[selinux-policy/f15/master] - Allow colord to use unix_dgram_socket - Allow apps that search pids to read /var/run if it is a lnk_file
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Apr 7 17:49:59 UTC 2011
commit 745901ba215ceaadf752166f644277ce844114eb
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Apr 7 19:50:31 2011 +0000
- Allow colord to use unix_dgram_socket
- Allow apps that search pids to read /var/run if it is a lnk_file
- iscsid_t creates its own directory
- Allow init to list var_lock_t dir
- apm needs to verify user accounts auth_use_nsswitch
policy-F15.patch | 487 +++++++++++++++++++++++++++++++++++++-------------
selinux-policy.spec | 9 +-
2 files changed, 368 insertions(+), 128 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 3ccc998..4e9cb92 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -2559,7 +2559,7 @@ index 81fb26f..cd18ca8 100644
optional_policy(`
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..89a126f 100644
+index 441cf22..73e9eba 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
@@ -2644,7 +2644,15 @@ index 441cf22..89a126f 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -469,8 +471,7 @@ selinux_compute_create_context(useradd_t)
+@@ -460,6 +462,7 @@ fs_search_auto_mountpoints(useradd_t)
+ fs_getattr_xattr_fs(useradd_t)
+
+ mls_file_upgrade(useradd_t)
++mls_process_read_to_clearance(useradd_t)
+
+ # Allow access to context for shadow file
+ selinux_get_fs_mount(useradd_t)
+@@ -469,8 +472,7 @@ selinux_compute_create_context(useradd_t)
selinux_compute_relabel_context(useradd_t)
selinux_compute_user_contexts(useradd_t)
@@ -2654,7 +2662,7 @@ index 441cf22..89a126f 100644
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
-@@ -498,12 +499,8 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -498,12 +500,8 @@ seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@@ -4376,7 +4384,7 @@ index f5afe78..b1b6bf6 100644
+')
+
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..857e7df 100644
+index 2505654..72e5079 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0)
@@ -4451,7 +4459,7 @@ index 2505654..857e7df 100644
##############################
#
# Local Policy
-@@ -75,3 +110,151 @@ optional_policy(`
+@@ -75,3 +110,153 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -4513,6 +4521,8 @@ index 2505654..857e7df 100644
+allow gnomesystemmm_t self:capability { sys_nice sys_ptrace };
+allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
+
++kernel_read_system_state(gnomesystemmm_t)
++
+corecmd_search_bin(gnomesystemmm_t)
+
+domain_kill_all_domains(gnomesystemmm_t)
@@ -7990,10 +8000,10 @@ index 0000000..0fedd57
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..4f96196
+index 0000000..b347556
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,475 @@
+@@ -0,0 +1,479 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -8263,6 +8273,10 @@ index 0000000..4f96196
+')
+
+optional_policy(`
++ devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain)
++')
++
++optional_policy(`
+ gnome_read_gconf_config(sandbox_x_domain)
+')
+
@@ -10810,7 +10824,7 @@ index bc534c1..b70ea07 100644
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 16108f6..0f1470f 100644
+index 16108f6..7307872 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -10904,7 +10918,14 @@ index 16108f6..0f1470f 100644
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
-@@ -243,7 +260,7 @@ ifndef(`distro_redhat',`
+@@ -237,13 +254,14 @@ ifndef(`distro_redhat',`
+ /var/lost\+found/.* <<none>>
+
+ /var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
++/var/run -l gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+ /var/run/.* gen_context(system_u:object_r:var_run_t,s0)
+ /var/run/.*\.*pid <<none>>
+
/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
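Review bot: The new `/var/run -l` entry only takes effect when the symlink is labeled by rpm at install time or by a later restorecon; a symlink created at runtime (by an init script, say) would inherit the parent's var_t type until relabeled, and the var_run_t symlink rule added to `files_search_pids` in this same commit would then not apply to it. Worth confirming how the link comes into existence on F15 and recording it, e.g. `# /var/run is (presumably) a symlink to /run; labeled var_run_t so files_search_pids callers can follow it`. The `s0-mls_systemhigh` range mirrors the `-d` entry above it, which looks intentional.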
@@ -10913,7 +10934,7 @@ index 16108f6..0f1470f 100644
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
-@@ -252,3 +269,7 @@ ifndef(`distro_redhat',`
+@@ -252,3 +270,7 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
@@ -10922,7 +10943,7 @@ index 16108f6..0f1470f 100644
+
+/usr/lib/debug(/.*)? <<none>>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 958ca84..a595aa7 100644
+index 958ca84..d46ed10 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -11762,10 +11783,13 @@ index 958ca84..a595aa7 100644
filetrans_pattern($1, var_lock_t, $2, $3)
')
-@@ -5335,6 +5870,43 @@ interface(`files_search_pids',`
- search_dirs_pattern($1, var_t, var_run_t)
- ')
+@@ -5333,6 +5868,44 @@ interface(`files_search_pids',`
+ ')
+ search_dirs_pattern($1, var_t, var_run_t)
++ read_lnk_files_pattern($1, var_t, var_run_t)
++')
++
+######################################
+## <summary>
+## Add and remove entries from pid directories.
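Review bot: `read_lnk_files_pattern($1, var_t, var_run_t)` grants every caller of files_search_pids read on all var_run_t symlinks, not just the /var/run link the commit message describes, because `/var/run/.*` is also labeled var_run_t and any symlink a pid-writing domain drops there becomes readable to every searching domain. If that breadth is acceptable it should be stated; otherwise a dedicated type for the /var/run link itself would scope it. The interface's `<summary>` sits above the hunk and still only says "search", so extend it to `## Search the contents of runtime process ID directories, following /var/run if it is a symlink.` and put `# /var/run may be a symlink (to /run); allow following it` above the new line. The interface body starts before the hunk.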
@@ -11801,12 +11825,10 @@ index 958ca84..a595aa7 100644
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:dir create_dir_perms;
-+')
-+
+ ')
+
########################################
- ## <summary>
- ## Do not audit attempts to search
-@@ -5542,6 +6114,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5542,6 +6115,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -11869,7 +11891,7 @@ index 958ca84..a595aa7 100644
## Read all process ID files.
## </summary>
## <param name="domain">
-@@ -5559,6 +6187,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6188,44 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -11914,7 +11936,7 @@ index 958ca84..a595aa7 100644
')
########################################
-@@ -5844,3 +6510,284 @@ interface(`files_unconfined',`
+@@ -5844,3 +6511,284 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -12264,7 +12286,7 @@ index 59bae6a..2e55e71 100644
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/dev/hugepages(/.*)? <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index dfe361a..be9572b 100644
+index dfe361a..e6e4999 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -12277,7 +12299,7 @@ index dfe361a..be9572b 100644
########################################
## <summary>
-+## Relabelto cgroup directories.
++## Relabel cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -12835,7 +12857,7 @@ index dfe361a..be9572b 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3772,6 +4117,24 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3772,6 +4117,42 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
## <summary>
@@ -12857,10 +12879,28 @@ index dfe361a..be9572b 100644
+
+########################################
+## <summary>
++## Relabel files on tmpfs filesystems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_relabel_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ relabel_files_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++## <summary>
## Create, read, write, and delete
## tmpfs directories
## </summary>
-@@ -3989,6 +4352,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3989,6 +4370,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -12885,7 +12925,7 @@ index dfe361a..be9572b 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4271,6 +4652,8 @@ interface(`fs_mount_all_fs',`
+@@ -4271,6 +4670,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -12894,7 +12934,7 @@ index dfe361a..be9572b 100644
')
########################################
-@@ -4681,3 +5064,24 @@ interface(`fs_unconfined',`
+@@ -4681,3 +5082,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -15070,10 +15110,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..77c513d
+index 0000000..805d0ea
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,499 @@
+@@ -0,0 +1,503 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -15407,9 +15447,9 @@ index 0000000..77c513d
+ lpd_run_checkpc(unconfined_t, unconfined_r)
+')
+
-+optional_policy(`
-+ mock_role(unconfined_r, unconfined_t)
-+')
++#optional_policy(`
++# mock_role(unconfined_r, unconfined_t)
++#')
+
+optional_policy(`
+ modutils_run_update_mods(unconfined_t, unconfined_r)
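Review bot: The `mock_role(unconfined_r, unconfined_t)` block is commented out rather than removed, with nothing saying why or whether it is coming back, so unconfined_r silently loses its transition into mock's domain. Either delete the three lines or replace them with a one-liner such as `# mock_role disabled for unconfined_r: <reason or bug>` so the change is traceable; commented-out policy tends to be resurrected or copied later without anyone re-checking the original reason.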
@@ -15461,6 +15501,10 @@ index 0000000..77c513d
+')
+
+optional_policy(`
++ quota_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
+ rpm_run(unconfined_t, unconfined_r)
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t)
@@ -18423,7 +18467,7 @@ index 1ea99b2..49e6c74 100644
+ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
')
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..ca71f13 100644
+index 1c8c27e..f0ca259 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -18451,7 +18495,16 @@ index 1c8c27e..ca71f13 100644
dev_read_realtime_clock(apmd_t)
dev_read_urand(apmd_t)
dev_rw_apm_bios(apmd_t)
-@@ -127,9 +131,6 @@ logging_send_audit_msgs(apmd_t)
+@@ -114,6 +118,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+ files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
+ files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
+
++auth_use_nsswitch(apmd_t)
++
+ init_domtrans_script(apmd_t)
+ init_rw_utmp(apmd_t)
+ init_telinit(apmd_t)
+@@ -127,9 +133,6 @@ logging_send_audit_msgs(apmd_t)
miscfiles_read_localization(apmd_t)
miscfiles_read_hwdata(apmd_t)
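Review bot: `auth_use_nsswitch(apmd_t)` does more than account lookups: in the reference policy it also brings in DNS resolution and, where those modules are present, connections to nscd/ldap/nis/winbind, so apmd gains network access as a side effect of "verifying user accounts". That is probably acceptable for the scripts apmd runs, but record the reason inline, `# apm scripts look up user accounts (getpwnam) via nsswitch`, so the grant is not mistaken for a leftover later.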
@@ -18461,7 +18514,7 @@ index 1c8c27e..ca71f13 100644
seutil_dontaudit_read_config(apmd_t)
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
-@@ -142,9 +143,8 @@ ifdef(`distro_redhat',`
+@@ -142,9 +145,8 @@ ifdef(`distro_redhat',`
can_exec(apmd_t, apmd_var_run_t)
@@ -18472,7 +18525,7 @@ index 1c8c27e..ca71f13 100644
')
optional_policy(`
-@@ -155,6 +155,15 @@ ifdef(`distro_redhat',`
+@@ -155,6 +157,15 @@ ifdef(`distro_redhat',`
netutils_domtrans(apmd_t)
')
@@ -18488,7 +18541,7 @@ index 1c8c27e..ca71f13 100644
',`
# for ifconfig which is run all the time
kernel_dontaudit_search_sysctl(apmd_t)
-@@ -205,6 +214,11 @@ optional_policy(`
+@@ -205,6 +216,11 @@ optional_policy(`
')
optional_policy(`
@@ -18542,9 +18595,18 @@ index 8b8143e..c1a2b96 100644
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
-index b3b0176..51cb893 100644
+index b3b0176..e343da3 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
+@@ -39,7 +39,7 @@ files_pid_file(asterisk_var_run_t)
+ #
+
+ # dac_override for /var/run/asterisk
+-allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin };
++allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
+ dontaudit asterisk_t self:capability sys_tty_config;
+ allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
+ allow asterisk_t self:fifo_file rw_fifo_file_perms;
@@ -76,10 +76,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
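Review bot: The new `chown` capability in `allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };` is undocumented, while the comment directly above (`# dac_override for /var/run/asterisk`) explains only dac_override. chown lets the daemon hand its files to other owners, so the trigger (ownership fixup of its run/lib directories at startup, if that is what the denial showed) belongs in that comment: `# dac_override and chown for /var/run/asterisk`. The surrounding rules for asterisk_t continue outside the hunk.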
@@ -18567,6 +18629,25 @@ index b3b0176..51cb893 100644
corenet_tcp_connect_postgresql_port(asterisk_t)
corenet_tcp_connect_snmp_port(asterisk_t)
corenet_tcp_connect_sip_port(asterisk_t)
+@@ -125,6 +128,7 @@ files_search_spool(asterisk_t)
+ # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
+ # are labeled usr_t
+ files_read_usr_files(asterisk_t)
++files_dontaudit_search_home(asterisk_t)
+
+ fs_getattr_all_fs(asterisk_t)
+ fs_list_inotifyfs(asterisk_t)
+@@ -141,6 +145,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+ userdom_dontaudit_search_user_home_dirs(asterisk_t)
+
+ optional_policy(`
++ alsa_read_rw_config(asterisk_t)
++')
++
++optional_policy(`
+ mysql_stream_connect(asterisk_t)
+ ')
+
diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
index d80a16b..a43e006 100644
--- a/policy/modules/services/automount.if
@@ -18912,7 +18993,7 @@ index f4e7ad3..68aebc4 100644
corenet_tcp_connect_jabber_client_port(bitlbee_t)
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
-index 3e45431..fa57a6f 100644
+index 3e45431..4aa8fb1 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -14,6 +14,7 @@
@@ -18950,7 +19031,7 @@ index 3e45431..fa57a6f 100644
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
@@ -21331,10 +21412,10 @@ index 0000000..939d76e
+')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
-index 0000000..173e56f
+index 0000000..eadbdf4
--- /dev/null
+++ b/policy/modules/services/colord.te
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,79 @@
+policy_module(colord,1.0.0)
+
+########################################
@@ -21361,6 +21442,7 @@ index 0000000..173e56f
+allow colord_t self:fifo_file rw_fifo_file_perms;
+allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow colord_t self:udp_socket create_socket_perms;
++allow colord_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
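Review bot: `allow colord_t self:unix_dgram_socket create_socket_perms;` is likely redundant if colord.te also calls `logging_send_syslog_msg(colord_t)`, since that interface already grants the domain `self:unix_dgram_socket create_socket_perms` for talking to syslog; the rest of colord.te is outside this hunk so I cannot confirm. If the socket is for something other than syslog, a short comment saying what (`# dgram socket for <consumer>`) would stop the next reviewer from removing it as a duplicate.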
@@ -22110,7 +22192,7 @@ index 35241ed..b6402c9 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..220ba1b 100644
+index f7583ab..254e671 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@@ -22239,7 +22321,7 @@ index f7583ab..220ba1b 100644
# need auth_chkpwd to check for locked accounts.
auth_domtrans_chk_passwd(crond_t)
-+auth_read_var_auth(crond_t)
++auth_manage_var_auth(crond_t)
corecmd_exec_shell(crond_t)
corecmd_list_bin(crond_t)
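Review bot: Replacing `auth_read_var_auth(crond_t)` with `auth_manage_var_auth(crond_t)` moves crond from reading authentication state (var_auth_t) to creating, writing, renaming and deleting it, and neither the commit message nor the comment above it (`# need auth_chkpwd to check for locked accounts.`, which justifies read-only access) explains why. A daemon that can rewrite lockout or tally state is a meaningful widening, so the denial that motivated it should be recorded and a narrower interface preferred if writing existing files is all that is needed. At minimum extend the comment, e.g. `# crond also updates var_auth_t state when checking locked accounts`, if that is the actual cause. The crond_t block starts and ends outside the hunk.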
@@ -22597,7 +22679,7 @@ index 305ddf4..777091a 100644
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..1c96265 100644
+index 0f28095..cda064a 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -22698,7 +22780,18 @@ index 0f28095..1c96265 100644
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-@@ -425,11 +434,10 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -393,6 +402,10 @@ dev_read_sysfs(cupsd_config_t)
+ dev_read_urand(cupsd_config_t)
+ dev_read_rand(cupsd_config_t)
+ dev_rw_generic_usb_dev(cupsd_config_t)
++ifdef(`hide_broken_symptoms', `
++ dev_rw_generic_chr_files(cupsd_config_t)
++')
++
+
+ files_search_all_mountpoints(cupsd_config_t)
+
+@@ -425,11 +438,10 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
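Review bot: `dev_rw_generic_chr_files(cupsd_config_t)` grants read/write on every character device that still carries the generic device_t label, which is a wide grant even inside `ifdef(`hide_broken_symptoms',`; the ifdef decides only whether the rule is compiled in, and nothing records which device node cupsd_config actually touches. The durable fix is to label that node in devices.fc so a specific dev_rw_* interface can be used; until then add `# cupsd_config opens a chr node still labeled device_t; label it in devices.fc and drop this` above the ifdef so the rule can be removed later. The hunk also leaves two consecutive blank lines after the `')`; one should go.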
@@ -22711,7 +22804,7 @@ index 0f28095..1c96265 100644
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
-@@ -453,6 +461,10 @@ optional_policy(`
+@@ -453,6 +465,10 @@ optional_policy(`
')
optional_policy(`
@@ -22722,7 +22815,7 @@ index 0f28095..1c96265 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +479,10 @@ optional_policy(`
+@@ -467,6 +483,10 @@ optional_policy(`
')
optional_policy(`
@@ -22733,7 +22826,7 @@ index 0f28095..1c96265 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -587,13 +603,17 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,13 +607,17 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -22753,7 +22846,7 @@ index 0f28095..1c96265 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_auto_mountpoints(cups_pdf_t)
-@@ -606,6 +626,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -606,6 +630,10 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(cups_pdf_t)
')
@@ -22764,7 +22857,7 @@ index 0f28095..1c96265 100644
########################################
#
# HPLIP local policy
-@@ -639,7 +663,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +667,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -22773,7 +22866,7 @@ index 0f28095..1c96265 100644
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +709,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +713,7 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -22781,7 +22874,7 @@ index 0f28095..1c96265 100644
logging_send_syslog_msg(hplip_t)
-@@ -696,8 +721,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +725,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -23449,7 +23542,7 @@ index 418a5a0..28d9e41 100644
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..22b862e 100644
+index f706b99..30954ba 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
@@ -23464,7 +23557,35 @@ index f706b99..22b862e 100644
## </param>
#
interface(`devicekit_domtrans',`
-@@ -118,6 +118,44 @@ interface(`devicekit_dbus_chat_power',`
+@@ -81,6 +81,27 @@ interface(`devicekit_dbus_chat_disk',`
+
+ ########################################
+ ## <summary>
++## Dontaudit Send and receive messages from
++## devicekit disk over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`devicekit_dontaudit_dbus_chat_disk',`
++ gen_require(`
++ type devicekit_disk_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 devicekit_disk_t:dbus send_msg;
++ dontaudit devicekit_disk_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
+ ## Send signal devicekit power
+ ## </summary>
+ ## <param name="domain">
+@@ -118,6 +139,44 @@ interface(`devicekit_dbus_chat_power',`
allow devicekit_power_t $1:dbus send_msg;
')
@@ -23509,7 +23630,7 @@ index f706b99..22b862e 100644
########################################
## <summary>
## Read devicekit PID files.
-@@ -139,22 +177,52 @@ interface(`devicekit_read_pid_files',`
+@@ -139,22 +198,52 @@ interface(`devicekit_read_pid_files',`
########################################
## <summary>
@@ -23569,7 +23690,7 @@ index f706b99..22b862e 100644
## </summary>
## </param>
## <rolecap/>
-@@ -165,21 +233,21 @@ interface(`devicekit_admin',`
+@@ -165,21 +254,21 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
@@ -28298,7 +28419,7 @@ index a73b7a1..83a4f38 100644
+
miscfiles_read_localization(ksmtuned_t)
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
-index c62f23e..335fda1 100644
+index c62f23e..92f3475 100644
--- a/policy/modules/services/ldap.fc
+++ b/policy/modules/services/ldap.fc
@@ -1,6 +1,8 @@
@@ -28307,7 +28428,7 @@ index c62f23e..335fda1 100644
-/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+
-+/etc/rc\.d/init\.d/sldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
@@ -33923,7 +34044,7 @@ index 9759ed8..48a5431 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
-index 06e217d..179e320 100644
+index 06e217d..dc27c14 100644
--- a/policy/modules/services/plymouthd.te
+++ b/policy/modules/services/plymouthd.te
@@ -8,6 +8,7 @@ policy_module(plymouthd, 1.0.1)
@@ -33955,12 +34076,13 @@ index 06e217d..179e320 100644
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
-@@ -60,10 +68,22 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -60,10 +68,23 @@ domain_use_interactive_fds(plymouthd_t)
files_read_etc_files(plymouthd_t)
files_read_usr_files(plymouthd_t)
+term_use_unallocated_ttys(plymouthd_t)
+
++logging_link_generic_logs(plymouthd_t)
+logging_delete_generic_logs(plymouthd_t)
+
miscfiles_read_localization(plymouthd_t)
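Review bot: `logging_link_generic_logs(plymouthd_t)` gives plymouthd hard-link rights on var_log_t files, and combined with the `logging_delete_generic_logs(plymouthd_t)` right below it the daemon can effectively rename or alias any generic log, which is a classic way to redirect or preserve content past rotation. If this is for rotating boot.log, say so above the two lines, `# plymouthd rotates boot.log via link+unlink`; otherwise a plymouthd-private log type with its own filetrans would confine the write to its own files. The plymouthd_t block continues outside the hunk.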
@@ -33978,7 +34100,7 @@ index 06e217d..179e320 100644
########################################
#
# Plymouth private policy
-@@ -74,6 +94,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
+@@ -74,6 +95,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(plymouth_t)
@@ -33986,7 +34108,7 @@ index 06e217d..179e320 100644
domain_use_interactive_fds(plymouth_t)
-@@ -87,7 +108,7 @@ sysnet_read_config(plymouth_t)
+@@ -87,7 +109,7 @@ sysnet_read_config(plymouth_t)
plymouthd_stream_connect(plymouth_t)
@@ -39768,7 +39890,7 @@ index bcdd16c..7c379a8 100644
files_list_var_lib($1)
admin_pattern($1, setroubleshoot_var_lib_t)
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
-index 086cd5f..610a762 100644
+index 086cd5f..79347e7 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t)
@@ -39803,7 +39925,24 @@ index 086cd5f..610a762 100644
corenet_all_recvfrom_unlabeled(setroubleshootd_t)
corenet_all_recvfrom_netlabel(setroubleshootd_t)
-@@ -112,8 +118,6 @@ logging_send_audit_msgs(setroubleshootd_t)
+@@ -85,6 +91,7 @@ files_getattr_all_files(setroubleshootd_t)
+ files_getattr_all_pipes(setroubleshootd_t)
+ files_getattr_all_sockets(setroubleshootd_t)
+ files_read_all_symlinks(setroubleshootd_t)
++files_read_mnt_files(setroubleshootd_t)
+
+ fs_getattr_all_dirs(setroubleshootd_t)
+ fs_getattr_all_files(setroubleshootd_t)
+@@ -104,6 +111,8 @@ auth_use_nsswitch(setroubleshootd_t)
+ init_read_utmp(setroubleshootd_t)
+ init_dontaudit_write_utmp(setroubleshootd_t)
+
++libs_exec_ld_so(setroubleshootd_t)
++
+ miscfiles_read_localization(setroubleshootd_t)
+
+ locallogin_dontaudit_use_fds(setroubleshootd_t)
+@@ -112,8 +121,6 @@ logging_send_audit_msgs(setroubleshootd_t)
logging_send_syslog_msg(setroubleshootd_t)
logging_stream_connect_dispatcher(setroubleshootd_t)
@@ -39812,7 +39951,7 @@ index 086cd5f..610a762 100644
seutil_read_config(setroubleshootd_t)
seutil_read_file_contexts(setroubleshootd_t)
seutil_read_bin_policy(setroubleshootd_t)
-@@ -121,6 +125,18 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -121,6 +128,18 @@ seutil_read_bin_policy(setroubleshootd_t)
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
optional_policy(`
@@ -39831,7 +39970,7 @@ index 086cd5f..610a762 100644
dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
')
-@@ -152,6 +168,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -152,6 +171,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
seutil_domtrans_setfiles(setroubleshoot_fixit_t)
@@ -39839,7 +39978,7 @@ index 086cd5f..610a762 100644
files_read_usr_files(setroubleshoot_fixit_t)
files_read_etc_files(setroubleshoot_fixit_t)
-@@ -164,6 +181,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+@@ -164,6 +184,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
miscfiles_read_localization(setroubleshoot_fixit_t)
@@ -41201,7 +41340,7 @@ index 22adaca..0f2729b 100644
+ allow $1 sshd_t:process signull;
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..8da0601 100644
+index 2dad3c8..386918b 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -41325,16 +41464,18 @@ index 2dad3c8..8da0601 100644
kernel_read_kernel_sysctls(ssh_t)
kernel_read_system_state(ssh_t)
-@@ -138,6 +144,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
+@@ -138,7 +144,10 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)
+corenet_tcp_bind_generic_node(ssh_t)
+corenet_tcp_bind_all_unreserved_ports(ssh_t)
++dev_read_rand(ssh_t)
dev_read_urand(ssh_t)
-@@ -162,21 +170,28 @@ logging_read_generic_logs(ssh_t)
+ fs_getattr_all_fs(ssh_t)
+@@ -162,21 +171,28 @@ logging_read_generic_logs(ssh_t)
auth_use_nsswitch(ssh_t)
miscfiles_read_localization(ssh_t)
@@ -41368,7 +41509,7 @@ index 2dad3c8..8da0601 100644
')
tunable_policy(`use_nfs_home_dirs',`
-@@ -196,10 +211,15 @@ tunable_policy(`user_tcp_server',`
+@@ -196,10 +212,15 @@ tunable_policy(`user_tcp_server',`
')
optional_policy(`
@@ -41384,16 +41525,18 @@ index 2dad3c8..8da0601 100644
##############################
#
# ssh_keysign_t local policy
-@@ -209,7 +229,7 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,8 +230,9 @@ tunable_policy(`allow_ssh_keysign',`
allow ssh_keysign_t self:capability { setgid setuid };
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
- allow ssh_keysign_t sshd_key_t:file { getattr read };
+ allow ssh_keysign_t sshd_key_t:file read_file_perms;
++ dev_read_rand(ssh_keysign_t)
dev_read_urand(ssh_keysign_t)
-@@ -232,33 +252,42 @@ optional_policy(`
+ files_read_etc_files(ssh_keysign_t)
+@@ -232,33 +254,43 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -41438,6 +41581,7 @@ index 2dad3c8..8da0601 100644
-',`
- userdom_spec_domtrans_unpriv_users(sshd_t)
- userdom_signal_unpriv_users(sshd_t)
++ userdom_spec_domtrans_all_users(sshd_t)
+')
+
+optional_policy(`
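Review bot: `userdom_spec_domtrans_all_users(sshd_t)` lets sshd transition logins into every user domain, sysadm_t included, while the removed lines right above it (`userdom_spec_domtrans_unpriv_users(sshd_t)` / `userdom_signal_unpriv_users(sshd_t)`) were the unprivileged-only branch of a tunable in the upstream policy. If this is meant to drop the ssh_sysadm_login gate for F15, the commit message should say so, since it changes who can obtain a privileged domain over ssh; if not, the line belongs inside `tunable_policy(`ssh_sysadm_login',` ... `)` as before. The enclosing block begins before the hunk, so I cannot see what it is nested in.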
@@ -41445,7 +41589,7 @@ index 2dad3c8..8da0601 100644
')
optional_policy(`
-@@ -266,11 +295,24 @@ optional_policy(`
+@@ -266,11 +298,24 @@ optional_policy(`
')
optional_policy(`
@@ -41471,7 +41615,7 @@ index 2dad3c8..8da0601 100644
')
optional_policy(`
-@@ -284,6 +326,11 @@ optional_policy(`
+@@ -284,6 +329,11 @@ optional_policy(`
')
optional_policy(`
@@ -41483,7 +41627,7 @@ index 2dad3c8..8da0601 100644
unconfined_shell_domtrans(sshd_t)
')
-@@ -292,26 +339,26 @@ optional_policy(`
+@@ -292,26 +342,26 @@ optional_policy(`
')
ifdef(`TODO',`
@@ -41529,7 +41673,7 @@ index 2dad3c8..8da0601 100644
') dnl endif TODO
########################################
-@@ -322,19 +369,25 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +372,25 @@ tunable_policy(`ssh_sysadm_login',`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -41556,8 +41700,11 @@ index 2dad3c8..8da0601 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -353,7 +406,7 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -351,9 +407,10 @@ auth_use_nsswitch(ssh_keygen_t)
+ logging_send_syslog_msg(ssh_keygen_t)
+
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
++userdom_use_user_terminals(ssh_keygen_t)
optional_policy(`
- nscd_socket_use(ssh_keygen_t)
@@ -48455,7 +48602,7 @@ index cc83689..3388f34 100644
+')
+
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..3a08853 100644
+index ea29513..e2a25f1 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -48614,7 +48761,7 @@ index ea29513..3a08853 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +234,113 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +234,116 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -48666,12 +48813,15 @@ index ea29513..3a08853 100644
+ files_relabel_all_pid_files(init_t)
+ files_unlink_all_pid_sockets(init_t)
+ files_manage_urandom_seed(init_t)
++ files_list_locks(init_t)
+ files_create_lock_dirs(init_t)
++ files_relabel_all_lock_dirs(init_t)
+
+ fs_manage_cgroup_dirs(init_t)
+ fs_manage_hugetlbfs_dirs(init_t)
+ fs_manage_tmpfs_dirs(init_t)
+ fs_relabel_tmpfs_dirs(init_t)
++ fs_relabel_tmpfs_files(init_t)
+ fs_mount_all_fs(init_t)
+ fs_remount_autofs(init_t)
+ fs_list_auto_mountpoints(init_t)
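Review bot: The commit message only mentions letting init list var_lock_t, but this hunk also adds `files_relabel_all_lock_dirs(init_t)` and `fs_relabel_tmpfs_files(init_t)`, which let init_t relabel every lockfile-attributed directory and every file on tmpfs; relabel rights are how labels get rewritten after the fact, so they deserve a mention in the message and a why-comment each (e.g. `# systemd relabels /run/lock and tmpfs mounts at boot`, if that is the trigger). `files_list_locks(init_t)` is the documented change and looks fine. This init_t block starts before the hunk.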
@@ -48728,7 +48878,7 @@ index ea29513..3a08853 100644
')
optional_policy(`
-@@ -199,10 +348,25 @@ optional_policy(`
+@@ -199,10 +351,25 @@ optional_policy(`
')
optional_policy(`
@@ -48754,7 +48904,7 @@ index ea29513..3a08853 100644
unconfined_domain(init_t)
')
-@@ -212,7 +376,7 @@ optional_policy(`
+@@ -212,7 +379,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -48763,7 +48913,7 @@ index ea29513..3a08853 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +405,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +408,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -48779,7 +48929,7 @@ index ea29513..3a08853 100644
init_write_initctl(initrc_t)
-@@ -258,20 +425,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +428,32 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -48816,7 +48966,7 @@ index ea29513..3a08853 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +458,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +461,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -48824,7 +48974,7 @@ index ea29513..3a08853 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -291,6 +471,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +474,7 @@ dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
@@ -48832,7 +48982,7 @@ index ea29513..3a08853 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +479,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +482,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -48848,7 +48998,7 @@ index ea29513..3a08853 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -316,6 +497,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +500,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -48856,7 +49006,7 @@ index ea29513..3a08853 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -323,8 +505,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +508,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -48868,7 +49018,7 @@ index ea29513..3a08853 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +524,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +527,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -48882,7 +49032,7 @@ index ea29513..3a08853 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +539,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +542,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -48891,7 +49041,7 @@ index ea29513..3a08853 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +553,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +556,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -48899,7 +49049,7 @@ index ea29513..3a08853 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +565,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +568,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -48907,7 +49057,7 @@ index ea29513..3a08853 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,13 +586,12 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +589,12 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -48923,7 +49073,18 @@ index ea29513..3a08853 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -478,7 +669,7 @@ ifdef(`distro_redhat',`
+@@ -458,6 +652,10 @@ ifdef(`distro_gentoo',`
+ sysnet_setattr_config(initrc_t)
+
+ optional_policy(`
++ abrt_manage_pid_files(initrc_t)
++ ')
++
++ optional_policy(`
+ alsa_read_lib(initrc_t)
+ ')
+
+@@ -478,7 +676,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
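Review bot: `abrt_manage_pid_files(initrc_t)` gives every init script create, write and delete access to abrt's pid files, yet none of the five changelog entries mentions it, so the reason for the grant is not recorded anywhere. The same omission applies to `userdom_rw_semaphores(lvm_t)` in the lvm.te hunk and to the new `logging_link_generic_logs` interface in logging.if. A one-line comment above the new optional block, along the lines of `# <initscript name> needs to remove abrt's pid file, see <bug id>` with the placeholders filled in, would keep the justification with the rule.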
@@ -48932,7 +49093,7 @@ index ea29513..3a08853 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -493,6 +684,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +691,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -48940,7 +49101,7 @@ index ea29513..3a08853 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -524,6 +716,23 @@ ifdef(`distro_redhat',`
+@@ -524,6 +723,23 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -48964,7 +49125,7 @@ index ea29513..3a08853 100644
')
optional_policy(`
-@@ -531,10 +740,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +747,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -48982,7 +49143,7 @@ index ea29513..3a08853 100644
')
optional_policy(`
-@@ -549,6 +765,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +772,39 @@ ifdef(`distro_suse',`
')
')
@@ -49022,7 +49183,7 @@ index ea29513..3a08853 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +810,8 @@ optional_policy(`
+@@ -561,6 +817,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -49031,7 +49192,7 @@ index ea29513..3a08853 100644
')
optional_policy(`
-@@ -577,6 +828,7 @@ optional_policy(`
+@@ -577,6 +835,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -49039,7 +49200,7 @@ index ea29513..3a08853 100644
')
optional_policy(`
-@@ -589,6 +841,11 @@ optional_policy(`
+@@ -589,6 +848,11 @@ optional_policy(`
')
optional_policy(`
@@ -49051,7 +49212,7 @@ index ea29513..3a08853 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +862,13 @@ optional_policy(`
+@@ -605,9 +869,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -49065,7 +49226,7 @@ index ea29513..3a08853 100644
')
optional_policy(`
-@@ -649,6 +910,11 @@ optional_policy(`
+@@ -649,6 +917,11 @@ optional_policy(`
')
optional_policy(`
@@ -49077,7 +49238,7 @@ index ea29513..3a08853 100644
inn_exec_config(initrc_t)
')
-@@ -706,7 +972,13 @@ optional_policy(`
+@@ -706,7 +979,13 @@ optional_policy(`
')
optional_policy(`
@@ -49091,7 +49252,7 @@ index ea29513..3a08853 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1001,10 @@ optional_policy(`
+@@ -729,6 +1008,10 @@ optional_policy(`
')
optional_policy(`
@@ -49102,7 +49263,7 @@ index ea29513..3a08853 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1014,20 @@ optional_policy(`
+@@ -738,10 +1021,20 @@ optional_policy(`
')
optional_policy(`
@@ -49123,7 +49284,7 @@ index ea29513..3a08853 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1036,10 @@ optional_policy(`
+@@ -750,6 +1043,10 @@ optional_policy(`
')
optional_policy(`
@@ -49134,7 +49295,7 @@ index ea29513..3a08853 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1061,6 @@ optional_policy(`
+@@ -771,8 +1068,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -49143,7 +49304,7 @@ index ea29513..3a08853 100644
')
optional_policy(`
-@@ -781,14 +1069,21 @@ optional_policy(`
+@@ -781,14 +1076,21 @@ optional_policy(`
')
optional_policy(`
@@ -49165,7 +49326,7 @@ index ea29513..3a08853 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1095,6 @@ optional_policy(`
+@@ -800,7 +1102,6 @@ optional_policy(`
')
optional_policy(`
@@ -49173,7 +49334,7 @@ index ea29513..3a08853 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -810,11 +1104,24 @@ optional_policy(`
+@@ -810,11 +1111,24 @@ optional_policy(`
')
optional_policy(`
@@ -49199,7 +49360,7 @@ index ea29513..3a08853 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1131,25 @@ optional_policy(`
+@@ -824,6 +1138,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -49225,7 +49386,7 @@ index ea29513..3a08853 100644
')
optional_policy(`
-@@ -849,3 +1175,42 @@ optional_policy(`
+@@ -849,3 +1182,42 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -49787,7 +49948,7 @@ index 663a47b..ad0b864 100644
+ allow $1 iscsid_t:sem create_sem_perms;
+')
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
-index 1d1c399..67d0dec 100644
+index 1d1c399..b8f623a 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -31,6 +31,7 @@ files_pid_file(iscsi_var_run_t)
@@ -49798,7 +49959,18 @@ index 1d1c399..67d0dec 100644
allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file rw_fifo_file_perms;
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -64,6 +65,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+@@ -44,8 +45,9 @@ allow iscsid_t self:tcp_socket create_stream_socket_perms;
+
+ can_exec(iscsid_t, iscsid_exec_t)
+
++manage_dirs_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
+ manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
+-files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
++files_lock_filetrans(iscsid_t, iscsi_lock_t, { dir file })
+
+ manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)
+ logging_log_filetrans(iscsid_t, iscsi_log_t, file)
+@@ -64,6 +66,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
kernel_read_network_state(iscsid_t)
kernel_read_system_state(iscsid_t)
@@ -49806,7 +49978,7 @@ index 1d1c399..67d0dec 100644
corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t)
-@@ -76,6 +78,8 @@ corenet_tcp_connect_isns_port(iscsid_t)
+@@ -76,6 +79,8 @@ corenet_tcp_connect_isns_port(iscsid_t)
dev_rw_sysfs(iscsid_t)
dev_rw_userio_dev(iscsid_t)
@@ -49815,7 +49987,7 @@ index 1d1c399..67d0dec 100644
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
-@@ -91,5 +95,5 @@ logging_send_syslog_msg(iscsid_t)
+@@ -91,5 +96,5 @@ logging_send_syslog_msg(iscsid_t)
miscfiles_read_localization(iscsid_t)
optional_policy(`
@@ -50405,7 +50577,7 @@ index 571599b..ddaf246 100644
+
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index c7cfb62..6160239 100644
+index c7cfb62..ee89659 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -545,6 +545,44 @@ interface(`logging_send_syslog_msg',`
@@ -50508,10 +50680,29 @@ index c7cfb62..6160239 100644
')
########################################
-@@ -824,6 +899,25 @@ interface(`logging_read_generic_logs',`
+@@ -824,6 +899,44 @@ interface(`logging_read_generic_logs',`
########################################
## <summary>
++## Link generic log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`logging_link_generic_logs',`
++ gen_require(`
++ type var_log_t;
++ ')
++
++ allow $1 var_log_t:file link;
++')
++
++########################################
++## <summary>
+## Delete generic log files.
+## </summary>
+## <param name="domain">
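Review bot: `logging_link_generic_logs` grants only `var_log_t:file link`, but creating a hard link also needs `search` and `add_name` on the directory that receives the link, which the interface neither grants nor documents, so a caller that uses this interface alone will still be denied. The summary should say so, e.g. `## Link generic log files. The caller also needs add_name on the directory in which the link is created.` The interface is not called anywhere in the visible hunks, so its intended user cannot be checked here.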
@@ -50534,7 +50725,7 @@ index c7cfb62..6160239 100644
## Write generic log files.
## </summary>
## <param name="domain">
-@@ -971,6 +1065,7 @@ interface(`logging_admin_syslog',`
+@@ -971,6 +1084,7 @@ interface(`logging_admin_syslog',`
type syslogd_initrc_exec_t;
')
@@ -50542,7 +50733,7 @@ index c7cfb62..6160239 100644
allow $1 syslogd_t:process { ptrace signal_perms };
allow $1 klogd_t:process { ptrace signal_perms };
ps_process_pattern($1, syslogd_t)
-@@ -996,6 +1091,8 @@ interface(`logging_admin_syslog',`
+@@ -996,6 +1110,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
@@ -50818,7 +51009,7 @@ index 58bc27f..b95f0c0 100644
+ allow $1 clvmd_tmpfs_t:file unlink;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index a0a0ebf..e35b248 100644
+index a0a0ebf..612ad99 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -50948,7 +51139,15 @@ index a0a0ebf..e35b248 100644
selinux_get_fs_mount(lvm_t)
selinux_validate_context(lvm_t)
-@@ -311,6 +333,11 @@ ifdef(`distro_redhat',`
+@@ -300,6 +322,7 @@ seutil_search_default_contexts(lvm_t)
+ seutil_sigchld_newrole(lvm_t)
+
+ userdom_use_user_terminals(lvm_t)
++userdom_rw_semaphores(lvm_t)
+
+ ifdef(`distro_redhat',`
+ # this is from the initrd:
+@@ -311,6 +334,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -50960,7 +51159,7 @@ index a0a0ebf..e35b248 100644
bootloader_rw_tmp_files(lvm_t)
')
-@@ -331,6 +358,10 @@ optional_policy(`
+@@ -331,14 +359,26 @@ optional_policy(`
')
optional_policy(`
@@ -50971,7 +51170,12 @@ index a0a0ebf..e35b248 100644
modutils_domtrans_insmod(lvm_t)
')
-@@ -339,6 +370,10 @@ optional_policy(`
+ optional_policy(`
++ raid_read_mdadm_pid(lvm_t)
++')
++
++optional_policy(`
+ rpm_manage_script_tmp_files(lvm_t)
')
optional_policy(`
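Review bot: `userdom_rw_semaphores(lvm_t)` lets lvm_t read and write SysV semaphores owned by user domains, and the rule carries no comment explaining which tool or failure needed it, unlike the `# this is from the initrd:` note a few lines below. Since it is an unconditional grant on user-owned IPC objects, a comment such as `# <tool> run from a user session shares its semaphore, see <bug id>` with the placeholders filled in would let the next maintainer judge whether it is still needed. The new `raid_read_mdadm_pid(lvm_t)` block is correctly wrapped in optional_policy.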
@@ -51895,6 +52099,35 @@ index ed9c70d..b961d53 100644
/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if
+index c817fda..8bcb1fd 100644
+--- a/policy/modules/system/raid.if
++++ b/policy/modules/system/raid.if
+@@ -21,6 +21,24 @@ interface(`raid_domtrans_mdadm',`
+
+ ########################################
+ ## <summary>
++## read the mdadm pid files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`raid_read_mdadm_pid',`
++ gen_require(`
++ type mdadm_var_run_t;
++ ')
++
++ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)
++')
++
++########################################
++## <summary>
+ ## Create, read, write, and delete the mdadm pid files.
+ ## </summary>
+ ## <desc>
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 73cc8cf..bf6a0b6 100644
--- a/policy/modules/system/raid.te
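Review bot: `raid_read_mdadm_pid` grants `read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)` but does not give the caller search access to /var/run itself, so a domain that has only this interface cannot reach the pid file; the sibling pid interfaces in refpolicy typically add `files_search_pids($1)` before the pattern. The summary also starts lowercase, `## read the mdadm pid files.`, while the neighbouring interface uses `## Create, read, write, and delete the mdadm pid files.`; it should read `## Read the mdadm pid files.` for consistency.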
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8bafbd8..1a7d898 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 12%{?dist}
+Release: 13%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,13 @@ exit 0
%endif
%changelog
+* Thu Apr 7 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-13
+- Allow colord to use unix_dgram_socket
+- Allow apps that search pids to read /var/run if it is a lnk_file
+- iscsid_t creates its own directory
+- Allow init to list var_lock_t dir
+- apm needs to verify user accounts auth_use_nsswitch
+
* Mon Apr 4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-12
- Add /var/run/lock /var/lock definition to file_contexts.subs
- nslcd_t is looking for kerberos cc files