[selinux-policy] - xdm_t needs getsession for switch user - Every app that used to exec init is now execing systemdct

Miroslav Grepl mgrepl at fedoraproject.org
Fri Apr 15 07:07:12 UTC 2011


commit 6ac26422cc7137f042bb110fed4f94c61b2f6716
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Apr 15 09:08:10 2011 +0000

    - xdm_t needs getsession for switch user
    - Every app that used to exec init is now execing systemctl
    - Allow squid to manage krb5_host_rcache_t files
    - Allow foghorn to connect to agentx port
    - Fixes for colord policy

 policy-F16.patch    |  584 +++++++++++++++++++++++++++++++--------------------
 selinux-policy.spec |    8 +-
 2 files changed, 364 insertions(+), 228 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 62292e3..8c28a80 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1001,7 +1001,7 @@ index 3c7b1e8..1e155f5 100644
 +
 +/var/run/epylog\.pid		gen_context(system_u:object_r:logwatch_var_run_t,s0)
 diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
-index 75ce30f..68cb617 100644
+index 75ce30f..0e77aea 100644
 --- a/policy/modules/admin/logwatch.te
 +++ b/policy/modules/admin/logwatch.te
 @@ -19,6 +19,9 @@ files_lock_file(logwatch_lock_t)
@@ -1024,7 +1024,15 @@ index 75ce30f..68cb617 100644
  kernel_read_fs_sysctls(logwatch_t)
  kernel_read_kernel_sysctls(logwatch_t)
  kernel_read_system_state(logwatch_t)
-@@ -70,6 +76,8 @@ fs_getattr_all_fs(logwatch_t)
+@@ -58,6 +64,7 @@ files_list_var(logwatch_t)
+ files_read_var_symlinks(logwatch_t)
+ files_read_etc_files(logwatch_t)
+ files_read_etc_runtime_files(logwatch_t)
++files_read_system_conf_files(logwatch_t)
+ files_read_usr_files(logwatch_t)
+ files_search_spool(logwatch_t)
+ files_search_mnt(logwatch_t)
+@@ -70,6 +77,8 @@ fs_getattr_all_fs(logwatch_t)
  fs_dontaudit_list_auto_mountpoints(logwatch_t)
  fs_list_inotifyfs(logwatch_t)
  
@@ -1033,7 +1041,7 @@ index 75ce30f..68cb617 100644
  term_dontaudit_getattr_pty_dirs(logwatch_t)
  term_dontaudit_list_ptys(logwatch_t)
  
-@@ -92,11 +100,21 @@ sysnet_dns_name_resolve(logwatch_t)
+@@ -92,11 +101,21 @@ sysnet_dns_name_resolve(logwatch_t)
  sysnet_exec_ifconfig(logwatch_t)
  
  userdom_dontaudit_search_user_home_dirs(logwatch_t)
@@ -1324,6 +1332,19 @@ index 0000000..73ffa81
 +	modutils_read_module_config(ncftool_t)
 +	modutils_domtrans_insmod(ncftool_t)
 +')
+diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
+index 407078f..a818e14 100644
+--- a/policy/modules/admin/netutils.fc
++++ b/policy/modules/admin/netutils.fc
+@@ -8,7 +8,7 @@
+ /usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /usr/bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+ 
+-/usr/sbin/fping 	--	gen_context(system_u:object_r:ping_exec_t,s0)
++/usr/sbin/fping.* 	--	gen_context(system_u:object_r:ping_exec_t,s0)
+ /usr/sbin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /usr/sbin/hping2	--	gen_context(system_u:object_r:ping_exec_t,s0)
+ /usr/sbin/send_arp	--	gen_context(system_u:object_r:ping_exec_t,s0)
 diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
 index c6ca761..46e0767 100644
 --- a/policy/modules/admin/netutils.if
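Review bot: The new pattern `/usr/sbin/fping.*` labels every regular file whose name begins with `fping` as ping_exec_t, which is broader than the binaries it presumably targets. If the goal is to cover `fping6` next to `fping`, `/usr/sbin/fping6?	--	gen_context(system_u:object_r:ping_exec_t,s0)` does that without pulling any other `fping*` file that lands in /usr/sbin into the ping domain's entrypoint type. Which sibling binaries exist is inferred from the name, not visible in the hunk.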
@@ -10936,7 +10957,7 @@ index 6cf8784..5b25039 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index e9313fb..60437ca 100644
+index e9313fb..255c5bb 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -11278,7 +11299,7 @@ index e9313fb..60437ca 100644
  ##	Write to watchdog devices.
  ## </summary>
  ## <param name="domain">
-@@ -4748,3 +4874,23 @@ interface(`dev_unconfined',`
+@@ -4748,3 +4874,22 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -11301,7 +11322,6 @@ index e9313fb..60437ca 100644
 +
 +	dontaudit $1 { device_t device_node }:dir_file_class_set getattr;
 +')
-+
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
 index 3ff4f60..89ffda6 100644
 --- a/policy/modules/kernel/devices.te
@@ -11774,7 +11794,7 @@ index 16108f6..e76bf67 100644
 +
 +/usr/lib/debug(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 958ca84..cec6add 100644
+index 958ca84..aaf48dc 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -12244,7 +12264,32 @@ index 958ca84..cec6add 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3914,6 +4268,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -3858,6 +4212,24 @@ interface(`files_dontaudit_list_tmp',`
+ 	dontaudit $1 tmp_t:dir list_dir_perms;
+ ')
+ 
++#######################################
++## <summary>
++##  Allow read and write to the tmp directory (/tmp).
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain not to audit.
++##  </summary>
++## </param>
++#
++interface(`files_rw_generic_tmp_dir',`
++    gen_require(`
++        type tmp_t;
++    ')
++
++    allow $1 tmp_t:dir rw_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Remove entries from the tmp directory.
+@@ -3914,6 +4286,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
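Review bot: The `<param>` text of the new `files_rw_generic_tmp_dir` interface says `Domain not to audit.` although the body is an `allow` rule, so it should read `##	Domain allowed access.` like the neighbouring interfaces. The summary also understates what is granted: `rw_dir_perms` on `tmp_t:dir` lets the caller add and remove arbitrary entries in every directory labeled tmp_t, which is worth stating as `##	Add and remove entries in the tmp directory (/tmp); the caller can create or unlink any name there.` so that callers such as kerberos_manage_host_rcache later in this patch pick it knowingly. The body is also indented with spaces while the rest of files.if uses tabs.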
@@ -12277,7 +12322,7 @@ index 958ca84..cec6add 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -3968,7 +4348,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3968,7 +4366,7 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -12286,7 +12331,7 @@ index 958ca84..cec6add 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3976,17 +4356,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3976,17 +4374,95 @@ interface(`files_rw_generic_tmp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -12305,33 +12350,27 @@ index 958ca84..cec6add 100644
  ## <summary>
 -##	List all tmp directories.
 +##	Relabel a file from the type used in /tmp.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3994,22 +4374,100 @@ interface(`files_setattr_all_tmp_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`files_list_all_tmp',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_relabelfrom_tmp_files',`
- 	gen_require(`
--		attribute tmpfile;
++	gen_require(`
 +		type tmp_t;
- 	')
- 
--	allow $1 tmpfile:dir list_dir_perms;
++	')
++
 +	relabelfrom_files_pattern($1, tmp_t, tmp_t)
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to get the attributes
--##	of all tmp files.
++')
++
++########################################
++## <summary>
 +##	Relabel all tmp dirs.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain not to audit.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
@@ -12389,33 +12428,10 @@ index 958ca84..cec6add 100644
 +########################################
 +## <summary>
 +##	List all tmp directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_list_all_tmp',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	allow $1 tmpfile:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to get the attributes
-+##	of all tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain not to audit.
- ##	</summary>
- ## </param>
- #
-@@ -4127,6 +4585,15 @@ interface(`files_purge_tmp',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4127,6 +4603,15 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -12431,7 +12447,7 @@ index 958ca84..cec6add 100644
  ')
  
  ########################################
-@@ -4736,6 +5203,24 @@ interface(`files_read_var_files',`
+@@ -4736,6 +5221,24 @@ interface(`files_read_var_files',`
  
  ########################################
  ## <summary>
@@ -12456,7 +12472,7 @@ index 958ca84..cec6add 100644
  ##	Read and write files in the /var directory.
  ## </summary>
  ## <param name="domain">
-@@ -5071,6 +5556,25 @@ interface(`files_manage_mounttab',`
+@@ -5071,6 +5574,25 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -12473,7 +12489,7 @@ index 958ca84..cec6add 100644
 +		type var_t, var_lock_t;
 +	')
 +
-+	files_search_pids($1)
++	files_search_locks($1)
 +	list_dirs_pattern($1, var_t, var_lock_t)
 +')
 +
@@ -12482,15 +12498,22 @@ index 958ca84..cec6add 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5084,6 +5588,7 @@ interface(`files_search_locks',`
+@@ -5084,6 +5606,8 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
 +	files_search_pids($1)
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5108,6 +5613,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5103,11 +5627,32 @@ interface(`files_dontaudit_search_locks',`
+ 		type var_lock_t;
+ 	')
+ 
++	dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
+ 	dontaudit $1 var_lock_t:dir search_dir_perms;
+ ')
  
  ########################################
  ## <summary>
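Review bot: `files_search_locks` now grants `var_lock_t:lnk_file read_lnk_file_perms` plus `files_search_pids($1)` to every caller, and the lock interfaces changed in the following hunks of this file (files_rw_lock_dirs, files_getattr_generic_locks, files_delete_generic_locks, files_manage_generic_locks, files_read_all_locks, files_manage_all_locks, files_lock_filetrans) are rewritten to route through it, so var_run_t search is silently added to each of them. Nothing in the hunk says why; presumably /var/lock has become a symlink into /var/run on systemd systems. A one-line comment above the new rule, `# /var/lock is a symlink into /var/run on systemd systems, so lock users must also search var_run_t`, would record that and keep someone from "cleaning up" the extra search later. The `files_dontaudit_search_locks` change in the same hunk mirrors this with a dontaudit and is consistent.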
@@ -12508,7 +12531,7 @@ index 958ca84..cec6add 100644
 +		type var_t, var_lock_t;
 +	')
 +
-+        allow $1 var_t:dir search_dir_perms;
++	files_search_locks($1)
 +        allow $1 var_lock_t:dir create_dir_perms;
 +')
 +
@@ -12517,23 +12540,24 @@ index 958ca84..cec6add 100644
  ##	Add and remove entries in the /var/lock
  ##	directories.
  ## </summary>
-@@ -5122,6 +5647,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5122,6 +5667,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
-+	files_search_pids($1)
++	files_search_locks($1)
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5142,6 +5668,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5140,7 +5686,7 @@ interface(`files_getattr_generic_locks',`
+ 		type var_t, var_lock_t;
+ 	')
  
- 	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_t:dir search_dir_perms;
++	files_search_locks($1)
  	allow $1 var_lock_t:dir list_dir_perms;
-+	files_search_pids($1)
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
- 
-@@ -5156,12 +5683,13 @@ interface(`files_getattr_generic_locks',`
+@@ -5156,12 +5702,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -12545,21 +12569,21 @@ index 958ca84..cec6add 100644
  
 -	allow $1 var_t:dir search_dir_perms;
 -	delete_files_pattern($1, var_lock_t, var_lock_t)
-+       allow $1 var_t:dir search_dir_perms;
-+       files_search_pids($1)
++       files_search_locks($1)
 +       delete_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
  ########################################
-@@ -5181,6 +5709,7 @@ interface(`files_manage_generic_locks',`
+@@ -5180,7 +5726,7 @@ interface(`files_manage_generic_locks',`
+ 		type var_t, var_lock_t;
  	')
  
- 	allow $1 var_t:dir search_dir_perms;
-+	files_search_pids($1)
+-	allow $1 var_t:dir search_dir_perms;
++	files_search_locks($1)
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5207,6 +5736,27 @@ interface(`files_delete_all_locks',`
+@@ -5207,6 +5753,27 @@ interface(`files_delete_all_locks',`
  
  ########################################
  ## <summary>
@@ -12587,37 +12611,41 @@ index 958ca84..cec6add 100644
  ##	Read all lock files.
  ## </summary>
  ## <param name="domain">
-@@ -5224,6 +5774,7 @@ interface(`files_read_all_locks',`
- 	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+@@ -5221,7 +5788,7 @@ interface(`files_read_all_locks',`
+ 		type var_t, var_lock_t;
+ 	')
+ 
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
++	files_search_locks($1)
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
-+	files_search_pids($1)
  	read_lnk_files_pattern($1, lockfile, lockfile)
- ')
- 
-@@ -5244,6 +5795,7 @@ interface(`files_manage_all_locks',`
+@@ -5243,7 +5810,7 @@ interface(`files_manage_all_locks',`
+ 		type var_t, var_lock_t;
  	')
  
- 	allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+	files_search_pids($1)
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
++	files_search_locks($1)
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5276,6 +5828,7 @@ interface(`files_lock_filetrans',`
+@@ -5275,7 +5842,7 @@ interface(`files_lock_filetrans',`
+ 		type var_t, var_lock_t;
  	')
  
- 	allow $1 var_t:dir search_dir_perms;
-+	files_search_pids($1)
+-	allow $1 var_t:dir search_dir_perms;
++	files_search_locks($1)
  	filetrans_pattern($1, var_lock_t, $2, $3)
  ')
  
-@@ -5333,6 +5886,44 @@ interface(`files_search_pids',`
+@@ -5332,9 +5899,47 @@ interface(`files_search_pids',`
+ 		type var_t, var_run_t;
  	')
  
++	allow $1 var_run_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_run_t)
-+	read_lnk_files_pattern($1, var_t, var_run_t)
-+')
-+
+ ')
+ 
 +######################################
 +## <summary>
 +## Add and remove entries from pid directories.
@@ -12653,10 +12681,12 @@ index 958ca84..cec6add 100644
 +
 +        allow $1 var_t:dir search_dir_perms;
 +        allow $1 var_run_t:dir create_dir_perms;
- ')
- 
++')
++
  ########################################
-@@ -5542,6 +6133,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+ ## <summary>
+ ##	Do not audit attempts to search
+@@ -5542,6 +6147,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -12719,7 +12749,7 @@ index 958ca84..cec6add 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5559,6 +6206,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6220,44 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -12764,7 +12794,7 @@ index 958ca84..cec6add 100644
  ')
  
  ########################################
-@@ -5844,3 +6529,284 @@ interface(`files_unconfined',`
+@@ -5844,3 +6543,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -22444,10 +22474,10 @@ index 0000000..939d76e
 +')
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
 new file mode 100644
-index 0000000..694e975
+index 0000000..eba511c
 --- /dev/null
 +++ b/policy/modules/services/colord.te
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,81 @@
 +policy_module(colord,1.0.0)
 +
 +########################################
@@ -22492,11 +22522,12 @@ index 0000000..694e975
 +dev_write_raw_memory(colord_t)
 +dev_read_video_dev(colord_t)
 +dev_write_video_dev(colord_t)
++dev_rw_printer(colord_t)
 +dev_read_rand(colord_t)
 +dev_read_sysfs(colord_t)
 +dev_read_urand(colord_t)
 +dev_list_sysfs(colord_t)
-+dev_read_generic_usb_dev(colord_t)
++dev_rw_generic_usb_dev(colord_t)
 +storage_read_scsi_generic(colord_t)
 +storage_write_scsi_generic(colord_t)
 +
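Review bot: `dev_read_generic_usb_dev` is widened to `dev_rw_generic_usb_dev` and `dev_rw_printer` is added without a comment on which devices colord needs to write to; write access to every generic USB device node is a broad grant for a daemon that, per the context lines, also holds `dev_write_raw_memory`. A short why-comment above the two lines, `# colord writes to USB colorimeters and printer devices during profiling — confirm device set`, would let the next reviewer judge whether a narrower device type or a tunable is warranted. The device usage is inferred from colord's purpose, not visible in the hunk.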
@@ -22505,11 +22536,14 @@ index 0000000..694e975
 +files_read_etc_files(colord_t)
 +files_read_usr_files(colord_t)
 +
++logging_send_syslog_msg(colord_t)
++
 +miscfiles_read_localization(colord_t)
 +
 +sysnet_dns_name_resolve(colord_t)
 +
 +optional_policy(`
++	cups_read_config(colord_t)
 +	cups_read_rw_config(colord_t)
 +	cups_stream_connect(colord_t)
 +	cups_dbus_chat(colord_t)
@@ -22618,7 +22652,7 @@ index fd15dfe..ad224fa 100644
 +	list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
 +')
 diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
-index e67a003..894d4e0 100644
+index e67a003..192332a 100644
 --- a/policy/modules/services/consolekit.te
 +++ b/policy/modules/services/consolekit.te
 @@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t)
@@ -22631,10 +22665,12 @@ index e67a003..894d4e0 100644
  ########################################
  #
  # consolekit local policy
-@@ -69,11 +72,12 @@ logging_send_audit_msgs(consolekit_t)
+@@ -69,11 +72,14 @@ logging_send_audit_msgs(consolekit_t)
  
  miscfiles_read_localization(consolekit_t)
  
++systemd_exec_systemctl(consolekit_t)
++
 +# consolekit needs to be able to ptrace all logged in users 
 +userdom_ptrace_all_users(consolekit_t)
  userdom_dontaudit_read_user_home_content_files(consolekit_t)
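Review bot: `systemd_exec_systemctl(consolekit_t)` is added without saying why consolekit now runs systemctl, and from the hunk alone it is not visible whether the interface performs a domain transition or leaves systemctl running in consolekit_t with the daemon's own permissions. Given the commit description (every app that used to exec init now execs systemctl), a comment such as `# consolekit invokes systemctl for the actions it used to hand to init` above the line would tie the grant to its reason. If no transition occurs, it is worth confirming that consolekit_t does not thereby gain more than the old init exec allowed.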
@@ -22646,7 +22682,7 @@ index e67a003..894d4e0 100644
  tunable_policy(`use_nfs_home_dirs',`
  	fs_read_nfs_files(consolekit_t)
  ')
-@@ -83,6 +87,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -83,6 +89,14 @@ tunable_policy(`use_samba_home_dirs',`
  ')
  
  optional_policy(`
@@ -22661,7 +22697,7 @@ index e67a003..894d4e0 100644
  	dbus_system_domain(consolekit_t, consolekit_exec_t)
  
  	optional_policy(`
-@@ -99,6 +111,10 @@ optional_policy(`
+@@ -99,6 +113,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22672,7 +22708,7 @@ index e67a003..894d4e0 100644
  	policykit_dbus_chat(consolekit_t)
  	policykit_domtrans_auth(consolekit_t)
  	policykit_read_lib(consolekit_t)
-@@ -106,9 +122,10 @@ optional_policy(`
+@@ -106,9 +124,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22685,7 +22721,7 @@ index e67a003..894d4e0 100644
  	xserver_read_xdm_pid(consolekit_t)
  	xserver_read_user_xauth(consolekit_t)
  	xserver_non_drawing_client(consolekit_t)
-@@ -125,5 +142,6 @@ optional_policy(`
+@@ -125,5 +144,6 @@ optional_policy(`
  
  optional_policy(`
  	#reading .Xauthity
@@ -29164,7 +29200,7 @@ index da2127e..e141bc5 100644
 +
 +sysnet_read_config(jabberd_domain)
 diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
-index 3525d24..e5db539 100644
+index 3525d24..923e979 100644
 --- a/policy/modules/services/kerberos.fc
 +++ b/policy/modules/services/kerberos.fc
 @@ -8,7 +8,7 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
@@ -29176,8 +29212,13 @@ index 3525d24..e5db539 100644
  /etc/rc\.d/init\.d/kprop	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+@@ -31,3 +31,4 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
+ /var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
+ 
+ /var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/HTTP_23		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..9026661 100644
+index 604f67b..65fdeb0 100644
 --- a/policy/modules/services/kerberos.if
 +++ b/policy/modules/services/kerberos.if
 @@ -26,9 +26,9 @@
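Review bot: The new file context `/var/tmp/HTTP_23` hard-codes a single numeric suffix; if, as the `host_0` entry above it suggests, the suffix is the uid of the process owning the replay cache, the entry only works while the HTTP service runs under uid 23 and the file silently stays tmp_t on any system that assigns a different uid. A pattern such as `/var/tmp/HTTP_[0-9]+	--	gen_context(system_u:object_r:krb5_host_rcache_t,s0)` labels the replay cache independent of the uid. The uid meaning of the suffix is inferred from the naming, not visible in the hunk.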
@@ -29258,7 +29299,15 @@ index 604f67b..9026661 100644
  
  	kerberos_read_keytab($2)
  	kerberos_use($2)
-@@ -296,28 +314,6 @@ interface(`kerberos_manage_host_rcache',`
+@@ -289,6 +307,7 @@ interface(`kerberos_manage_host_rcache',`
+ 
+ 		seutil_read_file_contexts($1)
+ 
++		files_rw_generic_tmp_dir($1)
+ 		allow $1 krb5_host_rcache_t:file manage_file_perms;
+ 		files_search_tmp($1)
+ 	')
+@@ -296,28 +315,6 @@ interface(`kerberos_manage_host_rcache',`
  
  ########################################
  ## <summary>
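Review bot: `files_rw_generic_tmp_dir($1)` now gives every caller of `kerberos_manage_host_rcache` the right to add and remove arbitrary names in tmp_t directories, which is wider than managing the replay cache file itself; the same grant reaches squid_t through the squid.te hunk later in this patch. Whether a type transition that labels a newly created cache file krb5_host_rcache_t rather than tmp_t exists is not visible here; without one, a freshly created `HTTP_<uid>` only gets the right label after a relabel. A comment above the new line, `# creating/removing the replay cache needs add_name/remove_name on the tmp directory`, with the existing `files_search_tmp($1)` moved above it, would make the ordering and the reason obvious. The enclosing interface starts and ends outside the hunk.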
@@ -29287,7 +29336,7 @@ index 604f67b..9026661 100644
  ##	All of the rules required to administrate 
  ##	an kerberos environment
  ## </summary>
-@@ -338,9 +334,8 @@ interface(`kerberos_admin',`
+@@ -338,9 +335,8 @@ interface(`kerberos_admin',`
  		type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
  		type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
  		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
@@ -29298,7 +29347,7 @@ index 604f67b..9026661 100644
  	')
  
  	allow $1 kadmind_t:process { ptrace signal_perms };
-@@ -378,3 +373,41 @@ interface(`kerberos_admin',`
+@@ -378,3 +374,41 @@ interface(`kerberos_admin',`
  
  	admin_pattern($1, krb5kdc_var_run_t)
  ')
@@ -31079,10 +31128,10 @@ index 0000000..f60483e
 +')
 diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
 new file mode 100644
-index 0000000..33329d5
+index 0000000..675ea8b
 --- /dev/null
 +++ b/policy/modules/services/mock.te
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,126 @@
 +policy_module(mock,1.0.0)
 +
 +## <desc>
@@ -31158,6 +31207,7 @@ index 0000000..33329d5
 +
 +corecmd_exec_bin(mock_t)
 +corecmd_exec_shell(mock_t)
++corecmd_dontaudit_exec_all_executables(mock_t)
 +
 +corenet_tcp_connect_http_port(mock_t)
 +
@@ -35602,7 +35652,7 @@ index 9759ed8..48a5431 100644
  	admin_pattern($1, plymouthd_var_run_t)
  ')
 diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
-index 06e217d..dc27c14 100644
+index 06e217d..208ef3a 100644
 --- a/policy/modules/services/plymouthd.te
 +++ b/policy/modules/services/plymouthd.te
 @@ -8,6 +8,7 @@ policy_module(plymouthd, 1.0.1)
@@ -35634,12 +35684,14 @@ index 06e217d..dc27c14 100644
  manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
  manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
  files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
-@@ -60,10 +68,23 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -60,10 +68,25 @@ domain_use_interactive_fds(plymouthd_t)
  files_read_etc_files(plymouthd_t)
  files_read_usr_files(plymouthd_t)
  
 +term_use_unallocated_ttys(plymouthd_t)
 +
++init_signal(plymouthd_t)
++
 +logging_link_generic_logs(plymouthd_t)
 +logging_delete_generic_logs(plymouthd_t)
 +
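Review bot: `init_signal(plymouthd_t)` lets the boot splash daemon send signals to the init domain (pid 1) without a comment on which signal or why. A why-comment above the line, `# plymouthd signals init during boot/shutdown handoff — confirm which signal is needed`, would document the grant, and if only one specific signal is required a narrower interface for that signal would be preferable where one exists. The reason is inferred from plymouth's role, not visible in the hunk.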
@@ -35658,7 +35710,7 @@ index 06e217d..dc27c14 100644
  ########################################
  #
  # Plymouth private policy
-@@ -74,6 +95,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
+@@ -74,6 +97,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
  allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
  
  kernel_read_system_state(plymouth_t)
@@ -35666,7 +35718,7 @@ index 06e217d..dc27c14 100644
  
  domain_use_interactive_fds(plymouth_t)
  
-@@ -87,7 +109,7 @@ sysnet_read_config(plymouth_t)
+@@ -87,7 +111,7 @@ sysnet_read_config(plymouth_t)
  
  plymouthd_stream_connect(plymouth_t)
  
@@ -39364,7 +39416,7 @@ index de37806..229a3c7 100644
 +	read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
 diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
-index 93c896a..9bdb8ab 100644
+index 93c896a..883f6f5 100644
 --- a/policy/modules/services/rhcs.te
 +++ b/policy/modules/services/rhcs.te
 @@ -6,13 +6,15 @@ policy_module(rhcs, 1.1.0)
@@ -39455,7 +39507,7 @@ index 93c896a..9bdb8ab 100644
  ')
  
  optional_policy(`
-@@ -114,13 +126,29 @@ optional_policy(`
+@@ -114,13 +126,37 @@ optional_policy(`
  	lvm_read_config(fenced_t)
  ')
  
@@ -39465,8 +39517,15 @@ index 93c896a..9bdb8ab 100644
 +#
 +
 +allow foghorn_t self:process { signal };
++allow foghorn_t self:tcp_socket create_stream_socket_perms;
++allow foghorn_t self:udp_socket create_socket_perms;
++
++corenet_tcp_connect_agentx_port(foghorn_t)
++
++dev_read_urand(foghorn_t)
 +
 +files_read_etc_files(foghorn_t)
++files_read_usr_files(foghorn_t)
 +
 +optional_policy(`
 +        dbus_connect_system_bus(foghorn_t)
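Review bot: The foghorn block mixes indentation: the new `optional_policy` body here uses eight spaces (`dbus_connect_system_bus`) while the snmp lines in the following hunk use two tabs, and the rest of rhcs.te uses a single tab. Normalising the added lines to one tab keeps the module consistent. Separately, `corenet_tcp_connect_agentx_port(foghorn_t)` has no comment on why foghorn needs the AgentX port; if it registers with snmpd as a subagent, `# foghorn registers with snmpd as an AgentX subagent` would explain both this line and the `snmp_stream_connect` added in the next hunk.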
@@ -39474,6 +39533,7 @@ index 93c896a..9bdb8ab 100644
 +
 +optional_policy(`
 +		snmp_read_snmp_var_lib_files(foghorn_t)
++		snmp_stream_connect(foghorn_t)
 +')
 +
  ######################################
@@ -39486,7 +39546,7 @@ index 93c896a..9bdb8ab 100644
  allow gfs_controld_t self:shm create_shm_perms;
  allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
  
-@@ -139,10 +167,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -139,10 +175,6 @@ storage_getattr_removable_dev(gfs_controld_t)
  init_rw_script_tmp_files(gfs_controld_t)
  
  optional_policy(`
@@ -39497,7 +39557,7 @@ index 93c896a..9bdb8ab 100644
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
  ')
-@@ -154,9 +178,10 @@ optional_policy(`
+@@ -154,9 +186,10 @@ optional_policy(`
  
  allow groupd_t self:capability { sys_nice sys_resource };
  allow groupd_t self:process setsched;
@@ -39509,7 +39569,7 @@ index 93c896a..9bdb8ab 100644
  dev_list_sysfs(groupd_t)
  
  files_read_etc_files(groupd_t)
-@@ -168,8 +193,7 @@ init_rw_script_tmp_files(groupd_t)
+@@ -168,8 +201,7 @@ init_rw_script_tmp_files(groupd_t)
  # qdiskd local policy
  #
  
@@ -39519,7 +39579,7 @@ index 93c896a..9bdb8ab 100644
  allow qdiskd_t self:tcp_socket create_stream_socket_perms;
  allow qdiskd_t self:udp_socket create_socket_perms;
  
-@@ -199,6 +223,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
+@@ -199,6 +231,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
  files_dontaudit_getattr_all_pipes(qdiskd_t)
  files_read_etc_files(qdiskd_t)
  
@@ -39528,7 +39588,7 @@ index 93c896a..9bdb8ab 100644
  storage_raw_read_removable_device(qdiskd_t)
  storage_raw_write_removable_device(qdiskd_t)
  storage_raw_read_fixed_disk(qdiskd_t)
-@@ -207,10 +233,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -207,10 +241,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
  auth_use_nsswitch(qdiskd_t)
  
  optional_policy(`
@@ -39539,7 +39599,7 @@ index 93c896a..9bdb8ab 100644
  	netutils_domtrans_ping(qdiskd_t)
  ')
  
-@@ -223,18 +245,28 @@ optional_policy(`
+@@ -223,18 +253,28 @@ optional_policy(`
  # rhcs domains common policy
  #
  
@@ -42627,7 +42687,7 @@ index d2496bd..1d0c078 100644
  
  	allow $1 squid_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
-index 4b2230e..d45dc67 100644
+index 4b2230e..950e65a 100644
 --- a/policy/modules/services/squid.te
 +++ b/policy/modules/services/squid.te
 @@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
@@ -42682,6 +42742,14 @@ index 4b2230e..d45dc67 100644
  
  	sysnet_dns_name_resolve(httpd_squid_script_t)
  
+@@ -206,3 +208,7 @@ optional_policy(`
+ optional_policy(`
+ 	udev_read_db(squid_t)
+ ')
++
++optional_policy(`
++	kerberos_manage_host_rcache(squid_t)
++')
 diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
 index 078bcd7..2d60774 100644
 --- a/policy/modules/services/ssh.fc
@@ -44589,7 +44657,7 @@ index 2124b6a..6546d6e 100644
  
  /var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..9b24cb5 100644
+index 7c5d8d8..b961fd7 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
 @@ -13,14 +13,15 @@
@@ -44849,10 +44917,23 @@ index 7c5d8d8..9b24cb5 100644
  ')
  
  ########################################
-@@ -516,3 +590,144 @@ interface(`virt_admin',`
+@@ -500,6 +574,7 @@ interface(`virt_manage_images',`
+ interface(`virt_admin',`
+ 	gen_require(`
+ 		type virtd_t, virtd_initrc_exec_t;
++		attribute virt_domain;
+ 	')
+ 
+ 	allow $1 virtd_t:process { ptrace signal_perms };
+@@ -515,4 +590,149 @@ interface(`virt_admin',`
+ 	virt_manage_lib_files($1)
  
  	virt_manage_log($1)
- ')
++
++	virt_manage_images($1)
++
++	allow $1 virt_domain:process { ptrace signal_perms };
++')
 +
 +########################################
 +## <summary>
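Review bot: `allow $1 virt_domain:process { ptrace signal_perms };` in `virt_admin` lets the administrative domain ptrace every virtual machine process, which amounts to reading and modifying guest memory from the host; that is a much stronger grant than the `virt_manage_images($1)` line added with it. It deserves a comment above the rule, e.g. `# admin may attach a debugger to / signal any running guest; this exposes guest memory`, so that roles given virt_admin are chosen with that in mind. The `attribute virt_domain;` requirement added earlier in this hunk is the matching declaration. The interface body continues outside the hunk.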
@@ -44993,7 +45074,7 @@ index 7c5d8d8..9b24cb5 100644
 +	')
 +
 +	allow $1 virt_tmpfs_type:file manage_file_perms;
-+')
+ ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
 index 3eca020..f715498 100644
 --- a/policy/modules/services/virt.te
@@ -47024,7 +47105,7 @@ index 130ced9..33c8170 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 6c01261..900068e 100644
+index 6c01261..3f91fd9 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -47353,7 +47434,7 @@ index 6c01261..900068e 100644
 -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
 -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
 +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
-+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched setsched setrlimit signal_perms setkeycreate ptrace };
++allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate ptrace };
  allow xdm_t self:fifo_file rw_fifo_file_perms;
  allow xdm_t self:shm create_shm_perms;
  allow xdm_t self:sem create_sem_perms;
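Review bot: `getsession` is appended to an already very long `self:process` permission set for xdm_t with no comment, so the reason (switch user in the display manager, per the commit description) lives only in the commit log. Adding `# getsession: needed by the display manager's switch-user flow` above the line keeps the justification next to the rule. On self this is a low-risk permission; the `ptrace` and `sys_ptrace` entries on the same lines are context and predate this commit.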
@@ -47533,7 +47614,7 @@ index 6c01261..900068e 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -433,9 +596,22 @@ files_list_mnt(xdm_t)
+@@ -433,9 +596,23 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -47541,6 +47622,7 @@ index 6c01261..900068e 100644
 +files_dontaudit_write_usr_files(xdm_t)
 +files_dontaudit_getattr_all_dirs(xdm_t)
 +files_dontaudit_getattr_all_symlinks(xdm_t)
++files_dontaudit_getattr_all_tmp_sockets(xdm_t)
  
  fs_getattr_all_fs(xdm_t)
  fs_search_auto_mountpoints(xdm_t)
@@ -47556,7 +47638,7 @@ index 6c01261..900068e 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -444,28 +620,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -444,28 +621,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -47595,7 +47677,7 @@ index 6c01261..900068e 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -474,9 +658,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -474,9 +659,30 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -47626,7 +47708,7 @@ index 6c01261..900068e 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_t)
-@@ -492,6 +697,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -492,6 +698,14 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_exec_cifs_files(xdm_t)
  ')
  
@@ -47641,7 +47723,7 @@ index 6c01261..900068e 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -505,11 +718,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -505,11 +719,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -47663,7 +47745,7 @@ index 6c01261..900068e 100644
  ')
  
  optional_policy(`
-@@ -517,7 +740,43 @@ optional_policy(`
+@@ -517,7 +741,43 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47708,7 +47790,7 @@ index 6c01261..900068e 100644
  ')
  
  optional_policy(`
-@@ -527,6 +786,16 @@ optional_policy(`
+@@ -527,6 +787,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47725,7 +47807,7 @@ index 6c01261..900068e 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -544,28 +813,65 @@ optional_policy(`
+@@ -544,28 +814,65 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47800,7 +47882,7 @@ index 6c01261..900068e 100644
  ')
  
  optional_policy(`
-@@ -577,6 +883,14 @@ optional_policy(`
+@@ -577,6 +884,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47815,7 +47897,7 @@ index 6c01261..900068e 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -601,7 +915,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -601,7 +916,7 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -47824,7 +47906,7 @@ index 6c01261..900068e 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -615,8 +929,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -615,8 +930,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -47840,7 +47922,7 @@ index 6c01261..900068e 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -635,12 +956,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -635,12 +957,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -47862,7 +47944,7 @@ index 6c01261..900068e 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -648,6 +976,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -648,6 +977,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -47870,7 +47952,7 @@ index 6c01261..900068e 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -674,7 +1003,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -674,7 +1004,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -47878,7 +47960,7 @@ index 6c01261..900068e 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -684,11 +1012,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -684,11 +1013,17 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -47896,7 +47978,7 @@ index 6c01261..900068e 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -699,8 +1033,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -699,8 +1034,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -47910,7 +47992,7 @@ index 6c01261..900068e 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -713,8 +1052,6 @@ init_getpgid(xserver_t)
+@@ -713,8 +1053,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -47919,7 +48001,7 @@ index 6c01261..900068e 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -722,11 +1059,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -722,11 +1060,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -47934,7 +48016,7 @@ index 6c01261..900068e 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -780,16 +1118,36 @@ optional_policy(`
+@@ -780,16 +1119,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47972,7 +48054,7 @@ index 6c01261..900068e 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -798,6 +1156,10 @@ optional_policy(`
+@@ -798,6 +1157,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47983,7 +48065,7 @@ index 6c01261..900068e 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -813,10 +1175,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -813,10 +1176,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -47997,7 +48079,7 @@ index 6c01261..900068e 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -824,7 +1186,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -824,7 +1187,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -48006,7 +48088,7 @@ index 6c01261..900068e 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -837,6 +1199,9 @@ init_use_fds(xserver_t)
+@@ -837,6 +1200,9 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -48016,7 +48098,7 @@ index 6c01261..900068e 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -844,6 +1209,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -844,6 +1210,11 @@ tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_symlinks(xserver_t)
  ')
  
@@ -48028,7 +48110,7 @@ index 6c01261..900068e 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_dirs(xserver_t)
  	fs_manage_cifs_files(xserver_t)
-@@ -852,11 +1222,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -852,11 +1223,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -48045,7 +48127,7 @@ index 6c01261..900068e 100644
  ')
  
  optional_policy(`
-@@ -864,6 +1237,10 @@ optional_policy(`
+@@ -864,6 +1238,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -48056,7 +48138,7 @@ index 6c01261..900068e 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -907,7 +1284,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -907,7 +1285,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -48065,7 +48147,7 @@ index 6c01261..900068e 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -961,11 +1338,31 @@ allow x_domain self:x_resource { read write };
+@@ -961,11 +1339,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -48097,7 +48179,7 @@ index 6c01261..900068e 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -987,18 +1384,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -987,18 +1385,32 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -49718,7 +49800,7 @@ index 354ce93..4955c6b 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..3388f34 100644
+index cc83689..e83c909 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,41 @@ interface(`init_script_domain',`
@@ -49935,7 +50017,43 @@ index cc83689..3388f34 100644
  		mls_rangetrans_target($1)
  	')
  ')
-@@ -519,10 +632,30 @@ interface(`init_sigchld',`
+@@ -451,6 +564,10 @@ interface(`init_exec',`
+ 
+ 	corecmd_search_bin($1)
+ 	can_exec($1, init_exec_t)
++
++	tunable_policy(`init_systemd',`
++		systemd_exec_systemctl($1)
++	')
+ ')
+ 
+ ########################################
+@@ -509,6 +626,24 @@ interface(`init_sigchld',`
+ 
+ ########################################
+ ## <summary>
++##	Send generic signals to init.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_signal',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:process signal;
++')
++
++########################################
++## <summary>
+ ##	Connect to init with a unix socket.
+ ## </summary>
+ ## <param name="domain">
+@@ -519,10 +654,30 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
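Review bot: The new `init_signal` interface grants the full `process signal` permission on `init_t`, and with systemd as PID 1 several of those signals act as control requests (systemd(1) documents SIGTERM as re-exec, SIGINT as ctrl-alt-del and SIGHUP as reload), so the summary `##	Send generic signals to init.` understates what a caller receives. I would write it as `##	Send generic signals to init (with systemd these include reload, re-exec and ctrl-alt-del requests).` so that each future caller is granted deliberately. In the same hunk `init_exec` now also grants `systemd_exec_systemctl($1)` whenever `init_systemd` is on, which widens every existing `init_exec()` caller; the interface's `<summary>` block above the hunk should say so, e.g. `##	Execute init in the caller domain (and systemctl when init_systemd is enabled).`. The `init_exec` and `init_stream_connect` definitions start and end outside the hunk.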
@@ -49968,7 +50086,7 @@ index cc83689..3388f34 100644
  ')
  
  ########################################
-@@ -688,19 +821,24 @@ interface(`init_telinit',`
+@@ -688,19 +843,24 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -49994,7 +50112,7 @@ index cc83689..3388f34 100644
  	')
  ')
  
-@@ -773,18 +911,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +933,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -50018,7 +50136,7 @@ index cc83689..3388f34 100644
  	')
  ')
  
-@@ -800,19 +939,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,23 +961,45 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -50041,11 +50159,11 @@ index cc83689..3388f34 100644
  	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+	')
-+')
-+
-+########################################
-+## <summary>
+ 	')
+ ')
+ 
+ ########################################
+ ## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@@ -50058,13 +50176,17 @@ index cc83689..3388f34 100644
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
- 	')
++	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
- ')
- 
- ########################################
-@@ -868,9 +1029,14 @@ interface(`init_script_file_domtrans',`
++')
++
++########################################
++## <summary>
+ ##	Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
+@@ -868,9 +1051,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -50079,7 +50201,7 @@ index cc83689..3388f34 100644
  	files_search_etc($1)
  ')
  
-@@ -1079,6 +1245,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1267,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -50104,7 +50226,7 @@ index cc83689..3388f34 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1130,12 +1314,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1336,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -50118,7 +50240,7 @@ index cc83689..3388f34 100644
  ')
  
  ########################################
-@@ -1375,6 +1554,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1576,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -50146,7 +50268,7 @@ index cc83689..3388f34 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1461,6 +1661,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1683,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -50172,7 +50294,7 @@ index cc83689..3388f34 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1519,6 +1738,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1760,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -50197,7 +50319,7 @@ index cc83689..3388f34 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1674,7 +1911,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1933,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -50206,7 +50328,7 @@ index cc83689..3388f34 100644
  ')
  
  ########################################
-@@ -1715,6 +1952,74 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1974,74 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file)
  ')
  
@@ -50281,7 +50403,7 @@ index cc83689..3388f34 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2054,139 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2076,139 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -50422,7 +50544,7 @@ index cc83689..3388f34 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..9740a9f 100644
+index ea29513..0bdb8d8 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -50588,7 +50710,7 @@ index ea29513..9740a9f 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +236,119 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +236,118 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -50645,6 +50767,7 @@ index ea29513..9740a9f 100644
 +	files_relabel_all_lock_dirs(init_t)
 +
 +	fs_manage_cgroup_dirs(init_t)
++	fs_manage_cgroup_files(init_t)
 +	fs_manage_hugetlbfs_dirs(init_t)
 +	fs_manage_tmpfs_dirs(init_t)
 +	fs_relabel_tmpfs_dirs(init_t)
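Review bot: `fs_manage_cgroup_files(init_t)` is a superset of the `fs_read_cgroup_files`/`fs_write_cgroup_files` pair it replaces (the pair is dropped in the hunk ending at L1369): in refpolicy the manage pattern also covers create, unlink, rename, link and setattr on cgroup control files. The widening is not mentioned in the commit message, and nothing in the hunk records why read+write was insufficient. A one-line why-comment above the call would keep the next reviewer from narrowing it back, e.g. `# systemd needs to create and remove its own cgroup control files` if that is the cause; please confirm the denial that motivated it. The enclosing block starts and ends outside both hunks.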
@@ -50652,8 +50775,6 @@ index ea29513..9740a9f 100644
 +	fs_mount_all_fs(init_t)
 +	fs_remount_autofs(init_t)
 +	fs_list_auto_mountpoints(init_t)
-+	fs_read_cgroup_files(init_t)
-+	fs_write_cgroup_files(init_t)
 +	fs_relabel_cgroup_dirs(init_t)
 +	fs_search_cgroup_dirs(daemon)
 +
@@ -50708,7 +50829,7 @@ index ea29513..9740a9f 100644
  ')
  
  optional_policy(`
-@@ -199,10 +356,25 @@ optional_policy(`
+@@ -199,10 +355,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50734,7 +50855,7 @@ index ea29513..9740a9f 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +384,7 @@ optional_policy(`
+@@ -212,7 +383,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -50743,7 +50864,7 @@ index ea29513..9740a9f 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +413,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +412,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -50759,7 +50880,7 @@ index ea29513..9740a9f 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +433,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +432,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -50796,7 +50917,7 @@ index ea29513..9740a9f 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +466,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +465,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -50804,7 +50925,7 @@ index ea29513..9740a9f 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -291,6 +479,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +478,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -50812,7 +50933,7 @@ index ea29513..9740a9f 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +487,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +486,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -50828,7 +50949,7 @@ index ea29513..9740a9f 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +505,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +504,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -50836,7 +50957,7 @@ index ea29513..9740a9f 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +513,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +512,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -50848,7 +50969,7 @@ index ea29513..9740a9f 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +532,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +531,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -50862,7 +50983,7 @@ index ea29513..9740a9f 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +547,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +546,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -50871,7 +50992,7 @@ index ea29513..9740a9f 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +561,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +560,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -50879,7 +51000,7 @@ index ea29513..9740a9f 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +573,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +572,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -50887,7 +51008,7 @@ index ea29513..9740a9f 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +594,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +593,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -50909,7 +51030,7 @@ index ea29513..9740a9f 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +657,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +656,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -50920,7 +51041,7 @@ index ea29513..9740a9f 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +681,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +680,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -50929,7 +51050,7 @@ index ea29513..9740a9f 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +696,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +695,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -50937,7 +51058,7 @@ index ea29513..9740a9f 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -524,6 +728,23 @@ ifdef(`distro_redhat',`
+@@ -524,6 +727,23 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -50961,7 +51082,7 @@ index ea29513..9740a9f 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +752,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +751,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -50979,7 +51100,7 @@ index ea29513..9740a9f 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +777,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +776,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -51019,7 +51140,7 @@ index ea29513..9740a9f 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +822,8 @@ optional_policy(`
+@@ -561,6 +821,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -51028,7 +51149,7 @@ index ea29513..9740a9f 100644
  ')
  
  optional_policy(`
-@@ -577,6 +840,7 @@ optional_policy(`
+@@ -577,6 +839,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -51036,7 +51157,7 @@ index ea29513..9740a9f 100644
  ')
  
  optional_policy(`
-@@ -589,6 +853,11 @@ optional_policy(`
+@@ -589,6 +852,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51048,7 +51169,7 @@ index ea29513..9740a9f 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +874,13 @@ optional_policy(`
+@@ -605,9 +873,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -51062,7 +51183,7 @@ index ea29513..9740a9f 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +922,11 @@ optional_policy(`
+@@ -649,6 +921,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51074,7 +51195,7 @@ index ea29513..9740a9f 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -706,7 +984,13 @@ optional_policy(`
+@@ -706,7 +983,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51088,7 +51209,7 @@ index ea29513..9740a9f 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1013,10 @@ optional_policy(`
+@@ -729,6 +1012,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51099,7 +51220,7 @@ index ea29513..9740a9f 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1026,20 @@ optional_policy(`
+@@ -738,10 +1025,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51120,7 +51241,7 @@ index ea29513..9740a9f 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1048,10 @@ optional_policy(`
+@@ -750,6 +1047,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51131,7 +51252,7 @@ index ea29513..9740a9f 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1073,6 @@ optional_policy(`
+@@ -771,8 +1072,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -51140,7 +51261,7 @@ index ea29513..9740a9f 100644
  ')
  
  optional_policy(`
-@@ -781,14 +1081,21 @@ optional_policy(`
+@@ -781,14 +1080,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51162,7 +51283,7 @@ index ea29513..9740a9f 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1107,6 @@ optional_policy(`
+@@ -800,7 +1106,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51170,7 +51291,7 @@ index ea29513..9740a9f 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -810,11 +1116,19 @@ optional_policy(`
+@@ -810,11 +1115,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51191,7 +51312,7 @@ index ea29513..9740a9f 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1138,25 @@ optional_policy(`
+@@ -824,6 +1137,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -51217,7 +51338,7 @@ index ea29513..9740a9f 100644
  ')
  
  optional_policy(`
-@@ -849,3 +1182,42 @@ optional_policy(`
+@@ -849,3 +1181,42 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -57475,7 +57596,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..359a84b 100644
+index 28b88de..791d89f 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -59071,6 +59192,15 @@ index 28b88de..359a84b 100644
  
  ########################################
  ## <summary>
+@@ -2008,7 +2410,7 @@ interface(`userdom_user_home_dir_filetrans',`
+ 		type user_home_dir_t;
+ 	')
+ 
+-	filetrans_pattern($1, user_home_dir_t, $2, $3)
++	filetrans_pattern($1, user_home_dir_t, $2, $3, $4)
+ 	files_search_home($1)
+ ')
+ 
 @@ -2182,7 +2584,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
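Review bot: `userdom_user_home_dir_filetrans` now passes `$4` through to `filetrans_pattern`, making the interface a named file transition, but its XML parameter documentation (above the hunk) still describes only the original three parameters; add a `## <param name="filename" optional="true">` block with a summary such as `##	The name of the object being created.`. The same applies to the `admin_home_t` variant in the hunk ending at L1718. Existing three-argument callers will leave `$4` empty, so this relies on `filetrans_pattern` accepting an empty trailing name argument — refpolicy's definition does, but it is worth confirming against the support macros this patch ships with. The interface definition starts above the hunk.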
@@ -59721,7 +59851,7 @@ index 28b88de..359a84b 100644
 +		type admin_home_t;
 +	')
 +
-+	filetrans_pattern($1, admin_home_t, $2, $3)
++	filetrans_pattern($1, admin_home_t, $2, $3, $4)
 +')
 +
 +########################################
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 20e6ab4..5769271 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,12 @@ exit 0
 %endif
 
 %changelog
+* Fri Apr 15 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-15
+- xdm_t needs getsession for switch user 
+- Every app that used to exec init is now execing systemdctl 
+- Allow squid to manage krb5_host_rcache_t files 
+- Allow foghorn to connect to agentx port - Fixes for colord policy
+
 * Mon Apr 11 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-14
 - Add Dan's patch to remove 64 bit variants
 - Allow colord to use unix_dgram_socket 

