[selinux-policy/f14/master] - Allow mdadm_t to create files and sock files in /dev/md/

Daniel J Walsh dwalsh at fedoraproject.org
Fri Sep 10 16:18:45 UTC 2010


commit 71257d5b9fc0379b1a0b97c0d1e8981962bc8ed0
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Sep 10 12:18:42 2010 -0400

    - Allow mdadm_t to create files and sock files in /dev/md/

 booleans-targeted.conf |    4 +
 modules-targeted.conf  |    7 +
 policy-F14.patch       |  469 ++++++++++++++++++++++++++++++++++++++++--------
 selinux-policy.spec    |    8 +-
 4 files changed, 411 insertions(+), 77 deletions(-)
---
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 872362c..44af619 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -110,6 +110,10 @@ httpd_tty_comm = false
 # 
 httpd_unified = false
 
+# Allow httpd to use avahi
+# 
+httpd_dbus_avahi = true
+
 # Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
 # 
 named_write_master_zones = false
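Review bot: The new `httpd_dbus_avahi` entry at the top of the hunk is the only boolean in this section that defaults to `true`, and its comment does not say what access it grants. The name suggests dbus communication between httpd and avahi, and a true default widens every targeted installation, so the comment should spell that out, e.g. `# Allow httpd to communicate with avahi over dbus (on by default; set to false where httpd does not need avahi)`. If the wider default is deliberate for F14, a one-line reason in the comment would save the next reader from guessing.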
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 3164f2c..1a70e73 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -25,6 +25,13 @@ accountsd = module
 # 
 acct = base
 
+# Layer: services
+# Module: ajaxterm
+#
+# Web Based Terminal
+# 
+ajaxterm = module
+
 # Layer: admin
 # Module: alsa
 #
diff --git a/policy-F14.patch b/policy-F14.patch
index 399f776..9324ac3 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -149,9 +149,34 @@ index 0000000..e9c43b1
 +.SH "SEE ALSO"
 +selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
 diff --git a/policy/global_tunables b/policy/global_tunables
-index 3316f6e..56af226 100644
+index 3316f6e..f85244d 100644
 --- a/policy/global_tunables
 +++ b/policy/global_tunables
+@@ -13,21 +13,21 @@ gen_tunable(allow_execheap,false)
+ 
+ ## <desc>
+ ## <p>
+-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
++## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
+ ## </p>
+ ## </desc>
+ gen_tunable(allow_execmem,false)
+ 
+ ## <desc>
+ ## <p>
+-## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
++## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
+ ## </p>
+ ## </desc>
+ gen_tunable(allow_execmod,false)
+ 
+ ## <desc>
+ ## <p>
+-## Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
++## Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
+ ## </p>
+ ## </desc>
+ gen_tunable(allow_execstack,false)
 @@ -61,15 +61,6 @@ gen_tunable(global_ssp,false)
  
  ## <desc>
@@ -1555,7 +1580,7 @@ index 7bddc02..2b59ed0 100644
 +
 +/var/db/sudo(/.*)?		gen_context(system_u:object_r:sudo_db_t,s0)
 diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 5f44f1b..464a11e 100644
+index 5f44f1b..2993130 100644
 --- a/policy/modules/admin/sudo.if
 +++ b/policy/modules/admin/sudo.if
 @@ -32,6 +32,7 @@ template(`sudo_role_template',`
@@ -1593,9 +1618,11 @@ index 5f44f1b..464a11e 100644
  
  	auth_run_chk_passwd($1_sudo_t, $2)
  	# sudo stores a token in the pam_pid directory
-@@ -134,12 +141,16 @@ template(`sudo_role_template',`
+@@ -133,13 +140,18 @@ template(`sudo_role_template',`
+ 	userdom_manage_user_tmp_files($1_sudo_t)
  	userdom_manage_user_tmp_symlinks($1_sudo_t)
  	userdom_use_user_terminals($1_sudo_t)
++	userdom_signal_unpriv_users($1_sudo_t)
  	# for some PAM modules and for cwd
 -	userdom_dontaudit_search_user_home_content($1_sudo_t)
 +	userdom_search_user_home_content($1_sudo_t)
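Review bot: `userdom_signal_unpriv_users($1_sudo_t)` is added without the why-comment its neighbours carry (`# sudo stores a token in the pam_pid directory`, `# for some PAM modules and for cwd`), so a reader cannot tell which sudo behaviour needs to signal unprivileged user processes. A short comment naming the trigger, e.g. `# sudo signals the invoking user's processes on <reason — TODO confirm>`, would match the file's style and make the widening reviewable. The `sudo_role_template` body continues outside the hunk.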
@@ -1889,10 +1916,10 @@ index 0000000..5ef90cd
 +
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..90c754f
+index 0000000..5725183
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,88 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -1955,6 +1982,8 @@ index 0000000..90c754f
 +miscfiles_read_localization(chrome_sandbox_t)
 +miscfiles_read_fonts(chrome_sandbox_t)
 +
++sysnet_dontaudit_read_config(chrome_sandbox_t)
++
 +optional_policy(`
 +	execmem_exec(chrome_sandbox_t)
 +')
@@ -3777,7 +3806,7 @@ index 9a6d67d..47aa143 100644
  ##	mozilla over dbus.
  ## </summary>
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..58899ca 100644
+index cbf4bec..3018e86 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -3850,7 +3879,7 @@ index cbf4bec..58899ca 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,78 @@ optional_policy(`
+@@ -266,3 +291,89 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -3878,6 +3907,8 @@ index cbf4bec..58899ca 100644
 +manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 +fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
 +
++can_exec(mozilla_plugin_t, mozilla_exec_t)
++
 +kernel_read_kernel_sysctls(mozilla_plugin_t)
 +kernel_read_system_state(mozilla_plugin_t)
 +kernel_request_load_module(mozilla_plugin_t)
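Review bot: `can_exec(mozilla_plugin_t, mozilla_exec_t)` lets the plugin domain run the browser binary while staying in mozilla_plugin_t, i.e. without the transition to mozilla_t that a `domtrans` would give. If the intent is that a plugin helper can relaunch the browser, the resulting process is confined as a plugin rather than as the browser, which may or may not be what is wanted; a comment recording the choice, e.g. `# plugin helpers exec the browser binary without a domain change`, would make it reviewable. The surrounding mozilla_plugin_t rules continue outside the hunk.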
@@ -3888,6 +3919,8 @@ index cbf4bec..58899ca 100644
 +dev_read_urand(mozilla_plugin_t)
 +dev_read_video_dev(mozilla_plugin_t)
 +dev_read_sysfs(mozilla_plugin_t)
++dev_read_sound(mozilla_plugin_t)
++dev_write_sound(mozilla_plugin_t)
 +
 +domain_use_interactive_fds(mozilla_plugin_t)
 +domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
@@ -3908,16 +3941,22 @@ index cbf4bec..58899ca 100644
 +userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
 +
 +optional_policy(`
++	alsa_read_rw_config(mozilla_plugin_t)
++')
++
++optional_policy(`
 +	dbus_read_lib_files(mozilla_plugin_t)
 +')
 +
 +optional_policy(`
 +	gnome_manage_home_config(mozilla_plugin_t)
++	gnome_setattr_config_dirs(mozilla_plugin_t)
 +')
 +
 +optional_policy(`
 +	nsplugin_domtrans(mozilla_plugin_t)
 +	nsplugin_rw_exec(mozilla_plugin_t)
++	nsplugin_manage_home_dirs(mozilla_plugin_t)
 +	nsplugin_manage_home_files(mozilla_plugin_t)
 +')
 +
@@ -3928,6 +3967,7 @@ index cbf4bec..58899ca 100644
 +optional_policy(`
 +	xserver_read_xdm_pid(mozilla_plugin_t)
 +	xserver_stream_connect(mozilla_plugin_t)
++	xserver_use_user_fonts(mozilla_plugin_t)
 +')
 diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
 index d8ea41d..8bdc526 100644
@@ -4031,10 +4071,10 @@ index 0000000..63abc5c
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
 new file mode 100644
-index 0000000..4dd9d05
+index 0000000..c779d44
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.if
-@@ -0,0 +1,374 @@
+@@ -0,0 +1,392 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -4321,6 +4361,24 @@ index 0000000..4dd9d05
 +
 +########################################
 +## <summary>
++##	manage nnsplugin home dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`nsplugin_manage_home_dirs',`
++	gen_require(`
++		type nsplugin_home_t;
++	')
++
++	manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
++')
++
++########################################
++## <summary>
 +##	Allow attempts to read and write to
 +##	nsplugin named pipes.
 +## </summary>
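Review bot: The summary of the new `nsplugin_manage_home_dirs` interface reads `manage nnsplugin home dirs.`, a typo that will be carried into the generated interface documentation. Suggest `##	Create, read, write, and delete nsplugin home directories.`, capitalised like the neighbouring summaries. The interface body itself (`manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)`) looks correct.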
@@ -6250,7 +6308,7 @@ index 0000000..3d12484
 +')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
 new file mode 100644
-index 0000000..c7250ae
+index 0000000..4aea465
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.te
 @@ -0,0 +1,320 @@
@@ -6531,7 +6589,7 @@ index 0000000..c7250ae
 +# telepathy domains common policy
 +#
 +
-+allow telepathy_domain self:process { getsched signal };
++allow telepathy_domain self:process { getsched signal sigkill };
 +allow telepathy_domain self:fifo_file rw_fifo_file_perms;
 +allow telepathy_domain self:tcp_socket create_socket_perms;
 +allow telepathy_domain self:udp_socket create_socket_perms;
@@ -6895,7 +6953,7 @@ index 82842a0..369c3b5 100644
  		dbus_system_bus_client($1_wm_t)
  		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0eb1d97..b267560 100644
+index 0eb1d97..23a1d11 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -9,8 +9,11 @@
@@ -6937,18 +6995,20 @@ index 0eb1d97..b267560 100644
  
  #
  # /sbin
-@@ -145,6 +154,10 @@ ifdef(`distro_gentoo',`
+@@ -145,6 +154,12 @@ ifdef(`distro_gentoo',`
  
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
-+/opt/gutenprint/cups/lib/filter(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/opt/google/talkplugin/cron(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++
++/opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +
 +/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
 +
  ifdef(`distro_gentoo',`
  /opt/RealPlayer/realplay(\.bin)?	gen_context(system_u:object_r:bin_t,s0)
  /opt/RealPlayer/postint(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -169,6 +182,7 @@ ifdef(`distro_gentoo',`
+@@ -169,6 +184,7 @@ ifdef(`distro_gentoo',`
  /usr/lib/fence(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -6956,15 +7016,19 @@ index 0eb1d97..b267560 100644
  /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -220,6 +234,7 @@ ifdef(`distro_gentoo',`
+@@ -218,8 +234,11 @@ ifdef(`distro_gentoo',`
+ /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  
++/usr/share/ajaxterm/qweb.py.* --	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/ajaxterm/ajaxterm.py.* --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/dayplanner/dayplanner --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/denyhosts/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/denyhosts/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -228,6 +243,8 @@ ifdef(`distro_gentoo',`
+@@ -228,6 +247,8 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
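Review bot: The new `/usr/share/ajaxterm/ajaxterm.py.*` entry (bin_t) also matches `/usr/share/ajaxterm/ajaxterm.py`, which the ajaxterm.fc hunk later in this same commit labels `ajaxterm_exec_t`, so the daemon's entry point has two candidate labels and the winner depends on file-context precedence rather than on intent. The entry point must end up as ajaxterm_exec_t for the `init_daemon_domain` transition in ajaxterm.te to fire, so the bin_t rule should exclude it — for example `/usr/share/ajaxterm/ajaxterm\.py[co] --	gen_context(system_u:object_r:bin_t,s0)` for the byte-compiled variants only — or be dropped in favour of the ajaxterm.fc rule. The unescaped `.` in both new patterns also matches more than a literal dot; `\.` is what the rest of this file uses (`\.sh`, `\.bin`).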
@@ -6973,7 +7037,7 @@ index 0eb1d97..b267560 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,6 +331,7 @@ ifdef(`distro_redhat', `
+@@ -314,6 +335,7 @@ ifdef(`distro_redhat', `
  /usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
@@ -6981,7 +7045,7 @@ index 0eb1d97..b267560 100644
  ')
  
  ifdef(`distro_suse', `
-@@ -340,3 +358,27 @@ ifdef(`distro_suse', `
+@@ -340,3 +362,27 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -7041,7 +7105,7 @@ index 9e5c83e..953e0e8 100644
 +/lib/udev/devices/ppp	-c	gen_context(system_u:object_r:ppp_device_t,s0)
 +/lib/udev/devices/net/.* -c	gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 2ecdde8..bb4adcb 100644
+index 2ecdde8..f15e5ba 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -24,6 +24,7 @@ dev_node(ppp_device_t)
@@ -7052,7 +7116,7 @@ index 2ecdde8..bb4adcb 100644
  
  ########################################
  #
-@@ -64,6 +65,7 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+@@ -64,20 +65,25 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
  type server_packet_t, packet_type, server_packet_type;
  
  network_port(afs_bos, udp,7007,s0)
@@ -7060,7 +7124,9 @@ index 2ecdde8..bb4adcb 100644
  network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
  network_port(afs_ka, udp,7004,s0)
  network_port(afs_pt, udp,7002,s0)
-@@ -72,12 +74,15 @@ network_port(agentx, udp,705,s0, tcp,705,s0)
+ network_port(afs_vl, udp,7003,s0)
+ network_port(agentx, udp,705,s0, tcp,705,s0)
++network_port(ajaxterm, tcp,8022,s0)
  network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
  network_port(amavisd_recv, tcp,10024,s0)
  network_port(amavisd_send, tcp,10025,s0)
@@ -7076,7 +7142,7 @@ index 2ecdde8..bb4adcb 100644
  type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
  network_port(certmaster, tcp,51235,s0)
  network_port(chronyd, udp,323,s0)
-@@ -85,6 +90,7 @@ network_port(clamd, tcp,3310,s0)
+@@ -85,6 +91,7 @@ network_port(clamd, tcp,3310,s0)
  network_port(clockspeed, udp,4041,s0)
  network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
  network_port(cobbler, tcp,25151,s0)
@@ -7084,7 +7150,7 @@ index 2ecdde8..bb4adcb 100644
  network_port(comsat, udp,512,s0)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
-@@ -97,7 +103,9 @@ network_port(dict, tcp,2628,s0)
+@@ -97,7 +104,9 @@ network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
  network_port(dns, udp,53,s0, tcp,53,s0)
  network_port(epmap, tcp,135,s0, udp,135,s0)
@@ -7094,7 +7160,7 @@ index 2ecdde8..bb4adcb 100644
  network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -109,7 +117,7 @@ network_port(hddtemp, tcp,7634,s0)
+@@ -109,7 +118,7 @@ network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -7103,7 +7169,7 @@ index 2ecdde8..bb4adcb 100644
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -123,30 +131,34 @@ network_port(iscsi, tcp,3260,s0)
+@@ -123,30 +132,34 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -7142,7 +7208,7 @@ index 2ecdde8..bb4adcb 100644
  network_port(ntp, udp,123,s0)
  network_port(ocsp, tcp,9080,s0)
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-@@ -154,12 +166,20 @@ network_port(pegasus_http, tcp,5988,s0)
+@@ -154,12 +167,20 @@ network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
  network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
  network_port(pingd, tcp,9125,s0)
@@ -7163,7 +7229,7 @@ index 2ecdde8..bb4adcb 100644
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pulseaudio, tcp,4713,s0)
-@@ -174,24 +194,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -174,24 +195,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -7196,7 +7262,7 @@ index 2ecdde8..bb4adcb 100644
  network_port(syslogd, udp,514,s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
-@@ -201,16 +225,17 @@ network_port(transproxy, tcp,8081,s0)
+@@ -201,16 +226,17 @@ network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -7560,10 +7626,36 @@ index eb9c360..20c2d34 100644
 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
  allow devices_unconfined_type mtrr_device_t:file *;
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index aad8c52..09d4b31 100644
+index aad8c52..0d8458a 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
-@@ -611,7 +611,7 @@ interface(`domain_read_all_domains_state',`
+@@ -474,6 +474,25 @@ interface(`domain_signal_all_domains',`
+ 
+ ########################################
+ ## <summary>
++##	Dontaudit sending general signals to all domains.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`domain_dontaudit_signal_all_domains',`
++	gen_require(`
++		attribute domain;
++	')
++
++	dontaudit $1 domain:process signal;
++')
++
++########################################
++## <summary>
+ ##	Send a null signal to all domains.
+ ## </summary>
+ ## <param name="domain">
+@@ -611,7 +630,7 @@ interface(`domain_read_all_domains_state',`
  
  ########################################
  ## <summary>
@@ -7572,7 +7664,7 @@ index aad8c52..09d4b31 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -630,7 +630,7 @@ interface(`domain_getattr_all_domains',`
+@@ -630,7 +649,7 @@ interface(`domain_getattr_all_domains',`
  
  ########################################
  ## <summary>
@@ -7581,7 +7673,7 @@ index aad8c52..09d4b31 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1473,3 +1473,22 @@ interface(`domain_unconfined',`
+@@ -1473,3 +1492,22 @@ interface(`domain_unconfined',`
  	typeattribute $1 set_curr_context;
  	typeattribute $1 process_uncond_exempt;
  ')
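Review bot: The new `domain_dontaudit_signal_all_domains` interface carries `## <rolecap/>`, which looks copied from a sibling allow interface; a dontaudit rule grants nothing to a role, so the tag presumably should be dropped to keep the generated role-capability documentation accurate. Apart from that the interface mirrors its siblings (`dontaudit $1 domain:process signal;` against `attribute domain`).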
@@ -8818,7 +8910,7 @@ index 437a42a..8d6d333 100644
 +')
 +
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 0dff98e..930062c 100644
+index 0dff98e..a09ab47 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -52,6 +52,7 @@ type anon_inodefs_t;
@@ -8842,7 +8934,14 @@ index 0dff98e..930062c 100644
  genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
  
  type configfs_t;
-@@ -106,6 +108,15 @@ fs_type(ibmasmfs_t)
+@@ -100,12 +102,22 @@ type hugetlbfs_t;
+ fs_type(hugetlbfs_t)
+ files_mountpoint(hugetlbfs_t)
+ fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
++dev_associate(hugetlbfs_t)
+ 
+ type ibmasmfs_t;
+ fs_type(ibmasmfs_t)
  allow ibmasmfs_t self:filesystem associate;
  genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
  
@@ -8858,7 +8957,7 @@ index 0dff98e..930062c 100644
  type inotifyfs_t;
  fs_type(inotifyfs_t)
  genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
-@@ -148,6 +159,12 @@ fs_type(squash_t)
+@@ -148,6 +160,12 @@ fs_type(squash_t)
  genfscon squash / gen_context(system_u:object_r:squash_t,s0)
  files_mountpoint(squash_t)
  
@@ -8871,7 +8970,7 @@ index 0dff98e..930062c 100644
  type vmblock_t;
  fs_noxattr_type(vmblock_t)
  files_mountpoint(vmblock_t)
-@@ -168,6 +185,7 @@ fs_type(tmpfs_t)
+@@ -168,6 +186,7 @@ fs_type(tmpfs_t)
  files_type(tmpfs_t)
  files_mountpoint(tmpfs_t)
  files_poly_parent(tmpfs_t)
@@ -8879,7 +8978,7 @@ index 0dff98e..930062c 100644
  
  # Use a transition SID based on the allocating task SID and the
  # filesystem SID to label inodes in the following filesystem types,
-@@ -247,6 +265,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -247,6 +266,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
@@ -11746,6 +11845,158 @@ index 97c9cae..c24bd66 100644
  optional_policy(`
  	ccs_stream_connect(aisexec_t)
  ')
+diff --git a/policy/modules/services/ajaxterm.fc b/policy/modules/services/ajaxterm.fc
+new file mode 100644
+index 0000000..aeb1888
+--- /dev/null
++++ b/policy/modules/services/ajaxterm.fc
+@@ -0,0 +1,6 @@
++
++/etc/rc\.d/init\.d/ajaxterm	--	gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
++
++/usr/share/ajaxterm/ajaxterm\.py	--	gen_context(system_u:object_r:ajaxterm_exec_t,s0)
++
++/var/run/ajaxterm\.pid		--	gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
+diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if
+new file mode 100644
+index 0000000..581ae6e
+--- /dev/null
++++ b/policy/modules/services/ajaxterm.if
+@@ -0,0 +1,72 @@
++
++## <summary>policy for ajaxterm</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run ajaxterm.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ajaxterm_domtrans',`
++	gen_require(`
++		type ajaxterm_t, ajaxterm_exec_t;
++	')
++
++	domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
++')
++
++
++########################################
++## <summary>
++##	Execute ajaxterm server in the ajaxterm domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`ajaxterm_initrc_domtrans',`
++	gen_require(`
++		type ajaxterm_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an ajaxterm environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`ajaxterm_admin',`
++	gen_require(`
++		type ajaxterm_t;
++		type ajaxterm_initrc_exec_t;
++	')
++
++	allow $1 ajaxterm_t:process { ptrace signal_perms };
++	ps_process_pattern($1, ajaxterm_t)
++
++	ajaxterm_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 ajaxterm_initrc_exec_t system_r;
++	allow $2 system_r;
++
++')
+diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te
+new file mode 100644
+index 0000000..3441758
+--- /dev/null
++++ b/policy/modules/services/ajaxterm.te
+@@ -0,0 +1,56 @@
++policy_module(ajaxterm,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ajaxterm_t;
++type ajaxterm_exec_t;
++init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
++
++type ajaxterm_initrc_exec_t;
++init_script_file(ajaxterm_initrc_exec_t)
++
++type ajaxterm_var_run_t;
++files_pid_file(ajaxterm_var_run_t)
++
++type ajaxterm_devpts_t;
++term_login_pty(ajaxterm_devpts_t)
++
++permissive ajaxterm_t;
++
++########################################
++#
++# ajaxterm local policy
++#
++allow ajaxterm_t self:capability setuid;
++allow ajaxterm_t self:process setpgid;
++allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
++allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
++allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
++
++allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
++term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
++
++manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
++manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
++files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
++
++kernel_read_system_state(ajaxterm_t)
++
++corecmd_exec_bin(ajaxterm_t)
++
++corenet_tcp_bind_generic_node(ajaxterm_t)
++corenet_tcp_bind_ajaxterm_port(ajaxterm_t)
++
++dev_read_urand(ajaxterm_t)
++
++domain_use_interactive_fds(ajaxterm_t)
++
++files_read_etc_files(ajaxterm_t)
++files_read_usr_files(ajaxterm_t)
++
++miscfiles_read_localization(ajaxterm_t)
++
++sysnet_dns_name_resolve(ajaxterm_t)
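Review bot: `ajaxterm_t` receives `setuid`, `term_create_pty`, `term_login_pty(ajaxterm_devpts_t)` and `corecmd_exec_bin`, but no domain transition for the program it starts on that pty, so if ajaxterm execs a login program (as those rules suggest — confirm against the daemon) the login and the shell behind it would remain in ajaxterm_t rather than entering a login/user domain, and `permissive ajaxterm_t;` would silently hide every resulting denial. Before the permissive line is removed, the transition should be made explicit (`locallogin_domtrans_local_login(ajaxterm_t)` or whichever program ajaxterm actually execs), with the session pty handed off accordingly. A comment on the permissive line such as `# bring-up only: remove once the login transition is in place` would record that it is temporary. Minor style: `ajaxterm_domtrans` indents its `<summary>` differently from the other two interfaces, there is a double blank line before `ajaxterm_initrc_domtrans`, and `ajaxterm_admin` ends with a stray blank line before `')`.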
 diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
 index adb3d5f..de26af5 100644
 --- a/policy/modules/services/amavis.if
@@ -15860,7 +16111,7 @@ index 2a0f1c1..ab82c3c 100644
  	snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
  	snmp_stream_connect(cyrus_t)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 39e901a..63c82b7 100644
+index 39e901a..87fc055 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
 @@ -42,8 +42,10 @@ template(`dbus_role_template',`
@@ -15971,7 +16222,7 @@ index 39e901a..63c82b7 100644
 +#
 +interface(`dbus_delete_pid_files',`
 +	gen_require(`
-+		type dbus_var_run_t;
++		type system_dbusd_var_run_t;
 +	')
 +
 +	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
@@ -16582,9 +16833,21 @@ index c92403b..f50e0f1 100644
  kernel_read_kernel_sysctls(fetchmail_t)
  kernel_list_proc(fetchmail_t)
 diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
-index 7df52c7..54fada0 100644
+index 7df52c7..899feaf 100644
 --- a/policy/modules/services/fprintd.te
 +++ b/policy/modules/services/fprintd.te
+@@ -17,9 +17,9 @@ files_type(fprintd_var_lib_t)
+ # Local policy
+ #
+ 
+-allow fprintd_t self:capability sys_ptrace;
++allow fprintd_t self:capability { sys_nice sys_ptrace };
+ allow fprintd_t self:fifo_file rw_fifo_file_perms;
+-allow fprintd_t self:process { getsched signal };
++allow fprintd_t self:process { getsched setsched signal };
+ 
+ manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+ manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
 @@ -54,4 +54,5 @@ optional_policy(`
  	policykit_read_lib(fprintd_t)
  	policykit_dbus_chat(fprintd_t)
@@ -20764,7 +21027,7 @@ index 4996f62..975deca 100644
  kernel_read_kernel_sysctls(openct_t)
  kernel_list_proc(openct_t)
 diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
-index f3d5790..196f2a2 100644
+index f3d5790..4c61aa5 100644
 --- a/policy/modules/services/openvpn.te
 +++ b/policy/modules/services/openvpn.te
 @@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t)
@@ -20808,7 +21071,7 @@ index f3d5790..196f2a2 100644
  
  corecmd_exec_bin(openvpn_t)
  corecmd_exec_shell(openvpn_t)
-@@ -113,6 +121,8 @@ sysnet_manage_config(openvpn_t)
+@@ -113,19 +121,19 @@ sysnet_manage_config(openvpn_t)
  sysnet_etc_filetrans_config(openvpn_t)
  
  userdom_use_user_terminals(openvpn_t)
@@ -20816,8 +21079,22 @@ index f3d5790..196f2a2 100644
 +userdom_attach_admin_tun_iface(openvpn_t)
  
  tunable_policy(`openvpn_enable_homedirs',`
- 	userdom_read_user_home_content_files(openvpn_t)
-@@ -138,3 +148,7 @@ optional_policy(`
+-	userdom_read_user_home_content_files(openvpn_t)
++	userdom_search_user_home_dirs(openvpn_t)
+ ')
+ 
+ tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
+         fs_read_nfs_files(openvpn_t)
+-        fs_read_nfs_symlinks(openvpn_t)
+ ')  
+ 
+ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+         fs_read_cifs_files(openvpn_t)
+-        fs_read_cifs_symlinks(openvpn_t)
+ ')  
+ 
+ optional_policy(`
+@@ -138,3 +146,7 @@ optional_policy(`
  
  	networkmanager_dbus_chat(openvpn_t)
  ')
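Review bot: The `openvpn_enable_homedirs` branch now grants only `userdom_search_user_home_dirs(openvpn_t)` where it previously read home content files, and the nfs/cifs branches lose their symlink reads; the tunable's `<desc>` in the declarations section (outside this hunk) presumably still promises read access to home directories and should be reworded to match, e.g. `Allow openvpn to search user home directories`. If the narrowing is intentional, a one-line comment in the branch stating what openvpn still needs from the home directory would explain why search alone suffices.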
@@ -27822,7 +28099,7 @@ index da2601a..4bc9fff 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index e226da4..9b9e013 100644
+index e226da4..5fbf38f 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false)
@@ -28263,7 +28540,7 @@ index e226da4..9b9e013 100644
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -410,18 +560,22 @@ dev_setattr_xserver_misc_dev(xdm_t)
+@@ -410,18 +560,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
  dev_getattr_misc_dev(xdm_t)
  dev_setattr_misc_dev(xdm_t)
  dev_dontaudit_rw_misc(xdm_t)
@@ -28286,10 +28563,11 @@ index e226da4..9b9e013 100644
  # Do not audit denied probes of /proc.
  domain_dontaudit_read_all_domains_state(xdm_t)
 +domain_dontaudit_ptrace_all_domains(xdm_t)
++domain_dontaudit_signal_all_domains(xdm_t)
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -432,9 +586,17 @@ files_list_mnt(xdm_t)
+@@ -432,9 +587,17 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -28307,7 +28585,7 @@ index e226da4..9b9e013 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -443,28 +605,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -443,28 +606,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -28346,7 +28624,7 @@ index e226da4..9b9e013 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -473,6 +643,13 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -473,6 +644,13 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -28360,7 +28638,7 @@ index e226da4..9b9e013 100644
  
  xserver_rw_session(xdm_t, xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -504,11 +681,17 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -504,11 +682,17 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -28378,7 +28656,7 @@ index e226da4..9b9e013 100644
  ')
  
  optional_policy(`
-@@ -516,12 +699,51 @@ optional_policy(`
+@@ -516,12 +700,51 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28430,7 +28708,7 @@ index e226da4..9b9e013 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -539,20 +761,64 @@ optional_policy(`
+@@ -539,20 +762,64 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28497,7 +28775,7 @@ index e226da4..9b9e013 100644
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -561,7 +827,6 @@ optional_policy(`
+@@ -561,7 +828,6 @@ optional_policy(`
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -28505,7 +28783,7 @@ index e226da4..9b9e013 100644
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -572,6 +837,10 @@ optional_policy(`
+@@ -572,6 +838,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28516,7 +28794,7 @@ index e226da4..9b9e013 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -596,7 +865,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -596,7 +866,7 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -28525,7 +28803,7 @@ index e226da4..9b9e013 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -610,6 +879,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -610,6 +880,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -28544,7 +28822,7 @@ index e226da4..9b9e013 100644
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +910,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -629,12 +911,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -28566,7 +28844,7 @@ index e226da4..9b9e013 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +930,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -642,6 +931,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -28574,7 +28852,7 @@ index e226da4..9b9e013 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -668,7 +957,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -668,7 +958,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -28582,7 +28860,7 @@ index e226da4..9b9e013 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -678,8 +966,13 @@ dev_wx_raw_memory(xserver_t)
+@@ -678,8 +967,13 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -28596,7 +28874,7 @@ index e226da4..9b9e013 100644
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
  files_read_usr_files(xserver_t)
-@@ -693,8 +986,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -693,8 +987,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -28610,7 +28888,7 @@ index e226da4..9b9e013 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1014,14 @@ logging_send_audit_msgs(xserver_t)
+@@ -716,11 +1015,14 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -28625,7 +28903,7 @@ index e226da4..9b9e013 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1074,28 @@ optional_policy(`
+@@ -773,12 +1075,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28655,7 +28933,7 @@ index e226da4..9b9e013 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -787,6 +1104,10 @@ optional_policy(`
+@@ -787,6 +1105,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28666,7 +28944,7 @@ index e226da4..9b9e013 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -802,10 +1123,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -802,10 +1124,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -28679,7 +28957,7 @@ index e226da4..9b9e013 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -826,6 +1147,13 @@ init_use_fds(xserver_t)
+@@ -826,6 +1148,13 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -28693,7 +28971,7 @@ index e226da4..9b9e013 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -841,11 +1169,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -841,11 +1170,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -28710,7 +28988,7 @@ index e226da4..9b9e013 100644
  ')
  
  optional_policy(`
-@@ -991,3 +1322,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+@@ -991,3 +1323,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
  allow xserver_unconfined_type xextension_type:x_extension *;
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -31974,10 +32252,18 @@ index 86ef2da..7f649d5 100644
  ')
  
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 7711464..63c1b2f 100644
+index 7711464..1f0ccfd 100644
 --- a/policy/modules/system/miscfiles.fc
 +++ b/policy/modules/system/miscfiles.fc
-@@ -75,13 +75,11 @@ ifdef(`distro_redhat',`
+@@ -11,6 +11,7 @@ ifdef(`distro_gentoo',`
+ /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
+ /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
+ /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
++/etc/httpd/alias/[^/]*\.db(\.[^/]*)*	-- 	gen_context(system_u:object_r:cert_t,s0)
+ 
+ ifdef(`distro_redhat',`
+ /etc/sysconfig/clock	--	gen_context(system_u:object_r:locale_t,s0)
+@@ -75,13 +76,11 @@ ifdef(`distro_redhat',`
  /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
  /var/cache/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
  
@@ -32761,22 +33047,53 @@ index fca6947..a2f7102 100644
 +sysnet_dns_name_resolve(showmount_t)
 +
 +userdom_use_user_terminals(showmount_t)
+diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
+index ed9c70d..42d3890 100644
+--- a/policy/modules/system/raid.fc
++++ b/policy/modules/system/raid.fc
+@@ -1,4 +1,5 @@
+-/dev/.mdadm.map		--	gen_context(system_u:object_r:mdadm_map_t,s0)
++/dev/.mdadm\.map	--	gen_context(system_u:object_r:mdadm_var_run_t,s0)
++/dev/md(/.*)?			gen_context(system_u:object_r:mdadm_var_run_t,s0)
+ 
+ /sbin/mdadm		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
+ /sbin/mdmpd		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
 diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
-index 09845c4..2fe5969 100644
+index 09845c4..6500830 100644
 --- a/policy/modules/system/raid.te
 +++ b/policy/modules/system/raid.te
-@@ -30,8 +30,9 @@ allow mdadm_t self:fifo_file rw_fifo_file_perms;
- allow mdadm_t mdadm_map_t:file manage_file_perms;
- dev_filetrans(mdadm_t, mdadm_map_t, file)
+@@ -10,11 +10,9 @@ type mdadm_exec_t;
+ init_daemon_domain(mdadm_t, mdadm_exec_t)
+ role system_r types mdadm_t;
+ 
+-type mdadm_map_t;
+-files_type(mdadm_map_t)
+-
+-type mdadm_var_run_t;
++type mdadm_var_run_t alias mdadm_map_t;
+ files_pid_file(mdadm_var_run_t)
++dev_associate(mdadm_var_run_t)
  
+ ########################################
+ #
+@@ -26,12 +24,11 @@ dontaudit mdadm_t self:capability sys_tty_config;
+ allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
+ allow mdadm_t self:fifo_file rw_fifo_file_perms;
+ 
+-# create .mdadm files in /dev
+-allow mdadm_t mdadm_map_t:file manage_file_perms;
+-dev_filetrans(mdadm_t, mdadm_map_t, file)
+-
 +manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
  manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
 -files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
++manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
 +files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
++dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
  
  kernel_read_system_state(mdadm_t)
  kernel_read_kernel_sysctls(mdadm_t)
-@@ -52,13 +53,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
+@@ -52,13 +49,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
  dev_read_realtime_clock(mdadm_t)
  # unfortunately needed for DMI decoding:
  dev_read_raw_memory(mdadm_t)
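Review bot: The added `dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })` has no name restriction, so every file, directory or socket mdadm_t creates directly in a device_t directory, not only under /dev/md/, is labelled mdadm_var_run_t; this mirrors the removed unrestricted `dev_filetrans(mdadm_t, mdadm_map_t, file)` but now for three object classes. If name-based transitions are not available to this policy build, a comment above the line such as `# unrestricted: anything mdadm_t creates in /dev becomes mdadm_var_run_t` would record the trade-off. Separately, `manage_sock_files_pattern` is granted for mdadm_var_run_t while `files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })` still omits sock_file, so a socket created under /var/run would presumably keep the directory's default label; adding sock_file there too keeps the two transitions consistent if mdadm creates sockets in both places. The `type mdadm_var_run_t alias mdadm_map_t;` alias keeps any external reference to mdadm_map_t compiling, which is the right way to fold the two types together.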
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ad2d720..aa02f9a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.3
-Release: 2%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
 %endif
 
 %changelog
+* Thu Sep 8 2010 Dan Walsh <dwalsh at redhat.com> 3.9.3-4
+- Allow mdadm_t to create files and sock files in /dev/md/
+
+* Thu Sep 8 2010 Dan Walsh <dwalsh at redhat.com> 3.9.3-3
+- Add policy for ajaxterm
+
 * Wed Sep 8 2010 Dan Walsh <dwalsh at redhat.com> 3.9.3-2
 - Handle /var/db/sudo
 - Allow pulseaudio to read alsa config

