[selinux-policy/f14/master] Allow iptables to read shorewall tmp files Change chfn and passwd to use auth_use_pam so they can se
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Sep 8 16:09:41 UTC 2010
commit c5bc0bc683f153ac4097c721c69c57d20ffe4a38
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Sep 8 12:09:43 2010 -0400
Allow iptables to read shorewall tmp files
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fprintd
label vlc as an execmem_exec_t
Lots of fixes for mozilla_plugin to run google video chat
Allow telepathy_msn to execute ldconfig and its own tmp files
Fix labels on hugepages
Allow mdadm to read files on /dev
Remove permissive domains and change back to unconfined
Allow freshclam to execute shell and bin_t
Allow devicekit_power to transition to dhcpc
Add boolean to allow icecast to connect to any port
booleans-targeted.conf | 4 +
policy-F14.patch | 711 ++++++++++++++++++++++++++----------------------
selinux-policy.spec | 2 +-
sources | 2 +-
4 files changed, 398 insertions(+), 321 deletions(-)
---
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 778f0ab..8cecaa7 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -251,6 +251,10 @@ allow_nsplugin_execmem=true
#
allow_unconfined_nsplugin_transition=true
+# Allow mplayer to run in the unconfined domain
+#
+unconfined_mplayer=true
+
# System uses init upstart program
#
init_upstart = true
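Review bot: `unconfined_mplayer=true` ships the boolean enabled, while the policy side in this same commit declares it with `gen_tunable(unconfined_mplayer, false)`, so the packaged default and the policy default disagree and a build that does not apply this conf silently behaves differently. The tunable appears to hand a media player, which parses attacker-supplied files, to the execmem-capable `unconfined_execmem_t` domain, so the conservative default is off until a user opts in: `unconfined_mplayer=false`. If enabling it by default is deliberate for F14 desktops, the comment above it should say why.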
diff --git a/policy-F14.patch b/policy-F14.patch
index e3ed193..470095b 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -206,59 +206,6 @@ index af90ef2..fbd2c40 100644
(( h1 dom h2 ) or ( t1 == mcskillall ));
#
-diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
-index 69aa742..30bfb08 100644
---- a/policy/modules/admin/alsa.if
-+++ b/policy/modules/admin/alsa.if
-@@ -74,6 +74,7 @@ interface(`alsa_read_rw_config',`
- allow $1 alsa_etc_rw_t:dir list_dir_perms;
- read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
-+ files_search_etc($1)
-
- ifdef(`distro_debian',`
- files_search_usr($1)
-@@ -99,6 +100,7 @@ interface(`alsa_manage_rw_config',`
- allow $1 alsa_etc_rw_t:dir list_dir_perms;
- manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
-+ files_search_etc($1)
-
- ifdef(`distro_debian',`
- files_search_usr($1)
-@@ -122,6 +124,7 @@ interface(`alsa_read_home_files',`
-
- userdom_search_user_home_dirs($1)
- allow $1 alsa_home_t:file read_file_perms;
-+>>>>>>> .merge_file_D1FKe3
- ')
-
- ########################################
-@@ -141,4 +144,24 @@ interface(`alsa_read_lib',`
-
- files_search_var_lib($1)
- read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
-+## Read alsa home files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`alsa_read_home_files',`
-+ gen_require(`
-+ type alsa_home_t;
-+ ')
-+
-+ allow $1 alsa_home_t:file read_file_perms;
-+ userdom_search_user_home_dirs($1)
- ')
diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
index d1d035e..2cb11ea 100644
--- a/policy/modules/admin/amanda.if
@@ -2000,10 +1947,10 @@ index 7fd0900..899e234 100644
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
new file mode 100644
-index 0000000..e049042
+index 0000000..9bd4f45
--- /dev/null
+++ b/policy/modules/apps/execmem.fc
-@@ -0,0 +1,49 @@
+@@ -0,0 +1,48 @@
+
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2016,7 +1963,6 @@ index 0000000..e049042
+/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/vlc -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
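Review bot: The commit message says vlc is labeled `execmem_exec_t`, but this hunk removes the `/usr/bin/vlc -- gen_context(system_u:object_r:execmem_exec_t,s0)` entry from execmem.fc, which is the opposite. If the entry moved to mplayer.fc alongside the new `unconfined_mplayer` tunable, that file is not in the diff as shown and the description should say "relabel vlc" with the type it now gets; otherwise vlc loses its execmem labeling and will presumably start hitting execmem denials. Please either restore the line or correct the description.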
@@ -2351,157 +2297,88 @@ index 00a19e3..46db5ff 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..09beb26 100644
+index f5afe78..db1a0d0 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -37,8 +37,26 @@ interface(`gnome_role',`
+@@ -37,8 +37,7 @@ interface(`gnome_role',`
########################################
## <summary>
-## Execute gconf programs in
-## in the caller domain.
+## gconf connection template.
-+## </summary>
-+## <param name="user_domain">
-+## <summary>
-+## The type of the user domain.
-+## </summary>
-+## </param>
-+#
-+interface(`gnome_stream_connect_gconf',`
-+ gen_require(`
-+ type gconfd_t, gconf_tmp_t;
-+ ')
-+
-+ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
-+ allow $1 gconfd_t:unix_stream_socket connectto;
-+')
-+
-+########################################
-+## <summary>
-+## Run gconfd in gconfd domain.
## </summary>
## <param name="domain">
## <summary>
-@@ -46,75 +64,124 @@ interface(`gnome_role',`
+@@ -46,37 +45,36 @@ interface(`gnome_role',`
## </summary>
## </param>
#
-interface(`gnome_exec_gconf',`
-+interface(`gnome_domtrans_gconfd',`
++interface(`gnome_stream_connect_gconf',`
gen_require(`
- type gconfd_exec_t;
-+ type gconfd_t, gconfd_exec_t;
++ type gconfd_t, gconf_tmp_t;
')
- can_exec($1, gconfd_exec_t)
-+ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
-+')
-+
-+########################################
-+## <summary>
-+## Dontaudit search gnome homedir content (.config)
-+## </summary>
-+## <param name="user_domain">
-+## <summary>
-+## The type of the user domain.
-+## </summary>
-+## </param>
-+#
-+interface(`gnome_dontaudit_search_config',`
-+ gen_require(`
-+ attribute gnome_home_type;
-+ ')
-+
-+ dontaudit $1 gnome_home_type:dir search_dir_perms;
++ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
++ allow $1 gconfd_t:unix_stream_socket connectto;
')
########################################
## <summary>
-## Read gconf config files.
-+## manage gnome homedir content (.config)
++## Run gconfd in gconfd domain.
## </summary>
- ## <param name="user_domain">
- ## <summary>
-+## The type of the user domain.
-+## </summary>
-+## </param>
-+#
-+interface(`gnome_manage_config',`
-+ gen_require(`
-+ attribute gnome_home_type;
-+ ')
-+
-+ allow $1 gnome_home_type:dir manage_dir_perms;
-+ allow $1 gnome_home_type:file manage_file_perms;
-+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+## <summary>
-+## Send general signals to all gconf domains.
-+## </summary>
+-## <param name="user_domain">
+## <param name="domain">
-+## <summary>
+ ## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-template(`gnome_read_gconf_config',`
-+interface(`gnome_signal_all',`
++interface(`gnome_domtrans_gconfd',`
gen_require(`
- type gconf_etc_t;
-+ attribute gnomedomain;
++ type gconfd_t, gconfd_exec_t;
')
- allow $1 gconf_etc_t:dir list_dir_perms;
- read_files_pattern($1, gconf_etc_t, gconf_etc_t)
- files_search_etc($1)
-+ allow $1 gnomedomain:process signal;
++ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')
-#######################################
+########################################
## <summary>
-## Create, read, write, and delete gconf config files.
-+## Create objects in a Gnome cache home directory
-+## with an automatic type transition to
-+## a specified private type.
++## Dontaudit search gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
- ## Domain allowed access.
+@@ -84,37 +82,38 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
-+## <param name="private_type">
-+## <summary>
-+## The type of the object to create.
-+## </summary>
-+## </param>
-+## <param name="object_class">
-+## <summary>
-+## The class of the object to be created.
-+## </summary>
-+## </param>
#
-interface(`gnome_manage_gconf_config',`
-+interface(`gnome_cache_filetrans',`
++interface(`gnome_dontaudit_search_config',`
gen_require(`
- type gconf_etc_t;
-+ type cache_home_t;
++ attribute gnome_home_type;
')
- manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
- files_search_etc($1)
-+ filetrans_pattern($1, cache_home_t, $2, $3)
-+ userdom_search_user_home_dirs($1)
++ dontaudit $1 gnome_home_type:dir search_dir_perms;
')
########################################
## <summary>
-## gconf connection template.
-+## Read generic cache home files (.cache)
++## manage gnome homedir content (.config)
## </summary>
-## <param name="user_domain">
+## <param name="domain">
@@ -2511,37 +2388,107 @@ index f5afe78..09beb26 100644
## </param>
#
-interface(`gnome_stream_connect_gconf',`
-+interface(`gnome_read_generic_cache_files',`
++interface(`gnome_manage_config',`
gen_require(`
- type gconfd_t, gconf_tmp_t;
-+ type cache_home_t;
++ attribute gnome_home_type;
')
- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
- allow $1 gconfd_t:unix_stream_socket connectto;
-+ read_files_pattern($1, cache_home_t, cache_home_t)
++ allow $1 gnome_home_type:dir manage_dir_perms;
++ allow $1 gnome_home_type:file manage_file_perms;
++ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
+ userdom_search_user_home_dirs($1)
')
########################################
## <summary>
-## Run gconfd in gconfd domain.
-+## Set attributes of cache home dir (.cache)
++## Send general signals to all gconf domains.
## </summary>
## <param name="domain">
## <summary>
-@@ -122,12 +189,71 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,12 +121,139 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
-interface(`gnome_domtrans_gconfd',`
-+interface(`gnome_setattr_cache_home_dir',`
++interface(`gnome_signal_all',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
-+ type cache_home_t;
++ attribute gnomedomain;
')
- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
++ allow $1 gnomedomain:process signal;
++')
++
++########################################
++## <summary>
++## Create objects in a Gnome cache home directory
++## with an automatic type transition to
++## a specified private type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private_type">
++## <summary>
++## The type of the object to create.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The class of the object to be created.
++## </summary>
++## </param>
++#
++interface(`gnome_cache_filetrans',`
++ gen_require(`
++ type cache_home_t;
++ ')
++
++ filetrans_pattern($1, cache_home_t, $2, $3)
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
++## Read generic cache home files (.cache)
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_read_generic_cache_files',`
++ gen_require(`
++ type cache_home_t;
++ ')
++
++ read_files_pattern($1, cache_home_t, cache_home_t)
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
++## Set attributes of cache home dir (.cache)
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_setattr_cache_home_dir',`
++ gen_require(`
++ type cache_home_t;
++ ')
++
+ setattr_dirs_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
+')
@@ -2588,9 +2535,9 @@ index f5afe78..09beb26 100644
+## <summary>
+## read gnome homedir content (.config)
+## </summary>
-+## <param name="user_domain">
++## <param name="domain">
+## <summary>
-+## The type of the user domain.
++## Domain allowed access.
+## </summary>
+## </param>
+#
@@ -2605,7 +2552,7 @@ index f5afe78..09beb26 100644
')
########################################
-@@ -151,22 +277,251 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +277,306 @@ interface(`gnome_setattr_config_dirs',`
########################################
## <summary>
@@ -2666,9 +2613,9 @@ index f5afe78..09beb26 100644
+## <summary>
+## read gconf config files
## </summary>
- ## <param name="user_domain">
- ## <summary>
-+## The type of the user domain.
++## <param name="domain">
++## <summary>
++## Domain allowed access.
+## </summary>
+## </param>
+#
@@ -2707,14 +2654,12 @@ index f5afe78..09beb26 100644
+## </summary>
+## <param name="domain">
+## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
--template(`gnome_read_config',`
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`gnome_exec_gconf',`
- gen_require(`
-- type gnome_home_t;
++ gen_require(`
+ type gconfd_exec_t;
+ ')
+
@@ -2735,11 +2680,8 @@ index f5afe78..09beb26 100644
+ gen_require(`
+ type gconf_home_t;
+ type data_home_t;
- ')
-
-- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
-- read_files_pattern($1, gnome_home_t, gnome_home_t)
-- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
++ ')
++
+ allow $1 gconf_home_t:dir list_dir_perms;
+ allow $1 data_home_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_home_t, gconf_home_t)
@@ -2750,9 +2692,9 @@ index f5afe78..09beb26 100644
+## <summary>
+## search gconf homedir (.local)
+## </summary>
-+## <param name="user_domain">
++## <param name="domain">
+## <summary>
-+## The type of the domain.
++## Domain allowed access.
+## </summary>
+## </param>
+#
@@ -2811,8 +2753,8 @@ index f5afe78..09beb26 100644
+## Domain allowed access.
+## </summary>
+## </param>
-+## <param name="user_domain">
-+## <summary>
+ ## <param name="user_domain">
+ ## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
@@ -2830,17 +2772,22 @@ index f5afe78..09beb26 100644
+## <summary>
+## list gnome homedir content (.config)
+## </summary>
-+## <param name="user_domain">
++## <param name="domain">
+## <summary>
-+## The type of the user domain.
-+## </summary>
-+## </param>
-+#
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-template(`gnome_read_config',`
+template(`gnome_list_home_config',`
-+ gen_require(`
+ gen_require(`
+- type gnome_home_t;
+ type config_home_t;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
+- read_files_pattern($1, gnome_home_t, gnome_home_t)
+- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
+ allow $1 config_home_t:dir list_dir_perms;
+')
+
@@ -2848,9 +2795,9 @@ index f5afe78..09beb26 100644
+## <summary>
+## read gnome homedir content (.config)
+## </summary>
-+## <param name="user_domain">
++## <param name="domain">
+## <summary>
-+## The type of the user domain.
++## Domain allowed access.
+## </summary>
+## </param>
+#
@@ -2863,19 +2810,26 @@ index f5afe78..09beb26 100644
')
########################################
-@@ -175,16 +530,53 @@ template(`gnome_read_config',`
+ ## <summary>
+ ## manage gnome homedir content (.config)
## </summary>
- ## <param name="user_domain">
+-## <param name="user_domain">
++## <param name="domain">
## <summary>
-+## The type of the user domain.
-+## </summary>
-+## </param>
-+#
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_manage_config',`
+template(`gnome_manage_home_config',`
-+ gen_require(`
+ gen_require(`
+- type gnome_home_t;
+ type config_home_t;
-+ ')
-+
+ ')
+
+- allow $1 gnome_home_t:dir manage_dir_perms;
+- allow $1 gnome_home_t:file manage_file_perms;
+- userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, config_home_t, config_home_t)
+')
+
@@ -2885,20 +2839,15 @@ index f5afe78..09beb26 100644
+## </summary>
+## <param name="domain">
+## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`gnome_manage_config',`
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`gnome_rw_inherited_config',`
- gen_require(`
-- type gnome_home_t;
++ gen_require(`
+ attribute gnome_home_type;
- ')
-
-- allow $1 gnome_home_t:dir manage_dir_perms;
-- allow $1 gnome_home_t:file manage_file_perms;
-- userdom_search_user_home_dirs($1)
++ ')
++
+ allow $1 gnome_home_type:file rw_inherited_file_perms;
+')
+
@@ -3781,7 +3730,7 @@ index 9a6d67d..47aa143 100644
## mozilla over dbus.
## </summary>
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..04f5196 100644
+index cbf4bec..58899ca 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -3854,7 +3803,7 @@ index cbf4bec..04f5196 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,80 @@ optional_policy(`
+@@ -266,3 +291,78 @@ optional_policy(`
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
@@ -3899,8 +3848,7 @@ index cbf4bec..04f5196 100644
+files_read_config_files(mozilla_plugin_t)
+files_read_usr_files(mozilla_plugin_t)
+
-+# Would like to get rid of this but needed to talk to mislabeled tmpfs
-+fs_rw_tmpfs_files(mozilla_plugin_t)
++fs_getattr_tmpfs(mozilla_plugin_t)
+
+miscfiles_read_localization(mozilla_plugin_t)
+miscfiles_read_fonts(mozilla_plugin_t)
@@ -3934,7 +3882,6 @@ index cbf4bec..04f5196 100644
+ xserver_read_xdm_pid(mozilla_plugin_t)
+ xserver_stream_connect(mozilla_plugin_t)
+')
-+
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index d8ea41d..8bdc526 100644
--- a/policy/modules/apps/mplayer.if
@@ -4037,10 +3984,10 @@ index 0000000..63abc5c
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
new file mode 100644
-index 0000000..74c624e
+index 0000000..4dd9d05
--- /dev/null
+++ b/policy/modules/apps/nsplugin.if
-@@ -0,0 +1,391 @@
+@@ -0,0 +1,374 @@
+
+## <summary>policy for nsplugin</summary>
+
@@ -4088,21 +4035,9 @@ index 0000000..74c624e
+## <summary>
+## The per role template for the nsplugin module.
+## </summary>
-+## <desc>
-+## <p>
-+## This template creates a derived domains which are used
-+## for nsplugin web browser.
-+## </p>
-+## <p>
-+## This template is invoked automatically for each user, and
-+## generally does not need to be invoked directly
-+## by policy writers.
-+## </p>
-+## </desc>
-+## <param name="userdomain_prefix">
++## <param name="user_role">
+## <summary>
-+## The prefix of the user domain (e.g., user
-+## is the prefix for user_t).
++## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
@@ -4110,11 +4045,6 @@ index 0000000..74c624e
+## The type of the user domain.
+## </summary>
+## </param>
-+## <param name="user_role">
-+## <summary>
-+## The role associated with the user domain.
-+## </summary>
-+## </param>
+#
+interface(`nsplugin_role_notrans',`
+ gen_require(`
@@ -5504,10 +5434,10 @@ index 0000000..c20d303
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..8d4ac56
+index 0000000..942bb30
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,403 @@
+@@ -0,0 +1,400 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -5742,7 +5672,6 @@ index 0000000..8d4ac56
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
+userdom_search_user_home_content(sandbox_x_domain)
+
-+#============= sandbox_x_t ==============
+files_search_home(sandbox_x_t)
+userdom_use_user_ptys(sandbox_x_t)
+
@@ -5796,7 +5725,6 @@ index 0000000..8d4ac56
+dev_write_sound(sandbox_web_type)
+dev_read_sound(sandbox_web_type)
+
-+# Browse the web, connect to printer
+corenet_all_recvfrom_unlabeled(sandbox_web_type)
+corenet_all_recvfrom_netlabel(sandbox_web_type)
+corenet_tcp_sendrecv_all_if(sandbox_web_type)
@@ -5826,7 +5754,7 @@ index 0000000..8d4ac56
+corenet_sendrecv_ftp_client_packets(sandbox_web_type)
+corenet_sendrecv_ipp_client_packets(sandbox_web_type)
+corenet_sendrecv_generic_client_packets(sandbox_web_type)
-+# Should not need other ports
++
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
+
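Review bot: Dropping `# Should not need other ports` leaves the two `corenet_dontaudit_tcp_*_generic_port(sandbox_web_type)` lines that follow with no stated rationale, and a later reader may "fix" the dontaudit into an allow. The comment recorded a deliberate decision to silence rather than permit generic-port use; keep it in some form, e.g. `# Should not need other ports: silence generic-port denials rather than allowing them`. The same applies to the `# Browse the web, connect to printer` comment removed in the hunk above, which explained the block of corenet client rules.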
@@ -5910,7 +5838,6 @@ index 0000000..8d4ac56
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
+')
-+
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
index 1dc7a85..7455c19 100644
--- a/policy/modules/apps/seunshare.if
@@ -6249,10 +6176,10 @@ index 0000000..3d12484
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
new file mode 100644
-index 0000000..6cd47ee
+index 0000000..c7250ae
--- /dev/null
+++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,319 @@
+@@ -0,0 +1,320 @@
+
+policy_module(telepathy, 1.0.0)
+
@@ -6314,6 +6241,7 @@ index 0000000..6cd47ee
+corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
+corenet_tcp_connect_http_port(telepathy_msn_t)
+corenet_tcp_connect_msnp_port(telepathy_msn_t)
++corenet_tcp_connect_sametime_port(telepathy_msn_t)
+
+corecmd_exec_bin(telepathy_msn_t)
+corecmd_exec_shell(telepathy_msn_t)
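Review bot: `corenet_tcp_connect_sametime_port(telepathy_msn_t)` lets the MSN connection manager connect to port 1533 (the `sametime` port declared later in this commit), which is a different IM protocol from MSNP, and the commit message does not mention the new port at all. If the denial that prompted this came from a different connection manager that also speaks Sametime, the rule belongs on that domain rather than on `telepathy_msn_t`. At minimum add a why-comment on the line, e.g. `# observed connecting to 1533; see the AVC/bug reference`, so the odd port is not widened further without reason.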
@@ -7039,7 +6967,7 @@ index 9e5c83e..953e0e8 100644
+/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 2ecdde8..f118873 100644
+index 2ecdde8..bb4adcb 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -24,6 +24,7 @@ dev_node(ppp_device_t)
@@ -7161,7 +7089,7 @@ index 2ecdde8..f118873 100644
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -174,24 +194,27 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -174,24 +194,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -7171,6 +7099,7 @@ index 2ecdde8..f118873 100644
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
++network_port(sametime, tcp,1533,s0, udp,1533,s0)
network_port(sieve, tcp,4190,s0)
-network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
+network_port(sip, tcp,5060-5061,s0, udp,5060-5061,s0)
@@ -7193,7 +7122,7 @@ index 2ecdde8..f118873 100644
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -201,16 +224,17 @@ network_port(transproxy, tcp,8081,s0)
+@@ -201,16 +225,17 @@ network_port(transproxy, tcp,8081,s0)
network_port(ups, tcp,3493,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
@@ -7602,7 +7531,7 @@ index aad8c52..09d4b31 100644
+ dontaudit $1 domain:socket_class_set { read write };
+')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index 099f57f..ae62211 100644
+index 099f57f..d58ef64 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.8.1)
@@ -7692,7 +7621,7 @@ index 099f57f..ae62211 100644
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -160,3 +194,77 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +194,81 @@ allow unconfined_domain_type domain:key *;
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -7754,6 +7683,10 @@ index 099f57f..ae62211 100644
+')
+
+optional_policy(`
++ hal_dontaudit_read_pid_files(domain)
++')
++
++optional_policy(`
+ ifdef(`hide_broken_symptoms',`
+ afs_rw_udp_sockets(domain)
+ ')
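Review bot: `hal_dontaudit_read_pid_files(domain)` silences hal pid-file read denials for every domain on the system, which hides exactly the signal that would show a domain reading hal runtime content it should not. Dontaudits on the `domain` attribute are hard to undo later because nobody sees the denial again; prefer adding the dontaudit to the specific domain(s) that triggered it, or at least record which one did next to the call: `# silence hal pid reads seen from <domain>; see <bug>`.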
@@ -10527,10 +10460,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..177e89c
+index 0000000..799db36
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,462 @@
+@@ -0,0 +1,475 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -10548,6 +10481,13 @@ index 0000000..177e89c
+
+## <desc>
+## <p>
++## Allow vidio playing tools to tun unconfined
++## </p>
++## </desc>
++gen_tunable(unconfined_mplayer, false)
++
++## <desc>
++## <p>
+## Allow a user to login as an unconfined domain
+## </p>
+## </desc>
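Review bot: The `<desc>` text `Allow vidio playing tools to tun unconfined` has two typos and is user-visible, since it becomes the boolean description shown by the setsebool/semanage tooling; make it `## Allow video playing tools to run unconfined`. Note also that the default here is `false` while booleans-targeted.conf in this same commit sets `unconfined_mplayer=true`; pick one so the policy source and the shipped conf agree.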
@@ -10969,6 +10909,12 @@ index 0000000..177e89c
+ ')
+
+ optional_policy(`
++ tunable_policy(`unconfined_login',`
++ mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
++ ')
++ ')
++
++ optional_policy(`
+ openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
+ ')
+')
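Review bot: The new block tests `tunable_policy(`unconfined_login',` but guards `mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)`, so the mplayer transition is tied to the login boolean and the newly declared `unconfined_mplayer` tunable is never consulted in this hunk. This looks like a copy-paste of the neighbouring tunable name; the condition should read `tunable_policy(`unconfined_mplayer',`. As written, toggling `unconfined_mplayer` has no effect, and disabling `unconfined_login` would unexpectedly also stop mplayer from transitioning.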
@@ -11823,7 +11769,7 @@ index 9e39aa5..8603d4d 100644
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index c9e1a44..46d0960 100644
+index c9e1a44..2244b11 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,17 +13,14 @@
@@ -11850,7 +11796,7 @@ index c9e1a44..46d0960 100644
domain_type(httpd_$1_script_t)
role system_r types httpd_$1_script_t;
-+ search_dirs_pattern($1, httpd_sys_content_t, httpd_script_exec_type)
++ search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)
+
# This type is used for executable scripts files
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
@@ -15328,7 +15274,7 @@ index 35241ed..cbd01be 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f35b243..939877a 100644
+index f35b243..38a83ea 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t)
@@ -15623,7 +15569,7 @@ index f35b243..939877a 100644
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-+allow cronjob_t user_cron_spool_t:file create_lnk_perms;
++allow cronjob_t user_cron_spool_t:file manage_lnk_file_perms;
tunable_policy(`fcron_crond', `
allow crond_t user_cron_spool_t:file manage_file_perms;
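Review bot: `allow cronjob_t user_cron_spool_t:file manage_lnk_file_perms;` pairs the `file` class with a symlink permission set, so the net effect is that the cronjob domain may create, write, rename and unlink regular files of the user crontab spool type, not just symlinks. If the intent, suggested by the `_lnk_` macro and the `read_lnk_files_pattern` added just above, is symlink handling, the class should be `lnk_file`: `allow cronjob_t user_cron_spool_t:lnk_file manage_lnk_file_perms;`. If cron jobs really do need to rewrite spool files, that deserves a comment, since it lets a job modify the crontab that schedules it.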
@@ -15840,7 +15786,7 @@ index 2a0f1c1..ab82c3c 100644
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 39e901a..4ab36ba 100644
+index 39e901a..e385f2f 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -42,8 +42,10 @@ template(`dbus_role_template',`
@@ -15911,7 +15857,7 @@ index 39e901a..4ab36ba 100644
domtrans_pattern(system_dbusd_t, $2, $1)
-+ fs_search_cgroup_dirs($1)
++ fs_search_all($1)
+
dbus_system_bus_client($1)
dbus_connect_system_bus($1)
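Review bot: Replacing `fs_search_cgroup_dirs($1)` with `fs_search_all($1)` grants search on every filesystem type to every domain created through `dbus_system_domain`, a far wider grant than the cgroup-only one it replaces, and nothing in the hunk says which filesystem needed it. If the new need is one more specific type, add that interface next to the cgroup one instead; if the breadth is genuinely required, leave a comment naming the denial it fixes, e.g. `# dbus-activated services need to search <fs type> (bz#...)`, so it is not widened again without reason.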
@@ -18419,8 +18365,27 @@ index db4fd6f..c28a876 100644
')
allow $1 memcached_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
+index 55a3e2f..613c69d 100644
+--- a/policy/modules/services/milter.fc
++++ b/policy/modules/services/milter.fc
+@@ -1,3 +1,6 @@
++/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
++
++/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+ /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+ /usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+ /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+@@ -5,6 +8,7 @@
+ /var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ /var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+
++/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ /var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ /var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if
-index ed1af3c..96cba91 100644
+index ed1af3c..a000225 100644
--- a/policy/modules/services/milter.if
+++ b/policy/modules/services/milter.if
@@ -37,6 +37,8 @@ template(`milter_template',`
@@ -18457,6 +18422,71 @@ index ed1af3c..96cba91 100644
## Manage spamassassin milter state
## </summary>
## <param name="domain">
+@@ -100,3 +120,22 @@ interface(`milter_manage_spamass_state',`
+ manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ ')
++
++#######################################
++## <summary>
++## Delete dkim-milter PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`milter_delete_dkim_pid_files',`
++ gen_require(`
++ type dkim_milter_data_t;
++ ')
++
++ files_search_pids($1)
++ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
++')
+diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
+index 1b6dea0..6ba48ff 100644
+--- a/policy/modules/services/milter.te
++++ b/policy/modules/services/milter.te
+@@ -9,6 +9,13 @@ policy_module(milter, 1.2.1)
+ attribute milter_domains;
+ attribute milter_data_type;
+
++# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter
++milter_template(dkim)
++
++# type for the private key of dkim-milter
++type dkim_milter_private_key_t;
++files_type(dkim_milter_private_key_t)
++
+ # currently-supported milters are milter-greylist, milter-regex and spamass-milter
+ milter_template(greylist)
+ milter_template(regex)
+@@ -20,6 +27,23 @@ milter_template(spamass)
+ type spamass_milter_state_t;
+ files_type(spamass_milter_state_t)
+
++#######################################
++#
++# dkim-milter local policy
++#
++
++allow dkim_milter_t self:capability { kill setgid setuid };
++
++allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
++
++read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
++
++auth_use_nsswitch(dkim_milter_t)
++
++sysnet_dns_name_resolve(dkim_milter_t)
++
++mta_read_config(dkim_milter_t)
++
+ ########################################
+ #
+ # milter-greylist local policy
diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc
new file mode 100644
index 0000000..42bb2a3
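Review bot: `allow dkim_milter_t self:capability { kill setgid setuid };` grants `kill` with no explanation; setgid/setuid are expected for a daemon dropping privileges, but a milter signalling processes it does not own is unusual and deserves a why-comment, or removal if the denial is better handled with a dontaudit. `sysnet_dns_name_resolve(dkim_milter_t)` is also likely redundant with `auth_use_nsswitch(dkim_milter_t)` on the line before it, which in this policy base normally pulls in name resolution already; if so, drop the duplicate. The private-key rule is nicely scoped to reads only; a one-line comment stating that `dkim_milter_private_key_t` is meant to be readable by this domain alone would help keep it that way.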
@@ -20166,7 +20196,7 @@ index 2324d9e..1a1bfe4 100644
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 442cff9..9677236 100644
+index 442cff9..45ecee3 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -35,7 +35,7 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
@@ -20228,7 +20258,7 @@ index 442cff9..9677236 100644
')
optional_policy(`
-@@ -172,7 +183,7 @@ optional_policy(`
+@@ -172,12 +183,14 @@ optional_policy(`
')
optional_policy(`
@@ -20237,7 +20267,14 @@ index 442cff9..9677236 100644
')
optional_policy(`
-@@ -202,6 +213,13 @@ optional_policy(`
+ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+
++ init_dbus_chat(NetworkManager_t)
++
+ optional_policy(`
+ consolekit_dbus_chat(NetworkManager_t)
+ ')
+@@ -202,6 +215,13 @@ optional_policy(`
')
optional_policy(`
@@ -20251,7 +20288,7 @@ index 442cff9..9677236 100644
iptables_domtrans(NetworkManager_t)
')
-@@ -263,6 +281,7 @@ optional_policy(`
+@@ -263,6 +283,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -27013,7 +27050,7 @@ index 6f1e3c7..39c2bb3 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..81c0af8 100644
+index da2601a..4bc9fff 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -27028,7 +27065,7 @@ index da2601a..81c0af8 100644
')
role $1 types { xserver_t xauth_t iceauth_t };
-@@ -31,7 +32,7 @@ interface(`xserver_restricted_role',`
+@@ -31,12 +32,13 @@ interface(`xserver_restricted_role',`
allow xserver_t $2:shm rw_shm_perms;
domtrans_pattern($2, xserver_exec_t, xserver_t)
@@ -27037,7 +27074,13 @@ index da2601a..81c0af8 100644
allow xserver_t $2:shm rw_shm_perms;
-@@ -45,6 +46,7 @@ interface(`xserver_restricted_role',`
+ allow $2 user_fonts_t:dir list_dir_perms;
+ allow $2 user_fonts_t:file read_file_perms;
++ allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
+
+ allow $2 user_fonts_config_t:dir list_dir_perms;
+ allow $2 user_fonts_config_t:file read_file_perms;
+@@ -45,6 +47,7 @@ interface(`xserver_restricted_role',`
manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -27045,7 +27088,7 @@ index da2601a..81c0af8 100644
files_search_tmp($2)
# Communicate via System V shared memory.
-@@ -56,6 +58,10 @@ interface(`xserver_restricted_role',`
+@@ -56,6 +59,10 @@ interface(`xserver_restricted_role',`
domtrans_pattern($2, iceauth_exec_t, iceauth_t)
@@ -27056,7 +27099,7 @@ index da2601a..81c0af8 100644
allow $2 iceauth_home_t:file read_file_perms;
domtrans_pattern($2, xauth_exec_t, xauth_t)
-@@ -71,9 +77,13 @@ interface(`xserver_restricted_role',`
+@@ -71,9 +78,13 @@ interface(`xserver_restricted_role',`
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
allow $2 xdm_t:fifo_file { getattr read write ioctl };
@@ -27071,7 +27114,7 @@ index da2601a..81c0af8 100644
# Client read xserver shm
allow $2 xserver_t:fd use;
-@@ -89,14 +99,17 @@ interface(`xserver_restricted_role',`
+@@ -89,14 +100,17 @@ interface(`xserver_restricted_role',`
dev_write_misc($2)
# open office is looking for the following
dev_getattr_agp_dev($2)
@@ -27091,15 +27134,18 @@ index da2601a..81c0af8 100644
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -148,6 +161,7 @@ interface(`xserver_role',`
+@@ -148,8 +162,10 @@ interface(`xserver_role',`
allow $2 xauth_home_t:file manage_file_perms;
allow $2 xauth_home_t:file { relabelfrom relabelto };
+ mls_xwin_read_to_clearance($2)
manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
manage_files_pattern($2, user_fonts_t, user_fonts_t)
++ allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
-@@ -197,7 +211,7 @@ interface(`xserver_ro_session',`
+ relabel_files_pattern($2, user_fonts_t, user_fonts_t)
+
+@@ -197,7 +213,7 @@ interface(`xserver_ro_session',`
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -27108,7 +27154,7 @@ index da2601a..81c0af8 100644
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -291,12 +305,12 @@ interface(`xserver_user_client',`
+@@ -291,12 +307,12 @@ interface(`xserver_user_client',`
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -27124,7 +27170,7 @@ index da2601a..81c0af8 100644
allow $1 xdm_tmp_t:dir search;
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -355,6 +369,12 @@ template(`xserver_common_x_domain_template',`
+@@ -355,6 +371,12 @@ template(`xserver_common_x_domain_template',`
class x_property all_x_property_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
@@ -27137,7 +27183,7 @@ index da2601a..81c0af8 100644
')
##############################
-@@ -386,6 +406,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +408,15 @@ template(`xserver_common_x_domain_template',`
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
@@ -27153,7 +27199,7 @@ index da2601a..81c0af8 100644
')
#######################################
-@@ -476,11 +505,16 @@ template(`xserver_user_x_domain_template',`
+@@ -476,11 +507,16 @@ template(`xserver_user_x_domain_template',`
xserver_use_user_fonts($2)
xserver_read_xdm_tmp_files($2)
@@ -27170,13 +27216,21 @@ index da2601a..81c0af8 100644
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
-@@ -545,6 +579,27 @@ interface(`xserver_domtrans_xauth',`
+@@ -517,6 +553,7 @@ interface(`xserver_use_user_fonts',`
+ # Read per user fonts
+ allow $1 user_fonts_t:dir list_dir_perms;
+ allow $1 user_fonts_t:file read_file_perms;
++ allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
+
+ # Manipulate the global font cache
+ manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
+@@ -545,6 +582,27 @@ interface(`xserver_domtrans_xauth',`
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
-+ifdef(`hide_broken_symptoms', `
-+ dontaudit xauth_t $1:socket_class_set { read write };
-+')
++ ifdef(`hide_broken_symptoms', `
++ dontaudit xauth_t $1:socket_class_set { read write };
++ ')
+')
+
+########################################
@@ -27198,7 +27252,7 @@ index da2601a..81c0af8 100644
')
########################################
-@@ -598,6 +653,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +656,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -27206,7 +27260,7 @@ index da2601a..81c0af8 100644
')
########################################
-@@ -725,10 +781,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -725,10 +784,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
interface(`xserver_stream_connect_xdm',`
gen_require(`
type xdm_t, xdm_tmp_t;
@@ -27219,7 +27273,7 @@ index da2601a..81c0af8 100644
')
########################################
-@@ -805,7 +863,7 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +866,7 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -27228,7 +27282,7 @@ index da2601a..81c0af8 100644
')
########################################
-@@ -916,7 +974,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +977,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -27237,7 +27291,7 @@ index da2601a..81c0af8 100644
')
########################################
-@@ -963,6 +1021,44 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1024,44 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
@@ -27282,7 +27336,7 @@ index da2601a..81c0af8 100644
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -1072,6 +1168,8 @@ interface(`xserver_domtrans',`
+@@ -1072,6 +1171,8 @@ interface(`xserver_domtrans',`
allow $1 xserver_t:process siginh;
domtrans_pattern($1, xserver_exec_t, xserver_t)
@@ -27291,15 +27345,15 @@ index da2601a..81c0af8 100644
')
########################################
-@@ -1185,6 +1283,7 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1286,7 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
-+ allow xserver $1:shm rw_shm_perms;
++ allow xserver_t $1:shm rw_shm_perms;
')
########################################
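Review bot: The corrected rule `allow xserver_t $1:shm rw_shm_perms;` in `xserver_stream_connect` lets the X server read and write the calling domain's shared-memory segments, which is more than the interface name advertises and is granted to every caller of it. A one-line why-comment above the rule would make the grant auditable, e.g. `# xserver accesses shm segments of connecting clients`; the change from `xserver` to `xserver_t` itself looks right, since only the latter is a declared type. The enclosing interface starts before the hunk.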
-@@ -1224,9 +1323,20 @@ interface(`xserver_manage_core_devices',`
+@@ -1224,9 +1326,20 @@ interface(`xserver_manage_core_devices',`
class x_device all_x_device_perms;
class x_pointer all_x_pointer_perms;
class x_keyboard all_x_keyboard_perms;
@@ -27320,7 +27374,7 @@ index da2601a..81c0af8 100644
')
########################################
-@@ -1250,3 +1360,329 @@ interface(`xserver_unconfined',`
+@@ -1250,3 +1363,329 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
@@ -28961,10 +29015,19 @@ index 1c4b1e7..2997dd7 100644
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 7fddc24..304bc75 100644
+index 7fddc24..395f8f3 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
-@@ -66,6 +66,10 @@ interface(`auth_use_pam',`
+@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
+ auth_exec_pam($1)
+ auth_use_nsswitch($1)
+
++ init_rw_stream_sockets($1)
++
+ logging_send_audit_msgs($1)
+ logging_send_syslog_msg($1)
+
+@@ -66,6 +68,10 @@ interface(`auth_use_pam',`
optional_policy(`
consolekit_dbus_chat($1)
')
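Review bot: `init_rw_stream_sockets($1)` is added to `auth_use_pam`, so every domain that uses PAM gains read/write on init_t's unix stream sockets, and nothing in the hunk records which PAM module needs that access. The commit message explains the chfn/passwd change in terms of dbus messages to fprintd, which is a different access, so a why-comment would help later auditing, e.g. `# pam module talks to init over its unix stream socket -- TODO: record which module`. If only one or two login programs need this, placing the rule in their own policy rather than in the shared interface would keep the grant narrower. The interface body continues outside the hunk.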
@@ -28975,7 +29038,7 @@ index 7fddc24..304bc75 100644
')
optional_policy(`
-@@ -91,9 +95,12 @@ interface(`auth_use_pam',`
+@@ -91,9 +97,12 @@ interface(`auth_use_pam',`
interface(`auth_login_pgm_domain',`
gen_require(`
type var_auth_t, auth_cache_t;
@@ -28988,7 +29051,7 @@ index 7fddc24..304bc75 100644
domain_subj_id_change_exemption($1)
domain_role_change_exemption($1)
domain_obj_id_change_exemption($1)
-@@ -107,8 +114,10 @@ interface(`auth_login_pgm_domain',`
+@@ -107,8 +116,10 @@ interface(`auth_login_pgm_domain',`
allow $1 self:capability ipc_lock;
allow $1 self:process setkeycreate;
allow $1 self:key manage_key_perms;
@@ -28999,7 +29062,7 @@ index 7fddc24..304bc75 100644
manage_files_pattern($1, var_auth_t, var_auth_t)
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -126,6 +135,8 @@ interface(`auth_login_pgm_domain',`
+@@ -126,6 +137,8 @@ interface(`auth_login_pgm_domain',`
files_read_etc_files($1)
fs_list_auto_mountpoints($1)
@@ -29008,7 +29071,7 @@ index 7fddc24..304bc75 100644
selinux_get_fs_mount($1)
selinux_validate_context($1)
-@@ -141,6 +152,7 @@ interface(`auth_login_pgm_domain',`
+@@ -141,6 +154,7 @@ interface(`auth_login_pgm_domain',`
mls_process_set_level($1)
mls_fd_share_all_levels($1)
@@ -29016,7 +29079,7 @@ index 7fddc24..304bc75 100644
auth_use_pam($1)
init_rw_utmp($1)
-@@ -151,8 +163,38 @@ interface(`auth_login_pgm_domain',`
+@@ -151,8 +165,38 @@ interface(`auth_login_pgm_domain',`
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -29057,7 +29120,7 @@ index 7fddc24..304bc75 100644
')
')
-@@ -365,13 +407,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -365,13 +409,15 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
@@ -29074,7 +29137,7 @@ index 7fddc24..304bc75 100644
')
########################################
-@@ -418,6 +462,7 @@ interface(`auth_run_chk_passwd',`
+@@ -418,6 +464,7 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -29082,7 +29145,7 @@ index 7fddc24..304bc75 100644
')
########################################
-@@ -874,6 +919,26 @@ interface(`auth_exec_pam',`
+@@ -874,6 +921,26 @@ interface(`auth_exec_pam',`
########################################
## <summary>
@@ -29109,7 +29172,7 @@ index 7fddc24..304bc75 100644
## Manage var auth files. Used by various other applications
## and pam applets etc.
## </summary>
-@@ -1500,6 +1565,8 @@ interface(`auth_manage_login_records',`
+@@ -1500,6 +1567,8 @@ interface(`auth_manage_login_records',`
#
interface(`auth_use_nsswitch',`
@@ -29118,7 +29181,7 @@ index 7fddc24..304bc75 100644
files_list_var_lib($1)
# read /etc/nsswitch.conf
-@@ -1531,7 +1598,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1600,15 @@ interface(`auth_use_nsswitch',`
')
optional_policy(`
@@ -29510,7 +29573,7 @@ index 9775375..b338481 100644
#
# /var
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index f6aafe7..c504f34 100644
+index f6aafe7..f28524b 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -105,7 +105,11 @@ interface(`init_domain',`
@@ -29734,7 +29797,7 @@ index f6aafe7..c504f34 100644
## Execute a init script in a specified domain.
## </summary>
## <desc>
-@@ -849,8 +941,10 @@ interface(`init_script_file_domtrans',`
+@@ -849,8 +941,12 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -29742,10 +29805,12 @@ index f6aafe7..c504f34 100644
')
+ typeattribute $1 initrc_transition_domain;
++ # service script searches all filesystems via mountpoint
++ fs_search_all($1)
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
-@@ -1338,6 +1432,27 @@ interface(`init_dbus_send_script',`
+@@ -1338,6 +1434,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
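Review bot: `fs_search_all($1)` in `init_labeled_script_domtrans` gives every domain that transitions to an init script search access on all filesystem types, which is wider than the domain transition itself needs and applies to every caller of the interface. The comment names the trigger, but if only some callers' service scripts traverse mountpoints, the rule belongs in those callers' policy; otherwise the comment should state that the grant is intentionally global, e.g. `# service scripts search all filesystems via mountpoint; granted to every caller on purpose`. The interface's gen_require block begins before the hunk.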
@@ -29773,7 +29838,7 @@ index f6aafe7..c504f34 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1637,7 +1752,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1637,7 +1754,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -29782,7 +29847,7 @@ index f6aafe7..c504f34 100644
')
########################################
-@@ -1712,3 +1827,94 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1712,3 +1829,94 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -29878,7 +29943,7 @@ index f6aafe7..c504f34 100644
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index abab4cf..9f9b812 100644
+index abab4cf..a80b4c7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@@ -30329,10 +30394,11 @@ index abab4cf..9f9b812 100644
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -701,7 +882,12 @@ optional_policy(`
+@@ -701,7 +882,13 @@ optional_policy(`
')
optional_policy(`
++ milter_delete_dkim_pid_files(initrc_t)
+ milter_setattr_all_dirs(initrc_t)
+')
+
@@ -30342,7 +30408,7 @@ index abab4cf..9f9b812 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -724,6 +910,10 @@ optional_policy(`
+@@ -724,6 +911,10 @@ optional_policy(`
')
optional_policy(`
@@ -30353,7 +30419,7 @@ index abab4cf..9f9b812 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -745,6 +935,10 @@ optional_policy(`
+@@ -745,6 +936,10 @@ optional_policy(`
')
optional_policy(`
@@ -30364,7 +30430,7 @@ index abab4cf..9f9b812 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -766,8 +960,6 @@ optional_policy(`
+@@ -766,8 +961,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -30373,7 +30439,7 @@ index abab4cf..9f9b812 100644
')
optional_policy(`
-@@ -776,14 +968,21 @@ optional_policy(`
+@@ -776,14 +969,21 @@ optional_policy(`
')
optional_policy(`
@@ -30395,7 +30461,7 @@ index abab4cf..9f9b812 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1004,19 @@ optional_policy(`
+@@ -805,11 +1005,19 @@ optional_policy(`
')
optional_policy(`
@@ -30416,7 +30482,7 @@ index abab4cf..9f9b812 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1026,25 @@ optional_policy(`
+@@ -819,6 +1027,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -30442,7 +30508,7 @@ index abab4cf..9f9b812 100644
')
optional_policy(`
-@@ -844,3 +1070,55 @@ optional_policy(`
+@@ -844,3 +1071,55 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -31229,7 +31295,7 @@ index d97d16d..8b174c8 100644
## of shared libraries.
## </summary>
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index bf416a4..561a849 100644
+index bf416a4..99d7f60 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
@@ -31279,12 +31345,11 @@ index bf416a4..561a849 100644
puppet_rw_tmp(ldconfig_t)
')
-@@ -143,4 +153,4 @@ optional_policy(`
-
+@@ -144,3 +154,4 @@ optional_policy(`
optional_policy(`
unconfined_domain(ldconfig_t)
--')
-+')'
+ ')
++
diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
index 7570583..be6a81b 100644
--- a/policy/modules/system/locallogin.fc
@@ -34213,7 +34278,7 @@ index 025348a..59bc26b 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a054cf5..f99fdcb 100644
+index a054cf5..9f316ca 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
@@ -34233,7 +34298,15 @@ index a054cf5..f99fdcb 100644
kernel_read_system_state(udev_t)
kernel_request_load_module(udev_t)
-@@ -116,10 +117,13 @@ files_exec_etc_files(udev_t)
+@@ -111,15 +112,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+
+ files_read_usr_files(udev_t)
+ files_read_etc_runtime_files(udev_t)
+-files_read_etc_files(udev_t)
++
++# console_init manages files in /etc/sysconfig
++files_manage_etc_files(udev_t)
+ files_exec_etc_files(udev_t)
files_dontaudit_search_isid_type_dirs(udev_t)
files_getattr_generic_locks(udev_t)
files_search_mnt(udev_t)
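Review bot: `files_manage_etc_files(udev_t)` grants udev create, write and delete access to every etc_t file, but the comment above it only justifies writes under /etc/sysconfig by console_init. A dedicated type for the files console_init maintains, or an interface scoped to that directory, would keep udev from being able to rewrite arbitrary system configuration; if that is not practical, the comment should record that the grant is deliberately wider than the need, e.g. `# console_init manages files in /etc/sysconfig; no narrower type exists yet, so udev gets manage on all etc_t`. The removed `files_read_etc_files(udev_t)` is presumably subsumed by the manage interface, which is worth confirming against its definition, not in view here.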
@@ -34247,7 +34320,7 @@ index a054cf5..f99fdcb 100644
mcs_ptrace_all(udev_t)
-@@ -216,11 +220,16 @@ optional_policy(`
+@@ -216,11 +222,16 @@ optional_policy(`
')
optional_policy(`
@@ -34264,7 +34337,7 @@ index a054cf5..f99fdcb 100644
')
optional_policy(`
-@@ -233,6 +242,10 @@ optional_policy(`
+@@ -233,6 +244,10 @@ optional_policy(`
')
optional_policy(`
@@ -34275,7 +34348,7 @@ index a054cf5..f99fdcb 100644
lvm_domtrans(udev_t)
')
-@@ -259,6 +272,10 @@ optional_policy(`
+@@ -259,6 +274,10 @@ optional_policy(`
')
optional_policy(`
@@ -34286,7 +34359,7 @@ index a054cf5..f99fdcb 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -273,6 +290,11 @@ optional_policy(`
+@@ -273,6 +292,11 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 65e8e79..1b82efa 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -470,7 +470,7 @@ exit 0
%changelog
* Thu Aug 31 2010 Dan Walsh <dwalsh at redhat.com> 3.9.3-1
- Allow iptables to read shorewall tmp files
+Allow iptables to read shorewall tmp files
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr
intd
label vlc as an execmem_exec_t
diff --git a/sources b/sources
index 535c885..3c4a5ef 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-3e2c5dfff98731a4aee5548d3be54467 serefpolicy-3.9.3.tgz
+2330fe4b7094df0e0a453856db12e3a4 serefpolicy-3.9.3.tgz