[selinux-policy: 4/4] - Fix up handling of dnsmasq_t creating /var/run/libvirt/network - Turn on sshd_forward_ports boolea

Daniel J Walsh dwalsh at fedoraproject.org
Tue Nov 30 21:24:16 UTC 2010


commit 5bcd7aa5b325e31553b4f5654aa3b2f2e35c264e
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Nov 30 16:24:01 2010 -0500

    - Fix up handling of dnsmasq_t creating /var/run/libvirt/network
    - Turn on sshd_forward_ports boolean by default
    - Allow sysadmin to dbus chat with rpm
    - Add interface for rw_tpm_dev
    - Allow cron to execute bin
    - fsadm needs to write sysfs
    - Dontaudit consoletype reading /var/run/pm-utils
    - Lots of new privs for mozilla_plugin_t running java app, make mozilla_plugin
    - certmonger needs to manage dirsrv data
    - /var/run/pm-utils should be labeled as devicekit_var_run_t

 booleans-targeted.conf |    4 +
 policy-F15.patch       |  532 +++++++++++++++++++++++++++++++++++-------------
 selinux-policy.spec    |   14 ++-
 3 files changed, 403 insertions(+), 147 deletions(-)
---
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 861a6d9..71778d6 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -275,3 +275,7 @@ nscd_use_shm = true
 # Allow fenced domain to connect to the network using TCP.
 #
 fenced_can_network_connect=false
+
+##	allow sshd to forward port connections
+#
+sshd_forward_ports=true
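Review bot: `sshd_forward_ports=true` loosens sshd's confinement on every targeted install, yet the added comment says only what the boolean does, not why it ships enabled. If the reason is to keep existing forwarding setups working, a line such as `# On by default so ssh port forwarding keeps working; run "setsebool -P sshd_forward_ports off" where forwarding is not used.` would give administrators the hardening hint. The header also uses `##<tab>allow …` where the entry just above uses `# Allow …`, so matching that form keeps the file consistent. The rules this boolean gates live in ssh.te and are not visible in this hunk.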
diff --git a/policy-F15.patch b/policy-F15.patch
index f229f8c..7aaeaae 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -316,10 +316,20 @@ index a2e9cb5..cec5c56 100644
  optional_policy(`
  	apache_exec_modules(certwatch_t)
 diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
-index 66fee7d..1b46503 100644
+index 66fee7d..4192e6a 100644
 --- a/policy/modules/admin/consoletype.te
 +++ b/policy/modules/admin/consoletype.te
-@@ -85,10 +85,7 @@ optional_policy(`
+@@ -79,16 +79,17 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	devicekit_dontaudit_read_pid_files(consoletype_t)
++')
++
++optional_policy(`
+ 	files_read_etc_files(consoletype_t)
+ 	firstboot_use_fds(consoletype_t)
+ 	firstboot_rw_pipes(consoletype_t)
  ')
  
  optional_policy(`
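Review bot: The new `devicekit_dontaudit_read_pid_files(consoletype_t)` call silences only what its interface covers, and the definition added to devicekit.if later in this patch is `dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;`, a file-class rule with no directory permissions. If consoletype also trips search or getattr denials on the /var/run/pm-utils directory, or opens the file itself rather than inheriting a descriptor, those AVCs would presumably still be logged. It is worth re-checking the original denial with dontaudit rules disabled (`semodule -DB`). Because a dontaudit removes the access attempt from the audit log, a one-line comment above the call (for example `# descriptor inherited from pm-utils, not needed by consoletype`, if that is the cause) would record why hiding it is safe. The `gen_require(` line in that interface also carries a trailing space.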
@@ -331,7 +341,7 @@ index 66fee7d..1b46503 100644
  ')
  
  optional_policy(`
-@@ -114,6 +111,7 @@ optional_policy(`
+@@ -114,6 +115,7 @@ optional_policy(`
  
  optional_policy(`
  	userdom_use_unpriv_users_fds(consoletype_t)
@@ -356,6 +366,19 @@ index 72bc6d8..5421065 100644
  	seutil_sigchld_newrole(dmesg_t)
  ')
  
+diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
+index 6776b69..86cff15 100644
+--- a/policy/modules/admin/dpkg.te
++++ b/policy/modules/admin/dpkg.te
+@@ -18,7 +18,7 @@ role system_r types dpkg_t;
+ 
+ # lockfile
+ type dpkg_lock_t;
+-files_type(dpkg_lock_t)
++files_lock_file(dpkg_lock_t)
+ 
+ type dpkg_tmp_t;
+ files_tmp_file(dpkg_tmp_t)
 diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if
 index 8fa451c..bc5bfc4 100644
 --- a/policy/modules/admin/firstboot.if
@@ -1889,7 +1912,7 @@ index 0000000..432fb25
 +/usr/lib(64)?/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
 diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
 new file mode 100644
-index 0000000..5ef90cd
+index 0000000..840efc9
 --- /dev/null
 +++ b/policy/modules/apps/chrome.if
 @@ -0,0 +1,90 @@
@@ -1975,8 +1998,8 @@ index 0000000..5ef90cd
 +
 +	allow chrome_sandbox_t $2:unix_dgram_socket { read write };
 +	allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
-+	allow chrome_sandbox_t $2:unix_stream_socket { read write };
-+	allow $2 chrome_sandbox_t:unix_stream_socket { read write };
++	allow chrome_sandbox_t $2:unix_stream_socket { getattr read write };
++	allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
 +
 +	allow $2 chrome_sandbox_t:shm rw_shm_perms;
 +
@@ -4065,7 +4088,7 @@ index 9a6d67d..b0c1197 100644
  ##	mozilla over dbus.
  ## </summary>
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..7099120 100644
+index cbf4bec..05dd44a 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -7,7 +7,7 @@ policy_module(mozilla, 2.2.2)
@@ -4147,7 +4170,7 @@ index cbf4bec..7099120 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,129 @@ optional_policy(`
+@@ -266,3 +291,139 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -4158,7 +4181,7 @@ index cbf4bec..7099120 100644
 +#
 +allow mozilla_plugin_t self:process { setsched signal_perms execmem };
 +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-+allow mozilla_plugin_t self:tcp_socket create_socket_perms;
++allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
 +allow mozilla_plugin_t self:udp_socket create_socket_perms;
 +
 +allow mozilla_plugin_t self:sem create_sem_perms;
@@ -4171,7 +4194,8 @@ index cbf4bec..7099120 100644
 +
 +manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
-+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file })
++manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
++files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
 +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
 +
 +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
@@ -4198,6 +4222,7 @@ index cbf4bec..7099120 100644
 +corenet_tcp_connect_ipp_port(mozilla_plugin_t)
 +corenet_tcp_connect_speech_port(mozilla_plugin_t)
 +
++dev_read_rand(mozilla_plugin_t)
 +dev_read_urand(mozilla_plugin_t)
 +dev_read_video_dev(mozilla_plugin_t)
 +dev_write_video_dev(mozilla_plugin_t)
@@ -4211,13 +4236,17 @@ index cbf4bec..7099120 100644
 +
 +files_read_config_files(mozilla_plugin_t)
 +files_read_usr_files(mozilla_plugin_t)
++files_list_mnt(mozilla_plugin_t)
 +
 +fs_getattr_tmpfs(mozilla_plugin_t)
++fs_list_dos_dirs(mozilla_plugin_t)
++fs_read_dos_files(mozilla_plugin_t)
 +
 +application_dontaudit_signull(mozilla_plugin_t)
 +
 +miscfiles_read_localization(mozilla_plugin_t)
 +miscfiles_read_fonts(mozilla_plugin_t)
++miscfiles_read_certs(mozilla_plugin_t)
 +miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
 +
 +sysnet_dns_name_resolve(mozilla_plugin_t)
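Review bot: `fs_list_dos_dirs(mozilla_plugin_t)` and `fs_read_dos_files(mozilla_plugin_t)` are granted unconditionally, so the plugin domain can read every file on any filesystem labelled `dosfs_t`, and `files_list_mnt` lets it enumerate the mount-point directory. The commit message attributes the new permissions to running a Java app; if only that workload needs these reads, the three lines would sit better inside a `tunable_policy` block behind a boolean that defaults to off. At minimum add a comment above them naming the denial that motivated the access. `miscfiles_read_certs` is, going by its name, read-only access to certificate files and looks proportionate for TLS.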
@@ -4255,6 +4284,10 @@ index cbf4bec..7099120 100644
 +')
 +
 +optional_policy(`
++	java_exec(mozilla_plugin_t)
++')
++
++optional_policy(`
 +	nsplugin_domtrans(mozilla_plugin_t)
 +	nsplugin_rw_exec(mozilla_plugin_t)
 +	nsplugin_manage_home_dirs(mozilla_plugin_t)
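Review bot: `java_exec(mozilla_plugin_t)` by refpolicy naming convention executes the JVM in the caller's domain rather than transitioning, so the Java runtime would hold everything `mozilla_plugin_t` holds, including the `execmem` permission and the `corenet_tcp_connect_*` rules visible elsewhere in this patch. The java.if definition is not shown here, so confirm that staying in the plugin domain is the intent and not a missing domain-transition call. A short comment inside the block, for example `# run the JVM inside mozilla_plugin_t; no transition to a separate java domain`, would make the choice explicit for the next reviewer.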
@@ -7642,7 +7675,7 @@ index b06df19..5282ad5 100644
  
  ########################################
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 36ba519..8b431af 100644
+index 36ba519..e14ac30 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -15,6 +15,7 @@ attribute rpc_port_type;
@@ -7781,7 +7814,7 @@ index 36ba519..8b431af 100644
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pulseaudio, tcp,4713,s0)
-@@ -176,24 +200,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -176,43 +200,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -7814,7 +7847,10 @@ index 36ba519..8b431af 100644
  network_port(syslogd, udp,514,s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
-@@ -203,16 +231,17 @@ network_port(transproxy, tcp,8081,s0)
+ network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
+ network_port(traceroute, udp,64000-64010,s0)
+ network_port(transproxy, tcp,8081,s0)
++network_port(tscd, tcp,30003,s0)
  network_port(ups, tcp,3493,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
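Review bot: `network_port(tscd, tcp,30003,s0)` generates port type names from `tscd`; if this entry is meant for the TrouSerS TCG daemon, whose binary is `tcsd`, the letters are transposed. The misspelling would then become part of the names administrators see and use with `semanage port`. Renaming after release needs a typealias to stay compatible, so it is cheaper to settle the spelling now. The entry is otherwise in alphabetical position after `transproxy`.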
@@ -7835,7 +7871,7 @@ index 36ba519..8b431af 100644
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
-@@ -262,6 +291,10 @@ network_interface(lo, lo, s0 - mls_systemhigh)
+@@ -262,6 +292,10 @@ network_interface(lo, lo, s0 - mls_systemhigh)
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
  
@@ -7884,7 +7920,7 @@ index 3b2da10..7c29e17 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 15a7bef..d5f08a4 100644
+index 15a7bef..80ad190 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -336,6 +336,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
@@ -8130,7 +8166,7 @@ index 15a7bef..d5f08a4 100644
  ##	Get the attributes of sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3773,6 +3917,24 @@ interface(`dev_rw_sysfs',`
+@@ -3773,6 +3917,42 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -8150,12 +8186,30 @@ index 15a7bef..d5f08a4 100644
 +	manage_dirs_pattern($1, sysfs_t, sysfs_t)
 +')
 +
++######################################
++## <summary>
++##	Read and write tpm device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_tpm_dev',`
++	gen_require(`
++		type device_t, tpm_device_t;
++	')
++
++	rw_chr_files_pattern($1, device_t, tpm_device_t)
++')
++
 +########################################
 +## <summary>
  ##	Read from pseudo random number generator devices (e.g., /dev/urandom).
  ## </summary>
  ## <desc>
-@@ -3942,6 +4104,24 @@ interface(`dev_read_usbmon_dev',`
+@@ -3942,6 +4122,24 @@ interface(`dev_read_usbmon_dev',`
  
  ########################################
  ## <summary>
@@ -8180,7 +8234,7 @@ index 15a7bef..d5f08a4 100644
  ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -4252,11 +4432,10 @@ interface(`dev_write_video_dev',`
+@@ -4252,11 +4450,10 @@ interface(`dev_write_video_dev',`
  #
  interface(`dev_rw_vhost',`
  	gen_require(`
@@ -9642,7 +9696,7 @@ index 59bae6a..2e55e71 100644
 +/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/dev/hugepages(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index dfe361a..99984fd 100644
+index dfe361a..f296623 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -9793,7 +9847,33 @@ index dfe361a..99984fd 100644
  #######################################
  ## <summary>
  ##	Create, read, write, and delete dirs
-@@ -1931,7 +1995,26 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1659,6 +1723,25 @@ interface(`fs_search_dos',`
+ 
+ ########################################
+ ## <summary>
++##	list dirs
++##	on a DOS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_list_dos_dirs',`
++	gen_require(`
++		type dosfs_t;
++	')
++
++	list_dirs_pattern($1, dosfs_t, dosfs_t)
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete dirs
+ ##	on a DOS filesystem.
+ ## </summary>
+@@ -1931,7 +2014,26 @@ interface(`fs_read_fusefs_symlinks',`
  
  ########################################
  ## <summary>
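Review bot: The summary for `fs_list_dos_dirs` reads `list dirs` / `on a DOS filesystem.`, lower-case and split over two lines, while the neighbouring summaries start with a capital (`Create, read, write, and delete dirs`). Suggest `##	List directories on a DOS filesystem.` on a single line so the generated interface documentation stays consistent. The rule itself, `list_dirs_pattern($1, dosfs_t, dosfs_t)`, matches that description.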
@@ -9821,7 +9901,7 @@ index dfe361a..99984fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1946,6 +2029,41 @@ interface(`fs_rw_hugetlbfs_files',`
+@@ -1946,6 +2048,41 @@ interface(`fs_rw_hugetlbfs_files',`
  
  	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
  ')
@@ -9863,7 +9943,7 @@ index dfe361a..99984fd 100644
  
  ########################################
  ## <summary>
-@@ -1999,6 +2117,7 @@ interface(`fs_list_inotifyfs',`
+@@ -1999,6 +2136,7 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -9871,7 +9951,7 @@ index dfe361a..99984fd 100644
  ')
  
  ########################################
-@@ -2331,6 +2450,7 @@ interface(`fs_read_nfs_files',`
+@@ -2331,6 +2469,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -9879,7 +9959,7 @@ index dfe361a..99984fd 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2369,6 +2489,7 @@ interface(`fs_write_nfs_files',`
+@@ -2369,6 +2508,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -9887,7 +9967,7 @@ index dfe361a..99984fd 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2395,6 +2516,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2395,6 +2535,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -9913,7 +9993,7 @@ index dfe361a..99984fd 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2435,6 +2575,24 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2435,6 +2594,24 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -9938,7 +10018,7 @@ index dfe361a..99984fd 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2449,7 +2607,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2449,7 +2626,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -9947,7 +10027,7 @@ index dfe361a..99984fd 100644
  ')
  
  ########################################
-@@ -2637,6 +2795,24 @@ interface(`fs_dontaudit_read_removable_files',`
+@@ -2637,6 +2814,24 @@ interface(`fs_dontaudit_read_removable_files',`
  
  ########################################
  ## <summary>
@@ -9972,7 +10052,7 @@ index dfe361a..99984fd 100644
  ##	Read removable storage symbolic links.
  ## </summary>
  ## <param name="domain">
-@@ -2653,6 +2829,25 @@ interface(`fs_read_removable_symlinks',`
+@@ -2653,6 +2848,25 @@ interface(`fs_read_removable_symlinks',`
  	read_lnk_files_pattern($1, removable_t, removable_t)
  ')
  
@@ -9998,7 +10078,7 @@ index dfe361a..99984fd 100644
  ########################################
  ## <summary>
  ##	Read and write block nodes on removable filesystems.
-@@ -2779,6 +2974,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2779,6 +2993,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -10006,7 +10086,7 @@ index dfe361a..99984fd 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -2819,6 +3015,7 @@ interface(`fs_manage_nfs_files',`
+@@ -2819,6 +3034,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -10014,7 +10094,7 @@ index dfe361a..99984fd 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -2845,7 +3042,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+@@ -2845,7 +3061,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
  #########################################
  ## <summary>
  ##	Create, read, write, and delete symbolic links
@@ -10023,7 +10103,7 @@ index dfe361a..99984fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,6 +3056,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -2859,6 +3075,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -10031,7 +10111,7 @@ index dfe361a..99984fd 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3989,6 +4187,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3989,6 +4206,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -10074,7 +10154,7 @@ index dfe361a..99984fd 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4271,6 +4505,8 @@ interface(`fs_mount_all_fs',`
+@@ -4271,6 +4524,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -10083,7 +10163,7 @@ index dfe361a..99984fd 100644
  ')
  
  ########################################
-@@ -4681,3 +4917,24 @@ interface(`fs_unconfined',`
+@@ -4681,3 +4936,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -10964,7 +11044,7 @@ index d62886d..cc51f57 100644
  	')
  
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index d5e88be..ab4b892 100644
+index d5e88be..fd670dd 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -24,20 +24,41 @@ ifndef(`enable_mls',`
@@ -11114,7 +11194,7 @@ index d5e88be..ab4b892 100644
  ')
  
  optional_policy(`
-@@ -265,10 +294,6 @@ optional_policy(`
+@@ -265,20 +294,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -11125,8 +11205,9 @@ index d5e88be..ab4b892 100644
  	rpc_domtrans_nfsd(sysadm_t)
  ')
  
-@@ -276,9 +301,6 @@ optional_policy(`
+ optional_policy(`
  	rpm_run(sysadm_t, sysadm_r)
++	rpm_dbus_chat(sysadm_t, sysadm_r)
  ')
  
 -optional_policy(`
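Review bot: `rpm_dbus_chat(sysadm_t, sysadm_r)` passes a role as a second argument, apparently carried over from the `rpm_run(sysadm_t, sysadm_r)` line above it. D-Bus chat interfaces are called with the domain alone elsewhere in this patch, as in `hal_dbus_chat(crond_t)` in cron.te. The rpm.if definition is not visible here, so check its parameter list. If it takes a single parameter, m4 silently discards the extra argument and the line should read `rpm_dbus_chat(sysadm_t)`.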
@@ -11135,7 +11216,7 @@ index d5e88be..ab4b892 100644
  
  optional_policy(`
  	rsync_exec(sysadm_t)
-@@ -303,7 +325,7 @@ optional_policy(`
+@@ -303,7 +326,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -11144,7 +11225,7 @@ index d5e88be..ab4b892 100644
  ')
  
  optional_policy(`
-@@ -328,10 +350,6 @@ optional_policy(`
+@@ -328,10 +351,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -11155,7 +11236,7 @@ index d5e88be..ab4b892 100644
  	tripwire_run_siggen(sysadm_t, sysadm_r)
  	tripwire_run_tripwire(sysadm_t, sysadm_r)
  	tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -339,18 +357,10 @@ optional_policy(`
+@@ -339,18 +358,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -11174,7 +11255,7 @@ index d5e88be..ab4b892 100644
  	unconfined_domtrans(sysadm_t)
  ')
  
-@@ -363,17 +373,14 @@ optional_policy(`
+@@ -363,17 +374,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -11194,7 +11275,7 @@ index d5e88be..ab4b892 100644
  ')
  
  optional_policy(`
-@@ -385,7 +392,7 @@ optional_policy(`
+@@ -385,7 +393,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -11203,7 +11284,7 @@ index d5e88be..ab4b892 100644
  ')
  
  optional_policy(`
-@@ -400,8 +407,15 @@ optional_policy(`
+@@ -400,8 +408,15 @@ optional_policy(`
  	yam_run(sysadm_t, sysadm_r)
  ')
  
@@ -11219,7 +11300,7 @@ index d5e88be..ab4b892 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -448,5 +462,60 @@ ifndef(`distro_redhat',`
+@@ -448,5 +463,60 @@ ifndef(`distro_redhat',`
  	optional_policy(`
  		java_role(sysadm_r, sysadm_t)
  	')
@@ -16453,7 +16534,7 @@ index 7a6e5ba..d664be8 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index 1a65b5e..1bc0bc7 100644
+index 1a65b5e..e08bbdb 100644
 --- a/policy/modules/services/certmonger.te
 +++ b/policy/modules/services/certmonger.te
 @@ -24,6 +24,7 @@ files_type(certmonger_var_lib_t)
@@ -16494,7 +16575,7 @@ index 1a65b5e..1bc0bc7 100644
  logging_send_syslog_msg(certmonger_t)
  
  miscfiles_read_localization(certmonger_t)
-@@ -58,6 +64,16 @@ miscfiles_manage_generic_cert_files(certmonger_t)
+@@ -58,15 +64,31 @@ miscfiles_manage_generic_cert_files(certmonger_t)
  
  sysnet_dns_name_resolve(certmonger_t)
  
@@ -16511,7 +16592,14 @@ index 1a65b5e..1bc0bc7 100644
  optional_policy(`
  	dbus_system_bus_client(certmonger_t)
  	dbus_connect_system_bus(certmonger_t)
-@@ -68,5 +84,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    dirsrv_manage_config(certmonger_t)
++')
++
++optional_policy(`
+ 	kerberos_use(certmonger_t)
  ')
  
  optional_policy(`
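Review bot: `dirsrv_manage_config(certmonger_t)` gives certmonger what the `manage` naming convention implies is create, write and delete access to the directory server's configuration type, while the commit message says it needs to manage dirsrv data. The dirsrv.if definition is not shown, so confirm the scope. If certmonger only has to update certificate material stored alongside that configuration, say so in a comment above the call; otherwise a narrower interface would be preferable. The line is also indented with four spaces where the surrounding blocks use a tab.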
@@ -18297,7 +18385,7 @@ index 35241ed..b6402c9 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f35b243..6d44d8c 100644
+index f35b243..c6b63be 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -10,18 +10,18 @@ gen_require(`
@@ -18327,6 +18415,15 @@ index f35b243..6d44d8c 100644
  ## </desc>
  gen_tunable(fcron_crond, false)
  
+@@ -38,7 +38,7 @@ type cron_var_lib_t;
+ files_type(cron_var_lib_t)
+ 
+ type cron_var_run_t;
+-files_type(cron_var_run_t)
++files_pid_file(cron_var_run_t)
+ 
+ # var/log files
+ type cron_log_t;
 @@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t)
  
  type crond_tmp_t;
@@ -18413,7 +18510,11 @@ index f35b243..6d44d8c 100644
  allow crond_t self:process { setexec setfscreate };
  allow crond_t self:fd use;
  allow crond_t self:fifo_file rw_fifo_file_perms;
-@@ -193,6 +206,8 @@ corecmd_list_bin(crond_t)
+@@ -190,9 +203,12 @@ auth_domtrans_chk_passwd(crond_t)
+ 
+ corecmd_exec_shell(crond_t)
+ corecmd_list_bin(crond_t)
++corecmd_exec_bin(crond_t)
  corecmd_read_bin_symlinks(crond_t)
  
  domain_use_interactive_fds(crond_t)
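Review bot: `corecmd_exec_bin(crond_t)` lets the cron daemon run any program labelled `bin_t` in its own domain, and the context line above shows `crond_t` holds `setexec` and `setfscreate` on itself, so whatever it executes runs with those abilities. The commit message says only "Allow cron to execute bin". Add a comment naming the program behind the denial, for example `# crond runs <PROGRAM> directly (placeholder: take the path from the AVC)`. The call is also inserted after `corecmd_list_bin`, breaking the alphabetical order the neighbouring `corecmd_*` lines keep.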
@@ -18422,7 +18523,7 @@ index f35b243..6d44d8c 100644
  
  files_read_usr_files(crond_t)
  files_read_etc_runtime_files(crond_t)
-@@ -208,7 +223,9 @@ init_spec_domtrans_script(crond_t)
+@@ -208,7 +224,9 @@ init_spec_domtrans_script(crond_t)
  
  auth_use_nsswitch(crond_t)
  
@@ -18432,7 +18533,7 @@ index f35b243..6d44d8c 100644
  
  seutil_read_config(crond_t)
  seutil_read_default_contexts(crond_t)
-@@ -219,8 +236,10 @@ miscfiles_read_localization(crond_t)
+@@ -219,8 +237,10 @@ miscfiles_read_localization(crond_t)
  userdom_use_unpriv_users_fds(crond_t)
  # Not sure why this is needed
  userdom_list_user_home_dirs(crond_t)
@@ -18443,7 +18544,7 @@ index f35b243..6d44d8c 100644
  
  ifdef(`distro_debian',`
  	# pam_limits is used
-@@ -232,7 +251,7 @@ ifdef(`distro_debian',`
+@@ -232,7 +252,7 @@ ifdef(`distro_debian',`
  	')
  ')
  
@@ -18452,7 +18553,7 @@ index f35b243..6d44d8c 100644
  	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
  	# via redirection of standard out.
  	optional_policy(`
-@@ -240,16 +259,39 @@ ifdef(`distro_redhat', `
+@@ -240,16 +260,39 @@ ifdef(`distro_redhat', `
  	')
  ')
  
@@ -18493,7 +18594,7 @@ index f35b243..6d44d8c 100644
  	amanda_search_var_lib(crond_t)
  ')
  
-@@ -259,6 +301,8 @@ optional_policy(`
+@@ -259,6 +302,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dbus_chat(crond_t)
@@ -18502,7 +18603,7 @@ index f35b243..6d44d8c 100644
  ')
  
  optional_policy(`
-@@ -284,12 +328,18 @@ optional_policy(`
+@@ -284,12 +329,18 @@ optional_policy(`
  	udev_read_db(crond_t)
  ')
  
@@ -18521,7 +18622,7 @@ index f35b243..6d44d8c 100644
  allow system_cronjob_t self:process { signal_perms getsched setsched };
  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
  allow system_cronjob_t self:passwd rootok;
-@@ -301,10 +351,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -301,10 +352,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
  
  # This is to handle /var/lib/misc directory.  Used currently
  # by prelink var/lib files for cron 
@@ -18542,7 +18643,7 @@ index f35b243..6d44d8c 100644
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -324,6 +383,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -324,6 +384,7 @@ allow crond_t system_cronjob_t:fd use;
  allow system_cronjob_t crond_t:fd use;
  allow system_cronjob_t crond_t:fifo_file rw_file_perms;
  allow system_cronjob_t crond_t:process sigchld;
@@ -18550,7 +18651,7 @@ index f35b243..6d44d8c 100644
  
  # Write /var/lock/makewhatis.lock.
  allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -335,9 +395,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -335,9 +396,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -18565,7 +18666,7 @@ index f35b243..6d44d8c 100644
  
  kernel_read_kernel_sysctls(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
-@@ -360,6 +424,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -360,6 +425,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
  dev_getattr_all_blk_files(system_cronjob_t)
  dev_getattr_all_chr_files(system_cronjob_t)
  dev_read_urand(system_cronjob_t)
@@ -18573,7 +18674,7 @@ index f35b243..6d44d8c 100644
  
  fs_getattr_all_fs(system_cronjob_t)
  fs_getattr_all_files(system_cronjob_t)
-@@ -386,6 +451,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -386,6 +452,7 @@ files_dontaudit_search_pids(system_cronjob_t)
  # Access other spool directories like
  # /var/spool/anacron and /var/spool/slrnpull.
  files_manage_generic_spool(system_cronjob_t)
@@ -18581,7 +18682,7 @@ index f35b243..6d44d8c 100644
  
  init_use_script_fds(system_cronjob_t)
  init_read_utmp(system_cronjob_t)
-@@ -408,8 +474,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -408,8 +475,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
  
  seutil_read_config(system_cronjob_t)
  
@@ -18593,7 +18694,7 @@ index f35b243..6d44d8c 100644
  	# via redirection of standard out.
  	optional_policy(`
  		rpm_manage_log(system_cronjob_t)
-@@ -434,6 +502,8 @@ optional_policy(`
+@@ -434,6 +503,8 @@ optional_policy(`
  	apache_read_config(system_cronjob_t)
  	apache_read_log(system_cronjob_t)
  	apache_read_sys_content(system_cronjob_t)
@@ -18602,7 +18703,7 @@ index f35b243..6d44d8c 100644
  ')
  
  optional_policy(`
-@@ -441,6 +511,14 @@ optional_policy(`
+@@ -441,6 +512,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18617,7 +18718,7 @@ index f35b243..6d44d8c 100644
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -451,15 +529,24 @@ optional_policy(`
+@@ -451,15 +530,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18642,7 +18743,7 @@ index f35b243..6d44d8c 100644
  ')
  
  optional_policy(`
-@@ -475,7 +562,7 @@ optional_policy(`
+@@ -475,7 +563,7 @@ optional_policy(`
  	prelink_manage_lib(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_read_cache(system_cronjob_t)
@@ -18651,7 +18752,7 @@ index f35b243..6d44d8c 100644
  ')
  
  optional_policy(`
-@@ -490,6 +577,7 @@ optional_policy(`
+@@ -490,6 +578,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -18659,7 +18760,7 @@ index f35b243..6d44d8c 100644
  ')
  
  optional_policy(`
-@@ -497,7 +585,13 @@ optional_policy(`
+@@ -497,7 +586,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18673,7 +18774,7 @@ index f35b243..6d44d8c 100644
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
  
-@@ -590,9 +684,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -590,9 +685,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -19205,6 +19306,19 @@ index 784753e..bf65e7d 100644
 +	files_search_pids($1)
  	stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
  ')
+diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
+index 8bab059..284a888 100644
+--- a/policy/modules/services/dcc.te
++++ b/policy/modules/services/dcc.te
+@@ -36,7 +36,7 @@ type dcc_var_t;
+ files_type(dcc_var_t)
+ 
+ type dcc_var_run_t;
+-files_type(dcc_var_run_t)
++files_pid_file(dcc_var_run_t)
+ 
+ type dccd_t;
+ type dccd_exec_t;
 diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if
 index 0a1a61b..da508f4 100644
 --- a/policy/modules/services/ddclient.if
@@ -19378,8 +19492,19 @@ index 8ba9425..b10da2c 100644
 +optional_policy(`
 +	gnome_dontaudit_search_config(denyhosts_t)
 +')
+diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc
+index 418a5a0..76542e1 100644
+--- a/policy/modules/services/devicekit.fc
++++ b/policy/modules/services/devicekit.fc
+@@ -10,5 +10,6 @@
+ 
+ /var/run/devkit(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
+ /var/run/DeviceKit-disks(/.*)?		gen_context(system_u:object_r:devicekit_var_run_t,s0)
++/var/run/pm-utils(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
+ /var/run/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
+ /var/run/upower(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..c1ba3f2 100644
+index f706b99..205afb9 100644
 --- a/policy/modules/services/devicekit.if
 +++ b/policy/modules/services/devicekit.if
 @@ -5,9 +5,9 @@
@@ -19420,24 +19545,49 @@ index f706b99..c1ba3f2 100644
  ##	Read devicekit PID files.
  ## </summary>
  ## <param name="domain">
-@@ -147,16 +166,6 @@ interface(`devicekit_read_pid_files',`
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
+@@ -139,22 +158,31 @@ interface(`devicekit_read_pid_files',`
+ 
+ ########################################
+ ## <summary>
+-##	All of the rules required to administrate
+-##	an devicekit environment
++##	Do not audit attempts to read
++##	devicekit PID files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
 -## <param name="role">
 -##	<summary>
 -##	The role to be allowed to manage the devicekit domain.
--##	</summary>
--## </param>
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
 -## <param name="terminal">
--##	<summary>
++#
++interface(`devicekit_dontaudit_read_pid_files',`
++	gen_require(` 
++		type devicekit_var_run_t;
++	')
++
++	dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an devicekit environment
++## </summary>
++## <param name="domain">
+ ##	<summary>
 -##	The type of the user terminal.
--##	</summary>
--## </param>
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
  ## <rolecap/>
- #
- interface(`devicekit_admin',`
-@@ -165,21 +174,22 @@ interface(`devicekit_admin',`
+@@ -165,21 +193,22 @@ interface(`devicekit_admin',`
  		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
  	')
  
@@ -22208,6 +22358,18 @@ index 03742d8..2a87d1e 100644
  	dbus_system_bus_client(gpsd_t)
  ')
  
+diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc
+index c98b0df..9db14d6 100644
+--- a/policy/modules/services/hal.fc
++++ b/policy/modules/services/hal.fc
+@@ -24,7 +24,6 @@
+ /var/run/hald(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
+ /var/run/haldaemon\.pid	--	 		gen_context(system_u:object_r:hald_var_run_t,s0)
+ /var/run/pm(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
+-/var/run/pm-utils(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
+ /var/run/synce.*	 			gen_context(system_u:object_r:hald_var_run_t,s0)
+ /var/run/vbe.*	 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
+ 
 diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
 index 7cf6763..ce32fe5 100644
 --- a/policy/modules/services/hal.if
@@ -23090,7 +23252,7 @@ index 604f67b..31a6075 100644
 +	files_tmp_filetrans($1, krb5_host_rcache_t, file)
 +')
 diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
-index 8edc29b..ee97d9f 100644
+index 8edc29b..c233701 100644
 --- a/policy/modules/services/kerberos.te
 +++ b/policy/modules/services/kerberos.te
 @@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0)
@@ -23115,6 +23277,15 @@ index 8edc29b..ee97d9f 100644
  files_tmp_file(krb5_host_rcache_t)
  
  # types for general configuration files in /etc
+@@ -52,7 +52,7 @@ type krb5kdc_conf_t;
+ files_type(krb5kdc_conf_t)
+ 
+ type krb5kdc_lock_t;
+-files_type(krb5kdc_lock_t)
++files_lock_file(krb5kdc_lock_t)
+ 
+ # types for KDC principal file(s)
+ type krb5kdc_principal_t;
 @@ -93,9 +93,9 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
  dontaudit kadmind_t krb5_conf_t:file write;
  
@@ -23500,9 +23671,18 @@ index 771e04b..81d98b3 100644
  	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
  	files_pid_filetrans($1_t, $1_var_run_t, file)
 diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
-index ae9d49f..65e6d81 100644
+index ae9d49f..931d2f5 100644
 --- a/policy/modules/services/likewise.te
 +++ b/policy/modules/services/likewise.te
+@@ -17,7 +17,7 @@ type likewise_var_lib_t;
+ files_type(likewise_var_lib_t)
+ 
+ type likewise_pstore_lock_t;
+-files_type(likewise_pstore_lock_t)
++files_lock_file(likewise_pstore_lock_t)
+ 
+ type likewise_krb5_ad_t;
+ files_type(likewise_krb5_ad_t)
 @@ -205,7 +205,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_
  # Likewise DC location service local policy
  #
@@ -34535,7 +34715,7 @@ index 22adaca..784c363 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..580297a 100644
+index 2dad3c8..57a8f21 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -34680,7 +34860,7 @@ index 2dad3c8..580297a 100644
  ')
  
  tunable_policy(`use_nfs_home_dirs',`
-@@ -200,6 +203,53 @@ optional_policy(`
+@@ -200,6 +203,56 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -34699,6 +34879,9 @@ index 2dad3c8..580297a 100644
 +allow ssh_keygen_t sshd_key_t:file manage_file_perms;
 +files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
 +
++manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++
 +kernel_read_kernel_sysctls(ssh_keygen_t)
 +
 +fs_search_auto_mountpoints(ssh_keygen_t)
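Review bot: The two added lines, `manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)` and `manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)`, give `ssh_keygen_t` create, write and delete rights on everything labeled `ssh_home_t`, and the changelog does not list this. If that label covers the whole of a user's ~/.ssh, as it usually does, the grant includes authorized_keys and existing private keys, which is more than writing a new key pair requires. The `ssh_keygen_t` section starts and ends outside the hunk, so it cannot be seen here which domains may transition into it. I would add a comment above the two lines stating the use case that needs them, and check whether the directory grant can be narrowed to creation only.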
@@ -34734,7 +34917,7 @@ index 2dad3c8..580297a 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,7 +259,7 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,7 +262,7 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -34743,7 +34926,7 @@ index 2dad3c8..580297a 100644
  
  	dev_read_urand(ssh_keysign_t)
  
-@@ -232,33 +282,39 @@ optional_policy(`
+@@ -232,33 +285,39 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -34792,7 +34975,7 @@ index 2dad3c8..580297a 100644
  ')
  
  optional_policy(`
-@@ -266,11 +322,24 @@ optional_policy(`
+@@ -266,11 +325,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34818,7 +35001,7 @@ index 2dad3c8..580297a 100644
  ')
  
  optional_policy(`
-@@ -284,6 +353,11 @@ optional_policy(`
+@@ -284,6 +356,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34830,7 +35013,7 @@ index 2dad3c8..580297a 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +366,26 @@ optional_policy(`
+@@ -292,26 +369,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -34876,7 +35059,7 @@ index 2dad3c8..580297a 100644
  ') dnl endif TODO
  
  ########################################
-@@ -324,7 +398,6 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -324,7 +401,6 @@ tunable_policy(`ssh_sysadm_login',`
  
  dontaudit ssh_keygen_t self:capability sys_tty_config;
  allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@@ -34884,7 +35067,7 @@ index 2dad3c8..580297a 100644
  allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
  
  allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-@@ -353,10 +426,6 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -353,10 +429,6 @@ logging_send_syslog_msg(ssh_keygen_t)
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
  
  optional_policy(`
@@ -35931,7 +36114,7 @@ index 2124b6a..6546d6e 100644
  
  /var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..2ac9e34 100644
+index 7c5d8d8..8822e63 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
 @@ -14,13 +14,14 @@
@@ -36088,7 +36271,7 @@ index 7c5d8d8..2ac9e34 100644
 +#
 +interface(`virt_pid_filetrans',`
 +	gen_require(`
-+		type virt_vaar_run_t;
++		type virt_var_run_t;
 +	')
 +
 +	filetrans_pattern($1, virt_var_run_t, $2, $3)
@@ -39758,7 +39941,7 @@ index 1c4b1e7..ffa4134 100644
  /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index bea0ade..08a608f 100644
+index bea0ade..6521109 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -40008,7 +40191,32 @@ index bea0ade..08a608f 100644
  ##	Read PAM PID files.
  ## </summary>
  ## <param name="domain">
-@@ -1326,6 +1455,25 @@ interface(`auth_setattr_login_records',`
+@@ -1093,6 +1222,24 @@ interface(`auth_delete_pam_console_data',`
+ 
+ ########################################
+ ## <summary>
++##	Relable all pid directories
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`auth_relabel_pam_console_data_dirs',`
++	gen_require(`
++		type pam_var_console_t;
++	')
++
++	relabel_dirs_pattern($1, pam_var_console_t, pam_var_console_t)
++')
++
++########################################
++## <summary>
+ ##	Read all directories on the filesystem, except
+ ##	the shadow passwords and listed exceptions.
+ ## </summary>
+@@ -1326,6 +1473,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
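Review bot: The summary of the new `auth_relabel_pam_console_data_dirs` interface reads "Relable all pid directories", but the body only requires `pam_var_console_t` and relabels directories of that type. The generated interface documentation would therefore overstate what a caller is granted, which matters when someone audits the new `init_t` caller added in this same commit. I would change the line to `##	Relabel pam console data directories.`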
@@ -40034,7 +40242,7 @@ index bea0ade..08a608f 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1500,6 +1648,8 @@ interface(`auth_manage_login_records',`
+@@ -1500,6 +1666,8 @@ interface(`auth_manage_login_records',`
  #
  interface(`auth_use_nsswitch',`
  
@@ -40043,7 +40251,7 @@ index bea0ade..08a608f 100644
  	files_list_var_lib($1)
  
  	# read /etc/nsswitch.conf
-@@ -1531,7 +1681,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1699,15 @@ interface(`auth_use_nsswitch',`
  	')
  
  	optional_policy(`
@@ -40281,7 +40489,7 @@ index a97a096..dd65c15 100644
  /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index a442acc..e159f32 100644
+index a442acc..69c1509 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
 @@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
@@ -40292,6 +40500,15 @@ index a442acc..e159f32 100644
  # Allow console log change (updfstab)
  kernel_change_ring_buffer_level(fsadm_t)
  # mkreiserfs needs this
+@@ -85,7 +86,7 @@ dev_manage_generic_blk_files(fsadm_t)
+ # Access to /initrd devices
+ dev_search_usbfs(fsadm_t)
+ # for swapon
+-dev_read_sysfs(fsadm_t)
++dev_rw_sysfs(fsadm_t)
+ # Access to /initrd devices
+ dev_getattr_usbfs_dirs(fsadm_t)
+ # Access to /dev/mapper/control
 @@ -117,6 +118,9 @@ fs_remount_xattr_fs(fsadm_t)
  fs_search_tmpfs(fsadm_t)
  fs_getattr_tmpfs_dirs(fsadm_t)
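Review bot: `dev_rw_sysfs(fsadm_t)` still sits under the comment `# for swapon`, which no longer explains the line: read access was the documented swapon need and the write access is what is new. Assuming the interface grants write on everything carrying the generic sysfs label, as its name suggests, this is a broad grant for the domain that the mkfs, partprobe and partx style tools run in. The changelog only says "fsadm needs to write sysfs". The comment should record which tool and which sysfs node produced the denial, for example `# for swapon; write needed by <tool> on <sysfs path>`, so the grant can be narrowed later if a more specific label becomes available.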
@@ -40830,7 +41047,7 @@ index df3fa64..36da732 100644
 +	allow $1 init_t:unix_dgram_socket sendto;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 8a105fd..334ddd0 100644
+index 8a105fd..9a3255e 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,27 @@ gen_require(`
@@ -40960,7 +41177,7 @@ index 8a105fd..334ddd0 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +221,114 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +221,115 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -41019,6 +41236,7 @@ index 8a105fd..334ddd0 100644
 +	storage_getattr_removable_dev(init_t)
 +
 +	auth_relabel_login_records(init_t)
++	auth_relabel_pam_console_data_dirs(init_t)
 +
 +	init_read_script_state(init_t)
 +
@@ -41075,7 +41293,7 @@ index 8a105fd..334ddd0 100644
  ')
  
  optional_policy(`
-@@ -199,10 +336,24 @@ optional_policy(`
+@@ -199,10 +337,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41100,7 +41318,7 @@ index 8a105fd..334ddd0 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +363,7 @@ optional_policy(`
+@@ -212,7 +364,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -41109,7 +41327,7 @@ index 8a105fd..334ddd0 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +392,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +393,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -41124,7 +41342,7 @@ index 8a105fd..334ddd0 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,11 +411,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +412,23 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -41148,7 +41366,7 @@ index 8a105fd..334ddd0 100644
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -291,6 +456,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +457,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -41156,7 +41374,7 @@ index 8a105fd..334ddd0 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +464,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +465,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -41172,7 +41390,7 @@ index 8a105fd..334ddd0 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -323,8 +489,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +490,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -41184,7 +41402,7 @@ index 8a105fd..334ddd0 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +508,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +509,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -41198,7 +41416,7 @@ index 8a105fd..334ddd0 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +523,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +524,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -41207,7 +41425,7 @@ index 8a105fd..334ddd0 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +537,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +538,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -41215,7 +41433,7 @@ index 8a105fd..334ddd0 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +549,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +550,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -41223,7 +41441,7 @@ index 8a105fd..334ddd0 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,13 +570,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +571,14 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -41239,7 +41457,7 @@ index 8a105fd..334ddd0 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +650,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +651,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -41248,7 +41466,7 @@ index 8a105fd..334ddd0 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -519,6 +696,23 @@ ifdef(`distro_redhat',`
+@@ -519,6 +697,23 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -41272,7 +41490,7 @@ index 8a105fd..334ddd0 100644
  	')
  
  	optional_policy(`
-@@ -526,10 +720,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +721,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -41290,7 +41508,7 @@ index 8a105fd..334ddd0 100644
  	')
  
  	optional_policy(`
-@@ -544,6 +745,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +746,35 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -41326,7 +41544,7 @@ index 8a105fd..334ddd0 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +786,8 @@ optional_policy(`
+@@ -556,6 +787,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -41335,7 +41553,7 @@ index 8a105fd..334ddd0 100644
  ')
  
  optional_policy(`
-@@ -572,6 +804,7 @@ optional_policy(`
+@@ -572,6 +805,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -41343,7 +41561,7 @@ index 8a105fd..334ddd0 100644
  ')
  
  optional_policy(`
-@@ -584,6 +817,11 @@ optional_policy(`
+@@ -584,6 +818,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41355,7 +41573,7 @@ index 8a105fd..334ddd0 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -600,9 +838,13 @@ optional_policy(`
+@@ -600,9 +839,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -41369,7 +41587,7 @@ index 8a105fd..334ddd0 100644
  	')
  
  	optional_policy(`
-@@ -701,7 +943,13 @@ optional_policy(`
+@@ -701,7 +944,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41383,7 +41601,7 @@ index 8a105fd..334ddd0 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -724,6 +972,10 @@ optional_policy(`
+@@ -724,6 +973,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41394,7 +41612,7 @@ index 8a105fd..334ddd0 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -737,6 +989,10 @@ optional_policy(`
+@@ -737,6 +990,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41405,7 +41623,7 @@ index 8a105fd..334ddd0 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -745,6 +1001,10 @@ optional_policy(`
+@@ -745,6 +1002,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41416,7 +41634,7 @@ index 8a105fd..334ddd0 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -766,8 +1026,6 @@ optional_policy(`
+@@ -766,8 +1027,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -41425,7 +41643,7 @@ index 8a105fd..334ddd0 100644
  ')
  
  optional_policy(`
-@@ -776,14 +1034,21 @@ optional_policy(`
+@@ -776,14 +1035,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41447,7 +41665,7 @@ index 8a105fd..334ddd0 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1070,19 @@ optional_policy(`
+@@ -805,11 +1071,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41468,7 +41686,7 @@ index 8a105fd..334ddd0 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1092,25 @@ optional_policy(`
+@@ -819,6 +1093,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -41494,7 +41712,7 @@ index 8a105fd..334ddd0 100644
  ')
  
  optional_policy(`
-@@ -844,3 +1136,59 @@ optional_policy(`
+@@ -844,3 +1137,59 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -44239,7 +44457,7 @@ index 170e2c7..bbaa8cf 100644
 +')
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ff5d72d..51a1496 100644
+index ff5d72d..9cd171a 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -44272,7 +44490,7 @@ index ff5d72d..51a1496 100644
  
  type restorecond_var_run_t;
  files_pid_file(restorecond_var_run_t)
-@@ -88,9 +91,14 @@ role system_r types run_init_t;
+@@ -88,26 +91,36 @@ role system_r types run_init_t;
  type semanage_t;
  type semanage_exec_t;
  application_domain(semanage_t, semanage_exec_t)
@@ -44287,7 +44505,19 @@ index ff5d72d..51a1496 100644
  type semanage_store_t;
  files_type(semanage_store_t)
  
-@@ -108,6 +116,11 @@ type setfiles_exec_t alias restorecon_exec_t;
+ type semanage_read_lock_t;
+-files_type(semanage_read_lock_t)
++files_lock_file(semanage_read_lock_t)
+ 
+ type semanage_tmp_t; 
+ files_tmp_file(semanage_tmp_t)
+ 
+ type semanage_trans_lock_t; 
+-files_type(semanage_trans_lock_t)
++files_lock_file(semanage_trans_lock_t)
+ 
+ type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
+ type setfiles_exec_t alias restorecon_exec_t;
  init_system_domain(setfiles_t, setfiles_exec_t)
  domain_obj_id_change_exemption(setfiles_t)
  
@@ -44900,7 +45130,7 @@ index 8e71fb7..350d003 100644
 +	role_transition $1 dhcpc_exec_t system_r;
  ')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index dfbe736..e70feca 100644
+index dfbe736..f66bf66 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0)
@@ -44975,7 +45205,7 @@ index dfbe736..e70feca 100644
  miscfiles_read_localization(dhcpc_t)
  
  modutils_domtrans_insmod(dhcpc_t)
-@@ -155,6 +175,10 @@ optional_policy(`
+@@ -155,6 +175,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44983,10 +45213,14 @@ index dfbe736..e70feca 100644
 +')
 +
 +optional_policy(`
++	devicekit_dontaudit_read_pid_files(dhcpc_t)
++')
++
++optional_policy(`
  	init_dbus_chat_script(dhcpc_t)
  
  	dbus_system_bus_client(dhcpc_t)
-@@ -171,6 +195,8 @@ optional_policy(`
+@@ -171,6 +199,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dontaudit_rw_dgram_sockets(dhcpc_t)
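Review bot: The added `devicekit_dontaudit_read_pid_files(dhcpc_t)` silences a denial without recording its cause, and the changelog mentions the dontaudit only for consoletype. The same line is added for `ifconfig_t` in the later hunk of this file. Once it is in place, any read attempt on devicekit pid files by these network-facing domains no longer appears in the audit log unless dontaudit rules are disabled, for example with `semodule -DB`. I would add a one-line comment above each new `optional_policy` block naming the access being hidden, presumably an inherited descriptor or a pm-utils hook touching /var/run/pm-utils after its relabel, once that is confirmed.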
@@ -44995,7 +45229,7 @@ index dfbe736..e70feca 100644
  ')
  
  optional_policy(`
-@@ -192,6 +218,13 @@ optional_policy(`
+@@ -192,6 +222,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45009,7 +45243,7 @@ index dfbe736..e70feca 100644
  	nis_read_ypbind_pid(dhcpc_t)
  ')
  
-@@ -213,6 +246,7 @@ optional_policy(`
+@@ -213,6 +250,7 @@ optional_policy(`
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
  	seutil_dontaudit_search_config(dhcpc_t)
@@ -45017,7 +45251,7 @@ index dfbe736..e70feca 100644
  ')
  
  optional_policy(`
-@@ -276,8 +310,11 @@ dev_read_urand(ifconfig_t)
+@@ -276,8 +314,11 @@ dev_read_urand(ifconfig_t)
  
  domain_use_interactive_fds(ifconfig_t)
  
@@ -45029,7 +45263,7 @@ index dfbe736..e70feca 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -305,6 +342,8 @@ modutils_domtrans_insmod(ifconfig_t)
+@@ -305,6 +346,8 @@ modutils_domtrans_insmod(ifconfig_t)
  
  seutil_use_runinit_fds(ifconfig_t)
  
@@ -45038,7 +45272,7 @@ index dfbe736..e70feca 100644
  userdom_use_user_terminals(ifconfig_t)
  userdom_use_all_users_fds(ifconfig_t)
  
-@@ -314,6 +353,10 @@ ifdef(`distro_ubuntu',`
+@@ -314,6 +357,10 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -45049,8 +45283,14 @@ index dfbe736..e70feca 100644
  ifdef(`hide_broken_symptoms',`
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
-@@ -327,6 +370,8 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +372,14 @@ ifdef(`hide_broken_symptoms',`
+ ')
+ 
  optional_policy(`
++	devicekit_dontaudit_read_pid_files(ifconfig_t)
++')
++
++optional_policy(`
  	hal_dontaudit_rw_pipes(ifconfig_t)
  	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
 +	hal_dontaudit_read_pid_files(ifconfig_t)
@@ -45058,7 +45298,7 @@ index dfbe736..e70feca 100644
  ')
  
  optional_policy(`
-@@ -334,6 +379,14 @@ optional_policy(`
+@@ -334,6 +387,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45073,7 +45313,7 @@ index dfbe736..e70feca 100644
  	nis_use_ypbind(ifconfig_t)
  ')
  
-@@ -355,3 +408,9 @@ optional_policy(`
+@@ -355,3 +416,9 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bfac031..7da2388 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.10
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,18 @@ exit 0
 %endif
 
 %changelog
+* Tue Nov 30 2010 Dan Walsh <dwalsh at redhat.com> 3.9.9-4
+- Fix up handling of dnsmasq_t creating /var/run/libvirt/network
+- Turn on sshd_forward_ports boolean by default
+- Allow sysadmin to dbus chat with rpm
+- Add interface for rw_tpm_dev
+- Allow cron to execute bin
+- fsadm needs to write sysfs
+- Dontaudit consoletype reading /var/run/pm-utils
+- Lots of new privs fro mozilla_plugin_t running java app, make mozilla_plugin
+- certmonger needs to manage dirsrv data
+- /var/run/pm-utils should be labeled as devicekit_var_run_t
+
 * Tue Nov 30 2010 Miroslav Grepl <mgrepl at redhat.com> 3.9.10-3
 - fixes to allow /var/run and /var/lock as tmpfs
 - Allow chrome sandbox to connect to web ports

