[selinux-policy/f14/master] - Fix fusefs handling - Do not allow sandbox to manage nsplugin_rw_t - Allow mozilla_plugin_t to con

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 13:11:36 UTC 2010


commit 348d60a204c4f040ae03404d80d36252c7a60bec
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Oct 7 09:11:40 2010 -0400

    - Fix fusefs handling
    - Do not allow sandbox to manage nsplugin_rw_t
    - Allow mozilla_plugin_t to connect to its parent
    - Allow init_t to connect to plymouthd running as kernel_t
    - Add mediawiki policy
    - dontaudit sandbox sending signals to itself.  This can happen when they are running at different mcs.
    - Disable transition from dbus_session_domain to telepathy for F14
    - Allow boinc_project to use shm
    - Allow certmonger to search through directories that contain certs
    - Allow fail2ban the DAC Override so it can read log files owned by non root users

 modules-targeted.conf |   14 ++
 policy-F14.patch      |  389 +++++++++++++++++++++++++++++++++++++------------
 selinux-policy.spec   |   14 ++-
 3 files changed, 319 insertions(+), 98 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index a0e09f0..18b94ea 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1742,12 +1742,26 @@ vhostmd = module
 wine = module
 
 # Layer: apps
+# Module: telepathy
+#
+# telepathy - Policy for Telepathy framework
+# 
+telepathy = module
+
+# Layer: apps
 # Module: wireshark
 #
 # wireshark executable
 # 
 wireshark = module
 
+# Layer: apps
+# Module: telepathy
+#
+# telepathy - Policy for Telepathy framework
+# 
+telepathy = module
+
 # Layer: admin
 # Module: tzdata
 #
diff --git a/policy-F14.patch b/policy-F14.patch
index 4977791..92e7eab 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -1733,14 +1733,16 @@ index c35d801..b1a841a 100644
  mta_manage_spool(useradd_t)
  
 diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
-index a870982..6542902 100644
+index a870982..6067b85 100644
 --- a/policy/modules/admin/vpn.te
 +++ b/policy/modules/admin/vpn.te
-@@ -107,6 +107,7 @@ sysnet_manage_config(vpnc_t)
+@@ -106,7 +106,8 @@ sysnet_etc_filetrans_config(vpnc_t)
+ sysnet_manage_config(vpnc_t)
  
  userdom_use_all_users_fds(vpnc_t)
- userdom_dontaudit_search_user_home_content(vpnc_t)
+-userdom_dontaudit_search_user_home_content(vpnc_t)
 +userdom_read_home_certs(vpnc_t)
++userdom_search_admin_dir(vpnc_t)
  
  optional_policy(`
  	dbus_system_bus_client(vpnc_t)
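Review bot: `userdom_search_admin_dir(vpnc_t)` is new in the rewritten inner hunk, but none of the ten items in the commit message mentions vpnc, so the reason vpnc now needs to search the admin home directory is undocumented. Presumably it belongs with the `userdom_read_home_certs(vpnc_t)` line directly above it (certificates kept under the admin home); if so, a comment such as `# vpnc may be pointed at certs under user or admin home dirs` above the pair would record that. Dropping `userdom_dontaudit_search_user_home_content(vpnc_t)` at the same time means any remaining user-home search by vpnc is now audited, which looks intentional but deserves a word too.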
@@ -3629,6 +3631,109 @@ index 49abe8e..47a193c 100644
  ')
  
  optional_policy(`
+diff --git a/policy/modules/apps/mediawiki.fc b/policy/modules/apps/mediawiki.fc
+new file mode 100644
+index 0000000..bf872ef
+--- /dev/null
++++ b/policy/modules/apps/mediawiki.fc
+@@ -0,0 +1,10 @@
++
++/usr/lib(64)?/mediawiki/math/texvc	--	gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)	
++/usr/lib(64)?/mediawiki/math/texvc_tex --      gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
++/usr/lib(64)?/mediawiki/math/texvc_tes --      gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
++
++/var/www/wiki(/.*)?		  gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
++
++/var/www/wiki/.*\.php    --           gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
++
++/usr/share/mediawiki(/.*)?	  gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
+diff --git a/policy/modules/apps/mediawiki.if b/policy/modules/apps/mediawiki.if
+new file mode 100644
+index 0000000..1c1d012
+--- /dev/null
++++ b/policy/modules/apps/mediawiki.if
+@@ -0,0 +1,40 @@
++## <summary>Mediawiki policy</summary>
++
++#######################################
++## <summary>
++##      Allow the specified domain to read
++##      mediawiki tmp files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`mediawiki_read_tmp_files',`
++        gen_require(`
++                type httpd_mediawiki_tmp_t;
++        ')
++
++        files_search_tmp($1)
++        read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++	read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++')
++
++#######################################
++## <summary>
++##      Delete mediawiki tmp files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`mediawiki_delete_tmp_files',`
++        gen_require(`
++                type httpd_mediawiki_tmp_t;
++        ')
++
++        delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++')
+diff --git a/policy/modules/apps/mediawiki.te b/policy/modules/apps/mediawiki.te
+new file mode 100644
+index 0000000..b7f569d
+--- /dev/null
++++ b/policy/modules/apps/mediawiki.te
+@@ -0,0 +1,35 @@
++
++policy_module(mediawiki, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++apache_content_template(mediawiki)
++
++type httpd_mediawiki_tmp_t;
++files_tmp_file(httpd_mediawiki_tmp_t)
++
++permissive httpd_mediawiki_script_t;
++
++########################################
++#
++# mediawiki local policy
++#
++
++manage_dirs_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++manage_files_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++manage_lnk_files_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++files_tmp_filetrans(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, { file dir lnk_file })
++
++files_search_var_lib(httpd_mediawiki_script_t)
++
++userdom_read_user_tmp_files(httpd_mediawiki_script_t)
++
++miscfiles_read_tetex_data(httpd_mediawiki_script_t)
++
++optional_policy(`
++	apache_dontaudit_rw_tmp_files(httpd_mediawiki_script_t)
++')
++
 diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
 index 7b08e13..9c9e6c1 100644
 --- a/policy/modules/apps/mono.if
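Review bot: The new mediawiki.te ships `permissive httpd_mediawiki_script_t;` with no comment, so the whole domain is effectively unenforced (denials are logged, not blocked) and nothing records when that is meant to be lifted; a comment like `# permissive while the policy is being developed; remove before enforcing` on that line would at least make the intent visible. In mediawiki.fc the entry `/usr/lib(64)?/mediawiki/math/texvc_tes` looks like a truncated name next to `texvc` and `texvc_tex` — confirm it against the installed package, since a pattern that matches nothing silently leaves that binary with the default label. The first fc line also carries a trailing tab, and mediawiki.if mixes eight-space and tab indentation inside `mediawiki_read_tmp_files` (the `read_lnk_files_pattern` line), whereas the surrounding policy files in this patch use tabs.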
@@ -3673,7 +3778,7 @@ index 93ac529..aafece7 100644
  /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib(64)?/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..dfac7cc 100644
+index 9a6d67d..b0c1197 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -3732,7 +3837,7 @@ index 9a6d67d..dfac7cc 100644
  ##	Execmod mozilla home directory content.
  ## </summary>
  ## <param name="domain">
-@@ -168,6 +194,69 @@ interface(`mozilla_domtrans',`
+@@ -168,6 +194,70 @@ interface(`mozilla_domtrans',`
  
  ########################################
  ## <summary>
@@ -3777,6 +3882,7 @@ index 9a6d67d..dfac7cc 100644
 +
 +	mozilla_domtrans_plugin($1)
 +	role $2 types mozilla_plugin_t;
++	allow $1 mozilla_plugin_t:unix_stream_socket connectto;
 +')
 +
 +########################################
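Review bot: The added `allow $1 mozilla_plugin_t:unix_stream_socket connectto;` lets the caller domain `$1` (the domain that runs `mozilla_domtrans_plugin` and takes the role assignment above) connect to sockets owned by mozilla_plugin_t, whereas the commit message says the plugin should connect to its parent; one of the two is reversed. If the plugin is the client, the rule would read `allow mozilla_plugin_t $1:unix_stream_socket connectto;` — please check which direction the original denial showed. Either way a short comment naming the peer (`# plugin-container <-> browser control socket`) would spare the next reader the same question. The enclosing interface starts outside the hunk.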
@@ -5678,10 +5784,10 @@ index 0000000..587c440
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..2251b02
+index 0000000..89fcce3
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,407 @@
+@@ -0,0 +1,408 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -5836,6 +5942,8 @@ index 0000000..2251b02
 +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
 +
 +allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
++dontaudit sandbox_x_domain self:process signal;
++
 +allow sandbox_x_domain self:shm create_shm_perms;
 +allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
 +allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
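Review bot: `dontaudit sandbox_x_domain self:process signal;` sits directly under an `allow` that already grants `signal_perms` on the same self:process pair, so on its own it reads as redundant; the reason, per the commit message, is that two sandbox processes at different MCS categories are denied by the MCS constraint rather than by a missing TE rule, and this dontaudit silences that. Put that on the line so nobody removes it as dead: `# signal between sandboxes at different MCS categories is refused by constraint; do not audit`.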
@@ -6047,7 +6155,6 @@ index 0000000..2251b02
 +optional_policy(`
 +	nsplugin_read_rw_files(sandbox_web_type)
 +	nsplugin_rw_exec(sandbox_web_type)
-+	nsplugin_manage_rw(sandbox_web_type)
 +')
 +
 +optional_policy(`
@@ -6246,10 +6353,10 @@ index 0000000..809bb65
 +/usr/libexec/telepathy-sunshine			--		gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
 diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
 new file mode 100644
-index 0000000..3d12484
+index 0000000..21b65bc
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.if
-@@ -0,0 +1,188 @@
+@@ -0,0 +1,190 @@
 +
 +## <summary>Telepathy framework.</summary>
 +
@@ -6281,7 +6388,9 @@ index 0000000..3d12484
 +	files_tmp_file(telepathy_$1_tmp_t)
 +	ubac_constrained(telepathy_$1_tmp_t)
 +
-+	dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t)
++	ifdef(`TODO',`
++		dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t)
++	')
 +')
 +
 +#######################################
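Review bot: Wrapping `dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t)` in `ifdef(`TODO', ...)` disables the transition without saying why, so a reader has to go to the commit message to learn this is a deliberate F14 decision; the practical effect is that session-bus-activated telepathy backends stay in the caller's domain instead of entering telepathy_$1_t. Add a comment above the ifdef, e.g. `# F14: no domain transition from the session bus into telepathy_$1_t; re-enable once the telepathy policy is ready`. The template above (partly outside the hunk) still declares the domain and `telepathy_$1_tmp_t`, so the policy now carries types that nothing reaches by this path.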
@@ -7129,7 +7238,7 @@ index 82842a0..369c3b5 100644
  		dbus_system_bus_client($1_wm_t)
  		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0eb1d97..46af2a4 100644
+index 0eb1d97..217bd0d 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -9,8 +9,11 @@
@@ -7233,7 +7342,15 @@ index 0eb1d97..46af2a4 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,6 +339,7 @@ ifdef(`distro_redhat', `
+@@ -248,6 +273,7 @@ ifdef(`distro_gentoo',`
+ /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall6-lite(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
++/usr/share/texmf/texconfig/tcfmgr --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+ 
+@@ -314,6 +340,7 @@ ifdef(`distro_redhat', `
  /usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
@@ -7241,7 +7358,7 @@ index 0eb1d97..46af2a4 100644
  ')
  
  ifdef(`distro_suse', `
-@@ -340,3 +366,27 @@ ifdef(`distro_suse', `
+@@ -340,3 +367,27 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -12714,7 +12831,7 @@ index 9e39aa5..8603d4d 100644
 +/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index c9e1a44..ba64143 100644
+index c9e1a44..6918ff2 100644
 --- a/policy/modules/services/apache.if
 +++ b/policy/modules/services/apache.if
 @@ -13,17 +13,13 @@
@@ -12974,7 +13091,35 @@ index c9e1a44..ba64143 100644
  ##	Apache cache.
  ## </summary>
  ## <param name="domain">
-@@ -694,7 +730,7 @@ interface(`apache_dontaudit_append_log',`
+@@ -544,6 +580,27 @@ interface(`apache_delete_cache_files',`
+ 
+ ########################################
+ ## <summary>
++##	Allow the specified domain to search
++##	apache configuration dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`apache_search_config',`
++	gen_require(`
++		type httpd_config_t;
++	')
++
++	files_search_etc($1)
++	allow $1 httpd_config_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Allow the specified domain to read
+ ##	apache configuration files.
+ ## </summary>
+@@ -694,7 +751,7 @@ interface(`apache_dontaudit_append_log',`
  		type httpd_log_t;
  	')
  
@@ -12983,7 +13128,7 @@ index c9e1a44..ba64143 100644
  ')
  
  ########################################
-@@ -740,6 +776,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -740,6 +797,25 @@ interface(`apache_dontaudit_search_modules',`
  
  ########################################
  ## <summary>
@@ -13009,7 +13154,7 @@ index c9e1a44..ba64143 100644
  ##	Allow the specified domain to list
  ##	the contents of the apache modules
  ##	directory.
-@@ -756,6 +811,7 @@ interface(`apache_list_modules',`
+@@ -756,6 +832,7 @@ interface(`apache_list_modules',`
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -13017,7 +13162,7 @@ index c9e1a44..ba64143 100644
  ')
  
  ########################################
-@@ -814,6 +870,7 @@ interface(`apache_list_sys_content',`
+@@ -814,6 +891,7 @@ interface(`apache_list_sys_content',`
  	')
  
  	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -13025,7 +13170,7 @@ index c9e1a44..ba64143 100644
  	files_search_var($1)
  ')
  
-@@ -841,6 +898,74 @@ interface(`apache_manage_sys_content',`
+@@ -841,6 +919,74 @@ interface(`apache_manage_sys_content',`
  	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
  ')
  
@@ -13100,7 +13245,7 @@ index c9e1a44..ba64143 100644
  ########################################
  ## <summary>
  ##	Execute all web scripts in the system
-@@ -857,7 +982,11 @@ interface(`apache_manage_sys_content',`
+@@ -857,7 +1003,11 @@ interface(`apache_manage_sys_content',`
  interface(`apache_domtrans_sys_script',`
  	gen_require(`
  		attribute httpdcontent;
@@ -13113,7 +13258,7 @@ index c9e1a44..ba64143 100644
  	')
  
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -916,9 +1045,10 @@ interface(`apache_domtrans_all_scripts',`
+@@ -916,9 +1066,10 @@ interface(`apache_domtrans_all_scripts',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -13125,7 +13270,7 @@ index c9e1a44..ba64143 100644
  #
  interface(`apache_run_all_scripts',`
  	gen_require(`
-@@ -945,7 +1075,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -945,7 +1096,7 @@ interface(`apache_read_squirrelmail_data',`
  		type httpd_squirrelmail_t;
  	')
  
@@ -13134,7 +13279,7 @@ index c9e1a44..ba64143 100644
  ')
  
  ########################################
-@@ -1086,6 +1216,25 @@ interface(`apache_read_tmp_files',`
+@@ -1086,6 +1237,25 @@ interface(`apache_read_tmp_files',`
  	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
  ')
  
@@ -13160,7 +13305,7 @@ index c9e1a44..ba64143 100644
  ########################################
  ## <summary>
  ##	Dontaudit attempts to write
-@@ -1102,7 +1251,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1102,7 +1272,7 @@ interface(`apache_dontaudit_write_tmp_files',`
  		type httpd_tmp_t;
  	')
  
@@ -13169,7 +13314,7 @@ index c9e1a44..ba64143 100644
  ')
  
  ########################################
-@@ -1165,17 +1314,14 @@ interface(`apache_cgi_domain',`
+@@ -1165,17 +1335,14 @@ interface(`apache_cgi_domain',`
  #
  interface(`apache_admin',`
  	gen_require(`
@@ -13191,7 +13336,7 @@ index c9e1a44..ba64143 100644
  	ps_process_pattern($1, httpd_t)
  
  	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-@@ -1186,10 +1332,10 @@ interface(`apache_admin',`
+@@ -1186,10 +1353,10 @@ interface(`apache_admin',`
  	apache_manage_all_content($1)
  	miscfiles_manage_public_files($1)
  
@@ -13204,7 +13349,7 @@ index c9e1a44..ba64143 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1200,14 +1346,41 @@ interface(`apache_admin',`
+@@ -1200,14 +1367,41 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -13252,7 +13397,7 @@ index c9e1a44..ba64143 100644
 +	dontaudit $1 httpd_t:unix_stream_socket { read write };
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 08dfa0c..411a3ff 100644
+index 08dfa0c..410ff39 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,130 +18,195 @@ policy_module(apache, 2.2.0)
@@ -13555,7 +13700,13 @@ index 08dfa0c..411a3ff 100644
  # File Type of squirrelmail attachments
  type squirrelmail_spool_t;
  files_tmp_file(squirrelmail_spool_t)
-@@ -286,6 +369,7 @@ allow httpd_t self:udp_socket create_socket_perms;
+@@ -281,11 +364,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow httpd_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_t self:udp_socket create_socket_perms;
++dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
+ 
+ # Allow httpd_t to put files in /var/cache/httpd etc
  manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
  manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
  manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
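Review bot: `dontaudit httpd_t self:netlink_audit_socket create_socket_perms;` is not covered by any item in the commit message and has no comment, so it is unclear what in httpd is trying to open an audit netlink socket; silencing it without recording why hides a signal a defender might want, since an audit socket opened by a web server is unusual. A PAM-using authentication module is a plausible source, but that is a guess — add the actual trigger as a comment, e.g. `# <module name> tries to open an audit socket; httpd neither needs nor should get it`.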
@@ -13563,7 +13714,7 @@ index 08dfa0c..411a3ff 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -355,6 +439,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +440,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -13571,7 +13722,7 @@ index 08dfa0c..411a3ff 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,8 +450,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,8 +451,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -13582,7 +13733,7 @@ index 08dfa0c..411a3ff 100644
  corenet_sendrecv_http_server_packets(httpd_t)
  # Signal self for shutdown
  corenet_tcp_connect_http_port(httpd_t)
-@@ -378,12 +465,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +466,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -13598,7 +13749,7 @@ index 08dfa0c..411a3ff 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -402,6 +489,10 @@ files_read_etc_files(httpd_t)
+@@ -402,6 +490,10 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -13609,7 +13760,7 @@ index 08dfa0c..411a3ff 100644
  
  libs_read_lib_files(httpd_t)
  
-@@ -416,34 +507,70 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -416,34 +508,70 @@ seutil_dontaudit_search_config(httpd_t)
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -13682,7 +13833,7 @@ index 08dfa0c..411a3ff 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +583,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +584,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -13693,7 +13844,7 @@ index 08dfa0c..411a3ff 100644
  
  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,8 +597,12 @@ tunable_policy(`httpd_enable_ftp_server',`
+@@ -466,8 +598,12 @@ tunable_policy(`httpd_enable_ftp_server',`
  	corenet_tcp_bind_ftp_port(httpd_t)
  ')
  
@@ -13708,7 +13859,7 @@ index 08dfa0c..411a3ff 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -475,6 +610,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -475,6 +611,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -13721,7 +13872,7 @@ index 08dfa0c..411a3ff 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +625,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +626,16 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -13738,7 +13889,7 @@ index 08dfa0c..411a3ff 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -500,8 +650,10 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -500,8 +651,10 @@ tunable_policy(`httpd_ssi_exec',`
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
  	userdom_use_user_terminals(httpd_t)
@@ -13749,7 +13900,7 @@ index 08dfa0c..411a3ff 100644
  ')
  
  optional_policy(`
-@@ -513,7 +665,13 @@ optional_policy(`
+@@ -513,7 +666,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13764,7 +13915,7 @@ index 08dfa0c..411a3ff 100644
  ')
  
  optional_policy(`
-@@ -528,7 +686,7 @@ optional_policy(`
+@@ -528,7 +687,7 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -13773,7 +13924,7 @@ index 08dfa0c..411a3ff 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +695,12 @@ optional_policy(`
+@@ -537,8 +696,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13787,15 +13938,21 @@ index 08dfa0c..411a3ff 100644
  	')
  ')
  
-@@ -557,6 +719,7 @@ optional_policy(`
+@@ -556,7 +719,13 @@ optional_policy(`
+ ')
  
  optional_policy(`
++	mediawiki_read_tmp_files(httpd_t)
++	mediawiki_delete_tmp_files(httpd_t)
++')
++
++optional_policy(`
  	# Allow httpd to work with mysql
 +	mysql_read_config(httpd_t)
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +730,7 @@ optional_policy(`
+@@ -567,6 +736,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
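Review bot: The new `optional_policy` block for mediawiki in apache.te has no comment, while the neighbouring block in the same hunk is introduced with one (`# Allow httpd to work with mysql`); add `# Allow httpd to clean up mediawiki tmp files` above `mediawiki_read_tmp_files(httpd_t)` for consistency. It is also worth noting that apache.te now references the mediawiki module while mediawiki.te is built on `apache_content_template`; the optional_policy wrapper keeps this from being a hard cycle, but any change to the tmp-file interfaces in mediawiki.if now reaches into apache.te.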
@@ -13803,7 +13960,7 @@ index 08dfa0c..411a3ff 100644
  ')
  
  optional_policy(`
-@@ -577,6 +741,16 @@ optional_policy(`
+@@ -577,6 +747,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13820,7 +13977,7 @@ index 08dfa0c..411a3ff 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +765,11 @@ optional_policy(`
+@@ -591,6 +771,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13832,7 +13989,7 @@ index 08dfa0c..411a3ff 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +782,10 @@ optional_policy(`
+@@ -603,6 +788,10 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -13843,7 +14000,7 @@ index 08dfa0c..411a3ff 100644
  ########################################
  #
  # Apache helper local policy
-@@ -618,6 +801,10 @@ logging_send_syslog_msg(httpd_helper_t)
+@@ -618,6 +807,10 @@ logging_send_syslog_msg(httpd_helper_t)
  
  userdom_use_user_terminals(httpd_helper_t)
  
@@ -13854,7 +14011,7 @@ index 08dfa0c..411a3ff 100644
  ########################################
  #
  # Apache PHP script local policy
-@@ -654,28 +841,27 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +847,27 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -13895,7 +14052,7 @@ index 08dfa0c..411a3ff 100644
  ')
  
  ########################################
-@@ -699,17 +885,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +891,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -13921,7 +14078,7 @@ index 08dfa0c..411a3ff 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +931,20 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,10 +937,20 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -13943,7 +14100,7 @@ index 08dfa0c..411a3ff 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +970,25 @@ optional_policy(`
+@@ -769,6 +976,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -13969,7 +14126,7 @@ index 08dfa0c..411a3ff 100644
  ########################################
  #
  # Apache system script local policy
-@@ -792,9 +1012,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
+@@ -792,9 +1018,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
  files_search_var_lib(httpd_sys_script_t)
  files_search_spool(httpd_sys_script_t)
  
@@ -13983,7 +14140,7 @@ index 08dfa0c..411a3ff 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,6 +1027,33 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,6 +1033,33 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -14017,7 +14174,7 @@ index 08dfa0c..411a3ff 100644
  tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -822,7 +1073,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,7 +1079,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -14026,7 +14183,7 @@ index 08dfa0c..411a3ff 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -830,6 +1081,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -830,6 +1087,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -14047,7 +14204,7 @@ index 08dfa0c..411a3ff 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1107,20 @@ optional_policy(`
+@@ -842,10 +1113,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -14068,7 +14225,7 @@ index 08dfa0c..411a3ff 100644
  ')
  
  ########################################
-@@ -891,11 +1166,21 @@ optional_policy(`
+@@ -891,11 +1172,21 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -14876,10 +15033,10 @@ index 0000000..fa9b95a
 +')
 diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
 new file mode 100644
-index 0000000..c9622ef
+index 0000000..4bc3f06
 --- /dev/null
 +++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,166 @@
+@@ -0,0 +1,167 @@
 +policy_module(boinc, 1.0.0)
 +
 +########################################
@@ -15004,6 +15161,7 @@ index 0000000..c9622ef
 +allow boinc_project_t self:process { execmem execstack };
 +
 +allow boinc_project_t self:fifo_file rw_fifo_file_perms;
++allow boinc_project_t self:sem create_sem_perms;
 +
 +manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 +manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
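Review bot: The line added here is `allow boinc_project_t self:sem create_sem_perms;`, i.e. SysV semaphores, but the commit message says "Allow boinc_project to use shm"; either the message or the rule is off. If shared memory was the denied class, the rule would be `allow boinc_project_t self:shm create_shm_perms;`, and if both were denied both lines belong here — check the original AVC. Leaving the message and the rule disagreeing makes this grant hard to audit later.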
@@ -15592,7 +15750,7 @@ index 7a6e5ba..d664be8 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index 1a65b5e..1c87fb3 100644
+index 1a65b5e..5595c96 100644
 --- a/policy/modules/services/certmonger.te
 +++ b/policy/modules/services/certmonger.te
 @@ -32,7 +32,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
@@ -15604,6 +15762,28 @@ index 1a65b5e..1c87fb3 100644
  
  manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
  manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+@@ -58,6 +58,16 @@ miscfiles_manage_generic_cert_files(certmonger_t)
+ 
+ sysnet_dns_name_resolve(certmonger_t)
+ 
++userdom_search_user_home_content(certmonger_t)
++
++optional_policy(`
++	apache_search_config(certmonger_t)
++')
++
++optional_policy(`
++	bind_search_cache(certmonger_t)
++')
++
+ optional_policy(`
+ 	dbus_system_bus_client(certmonger_t)
+ 	dbus_connect_system_bus(certmonger_t)
+@@ -70,3 +80,4 @@ optional_policy(`
+ optional_policy(`
+ 	pcscd_stream_connect(certmonger_t)
+ ')
++
 diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
 index d020c93..e5cbcef 100644
 --- a/policy/modules/services/cgroup.if
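Review bot: The second inner hunk (`@@ -70,3 +80,4 @@`) only appends an empty line after the final `')` of certmonger.te, which adds trailing whitespace at end of file; drop that `+` line. The additions above it — `userdom_search_user_home_content`, `apache_search_config` and `bind_search_cache` on certmonger_t — are search-only and match the commit message item about certificate directories, which is the least-privilege shape one would want here.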
@@ -19059,9 +19239,18 @@ index f590a1f..87f6bfb 100644
  
  	allow $1 fail2ban_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..7c5bf19 100644
+index 2a69e5e..0a4216c 100644
 --- a/policy/modules/services/fail2ban.te
 +++ b/policy/modules/services/fail2ban.te
+@@ -28,7 +28,7 @@ files_pid_file(fail2ban_var_run_t)
+ # fail2ban local policy
+ #
+ 
+-allow fail2ban_t self:capability { sys_tty_config };
++allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
+ allow fail2ban_t self:process signal;
+ allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+ allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
 @@ -36,7 +36,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
  allow fail2ban_t self:tcp_socket create_stream_socket_perms;
  
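Review bot: `dac_override` on fail2ban_t is broader than the stated need: the commit message only wants fail2ban to read log files owned by non-root users, and `dac_read_search` already bypasses DAC for read and search, whereas `dac_override` also bypasses write and execute checks. Unless a denial persists with `dac_read_search` alone, prefer `allow fail2ban_t self:capability { dac_read_search sys_tty_config };` with `dontaudit fail2ban_t self:capability dac_override;` — kernels of that era consult dac_override before dac_read_search, so the dontaudit keeps the log clean without granting it. A comment naming which log files are not root-owned would also help the next person who wonders why a log reader needs a DAC capability.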
@@ -38698,7 +38887,7 @@ index f6aafe7..666a58f 100644
 +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 698c11e..d17f2bf 100644
+index 698c11e..e90e509 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,27 @@ gen_require(`
@@ -38774,7 +38963,13 @@ index 698c11e..d17f2bf 100644
  
  # For /var/run/shutdown.pid.
  allow init_t init_var_run_t:file manage_file_perms;
-@@ -119,6 +144,7 @@ corecmd_exec_chroot(init_t)
+@@ -114,11 +139,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+ 
+ kernel_read_system_state(init_t)
+ kernel_share_state(init_t)
++kernel_stream_connect(init_t)
+ 
+ corecmd_exec_chroot(init_t)
  corecmd_exec_bin(init_t)
  
  dev_read_sysfs(init_t)
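Review bot: `kernel_stream_connect(init_t)` grants init connectto on every kernel_t unix stream socket, which is wider than the plymouthd case named in the commit message; since there is no narrower interface for a single kernel_t socket, a comment is the only way to keep the scope honest. Add `# plymouthd can still be running as kernel_t; init connects to its socket (see commit 348d60a)` above the line, hedging the cause if it has not been confirmed.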
@@ -38782,7 +38977,7 @@ index 698c11e..d17f2bf 100644
  # Early devtmpfs
  dev_rw_generic_chr_files(init_t)
  
-@@ -127,9 +153,12 @@ domain_kill_all_domains(init_t)
+@@ -127,9 +154,12 @@ domain_kill_all_domains(init_t)
  domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
@@ -38795,7 +38990,7 @@ index 698c11e..d17f2bf 100644
  files_rw_generic_pids(init_t)
  files_dontaudit_search_isid_type_dirs(init_t)
  files_manage_etc_runtime_files(init_t)
-@@ -162,12 +191,15 @@ init_domtrans_script(init_t)
+@@ -162,12 +192,15 @@ init_domtrans_script(init_t)
  libs_rw_ld_so_cache(init_t)
  
  logging_send_syslog_msg(init_t)
@@ -38811,7 +39006,7 @@ index 698c11e..d17f2bf 100644
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -178,7 +210,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +211,7 @@ ifdef(`distro_redhat',`
  	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
  ')
  
@@ -38820,7 +39015,7 @@ index 698c11e..d17f2bf 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +218,74 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +219,74 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -38895,7 +39090,7 @@ index 698c11e..d17f2bf 100644
  ')
  
  optional_policy(`
-@@ -199,10 +293,19 @@ optional_policy(`
+@@ -199,10 +294,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38915,7 +39110,7 @@ index 698c11e..d17f2bf 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +315,7 @@ optional_policy(`
+@@ -212,7 +316,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -38924,7 +39119,7 @@ index 698c11e..d17f2bf 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,6 +344,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,6 +345,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -38932,7 +39127,7 @@ index 698c11e..d17f2bf 100644
  
  can_exec(initrc_t, initrc_tmp_t)
  manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -258,11 +362,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +363,23 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -38956,7 +39151,7 @@ index 698c11e..d17f2bf 100644
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -291,6 +407,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +408,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -38964,7 +39159,7 @@ index 698c11e..d17f2bf 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +415,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +416,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -38980,7 +39175,7 @@ index 698c11e..d17f2bf 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -323,8 +440,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +441,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -38992,7 +39187,7 @@ index 698c11e..d17f2bf 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +459,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +460,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -39006,7 +39201,7 @@ index 698c11e..d17f2bf 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +474,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +475,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -39015,7 +39210,7 @@ index 698c11e..d17f2bf 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +488,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +489,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -39023,7 +39218,7 @@ index 698c11e..d17f2bf 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -380,6 +506,7 @@ auth_read_pam_pid(initrc_t)
+@@ -380,6 +507,7 @@ auth_read_pam_pid(initrc_t)
  auth_delete_pam_pid(initrc_t)
  auth_delete_pam_console_data(initrc_t)
  auth_use_nsswitch(initrc_t)
@@ -39031,7 +39226,7 @@ index 698c11e..d17f2bf 100644
  
  libs_rw_ld_so_cache(initrc_t)
  libs_exec_lib_files(initrc_t)
-@@ -394,13 +521,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +522,14 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -39047,7 +39242,7 @@ index 698c11e..d17f2bf 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +601,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +602,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -39056,7 +39251,7 @@ index 698c11e..d17f2bf 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -519,6 +647,19 @@ ifdef(`distro_redhat',`
+@@ -519,6 +648,19 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -39076,7 +39271,7 @@ index 698c11e..d17f2bf 100644
  	')
  
  	optional_policy(`
-@@ -526,10 +667,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +668,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -39094,7 +39289,7 @@ index 698c11e..d17f2bf 100644
  	')
  
  	optional_policy(`
-@@ -544,6 +692,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +693,35 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -39130,7 +39325,7 @@ index 698c11e..d17f2bf 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +733,8 @@ optional_policy(`
+@@ -556,6 +734,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -39139,7 +39334,7 @@ index 698c11e..d17f2bf 100644
  ')
  
  optional_policy(`
-@@ -572,6 +751,7 @@ optional_policy(`
+@@ -572,6 +752,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -39147,7 +39342,7 @@ index 698c11e..d17f2bf 100644
  ')
  
  optional_policy(`
-@@ -584,6 +764,11 @@ optional_policy(`
+@@ -584,6 +765,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39159,7 +39354,7 @@ index 698c11e..d17f2bf 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -600,6 +785,9 @@ optional_policy(`
+@@ -600,6 +786,9 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -39169,7 +39364,7 @@ index 698c11e..d17f2bf 100644
  
  	optional_policy(`
  		consolekit_dbus_chat(initrc_t)
-@@ -701,7 +889,13 @@ optional_policy(`
+@@ -701,7 +890,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39183,7 +39378,7 @@ index 698c11e..d17f2bf 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -724,6 +918,10 @@ optional_policy(`
+@@ -724,6 +919,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39194,7 +39389,7 @@ index 698c11e..d17f2bf 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -745,6 +943,10 @@ optional_policy(`
+@@ -745,6 +944,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39205,7 +39400,7 @@ index 698c11e..d17f2bf 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -766,8 +968,6 @@ optional_policy(`
+@@ -766,8 +969,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -39214,7 +39409,7 @@ index 698c11e..d17f2bf 100644
  ')
  
  optional_policy(`
-@@ -776,14 +976,21 @@ optional_policy(`
+@@ -776,14 +977,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39236,7 +39431,7 @@ index 698c11e..d17f2bf 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1012,19 @@ optional_policy(`
+@@ -805,11 +1013,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39257,7 +39452,7 @@ index 698c11e..d17f2bf 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1034,25 @@ optional_policy(`
+@@ -819,6 +1035,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -39283,7 +39478,7 @@ index 698c11e..d17f2bf 100644
  ')
  
  optional_policy(`
-@@ -844,3 +1078,55 @@ optional_policy(`
+@@ -844,3 +1079,55 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index be8982d..c26a444 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.5
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,18 @@ exit 0
 %endif
 
 %changelog
+* Wed Oct 6 2010 Dan Walsh <dwalsh at redhat.com> 3.9.5-11
+- Fix fusefs handling
+- Do not allow sandbox to manage nsplugin_rw_t
+- Allow mozilla_plugin_t to connecto its parent
+- Allow init_t to connect to plymouthd running as kernel_t
+- Add mediawiki policy
+- dontaudit sandbox sending signals to itself.  This can happen when they are running at different mcs.
+- Disable transition from dbus_session_domain to telepathy for F14
+- Allow boinc_project to use shm
+- Allow certmonger to search through directories that contain certs
+- Allow fail2ban the DAC Override so it can read log files owned by non root users
+
 * Mon Oct 4 2010 Dan Walsh <dwalsh at redhat.com> 3.9.5-10
 - Start adding support for use_fusefs_home_dirs
 - Add /var/lib/syslog directory file context

