[selinux-policy/f19] - Allow thumbnails to share memory with apps which run thumbnails - Allow postfix-postqueue block_su
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Apr 30 11:49:11 UTC 2013
commit 5dcff28d4569bd658dd388126e834338ae9f0ee1
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Apr 30 13:48:50 2013 +0200
- Allow thumbnails to share memory with apps which run thumbnails
- Allow postfix-postqueue block_suspend
- Add lib interfaces for smsd
- Add support for nginx
- Allow s2s running as jabberd_t to connect to jabber_interserver_port_t
- Allow pki apache domain to create own tmp files and execute httpd_suexe
- Allow procmail to manage user tmp files/dirs/lnk_files
- Add virt_stream_connect_svirt() interface
- Allow dovecot-auth to execute bin_t
- Allow iscsid to request that kernel load a kernel module
- Add labeling support for /var/lib/mod_security
- Allow iw running as tuned_t to create netlink socket
- Dontaudit sys_tty_config for thumb_t
- Add labeling for nm-l2tp-service
- Allow httpd running as certwatch_t to open tcp socket
- Allow useradd to manage smsd lib files
- Allow useradd_t to add homedirs in /var/lib
- Fix typo in userdomain.te
- Cleanup userdom_read_home_certs
- Implement userdom_home_reader_certs_type to allow read certs also on en
- Allow staff to stream connect to svirt_t to make gnome-boxes working
policy-rawhide-base.patch | 84 ++++---
policy-rawhide-contrib.patch | 531 +++++++++++++++++++++++++++---------------
selinux-policy.spec | 25 ++-
3 files changed, 422 insertions(+), 218 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 11b68a1..0e35c26 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2367,7 +2367,7 @@ index 99e3903..7270808 100644
########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index d555767..fdd0567 100644
+index d555767..4165b4d 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
@@ -2653,13 +2653,13 @@ index d555767..fdd0567 100644
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
+userdom_stream_connect(passwd_t)
-+
-+optional_policy(`
-+ gnome_exec_keyringd(passwd_t)
-+')
optional_policy(`
- nscd_run(passwd_t, passwd_roles)
++ gnome_exec_keyringd(passwd_t)
++')
++
++optional_policy(`
+ #nscd_run(passwd_t, passwd_roles)
+ nscd_domtrans(passwd_t)
')
@@ -2729,7 +2729,7 @@ index d555767..fdd0567 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
-@@ -465,36 +513,35 @@ corecmd_exec_shell(useradd_t)
+@@ -465,36 +513,36 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -2745,6 +2745,7 @@ index d555767..fdd0567 100644
files_relabel_etc_files(useradd_t)
files_read_etc_runtime_files(useradd_t)
+files_manage_etc_files(useradd_t)
++files_rw_var_lib_dirs(useradd_t)
fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)
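Review bot: The new `files_rw_var_lib_dirs(useradd_t)` line grants read/write on every var_lib_t directory, which is wider than the changelog entry ("add homedirs in /var/lib") needs. If the directories useradd creates there are meant to be home directories, a filetrans to user_home_dir_t would also be expected so the new directory does not simply inherit var_lib_t; I cannot see from this hunk whether one is added elsewhere in the patch. The `smsd_manage_lib_files` / `smsd_manage_lib_dirs` pair added to useradd_t in the `@@ -2850` hunk further down widens useradd's write access in the same way, and both blocks would benefit from a one-line comment naming the user whose home directory lives under that path, so the next reader does not mistake them for leftover debugging grants.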
@@ -2777,7 +2778,7 @@ index d555767..fdd0567 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -505,33 +552,36 @@ init_rw_utmp(useradd_t)
+@@ -505,33 +553,36 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@@ -2828,7 +2829,7 @@ index d555767..fdd0567 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
-@@ -542,7 +592,8 @@ optional_policy(`
+@@ -542,7 +593,8 @@ optional_policy(`
')
optional_policy(`
@@ -2838,7 +2839,7 @@ index d555767..fdd0567 100644
')
optional_policy(`
-@@ -550,6 +601,11 @@ optional_policy(`
+@@ -550,6 +602,11 @@ optional_policy(`
')
optional_policy(`
@@ -2850,12 +2851,17 @@ index d555767..fdd0567 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -559,3 +615,7 @@ optional_policy(`
+@@ -559,3 +616,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
+
+optional_policy(`
++ smsd_manage_lib_files(useradd_t)
++ smsd_manage_lib_dirs(useradd_t)
++')
++
++optional_policy(`
+ stapserver_manage_lib(useradd_t)
+')
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
@@ -18190,7 +18196,7 @@ index 234a940..d340f20 100644
########################################
## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..b66bc2a 100644
+index 5da7870..8bd910a 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,67 @@ policy_module(staff, 2.3.1)
@@ -18510,7 +18516,7 @@ index 5da7870..b66bc2a 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +363,20 @@ ifndef(`distro_redhat',`
+@@ -176,3 +363,21 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -18529,6 +18535,7 @@ index 5da7870..b66bc2a 100644
+ allow staff_t self:fifo_file relabelfrom;
+ dev_rw_kvm(staff_t)
+ virt_manage_images(staff_t)
++ virt_stream_connect_svirt(staff_t)
+ ')
+')
diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
@@ -39203,7 +39210,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..b44b1c9 100644
+index 3c5dba7..df7407b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -41870,7 +41877,7 @@ index 3c5dba7..b44b1c9 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3438,4 +4197,1393 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4197,1390 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -42687,13 +42694,10 @@ index 3c5dba7..b44b1c9 100644
+#
+interface(`userdom_read_home_certs',`
+ gen_require(`
-+ type home_cert_t;
++ attribute userdom_home_reader_certs_type;
+ ')
+
-+ userdom_search_user_home_content($1)
-+ allow $1 home_cert_t:dir list_dir_perms;
-+ read_files_pattern($1, home_cert_t, home_cert_t)
-+ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
++ typeattribute $1 userdom_home_reader_certs_type;
+')
+
+########################################
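Review bot: The rewritten `userdom_read_home_certs` now applies `typeattribute $1 userdom_home_reader_certs_type`, which only compiles when `$1` is a type; a caller that passes an attribute (something the old `allow $1 home_cert_t:dir list_dir_perms;` form accepted) will now break the policy build rather than get a denial. The interface header above this hunk should state the new constraint, e.g. in the domain parameter summary: `Domain allowed access. Must be a type, not an attribute.`. Any caller passing an attribute would need to be rewritten to call the interface per type; the callers are not visible from here, so that is worth confirming before the patch lands.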
@@ -43265,7 +43269,7 @@ index 3c5dba7..b44b1c9 100644
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..9e23738 100644
+index e2b538b..2582882 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@@ -43290,36 +43294,36 @@ index e2b538b..9e23738 100644
## <desc>
## <p>
-## Allow regular users direct mouse access
+-## </p>
+-## </desc>
+-gen_tunable(user_direct_mouse, false)
+-
+-## <desc>
+-## <p>
+-## Allow users to read system messages.
+## Allow user to r/w files on filesystems
+## that do not have extended attributes (FAT, CDROM, FLOPPY)
## </p>
## </desc>
--gen_tunable(user_direct_mouse, false)
+-gen_tunable(user_dmesg, false)
+gen_tunable(selinuxuser_rw_noexattrfile, false)
## <desc>
## <p>
--## Allow users to read system messages.
+-## Allow user to r/w files on filesystems
+-## that do not have extended attributes (FAT, CDROM, FLOPPY)
+## Allow user music sharing
## </p>
## </desc>
--gen_tunable(user_dmesg, false)
+-gen_tunable(user_rw_noexattrfile, false)
+gen_tunable(selinuxuser_share_music, false)
## <desc>
## <p>
--## Allow user to r/w files on filesystems
--## that do not have extended attributes (FAT, CDROM, FLOPPY)
+-## Allow w to display everyone
+## Allow user to use ssh chroot environment.
## </p>
## </desc>
--gen_tunable(user_rw_noexattrfile, false)
--
--## <desc>
--## <p>
--## Allow w to display everyone
--## </p>
--## </desc>
-gen_tunable(user_ttyfile_stat, false)
+gen_tunable(selinuxuser_use_ssh_chroot, false)
@@ -43328,10 +43332,11 @@ index e2b538b..9e23738 100644
# all user domains
attribute userdomain;
-@@ -58,6 +52,23 @@ attribute unpriv_userdomain;
+@@ -58,6 +52,24 @@ attribute unpriv_userdomain;
attribute user_home_content_type;
++attribute userdom_home_reader_certs_type;
+attribute userdom_home_reader_type;
+attribute userdom_home_manager_type;
+attribute userdom_filetrans_type;
@@ -43352,7 +43357,7 @@ index e2b538b..9e23738 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +81,207 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +82,218 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -43436,6 +43441,17 @@ index e2b538b..9e23738 100644
+ xserver_filetrans_home_content(userdomain)
+')
+
++
++# rules for types which can read home certs
++allow userdom_home_reader_certs_type home_cert_t:dir list_dir_perms;
++read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
++read_lnk_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
++userdom_search_user_home_content(userdom_home_reader_certs_type)
++
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_read_ecryptfs_files(userdom_home_reader_certs_type)
++')
++
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(userdom_home_reader_type)
+ fs_read_nfs_files(userdom_home_reader_type)
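Review bot: The new `userdom_home_reader_certs_type` block handles only `use_ecryptfs_home_dirs`, while the `userdom_home_reader_type` block directly below it also covers `use_nfs_home_dirs`, so certificates in an NFS (or CIFS) home directory still will not be readable through the attribute unless equivalent tunable blocks exist outside this hunk. If that is intentional, a comment on the block saying so would help; otherwise mirror the pattern below with `fs_read_nfs_files(userdom_home_reader_certs_type)` under a `use_nfs_home_dirs` tunable_policy block (and the CIFS counterpart if the reader type has one). Minor: the extra `++` blank line at the top of the block leaves two consecutive blank lines before the `# rules for types which can read home certs` comment.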
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index efe35c0..cf76426 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2756,10 +2756,10 @@ index 0000000..b334e9a
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 550a69e..8f98c41 100644
+index 550a69e..53e5708 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,161 +1,189 @@
+@@ -1,161 +1,196 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -2796,6 +2796,7 @@ index 550a69e..8f98c41 100644
+/etc/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
@@ -2814,6 +2815,7 @@ index 550a69e..8f98c41 100644
+/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
-/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
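Review bot: The new `/usr/lib/systemd/system/nginx.*` entry is placed after `php-fpm.*`, breaking the alphabetical order that the surrounding httpd/jetty/php-fpm entries follow and that the other nginx entries in this commit respect; move it between `jetty.*` and `php-fpm.*`. The label itself (httpd_unit_file_t) is consistent with the rest of the unit-file block.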
@@ -2862,13 +2864,15 @@ index 550a69e..8f98c41 100644
-/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+-
+-ifdef(`distro_suse',`
+-/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-
--ifdef(`distro_suse',`
--/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
++
+ifdef(`distro_suse', `
+/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
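Review bot: Labelling `/usr/sbin/nginx` as httpd_exec_t means nginx runs in httpd_t and inherits the full apache ruleset and every httpd_* boolean; that appears to be the intent of "Add support for nginx", but nothing in the .fc records it, and a reader could take it for a stopgap until a dedicated domain exists. A short comment above the entry, e.g. `# nginx deliberately runs in httpd_t and shares the apache policy and booleans`, would make the decision explicit. Style: the rewritten distro_suse `ifdef(` line gains a space after the comma that the original line (and the other ifdef lines visible in this patch) do not use.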
@@ -2958,6 +2962,8 @@ index 550a69e..8f98c41 100644
+/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
-/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@ -2990,6 +2996,7 @@ index 550a69e..8f98c41 100644
+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
@@ -3008,6 +3015,7 @@ index 550a69e..8f98c41 100644
+/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
@@ -3087,7 +3095,7 @@ index 550a69e..8f98c41 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
-index 83e899c..c0ece1b 100644
+index 83e899c..c5be77c 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@@ -3110,8 +3118,12 @@ index 83e899c..c0ece1b 100644
- attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
- attribute httpd_script_domains, httpd_htaccess_type;
- type httpd_t, httpd_suexec_t;
-- ')
--
++ attribute httpd_exec_scripts, httpd_script_exec_type;
++ type httpd_t, httpd_suexec_t, httpd_log_t;
++ type httpd_sys_content_t;
++ attribute httpd_script_type, httpd_content_type;
+ ')
+
- ########################################
- #
- # Declarations
@@ -3128,12 +3140,6 @@ index 83e899c..c0ece1b 100644
- gen_tunable(allow_httpd_$1_script_anon_write, false)
-
- type httpd_$1_content_t, httpdcontent; # customizable
-+ attribute httpd_exec_scripts, httpd_script_exec_type;
-+ type httpd_t, httpd_suexec_t, httpd_log_t;
-+ type httpd_sys_content_t;
-+ attribute httpd_script_type, httpd_content_type;
-+ ')
-+
+ #This type is for webpages
+ type httpd_$1_content_t; # customizable;
+ typeattribute httpd_$1_content_t httpd_content_type;
@@ -3253,11 +3259,11 @@ index 83e899c..c0ece1b 100644
- ')
+ # privileged users run the script:
+ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
++
++ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
-+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
-+
+ # apache runs the script:
+ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
')
@@ -3388,7 +3394,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -241,27 +237,28 @@ interface(`apache_domtrans',`
+@@ -241,27 +237,47 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
@@ -3415,6 +3421,25 @@ index 83e899c..c0ece1b 100644
- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ can_exec($1, httpd_exec_t)
++')
++
++######################################
++## <summary>
++## Allow the specified domain to execute apache suexec
++## in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`apache_exec_suexec',`
++ gen_require(`
++ type httpd_suexec_exec_t;
++ ')
++
++ can_exec($1, httpd_suexec_exec_t)
')
#######################################
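Review bot: `apache_exec_suexec` uses `can_exec($1, httpd_suexec_exec_t)`, so the setuid-root suexec helper runs inside the caller's domain instead of transitioning to httpd_suexec_t, and its behaviour is then governed only by the caller's own rules. The summary does say "in the caller domain", but a why-comment in the interface body would record the decision, e.g. `# no domain transition: suexec runs with the caller's own rules`, and the caller (the pki apache domain, per the changelog) should be checked for whatever capabilities a setuid exec in-domain implies. Style: the new block's separator line is 38 `#` characters where the rest of apache.if uses 40.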
@@ -3424,7 +3449,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -279,7 +276,7 @@ interface(`apache_signal',`
+@@ -279,7 +295,7 @@ interface(`apache_signal',`
########################################
## <summary>
@@ -3433,7 +3458,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -297,7 +294,7 @@ interface(`apache_signull',`
+@@ -297,7 +313,7 @@ interface(`apache_signull',`
########################################
## <summary>
@@ -3442,7 +3467,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -315,8 +312,7 @@ interface(`apache_sigchld',`
+@@ -315,8 +331,7 @@ interface(`apache_sigchld',`
########################################
## <summary>
@@ -3452,7 +3477,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -334,8 +330,8 @@ interface(`apache_use_fds',`
+@@ -334,8 +349,8 @@ interface(`apache_use_fds',`
########################################
## <summary>
@@ -3463,7 +3488,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -348,13 +344,13 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -348,13 +363,13 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
@@ -3480,7 +3505,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -372,8 +368,8 @@ interface(`apache_dontaudit_rw_stream_sockets',`
+@@ -372,8 +387,8 @@ interface(`apache_dontaudit_rw_stream_sockets',`
########################################
## <summary>
@@ -3491,7 +3516,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -391,8 +387,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
+@@ -391,8 +406,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
########################################
## <summary>
@@ -3501,7 +3526,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -417,7 +412,8 @@ interface(`apache_manage_all_content',`
+@@ -417,7 +431,8 @@ interface(`apache_manage_all_content',`
########################################
## <summary>
@@ -3511,7 +3536,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -435,7 +431,8 @@ interface(`apache_setattr_cache_dirs',`
+@@ -435,7 +450,8 @@ interface(`apache_setattr_cache_dirs',`
########################################
## <summary>
@@ -3521,7 +3546,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -453,7 +450,8 @@ interface(`apache_list_cache',`
+@@ -453,7 +469,8 @@ interface(`apache_list_cache',`
########################################
## <summary>
@@ -3531,7 +3556,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -471,7 +469,8 @@ interface(`apache_rw_cache_files',`
+@@ -471,7 +488,8 @@ interface(`apache_rw_cache_files',`
########################################
## <summary>
@@ -3541,7 +3566,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -489,7 +488,8 @@ interface(`apache_delete_cache_dirs',`
+@@ -489,7 +507,8 @@ interface(`apache_delete_cache_dirs',`
########################################
## <summary>
@@ -3551,7 +3576,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -507,49 +507,51 @@ interface(`apache_delete_cache_files',`
+@@ -507,49 +526,51 @@ interface(`apache_delete_cache_files',`
########################################
## <summary>
@@ -3614,7 +3639,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -570,8 +572,8 @@ interface(`apache_manage_config',`
+@@ -570,8 +591,8 @@ interface(`apache_manage_config',`
########################################
## <summary>
@@ -3625,7 +3650,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -608,16 +610,38 @@ interface(`apache_domtrans_helper',`
+@@ -608,16 +629,38 @@ interface(`apache_domtrans_helper',`
#
interface(`apache_run_helper',`
gen_require(`
@@ -3667,7 +3692,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -639,7 +663,8 @@ interface(`apache_read_log',`
+@@ -639,7 +682,8 @@ interface(`apache_read_log',`
########################################
## <summary>
@@ -3677,7 +3702,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -657,10 +682,29 @@ interface(`apache_append_log',`
+@@ -657,10 +701,29 @@ interface(`apache_append_log',`
append_files_pattern($1, httpd_log_t, httpd_log_t)
')
@@ -3709,7 +3734,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -678,8 +722,8 @@ interface(`apache_dontaudit_append_log',`
+@@ -678,8 +741,8 @@ interface(`apache_dontaudit_append_log',`
########################################
## <summary>
@@ -3720,7 +3745,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -698,47 +742,49 @@ interface(`apache_manage_log',`
+@@ -698,47 +761,49 @@ interface(`apache_manage_log',`
read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
')
@@ -3783,7 +3808,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -752,11 +798,13 @@ interface(`apache_list_modules',`
+@@ -752,11 +817,13 @@ interface(`apache_list_modules',`
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -3798,7 +3823,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -776,46 +824,63 @@ interface(`apache_exec_modules',`
+@@ -776,46 +843,63 @@ interface(`apache_exec_modules',`
########################################
## <summary>
@@ -3879,7 +3904,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -829,13 +894,14 @@ interface(`apache_list_sys_content',`
+@@ -829,13 +913,14 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -3896,7 +3921,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -844,6 +910,7 @@ interface(`apache_list_sys_content',`
+@@ -844,6 +929,7 @@ interface(`apache_list_sys_content',`
## </param>
## <rolecap/>
#
@@ -3904,21 +3929,23 @@ index 83e899c..c0ece1b 100644
interface(`apache_manage_sys_content',`
gen_require(`
type httpd_sys_content_t;
-@@ -855,32 +922,98 @@ interface(`apache_manage_sys_content',`
+@@ -855,32 +941,98 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
-########################################
+######################################
-+## <summary>
+ ## <summary>
+-## Create, read, write, and delete
+-## httpd system rw content.
+## Allow the specified domain to read
+## apache system content rw files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+## <rolecap/>
+#
+interface(`apache_read_sys_content_rw_files',`
@@ -3950,17 +3977,15 @@ index 83e899c..c0ece1b 100644
+')
+
+######################################
- ## <summary>
--## Create, read, write, and delete
--## httpd system rw content.
++## <summary>
+## Allow the specified domain to manage
+## apache system content rw files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+## <rolecap/>
#
-interface(`apache_manage_sys_rw_content',`
@@ -4011,7 +4036,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -888,10 +1021,17 @@ interface(`apache_manage_sys_rw_content',`
+@@ -888,10 +1040,17 @@ interface(`apache_manage_sys_rw_content',`
## </summary>
## </param>
#
@@ -4030,7 +4055,7 @@ index 83e899c..c0ece1b 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -901,9 +1041,8 @@ interface(`apache_domtrans_sys_script',`
+@@ -901,9 +1060,8 @@ interface(`apache_domtrans_sys_script',`
########################################
## <summary>
@@ -4042,7 +4067,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -941,7 +1080,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -941,7 +1099,7 @@ interface(`apache_domtrans_all_scripts',`
########################################
## <summary>
## Execute all user scripts in the user
@@ -4051,7 +4076,7 @@ index 83e899c..c0ece1b 100644
## to the specified role.
## </summary>
## <param name="domain">
-@@ -954,6 +1093,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -954,6 +1112,7 @@ interface(`apache_domtrans_all_scripts',`
## Role allowed access.
## </summary>
## </param>
@@ -4059,7 +4084,7 @@ index 83e899c..c0ece1b 100644
#
interface(`apache_run_all_scripts',`
gen_require(`
-@@ -966,7 +1106,8 @@ interface(`apache_run_all_scripts',`
+@@ -966,7 +1125,8 @@ interface(`apache_run_all_scripts',`
########################################
## <summary>
@@ -4069,7 +4094,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -979,12 +1120,13 @@ interface(`apache_read_squirrelmail_data',`
+@@ -979,12 +1139,13 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@@ -4085,7 +4110,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1002,7 +1144,7 @@ interface(`apache_append_squirrelmail_data',`
+@@ -1002,7 +1163,7 @@ interface(`apache_append_squirrelmail_data',`
########################################
## <summary>
@@ -4094,7 +4119,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1015,13 +1157,12 @@ interface(`apache_search_sys_content',`
+@@ -1015,13 +1176,12 @@ interface(`apache_search_sys_content',`
type httpd_sys_content_t;
')
@@ -4109,7 +4134,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1041,7 +1182,7 @@ interface(`apache_read_sys_content',`
+@@ -1041,7 +1201,7 @@ interface(`apache_read_sys_content',`
########################################
## <summary>
@@ -4118,7 +4143,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1059,8 +1200,7 @@ interface(`apache_search_sys_scripts',`
+@@ -1059,8 +1219,7 @@ interface(`apache_search_sys_scripts',`
########################################
## <summary>
@@ -4128,7 +4153,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1070,13 +1210,22 @@ interface(`apache_search_sys_scripts',`
+@@ -1070,13 +1229,22 @@ interface(`apache_search_sys_scripts',`
## <rolecap/>
#
interface(`apache_manage_all_user_content',`
@@ -4154,7 +4179,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1094,7 +1243,8 @@ interface(`apache_search_sys_script_state',`
+@@ -1094,7 +1262,8 @@ interface(`apache_search_sys_script_state',`
########################################
## <summary>
@@ -4164,7 +4189,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1111,10 +1261,29 @@ interface(`apache_read_tmp_files',`
+@@ -1111,10 +1280,29 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -4196,7 +4221,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1127,7 +1296,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1127,7 +1315,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -4205,7 +4230,7 @@ index 83e899c..c0ece1b 100644
')
########################################
-@@ -1136,6 +1305,9 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1136,6 +1324,9 @@ interface(`apache_dontaudit_write_tmp_files',`
## </summary>
## <desc>
## <p>
@@ -4215,7 +4240,7 @@ index 83e899c..c0ece1b 100644
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
-@@ -1165,8 +1337,30 @@ interface(`apache_cgi_domain',`
+@@ -1165,8 +1356,30 @@ interface(`apache_cgi_domain',`
########################################
## <summary>
@@ -4248,7 +4273,7 @@ index 83e899c..c0ece1b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1183,18 +1377,19 @@ interface(`apache_cgi_domain',`
+@@ -1183,18 +1396,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
@@ -4277,7 +4302,7 @@ index 83e899c..c0ece1b 100644
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1204,10 +1399,10 @@ interface(`apache_admin',`
+@@ -1204,10 +1418,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -4291,7 +4316,7 @@ index 83e899c..c0ece1b 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1218,9 +1413,129 @@ interface(`apache_admin',`
+@@ -1218,9 +1432,129 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -9879,12 +9904,14 @@ index 2354e21..fb8c9ed 100644
+ ')
+')
diff --git a/certwatch.te b/certwatch.te
-index 403af41..8f201ca 100644
+index 403af41..8da9f32 100644
--- a/certwatch.te
+++ b/certwatch.te
-@@ -21,32 +21,40 @@ role certwatch_roles types certwatch_t;
+@@ -20,33 +20,42 @@ role certwatch_roles types certwatch_t;
+
allow certwatch_t self:capability sys_nice;
allow certwatch_t self:process { setsched getsched };
++allow certwatch_t self:tcp_socket create_stream_socket_perms;
+kernel_read_system_state(certwatch_t)
+
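Review bot: `allow certwatch_t self:tcp_socket create_stream_socket_perms;` grants create/bind/connect/listen on the socket but comes with no corenet node, interface or port rules, so if httpd run from certwatch_t actually needs to listen or connect it will still be denied, and if it merely creates a socket at startup a `dontaudit certwatch_t self:tcp_socket create;` would be the narrower fix. Which case applies depends on the denial that motivated the change, which the commit does not record; a comment above the rule quoting the triggering access would let the next reviewer tell the two apart.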
@@ -20976,7 +21003,7 @@ index dbcac59..66d42bb 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..93e583c 100644
+index a7bfaf0..5690e77 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
@@ -21226,7 +21253,7 @@ index a7bfaf0..93e583c 100644
sendmail_domtrans(dovecot_t)
')
-@@ -221,46 +213,59 @@ optional_policy(`
+@@ -221,46 +213,61 @@ optional_policy(`
########################################
#
@@ -21257,7 +21284,8 @@ index a7bfaf0..93e583c 100644
+dovecot_stream_connect_auth(dovecot_auth_t)
-allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
--
++corecmd_exec_bin(dovecot_auth_t)
+
-files_search_pids(dovecot_auth_t)
-files_read_usr_files(dovecot_auth_t)
-files_read_var_lib_files(dovecot_auth_t)
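Review bot: `corecmd_exec_bin(dovecot_auth_t)` lets the authentication domain execute any bin_t binary without a domain transition, so whatever helper dovecot-auth needs runs with dovecot_auth_t's access to credential material. If the need is one specific helper (a checkpassword-style script, say), giving it its own exec type and a transition would keep the auth domain tighter; if a generic exec really is required, a comment naming the executable that triggered the denial would help. The enclosing dovecot_auth_t section continues outside this hunk.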
@@ -21296,7 +21324,7 @@ index a7bfaf0..93e583c 100644
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
-@@ -272,14 +277,21 @@ optional_policy(`
+@@ -272,14 +279,21 @@ optional_policy(`
optional_policy(`
postfix_manage_private_sockets(dovecot_auth_t)
@@ -21319,7 +21347,7 @@ index a7bfaf0..93e583c 100644
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +301,41 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +303,41 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -21378,7 +21406,7 @@ index a7bfaf0..93e583c 100644
mta_read_queue(dovecot_deliver_t)
')
-@@ -326,5 +344,6 @@ optional_policy(`
+@@ -326,5 +346,6 @@ optional_policy(`
')
optional_policy(`
@@ -28843,7 +28871,7 @@ index 1a35420..1d27695 100644
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/iscsi.te b/iscsi.te
-index 57304e4..e7080f8 100644
+index 57304e4..7edd3d4 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -9,8 +9,8 @@ type iscsid_t;
@@ -28865,7 +28893,7 @@ index 57304e4..e7080f8 100644
allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file rw_fifo_file_perms;
allow iscsid_t self:unix_stream_socket { accept connectto listen };
-@@ -64,11 +63,11 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+@@ -64,11 +63,12 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
can_exec(iscsid_t, iscsid_exec_t)
@@ -28873,12 +28901,13 @@ index 57304e4..e7080f8 100644
kernel_read_network_state(iscsid_t)
kernel_read_system_state(iscsid_t)
kernel_setsched(iscsid_t)
++kernel_request_load_module(iscsid_t)
-corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t)
corenet_tcp_sendrecv_generic_if(iscsid_t)
corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -85,10 +84,13 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,10 +85,13 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)
corenet_tcp_sendrecv_isns_port(iscsid_t)
@@ -28894,7 +28923,7 @@ index 57304e4..e7080f8 100644
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
-@@ -99,8 +101,6 @@ init_stream_connect_script(iscsid_t)
+@@ -99,8 +102,6 @@ init_stream_connect_script(iscsid_t)
logging_send_syslog_msg(iscsid_t)
@@ -29170,7 +29199,7 @@ index 16b1666..01673a4 100644
- admin_pattern($1, jabberd_var_run_t)
')
diff --git a/jabber.te b/jabber.te
-index bb12c90..ff69343 100644
+index bb12c90..fb916e0 100644
--- a/jabber.te
+++ b/jabber.te
@@ -1,4 +1,4 @@
@@ -29179,7 +29208,7 @@ index bb12c90..ff69343 100644
########################################
#
-@@ -9,129 +9,130 @@ attribute jabberd_domain;
+@@ -9,129 +9,131 @@ attribute jabberd_domain;
jabber_domain_template(jabberd)
jabber_domain_template(jabberd_router)
@@ -29280,6 +29309,7 @@ index bb12c90..ff69343 100644
-manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
+corenet_tcp_bind_jabber_interserver_port(jabberd_t)
++corenet_tcp_connect_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_router_port(jabberd_t)
-allow jabberd_t jabberd_log_t:dir setattr_dir_perms;
@@ -32232,6 +32262,18 @@ index 9725f1a..34aa63b 100644
seutil_sigchld_newrole(kudzu_t)
')
+diff --git a/l2tp.fc b/l2tp.fc
+index d5d1572..82267a7 100644
+--- a/l2tp.fc
++++ b/l2tp.fc
+@@ -5,6 +5,7 @@
+ /etc/sysconfig/.*l2tpd -- gen_context(system_u:object_r:l2tp_conf_t,s0)
+
+ /usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
++/usr/libexec/nm-l2tp-service -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
+
+ /var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
+ /var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0)
diff --git a/l2tp.if b/l2tp.if
index 73e2803..562d25b 100644
--- a/l2tp.if
@@ -51894,10 +51936,10 @@ index 0000000..0c167b7
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
-index 0000000..8119448
+index 0000000..e1d3320
--- /dev/null
+++ b/pki.if
-@@ -0,0 +1,265 @@
+@@ -0,0 +1,272 @@
+
+## <summary>policy for pki</summary>
+########################################
@@ -51966,6 +52008,9 @@ index 0000000..8119448
+ type $1_lock_t;
+ files_lock_file($1_lock_t)
+
++ type $1_tmp_t;
++ files_tmpfs_file($1_tmp_t)
++
+ ########################################
+ #
+ # $1 local policy
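Review bot: `files_tmpfs_file($1_tmp_t)` declares the new type as a tmpfs file type, but the next hunk in this file (the one adding `files_tmp_filetrans($1_t, $1_tmp_t, { file dir })`) creates those objects under /tmp, so the declaration should be `files_tmp_file($1_tmp_t)` unless the type is also meant for tmpfs content. With the tmpfs attribute the files left in /tmp will not carry the attribute that the generic tmp-file interfaces key on, so they fall outside the usual tmp handling. The enclosing template starts outside the hunk.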
@@ -51996,6 +52041,10 @@ index 0000000..8119448
+ manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t)
+ files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file })
+
++ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
++
+ #talk to lunasa hsm
+ logging_send_syslog_msg($1_t)
+
@@ -52165,10 +52214,10 @@ index 0000000..8119448
+')
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..352c7e4
+index 0000000..10eaddc
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,282 @@
+@@ -0,0 +1,283 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -52438,6 +52487,7 @@ index 0000000..352c7e4
+ apache_list_modules(pki_apache_domain)
+ apache_read_config(pki_apache_domain)
+ apache_exec(pki_apache_domain)
++ apache_exec_suexec(pki_apache_domain)
+ apache_entrypoint(pki_apache_domain)
+
+ # should be started using a script which will execute httpd
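Review bot: `apache_exec_suexec(pki_apache_domain)` is added without a comment, and from its name it appears to run the suexec helper inside pki_apache_domain rather than transitioning to the suexec domain (the interface body is outside this hunk, so this is inferred). If the helper is expected to behave as it does under httpd, a domain-transition interface would be the safer choice; if in-domain execution is deliberate, a comment such as `# suexec is run in-domain; pki does not use it for privilege separation` records that decision for the next reviewer.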
@@ -55128,7 +55178,7 @@ index 2e23946..589bbf2 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 191a66f..fa32037 100644
+index 191a66f..c142af5 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,4 +1,4 @@
@@ -55772,7 +55822,7 @@ index 191a66f..fa32037 100644
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
-@@ -621,17 +544,23 @@ optional_policy(`
+@@ -621,17 +544,24 @@ optional_policy(`
#######################################
#
@@ -55780,6 +55830,7 @@ index 191a66f..fa32037 100644
+# Postfix postqueue local policy
#
++allow postfix_postqueue_t self:capability2 block_suspend;
+allow postfix_postqueue_t self:tcp_socket create;
+allow postfix_postqueue_t self:udp_socket { create ioctl };
+
@@ -55799,7 +55850,7 @@ index 191a66f..fa32037 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +576,77 @@ optional_policy(`
+@@ -647,67 +577,77 @@ optional_policy(`
########################################
#
@@ -55895,7 +55946,7 @@ index 191a66f..fa32037 100644
')
optional_policy(`
-@@ -720,24 +659,27 @@ optional_policy(`
+@@ -720,24 +660,27 @@ optional_policy(`
########################################
#
@@ -55929,7 +55980,7 @@ index 191a66f..fa32037 100644
fs_getattr_all_dirs(postfix_smtpd_t)
fs_getattr_all_fs(postfix_smtpd_t)
-@@ -754,6 +696,7 @@ optional_policy(`
+@@ -754,6 +697,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@@ -55937,7 +55988,7 @@ index 191a66f..fa32037 100644
')
optional_policy(`
-@@ -764,31 +707,99 @@ optional_policy(`
+@@ -764,31 +708,99 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -57912,7 +57963,7 @@ index 00edeab..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
')
diff --git a/procmail.te b/procmail.te
-index d447152..5940a04 100644
+index d447152..a911295 100644
--- a/procmail.te
+++ b/procmail.te
@@ -1,4 +1,4 @@
@@ -57947,7 +57998,7 @@ index d447152..5940a04 100644
allow procmail_t procmail_log_t:dir setattr_dir_perms;
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -40,59 +44,72 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+@@ -40,59 +44,76 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
allow procmail_t procmail_tmp_t:file manage_file_perms;
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
@@ -57998,10 +58049,10 @@ index d447152..5940a04 100644
-logging_send_syslog_msg(procmail_t)
+application_exec_all(procmail_t)
-+
-+init_read_utmp(procmail_t)
-miscfiles_read_localization(procmail_t)
++init_read_utmp(procmail_t)
++
+logging_send_syslog_msg(procmail_t)
+logging_append_all_logs(procmail_t)
@@ -58023,6 +58074,10 @@ index d447152..5940a04 100644
+userdom_manage_user_home_content_sockets(procmail_t)
+userdom_filetrans_home_content(procmail_t)
+
++userdom_manage_user_tmp_dirs(procmail_t)
++userdom_manage_user_tmp_files(procmail_t)
++userdom_manage_user_tmp_symlinks(procmail_t)
++
+# Execute user executables
+userdom_exec_user_bin_files(procmail_t)
+
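Review bot: The three `userdom_manage_user_tmp_*` lines give procmail_t full manage rights over all user tmp dirs, files and symlinks, with no comment on which delivery step needs them. A why-comment such as `# recipes and lock files may be written under the user's /tmp` (confirm against the denial this fixes) would let a later reviewer judge whether a narrower grant, e.g. without symlink management, is enough. The procmail_t stanza continues beyond the hunk.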
@@ -58047,7 +58102,7 @@ index d447152..5940a04 100644
')
optional_policy(`
-@@ -100,12 +117,7 @@ optional_policy(`
+@@ -100,12 +121,7 @@ optional_policy(`
')
optional_policy(`
@@ -58061,7 +58116,7 @@ index d447152..5940a04 100644
')
optional_policy(`
-@@ -113,16 +125,17 @@ optional_policy(`
+@@ -113,16 +129,17 @@ optional_policy(`
')
optional_policy(`
@@ -58084,7 +58139,7 @@ index d447152..5940a04 100644
')
optional_policy(`
-@@ -131,6 +144,8 @@ optional_policy(`
+@@ -131,6 +148,8 @@ optional_policy(`
')
optional_policy(`
@@ -76813,6 +76868,92 @@ index 0000000..92c3638
+logging_send_syslog_msg(smsd_t)
+
+sysnet_dns_name_resolve(smsd_t)
+diff --git a/smstools.if b/smstools.if
+index cbfe369..085ac13 100644
+--- a/smstools.if
++++ b/smstools.if
+@@ -1,5 +1,81 @@
+ ## <summary> Tools to send and receive short messages through GSM modems or mobile phones.</summary>
+
++#######################################
++## <summary>
++## Search smsd lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`smsd_search_lib',`
++ gen_require(`
++ type smsd_var_lib_t;
++ ')
++
++ allow $1 smsd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++#######################################
++## <summary>
++## Read smsd lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`smsd_read_lib_files',`
++ gen_require(`
++ type smsd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
++')
++
++#######################################
++## <summary>
++## Manage smsd lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`smsd_manage_lib_files',`
++ gen_require(`
++ type smsd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
++')
++
++#######################################
++## <summary>
++## Manage smsd lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`smsd_manage_lib_dirs',`
++ gen_require(`
++ type smsd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
++')
++
+ ########################################
+ ## <summary>
+ ## All of the rules required to
diff --git a/snmp.fc b/snmp.fc
index c73fa24..408ff61 100644
--- a/snmp.fc
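Review bot: In `smsd_search_lib` the raw `allow $1 smsd_var_lib_t:dir search_dir_perms;` comes before `files_search_var_lib($1)`, while the three sibling interfaces added in the same hunk call `files_search_var_lib($1)` first and then a pattern macro; ordering and phrasing it the same way, e.g. `files_search_var_lib($1)` followed by `search_dirs_pattern($1, smsd_var_lib_t, smsd_var_lib_t)`, makes the four blocks read consistently. The new `#######...` heading lines also appear to be one character shorter than the existing heading kept below them, which is a cosmetic mismatch worth fixing while the hunk is touched.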
@@ -82049,10 +82190,10 @@ index 0000000..601aea3
+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
diff --git a/thumb.if b/thumb.if
new file mode 100644
-index 0000000..bfcd2c7
+index 0000000..74cd27c
--- /dev/null
+++ b/thumb.if
-@@ -0,0 +1,126 @@
+@@ -0,0 +1,129 @@
+
+## <summary>policy for thumb</summary>
+
@@ -82104,6 +82245,9 @@ index 0000000..bfcd2c7
+
+ dontaudit thumb_t $1:dir list_dir_perms;
+ dontaudit thumb_t $1:file read_file_perms;
++
++ allow thumb_t $1:shm rw_shm_perms;
++ allow thumb_t $1:sem create_sem_perms;
+')
+
+########################################
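Review bot: `allow thumb_t $1:shm rw_shm_perms;` and `allow thumb_t $1:sem create_sem_perms;` give the thumbnailer domain write access to the caller's shared memory and create/destroy rights on its semaphores, and the hunk carries no comment on which caller or mechanism needs that. The two dontaudit lines just above show the same $1 being kept at arm's length for dir and file access, so this is a new channel from the confined domain back into the invoking one and deserves a stated reason, e.g. `# rendered thumbnails are handed back to the invoking app via SysV shm/sem` (confirm that is the actual transport). The enclosing interface's name and header are outside the hunk.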
@@ -82181,10 +82325,10 @@ index 0000000..bfcd2c7
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..4e9dc5e
+index 0000000..780a62e
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,143 @@
+@@ -0,0 +1,144 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -82214,6 +82358,7 @@ index 0000000..4e9dc5e
+#
+
+allow thumb_t self:process { setsched signal signull setrlimit };
++dontaudit thumb_t self:capability sys_tty_config;
+
+tunable_policy(`deny_execmem',`',`
+ allow thumb_t self:process execmem;
@@ -83222,7 +83367,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 7116181..ef6133e 100644
+index 7116181..8beef17 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -83235,7 +83380,7 @@ index 7116181..ef6133e 100644
type tuned_var_run_t;
files_pid_file(tuned_var_run_t)
-@@ -29,10 +32,12 @@ files_pid_file(tuned_var_run_t)
+@@ -29,10 +32,13 @@ files_pid_file(tuned_var_run_t)
# Local policy
#
@@ -83246,11 +83391,12 @@ index 7116181..ef6133e 100644
+allow tuned_t self:process { setsched signal };
allow tuned_t self:fifo_file rw_fifo_file_perms;
+allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow tuned_t self:netlink_socket create_socket_perms;
+allow tuned_t self:udp_socket create_socket_perms;
read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
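Review bot: `allow tuned_t self:netlink_socket create_socket_perms;` is added directly below the uevent-specific netlink line with no comment, so the reason for the generic netlink class is not recorded. The changelog attributes it to `iw`, which speaks nl80211 over NETLINK_GENERIC and therefore lands in the generic `netlink_socket` class; suggest `# iw (nl80211 over NETLINK_GENERIC) needs the generic netlink_socket class` above the line. The tuned_t stanza continues outside the hunk.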
-@@ -41,10 +46,12 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
+@@ -41,10 +47,12 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
@@ -83267,7 +83413,7 @@ index 7116181..ef6133e 100644
manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
-@@ -57,6 +64,7 @@ kernel_request_load_module(tuned_t)
+@@ -57,6 +65,7 @@ kernel_request_load_module(tuned_t)
kernel_rw_kernel_sysctl(tuned_t)
kernel_rw_hotplug_sysctls(tuned_t)
kernel_rw_vm_sysctls(tuned_t)
@@ -83275,7 +83421,7 @@ index 7116181..ef6133e 100644
corecmd_exec_bin(tuned_t)
corecmd_exec_shell(tuned_t)
-@@ -64,31 +72,52 @@ corecmd_exec_shell(tuned_t)
+@@ -64,31 +73,52 @@ corecmd_exec_shell(tuned_t)
dev_getattr_all_blk_files(tuned_t)
dev_getattr_all_chr_files(tuned_t)
dev_read_urand(tuned_t)
@@ -84959,7 +85105,7 @@ index c30da4c..014e40c 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..cd873d3 100644
+index 9dec06c..6e25af1 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -85166,7 +85312,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -177,161 +89,53 @@ interface(`virt_domtrans_qmf',`
+@@ -177,142 +89,53 @@ interface(`virt_domtrans_qmf',`
## </summary>
## </param>
#
@@ -85243,24 +85389,6 @@ index 9dec06c..cd873d3 100644
-########################################
-## <summary>
-## Send generic signals to all virt domains.
--## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
--## </param>
--#
--interface(`virt_signal_all_virt_domains',`
-- gen_require(`
-- attribute virt_domain;
-- ')
--
-- allow $1 virt_domain:process signal;
--')
--
--########################################
--## <summary>
--## Send kill signals to all virt domains.
## </summary>
-## <param name="domain">
-## <summary>
@@ -85268,26 +85396,45 @@ index 9dec06c..cd873d3 100644
-## </summary>
## </param>
#
--interface(`virt_kill_all_virt_domains',`
+-interface(`virt_signal_all_virt_domains',`
+interface(`virt_domtrans_qmf',`
gen_require(`
- attribute virt_domain;
+ type virt_qmf_t, virt_qmf_exec_t;
')
-- allow $1 virt_domain:process sigkill;
+- allow $1 virt_domain:process signal;
+ corecmd_search_bin($1)
+ domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
')
########################################
## <summary>
+-## Send kill signals to all virt domains.
++## Transition to virt_bridgehelper.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`virt_kill_all_virt_domains',`
+- gen_require(`
+- attribute virt_domain;
+- ')
+-
+- allow $1 virt_domain:process sigkill;
+-')
+-
+-########################################
+ ## <summary>
-## Execute svirt lxc domains in their
-## domain, and allow the specified
-## role that svirt lxc domain.
-+## Transition to virt_bridgehelper.
++## Domain allowed to transition.
## </summary>
- ## <param name="domain">
+-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
@@ -85296,53 +85443,71 @@ index 9dec06c..cd873d3 100644
-## <summary>
-## Role allowed access.
-## </summary>
--## </param>
+ ## </param>
-#
-interface(`virt_run_svirt_lxc_domain',`
-- gen_require(`
++interface(`virt_domtrans_bridgehelper',`
+ gen_require(`
- attribute svirt_lxc_domain;
- attribute_role svirt_lxc_domain_roles;
-- ')
--
++ type virt_bridgehelper_t, virt_bridgehelper_exec_t;
+ ')
+
- allow $1 svirt_lxc_domain:process { signal transition };
- roleattribute $2 svirt_lxc_domain_roles;
-
- allow svirt_lxc_domain $1:fd use;
- allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms;
- allow svirt_lxc_domain $1:process sigchld;
--')
--
--#######################################
++ domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
+ ')
+
+ #######################################
## <summary>
-## Get attributes of virtd executable files.
-+## Domain allowed to transition.
++## Connect to virt over a unix domain stream socket.
## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -320,18 +143,18 @@ interface(`virt_run_svirt_lxc_domain',`
+ ## </summary>
## </param>
--#
+ #
-interface(`virt_getattr_virtd_exec_files',`
-+interface(`virt_domtrans_bridgehelper',`
++interface(`virt_stream_connect',`
gen_require(`
- type virtd_exec_t;
-+ type virt_bridgehelper_t, virt_bridgehelper_exec_t;
++ type virtd_t, virt_var_run_t;
')
- allow $1 virtd_exec_t:file getattr_file_perms;
-+ domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
++ files_search_pids($1)
++ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
')
#######################################
## <summary>
-## Connect to virt with a unix
-## domain stream socket.
-+## Connect to virt over a unix domain stream socket.
++## Connect to svirt process over a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
-@@ -350,7 +154,7 @@ interface(`virt_stream_connect',`
+@@ -339,18 +162,17 @@ interface(`virt_getattr_virtd_exec_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_stream_connect',`
++interface(`virt_stream_connect_svirt',`
+ gen_require(`
+- type virtd_t, virt_var_run_t;
++ type svirt_t;
+ ')
+
+- files_search_pids($1)
+- stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
++ allow $1 svirt_t:unix_stream_socket connectto;
+ ')
########################################
## <summary>
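Review bot: `virt_stream_connect_svirt` grants only `allow $1 svirt_t:unix_stream_socket connectto;`, whereas `virt_stream_connect` directly above it uses stream_connect_pattern with a sock_file type, so callers of the new interface get no access to any socket file and it only works where the caller can already write the socket file or the socket is abstract. That limitation should be stated in the interface, e.g. `# connectto only: the caller must already be able to write the socket file (e.g. a user-owned socket)`, so users do not assume it is a complete stream-connect grant. Whether MCS separation between svirt instances bounds this connect is not visible from the hunk and is worth confirming before handing the interface to staff_t.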
@@ -85351,7 +85516,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -369,7 +173,7 @@ interface(`virt_attach_tun_iface',`
+@@ -369,7 +191,7 @@ interface(`virt_attach_tun_iface',`
########################################
## <summary>
@@ -85360,7 +85525,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -383,7 +187,6 @@ interface(`virt_read_config',`
+@@ -383,7 +205,6 @@ interface(`virt_read_config',`
')
files_search_etc($1)
@@ -85368,7 +85533,7 @@ index 9dec06c..cd873d3 100644
read_files_pattern($1, virt_etc_t, virt_etc_t)
read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-@@ -391,8 +194,7 @@ interface(`virt_read_config',`
+@@ -391,8 +212,7 @@ interface(`virt_read_config',`
########################################
## <summary>
@@ -85378,7 +85543,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -406,7 +208,6 @@ interface(`virt_manage_config',`
+@@ -406,7 +226,6 @@ interface(`virt_manage_config',`
')
files_search_etc($1)
@@ -85386,7 +85551,7 @@ index 9dec06c..cd873d3 100644
manage_files_pattern($1, virt_etc_t, virt_etc_t)
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-@@ -414,8 +215,7 @@ interface(`virt_manage_config',`
+@@ -414,8 +233,7 @@ interface(`virt_manage_config',`
########################################
## <summary>
@@ -85396,7 +85561,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -450,8 +250,7 @@ interface(`virt_read_content',`
+@@ -450,8 +268,7 @@ interface(`virt_read_content',`
########################################
## <summary>
@@ -85406,7 +85571,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -459,35 +258,17 @@ interface(`virt_read_content',`
+@@ -459,35 +276,17 @@ interface(`virt_read_content',`
## </summary>
## </param>
#
@@ -85445,7 +85610,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -495,53 +276,40 @@ interface(`virt_manage_virt_content',`
+@@ -495,53 +294,40 @@ interface(`virt_manage_virt_content',`
## </summary>
## </param>
#
@@ -85512,7 +85677,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -549,67 +317,36 @@ interface(`virt_home_filetrans_virt_content',`
+@@ -549,67 +335,36 @@ interface(`virt_home_filetrans_virt_content',`
## </summary>
## </param>
#
@@ -85593,7 +85758,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## </param>
## <param name="name" optional="true">
-@@ -618,54 +355,36 @@ interface(`virt_relabel_svirt_home_content',`
+@@ -618,54 +373,36 @@ interface(`virt_relabel_svirt_home_content',`
## </summary>
## </param>
#
@@ -85657,7 +85822,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -673,54 +392,38 @@ interface(`virt_home_filetrans',`
+@@ -673,54 +410,38 @@ interface(`virt_home_filetrans',`
## </summary>
## </param>
#
@@ -85724,7 +85889,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -728,52 +431,78 @@ interface(`virt_manage_generic_virt_home_content',`
+@@ -728,52 +449,78 @@ interface(`virt_manage_generic_virt_home_content',`
## </summary>
## </param>
#
@@ -85822,7 +85987,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -781,19 +510,18 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +528,18 @@ interface(`virt_home_filetrans_virt_home',`
## </summary>
## </param>
#
@@ -85847,7 +86012,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -801,18 +529,36 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +547,36 @@ interface(`virt_read_pid_files',`
## </summary>
## </param>
#
@@ -85889,7 +86054,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -820,18 +566,17 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +584,17 @@ interface(`virt_manage_pid_files',`
## </summary>
## </param>
#
@@ -85912,7 +86077,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -839,20 +584,18 @@ interface(`virt_search_lib',`
+@@ -839,20 +602,18 @@ interface(`virt_search_lib',`
## </summary>
## </param>
#
@@ -85937,7 +86102,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -860,115 +603,245 @@ interface(`virt_read_lib_files',`
+@@ -860,115 +621,245 @@ interface(`virt_read_lib_files',`
## </summary>
## </param>
#
@@ -86148,13 +86313,13 @@ index 9dec06c..cd873d3 100644
## <summary>
-## Domain allowed access.
+## Domain allowed access
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the sandbox domain.
- ## </summary>
- ## </param>
++## </summary>
++## </param>
+## <rolecap/>
#
-interface(`virt_append_log',`
@@ -86220,7 +86385,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -976,18 +849,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +867,17 @@ interface(`virt_manage_log',`
## </summary>
## </param>
#
@@ -86243,7 +86408,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -995,36 +867,35 @@ interface(`virt_search_images',`
+@@ -995,36 +885,35 @@ interface(`virt_search_images',`
## </summary>
## </param>
#
@@ -86299,7 +86464,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1032,58 +903,57 @@ interface(`virt_read_images',`
+@@ -1032,58 +921,57 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@@ -86379,7 +86544,7 @@ index 9dec06c..cd873d3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1091,95 +961,168 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,95 +979,168 @@ interface(`virt_manage_virt_cache',`
## </summary>
## </param>
#
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a51744a..b5bdd7c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 37%{?dist}
+Release: 38%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -530,6 +530,29 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Apr 30 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-38
+- Allow thumbnails to share memory with apps which run thumbnails
+- Allow postfix-postqueue block_suspend
+- Add lib interfaces for smsd
+- Add support for nginx
+- Allow s2s running as jabberd_t to connect to jabber_interserver_port_t
+- Allow pki apache domain to create own tmp files and execute httpd_suexec
+- Allow procmail to manger user tmp files/dirs/lnk_files
+- Add virt_stream_connect_svirt() interface
+- Allow dovecot-auth to execute bin_t
+- Allow iscsid to request that kernel load a kernel module
+- Add labeling support for /var/lib/mod_security
+- Allow iw running as tuned_t to create netlink socket
+- Dontaudit sys_tty_config for thumb_t
+- Add labeling for nm-l2tp-service
+- Allow httpd running as certwatch_t to open tcp socket
+- Allow useradd to manager smsd lib files
+- Allow useradd_t to add homedirs in /var/lib
+- Fix typo in userdomain.te
+- Cleanup userdom_read_home_certs
+- Implement userdom_home_reader_certs_type to allow read certs also on encrypt /home with ecryptfs_t
+- Allow staff to stream connect to svirt_t to make gnome-boxes working
+
* Fri Apr 26 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-37
- Allow lvm to create its own unit files
- Label /var/lib/sepolgen as selinux_config_t