domains(abrt_t)
  
  files_getattr_all_files(abrt_t)
@@ -526,7 +540,7 @@ index 30861ec..6d98338 100644
  files_read_var_symlinks(abrt_t)
  files_read_var_lib_files(abrt_t)
  files_read_usr_files(abrt_t)
-@@ -121,6 +179,9 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +181,9 @@ files_read_generic_tmp_files(abrt_t)
  files_read_kernel_modules(abrt_t)
  files_dontaudit_list_default(abrt_t)
  files_dontaudit_read_default_files(abrt_t)
@@ -536,7 +550,7 @@ index 30861ec..6d98338 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,22 +192,37 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +194,37 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
@@ -578,7 +592,7 @@ index 30861ec..6d98338 100644
  ')
  
  optional_policy(`
-@@ -167,6 +243,7 @@ optional_policy(`
+@@ -167,6 +245,7 @@ optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
@@ -586,7 +600,7 @@ index 30861ec..6d98338 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,9 +255,36 @@ optional_policy(`
+@@ -178,9 +257,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -623,7 +637,12 @@ index 30861ec..6d98338 100644
  ########################################
  #
  # abrt--helper local policy
-@@ -200,9 +304,11 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -196,13 +302,16 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
++files_tmp_filetrans(abrt_helper_t, abrt_var_cache_t, dir, "abrt")
+ 
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  
@@ -636,7 +655,7 @@ index 30861ec..6d98338 100644
  
  fs_list_inotifyfs(abrt_helper_t)
  fs_getattr_all_fs(abrt_helper_t)
-@@ -211,12 +317,11 @@ auth_use_nsswitch(abrt_helper_t)
+@@ -211,12 +320,11 @@ auth_use_nsswitch(abrt_helper_t)
  
  logging_send_syslog_msg(abrt_helper_t)
  
@@ -651,7 +670,7 @@ index 30861ec..6d98338 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +329,149 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +332,150 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -757,6 +776,7 @@ index 30861ec..6d98338 100644
 +manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
 +manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
 +files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
++files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt")
 +
 +read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
 +read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
@@ -3151,7 +3171,7 @@ index 6480167..7b2ad39 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 0833afb..2864927 100644
+index 0833afb..833af5e 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
@@ -3870,7 +3890,7 @@ index 0833afb..2864927 100644
  ')
  
  optional_policy(`
-@@ -573,7 +911,21 @@ optional_policy(`
+@@ -573,7 +911,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3887,12 +3907,16 @@ index 0833afb..2864927 100644
 +')
 +
 +optional_policy(`
++	munin_read_config(httpd_t)
++')
++
++optional_policy(`
  	# Allow httpd to work with mysql
 +	mysql_read_config(httpd_t)
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -584,6 +936,7 @@ optional_policy(`
+@@ -584,6 +940,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -3900,7 +3924,7 @@ index 0833afb..2864927 100644
  ')
  
  optional_policy(`
-@@ -594,6 +947,42 @@ optional_policy(`
+@@ -594,6 +951,42 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3943,7 +3967,7 @@ index 0833afb..2864927 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -608,6 +997,11 @@ optional_policy(`
+@@ -608,6 +1001,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3955,7 +3979,7 @@ index 0833afb..2864927 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -620,6 +1014,12 @@ optional_policy(`
+@@ -620,6 +1018,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -3968,7 +3992,7 @@ index 0833afb..2864927 100644
  ########################################
  #
  # Apache helper local policy
-@@ -633,7 +1033,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -633,7 +1037,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -4013,7 +4037,7 @@ index 0833afb..2864927 100644
  
  ########################################
  #
-@@ -671,28 +1107,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -671,28 +1111,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -4057,7 +4081,7 @@ index 0833afb..2864927 100644
  ')
  
  ########################################
-@@ -702,6 +1140,7 @@ optional_policy(`
+@@ -702,6 +1144,7 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -4065,7 +4089,7 @@ index 0833afb..2864927 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -716,19 +1155,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -716,19 +1159,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -4094,7 +4118,7 @@ index 0833afb..2864927 100644
  files_read_usr_files(httpd_suexec_t)
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
-@@ -738,15 +1185,14 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -738,15 +1189,14 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -4112,7 +4136,7 @@ index 0833afb..2864927 100644
  	corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
  	corenet_udp_sendrecv_generic_if(httpd_suexec_t)
  	corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-@@ -757,13 +1203,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -757,13 +1207,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -4145,7 +4169,7 @@ index 0833afb..2864927 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -786,6 +1250,25 @@ optional_policy(`
+@@ -786,6 +1254,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -4171,7 +4195,7 @@ index 0833afb..2864927 100644
  ########################################
  #
  # Apache system script local policy
-@@ -806,12 +1289,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -806,12 +1293,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -4189,7 +4213,7 @@ index 0833afb..2864927 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -820,18 +1308,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -820,18 +1312,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -4248,7 +4272,7 @@ index 0833afb..2864927 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -839,14 +1359,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -839,14 +1363,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -4289,7 +4313,7 @@ index 0833afb..2864927 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -854,15 +1399,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+@@ -854,15 +1403,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  
  optional_policy(`
  	clamav_domtrans_clamscan(httpd_sys_script_t)
@@ -4316,7 +4340,7 @@ index 0833afb..2864927 100644
  ')
  
  ########################################
-@@ -878,11 +1434,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -878,11 +1438,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
  kernel_dontaudit_list_proc(httpd_rotatelogs_t)
  kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
  
@@ -4328,7 +4352,7 @@ index 0833afb..2864927 100644
  
  ########################################
  #
-@@ -908,11 +1462,138 @@ optional_policy(`
+@@ -908,11 +1466,138 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -5815,10 +5839,10 @@ index cf8e59f..ad57d4a 100644
 -
 -miscfiles_read_localization(bcfg2_t)
 diff --git a/bind.fc b/bind.fc
-index 59aa54f..005bb7e 100644
+index 59aa54f..1cb1b4f 100644
 --- a/bind.fc
 +++ b/bind.fc
-@@ -4,6 +4,11 @@
+@@ -4,12 +4,18 @@
  /etc/rndc.*		--	gen_context(system_u:object_r:named_conf_t,s0)
  /etc/rndc\.key 		-- 	gen_context(system_u:object_r:dnssec_t,s0)
  /etc/unbound(/.*)?		gen_context(system_u:object_r:named_conf_t,s0)
@@ -5830,7 +5854,14 @@ index 59aa54f..005bb7e 100644
  
  /usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
  /usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
-@@ -40,6 +45,7 @@ ifdef(`distro_redhat',`
+ /usr/sbin/named-checkconf --	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+ /usr/sbin/r?ndc		--	gen_context(system_u:object_r:ndc_exec_t,s0)
+ /usr/sbin/unbound	--	gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/unbound-anchor --	gen_context(system_u:object_r:named_exec_t,s0)
+ 
+ /var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
+ 
+@@ -40,6 +46,7 @@ ifdef(`distro_redhat',`
  /etc/named\.root\.hints	--	gen_context(system_u:object_r:named_conf_t,s0)
  /etc/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
  /etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
@@ -8305,10 +8336,20 @@ index c3e3f79..89db900 100644
 +	unconfined_domain(certmonger_unconfined_t)
 +')
 diff --git a/certwatch.te b/certwatch.te
-index e07cef5..55051ce 100644
+index e07cef5..2f5dd78 100644
 --- a/certwatch.te
 +++ b/certwatch.te
-@@ -27,15 +27,15 @@ files_list_tmp(certwatch_t)
+@@ -17,6 +17,9 @@ role system_r types certwatch_t;
+ allow certwatch_t self:capability sys_nice;
+ allow certwatch_t self:process { setsched getsched };
+ 
++kernel_read_system_state(certwatch_t)
++
++dev_read_rand(certwatch_t)
+ dev_read_urand(certwatch_t)
+ 
+ files_read_etc_files(certwatch_t)
+@@ -27,15 +30,15 @@ files_list_tmp(certwatch_t)
  fs_list_inotifyfs(certwatch_t)
  
  auth_manage_cache(certwatch_t)
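Review bot: The commit message describes this hunk as "Allow certwatch to read meminfo", but `kernel_read_system_state(certwatch_t)` grants read access to all of proc_t rather than only /proc/meminfo, and the added `dev_read_rand(certwatch_t)` is not mentioned at all. That granularity is normal for refpolicy, so the rules are probably correct; a brief why-comment, e.g. `# /proc/meminfo (no narrower interface for proc_t) and the kernel RNG`, would stop the next reader from wondering whether the wider access was intended.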
@@ -23571,7 +23612,7 @@ index 00a19e3..52e5a3a 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index f5afe78..2d6e6bb 100644
+index f5afe78..f73c152 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,44 +1,1067 @@
@@ -24923,7 +24964,7 @@ index f5afe78..2d6e6bb 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +1306,279 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1306,280 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -25134,6 +25175,7 @@ index f5afe78..2d6e6bb 100644
 +	filetrans_pattern($1, data_home_t,  gkeyringd_gnome_home_t, dir, "keyrings")
 +	filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
 +	filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
++	filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig")
 +	userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
 +	gnome_filetrans_gstreamer_home_content($1)
 +')
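Review bot: The added `filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig")` transitions from cache_home_t back to cache_home_t, which a directory created under a cache_home_t parent would inherit anyway; the named rule only has an effect if the caller also holds an unnamed type_transition for dirs in cache_home_t that this is meant to override, and the visible lines do not show one. If that override is the intent, a comment such as `# keep the fontconfig cache dir in cache_home_t even where a broader dir transition applies` would explain the self-transition; otherwise the line is a no-op and can be dropped.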
@@ -32729,13 +32771,15 @@ index 0000000..29b79eb
 +')
 diff --git a/mandb.fc b/mandb.fc
 new file mode 100644
-index 0000000..75b9968
+index 0000000..df710ae
 --- /dev/null
 +++ b/mandb.fc
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,5 @@
 +/usr/bin/mandb		--	gen_context(system_u:object_r:mandb_exec_t,s0)
 +
 +/var/cache/man(/.*)?		gen_context(system_u:object_r:mandb_cache_t,s0)
++
++/var/lock/man-db\.lock	--	gen_context(system_u:object_r:mandb_lock_t,s0)
 diff --git a/mandb.if b/mandb.if
 new file mode 100644
 index 0000000..4a4e899
@@ -32931,10 +32975,10 @@ index 0000000..4a4e899
 +')
 diff --git a/mandb.te b/mandb.te
 new file mode 100644
-index 0000000..8cc45e7
+index 0000000..cc1c704
 --- /dev/null
 +++ b/mandb.te
-@@ -0,0 +1,35 @@
+@@ -0,0 +1,41 @@
 +policy_module(mandb, 1.0.0)
 +
 +########################################
@@ -32950,6 +32994,9 @@ index 0000000..8cc45e7
 +type mandb_cache_t;
 +files_type(mandb_cache_t)
 +
++type mandb_lock_t;
++files_lock_file(mandb_lock_t)
++
 +########################################
 +#
 +# mandb local policy
@@ -32963,6 +33010,9 @@ index 0000000..8cc45e7
 +manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
 +files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })
 +
++allow mandb_t mandb_lock_t:file manage_file_perms;
++files_lock_filetrans(mandb_t, mandb_lock_t, file)
++
 +kernel_read_system_state(mandb_t)
 +
 +corecmd_exec_bin(mandb_t)
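Review bot: `files_lock_filetrans(mandb_t, mandb_lock_t, file)` is unnamed, so any file mandb_t creates directly in the lock directory becomes mandb_lock_t, while the new mandb.fc entry pins only `/var/lock/man-db\.lock`. The named form already used elsewhere in this commit (`files_tmp_filetrans(..., dir, "abrt")`) keeps the transition and the file context in step: `files_lock_filetrans(mandb_t, mandb_lock_t, file, "man-db.lock")`.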
@@ -34717,7 +34767,7 @@ index b397fde..cccec7e 100644
 +')
 +
 diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..8cf0087 100644
+index d4fcb75..95b8be3 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -35124,7 +35174,7 @@ index d4fcb75..8cf0087 100644
  ')
  
  optional_policy(`
-@@ -447,10 +523,116 @@ optional_policy(`
+@@ -447,10 +523,117 @@ optional_policy(`
  	pulseaudio_stream_connect(mozilla_plugin_t)
  	pulseaudio_setattr_home_dir(mozilla_plugin_t)
  	pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -35153,6 +35203,7 @@ index d4fcb75..8cf0087 100644
 +	xserver_read_user_xauth(mozilla_plugin_t)
 +	xserver_append_xdm_home_files(mozilla_plugin_t)
 +	xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
++	xserver_filetrans_fonts_cache_home_content(mozilla_plugin_t)
 +')
 +
 +########################################
@@ -35715,16 +35766,18 @@ index 0e19d80..c203717 100644
  netutils_domtrans_ping(mrtg_t)
  
 diff --git a/mta.fc b/mta.fc
-index afa18c8..2f102b2 100644
+index afa18c8..8654c3c 100644
 --- a/mta.fc
 +++ b/mta.fc
-@@ -1,30 +1,41 @@
+@@ -1,30 +1,43 @@
 -HOME_DIR/\.forward	--	gen_context(system_u:object_r:mail_forward_t,s0)
 +HOME_DIR/\.esmtp_queue	--	gen_context(system_u:object_r:mail_home_t,s0)
 +HOME_DIR/\.forward[^/]*	--	gen_context(system_u:object_r:mail_home_t,s0)
 +HOME_DIR/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
 +HOME_DIR/\.mailrc	--	gen_context(system_u:object_r:mail_home_t,s0)
 +HOME_DIR/Maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
++HOME_DIR/.maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
++
  
  /bin/mail(x)?		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
  
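Review bot: The new `HOME_DIR/.maildir(/.*)?` rule leaves the dot unescaped, so as a regex it matches any single character and would also label paths such as `HOME_DIR/Xmaildir`; every other entry in this block escapes literal dots (`\.forward`, `\.mailrc`, `\.esmtp_queue`). It should read `HOME_DIR/\.maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)`. The hunk also adds a blank line directly before the existing blank line, leaving two consecutive empty lines ahead of the `/bin/mail(x)?` entry.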
@@ -35771,7 +35824,7 @@ index afa18c8..2f102b2 100644
 +/var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/mta.if b/mta.if
-index 4e2a5ba..0005ac0 100644
+index 4e2a5ba..7d1522c 100644
 --- a/mta.if
 +++ b/mta.if
 @@ -37,6 +37,7 @@ interface(`mta_stub',`
@@ -36283,7 +36336,7 @@ index 4e2a5ba..0005ac0 100644
  ##	Read sendmail binary.
  ## </summary>
  ## <param name="domain">
-@@ -901,3 +1046,173 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -901,3 +1046,175 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -36408,6 +36461,7 @@ index 4e2a5ba..0005ac0 100644
 +	userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
 +	userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
 +	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
 +	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
 +')
 +
@@ -36431,6 +36485,7 @@ index 4e2a5ba..0005ac0 100644
 +	userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
 +	userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
 +	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
 +	userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
 +')
 +
@@ -36882,7 +36937,7 @@ index 84a7d66..61f95e2 100644
 +	clamav_stream_connect(mta_user_agent)
 +')
 diff --git a/munin.fc b/munin.fc
-index fd71d69..123ee4c 100644
+index fd71d69..4968324 100644
 --- a/munin.fc
 +++ b/munin.fc
 @@ -4,7 +4,9 @@
@@ -36914,7 +36969,7 @@ index fd71d69..123ee4c 100644
  /usr/share/munin/plugins/netstat --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/nfs.*	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/open_files --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-@@ -58,12 +64,15 @@
+@@ -58,12 +64,16 @@
  /usr/share/munin/plugins/processes --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/swap	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/threads --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
@@ -36928,8 +36983,10 @@ index fd71d69..123ee4c 100644
  /var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
  /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
  /var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
- /var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
-+/var/www/html/cgi/munin.*              gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+-/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
++/var/www/html/munin/cgi(/.*)?	gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
++/var/www/html/cgi/munin.*       gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
++/var/www/cgi-bin/munin.*		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
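Review bot: The `/var/www/html/munin/cgi(/.*)?` line is removed and re-added with only its tab alignment changed, which is whitespace churn inside a carried patch and hides the real change, the two new `munin.*` rules; keeping that line as context would make the hunk read as the two-line addition it is. The new `/var/www/html/cgi/munin.*` entry also pads with spaces where its neighbours use tabs: `/var/www/html/cgi/munin.*	gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)`.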
 diff --git a/munin.if b/munin.if
 index c358d8f..1cc176c 100644
 --- a/munin.if
@@ -39890,10 +39947,10 @@ index 623b731..429bd79 100644
 +
 +/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
 diff --git a/nscd.if b/nscd.if
-index 85188dc..685270c 100644
+index 85188dc..7b8f5ad 100644
 --- a/nscd.if
 +++ b/nscd.if
-@@ -116,7 +116,44 @@ interface(`nscd_socket_use',`
+@@ -116,7 +116,46 @@ interface(`nscd_socket_use',`
  	dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
  	files_search_pids($1)
  	stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
@@ -39932,14 +39989,16 @@ index 85188dc..685270c 100644
 +#
 +interface(`nscd_dontaudit_write_sock_file',`
 +	gen_require(`
-+		type nscd_t;
++		type nscd_t, nscd_var_run_t;
 +	')
 +
 +	dontaudit $1 nscd_t:sock_file write;
++	dontaudit $1 nscd_var_run_t:sock_file write;
++
  ')
  
  ########################################
-@@ -146,11 +183,14 @@ interface(`nscd_shm_use',`
+@@ -146,11 +185,14 @@ interface(`nscd_shm_use',`
  	# nscd_socket_domain macro. need to investigate
  	# if they are all actually required
  	allow $1 self:unix_stream_socket create_stream_socket_perms;
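Review bot: The fix keeps the original `dontaudit $1 nscd_t:sock_file write;` next to the new nscd_var_run_t rule, but nscd_t is the daemon's process domain rather than a file type, so that first rule appears to be a leftover that never matches a real socket file; the added `dontaudit $1 nscd_var_run_t:sock_file write;` is the one that actually silences the /var/run/nscd socket denial. Consider dropping the nscd_t line (and the `type nscd_t` requirement if nothing else in the interface uses it) so the interface does not suggest two distinct objects exist. The added empty line before `')` is stray whitespace inside the interface body.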
@@ -39957,7 +40016,7 @@ index 85188dc..685270c 100644
  ')
  
  ########################################
-@@ -168,7 +208,7 @@ interface(`nscd_dontaudit_search_pid',`
+@@ -168,7 +210,7 @@ interface(`nscd_dontaudit_search_pid',`
  		type nscd_var_run_t;
  	')
  
@@ -39966,7 +40025,7 @@ index 85188dc..685270c 100644
  ')
  
  ########################################
-@@ -224,6 +264,7 @@ interface(`nscd_unconfined',`
+@@ -224,6 +266,7 @@ interface(`nscd_unconfined',`
  ##	Role allowed access.
  ##	</summary>
  ## </param>
@@ -39974,7 +40033,7 @@ index 85188dc..685270c 100644
  #
  interface(`nscd_run',`
  	gen_require(`
-@@ -254,6 +295,29 @@ interface(`nscd_initrc_domtrans',`
+@@ -254,6 +297,29 @@ interface(`nscd_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -40004,7 +40063,7 @@ index 85188dc..685270c 100644
  ##	All of the rules required to administrate 
  ##	an nscd environment
  ## </summary>
-@@ -273,10 +337,14 @@ interface(`nscd_admin',`
+@@ -273,10 +339,14 @@ interface(`nscd_admin',`
  	gen_require(`
  		type nscd_t, nscd_log_t, nscd_var_run_t;
  		type nscd_initrc_exec_t;
@@ -40020,7 +40079,7 @@ index 85188dc..685270c 100644
  
  	init_labeled_script_domtrans($1, nscd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -288,4 +356,8 @@ interface(`nscd_admin',`
+@@ -288,4 +358,8 @@ interface(`nscd_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, nscd_var_run_t)
@@ -41537,10 +41596,10 @@ index 0000000..709dda1
 +')
 diff --git a/numad.te b/numad.te
 new file mode 100644
-index 0000000..c2d4196
+index 0000000..97e1148
 --- /dev/null
 +++ b/numad.te
-@@ -0,0 +1,46 @@
+@@ -0,0 +1,51 @@
 +policy_module(numad, 1.0.0)
 +
 +########################################
@@ -41566,27 +41625,32 @@ index 0000000..c2d4196
 +# numad local policy
 +#
 +
-+allow numad_t self:process { fork };
++allow numad_t self:capability sys_ptrace;
 +allow numad_t self:fifo_file rw_fifo_file_perms;
 +allow numad_t self:msgq create_msgq_perms;
 +allow numad_t self:msg { send receive };
 +allow numad_t self:unix_stream_socket create_stream_socket_perms;
 +
 +manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t)
-+logging_log_filetrans(numad_t, numad_var_log_t, { file })
++logging_log_filetrans(numad_t, numad_var_log_t, file)
 +
 +manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
-+files_pid_filetrans(numad_t, numad_var_run_t, { file })
++files_pid_filetrans(numad_t, numad_var_run_t, file)
 +
 +kernel_read_system_state(numad_t)
 +
 +dev_read_sysfs(numad_t)
 +
 +domain_use_interactive_fds(numad_t)
++domain_read_all_domains_state(numad_t)
++domain_setpriority_all_domains(numad_t)
 +
-+files_read_etc_files(numad_t)
++fs_manage_cgroup_dirs(numad_t)
++fs_rw_cgroup_files(numad_t)
 +
-+fs_search_cgroup_dirs(numad_t)
++tunable_policy(`deny_ptrace',`',`
++	virt_ptrace(numad_t)
++')
 diff --git a/nut.fc b/nut.fc
 index 0a929ef..371119d 100644
 --- a/nut.fc
@@ -51324,7 +51388,7 @@ index 2855a44..b7b5ee7 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
 +')
 diff --git a/puppet.te b/puppet.te
-index baa88f6..050d953 100644
+index baa88f6..9cc1f32 100644
 --- a/puppet.te
 +++ b/puppet.te
 @@ -13,6 +13,13 @@ policy_module(puppet, 1.3.0)
@@ -51427,14 +51491,14 @@ index baa88f6..050d953 100644
  tunable_policy(`puppet_manage_all_files',`
 -	files_manage_non_auth_files(puppet_t)
 +	files_manage_non_security_files(puppet_t)
-+')
-+
-+optional_policy(`
-+	cfengine_read_lib_files(puppet_t)
  ')
  
  optional_policy(`
 -	consoletype_domtrans(puppet_t)
++	cfengine_read_lib_files(puppet_t)
++')
++
++optional_policy(`
 +	consoletype_exec(puppet_t)
  ')
  
@@ -51591,7 +51655,7 @@ index baa88f6..050d953 100644
  ')
  
  ########################################
-@@ -184,51 +335,83 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
+@@ -184,51 +335,87 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
  list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
  read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
  
@@ -51646,13 +51710,13 @@ index baa88f6..050d953 100644
  
  domain_read_all_domains_state(puppetmaster_t)
 +domain_obj_id_change_exemption(puppetmaster_t)
- 
--files_read_etc_files(puppetmaster_t)
--files_search_var_lib(puppetmaster_t)
++
 +files_read_usr_files(puppetmaster_t)
 +
 +selinux_validate_context(puppetmaster_t)
-+
+ 
+-files_read_etc_files(puppetmaster_t)
+-files_search_var_lib(puppetmaster_t)
 +auth_use_nsswitch(puppetmaster_t)
  
  logging_send_syslog_msg(puppetmaster_t)
@@ -51679,10 +51743,14 @@ index baa88f6..050d953 100644
 +	')
 +')
 +
++optional_policy(`
++	gnomeclock_dbus_chat(puppetmaster_t)
++')
++
  optional_policy(`
  	hostname_exec(puppetmaster_t)
  ')
-@@ -239,3 +422,9 @@ optional_policy(`
+@@ -239,3 +426,9 @@ optional_policy(`
  	rpm_exec(puppetmaster_t)
  	rpm_read_db(puppetmaster_t)
  ')
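Review bot: The new rule `gnomeclock_dbus_chat(puppetmaster_t)` is applied to the puppet master, whereas the changelog entry says "Allow gnomeclock to talk to puppet over dbus"; on a managed host it is the agent (puppet_t) that applies manifests and would set the clock or timezone through the gnomeclock service, so the master may be the wrong domain. Confirm against the original AVC which domain was denied, and if it was puppet_t, add `gnomeclock_dbus_chat(puppet_t)` in its own optional_policy block instead of (or in addition to) this one. `*_dbus_chat` interfaces typically allow send_msg in both directions, so this also lets the gnomeclock domain message puppetmaster_t; a one-line comment stating why the master needs it would help if that is intended.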
@@ -58139,7 +58207,7 @@ index 951d8f6..bedc8ae 100644
 +	allow rpm_script_t $1:process sigchld;
 +')
 diff --git a/rpm.te b/rpm.te
-index 60149a5..b33a77d 100644
+index 60149a5..705935e 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,11 @@
@@ -58360,7 +58428,7 @@ index 60149a5..b33a77d 100644
  domain_use_interactive_fds(rpm_script_t)
  domain_signal_all_domains(rpm_script_t)
  domain_signull_all_domains(rpm_script_t)
-@@ -328,35 +354,41 @@ files_relabel_all_files(rpm_script_t)
+@@ -328,35 +354,45 @@ files_relabel_all_files(rpm_script_t)
  init_domtrans_script(rpm_script_t)
  init_telinit(rpm_script_t)
  
@@ -58408,11 +58476,15 @@ index 60149a5..b33a77d 100644
 +')
 +
 +optional_policy(`
++	certmonger_dbus_chat(rpm_script_t)
++')
++
++optional_policy(`
 +	cups_filetrans_named_content(rpm_script_t)
  ')
  
  optional_policy(`
-@@ -364,7 +396,7 @@ optional_policy(`
+@@ -364,7 +400,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -58421,7 +58493,7 @@ index 60149a5..b33a77d 100644
  ')
  
  optional_policy(`
-@@ -372,8 +404,17 @@ optional_policy(`
+@@ -372,8 +408,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -58441,7 +58513,7 @@ index 60149a5..b33a77d 100644
  ')
  
  optional_policy(`
-@@ -381,7 +422,7 @@ optional_policy(`
+@@ -381,7 +426,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -58450,7 +58522,7 @@ index 60149a5..b33a77d 100644
  	unconfined_domtrans(rpm_script_t)
  
  	optional_policy(`
-@@ -394,6 +435,6 @@ optional_policy(`
+@@ -394,6 +439,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70413,7 +70485,7 @@ index 2124b6a..014e40c 100644
 +/var/run/qemu-ga\.pid           --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
 +/var/log/qemu-ga\.log           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index 6f0736b..408a20a 100644
+index 6f0736b..882e76b 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -13,67 +13,30 @@
@@ -70847,7 +70919,7 @@ index 6f0736b..408a20a 100644
  ')
  
  ########################################
-@@ -468,18 +636,52 @@ interface(`virt_manage_images',`
+@@ -468,18 +636,70 @@ interface(`virt_manage_images',`
  	manage_files_pattern($1, virt_image_type, virt_image_type)
  	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
  	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -70858,7 +70930,6 @@ index 6f0736b..408a20a 100644
 -		fs_manage_nfs_dirs($1)
 -		fs_manage_nfs_files($1)
 -		fs_read_nfs_symlinks($1)
--	')
 +#######################################
 +## <summary>
 +##  Allow domain to manage virt image files
@@ -70880,11 +70951,7 @@ index 6f0736b..408a20a 100644
 +    manage_files_pattern($1, virt_image_t, virt_image_t)
 +    read_lnk_files_pattern($1, virt_image_t, virt_image_t)
 +')
- 
--	tunable_policy(`virt_use_samba',`
--		fs_manage_cifs_files($1)
--		fs_manage_cifs_files($1)
--		fs_read_cifs_symlinks($1)
++
 +########################################
 +## <summary>
 +##	Execute virt server in the virt domain.
@@ -70900,16 +70967,38 @@ index 6f0736b..408a20a 100644
 +		type virtd_unit_file_t;
 +		type virtd_t;
  	')
-+
+ 
+-	tunable_policy(`virt_use_samba',`
+-		fs_manage_cifs_files($1)
+-		fs_manage_cifs_files($1)
+-		fs_read_cifs_symlinks($1)
 +	systemd_exec_systemctl($1)
 +	allow $1 virtd_unit_file_t:file read_file_perms;
 +	allow $1 virtd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, virtd_t)
++')
++
++########################################
++## <summary>
++##	Ptrace the svirt domain
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`virt_ptrace',`
++	gen_require(`
++		attribute virt_domain;
+ 	')
++
++	allow $1 virt_domain:process ptrace;
  ')
  
  ########################################
-@@ -502,10 +704,20 @@ interface(`virt_manage_images',`
+@@ -502,10 +722,20 @@ interface(`virt_manage_images',`
  interface(`virt_admin',`
  	gen_require(`
  		type virtd_t, virtd_initrc_exec_t;
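Review bot: The `<param name="domain">` summary of the new `virt_ptrace` interface reads "Domain allowed to transition.", which looks copied from a domtrans interface; this one grants `process ptrace` over every virt_domain, so it should read `##	Domain allowed access.`. Because ptrace on a guest domain lets the caller inspect and modify the guest process's memory, the interface summary should also steer callers to the deny_ptrace tunable, e.g. `## Ptrace the svirt domain. Callers should wrap this in a deny_ptrace tunable_policy block.`. The interface preceding virt_ptrace in this hunk starts outside the hunk.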
@@ -70931,7 +71020,7 @@ index 6f0736b..408a20a 100644
  
  	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -517,4 +729,305 @@ interface(`virt_admin',`
+@@ -517,4 +747,305 @@ interface(`virt_admin',`
  	virt_manage_lib_files($1)
  
  	virt_manage_log($1)
@@ -71238,10 +71327,10 @@ index 6f0736b..408a20a 100644
 +	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 947bbc6..1e4a204 100644
+index 947bbc6..75efecc 100644
 --- a/virt.te
 +++ b/virt.te
-@@ -5,56 +5,104 @@ policy_module(virt, 1.5.0)
+@@ -5,56 +5,97 @@ policy_module(virt, 1.5.0)
  # Declarations
  #
  
@@ -71302,14 +71391,6 @@ index 947bbc6..1e4a204 100644
  gen_tunable(virt_use_samba, false)
  
  ## <desc>
- ## <p>
--## Allow virt to manage device configuration, (pci)
-+## Allow confined virtual guests to manage device configuration, (pci)
- ## </p>
- ## </desc>
- gen_tunable(virt_use_sysfs, false)
- 
- ## <desc>
 +##  <p>
 +##  Allow confined virtual guests to interact with the sanlock
 +##  </p>
@@ -71325,14 +71406,16 @@ index 947bbc6..1e4a204 100644
 +
 +## <desc>
  ## <p>
--## Allow virt to use usb devices
+-## Allow virt to manage device configuration, (pci)
 +## Allow confined virtual guests to interact with the xserver
-+## </p>
-+## </desc>
+ ## </p>
+ ## </desc>
+-gen_tunable(virt_use_sysfs, false)
 +gen_tunable(virt_use_xserver, false)
-+
-+## <desc>
-+## <p>
+ 
+ ## <desc>
+ ## <p>
+-## Allow virt to use usb devices
 +## Allow confined virtual guests to use usb devices
  ## </p>
  ## </desc>
@@ -71356,7 +71439,7 @@ index 947bbc6..1e4a204 100644
  
  type virt_etc_t;
  files_config_file(virt_etc_t)
-@@ -62,26 +110,37 @@ files_config_file(virt_etc_t)
+@@ -62,26 +103,37 @@ files_config_file(virt_etc_t)
  type virt_etc_rw_t;
  files_type(virt_etc_rw_t)
  
@@ -71397,7 +71480,7 @@ index 947bbc6..1e4a204 100644
  
  type virtd_t;
  type virtd_exec_t;
-@@ -89,9 +148,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
+@@ -89,9 +141,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
  domain_obj_id_change_exemption(virtd_t)
  domain_subj_id_change_exemption(virtd_t)
  
@@ -71415,7 +71498,7 @@ index 947bbc6..1e4a204 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -100,28 +167,53 @@ ifdef(`enable_mls',`
+@@ -100,28 +160,53 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -71483,7 +71566,7 @@ index 947bbc6..1e4a204 100644
  
  corenet_udp_sendrecv_generic_if(svirt_t)
  corenet_udp_sendrecv_generic_node(svirt_t)
-@@ -131,67 +223,73 @@ corenet_udp_bind_all_ports(svirt_t)
+@@ -131,67 +216,73 @@ corenet_udp_bind_all_ports(svirt_t)
  corenet_tcp_bind_all_ports(svirt_t)
  corenet_tcp_connect_all_ports(svirt_t)
  
@@ -71492,8 +71575,7 @@ index 947bbc6..1e4a204 100644
 -userdom_search_user_home_content(svirt_t)
 -userdom_read_user_home_content_symlinks(svirt_t)
 -userdom_read_all_users_state(svirt_t)
-+miscfiles_read_generic_certs(svirt_t)
- 
+-
 -tunable_policy(`virt_use_comm',`
 -	term_use_unallocated_ttys(svirt_t)
 -	dev_rw_printer(svirt_t)
@@ -71503,7 +71585,8 @@ index 947bbc6..1e4a204 100644
 -	fs_read_fusefs_files(svirt_t)
 -	fs_read_fusefs_symlinks(svirt_t)
 -')
--
++miscfiles_read_generic_certs(svirt_t)
+ 
 -tunable_policy(`virt_use_nfs',`
 -	fs_manage_nfs_dirs(svirt_t)
 -	fs_manage_nfs_files(svirt_t)
@@ -71596,7 +71679,7 @@ index 947bbc6..1e4a204 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -202,19 +300,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -202,19 +293,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -71632,7 +71715,7 @@ index 947bbc6..1e4a204 100644
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
  manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
  manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -225,16 +333,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -225,16 +326,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -71656,7 +71739,7 @@ index 947bbc6..1e4a204 100644
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
-@@ -247,22 +361,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -247,22 +354,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -71690,7 +71773,7 @@ index 947bbc6..1e4a204 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +393,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -270,6 +386,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -71709,7 +71792,7 @@ index 947bbc6..1e4a204 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -284,7 +419,8 @@ term_use_ptmx(virtd_t)
+@@ -284,7 +412,8 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -71719,7 +71802,7 @@ index 947bbc6..1e4a204 100644
  miscfiles_read_generic_certs(virtd_t)
  miscfiles_read_hwdata(virtd_t)
  
-@@ -293,17 +429,36 @@ modutils_read_module_config(virtd_t)
+@@ -293,17 +422,36 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -71756,7 +71839,7 @@ index 947bbc6..1e4a204 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +477,10 @@ optional_policy(`
+@@ -322,6 +470,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -71767,7 +71850,7 @@ index 947bbc6..1e4a204 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -335,19 +494,34 @@ optional_policy(`
+@@ -335,19 +487,34 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(virtd_t)
  	')
@@ -71803,7 +71886,7 @@ index 947bbc6..1e4a204 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -362,6 +536,12 @@ optional_policy(`
+@@ -362,6 +529,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -71816,7 +71899,7 @@ index 947bbc6..1e4a204 100644
  	policykit_dbus_chat(virtd_t)
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +549,11 @@ optional_policy(`
+@@ -369,11 +542,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -71833,7 +71916,7 @@ index 947bbc6..1e4a204 100644
  ')
  
  optional_policy(`
-@@ -384,6 +564,7 @@ optional_policy(`
+@@ -384,6 +557,7 @@ optional_policy(`
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
@@ -71841,7 +71924,7 @@ index 947bbc6..1e4a204 100644
  	xen_stream_connect(virtd_t)
  	xen_stream_connect_xenstore(virtd_t)
  	xen_read_image_files(virtd_t)
-@@ -402,35 +583,85 @@ optional_policy(`
+@@ -402,35 +576,86 @@ optional_policy(`
  #
  # virtual domains common policy
  #
@@ -71849,6 +71932,7 @@ index 947bbc6..1e4a204 100644
 -allow virt_domain self:capability { dac_read_search dac_override kill };
 -allow virt_domain self:process { execmem execstack signal getsched signull };
 -allow virt_domain self:fifo_file rw_file_perms;
++allow virt_domain self:capability2 compromise_kernel;
 +allow virt_domain self:process { signal getsched signull };
 +allow virt_domain self:fifo_file rw_fifo_file_perms;
  allow virt_domain self:shm create_shm_perms;
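Review bot: `allow virt_domain self:capability2 compromise_kernel;` is now unconditional and applies to every virt_domain, whereas the previous revision granted it only to svirt_t and only inside the `virt_use_sysfs` tunable (that block, together with `dev_rw_sysfs(virt_domain)`, is removed later in this patch), and neither the commit message nor the spec changelog mentions this widening. The previous changelog entry ties the capability to PCI passthrough, so a confined guest should not hold it by default; keep it behind a boolean, e.g. re-wrap it in the removed virt_use_sysfs tunable_policy block alongside `dev_rw_sysfs(virt_domain)`, or document why every guest now needs it. If the tunable was dropped because the sysfs access moved elsewhere, the sysfs rule should sit next to this capability so the pairing is visible to the next reader.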
@@ -71936,7 +72020,7 @@ index 947bbc6..1e4a204 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -438,34 +669,630 @@ dev_write_sound(virt_domain)
+@@ -438,34 +663,625 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -71962,10 +72046,10 @@ index 947bbc6..1e4a204 100644
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
 +storage_raw_read_removable_device(virt_domain)
++
++sysnet_read_config(virt_domain)
  
 -term_use_all_terms(virt_domain)
-+sysnet_read_config(virt_domain)
-+
 +term_use_all_inherited_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
  term_use_generic_ptys(virt_domain)
@@ -71995,7 +72079,7 @@ index 947bbc6..1e4a204 100644
  	virt_read_content(virt_domain)
  	virt_stream_connect(virt_domain)
 +	virt_domtrans_bridgehelper(virt_domain)
-+')
+ ')
 +
 +optional_policy(`
 +	xserver_rw_shm(virt_domain)
@@ -72029,11 +72113,6 @@ index 947bbc6..1e4a204 100644
 +	fs_getattr_cifs(virt_domain)
 +')
 +
-+tunable_policy(`virt_use_sysfs',`
-+	allow svirt_t self:capability2 compromise_kernel;
-+	dev_rw_sysfs(virt_domain)
-+')
-+
 +tunable_policy(`virt_use_usb',`
 +	dev_rw_usbfs(virt_domain)
 +	dev_read_sysfs(virt_domain)
@@ -72185,7 +72264,7 @@ index 947bbc6..1e4a204 100644
 +	optional_policy(`
 +		hal_dbus_chat(virsh_t)
 +	')
- ')
++')
 +
 +optional_policy(`
 +	vhostmd_rw_tmpfs_files(virsh_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index be3bb57..24e1eb6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 70%{?dist}
+Release: 71%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,23 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Jan 15 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-71
+- Allow udev to communicate with the logind daemon
+- Add labeling for texlive bash scripts
+- Add xserver_filetrans_fonts_cache_home_content() interface
+- Allow rpm_script_t to dbus communicate with certmonger_t
+- Add support for /var/lock/man-db.lock
+- Add support for /var/tmp/abrt(/.*)?
+- Add additional labeling for munin cgi scripts
+- Allow httpd_t to read munin conf files
+- Allow certwatch to read meminfo
+- Fix nscd_dontaudit_write_sock_file() interface
+- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t
+- Allow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
+- Allow numad access discovered by Dominic
+- Allow gnomeclock to talk to puppet over dbus
+- Add support for HOME_DIR/.maildir
+
 * Thu Jan 10 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-70
 - Add label for dns lib files
 - Allow svirt_t images to compromise_kernel when using pci-passthrough

