[selinux-policy: 3172/3172] - Allow smbd to use sys_admin - Remove duplicate file context for tcfmgr - Update to upstream

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:42:05 UTC 2010


commit 6f934680a8c1bcfe14cf96a9e4557dffd1951c39
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Oct 7 14:55:49 2010 -0400

    - Allow smbd to use sys_admin
    - Remove duplicate file context for tcfmgr
    - Update to upstream

 policy-F14.patch    |  640 ++++++++++++++++-----------------------------------
 selinux-policy.spec |    7 +-
 sources             |    2 +-
 3 files changed, 201 insertions(+), 448 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 7ac41af..a01e1ac 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -1,8 +1,8 @@
 diff --git a/Makefile b/Makefile
-index f802d3b..b8804f7 100644
+index 376acee..c5bb5f8 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -244,7 +244,7 @@ seusers := $(appconf)/seusers
+@@ -248,7 +248,7 @@ seusers := $(appconf)/seusers
  appdir := $(contextpath)
  user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
  user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
@@ -246,7 +246,7 @@ index af90ef2..9fef0f8 100644
  # MCS policy for SELinux-enabled databases
  #
 diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
-index 69aa742..20d51d0 100644
+index 90d5203..1392679 100644
 --- a/policy/modules/admin/alsa.if
 +++ b/policy/modules/admin/alsa.if
 @@ -21,6 +21,32 @@ interface(`alsa_domtrans',`
@@ -304,11 +304,11 @@ index f76ed8a..9a9526a 100644
  
  optional_policy(`
 diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
-index 5b43db5..fdb453c 100644
+index 2c2cdb6..b95a47f 100644
 --- a/policy/modules/admin/brctl.if
 +++ b/policy/modules/admin/brctl.if
-@@ -17,3 +17,22 @@ interface(`brctl_domtrans',`
- 
+@@ -18,3 +18,22 @@ interface(`brctl_domtrans',`
+ 	corecmd_search_bin($1)
  	domtrans_pattern($1, brctl_exec_t, brctl_t)
  ')
 +
@@ -344,10 +344,10 @@ index a2e9cb5..cec5c56 100644
  optional_policy(`
  	apache_exec_modules(certwatch_t)
 diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
-index 2b12a37..a370656 100644
+index a768511..c07eff8 100644
 --- a/policy/modules/admin/consoletype.te
 +++ b/policy/modules/admin/consoletype.te
-@@ -81,10 +81,7 @@ optional_policy(`
+@@ -82,10 +82,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -400,7 +400,7 @@ index 66e486e..bfda8e9 100644
  ')
  
 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 0b6123e..d64682f 100644
+index 7390b15..a46b249 100644
 --- a/policy/modules/admin/logrotate.te
 +++ b/policy/modules/admin/logrotate.te
 @@ -119,14 +119,20 @@ seutil_dontaudit_read_config(logrotate_t)
@@ -687,10 +687,10 @@ index 0000000..eef0c87
 +	netutils_domtrans(ncftool_t)
 +')
 diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index b687b5d..4f38995 100644
+index 6a53a18..202c770 100644
 --- a/policy/modules/admin/netutils.te
 +++ b/policy/modules/admin/netutils.te
-@@ -51,6 +51,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+@@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
  
  kernel_search_proc(netutils_t)
  kernel_read_all_sysctls(netutils_t)
@@ -699,7 +699,7 @@ index b687b5d..4f38995 100644
  
  corenet_all_recvfrom_unlabeled(netutils_t)
  corenet_all_recvfrom_netlabel(netutils_t)
-@@ -67,6 +69,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
+@@ -64,6 +66,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
  corenet_udp_bind_generic_node(netutils_t)
  
  dev_read_sysfs(netutils_t)
@@ -709,7 +709,7 @@ index b687b5d..4f38995 100644
  
  fs_getattr_xattr_fs(netutils_t)
  
-@@ -137,8 +142,6 @@ logging_send_syslog_msg(ping_t)
+@@ -134,8 +139,6 @@ logging_send_syslog_msg(ping_t)
  
  miscfiles_read_localization(ping_t)
  
@@ -718,7 +718,7 @@ index b687b5d..4f38995 100644
  ifdef(`hide_broken_symptoms',`
  	init_dontaudit_use_fds(ping_t)
  
-@@ -148,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -145,11 +148,25 @@ ifdef(`hide_broken_symptoms',`
  	')
  ')
  
@@ -744,7 +744,7 @@ index b687b5d..4f38995 100644
  	pcmcia_use_cardmgr_fds(ping_t)
  ')
  
-@@ -197,6 +214,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -194,6 +211,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
  domain_use_interactive_fds(traceroute_t)
  
  files_read_etc_files(traceroute_t)
@@ -752,7 +752,7 @@ index b687b5d..4f38995 100644
  files_dontaudit_search_var(traceroute_t)
  
  init_use_fds(traceroute_t)
-@@ -207,9 +225,16 @@ logging_send_syslog_msg(traceroute_t)
+@@ -204,9 +222,16 @@ logging_send_syslog_msg(traceroute_t)
  
  miscfiles_read_localization(traceroute_t)
  
@@ -910,17 +910,16 @@ index b206bf6..48922c9 100644
  /var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
  
 diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
-index 86463e3..ddbb3af 100644
+index d33daa8..cad488d 100644
 --- a/policy/modules/admin/rpm.if
 +++ b/policy/modules/admin/rpm.if
-@@ -13,11 +13,14 @@
+@@ -13,10 +13,13 @@
  interface(`rpm_domtrans',`
  	gen_require(`
  		type rpm_t, rpm_exec_t;
 +		attribute rpm_transition_domain;
  	')
  
- 	files_search_usr($1)
  	corecmd_search_bin($1)
  	domtrans_pattern($1, rpm_exec_t, rpm_t)
 +	typeattribute $1 rpm_transition_domain;
@@ -928,10 +927,10 @@ index 86463e3..ddbb3af 100644
  ')
  
  ########################################
-@@ -87,6 +90,11 @@ interface(`rpm_run',`
+@@ -83,6 +86,11 @@ interface(`rpm_run',`
+ 
  	rpm_domtrans($1)
- 	role $2 types rpm_t;
- 	role $2 types rpm_script_t;
+ 	role $2 types { rpm_t rpm_script_t };
 +
 +	domain_system_change_exemption($1)
 +	role_transition $2 rpm_exec_t system_r;
@@ -940,7 +939,7 @@ index 86463e3..ddbb3af 100644
  	seutil_run_loadpolicy(rpm_script_t, $2)
  	seutil_run_semanage(rpm_script_t, $2)
  	seutil_run_setfiles(rpm_script_t, $2)
-@@ -185,6 +193,41 @@ interface(`rpm_rw_pipes',`
+@@ -181,6 +189,41 @@ interface(`rpm_rw_pipes',`
  
  ########################################
  ## <summary>
@@ -982,7 +981,7 @@ index 86463e3..ddbb3af 100644
  ##	Send and receive messages from
  ##	rpm over dbus.
  ## </summary>
-@@ -338,7 +381,9 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,7 +378,9 @@ interface(`rpm_manage_script_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -992,7 +991,7 @@ index 86463e3..ddbb3af 100644
  ')
  
  #####################################
-@@ -378,7 +423,9 @@ interface(`rpm_manage_tmp_files',`
+@@ -375,7 +420,9 @@ interface(`rpm_manage_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -1002,7 +1001,7 @@ index 86463e3..ddbb3af 100644
  ')
  
  ########################################
-@@ -461,6 +508,7 @@ interface(`rpm_read_db',`
+@@ -459,6 +506,7 @@ interface(`rpm_read_db',`
  	allow $1 rpm_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
  	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -1010,7 +1009,7 @@ index 86463e3..ddbb3af 100644
  ')
  
  ########################################
-@@ -577,3 +625,66 @@ interface(`rpm_pid_filetrans',`
+@@ -576,3 +624,66 @@ interface(`rpm_pid_filetrans',`
  
  	files_pid_filetrans($1, rpm_var_run_t, file)
  ')
@@ -1078,11 +1077,11 @@ index 86463e3..ddbb3af 100644
 +	allow rpm_script_t $1:process sigchld;
 +')
 diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 95dbcf3..bdba9c5 100644
+index 542b820..a91d384 100644
 --- a/policy/modules/admin/rpm.te
 +++ b/policy/modules/admin/rpm.te
 @@ -1,10 +1,11 @@
- policy_module(rpm, 1.11.1)
+ policy_module(rpm, 1.11.2)
  
 +attribute rpm_transition_domain;
 +
@@ -1094,15 +1093,7 @@ index 95dbcf3..bdba9c5 100644
  type debuginfo_exec_t;
  domain_entry_file(rpm_t, debuginfo_exec_t)
  
-@@ -44,6 +45,7 @@ type rpm_script_exec_t;
- domain_obj_id_change_exemption(rpm_script_t)
- domain_system_change_exemption(rpm_script_t)
- corecmd_shell_entry_type(rpm_script_t)
-+corecmd_bin_entry_type(rpm_script_t)
- domain_type(rpm_script_t)
- domain_entry_file(rpm_t, rpm_script_exec_t)
- domain_interactive_fd(rpm_script_t)
-@@ -77,6 +79,8 @@ allow rpm_t self:shm create_shm_perms;
+@@ -76,6 +77,8 @@ allow rpm_t self:shm create_shm_perms;
  allow rpm_t self:sem create_sem_perms;
  allow rpm_t self:msgq create_msgq_perms;
  allow rpm_t self:msg { send receive };
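Review bot: The inner hunk that added `corecmd_bin_entry_type(rpm_script_t)` is dropped here with no more explanation than "Update to upstream", so a reader cannot tell whether the rule now comes from the new upstream base or has left the effective policy. The same applies to the later hunks that drop `can_exec(rpm_t, rpm_tmp_t)`, `can_exec(rpm_t, rpm_tmpfs_t)`, the `manage_blk_files_pattern`/`manage_chr_files_pattern` rules for rpm_script_t, and `logging_search_logs(shutdown_t)`. I would record this in the commit description, for example `Drop rpm.te and shutdown.te hunks now carried upstream`, assuming that is the reason. Diffing the built policy before and after with `sediff` would confirm that any change in what rpm_t and rpm_script_t may execute or create is intended.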
@@ -1111,23 +1102,7 @@ index 95dbcf3..bdba9c5 100644
  
  allow rpm_t rpm_log_t:file manage_file_perms;
  logging_log_filetrans(rpm_t, rpm_log_t, file)
-@@ -84,6 +88,7 @@ logging_log_filetrans(rpm_t, rpm_log_t, file)
- manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
- manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
- files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
-+can_exec(rpm_t, rpm_tmp_t)
- 
- manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
- manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
-@@ -91,6 +96,7 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
- manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
- manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
- fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-+can_exec(rpm_t, rpm_tmpfs_t)
- 
- manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
- manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
-@@ -100,12 +106,14 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
+@@ -101,13 +104,15 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
  manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
  files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
  
@@ -1136,6 +1111,7 @@ index 95dbcf3..bdba9c5 100644
 -files_pid_filetrans(rpm_t, rpm_var_run_t, file)
 +files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir })
  
+ kernel_read_crypto_sysctls(rpm_t)
  kernel_read_network_state(rpm_t)
  kernel_read_system_state(rpm_t)
  kernel_read_kernel_sysctls(rpm_t)
@@ -1143,7 +1119,7 @@ index 95dbcf3..bdba9c5 100644
  
  corecmd_exec_all_executables(rpm_t)
  
-@@ -125,6 +133,8 @@ corenet_sendrecv_all_client_packets(rpm_t)
+@@ -127,6 +132,8 @@ corenet_sendrecv_all_client_packets(rpm_t)
  dev_list_sysfs(rpm_t)
  dev_list_usbfs(rpm_t)
  dev_read_urand(rpm_t)
@@ -1152,7 +1128,7 @@ index 95dbcf3..bdba9c5 100644
  
  fs_getattr_all_dirs(rpm_t)
  fs_list_inotifyfs(rpm_t)
-@@ -205,6 +215,7 @@ optional_policy(`
+@@ -207,6 +214,7 @@ optional_policy(`
  	optional_policy(`
  		networkmanager_dbus_chat(rpm_t)
  	')
@@ -1160,7 +1136,7 @@ index 95dbcf3..bdba9c5 100644
  ')
  
  optional_policy(`
-@@ -212,7 +223,7 @@ optional_policy(`
+@@ -214,7 +222,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1169,16 +1145,7 @@ index 95dbcf3..bdba9c5 100644
  	# yum-updatesd requires this
  	unconfined_dbus_chat(rpm_t)
  	unconfined_dbus_chat(rpm_script_t)
-@@ -242,6 +253,8 @@ allow rpm_script_t rpm_tmp_t:file read_file_perms;
- allow rpm_script_t rpm_script_tmp_t:dir mounton;
- manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
- manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
-+manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
-+manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
- files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
- 
- manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -254,6 +267,7 @@ fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_fi
+@@ -261,6 +269,7 @@ kernel_read_crypto_sysctls(rpm_script_t)
  kernel_read_kernel_sysctls(rpm_script_t)
  kernel_read_system_state(rpm_script_t)
  kernel_read_network_state(rpm_script_t)
@@ -1186,7 +1153,7 @@ index 95dbcf3..bdba9c5 100644
  kernel_read_software_raid_state(rpm_script_t)
  
  dev_list_sysfs(rpm_script_t)
-@@ -301,6 +315,8 @@ auth_manage_all_files_except_shadow(rpm_script_t)
+@@ -308,6 +317,8 @@ auth_manage_all_files_except_shadow(rpm_script_t)
  auth_relabel_shadow(rpm_script_t)
  
  corecmd_exec_all_executables(rpm_script_t)
@@ -1195,7 +1162,7 @@ index 95dbcf3..bdba9c5 100644
  
  domain_read_all_domains_state(rpm_script_t)
  domain_getattr_all_domains(rpm_script_t)
-@@ -331,12 +347,15 @@ modutils_domtrans_insmod(rpm_script_t)
+@@ -338,12 +349,15 @@ modutils_domtrans_insmod(rpm_script_t)
  seutil_domtrans_loadpolicy(rpm_script_t)
  seutil_domtrans_setfiles(rpm_script_t)
  seutil_domtrans_semanage(rpm_script_t)
@@ -1211,7 +1178,7 @@ index 95dbcf3..bdba9c5 100644
  	')
  ')
  
-@@ -366,8 +385,9 @@ optional_policy(`
+@@ -377,8 +391,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1350,21 +1317,11 @@ index a22e546..ffc0571 100644
  
  optional_policy(`
  	hostname_exec(shorewall_t)
-diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
-index 9174268..09c3771 100644
---- a/policy/modules/admin/shutdown.fc
-+++ b/policy/modules/admin/shutdown.fc
-@@ -3,3 +3,5 @@
- /sbin/shutdown		--	gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
- /var/run/shutdown\.pid 	--	gen_context(system_u:object_r:shutdown_var_run_t,s0)
-+
-+/lib/upstart/shutdown 	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
 diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
-index d2c068d..914e1ac 100644
+index d0604cf..679d61c 100644
 --- a/policy/modules/admin/shutdown.if
 +++ b/policy/modules/admin/shutdown.if
-@@ -19,10 +19,11 @@ interface(`shutdown_domtrans',`
+@@ -20,7 +20,7 @@ interface(`shutdown_domtrans',`
  
  	ifdef(`hide_broken_symptoms', `
  		dontaudit shutdown_t $1:socket_class_set { read write };
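Review bot: Dropping the shutdown.fc section removes the only place in this patch that labels `/lib/upstart/shutdown` as shutdown_exec_t, and nothing visible here shows that the new upstream base carries that entry. If it does not, the file would presumably fall back to a default label on the next relabel and no longer enter shutdown_t through `shutdown_domtrans`. It is worth confirming on a built package with `matchpathcon /lib/upstart/shutdown`. If upstream lacks the entry, keep `/lib/upstart/shutdown 	--	gen_context(system_u:object_r:shutdown_exec_t,s0)` in the patch. The shutdown_domtrans interface shown as context continues outside this hunk.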
@@ -1373,11 +1330,7 @@ index d2c068d..914e1ac 100644
  	')
  ')
  
-+
- ########################################
- ## <summary>
- ##	Execute shutdown in the shutdown domain, and
-@@ -50,6 +51,73 @@ interface(`shutdown_run',`
+@@ -51,6 +51,73 @@ interface(`shutdown_run',`
  
  ########################################
  ## <summary>
@@ -1452,10 +1405,10 @@ index d2c068d..914e1ac 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
-index 51f7c3a..eb63a79 100644
+index 3863241..5280124 100644
 --- a/policy/modules/admin/shutdown.te
 +++ b/policy/modules/admin/shutdown.te
-@@ -36,15 +36,17 @@ files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
+@@ -38,13 +38,14 @@ domain_use_interactive_fds(shutdown_t)
  files_read_etc_files(shutdown_t)
  files_read_generic_pids(shutdown_t)
  
@@ -1469,13 +1422,10 @@ index 51f7c3a..eb63a79 100644
 -init_dontaudit_write_utmp(shutdown_t)
 -init_read_utmp(shutdown_t)
 +init_rw_utmp(shutdown_t)
+ init_stream_connect(shutdown_t)
  init_telinit(shutdown_t)
  
-+logging_search_logs(shutdown_t)
- logging_send_audit_msgs(shutdown_t)
- 
- miscfiles_read_localization(shutdown_t)
-@@ -55,5 +57,10 @@ optional_policy(`
+@@ -59,5 +60,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1637,7 +1587,7 @@ index 6a5004b..50cd538 100644
  ')
  
 diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
-index aa9636d..7851643 100644
+index 332ba93..e6d3bd9 100644
 --- a/policy/modules/admin/tzdata.te
 +++ b/policy/modules/admin/tzdata.te
 @@ -15,7 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t)
@@ -1650,10 +1600,10 @@ index aa9636d..7851643 100644
  
  fs_getattr_xattr_fs(tzdata_t)
 diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
-index aecbf1c..0b5e634 100644
+index 81fb26f..cd18ca8 100644
 --- a/policy/modules/admin/usermanage.if
 +++ b/policy/modules/admin/usermanage.if
-@@ -290,6 +290,9 @@ interface(`usermanage_run_useradd',`
+@@ -285,6 +285,9 @@ interface(`usermanage_run_useradd',`
  	usermanage_domtrans_useradd($1)
  	role $2 types useradd_t;
  
@@ -1664,10 +1614,10 @@ index aecbf1c..0b5e634 100644
  
  	optional_policy(`
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index c35d801..b1a841a 100644
+index 65f8143..16a8510 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
-@@ -90,9 +90,7 @@ fs_search_auto_mountpoints(chfn_t)
+@@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
  # for SSP
  dev_read_urand(chfn_t)
  
@@ -1678,7 +1628,7 @@ index c35d801..b1a841a 100644
  
  # allow checking if a shell is executable
  corecmd_check_exec_shell(chfn_t)
-@@ -293,17 +291,18 @@ selinux_compute_create_context(passwd_t)
+@@ -291,17 +289,18 @@ selinux_compute_create_context(passwd_t)
  selinux_compute_relabel_context(passwd_t)
  selinux_compute_user_contexts(passwd_t)
  
@@ -1701,7 +1651,7 @@ index c35d801..b1a841a 100644
  
  domain_use_interactive_fds(passwd_t)
  
-@@ -334,6 +333,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +331,7 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -1709,7 +1659,7 @@ index c35d801..b1a841a 100644
  
  optional_policy(`
  	nscd_domtrans(passwd_t)
-@@ -428,7 +428,7 @@ optional_policy(`
+@@ -426,7 +426,7 @@ optional_policy(`
  # Useradd local policy
  #
  
@@ -1718,7 +1668,7 @@ index c35d801..b1a841a 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -500,12 +500,8 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -498,12 +498,8 @@ seutil_domtrans_setfiles(useradd_t)
  
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
@@ -2314,7 +2264,7 @@ index 00a19e3..46db5ff 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..91737d4 100644
+index f5afe78..8978675 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
 @@ -37,8 +37,7 @@ interface(`gnome_role',`
@@ -2327,7 +2277,7 @@ index f5afe78..91737d4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -46,37 +45,313 @@ interface(`gnome_role',`
+@@ -46,25 +45,282 @@ interface(`gnome_role',`
  ##	</summary>
  ## </param>
  #
@@ -2494,11 +2444,12 @@ index f5afe78..91737d4 100644
 +##	append to generic cache home files (.cache)
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-template(`gnome_read_gconf_config',`
 +interface(`gnome_append_generic_cache_files',`
 +	gen_require(`
 +		type cache_home_t;
@@ -2606,21 +2557,16 @@ index f5afe78..91737d4 100644
 +##	read gconf config files
 +## </summary>
 +## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--template(`gnome_read_gconf_config',`
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`gnome_read_gconf_config',`
  	gen_require(`
  		type gconf_etc_t;
  	')
- 
- 	allow $1 gconf_etc_t:dir list_dir_perms;
- 	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
--	files_search_etc($1)
- ')
+@@ -76,7 +332,27 @@ template(`gnome_read_gconf_config',`
  
  #######################################
  ## <summary>
@@ -2649,7 +2595,7 @@ index f5afe78..91737d4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +359,40 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +360,40 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -2701,7 +2647,7 @@ index f5afe78..91737d4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,12 +400,13 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,12 +401,13 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -2718,7 +2664,7 @@ index f5afe78..91737d4 100644
  ')
  
  ########################################
-@@ -151,40 +430,173 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +431,173 @@ interface(`gnome_setattr_config_dirs',`
  
  ########################################
  ## <summary>
@@ -7442,7 +7388,7 @@ index 9e5c83e..953e0e8 100644
 +/lib/udev/devices/ppp	-c	gen_context(system_u:object_r:ppp_device_t,s0)
 +/lib/udev/devices/net/.* -c	gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 2ecdde8..f15e5ba 100644
+index 36ba519..ba41f1f 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -24,6 +24,7 @@ dev_node(ppp_device_t)
@@ -7497,7 +7443,7 @@ index 2ecdde8..f15e5ba 100644
  network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -109,7 +118,7 @@ network_port(hddtemp, tcp,7634,s0)
+@@ -111,7 +120,7 @@ network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -7506,7 +7452,7 @@ index 2ecdde8..f15e5ba 100644
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -123,30 +132,34 @@ network_port(iscsi, tcp,3260,s0)
+@@ -125,30 +134,34 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -7545,7 +7491,7 @@ index 2ecdde8..f15e5ba 100644
  network_port(ntp, udp,123,s0)
  network_port(ocsp, tcp,9080,s0)
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-@@ -154,12 +167,20 @@ network_port(pegasus_http, tcp,5988,s0)
+@@ -156,12 +169,20 @@ network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
  network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
  network_port(pingd, tcp,9125,s0)
@@ -7566,7 +7512,7 @@ index 2ecdde8..f15e5ba 100644
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pulseaudio, tcp,4713,s0)
-@@ -174,24 +195,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -176,24 +197,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -7599,7 +7545,7 @@ index 2ecdde8..f15e5ba 100644
  network_port(syslogd, udp,514,s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
-@@ -201,16 +226,17 @@ network_port(transproxy, tcp,8081,s0)
+@@ -203,16 +228,17 @@ network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -7617,9 +7563,9 @@ index 2ecdde8..f15e5ba 100644
 -network_port(xserver, tcp,6000-6020,s0)
 +network_port(xserver, tcp,6000-6150,s0)
 +network_port(zarafa, tcp,236,s0)
- network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
- network_port(zope, tcp,8021,s0)
- 
+ network_port(zookeeper_client, tcp,2181,s0)
+ network_port(zookeeper_election, tcp,3888,s0)
+ network_port(zookeeper_leader, tcp,2888,s0)
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
 index 3b2da10..7c29e17 100644
 --- a/policy/modules/kernel/devices.fc
@@ -8313,7 +8259,7 @@ index 3517db2..bd4c23d 100644
 +/nsr(/.*)?						gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?						gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 5302dac..a738502 100644
+index 5302dac..2bf2d69 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -8666,10 +8612,9 @@ index 5302dac..a738502 100644
  #
  interface(`files_delete_generic_locks',`
 -	gen_require(`
--		type var_t, var_lock_t;
--	')
 +       gen_require(`
-+               type var_t, var_lock_t;
+ 		type var_t, var_lock_t;
+-	')
 +       ')
  
 -	allow $1 var_t:dir search_dir_perms;
@@ -10045,10 +9990,10 @@ index ebe6a9c..e3a1987 100644
  ########################################
  #
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 1854002..571c76e 100644
+index e0e2550..3653516 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,46 @@ policy_module(staff, 2.1.2)
+@@ -8,12 +8,46 @@ policy_module(staff, 2.1.3)
  role staff_r;
  
  userdom_unpriv_user_template(staff)
@@ -10095,7 +10040,7 @@ index 1854002..571c76e 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -27,6 +61,35 @@ optional_policy(`
+@@ -27,25 +61,104 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -10128,10 +10073,12 @@ index 1854002..571c76e 100644
 +')
 +
 +optional_policy(`
- 	oident_manage_user_content(staff_t)
- 	oident_relabel_user_content(staff_t)
- ')
-@@ -36,21 +99,66 @@ optional_policy(`
++	oident_manage_user_content(staff_t)
++	oident_relabel_user_content(staff_t)
++')
++
++optional_policy(`
+ 	postgresql_role(staff_r, staff_t)
  ')
  
  optional_policy(`
@@ -10200,7 +10147,7 @@ index 1854002..571c76e 100644
  
  optional_policy(`
  	xserver_role(staff_r, staff_t)
-@@ -138,10 +246,6 @@ ifndef(`distro_redhat',`
+@@ -133,10 +246,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -10212,7 +10159,7 @@ index 1854002..571c76e 100644
  	')
  
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2a19751..1a95085 100644
+index 6b54416..bbbc6d0 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -24,20 +24,41 @@ ifndef(`enable_mls',`
@@ -10293,7 +10240,7 @@ index 2a19751..1a95085 100644
  ')
  
  optional_policy(`
-@@ -159,6 +184,13 @@ optional_policy(`
+@@ -163,6 +188,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -10307,7 +10254,7 @@ index 2a19751..1a95085 100644
  ')
  
  optional_policy(`
-@@ -166,15 +198,15 @@ optional_policy(`
+@@ -170,15 +202,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -10326,7 +10273,7 @@ index 2a19751..1a95085 100644
  ')
  
  optional_policy(`
-@@ -198,14 +230,7 @@ optional_policy(`
+@@ -202,14 +234,7 @@ optional_policy(`
  
  optional_policy(`
  	mount_run(sysadm_t, sysadm_r)
@@ -10342,7 +10289,7 @@ index 2a19751..1a95085 100644
  ')
  
  optional_policy(`
-@@ -221,6 +246,10 @@ optional_policy(`
+@@ -225,6 +250,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -10353,7 +10300,7 @@ index 2a19751..1a95085 100644
  	netutils_run(sysadm_t, sysadm_r)
  	netutils_run_ping(sysadm_t, sysadm_r)
  	netutils_run_traceroute(sysadm_t, sysadm_r)
-@@ -254,7 +283,7 @@ optional_policy(`
+@@ -253,7 +282,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -10362,7 +10309,7 @@ index 2a19751..1a95085 100644
  ')
  
  optional_policy(`
-@@ -266,10 +295,6 @@ optional_policy(`
+@@ -265,10 +294,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -10373,7 +10320,7 @@ index 2a19751..1a95085 100644
  	rpc_domtrans_nfsd(sysadm_t)
  ')
  
-@@ -277,9 +302,6 @@ optional_policy(`
+@@ -276,9 +301,6 @@ optional_policy(`
  	rpm_run(sysadm_t, sysadm_r)
  ')
  
@@ -10383,7 +10330,7 @@ index 2a19751..1a95085 100644
  
  optional_policy(`
  	rsync_exec(sysadm_t)
-@@ -304,9 +326,10 @@ optional_policy(`
+@@ -303,9 +325,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -10395,7 +10342,7 @@ index 2a19751..1a95085 100644
  optional_policy(`
  	ssh_role_template(sysadm, sysadm_r, sysadm_t)
  ')
-@@ -329,10 +352,6 @@ optional_policy(`
+@@ -328,10 +351,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -10406,7 +10353,7 @@ index 2a19751..1a95085 100644
  	tripwire_run_siggen(sysadm_t, sysadm_r)
  	tripwire_run_tripwire(sysadm_t, sysadm_r)
  	tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -340,18 +359,10 @@ optional_policy(`
+@@ -339,18 +358,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -10425,7 +10372,7 @@ index 2a19751..1a95085 100644
  	unconfined_domtrans(sysadm_t)
  ')
  
-@@ -364,17 +375,14 @@ optional_policy(`
+@@ -363,17 +374,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -10445,7 +10392,7 @@ index 2a19751..1a95085 100644
  ')
  
  optional_policy(`
-@@ -386,19 +394,22 @@ optional_policy(`
+@@ -385,19 +393,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -10471,7 +10418,7 @@ index 2a19751..1a95085 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -445,5 +456,60 @@ ifndef(`distro_redhat',`
+@@ -444,5 +455,60 @@ ifndef(`distro_redhat',`
  	optional_policy(`
  		java_role(sysadm_r, sysadm_t)
  	')
@@ -11736,10 +11683,10 @@ index 0000000..31bbe95
 +
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 9b55b00..2932c13 100644
+index 183ea8e..91b4504 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
-@@ -12,6 +12,8 @@ role user_r;
+@@ -12,15 +12,46 @@ role user_r;
  
  userdom_unpriv_user_template(user)
  
@@ -11748,10 +11695,13 @@ index 9b55b00..2932c13 100644
  optional_policy(`
  	apache_role(user_r, user_t)
  ')
-@@ -22,10 +24,34 @@ optional_policy(`
- ')
  
  optional_policy(`
++	oident_manage_user_content(user_t)
++	oident_relabel_user_content(user_t)
++')
++
++optional_policy(`
 +	mozilla_run_plugin(user_t, user_r)
 +')
 +
@@ -11783,7 +11733,7 @@ index 9b55b00..2932c13 100644
  	xserver_role(user_r, user_t)
  ')
  
-@@ -115,7 +141,7 @@ ifndef(`distro_redhat',`
+@@ -110,7 +141,7 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -18119,22 +18069,6 @@ index 9d44538..7e9057e 100644
  ## </param>
  #
  interface(`cyphesis_domtrans',`
-diff --git a/policy/modules/services/cyphesis.te b/policy/modules/services/cyphesis.te
-index 346f926..1f789f8 100644
---- a/policy/modules/services/cyphesis.te
-+++ b/policy/modules/services/cyphesis.te
-@@ -36,9 +36,10 @@ logging_log_filetrans(cyphesis_t, cyphesis_log_t, file)
- allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms;
- files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file)
- 
-+manage_dirs_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
- manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
- manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
--files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { file sock_file })
-+files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { dir file sock_file })
- 
- kernel_read_system_state(cyphesis_t)
- kernel_read_kernel_sysctls(cyphesis_t)
 diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
 index e182bf4..f80e725 100644
 --- a/policy/modules/services/cyrus.te
@@ -19324,164 +19258,33 @@ index 69dcd2a..a9a9116 100644
  /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
  /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 +/usr/libexec/webmin/vsftpd/webalizer/xfer_log 	--	gen_context(system_u:object_r:xferlog_t,s0)
-diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
-index bc27421..26cc64b 100644
---- a/policy/modules/services/ftp.if
-+++ b/policy/modules/services/ftp.if
-@@ -53,25 +53,6 @@ interface(`ftp_read_config',`
- 
- ########################################
- ## <summary>
--##	Execute FTP daemon entry point programs.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
--interface(`ftp_check_exec',`
--	gen_require(`
--		type ftpd_exec_t;
--	')
--
--	corecmd_search_bin($1)
--	allow $1 ftpd_exec_t:file { getattr execute };
--')
--
--########################################
--## <summary>
- ##	Read FTP transfer logs
- ## </summary>
- ## <param name="domain">
-@@ -171,9 +152,8 @@ interface(`ftp_dyntrans_sftpd',`
- interface(`ftp_admin',`
- 	gen_require(`
- 		type ftpd_t, ftpdctl_t, ftpd_tmp_t;
--		type ftpd_etc_t, ftpd_lock_t;
-+		type ftpd_etc_t, ftpd_lock_t, ftpd_initrc_exec_t;
- 		type ftpd_var_run_t, xferlog_t;
--		type ftpd_initrc_exec_t;
- 	')
- 
- 	allow $1 ftpd_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..2284f4e 100644
+index 8a74a83..ce4f73b 100644
 --- a/policy/modules/services/ftp.te
 +++ b/policy/modules/services/ftp.te
-@@ -6,70 +6,85 @@ policy_module(ftp, 1.12.0)
- #
- 
- ## <desc>
--## <p>
--## Allow ftp servers to upload files,  used for public file
--## transfer services. Directories must be labeled
--## public_content_rw_t.
--## </p>
-+##	<p>
-+##	Allow ftp servers to upload files,  used for public file
-+##	transfer services. Directories must be labeled
-+##	public_content_rw_t.
-+##	</p>
- ## </desc>
- gen_tunable(allow_ftpd_anon_write, false)
- 
- ## <desc>
--## <p>
--## Allow ftp servers to login to local users and
--## read/write all files on the system, governed by DAC.
--## </p>
-+##	<p>
-+##	Allow ftp servers to login to local users and
-+##	read/write all files on the system, governed by DAC.
-+##	</p>
- ## </desc>
- gen_tunable(allow_ftpd_full_access, false)
+@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
  
  ## <desc>
--## <p>
--## Allow ftp servers to use cifs
--## used for public file transfer services.
--## </p>
-+##	<p>
-+##	Allow ftp servers to use cifs
-+##	used for public file transfer services.
-+##	</p>
- ## </desc>
- gen_tunable(allow_ftpd_use_cifs, false)
- 
- ## <desc>
--## <p>
--## Allow ftp servers to use nfs
--## used for public file transfer services.
--## </p>
-+##	<p>
-+##	Allow ftp servers to use nfs
-+##	used for public file transfer services.
-+##	</p>
- ## </desc>
- gen_tunable(allow_ftpd_use_nfs, false)
- 
- ## <desc>
--## <p>
--## Allow ftp to read and write files in the user home directories
--## </p>
-+##	<p>
-+##	Allow ftp servers to use connect to mysql database
-+##	</p>
+ ## <p>
++## Allow ftp servers to use connect to mysql database
++## </p>
 +## </desc>
 +gen_tunable(ftpd_connect_db, false)
 +
 +## <desc>
-+##	<p>
-+##	Allow ftp to read and write files in the user home directories
-+##	</p>
- ## </desc>
- gen_tunable(ftp_home_dir, false)
- 
- ## <desc>
--## <p>
--## Allow anon internal-sftp to upload files, used for
--## public file transfer services. Directories must be labeled
--## public_content_rw_t.
--## </p>
-+##	<p>
-+##	Allow anon internal-sftp to upload files, used for
-+##	public file transfer services. Directories must be labeled
-+##	public_content_rw_t.
-+##	</p>
- ## </desc>
- gen_tunable(sftpd_anon_write, false)
- 
- ## <desc>
--## <p>
--## Allow sftp-internal to read and write files
--## in the user home directories
--## </p>
-+##	<p>
-+##	Allow sftp-internal to read and write files
-+##	in the user home directories
-+##	</p>
++## <p>
+ ## Allow ftp to read and write files in the user home directories
+ ## </p>
  ## </desc>
- gen_tunable(sftpd_enable_homedirs, false)
- 
- ## <desc>
--## <p>
--## Allow sftp-internal to login to local users and
--## read/write all files on the system, governed by DAC.
--## </p>
-+##	<p>
-+##	Allow sftp-internal to login to local users and
-+##	read/write all files on the system, governed by DAC.
-+##	</p>
+@@ -70,6 +77,14 @@ gen_tunable(sftpd_enable_homedirs, false)
  ## </desc>
  gen_tunable(sftpd_full_access, false)
  
 +## <desc>
-+##	<p>
-+##	Allow interlnal-sftp to read and write files 
-+##	in the user ssh home directories.
-+##	</p>
++## <p>
++## Allow interlnal-sftp to read and write files 
++## in the user ssh home directories.
++## </p>
 +## </desc>
 +gen_tunable(sftpd_write_ssh_home, false)
 +
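Review bot: The two tunable descriptions added in the ftp.te section contain wording errors in the text an administrator reads when deciding whether to flip the boolean: `## Allow ftp servers to use connect to mysql database` and `## Allow interlnal-sftp to read and write files` (the second also ends in trailing whitespace). I would write them as `## Allow ftp servers to connect to mysql database` and `## Allow internal-sftp to read and write files`. The description of sftpd_write_ssh_home should also state what the write access covers: the user ssh home directory presumably holds authorized_keys, so enabling the boolean would let an sftp session change which keys can log in, and one extra sentence saying so would keep it from being enabled casually. ftpd_connect_db is named generically while its text mentions only mysql; the rules behind both tunables lie outside this hunk, so confirm which databases are actually permitted and make the name and the text agree.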
@@ -20387,21 +20190,9 @@ index 462de63..a8ce02e 100644
 +/usr/libexec/gsd-datetime-mechanism		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 +
 diff --git a/policy/modules/services/gnomeclock.if b/policy/modules/services/gnomeclock.if
-index 671d8fd..b1f8f93 100644
+index 671d8fd..25c7ab8 100644
 --- a/policy/modules/services/gnomeclock.if
 +++ b/policy/modules/services/gnomeclock.if
-@@ -5,9 +5,9 @@
- ##	Execute a domain transition to run gnomeclock.
- ## </summary>
- ## <param name="domain">
--## <summary>
-+##	<summary>
- ##	Domain allowed to transition.
--## </summary>
-+##	</summary>
- ## </param>
- #
- interface(`gnomeclock_domtrans',`
 @@ -63,3 +63,24 @@ interface(`gnomeclock_dbus_chat',`
  	allow $1 gnomeclock_t:dbus send_msg;
  	allow gnomeclock_t $1:dbus send_msg;
@@ -20483,35 +20274,10 @@ index 03742d8..7b9c543 100644
  ')
  
 diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
-index 7cf6763..26de57a 100644
+index 7cf6763..ce32fe5 100644
 --- a/policy/modules/services/hal.if
 +++ b/policy/modules/services/hal.if
-@@ -20,24 +20,6 @@ interface(`hal_domtrans',`
- 
- ########################################
- ## <summary>
--##	Get the attributes of a hal process.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
--interface(`hal_getattr',`
--	gen_require(`
--		type hald_t;
--	')
--
--	allow $1 hald_t:process getattr;
--')
--
--########################################
--## <summary>
- ##	Read hal system state
- ## </summary>
- ## <param name="domain">
-@@ -51,6 +33,7 @@ interface(`hal_read_state',`
+@@ -51,6 +51,7 @@ interface(`hal_read_state',`
  		type hald_t;
  	')
  
@@ -20519,7 +20285,7 @@ index 7cf6763..26de57a 100644
  	ps_process_pattern($1, hald_t)
  ')
  
-@@ -87,7 +70,7 @@ interface(`hal_use_fds',`
+@@ -87,7 +88,7 @@ interface(`hal_use_fds',`
  		type hald_t;
  	')
  
@@ -20528,7 +20294,7 @@ index 7cf6763..26de57a 100644
  ')
  
  ########################################
-@@ -105,7 +88,7 @@ interface(`hal_dontaudit_use_fds',`
+@@ -105,7 +106,7 @@ interface(`hal_dontaudit_use_fds',`
  		type hald_t;
  	')
  
@@ -20537,7 +20303,7 @@ index 7cf6763..26de57a 100644
  ')
  
  ########################################
-@@ -124,7 +107,7 @@ interface(`hal_rw_pipes',`
+@@ -124,7 +125,7 @@ interface(`hal_rw_pipes',`
  		type hald_t;
  	')
  
@@ -20546,7 +20312,7 @@ index 7cf6763..26de57a 100644
  ')
  
  ########################################
-@@ -143,7 +126,7 @@ interface(`hal_dontaudit_rw_pipes',`
+@@ -143,7 +144,7 @@ interface(`hal_dontaudit_rw_pipes',`
  		type hald_t;
  	')
  
@@ -20555,7 +20321,7 @@ index 7cf6763..26de57a 100644
  ')
  
  ########################################
-@@ -377,6 +360,25 @@ interface(`hal_read_pid_files',`
+@@ -377,6 +378,25 @@ interface(`hal_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -20581,7 +20347,7 @@ index 7cf6763..26de57a 100644
  ##	Read/Write hald PID files.
  ## </summary>
  ## <param name="domain">
-@@ -431,3 +433,25 @@ interface(`hal_manage_pid_files',`
+@@ -431,3 +451,25 @@ interface(`hal_manage_pid_files',`
  	files_search_pids($1)
  	manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
  ')
@@ -38467,7 +38233,7 @@ index 9775375..b338481 100644
  #
  # /var
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index f6aafe7..666a58f 100644
+index 8419a01..5865dba 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -105,7 +105,11 @@ interface(`init_domain',`
@@ -38591,7 +38357,7 @@ index f6aafe7..666a58f 100644
  ')
  
  ########################################
-@@ -669,19 +733,24 @@ interface(`init_telinit',`
+@@ -687,19 +751,24 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -38617,7 +38383,7 @@ index f6aafe7..666a58f 100644
  	')
  ')
  
-@@ -754,18 +823,19 @@ interface(`init_script_file_entry_type',`
+@@ -772,18 +841,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -38641,7 +38407,7 @@ index f6aafe7..666a58f 100644
  	')
  ')
  
-@@ -781,23 +851,45 @@ interface(`init_spec_domtrans_script',`
+@@ -799,23 +869,45 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -38691,7 +38457,7 @@ index f6aafe7..666a58f 100644
  ##	Execute a init script in a specified domain.
  ## </summary>
  ## <desc>
-@@ -849,8 +941,12 @@ interface(`init_script_file_domtrans',`
+@@ -867,8 +959,12 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -38704,7 +38470,7 @@ index f6aafe7..666a58f 100644
  	domtrans_pattern($1, $2, initrc_t)
  	files_search_etc($1)
  ')
-@@ -1111,12 +1207,7 @@ interface(`init_read_script_state',`
+@@ -1129,12 +1225,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -38718,7 +38484,7 @@ index f6aafe7..666a58f 100644
  ')
  
  ########################################
-@@ -1338,6 +1429,27 @@ interface(`init_dbus_send_script',`
+@@ -1356,6 +1447,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -38746,7 +38512,7 @@ index f6aafe7..666a58f 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1424,6 +1536,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1442,6 +1554,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -38772,7 +38538,7 @@ index f6aafe7..666a58f 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1637,7 +1768,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1655,7 +1786,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -38781,7 +38547,7 @@ index f6aafe7..666a58f 100644
  ')
  
  ########################################
-@@ -1712,3 +1843,94 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1730,3 +1861,74 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -38838,26 +38604,6 @@ index f6aafe7..666a58f 100644
 +	init_dontaudit_use_script_fds($1)
 +')
 +
-+
-+########################################
-+## <summary>
-+##	Allow the specified domain to connect to
-+##	the init process with a unix socket.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`init_stream_connect',`
-+	gen_require(`
-+		type init_t;
-+	')
-+
-+	allow $1 init_t:unix_stream_socket connectto;
-+')
-+
 +########################################
 +## <summary>
 +##	Allow the specified domain to read/write to
@@ -43863,15 +43609,14 @@ index 416e668..c6e8ffe 100644
 -	allow $1 unconfined_t:dbus acquire_svc;
 -')
 diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index f976344..4474379 100644
+index 8a4ee77..f0dca4c 100644
 --- a/policy/modules/system/unconfined.te
 +++ b/policy/modules/system/unconfined.te
-@@ -4,227 +4,5 @@ policy_module(unconfined, 3.2.0)
+@@ -4,231 +4,4 @@ policy_module(unconfined, 3.2.1)
  #
  # Declarations
  #
-+attribute unconfined_services;
- 
+-
 -# usage in this module of types created by these
 -# calls is not correct, however we dont currently
 -# have another method to add access to these types
@@ -43985,6 +43730,10 @@ index f976344..4474379 100644
 -')
 -
 -optional_policy(`
+-	hadoop_role(unconfined_r, unconfined_t)
+-')
+-
+-optional_policy(`
 -	inn_domtrans(unconfined_t)
 -')
 -
@@ -44095,6 +43844,7 @@ index f976344..4474379 100644
 -		hal_dbus_chat(unconfined_execmem_t)
 -	')
 -')
++attribute unconfined_services;
 diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
 index db75976..392d1ee 100644
 --- a/policy/modules/system/userdomain.fc
@@ -44119,7 +43869,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 2aa8928..54365f8 100644
+index 35f1476..8d157ff 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -44685,12 +44435,14 @@ index 2aa8928..54365f8 100644
  	')
  
  	tunable_policy(`user_ttyfile_stat',`
-@@ -574,65 +645,108 @@ template(`userdom_common_user_template',`
+@@ -574,67 +645,110 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
--		alsa_read_rw_config($1_t)
 +		alsa_read_rw_config($1_usertype)
+ 		alsa_manage_home_files($1_t)
+-		alsa_read_rw_config($1_t)
+ 		alsa_relabel_home_files($1_t)
  	')
  
  	optional_policy(`
@@ -44812,7 +44564,7 @@ index 2aa8928..54365f8 100644
  	')
  
  	optional_policy(`
-@@ -643,41 +757,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +764,50 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -44874,7 +44626,7 @@ index 2aa8928..54365f8 100644
  ')
  
  #######################################
-@@ -705,13 +828,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +835,26 @@ template(`userdom_login_user_template', `
  
  	userdom_base_user_template($1)
  
@@ -44906,7 +44658,7 @@ index 2aa8928..54365f8 100644
  
  	userdom_change_password_template($1)
  
-@@ -729,72 +865,71 @@ template(`userdom_login_user_template', `
+@@ -736,72 +872,71 @@ template(`userdom_login_user_template', `
  
  	allow $1_t self:context contains;
  
@@ -45015,7 +44767,7 @@ index 2aa8928..54365f8 100644
  	')
  ')
  
-@@ -826,6 +961,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +968,9 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -45025,7 +44777,7 @@ index 2aa8928..54365f8 100644
  	##############################
  	#
  	# Local policy
-@@ -867,45 +1005,105 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1012,105 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  
  	auth_role($1_r, $1_t)
@@ -45142,7 +44894,7 @@ index 2aa8928..54365f8 100644
  	')
  ')
  
-@@ -940,7 +1138,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1145,7 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -45151,7 +44903,7 @@ index 2aa8928..54365f8 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -949,54 +1147,77 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1154,77 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -45259,7 +45011,7 @@ index 2aa8928..54365f8 100644
  	')
  ')
  
-@@ -1032,7 +1253,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1260,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -45268,7 +45020,7 @@ index 2aa8928..54365f8 100644
  	')
  
  	##############################
-@@ -1067,6 +1288,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1295,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -45278,7 +45030,7 @@ index 2aa8928..54365f8 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1081,6 +1305,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1312,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -45286,7 +45038,7 @@ index 2aa8928..54365f8 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1112,10 +1337,13 @@ template(`userdom_admin_user_template',`
+@@ -1119,10 +1344,13 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -45300,7 +45052,7 @@ index 2aa8928..54365f8 100644
  	fs_set_all_quotas($1_t)
  	fs_exec_noxattr($1_t)
  
-@@ -1135,6 +1363,7 @@ template(`userdom_admin_user_template',`
+@@ -1142,6 +1370,7 @@ template(`userdom_admin_user_template',`
  	logging_send_syslog_msg($1_t)
  
  	modutils_domtrans_insmod($1_t)
@@ -45308,7 +45060,7 @@ index 2aa8928..54365f8 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1203,6 +1432,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1439,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -45317,7 +45069,7 @@ index 2aa8928..54365f8 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1230,6 +1461,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1468,7 @@ template(`userdom_security_admin_template',`
  	seutil_run_checkpolicy($1,$2)
  	seutil_run_loadpolicy($1,$2)
  	seutil_run_semanage($1,$2)
@@ -45325,7 +45077,7 @@ index 2aa8928..54365f8 100644
  	seutil_run_setfiles($1, $2)
  
  	optional_policy(`
-@@ -1268,12 +1500,15 @@ template(`userdom_security_admin_template',`
+@@ -1275,12 +1507,15 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -45342,7 +45094,7 @@ index 2aa8928..54365f8 100644
  ')
  
  ########################################
-@@ -1384,6 +1619,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1391,6 +1626,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -45350,7 +45102,7 @@ index 2aa8928..54365f8 100644
  	files_search_home($1)
  ')
  
-@@ -1430,6 +1666,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1437,6 +1673,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -45365,7 +45117,7 @@ index 2aa8928..54365f8 100644
  ')
  
  ########################################
-@@ -1445,9 +1689,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1452,9 +1696,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -45377,7 +45129,7 @@ index 2aa8928..54365f8 100644
  ')
  
  ########################################
-@@ -1504,6 +1750,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1511,6 +1757,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -45420,7 +45172,7 @@ index 2aa8928..54365f8 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1578,6 +1860,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1585,6 +1867,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -45429,7 +45181,7 @@ index 2aa8928..54365f8 100644
  ')
  
  ########################################
-@@ -1592,10 +1876,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1599,10 +1883,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -45444,7 +45196,7 @@ index 2aa8928..54365f8 100644
  ')
  
  ########################################
-@@ -1638,34 +1924,53 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1645,34 +1931,53 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -45506,7 +45258,7 @@ index 2aa8928..54365f8 100644
  	gen_require(`
  		type user_home_dir_t, user_home_t;
  	')
-@@ -1689,12 +1994,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1696,12 +2001,32 @@ interface(`userdom_read_user_home_content_files',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -45539,7 +45291,7 @@ index 2aa8928..54365f8 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1705,11 +2030,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1712,11 +2037,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -45557,7 +45309,7 @@ index 2aa8928..54365f8 100644
  ')
  
  ########################################
-@@ -1799,8 +2127,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1806,8 +2134,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -45567,7 +45319,7 @@ index 2aa8928..54365f8 100644
  ')
  
  ########################################
-@@ -1816,20 +2143,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1823,20 +2150,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -45592,7 +45344,7 @@ index 2aa8928..54365f8 100644
  
  ########################################
  ## <summary>
-@@ -2171,7 +2492,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2178,7 +2499,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -45601,7 +45353,7 @@ index 2aa8928..54365f8 100644
  ')
  
  ########################################
-@@ -2424,13 +2745,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2431,13 +2752,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -45617,7 +45369,7 @@ index 2aa8928..54365f8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2451,26 +2773,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2458,26 +2780,6 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -45644,7 +45396,7 @@ index 2aa8928..54365f8 100644
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2804,7 +3106,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2811,7 +3113,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -45653,7 +45405,7 @@ index 2aa8928..54365f8 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2820,11 +3122,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2827,11 +3129,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -45669,7 +45421,7 @@ index 2aa8928..54365f8 100644
  ')
  
  ########################################
-@@ -2906,7 +3210,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2913,7 +3217,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -45678,7 +45430,7 @@ index 2aa8928..54365f8 100644
  ')
  
  ########################################
-@@ -2961,7 +3265,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2968,7 +3272,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -45725,7 +45477,7 @@ index 2aa8928..54365f8 100644
  ')
  
  ########################################
-@@ -2998,6 +3340,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3005,6 +3347,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -45733,7 +45485,7 @@ index 2aa8928..54365f8 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3128,3 +3471,854 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3135,3 +3478,854 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -46589,7 +46341,7 @@ index 2aa8928..54365f8 100644
 +	type_transition $1 user_tmp_t:process $2;
 +')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 60937f0..0aa5ce3 100644
+index a7088c6..5119d1e 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -43,6 +43,13 @@ gen_tunable(user_rw_noexattrfile, false)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index de35d49..ba856b0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,8 +20,8 @@
 %define CHECKPOLICYVER 2.0.21-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.9.5
-Release: 12%{?dist}
+Version: 3.9.6
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,9 +470,10 @@ exit 0
 %endif
 
 %changelog
-* Thu Oct 7 2010 Dan Walsh <dwalsh at redhat.com> 3.9.5-12
+* Thu Oct 7 2010 Dan Walsh <dwalsh at redhat.com> 3.9.6-1
 - Allow smbd to use sys_admin
 - Remove duplicate file context for tcfmgr
+- Update to upstream
 
 * Wed Oct 6 2010 Dan Walsh <dwalsh at redhat.com> 3.9.5-11
 - Fix fusefs handling
diff --git a/sources b/sources
index 1e6d985..d834e79 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-92b67fbf7e35e89cd46d04881966d2ae  serefpolicy-3.9.5.tgz
+21e517616738920ab9db791eec691b00  serefpolicy-3.9.6.tgz

