[selinux-policy] - Cleanup policy via dgrift - Allow dovecot_deliver to append to inherited log files - Lots of fixes
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Sep 23 21:40:44 UTC 2010
commit 42c814d215ec54a9ad5dee62966a19089d10f956
Author: Dan Walsh <dwalsh at redhat.com>
Date: Thu Sep 23 17:40:24 2010 -0400
- Cleanup policy via dgrift
- Allow dovecot_deliver to append to inherited log files
- Lots of fixes for consolehelper
policy-F14.patch | 977 +++++++++++++++++++++++++++++++++++++++++++--------
selinux-policy.spec | 7 +-
2 files changed, 838 insertions(+), 146 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 2b4238e..a644247 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -6592,7 +6592,7 @@ index e70b0e8..cd83b89 100644
/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
-index ced285a..d73e7c8 100644
+index ced285a..2e50976 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -25,6 +25,7 @@ template(`userhelper_role_template',`
@@ -6603,7 +6603,7 @@ index ced285a..d73e7c8 100644
')
########################################
-@@ -256,3 +257,58 @@ interface(`userhelper_exec',`
+@@ -256,3 +257,61 @@ interface(`userhelper_exec',`
can_exec($1, userhelper_exec_t)
')
@@ -6653,20 +6653,23 @@ index ced285a..d73e7c8 100644
+
+ auth_use_pam($1_consolehelper_t)
+
++ userdom_manage_tmpfs_role($2, $1_consolehelper_t)
++
+ optional_policy(`
+ shutdown_run($1_consolehelper_t, $2)
+ shutdown_send_sigchld($3)
+ ')
+
+ optional_policy(`
++ xserver_run_xauth($1_consolehelper_t, $2)
+ xserver_read_xdm_pid($1_consolehelper_t)
+ ')
+')
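Review bot: `userdom_manage_tmpfs_role($2, $1_consolehelper_t)` gives the consolehelper domain create/write/delete rights over the user's tmpfs objects with nothing saying what needs them, and since consolehelper is the setuid hop into root-run tools every grant in this template should carry a stated reason. The same applies to `xserver_run_xauth($1_consolehelper_t, $2)` added just below and to `allow consolehelper_domain self:shm create_shm_perms;` in the userhelper.te hunk further down. A one-liner such as `# tmpfs/shm: shared memory for the consolehelper prompt — confirm against the denial` would record the intent and let a later reader try a read-only interface instead. The enclosing role template begins outside this hunk.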
diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
-index d584dff..f62c171 100644
+index d584dff..b46a20e 100644
--- a/policy/modules/apps/userhelper.te
+++ b/policy/modules/apps/userhelper.te
-@@ -6,9 +6,54 @@ policy_module(userhelper, 1.5.1)
+@@ -6,9 +6,61 @@ policy_module(userhelper, 1.5.1)
#
attribute userhelper_type;
@@ -6686,6 +6689,7 @@ index d584dff..f62c171 100644
+# consolehelper local policy
+#
+
++allow consolehelper_domain self:shm create_shm_perms;
+allow consolehelper_domain self:capability { setgid setuid };
+
+dontaudit consolehelper_domain userhelper_conf_t:file write;
@@ -6711,14 +6715,20 @@ index d584dff..f62c171 100644
+init_read_utmp(consolehelper_domain)
+
+miscfiles_read_localization(consolehelper_domain)
++miscfiles_read_fonts(consolehelper_domain)
+
+userhelper_exec(consolehelper_domain)
+
+userdom_use_user_ptys(consolehelper_domain)
+userdom_use_user_ttys(consolehelper_domain)
-+userdom_search_user_home_content(consolehelper_domain)
++userdom_read_user_home_content_files(consolehelper_domain)
+
+optional_policy(`
++ gnome_read_gconf_home_files(consolehelper_domain)
++')
++
++optional_policy(`
++ xserver_read_home_fonts(consolehelper_domain)
+ xserver_stream_connect(consolehelper_domain)
+')
diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc
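Review bot: `userdom_read_user_home_content_files(consolehelper_domain)` replaces a directory-search grant with read access to every user_home_content file for a domain that runs setuid on the user's behalf, a much wider exposure of home-directory contents than the removed `userdom_search_user_home_content`. The same hunk adds the narrower `gnome_read_gconf_home_files` and `xserver_read_home_fonts`, so if gconf and fonts were the triggering denials the broad read is likely redundant. If some other dotfile is required, name it next to the rule: `# consolehelper reads <which file> under $HOME; no narrower home type exists` (placeholder to fill in). The consolehelper_domain block this belongs to begins outside the hunk.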
@@ -6928,7 +6938,7 @@ index 82842a0..369c3b5 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0eb1d97..93c9ec1 100644
+index 0eb1d97..794a0eb 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -9,8 +9,11 @@
@@ -6992,7 +7002,17 @@ index 0eb1d97..93c9ec1 100644
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -218,8 +235,11 @@ ifdef(`distro_gentoo',`
+@@ -205,7 +222,8 @@ ifdef(`distro_gentoo',`
+ /usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/libsexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+ /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+
+@@ -218,8 +236,11 @@ ifdef(`distro_gentoo',`
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
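Review bot: Labelling `/usr/libexec/git-core/git-shell` as `shell_exec_t` makes it runnable by every domain that has `corecmd_exec_shell()` and treats it as a login shell like the `sesh` and `smrsh` entries beside it, so a git-only account gets the same shell transition as a full shell; that is presumably the intent, but a comment stating the restricted-login use case would keep the next reviewer from relabelling it back to bin_t. Suggested line above the new entry: `# git-shell is a restricted login shell; shell_exec_t so login-shell transitions work`. The `/usr/libsexec/sesh` to `/usr/libexec/sesh` correction is a genuine labelling fix, since the old pattern could never match and sesh fell under the generic `/usr/libexec(/.*)?` bin_t rule, and is worth calling out in the changelog.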
@@ -7004,7 +7024,7 @@ index 0eb1d97..93c9ec1 100644
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -228,6 +248,8 @@ ifdef(`distro_gentoo',`
+@@ -228,6 +249,8 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -7013,7 +7033,7 @@ index 0eb1d97..93c9ec1 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,6 +336,7 @@ ifdef(`distro_redhat', `
+@@ -314,6 +337,7 @@ ifdef(`distro_redhat', `
/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
@@ -7021,7 +7041,7 @@ index 0eb1d97..93c9ec1 100644
')
ifdef(`distro_suse', `
-@@ -340,3 +363,27 @@ ifdef(`distro_suse', `
+@@ -340,3 +364,27 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -18305,7 +18325,7 @@ index e1d7dc5..ee51a19 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index cbe14e4..aff2296 100644
+index cbe14e4..396f956 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -18409,7 +18429,7 @@ index cbe14e4..aff2296 100644
logging_send_syslog_msg(dovecot_deliver_t)
-logging_search_logs(dovecot_auth_t)
-+logging_search_logs(dovecot_deliver_t)
++logging_append_all_logs(dovecot_deliver_t)
miscfiles_read_localization(dovecot_deliver_t)
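Review bot: `logging_append_all_logs(dovecot_deliver_t)` grants append on every type carrying the logfile attribute, far more than the single inherited descriptor the commit message describes. If that descriptor comes from the MTA that execs deliver, granting append on that caller's specific log type (or a dontaudit, if the write is not functionally needed) keeps the local delivery agent from being able to append to other daemons' logs. At minimum record the origin next to the rule: `# deliver inherits an open log fd from its caller; append only, no open`.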
@@ -23480,7 +23500,7 @@ index 8581040..89e1edf 100644
allow $1 nagios_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index da5b33d..61a3920 100644
+index da5b33d..3b620e3 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -107,13 +107,11 @@ files_read_etc_files(nagios_t)
@@ -23519,6 +23539,15 @@ index da5b33d..61a3920 100644
optional_policy(`
apache_content_template(nagios)
typealias httpd_nagios_script_t alias nagios_cgi_t;
+@@ -180,7 +179,7 @@ optional_policy(`
+ #
+
+ allow nrpe_t self:capability { setuid setgid };
+-dontaudit nrpe_t self:capability {sys_tty_config sys_resource};
++dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
+ allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
+ allow nrpe_t self:fifo_file rw_fifo_file_perms;
+ allow nrpe_t self:tcp_socket create_stream_socket_perms;
@@ -270,7 +269,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
@@ -24068,6 +24097,19 @@ index 23c769c..be5a5b4 100644
+ files_list_pids($1)
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
+diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
+index ded9fb6..9d1e60a 100644
+--- a/policy/modules/services/ntop.te
++++ b/policy/modules/services/ntop.te
+@@ -51,7 +51,7 @@ files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
+
+ manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
+ manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
+-files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } )
++files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir })
+
+ manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
+ files_pid_filetrans(ntop_t, ntop_var_run_t, file)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index e80f8c0..694b002 100644
--- a/policy/modules/services/ntp.if
@@ -24134,7 +24176,7 @@ index 79a225c..cbb2bce 100644
filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
')
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
-index ebb9582..c1825de 100644
+index ebb9582..1c72c6e 100644
--- a/policy/modules/services/nx.te
+++ b/policy/modules/services/nx.te
@@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t)
@@ -24147,6 +24189,15 @@ index ebb9582..c1825de 100644
########################################
#
# NX server local policy
+@@ -36,7 +39,7 @@ allow nx_server_t self:fifo_file rw_fifo_file_perms;
+ allow nx_server_t self:tcp_socket create_socket_perms;
+ allow nx_server_t self:udp_socket create_socket_perms;
+
+-allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
++allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ term_create_pty(nx_server_t, nx_server_devpts_t)
+
+ manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
@@ -50,6 +53,9 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
@@ -24157,6 +24208,21 @@ index ebb9582..c1825de 100644
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
+@@ -83,10 +89,10 @@ seutil_dontaudit_search_config(nx_server_t)
+ sysnet_read_config(nx_server_t)
+
+ ifdef(`TODO',`
+-# clients already have create permissions; the nxclient wants to also have unlink rights
+-allow userdomain xdm_tmp_t:sock_file unlink;
+-# for a lockfile created by the client process
+-allow nx_server_t user_tmpfile:file getattr;
++ # clients already have create permissions; the nxclient wants to also have unlink rights
++ allow userdomain xdm_tmp_t:sock_file delete_sock_file_perms;
++ # for a lockfile created by the client process
++ allow nx_server_t user_tmpfile:file getattr_file_perms;
+ ')
+
+ ########################################
diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc
index bdf8c89..5ee1598 100644
--- a/policy/modules/services/oddjob.fc
@@ -24243,10 +24309,26 @@ index bd76ec2..ca6517b 100644
## <summary>
## Execute a domain transition to run oddjob_mkhomedir.
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
-index cadfc63..ef6919f 100644
+index cadfc63..c8f4d64 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
-@@ -99,8 +99,7 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
+@@ -7,7 +7,6 @@ policy_module(oddjob, 1.7.0)
+
+ type oddjob_t;
+ type oddjob_exec_t;
+-domain_type(oddjob_t)
+ init_daemon_domain(oddjob_t, oddjob_exec_t)
+ domain_obj_id_change_exemption(oddjob_t)
+ domain_role_change_exemption(oddjob_t)
+@@ -15,7 +14,6 @@ domain_subj_id_change_exemption(oddjob_t)
+
+ type oddjob_mkhomedir_t;
+ type oddjob_mkhomedir_exec_t;
+-domain_type(oddjob_mkhomedir_t)
+ domain_obj_id_change_exemption(oddjob_mkhomedir_t)
+ init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+ oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+@@ -99,8 +97,6 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
# Add/remove user home directories
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
@@ -24254,9 +24336,9 @@ index cadfc63..ef6919f 100644
-userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
-userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
+-
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content(oddjob_mkhomedir_t)
-
diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if
index bb4fae5..b1b5e51 100644
--- a/policy/modules/services/oident.if
@@ -24327,9 +24409,30 @@ index bb4fae5..b1b5e51 100644
+ admin_pattern($1, oidentd_config_t)
+')
diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te
-index 0a244b1..9097656 100644
+index 0a244b1..73c1fa5 100644
--- a/policy/modules/services/oident.te
+++ b/policy/modules/services/oident.te
+@@ -1,4 +1,4 @@
+-policy_module(oident, 2.1.0)
++policy_module(oident, 2.1.0)
+
+ ########################################
+ #
+@@ -26,10 +26,10 @@ files_config_file(oidentd_config_t)
+ #
+
+ allow oidentd_t self:capability { setuid setgid };
+-allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+-allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
+-allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
+-allow oidentd_t self:udp_socket { write read create connect getattr ioctl };
++allow oidentd_t self:netlink_route_socket create_netlink_socket_perms;
++allow oidentd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++allow oidentd_t self:tcp_socket create_stream_socket_perms;
++allow oidentd_t self:udp_socket create_socket_perms;
+ allow oidentd_t self:unix_dgram_socket { create connect };
+
+ allow oidentd_t oidentd_config_t:file read_file_perms;
@@ -48,6 +48,7 @@ kernel_read_kernel_sysctls(oidentd_t)
kernel_read_network_state(oidentd_t)
kernel_read_network_state_symlinks(oidentd_t)
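Review bot: Swapping `{ write getattr read bind create nlmsg_read }` on `netlink_route_socket` for `create_netlink_socket_perms` adds `nlmsg_write`, so oidentd could now alter routes and interface state instead of only querying them; `r_netlink_socket_perms`, already used elsewhere in this patch, keeps the read-only intent: `allow oidentd_t self:netlink_route_socket r_netlink_socket_perms;`. The `netlink_tcpdiag_socket` line widens in the same way. The pads.te hunk further down makes the identical route-socket substitution and additionally turns `packet_socket { ioctl setopt getopt read bind create }` into `create_socket_perms`, which adds `write` — for a passive detection daemon that is the ability to inject raw frames it never had. Keep the explicit read-only lists there, or at least leave `write` out of the set.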
@@ -24367,9 +24470,22 @@ index 9d0a67b..9197ef0 100644
#
interface(`openct_domtrans',`
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
-index 8b550f4..ba7c06b 100644
+index 8b550f4..cb87bef 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
+@@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0)
+ #
+
+ ## <desc>
+-## <p>
+-## Allow openvpn to read home directories
+-## </p>
++## <p>
++## Allow openvpn to read home directories
++## </p>
+ ## </desc>
+ gen_tunable(openvpn_enable_homedirs, false)
+
@@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t)
type openvpn_etc_rw_t;
files_config_file(openvpn_etc_rw_t)
@@ -24380,7 +24496,12 @@ index 8b550f4..ba7c06b 100644
type openvpn_initrc_exec_t;
init_script_file(openvpn_initrc_exec_t)
-@@ -48,7 +51,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -43,12 +46,11 @@ files_pid_file(openvpn_var_run_t)
+ allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
+ allow openvpn_t self:process { signal getsched };
+ allow openvpn_t self:fifo_file rw_fifo_file_perms;
+-
+ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
allow openvpn_t self:tcp_socket server_stream_socket_perms;
@@ -24389,7 +24510,7 @@ index 8b550f4..ba7c06b 100644
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
can_exec(openvpn_t, openvpn_etc_t)
-@@ -58,9 +61,13 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
+@@ -58,9 +60,13 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
@@ -24403,7 +24524,7 @@ index 8b550f4..ba7c06b 100644
manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
-@@ -68,6 +75,7 @@ kernel_read_kernel_sysctls(openvpn_t)
+@@ -68,6 +74,7 @@ kernel_read_kernel_sysctls(openvpn_t)
kernel_read_net_sysctls(openvpn_t)
kernel_read_network_state(openvpn_t)
kernel_read_system_state(openvpn_t)
@@ -24411,7 +24532,7 @@ index 8b550f4..ba7c06b 100644
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
-@@ -113,19 +121,19 @@ sysnet_manage_config(openvpn_t)
+@@ -113,20 +120,20 @@ sysnet_manage_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
userdom_use_user_terminals(openvpn_t)
@@ -24424,17 +24545,22 @@ index 8b550f4..ba7c06b 100644
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
- fs_read_nfs_files(openvpn_t)
+- fs_read_nfs_files(openvpn_t)
- fs_read_nfs_symlinks(openvpn_t)
- ')
+-')
++ fs_read_nfs_files(openvpn_t)
++')
tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
- fs_read_cifs_files(openvpn_t)
+- fs_read_cifs_files(openvpn_t)
- fs_read_cifs_symlinks(openvpn_t)
- ')
+-')
++ fs_read_cifs_files(openvpn_t)
++')
optional_policy(`
-@@ -138,3 +146,7 @@ optional_policy(`
+ daemontools_service_domain(openvpn_t, openvpn_exec_t)
+@@ -138,3 +145,7 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
@@ -24470,6 +24596,39 @@ index 8ac407e..8235fb6 100644
+ files_list_etc($1)
admin_pattern($1, pads_config_t)
')
+diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te
+index b246bdd..f414173 100644
+--- a/policy/modules/services/pads.te
++++ b/policy/modules/services/pads.te
+@@ -1,4 +1,4 @@
+-policy_module(pads, 1.0.0)
++policy_module(pads, 1.0.0)
+
+ ########################################
+ #
+@@ -8,7 +8,6 @@ policy_module(pads, 1.0.0)
+ type pads_t;
+ type pads_exec_t;
+ init_daemon_domain(pads_t, pads_exec_t)
+-role system_r types pads_t;
+
+ type pads_initrc_exec_t;
+ init_script_file(pads_initrc_exec_t)
+@@ -25,10 +24,10 @@ files_pid_file(pads_var_run_t)
+ #
+
+ allow pads_t self:capability { dac_override net_raw };
+-allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+-allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
+-allow pads_t self:udp_socket { create ioctl };
+-allow pads_t self:unix_dgram_socket { write create connect };
++allow pads_t self:netlink_route_socket create_netlink_socket_perms;
++allow pads_t self:packet_socket create_socket_perms;
++allow pads_t self:udp_socket create_socket_perms;
++allow pads_t self:unix_dgram_socket create_socket_perms;
+
+ allow pads_t pads_config_t:file manage_file_perms;
+ files_etc_filetrans(pads_t, pads_config_t, file)
diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc
new file mode 100644
index 0000000..8d00972
@@ -24557,12 +24716,11 @@ index 0000000..66f9799
+')
diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te
new file mode 100644
-index 0000000..9cb0d1c
+index 0000000..ba9fdb9
--- /dev/null
+++ b/policy/modules/services/passenger.te
-@@ -0,0 +1,68 @@
-+
-+policy_module(passanger,1.0.0)
+@@ -0,0 +1,66 @@
++policy_module(passanger, 1.0.0)
+
+########################################
+#
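Review bot: `policy_module(passanger, 1.0.0)` still misspells the module name while the file is passenger.te and every type in it is `passenger_*`; the built package will be registered under that misspelt name, so a later correctly named module will not upgrade it and `semodule -r passenger` will not find it. The commit already touches this exact line to add the space after the comma, so the fix fits here: `policy_module(passenger, 1.0.0)`.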
@@ -24593,7 +24751,6 @@ index 0000000..9cb0d1c
+
+allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid };
+allow passenger_t self:process signal;
-+
+allow passenger_t self:fifo_file rw_fifo_file_perms;
+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
@@ -24645,8 +24802,20 @@ index 1c2a091..ea5ae69 100644
## </param>
#
interface(`pcscd_domtrans',`
+diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
+index 3116191..df751a6 100644
+--- a/policy/modules/services/pcscd.te
++++ b/policy/modules/services/pcscd.te
+@@ -7,7 +7,6 @@ policy_module(pcscd, 1.6.1)
+
+ type pcscd_t;
+ type pcscd_exec_t;
+-domain_type(pcscd_t)
+ init_daemon_domain(pcscd_t, pcscd_exec_t)
+
+ # pid files
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
-index 3185114..e2e2f67 100644
+index 3185114..5322412 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -29,7 +29,7 @@ files_pid_file(pegasus_var_run_t)
@@ -24658,10 +24827,21 @@ index 3185114..e2e2f67 100644
dontaudit pegasus_t self:capability sys_tty_config;
allow pegasus_t self:process signal;
allow pegasus_t self:fifo_file rw_fifo_file_perms;
-@@ -57,14 +57,17 @@ manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
+@@ -38,7 +38,7 @@ allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
+ allow pegasus_t self:tcp_socket create_stream_socket_perms;
+
+ allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
+-allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
++allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms };
+ allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
+
+ manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
+@@ -56,15 +56,18 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
+ manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
- allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
+-allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
++allow pegasus_t pegasus_var_run_t:sock_file { create_sock_file_perms setattr_sock_file_perms delete_sock_file_perms };
+manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
-files_pid_filetrans(pegasus_t, pegasus_var_run_t, file)
@@ -24765,6 +24945,19 @@ index 8688aae..1bfd8d2 100644
')
allow $1 pingd_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/pingd.te b/policy/modules/services/pingd.te
+index e9cf8a4..4a9d196 100644
+--- a/policy/modules/services/pingd.te
++++ b/policy/modules/services/pingd.te
+@@ -27,7 +27,7 @@ files_type(pingd_modules_t)
+
+ allow pingd_t self:capability net_raw;
+ allow pingd_t self:tcp_socket create_stream_socket_perms;
+-allow pingd_t self:rawip_socket { write read create bind };
++allow pingd_t self:rawip_socket create_socket_perms;
+
+ read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
+
diff --git a/policy/modules/services/piranha.fc b/policy/modules/services/piranha.fc
new file mode 100644
index 0000000..2c7e06f
@@ -24978,11 +25171,11 @@ index 0000000..6403c17
+')
diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
new file mode 100644
-index 0000000..0a5f27d
+index 0000000..6b69f38
--- /dev/null
+++ b/policy/modules/services/piranha.te
-@@ -0,0 +1,220 @@
-+policy_module(piranha,1.0.0)
+@@ -0,0 +1,214 @@
++policy_module(piranha, 1.0.0)
+
+########################################
+#
@@ -24990,9 +25183,9 @@ index 0000000..0a5f27d
+#
+
+## <desc>
-+## <p>
-+## Allow piranha-lvs domain to connect to the network using TCP.
-+## </p>
++## <p>
++## Allow piranha-lvs domain to connect to the network using TCP.
++## </p>
+## </desc>
+gen_tunable(piranha_lvs_can_network_connect, false)
+
@@ -25049,7 +25242,6 @@ index 0000000..0a5f27d
+allow piranha_web_t self:capability { setuid sys_nice kill setgid };
+allow piranha_web_t self:process { getsched setsched signal signull ptrace };
+allow piranha_web_t self:rawip_socket create_socket_perms;
-+
+allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
+allow piranha_web_t self:sem create_sem_perms;
+allow piranha_web_t self:shm create_shm_perms;
@@ -25064,7 +25256,7 @@ index 0000000..0a5f27d
+
+manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
-+logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file } )
++logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file })
+
+can_exec(piranha_web_t, piranha_web_tmp_t)
+manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
@@ -25103,7 +25295,7 @@ index 0000000..0a5f27d
+')
+
+optional_policy(`
-+ sasl_connect(piranha_web_t)
++ sasl_connect(piranha_web_t)
+')
+
+######################################
@@ -25113,9 +25305,7 @@ index 0000000..0a5f27d
+
+# neede by nanny
+allow piranha_lvs_t self:capability { net_raw sys_nice };
-+
+allow piranha_lvs_t self:process signal;
-+
+allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
+allow piranha_lvs_t self:rawip_socket create_socket_perms;
+
@@ -25129,7 +25319,7 @@ index 0000000..0a5f27d
+
+# needed by nanny
+tunable_policy(`piranha_lvs_can_network_connect',`
-+ corenet_tcp_connect_all_ports(piranha_lvs_t)
++ corenet_tcp_connect_all_ports(piranha_lvs_t)
+')
+
+# needed by ipvsadm
@@ -25160,7 +25350,7 @@ index 0000000..0a5f27d
+')
+
+optional_policy(`
-+ sysnet_domtrans_ifconfig(piranha_pulse_t)
++ sysnet_domtrans_ifconfig(piranha_pulse_t)
+')
+
+####################################
@@ -25194,9 +25384,6 @@ index 0000000..0a5f27d
+corecmd_exec_bin(piranha_domain)
+corecmd_exec_shell(piranha_domain)
+
-+libs_use_ld_so(piranha_domain)
-+libs_use_shared_libs(piranha_domain)
-+
+logging_send_syslog_msg(piranha_domain)
+
+miscfiles_read_localization(piranha_domain)
@@ -25367,7 +25554,7 @@ index 9759ed8..07dd3ff 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
-index fb8dc84..c30505a 100644
+index fb8dc84..836e2e2 100644
--- a/policy/modules/services/plymouthd.te
+++ b/policy/modules/services/plymouthd.te
@@ -60,10 +60,14 @@ domain_use_interactive_fds(plymouthd_t)
@@ -25393,6 +25580,15 @@ index fb8dc84..c30505a 100644
domain_use_interactive_fds(plymouth_t)
+@@ -87,7 +92,7 @@ sysnet_read_config(plymouth_t)
+
+ plymouthd_stream_connect(plymouth_t)
+
+-ifdef(`hide_broken_symptoms', `
++ifdef(`hide_broken_symptoms',`
+ optional_policy(`
+ hal_dontaudit_write_log(plymouth_t)
+ hal_dontaudit_rw_pipes(plymouth_t)
diff --git a/policy/modules/services/policykit.fc b/policy/modules/services/policykit.fc
index 27c739c..c65d18f 100644
--- a/policy/modules/services/policykit.fc
@@ -25554,7 +25750,7 @@ index 48ff1e8..13cdc77 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
-index 1e7169d..e731afa 100644
+index 1e7169d..7385ecf 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -24,6 +24,9 @@ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
@@ -25567,7 +25763,7 @@ index 1e7169d..e731afa 100644
type policykit_var_lib_t alias polkit_var_lib_t;
files_type(policykit_var_lib_t)
-@@ -35,11 +38,12 @@ files_pid_file(policykit_var_run_t)
+@@ -35,11 +38,11 @@ files_pid_file(policykit_var_run_t)
# policykit local policy
#
@@ -25577,14 +25773,13 @@ index 1e7169d..e731afa 100644
+allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace };
+allow policykit_t self:process { getsched getattr signal };
+allow policykit_t self:fifo_file rw_fifo_file_perms;
-+
allow policykit_t self:unix_dgram_socket create_socket_perms;
-allow policykit_t self:unix_stream_socket create_stream_socket_perms;
+allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
policykit_domtrans_auth(policykit_t)
-@@ -56,10 +60,16 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+@@ -56,10 +59,16 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
@@ -25601,7 +25796,7 @@ index 1e7169d..e731afa 100644
auth_use_nsswitch(policykit_t)
-@@ -67,45 +77,90 @@ logging_send_syslog_msg(policykit_t)
+@@ -67,45 +76,90 @@ logging_send_syslog_msg(policykit_t)
miscfiles_read_localization(policykit_t)
@@ -25698,7 +25893,7 @@ index 1e7169d..e731afa 100644
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -118,6 +173,14 @@ optional_policy(`
+@@ -118,6 +172,14 @@ optional_policy(`
hal_read_state(policykit_auth_t)
')
@@ -25713,7 +25908,7 @@ index 1e7169d..e731afa 100644
########################################
#
# polkit_grant local policy
-@@ -125,7 +188,8 @@ optional_policy(`
+@@ -125,7 +187,8 @@ optional_policy(`
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@@ -25723,7 +25918,7 @@ index 1e7169d..e731afa 100644
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -155,9 +219,12 @@ miscfiles_read_localization(policykit_grant_t)
+@@ -155,9 +218,12 @@ miscfiles_read_localization(policykit_grant_t)
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@@ -25737,7 +25932,7 @@ index 1e7169d..e731afa 100644
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -169,7 +236,8 @@ optional_policy(`
+@@ -169,7 +235,8 @@ optional_policy(`
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@@ -25747,6 +25942,23 @@ index 1e7169d..e731afa 100644
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
+@@ -207,4 +274,3 @@ optional_policy(`
+ kernel_search_proc(policykit_resolve_t)
+ hal_read_state(policykit_resolve_t)
+ ')
+-
+diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
+index 333a1fe..d1cf513 100644
+--- a/policy/modules/services/portmap.te
++++ b/policy/modules/services/portmap.te
+@@ -12,7 +12,6 @@ init_daemon_domain(portmap_t, portmap_exec_t)
+ type portmap_helper_t;
+ type portmap_helper_exec_t;
+ init_system_domain(portmap_helper_t, portmap_helper_exec_t)
+-role system_r types portmap_helper_t;
+
+ type portmap_tmp_t;
+ files_tmp_file(portmap_tmp_t)
diff --git a/policy/modules/services/portreserve.fc b/policy/modules/services/portreserve.fc
index c69d047..1d9fa76 100644
--- a/policy/modules/services/portreserve.fc
@@ -26152,18 +26364,17 @@ index 46bee12..7391f7e 100644
+ role $2 types postfix_postdrop_t;
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..87043e1 100644
+index 06e37d4..628fcda 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
-@@ -5,6 +5,15 @@ policy_module(postfix, 1.12.0)
+@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
# Declarations
#
+## <desc>
-+## <p>
-+## Allow postfix_local domain full write access to mail_spool directories
-+##
-+## </p>
++## <p>
++## Allow postfix_local domain full write access to mail_spool directories
++## </p>
+## </desc>
+gen_tunable(allow_postfix_local_write_mail_spool, false)
+
@@ -26171,39 +26382,16 @@ index 06e37d4..87043e1 100644
attribute postfix_user_domains;
# domains that transition to the
# postfix user domains
-@@ -12,7 +21,7 @@ attribute postfix_user_domtrans;
+@@ -12,7 +20,7 @@ attribute postfix_user_domtrans;
postfix_server_domain_template(bounce)
-type postfix_spool_bounce_t;
-+type postfix_spool_bounce_t, postfix_spool_type;
++type postfix_spool_bounce_t, postfix_spool_type;
files_type(postfix_spool_bounce_t)
postfix_server_domain_template(cleanup)
-@@ -26,12 +35,21 @@ application_executable_file(postfix_exec_t)
- postfix_server_domain_template(local)
- mta_mailserver_delivery(postfix_local_t)
-
-+# Handle vacation script
-+mta_send_mail(postfix_local_t)
-+
-+userdom_read_user_home_content_files(postfix_local_t)
-+
-+tunable_policy(`allow_postfix_local_write_mail_spool',`
-+ mta_manage_spool(postfix_local_t)
-+')
-+
- # Program for creating database files
- type postfix_map_t;
- type postfix_map_exec_t;
- application_domain(postfix_map_t, postfix_map_exec_t)
- role system_r types postfix_map_t;
--
-+
- type postfix_map_tmp_t;
- files_tmp_file(postfix_map_tmp_t)
-
-@@ -41,6 +59,9 @@ typealias postfix_master_t alias postfix_t;
+@@ -41,6 +49,9 @@ typealias postfix_master_t alias postfix_t;
# generation macro work
mta_mailserver(postfix_t, postfix_master_exec_t)
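Review bot: The `tunable_policy(`allow_postfix_local_write_mail_spool',` … `')` block is removed here together with `mta_send_mail(postfix_local_t)` and `userdom_read_user_home_content_files(postfix_local_t)`, yet the hunk just above keeps `gen_tunable(allow_postfix_local_write_mail_spool, false)` and its `<desc>`. Unless the block was moved to a part of the patch not shown here, the boolean is now declared and documented but controls nothing, which misleads an administrator who toggles it. Either drop the `gen_tunable` and its description along with the block, or keep a `tunable_policy` that uses it.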
@@ -26213,7 +26401,7 @@ index 06e37d4..87043e1 100644
postfix_server_domain_template(pickup)
postfix_server_domain_template(pipe)
-@@ -49,6 +70,7 @@ postfix_user_domain_template(postdrop)
+@@ -49,6 +60,7 @@ postfix_user_domain_template(postdrop)
mta_mailserver_user_agent(postfix_postdrop_t)
postfix_user_domain_template(postqueue)
@@ -26221,7 +26409,7 @@ index 06e37d4..87043e1 100644
type postfix_private_t;
files_type(postfix_private_t)
-@@ -65,13 +87,13 @@ mta_mailserver_sender(postfix_smtp_t)
+@@ -65,13 +77,13 @@ mta_mailserver_sender(postfix_smtp_t)
postfix_server_domain_template(smtpd)
@@ -26238,9 +26426,15 @@ index 06e37d4..87043e1 100644
files_type(postfix_spool_flush_t)
type postfix_public_t;
-@@ -99,7 +121,9 @@ allow postfix_master_t self:tcp_socket create_stream_socket_perms;
+@@ -94,23 +106,25 @@ mta_mailserver_delivery(postfix_virtual_t)
+
+ # chown is to set the correct ownership of queue dirs
+ allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
++allow postfix_master_t self:process setrlimit;
+ allow postfix_master_t self:fifo_file rw_fifo_file_perms;
+ allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
- allow postfix_master_t self:process setrlimit;
+-allow postfix_master_t self:process setrlimit;
+allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
allow postfix_master_t postfix_etc_t:file rw_file_perms;
@@ -26248,7 +26442,30 @@ index 06e37d4..87043e1 100644
can_exec(postfix_master_t, postfix_exec_t)
-@@ -150,6 +174,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+ allow postfix_master_t postfix_data_t:dir manage_dir_perms;
+ allow postfix_master_t postfix_data_t:file manage_file_perms;
+
+-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
++allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
+
+-allow postfix_master_t postfix_postdrop_exec_t:file getattr;
++allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
+
+-allow postfix_master_t postfix_postqueue_exec_t:file getattr;
++allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
+
+ manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+ manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+@@ -130,7 +144,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+ files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
+
+ allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
+-allow postfix_master_t postfix_spool_bounce_t:file getattr;
++allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
+
+ manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+ manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+@@ -150,6 +164,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -26258,7 +26475,7 @@ index 06e37d4..87043e1 100644
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -167,6 +194,8 @@ corecmd_exec_bin(postfix_master_t)
+@@ -167,6 +184,8 @@ corecmd_exec_bin(postfix_master_t)
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
@@ -26267,7 +26484,53 @@ index 06e37d4..87043e1 100644
term_dontaudit_search_ptys(postfix_master_t)
-@@ -304,9 +333,17 @@ optional_policy(`
+@@ -220,7 +239,7 @@ allow postfix_bounce_t self:capability dac_read_search;
+ allow postfix_bounce_t self:tcp_socket create_socket_perms;
+
+ allow postfix_bounce_t postfix_public_t:sock_file write;
+-allow postfix_bounce_t postfix_public_t:dir search;
++allow postfix_bounce_t postfix_public_t:dir search_dir_perms;
+
+ manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+@@ -264,8 +283,8 @@ optional_policy(`
+ # Postfix local local policy
+ #
+
+-allow postfix_local_t self:fifo_file rw_fifo_file_perms;
+ allow postfix_local_t self:process { setsched setrlimit };
++allow postfix_local_t self:fifo_file rw_fifo_file_perms;
+
+ # connect to master process
+ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
+@@ -273,6 +292,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+ # for .forward - maybe we need a new type for it?
+ rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
+
++domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
++
+ allow postfix_local_t postfix_spool_t:file rw_file_perms;
+
+ corecmd_exec_shell(postfix_local_t)
+@@ -286,10 +307,14 @@ mta_read_aliases(postfix_local_t)
+ mta_delete_spool(postfix_local_t)
+ # For reading spamassasin
+ mta_read_config(postfix_local_t)
++# Handle vacation script
++mta_send_mail(postfix_local_t)
+
+-domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+-# Might be a leak, but I need a postfix expert to explain
+-allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
++userdom_read_user_home_content_files(postfix_local_t)
++
++tunable_policy(`allow_postfix_local_write_mail_spool',`
++ mta_manage_spool(postfix_local_t)
++')
+
+ optional_policy(`
+ clamav_search_lib(postfix_local_t)
+@@ -304,9 +329,17 @@ optional_policy(`
')
optional_policy(`
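Review bot: `userdom_read_user_home_content_files(postfix_local_t)` in the postfix_local section grants the local delivery agent read access to every user home content type, and the line carries no comment saying what it is for. The neighbouring `# Handle vacation script` comment covers only `mta_send_mail`, so a reader cannot tell whether this grant is for `~/.forward`, the vacation message and database, or something else. I would put a comment on the line such as `# local(8) reads ~/.forward and, via the vacation script, files in the recipient's home` (adjusted to what the denials actually showed) so the breadth of the grant can be revisited later, possibly with a dedicated home-content type as the existing `.forward` comment in this hunk already hints. The postfix_local section continues outside the hunk.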
@@ -26285,7 +26548,17 @@ index 06e37d4..87043e1 100644
########################################
#
# Postfix map local policy
-@@ -401,6 +438,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -390,8 +423,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
+ # Postfix pipe local policy
+ #
+
+-allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
+ allow postfix_pipe_t self:process setrlimit;
++allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
+
+ write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
+
+@@ -401,6 +434,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -26294,7 +26567,7 @@ index 06e37d4..87043e1 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +459,7 @@ optional_policy(`
+@@ -420,6 +455,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -26302,7 +26575,35 @@ index 06e37d4..87043e1 100644
')
optional_policy(`
-@@ -588,6 +628,11 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -436,6 +472,9 @@ allow postfix_postdrop_t self:capability sys_resource;
+ allow postfix_postdrop_t self:tcp_socket create;
+ allow postfix_postdrop_t self:udp_socket create_socket_perms;
+
++# Might be a leak, but I need a postfix expert to explain
++allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
++
+ rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+
+ postfix_list_spool(postfix_postdrop_t)
+@@ -519,7 +558,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+
+ allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
+ allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
+-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
++allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
+
+ corecmd_exec_bin(postfix_qmgr_t)
+
+@@ -539,7 +578,7 @@ postfix_list_spool(postfix_showq_t)
+
+ allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
+ allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
+-allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
++allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
+ # to write the mailq output, it really should not need read access!
+ term_use_all_ptys(postfix_showq_t)
+@@ -588,6 +627,11 @@ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
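Review bot: The moved rule `allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };` still carries the comment `# Might be a leak, but I need a postfix expert to explain`, which turns an unverified assumption into a permanent allow. If the socket is merely a descriptor inherited across the exec that postdrop never needs, the usual convention is to silence it rather than grant it, i.e. `dontaudit postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };`; if postdrop does legitimately read and write it, the comment should say why so the question stops being reopened. Either way the rule now sits apart from the `domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)` earlier in the file that creates the inheritance, so a cross-reference comment would help. The postdrop section continues outside the hunk.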
@@ -26314,7 +26615,17 @@ index 06e37d4..87043e1 100644
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
-@@ -630,3 +675,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -611,8 +655,8 @@ optional_policy(`
+ # Postfix virtual local policy
+ #
+
+-allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
+ allow postfix_virtual_t self:process { setsched setrlimit };
++allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
+
+ allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
+
+@@ -630,3 +674,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -26337,6 +26648,28 @@ index feae93b..d960d3f 100644
')
allow $1 postfix_policyd_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te
+index 7257526..7d73656 100644
+--- a/policy/modules/services/postfixpolicyd.te
++++ b/policy/modules/services/postfixpolicyd.te
+@@ -23,14 +23,14 @@ files_pid_file(postfix_policyd_var_run_t)
+ # Local Policy
+ #
+
+-allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
+ allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
+ allow postfix_policyd_t self:process setrlimit;
+-allow postfix_policyd_t self:unix_dgram_socket { connect create write};
++allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
++allow postfix_policyd_t self:unix_dgram_socket create_socket_perms;
+
+ allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
+ allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
+-allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
++allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
+
+ manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
+ files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 539a7c9..4782bdb 100644
--- a/policy/modules/services/postgresql.if
@@ -26494,9 +26827,41 @@ index 539a7c9..4782bdb 100644
postgresql_tcp_connect($1)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 39abf57..4a85c12 100644
+index 39abf57..b4101fa 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
+@@ -15,16 +15,16 @@ gen_require(`
+ #
+
+ ## <desc>
+-## <p>
+-## Allow unprived users to execute DDL statement
+-## </p>
++## <p>
++## Allow unprived users to execute DDL statement
++## </p>
+ ## </desc>
+ gen_tunable(sepgsql_enable_users_ddl, true)
+
+ ## <desc>
+-## <p>
+-## Allow database admins to execute DML statement
+-## </p>
++## <p>
++## Allow database admins to execute DML statement
++## </p>
+ ## </desc>
+ gen_tunable(sepgsql_unconfined_dbadm, true)
+
+@@ -185,7 +185,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
+ read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
+ read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
+
+-allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
++allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
+ can_exec(postgresql_t, postgresql_exec_t )
+
+ allow postgresql_t postgresql_lock_t:file manage_file_perms;
@@ -251,8 +251,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)
@@ -26622,9 +26987,32 @@ index b524673..09699d1 100644
admin_pattern($1, pptp_var_run_t)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..74f07f8 100644
+index 2af42e7..d32a0d2 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
+@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
+ #
+
+ ## <desc>
+-## <p>
+-## Allow pppd to load kernel modules for certain modems
+-## </p>
++## <p>
++## Allow pppd to load kernel modules for certain modems
++## </p>
+ ## </desc>
+ gen_tunable(pppd_can_insmod, false)
+
+ ## <desc>
+-## <p>
+-## Allow pppd to be run for a regular user
+-## </p>
++## <p>
++## Allow pppd to be run for a regular user
++## </p>
+ ## </desc>
+ gen_tunable(pppd_for_user, false)
+
@@ -70,7 +70,7 @@ files_pid_file(pptp_var_run_t)
# PPPD Local policy
#
@@ -26634,6 +27022,20 @@ index 2af42e7..74f07f8 100644
dontaudit pppd_t self:capability sys_tty_config;
allow pppd_t self:process { getsched signal };
allow pppd_t self:fifo_file rw_fifo_file_perms;
+@@ -84,11 +84,11 @@ allow pppd_t self:packet_socket create_socket_perms;
+
+ domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
+
+-allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
++allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+
+ allow pppd_t pppd_etc_t:dir rw_dir_perms;
+ allow pppd_t pppd_etc_t:file read_file_perms;
+-allow pppd_t pppd_etc_t:lnk_file { getattr read };
++allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
+
+ manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
+ # Automatically label newly created files under /etc/ppp with this type
@@ -104,8 +104,9 @@ manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
@@ -26755,6 +27157,29 @@ index 2316653..77ef768 100644
+ files_list_tmp($1)
+ admin_pattern($1, prelude_lml_tmp_t)
')
+diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
+index 7e84587..7a7310d 100644
+--- a/policy/modules/services/prelude.te
++++ b/policy/modules/services/prelude.te
+@@ -35,7 +35,6 @@ files_pid_file(prelude_audisp_var_run_t)
+ type prelude_correlator_t;
+ type prelude_correlator_exec_t;
+ init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t)
+-role system_r types prelude_correlator_t;
+
+ type prelude_correlator_config_t;
+ files_config_file(prelude_correlator_config_t)
+@@ -210,8 +209,8 @@ prelude_manage_spool(prelude_correlator_t)
+ #
+
+ allow prelude_lml_t self:capability dac_override;
+-allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
+-allow prelude_lml_t self:unix_dgram_socket { write create connect };
++allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
++allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
+ allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
+ allow prelude_lml_t self:unix_stream_socket connectto;
+
diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if
index 1da26dc..7221526 100644
--- a/policy/modules/services/privoxy.if
@@ -26775,9 +27200,24 @@ index 1da26dc..7221526 100644
init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
-index 0d295a8..19138e1 100644
+index 0d295a8..2404ddc 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
+@@ -6,10 +6,10 @@ policy_module(privoxy, 1.10.0)
+ #
+
+ ## <desc>
+-## <p>
+-## Allow privoxy to connect to all ports, not just
+-## HTTP, FTP, and Gopher ports.
+-## </p>
++## <p>
++## Allow privoxy to connect to all ports, not just
++## HTTP, FTP, and Gopher ports.
++## </p>
+ ## </desc>
+ gen_tunable(privoxy_connect_any, false)
+
@@ -58,10 +58,12 @@ corenet_tcp_bind_generic_node(privoxy_t)
corenet_tcp_bind_http_cache_port(privoxy_t)
corenet_tcp_connect_http_port(privoxy_t)
@@ -26829,7 +27269,7 @@ index b64b02f..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
+')
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..b558811 100644
+index 29b9295..2a70dd1 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -26842,6 +27282,15 @@ index 29b9295..b558811 100644
type procmail_log_t;
logging_log_file(procmail_log_t)
+@@ -32,7 +35,7 @@ allow procmail_t self:udp_socket create_socket_perms;
+ can_exec(procmail_t, procmail_exec_t)
+
+ # Write log to /var/log/procmail.log or /var/log/procmail/.*
+-allow procmail_t procmail_log_t:dir setattr;
++allow procmail_t procmail_log_t:dir setattr_dir_perms;
+ create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+ append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+ read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
@@ -76,9 +79,15 @@ files_search_pids(procmail_t)
files_read_usr_files(procmail_t)
@@ -26999,9 +27448,24 @@ index 2855a44..0456b11 100644
type puppet_tmp_t;
')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..9587224 100644
+index 64c5f95..80c1f5d 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
+@@ -6,10 +6,10 @@ policy_module(puppet, 1.0.0)
+ #
+
+ ## <desc>
+-## <p>
+-## Allow Puppet client to manage all file
+-## types.
+-## </p>
++## <p>
++## Allow Puppet client to manage all file
++## types.
++## </p>
+ ## </desc>
+ gen_tunable(puppet_manage_all_files, false)
+
@@ -63,7 +63,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
files_search_var_lib(puppet_t)
@@ -27011,9 +27475,14 @@ index 64c5f95..9587224 100644
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
-@@ -179,21 +179,26 @@ read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
- allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
- allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
+@@ -176,24 +176,29 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
+ list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+ read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+
+-allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
+-allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
++allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
++allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+allow puppetmaster_t puppet_log_t:file relabel_file_perms;
@@ -27143,28 +27612,53 @@ index 494f7e2..aa3d0b4 100644
+ admin_pattern($1, pyzor_var_lib_t)
+')
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
-index cd683f9..2f03bad 100644
+index cd683f9..d455637 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
-@@ -5,6 +5,38 @@ policy_module(pyzor, 2.1.0)
+@@ -5,40 +5,62 @@ policy_module(pyzor, 2.1.0)
# Declarations
#
-+
+-type pyzor_t;
+-type pyzor_exec_t;
+-typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
+-typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
+-application_domain(pyzor_t, pyzor_exec_t)
+-ubac_constrained(pyzor_t)
+-role system_r types pyzor_t;
+-
+-type pyzor_etc_t;
+-files_type(pyzor_etc_t)
+-
+-type pyzor_home_t;
+-typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
+-typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
+-userdom_user_home_content(pyzor_home_t)
+-
+-type pyzor_tmp_t;
+-typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
+-typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
+-files_tmp_file(pyzor_tmp_t)
+-ubac_constrained(pyzor_tmp_t)
+-
+-type pyzor_var_lib_t;
+-typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
+-typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
+-files_type(pyzor_var_lib_t)
+-ubac_constrained(pyzor_var_lib_t)
+-
+-type pyzord_t;
+-type pyzord_exec_t;
+-init_daemon_domain(pyzord_t, pyzord_exec_t)
+-
+-type pyzord_log_t;
+-logging_log_file(pyzord_log_t)
+ifdef(`distro_redhat',`
-+
+ gen_require(`
-+ type spamc_t;
-+ type spamc_exec_t;
-+ type spamd_t;
-+ type spamd_initrc_exec_t;
-+ type spamd_exec_t;
-+ type spamc_tmp_t;
-+ type spamd_log_t;
-+ type spamd_var_lib_t;
-+ type spamd_etc_t;
-+ type spamc_tmp_t;
-+ type spamc_home_t;
++ type spamc_t, spamc_exec_t, spamd_t;
++ type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t;
++ type spamd_log_t, spamd_var_lib_t, spamd_etc_t;
++ type spamc_tmp_t, spamc_home_t;
+ ')
+
+ typealias spamc_t alias pyzor_t;
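Review bot: The reworked gen_require in the distro_redhat branch lists `spamc_tmp_t` twice, on `type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t;` and again on `type spamc_tmp_t, spamc_home_t;`. The duplicate was already present in the one-per-line form this hunk replaces, so the cleanup is the right moment to drop it; the last line becomes `type spamc_home_t;` or is folded into the preceding one. I have not verified whether the module compiler rejects or merely tolerates a repeated require, but it is dead text either way. The typealias list that follows continues outside this hunk.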
@@ -27179,21 +27673,46 @@ index cd683f9..2f03bad 100644
+ typealias spamd_etc_t alias pyzor_etc_t;
+ typealias spamc_home_t alias pyzor_home_t;
+ typealias spamc_home_t alias user_pyzor_home_t;
-+
+',`
++ type pyzor_t;
++ type pyzor_exec_t;
++ typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
++ typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
++ application_domain(pyzor_t, pyzor_exec_t)
++ ubac_constrained(pyzor_t)
++ role system_r types pyzor_t;
+
- type pyzor_t;
- type pyzor_exec_t;
- typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
-@@ -39,6 +71,7 @@ init_daemon_domain(pyzord_t, pyzord_exec_t)
-
- type pyzord_log_t;
- logging_log_file(pyzord_log_t)
++ type pyzor_etc_t;
++ files_type(pyzor_etc_t)
++
++ type pyzor_home_t;
++ typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
++ typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
++ userdom_user_home_content(pyzor_home_t)
++
++ type pyzor_tmp_t;
++ typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
++ typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
++ files_tmp_file(pyzor_tmp_t)
++ ubac_constrained(pyzor_tmp_t)
++
++ type pyzor_var_lib_t;
++ typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
++ typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
++ files_type(pyzor_var_lib_t)
++ ubac_constrained(pyzor_var_lib_t)
++
++ type pyzord_t;
++ type pyzord_exec_t;
++ init_daemon_domain(pyzord_t, pyzord_exec_t)
++
++ type pyzord_log_t;
++ logging_log_file(pyzord_log_t)
+')
########################################
#
-@@ -76,12 +109,16 @@ corenet_tcp_connect_http_port(pyzor_t)
+@@ -76,12 +98,16 @@ corenet_tcp_connect_http_port(pyzor_t)
dev_read_urand(pyzor_t)
@@ -27210,6 +27729,17 @@ index cd683f9..2f03bad 100644
userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
+@@ -111,8 +137,8 @@ allow pyzord_t pyzor_etc_t:dir list_dir_perms;
+ can_exec(pyzord_t, pyzor_exec_t)
+
+ manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
+-allow pyzord_t pyzord_log_t:dir setattr;
+-logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir } )
++allow pyzord_t pyzord_log_t:dir setattr_dir_perms;
++logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir })
+
+ kernel_read_kernel_sysctls(pyzord_t)
+ kernel_read_system_state(pyzord_t)
diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
index a55bf44..77a25f5 100644
--- a/policy/modules/services/qmail.if
@@ -27247,10 +27777,47 @@ index a55bf44..77a25f5 100644
')
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
-index 355b2a2..1b01d75 100644
+index 355b2a2..54329f9 100644
--- a/policy/modules/services/qmail.te
+++ b/policy/modules/services/qmail.te
-@@ -121,6 +121,10 @@ mta_append_spool(qmail_local_t)
+@@ -60,7 +60,7 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+ ########################################
+ #
+ # qmail-clean local policy
+-# this component cleans up the queue directory
++# this component cleans up the queue directory
+ #
+
+ read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+@@ -69,11 +69,11 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+ ########################################
+ #
+ # qmail-inject local policy
+-# this component preprocesses mail from stdin and invokes qmail-queue
++# this component preprocesses mail from stdin and invokes qmail-queue
+ #
+
+-allow qmail_inject_t self:fifo_file write_fifo_file_perms;
+ allow qmail_inject_t self:process signal_perms;
++allow qmail_inject_t self:fifo_file write_fifo_file_perms;
+
+ allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
+
+@@ -88,11 +88,11 @@ qmail_read_config(qmail_inject_t)
+ ########################################
+ #
+ # qmail-local local policy
+-# this component delivers a mail message
++# this component delivers a mail message
+ #
+
+-allow qmail_local_t self:fifo_file write_file_perms;
+ allow qmail_local_t self:process signal_perms;
++allow qmail_local_t self:fifo_file write_file_perms;
+ allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
+
+ manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
+@@ -121,13 +121,17 @@ mta_append_spool(qmail_local_t)
qmail_domtrans_queue(qmail_local_t)
optional_policy(`
@@ -27261,6 +27828,102 @@ index 355b2a2..1b01d75 100644
spamassassin_domtrans_client(qmail_local_t)
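Review bot: In the qmail-local section the reordered line `allow qmail_local_t self:fifo_file write_file_perms;` applies the generic file permission set to a fifo_file, while the qmail-inject section in the same hunk uses the class-specific `allow qmail_inject_t self:fifo_file write_fifo_file_perms;`. Since the commit is already touching this rule, changing it to `allow qmail_local_t self:fifo_file write_fifo_file_perms;` keeps the macro choice consistent across the file; I have not checked whether the two sets expand identically, so confirm before changing. The remainder of the hunk is comment indentation and rule ordering only.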
')
+ ########################################
+ #
+ # qmail-lspawn local policy
+-# this component schedules local deliveries
++# this component schedules local deliveries
+ #
+
+ allow qmail_lspawn_t self:capability { setuid setgid };
+@@ -150,15 +154,15 @@ files_search_tmp(qmail_lspawn_t)
+ ########################################
+ #
+ # qmail-queue local policy
+-# this component places a mail in a delivery queue, later to be processed by qmail-send
++# this component places a mail in a delivery queue, later to be processed by qmail-send
+ #
+
+ allow qmail_queue_t qmail_lspawn_t:fd use;
+ allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
+
++allow qmail_queue_t qmail_smtpd_t:process sigchld;
+ allow qmail_queue_t qmail_smtpd_t:fd use;
+ allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
+-allow qmail_queue_t qmail_smtpd_t:process sigchld;
+
+ manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+ manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+@@ -175,7 +179,7 @@ optional_policy(`
+ ########################################
+ #
+ # qmail-remote local policy
+-# this component sends mail via SMTP
++# this component sends mail via SMTP
+ #
+
+ allow qmail_remote_t self:tcp_socket create_socket_perms;
+@@ -202,7 +206,7 @@ sysnet_read_config(qmail_remote_t)
+ ########################################
+ #
+ # qmail-rspawn local policy
+-# this component scedules remote deliveries
++# this component scedules remote deliveries
+ #
+
+ allow qmail_rspawn_t self:process signal_perms;
+@@ -217,7 +221,7 @@ corecmd_search_bin(qmail_rspawn_t)
+ ########################################
+ #
+ # qmail-send local policy
+-# this component delivers mail messages from the queue
++# this component delivers mail messages from the queue
+ #
+
+ allow qmail_send_t self:process signal_perms;
+@@ -236,7 +240,7 @@ optional_policy(`
+ ########################################
+ #
+ # qmail-smtpd local policy
+-# this component receives mails via SMTP
++# this component receives mails via SMTP
+ #
+
+ allow qmail_smtpd_t self:process signal_perms;
+@@ -265,7 +269,7 @@ optional_policy(`
+ ########################################
+ #
+ # splogger local policy
+-# this component creates entries in syslog
++# this component creates entries in syslog
+ #
+
+ allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
+@@ -279,13 +283,13 @@ miscfiles_read_localization(qmail_splogger_t)
+ ########################################
+ #
+ # qmail-start local policy
+-# this component starts up the mail delivery component
++# this component starts up the mail delivery component
+ #
+
+ allow qmail_start_t self:capability { setgid setuid };
+ dontaudit qmail_start_t self:capability sys_tty_config;
+-allow qmail_start_t self:fifo_file rw_fifo_file_perms;
+ allow qmail_start_t self:process signal_perms;
++allow qmail_start_t self:fifo_file rw_fifo_file_perms;
+
+ can_exec(qmail_start_t, qmail_start_exec_t)
+
+@@ -303,7 +307,7 @@ optional_policy(`
+ ########################################
+ #
+ # tcp-env local policy
+-# this component sets up TCP-related environment variables
++# this component sets up TCP-related environment variables
+ #
+
+ allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
diff --git a/policy/modules/services/qpidd.fc b/policy/modules/services/qpidd.fc
new file mode 100644
index 0000000..f3b89e4
@@ -27512,11 +28175,11 @@ index 0000000..c403abc
+')
diff --git a/policy/modules/services/qpidd.te b/policy/modules/services/qpidd.te
new file mode 100644
-index 0000000..cf9a327
+index 0000000..43639a0
--- /dev/null
+++ b/policy/modules/services/qpidd.te
@@ -0,0 +1,59 @@
-+policy_module(qpidd,1.0.0)
++policy_module(qpidd, 1.0.0)
+
+########################################
+#
@@ -27550,7 +28213,7 @@ index 0000000..cf9a327
+
+manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
-+files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir } )
++files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
+
+manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
@@ -33205,7 +33868,7 @@ index 6f1e3c7..39c2bb3 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..61cc021 100644
+index da2601a..ef2a773 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -33740,7 +34403,7 @@ index da2601a..61cc021 100644
')
########################################
-@@ -1243,10 +1358,331 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1358,355 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -33946,7 +34609,7 @@ index da2601a..61cc021 100644
+
+########################################
+## <summary>
-+## Read user homedir fonts.
++## Read/write inherited user homedir fonts.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -34052,6 +34715,7 @@ index da2601a..61cc021 100644
+ xserver_domtrans_xauth($1)
+ role $2 types xauth_t;
+')
++
+########################################
+## <summary>
+## Read user homedir fonts.
@@ -34063,6 +34727,29 @@ index da2601a..61cc021 100644
+## </param>
+## <rolecap/>
+#
++interface(`xserver_read_home_fonts',`
++ gen_require(`
++ type user_fonts_t, user_fonts_config_t;
++ ')
++
++ list_dirs_pattern($1, user_fonts_t, user_fonts_t)
++ read_files_pattern($1, user_fonts_t, user_fonts_t)
++ read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
++
++ read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
++')
++
++########################################
++## <summary>
++## Manage user homedir fonts.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
+interface(`xserver_manage_home_fonts',`
+ gen_require(`
+ type user_fonts_t, user_fonts_config_t;
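Review bot: The new `xserver_read_home_fonts` interface grants `read_files_pattern` on user_fonts_config_t but no directory permission on that type, whereas for user_fonts_t it grants `list_dirs_pattern` plus file and link reads. If user_fonts_config_t also labels directories under the home directory (the .fc file is not in view), a caller could read the config file but not traverse a config directory; adding `list_dirs_pattern($1, user_fonts_config_t, user_fonts_config_t)` after the existing read line would close that gap. Callers also still need search access to the user home directory itself, which this interface does not provide, so a comment stating that it must be paired with the appropriate userdom home-directory search interface would spare the next user an AVC hunt. The `xserver_manage_home_fonts` body that follows runs past the hunk.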
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 61e9c1a..80e32c1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.5
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,11 @@ exit 0
%endif
%changelog
+* Thu Sep 23 2010 Dan Walsh <dwalsh at redhat.com> 3.9.5-4
+- Cleanup policy via dgrift
+- Allow dovecot_deliver to append to inherited log files
+- Lots of fixes for consolehelper
+
* Wed Sep 21 2010 Dan Walsh <dwalsh at redhat.com> 3.9.5-3
- Fix up Xguest policy