[selinux-policy/f16] - Add sblim, uuidd policies - Allow kernel_t dyntrasition to init_t

Miroslav Grepl mgrepl at fedoraproject.org
Mon Aug 1 21:22:53 UTC 2011


commit e6657a2595fcc257a437317f6363b3a43b8d1408
Author: Miroslav <mgrepl at redhat.com>
Date:   Mon Aug 1 23:22:34 2011 +0200

    - Add sblim, uuidd policies
    - Allow kernel_t dyntransition to init_t

 modules-targeted.conf |    7 +
 policy-F16.patch      |  846 +++++++++++++++++++++++++++++++++++++++++--------
 selinux-policy.spec   |    6 +-
 3 files changed, 728 insertions(+), 131 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 770508a..e3b5d24 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2437,3 +2437,10 @@ ctdbd = module
 # fcoemon
 #
 fcoemon = module
+
+# Layer: services
+# Module: sblim
+#
+# sblim
+#
+sblim = module
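Review bot: Only `sblim = module` is added here, although the commit message also announces a uuidd policy and the policy patch adds `uuidd.fc` and `uuidd.if`. If uuidd is not already listed elsewhere in modules-targeted.conf (not visible in this hunk), it needs its own stanza ending in `uuidd = module`, otherwise the new module may not be built into the targeted policy. The bare `# sblim` description line could also say what the module confines, e.g. `# SBLIM Gatherer (gatherd, reposd)`.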
diff --git a/policy-F16.patch b/policy-F16.patch
index bc64861..31d23df 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -6147,7 +6147,7 @@ index 4f9dc90..8dc8a5f 100644
 +	relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
  ')
 diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
-index 66beb80..702a727 100644
+index 66beb80..b69a628 100644
 --- a/policy/modules/apps/irc.te
 +++ b/policy/modules/apps/irc.te
 @@ -24,6 +24,30 @@ userdom_user_home_content(irc_tmp_t)
@@ -6190,7 +6190,7 @@ index 66beb80..702a727 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(irc_t)
-@@ -101,3 +125,73 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -101,3 +125,78 @@ tunable_policy(`use_samba_home_dirs',`
  optional_policy(`
  	nis_use_ypbind(irc_t)
  ')
@@ -6221,6 +6221,11 @@ index 66beb80..702a727 100644
 +corenet_tcp_sendrecv_ircd_port(irssi_t)
 +corenet_sendrecv_ircd_client_packets(irssi_t)
 +
++# tcp:7000 is often used for SSL irc
++corenet_tcp_connect_gatekeeper_port(irssi_t)
++corenet_tcp_sendrecv_gatekeeper_port(irssi_t)
++corenet_sendrecv_gatekeeper_client_packets(irssi_t)
++
 +# Privoxy
 +corenet_tcp_connect_http_cache_port(irssi_t)
 +corenet_tcp_sendrecv_http_cache_port(irssi_t)
@@ -11876,7 +11881,7 @@ index 4f3b542..5a41e58 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..7345e5f 100644
+index 99b71cb..68a36f8 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,14 @@ attribute netif_type;
@@ -11921,7 +11926,19 @@ index 99b71cb..7345e5f 100644
  type client_packet_t, packet_type, client_packet_type;
  
  #
-@@ -65,22 +81,26 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+@@ -50,6 +66,11 @@ type port_t, port_type;
+ sid port gen_context(system_u:object_r:port_t,s0)
+ 
+ #
++# port_t is the default type of INET port numbers.
++#
++type unreserved_port_t, unreserved_port_type;
++
++#
+ # reserved_port_t is the type of INET port numbers below 1024.
+ #
+ type reserved_port_t, port_type, reserved_port_type;
+@@ -65,22 +86,26 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
  type server_packet_t, packet_type, server_packet_type;
  
  network_port(afs_bos, udp,7007,s0)
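Review bot: The comment added above `type unreserved_port_t, unreserved_port_type;` is a copy of the `port_t` comment and describes the wrong type; something like `# unreserved_port_t is the default type of INET port numbers above 1023.` would match the `reserved_port_t` comment that follows it. The declaration also omits the `port_type` attribute that the neighbouring `reserved_port_t` and `hi_reserved_port_t` declarations carry, so rules written against `port_type` would presumably not cover ports that fall back to this type. If that is unintended, declare it as `type unreserved_port_t, port_type, unreserved_port_type;`.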
@@ -11949,7 +11966,7 @@ index 99b71cb..7345e5f 100644
  type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
  network_port(certmaster, tcp,51235,s0)
  network_port(chronyd, udp,323,s0)
-@@ -88,7 +108,9 @@ network_port(clamd, tcp,3310,s0)
+@@ -88,7 +113,9 @@ network_port(clamd, tcp,3310,s0)
  network_port(clockspeed, udp,4041,s0)
  network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
  network_port(cobbler, tcp,25151,s0)
@@ -11959,7 +11976,7 @@ index 99b71cb..7345e5f 100644
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
  network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -99,9 +121,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -99,9 +126,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
@@ -11974,7 +11991,7 @@ index 99b71cb..7345e5f 100644
  network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -129,20 +156,25 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +161,25 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -12003,7 +12020,7 @@ index 99b71cb..7345e5f 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -155,13 +187,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
+@@ -155,13 +192,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
  network_port(nmbd, udp,137,s0, udp,138,s0)
  network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
  network_port(ntp, udp,123,s0)
@@ -12017,7 +12034,7 @@ index 99b71cb..7345e5f 100644
  network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
  network_port(pingd, tcp,9125,s0)
 +network_port(piranha, tcp,3636,s0)
-+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0)
++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9946, s0)
 +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0)
 +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)
 +network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0)
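Review bot: The new `pki_ca` entry replaces `tcp, 9444` and `tcp, 9445` with `tcp, 9946`, which breaks the x443/x444/x445 pattern that the `pki_kra`, `pki_ocsp` and `pki_tks` lines still follow. Please confirm that 9946 is the intended port and not a typo for a 94xx value, and that the CA no longer uses 9444 and 9445. A port left out of this list falls back to a generic port type, so a confined CA process would likely be denied on it.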
@@ -12026,7 +12043,12 @@ index 99b71cb..7345e5f 100644
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
-@@ -183,25 +223,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -179,29 +224,34 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+ network_port(radius, udp,1645,s0, udp,1812,s0)
+ network_port(radsec, tcp,2083,s0)
+ network_port(razor, tcp,2703,s0)
++network_port(repository, tcp, 6363, s0)
+ network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -12059,7 +12081,7 @@ index 99b71cb..7345e5f 100644
  network_port(syslogd, udp,514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
-@@ -215,7 +259,7 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,7 +265,7 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -12068,7 +12090,7 @@ index 99b71cb..7345e5f 100644
  network_port(wccp, udp,2048,s0)
  network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
-@@ -229,6 +273,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +279,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -12076,7 +12098,16 @@ index 99b71cb..7345e5f 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -282,9 +327,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -238,6 +289,8 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+ portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+ portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+ portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
++portcon udp 1024-65536 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon tcp 1024-65536 gen_context(system_u:object_r:unreserved_port_t, s0)
+ 
+ ########################################
+ #
+@@ -282,9 +335,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
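Review bot: Both added `portcon` lines use the range `1024-65536`, but the highest TCP/UDP port number is 65535, so the upper bound is out of range. Use `portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)` and the same bound on the tcp line. Because earlier portcon entries take precedence (as the comment above the reserved-port defaults says), these catch-all lines must stay after every `network_port()` declaration.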
@@ -13651,7 +13682,7 @@ index fae1ab1..da927bb 100644
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 +
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c19518a..ba08cfe 100644
+index c19518a..b630279c 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -13662,7 +13693,12 @@ index c19518a..ba08cfe 100644
  ')
  
  ifdef(`distro_suse',`
-@@ -57,6 +58,13 @@ ifdef(`distro_suse',`
+@@ -53,10 +54,18 @@ ifdef(`distro_suse',`
+ /etc/ioctl\.save	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/killpower		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
++/etc/machine-id		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/mtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/mtab\.fuselock	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -13676,7 +13712,7 @@ index c19518a..ba08cfe 100644
  
  /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
  
-@@ -68,7 +76,10 @@ ifdef(`distro_suse',`
+@@ -68,7 +77,10 @@ ifdef(`distro_suse',`
  
  /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -13688,7 +13724,7 @@ index c19518a..ba08cfe 100644
  
  ifdef(`distro_gentoo', `
  /etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -102,10 +113,9 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -102,10 +114,9 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /initrd			-d	gen_context(system_u:object_r:root_t,s0)
  
  #
@@ -13700,7 +13736,7 @@ index c19518a..ba08cfe 100644
  
  #
  # /lost+found
-@@ -146,7 +156,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -146,7 +157,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /opt			-d	gen_context(system_u:object_r:usr_t,s0)
  /opt/.*				gen_context(system_u:object_r:usr_t,s0)
  
@@ -13709,7 +13745,7 @@ index c19518a..ba08cfe 100644
  
  #
  # /proc
-@@ -154,6 +164,12 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -154,6 +165,12 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /proc			-d	<<none>>
  /proc/.*			<<none>>
  
@@ -13722,7 +13758,7 @@ index c19518a..ba08cfe 100644
  #
  # /run
  #
-@@ -214,7 +230,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -214,7 +231,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
  
  ifndef(`distro_redhat',`
  /usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
@@ -13730,7 +13766,7 @@ index c19518a..ba08cfe 100644
  /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  ')
-@@ -230,17 +245,20 @@ ifndef(`distro_redhat',`
+@@ -230,17 +246,20 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -13752,14 +13788,14 @@ index c19518a..ba08cfe 100644
  /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*\.*pid		<<none>>
  
-@@ -257,3 +275,5 @@ ifndef(`distro_redhat',`
+@@ -257,3 +276,5 @@ ifndef(`distro_redhat',`
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  ')
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..a049775 100644
+index ff006ea..367d234 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -14713,7 +14749,7 @@ index ff006ea..a049775 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5832,6 +6344,44 @@ interface(`files_read_all_pids',`
+@@ -5832,6 +6344,62 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -14740,6 +14776,24 @@ index ff006ea..a049775 100644
 +
 +########################################
 +## <summary>
++##	Execute generic programs in /var/run in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_exec_generic_pid_files',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	exec_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++## <summary>
 +##	manage all pidfiles 
 +##	in the /var/run directory.
 +## </summary>
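Review bot: `files_exec_generic_pid_files` lets the caller execute any file labelled `var_run_t`, i.e. generic content under /var/run, which is populated at runtime rather than installed from packages. No caller is visible in this hunk, so it is unclear which domain needs it; a dedicated type for the one executable would avoid making every generic /var/run file executable for that domain. At minimum the summary should state why execution from /var/run is required. The interface name says `pid_files` while the summary says "programs", which should be reconciled.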
@@ -14758,7 +14812,7 @@ index ff006ea..a049775 100644
  ')
  
  ########################################
-@@ -5900,6 +6450,90 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5900,6 +6468,90 @@ interface(`files_delete_all_pid_dirs',`
  
  ########################################
  ## <summary>
@@ -14849,7 +14903,7 @@ index ff006ea..a049775 100644
  ##	Search the contents of generic spool
  ##	directories (/var/spool).
  ## </summary>
-@@ -6042,7 +6676,7 @@ interface(`files_spool_filetrans',`
+@@ -6042,7 +6694,7 @@ interface(`files_spool_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -14858,7 +14912,7 @@ index ff006ea..a049775 100644
  ')
  
  ########################################
-@@ -6117,3 +6751,284 @@ interface(`files_unconfined',`
+@@ -6117,3 +6769,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -15941,7 +15995,7 @@ index 6346378..edbe041 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index d91c62f..2860a62 100644
+index d91c62f..9740613 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -15981,7 +16035,7 @@ index d91c62f..2860a62 100644
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -269,19 +276,40 @@ files_list_root(kernel_t)
+@@ -269,25 +276,47 @@ files_list_root(kernel_t)
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -16022,7 +16076,14 @@ index d91c62f..2860a62 100644
  optional_policy(`
  	hotplug_search_config(kernel_t)
  ')
-@@ -297,6 +325,19 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	init_sigchld(kernel_t)
++	init_dyntrans(kernel_t)
+ ')
+ 
+ optional_policy(`
+@@ -297,6 +326,19 @@ optional_policy(`
  
  optional_policy(`
  	logging_send_syslog_msg(kernel_t)
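Review bot: `init_dyntrans(kernel_t)` is added to the existing `init_sigchld` optional block without a comment. Per the commit message it lets `kernel_t` dynamically transition to `init_t`, meaning a running process changes its own context without executing a labelled entrypoint. That is a sensitive grant for `kernel_t`, so the reason should be recorded next to it, e.g. `# <early-boot component that needs to switch to init_t>` filled in by the author. The body of `init_dyntrans` is not on this page, so the exact permissions it grants cannot be checked here.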
@@ -16042,7 +16103,7 @@ index d91c62f..2860a62 100644
  ')
  
  optional_policy(`
-@@ -334,9 +375,7 @@ optional_policy(`
+@@ -334,9 +376,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -16053,7 +16114,7 @@ index d91c62f..2860a62 100644
  	')
  
  	tunable_policy(`nfs_export_all_rw',`
-@@ -345,7 +384,7 @@ optional_policy(`
+@@ -345,7 +385,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -16062,7 +16123,7 @@ index d91c62f..2860a62 100644
  	')
  ')
  
-@@ -358,6 +397,15 @@ optional_policy(`
+@@ -358,6 +398,15 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -23155,7 +23216,7 @@ index 0197980..f8bce2c 100644
 +/var/run/bitlbee\.pid	--	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
 +/var/run/bitlbee\.sock	-s	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
 diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
-index f4e7ad3..68aebc4 100644
+index f4e7ad3..2faf42a 100644
 --- a/policy/modules/services/bitlbee.te
 +++ b/policy/modules/services/bitlbee.te
 @@ -22,29 +22,40 @@ files_tmp_file(bitlbee_tmp_t)
@@ -23172,7 +23233,7 @@ index f4e7ad3..68aebc4 100644
  
 -allow bitlbee_t self:capability { setgid setuid };
 -allow bitlbee_t self:process signal;
-+allow bitlbee_t self:capability { setgid setuid sys_nice };
++allow bitlbee_t self:capability { dac_override setgid setuid sys_nice };
 +allow bitlbee_t self:process { setsched signal };
 +
 +allow bitlbee_t self:fifo_file rw_fifo_file_perms;
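Review bot: `dac_override` is added to the `bitlbee_t` capability set with no comment on what triggers it. The capability lets the daemon bypass file permission checks, and a denial for it often points to wrong ownership or mode on the daemon's own files rather than a real need. Please record the denied path in a comment, or fix the ownership and drop the capability. If the access turns out to be harmless, `dontaudit bitlbee_t self:capability dac_override;` is the narrower answer.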
@@ -23211,6 +23272,16 @@ index f4e7ad3..68aebc4 100644
  # Allow bitlbee to connect to jabber servers
  corenet_tcp_connect_jabber_client_port(bitlbee_t)
  corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
+@@ -69,6 +81,9 @@ corenet_tcp_connect_http_port(bitlbee_t)
+ corenet_tcp_sendrecv_http_port(bitlbee_t)
+ corenet_tcp_connect_http_cache_port(bitlbee_t)
+ corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
++corenet_tcp_bind_ircd_port(bitlbee_t)
++corenet_tcp_sendrecv_ircd_port(bitlbee_t)
++corenet_sendrecv_ircd_server_packets(bitlbee_t)
+ 
+ dev_read_rand(bitlbee_t)
+ dev_read_urand(bitlbee_t)
 diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
 index 3e45431..4aa8fb1 100644
 --- a/policy/modules/services/bluetooth.if
@@ -27476,24 +27547,27 @@ index f7583ab..3c9cf5a 100644
  
 diff --git a/policy/modules/services/ctdbd.fc b/policy/modules/services/ctdbd.fc
 new file mode 100644
-index 0000000..e490a2a
+index 0000000..2db6b61
 --- /dev/null
 +++ b/policy/modules/services/ctdbd.fc
-@@ -0,0 +1,15 @@
+@@ -0,0 +1,18 @@
 +
 +/etc/rc\.d/init\.d/ctdb	--	gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
 +
-+/var/log/log.ctdb		gen_context(system_u:object_r:ctdbd_log_t,s0)
++/etc/ctdb(/.*)?				gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
++
++/usr/sbin/ctdbd			--	gen_context(system_u:object_r:ctdbd_exec_t,s0)
++
++/var/log/log\.ctdb		--	gen_context(system_u:object_r:ctdbd_log_t,s0)
 +
 +/var/spool/ctdb(/.*)?		gen_context(system_u:object_r:ctdbd_spool_t,s0)
 +
 +/var/run/ctdbd(/.*)?		gen_context(system_u:object_r:ctdbd_var_run_t,s0)
 +
-+/usr/sbin/ctdbd		--	gen_context(system_u:object_r:ctdbd_exec_t,s0)
 +
 +/var/ctdbd(/.*)?		gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
-+/var/ctdb(/.*)?        gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
-+/var/lib/ctdbd(/.*)?		gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
++/var/ctdb(/.*)?			gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
++/var/lib/ctdbd(/.*)?	gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
 +
 diff --git a/policy/modules/services/ctdbd.if b/policy/modules/services/ctdbd.if
 new file mode 100644
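Review bot: `/etc/ctdb(/.*)?` is labelled `ctdbd_var_lib_t`, the same type as the state directories under /var, so any domain given access to ctdbd's lib files gets the same access to ctdbd's configuration. Later in this patch `ctdbd_manage_lib_files(smbd_t)` is added in samba.te, which presumably gives `smbd_t` write access to everything under /etc/ctdb (the interface body is not shown here). If only specific runtime files under /etc/ctdb must be writable, label just those with `ctdbd_var_lib_t` and give the rest of the directory a read-only configuration type.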
@@ -27758,7 +27832,7 @@ index 0000000..9146ef1
 +
 diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te
 new file mode 100644
-index 0000000..5e2a4bd
+index 0000000..579e420
 --- /dev/null
 +++ b/policy/modules/services/ctdbd.te
 @@ -0,0 +1,114 @@
@@ -27835,11 +27909,13 @@ index 0000000..5e2a4bd
 +kernel_read_system_state(ctdbd_t)
 +
 +corenet_tcp_bind_generic_node(ctdbd_t)
++corenet_tcp_bind_ctdb_port(ctdbd_t)
 +
 +corecmd_exec_bin(ctdbd_t)
 +corecmd_exec_shell(ctdbd_t)
 +
 +dev_read_sysfs(ctdbd_t)
++dev_read_urand(ctdbd_t)
 +
 +domain_use_interactive_fds(ctdbd_t)
 +domain_dontaudit_read_all_domains_state(ctdbd_t)
@@ -27852,8 +27928,6 @@ index 0000000..5e2a4bd
 +miscfiles_read_localization(ctdbd_t)
 +miscfiles_read_public_files(ctdbd_t)
 +
-+#corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t)
-+#corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t)
 +
 +optional_policy(`
 +	consoletype_exec(ctdbd_t)
@@ -27870,7 +27944,7 @@ index 0000000..5e2a4bd
 +optional_policy(`
 +	samba_initrc_domtrans(ctdbd_t)
 +	samba_domtrans_net(ctdbd_t)
-+	samba_read_var_files(ctdbd_t)
++	samba_rw_var_files(ctdbd_t)
 +')
 +
 +optional_policy(`
@@ -36210,10 +36284,10 @@ index 0000000..e2cda9b
 +
 diff --git a/policy/modules/services/lldpad.te b/policy/modules/services/lldpad.te
 new file mode 100644
-index 0000000..1c74e98
+index 0000000..b5ba929
 --- /dev/null
 +++ b/policy/modules/services/lldpad.te
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,70 @@
 +policy_module(lldpad, 1.0.0)
 +
 +########################################
@@ -36279,6 +36353,8 @@ index 0000000..1c74e98
 +
 +miscfiles_read_localization(lldpad_t)
 +
++userdom_dgram_send(lldpad_t)
++
 +optional_policy(`
 +	fcoemon_dgram_send(lldpad_t)
 +')
@@ -48314,7 +48390,7 @@ index 82cb169..9e72970 100644
 +	admin_pattern($1, samba_unconfined_script_exec_t)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..a23112b 100644
+index e30bb63..2977339 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -48411,17 +48487,18 @@ index e30bb63..a23112b 100644
  ')
  
  # Support Samba sharing of NFS mount points
-@@ -410,6 +407,9 @@ tunable_policy(`samba_share_fusefs',`
+@@ -410,6 +407,10 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
 +optional_policy(`
 +	ctdbd_stream_connect(smbd_t)
++	ctdbd_manage_lib_files(smbd_t)
 +')
  
  optional_policy(`
  	cups_read_rw_config(smbd_t)
-@@ -445,26 +445,25 @@ optional_policy(`
+@@ -445,26 +446,25 @@ optional_policy(`
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -48455,7 +48532,7 @@ index e30bb63..a23112b 100644
  ########################################
  #
  # nmbd Local policy
-@@ -484,8 +483,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +484,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
@@ -48466,7 +48543,7 @@ index e30bb63..a23112b 100644
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -560,13 +560,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
+@@ -560,13 +561,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
  allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
  
  allow smbcontrol_t nmbd_t:process { signal signull };
@@ -48484,7 +48561,7 @@ index e30bb63..a23112b 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -578,7 +578,7 @@ files_read_etc_files(smbcontrol_t)
+@@ -578,7 +579,7 @@ files_read_etc_files(smbcontrol_t)
  
  miscfiles_read_localization(smbcontrol_t)
  
@@ -48493,7 +48570,7 @@ index e30bb63..a23112b 100644
  
  ########################################
  #
-@@ -644,19 +644,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +645,21 @@ auth_use_nsswitch(smbmount_t)
  
  miscfiles_read_localization(smbmount_t)
  
@@ -48518,7 +48595,7 @@ index e30bb63..a23112b 100644
  ########################################
  #
  # SWAT Local policy
-@@ -677,7 +679,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +680,7 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -48527,7 +48604,7 @@ index e30bb63..a23112b 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -692,12 +694,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +695,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -48542,7 +48619,7 @@ index e30bb63..a23112b 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +714,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +715,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -48550,7 +48627,7 @@ index e30bb63..a23112b 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -754,6 +759,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +760,8 @@ logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
  
@@ -48559,7 +48636,7 @@ index e30bb63..a23112b 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -806,15 +813,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +814,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -48581,7 +48658,7 @@ index e30bb63..a23112b 100644
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
  
-@@ -833,6 +841,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +842,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -48589,7 +48666,7 @@ index e30bb63..a23112b 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -904,7 +913,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +914,7 @@ logging_send_syslog_msg(winbind_helper_t)
  
  miscfiles_read_localization(winbind_helper_t) 
  
@@ -48598,7 +48675,7 @@ index e30bb63..a23112b 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -922,6 +931,18 @@ optional_policy(`
+@@ -922,6 +932,18 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -48617,7 +48694,7 @@ index e30bb63..a23112b 100644
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -932,9 +953,12 @@ optional_policy(`
+@@ -932,9 +954,12 @@ optional_policy(`
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -48776,10 +48853,10 @@ index 0000000..486d53d
 +')
 diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
 new file mode 100644
-index 0000000..f050bc5
+index 0000000..dae577a
 --- /dev/null
 +++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,65 @@
 +policy_module(sanlock,1.0.0)
 +
 +########################################
@@ -48820,12 +48897,16 @@ index 0000000..f050bc5
 +manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
 +files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
 +
++kernel_read_system_state(sanlock_t)
++
 +domain_use_interactive_fds(sanlock_t)
 +
 +files_read_etc_files(sanlock_t)
 +
 +storage_raw_rw_fixed_disk(sanlock_t)
 +
++dev_read_urand(sanlock_t)
++
 +logging_send_syslog_msg(sanlock_t)
 +
 +init_read_utmp(sanlock_t)
@@ -48915,6 +48996,205 @@ index cfc60dd..53a9d2d 100644
  ')
  
  optional_policy(`
+diff --git a/policy/modules/services/sblim.fc b/policy/modules/services/sblim.fc
+new file mode 100644
+index 0000000..d5c3c3f
+--- /dev/null
++++ b/policy/modules/services/sblim.fc
+@@ -0,0 +1,6 @@
++
++/usr/sbin/gatherd		--	gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
++
++/usr/sbin/reposd		--	gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
++
++/var/run/gather(/.*)?		gen_context(system_u:object_r:sblim_var_run_t,s0)
+diff --git a/policy/modules/services/sblim.if b/policy/modules/services/sblim.if
+new file mode 100644
+index 0000000..8aef188
+--- /dev/null
++++ b/policy/modules/services/sblim.if
+@@ -0,0 +1,78 @@
++
++## <summary> policy for SBLIM Gatherer </summary>
++
++########################################
++## <summary>
++##	Transition to gatherd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`sblim_gatherd_domtrans',`
++	gen_require(`
++		type sblim_gatherd_t, sblim_gatherd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, sblim_gatherd_exec_t, sblim_gatherd_t)
++')
++
++
++########################################
++## <summary>
++##	Read gatherd PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sblim_read_pid_files',`
++	gen_require(`
++		type sblim_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 gatherd_var_run_t:file read_file_perms;
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an gatherd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`sblim_admin',`
++	gen_require(`
++		type sblim_gatherd_t;
++		type sblim_reposd_t;
++		type sblim_var_run_t;
++	')
++
++	allow $1 sblim_gatherd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, sblim_gatherd_t)
++
++	allow $1 sblim_reposd_t:process { ptrace signal_perms };
++    ps_process_pattern($1, sblim_reposd_t)
++
++	files_search_pids($1)
++	admin_pattern($1, sblim_var_run_t)
++
++')
++
+diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te
+new file mode 100644
+index 0000000..3ced316
+--- /dev/null
++++ b/policy/modules/services/sblim.te
+@@ -0,0 +1,97 @@
++policy_module(sblim, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute sblim_domain;
++
++type sblim_gatherd_t, sblim_domain;
++type sblim_gatherd_exec_t;
++init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t)
++
++permissive sblim_gatherd_t;
++
++type sblim_reposd_t, sblim_domain;
++type sblim_reposd_exec_t;
++init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
++
++permissive sblim_gatherd_t;
++
++type sblim_var_run_t;
++files_pid_file(sblim_var_run_t)
++
++########################################
++#
++# sblim_gatherd local policy
++#
++
++#needed by ps
++allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override };
++
++allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
++allow sblim_gatherd_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_fs_sysctls(sblim_gatherd_t)
++kernel_read_kernel_sysctls(sblim_gatherd_t)
++
++corecmd_exec_bin(sblim_gatherd_t)
++corecmd_exec_shell(sblim_gatherd_t)
++
++corenet_tcp_connect_repository_port(sblim_gatherd_t)
++
++domain_read_all_domains_state(sblim_gatherd_t)
++
++fs_getattr_all_fs(sblim_gatherd_t)
++
++term_getattr_pty_fs(sblim_gatherd_t)
++
++init_read_utmp(sblim_gatherd_t)
++
++userdom_signull_unpriv_users(sblim_gatherd_t)
++
++optional_policy(`
++    sysnet_dns_name_resolve(sblim_gatherd_t)
++')
++
++optional_policy(`
++	virt_stream_connect(sblim_gatherd_t)
++')
++
++optional_policy(`
++    xen_stream_connect(sblim_gatherd_t)
++    xen_stream_connect_xenstore(sblim_gatherd_t)
++')
++
++#######################################
++#
++# sblim_reposd local policy
++#
++
++domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t)
++
++corenet_tcp_bind_all_nodes(sblim_reposd_t)
++corenet_tcp_bind_repository_port(sblim_reposd_t)
++
++######################################
++#
++# sblim_domain local policy
++#
++
++allow sblim_domain self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
++manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
++manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
++
++kernel_read_network_state(sblim_domain)
++kernel_read_system_state(sblim_domain)
++
++dev_read_sysfs(sblim_domain)
++
++logging_send_syslog_msg(sblim_domain)
++
++files_read_etc_files(sblim_domain)
++
++miscfiles_read_localization(sblim_domain)
 diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc
 index a86ec50..ef4199b 100644
 --- a/policy/modules/services/sendmail.fc
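Review bot: In sblim.if, `sblim_read_pid_files` requires `sblim_var_run_t` but its rule is `allow $1 gatherd_var_run_t:file read_file_perms;`; no `gatherd_var_run_t` is declared in sblim.te, so the line should read `allow $1 sblim_var_run_t:file read_file_perms;`. In sblim.te `permissive sblim_gatherd_t;` appears twice, the second time directly after the `sblim_reposd_t` declaration, where `permissive sblim_reposd_t;` was presumably meant; as written reposd is not permissive. sblim.fc labels `/var/run/gather(/.*)?`, but sblim.te has no `files_pid_filetrans` for `sblim_var_run_t`, so content the daemons create there at runtime may not receive that label. The `#needed by ps` comment explains `sys_ptrace` but not `kill` or `dac_override`; each of those should carry its own justification.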
@@ -51988,6 +52268,270 @@ index d4349e9..f14d337 100644
 -	nscd_socket_use(uux_t)
 +	postfix_rw_master_pipes(uux_t)
  ')
+diff --git a/policy/modules/services/uuidd.fc b/policy/modules/services/uuidd.fc
+new file mode 100644
+index 0000000..c184667
+--- /dev/null
++++ b/policy/modules/services/uuidd.fc
+@@ -0,0 +1,9 @@
++
++/etc/rc\.d/init\.d/uuidd	--	gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
++
++
++/usr/sbin/uuidd		--	gen_context(system_u:object_r:uuidd_exec_t,s0)
++
++/var/lib/libuuid(/.*)?		gen_context(system_u:object_r:uuidd_var_lib_t,s0)
++
++/var/run/uuidd(/.*)?		gen_context(system_u:object_r:uuidd_var_run_t,s0)
+diff --git a/policy/modules/services/uuidd.if b/policy/modules/services/uuidd.if
+new file mode 100644
+index 0000000..5a2fd4c
+--- /dev/null
++++ b/policy/modules/services/uuidd.if
+@@ -0,0 +1,193 @@
++## <summary>policy for uuidd</summary>
++
++########################################
++## <summary>
++##	Transition to uuidd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`uuidd_domtrans',`
++	gen_require(`
++		type uuidd_t, uuidd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, uuidd_exec_t, uuidd_t)
++')
++
++########################################
++## <summary>
++##	Execute uuidd server in the uuidd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`uuidd_initrc_domtrans',`
++	gen_require(`
++		type uuidd_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, uuidd_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	Search uuidd lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`uuidd_search_lib',`
++	gen_require(`
++		type uuidd_var_lib_t;
++	')
++
++	allow $1 uuidd_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read uuidd lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`uuidd_read_lib_files',`
++	gen_require(`
++		type uuidd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage uuidd lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`uuidd_manage_lib_files',`
++	gen_require(`
++		type uuidd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage uuidd lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`uuidd_manage_lib_dirs',`
++	gen_require(`
++		type uuidd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
++')
++
++
++########################################
++## <summary>
++##	Read uuidd PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`uuidd_read_pid_files',`
++	gen_require(`
++		type uuidd_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 uuidd_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Connect to uuidd over an unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`uuidd_stream_connect_manager',`
++	gen_require(`
++		type uuidd_t, uuidd_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an uuidd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`uuidd_admin',`
++	gen_require(`
++		type uuidd_t;
++	type uuidd_initrc_exec_t;
++	type uuidd_var_lib_t;
++	type uuidd_var_run_t;
++	')
++
++	allow $1 uuidd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, uuidd_t)
++
++	uuidd_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 uuidd_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_search_var_lib($1)
++	admin_pattern($1, uuidd_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, uuidd_var_run_t)
++')
+diff --git a/policy/modules/services/uuidd.te b/policy/modules/services/uuidd.te
+new file mode 100644
+index 0000000..1adb81a
+--- /dev/null
++++ b/policy/modules/services/uuidd.te
+@@ -0,0 +1,44 @@
++policy_module(uuidd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type uuidd_t;
++type uuidd_exec_t;
++init_daemon_domain(uuidd_t, uuidd_exec_t)
++
++permissive uuidd_t;
++
++type uuidd_initrc_exec_t;
++init_script_file(uuidd_initrc_exec_t)
++
++type uuidd_var_lib_t;
++files_type(uuidd_var_lib_t)
++
++type uuidd_var_run_t;
++files_pid_file(uuidd_var_run_t)
++
++########################################
++#
++# uuidd local policy
++#
++allow uuidd_t self:capability { kill setuid };
++allow uuidd_t self:process { signal };
++
++allow uuidd_t self:fifo_file rw_fifo_file_perms;
++allow uuidd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t)
++manage_files_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t)
++
++manage_dirs_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
++manage_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
++manage_sock_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
++
++domain_use_interactive_fds(uuidd_t)
++
++files_read_etc_files(uuidd_t)
++
++miscfiles_read_localization(uuidd_t)
 diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
 index f9310f3..064171e 100644
 --- a/policy/modules/services/varnishd.te
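Review bot: uuidd.te gives uuidd_t manage access to uuidd_var_run_t and uuidd_var_lib_t but declares no type transition. Anything the daemon creates itself directly under /var/run or /var/lib would therefore keep the parent directory's generic label, and the `uuidd_stream_connect_manager` and `uuidd_read_pid_files` interfaces would not match it. If the daemon, rather than the package or init script, creates /var/run/uuidd, add `files_pid_filetrans(uuidd_t, uuidd_var_run_t, { dir file sock_file })` after the manage_*_pattern lines; who creates the directory is not visible here. Separately, `permissive uuidd_t;` means these rules only log denials for now, so a comment such as `# permissive until AVCs are reviewed; remove before enforcing` would keep it from being forgotten.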
@@ -52802,7 +53346,7 @@ index 7c5d8d8..4feaf88 100644
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
  ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..5a0c2ce 100644
+index 3eca020..e18ede2 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0)
@@ -52977,7 +53521,12 @@ index 3eca020..5a0c2ce 100644
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -133,6 +170,8 @@ dev_list_sysfs(svirt_t)
+@@ -130,9 +167,13 @@ corenet_tcp_connect_all_ports(svirt_t)
+ 
+ dev_list_sysfs(svirt_t)
+ 
++fs_getattr_xattr_fs(svirt_t)
++
  userdom_search_user_home_content(svirt_t)
  userdom_read_user_home_content_symlinks(svirt_t)
  userdom_read_all_users_state(svirt_t)
@@ -52986,7 +53535,7 @@ index 3eca020..5a0c2ce 100644
  
  tunable_policy(`virt_use_comm',`
  	term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +186,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +188,15 @@ tunable_policy(`virt_use_fusefs',`
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
@@ -53002,7 +53551,7 @@ index 3eca020..5a0c2ce 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +203,22 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +205,22 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -53025,7 +53574,7 @@ index 3eca020..5a0c2ce 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -174,21 +228,35 @@ optional_policy(`
+@@ -174,21 +230,35 @@ optional_policy(`
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -53066,7 +53615,7 @@ index 3eca020..5a0c2ce 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +268,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +270,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -53084,7 +53633,7 @@ index 3eca020..5a0c2ce 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +292,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +294,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -53100,7 +53649,7 @@ index 3eca020..5a0c2ce 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +320,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +322,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -53133,7 +53682,7 @@ index 3eca020..5a0c2ce 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +352,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +354,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -53152,14 +53701,14 @@ index 3eca020..5a0c2ce 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -285,16 +387,29 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +389,29 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
 +logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
  
++selinux_validate_context(virtd_t)
++
 +seutil_read_config(virtd_t)
  seutil_read_default_contexts(virtd_t)
 +seutil_read_file_contexts(virtd_t)
@@ -53182,7 +53731,7 @@ index 3eca020..5a0c2ce 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +428,10 @@ optional_policy(`
+@@ -313,6 +430,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53193,7 +53742,7 @@ index 3eca020..5a0c2ce 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -329,11 +448,17 @@ optional_policy(`
+@@ -329,11 +450,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53211,7 +53760,7 @@ index 3eca020..5a0c2ce 100644
  ')
  
  optional_policy(`
-@@ -365,6 +490,12 @@ optional_policy(`
+@@ -365,6 +492,12 @@ optional_policy(`
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -53224,7 +53773,7 @@ index 3eca020..5a0c2ce 100644
  ')
  
  optional_policy(`
-@@ -385,23 +516,37 @@ optional_policy(`
+@@ -385,29 +518,45 @@ optional_policy(`
  	udev_read_db(virtd_t)
  ')
  
@@ -53267,7 +53816,15 @@ index 3eca020..5a0c2ce 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -418,10 +563,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+ 
+ kernel_read_system_state(virt_domain)
+ 
++fs_getattr_xattr_fs(virt_domain)
++
+ corecmd_exec_bin(virt_domain)
+ corecmd_exec_shell(virt_domain)
+ 
+@@ -418,10 +567,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -53280,7 +53837,7 @@ index 3eca020..5a0c2ce 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +575,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +579,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -53293,7 +53850,7 @@ index 3eca020..5a0c2ce 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,14 +588,20 @@ files_search_all(virt_domain)
+@@ -440,14 +592,20 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -53301,12 +53858,12 @@ index 3eca020..5a0c2ce 100644
 +fs_rw_inherited_nfs_files(virt_domain)
 +fs_rw_inherited_cifs_files(virt_domain)
 +fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+ 
+-term_use_all_terms(virt_domain)
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
 +storage_raw_read_removable_device(virt_domain)
- 
--term_use_all_terms(virt_domain)
++
 +term_use_all_inherited_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
  term_use_generic_ptys(virt_domain)
@@ -53317,7 +53874,7 @@ index 3eca020..5a0c2ce 100644
  logging_send_syslog_msg(virt_domain)
  
  miscfiles_read_localization(virt_domain)
-@@ -457,8 +611,176 @@ optional_policy(`
+@@ -457,8 +615,176 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57557,7 +58114,7 @@ index 354ce93..b8b14b9 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..354e39c 100644
+index 94fd8dd..417ec32 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,42 @@ interface(`init_script_domain',`
@@ -57725,7 +58282,7 @@ index 94fd8dd..354e39c 100644
  	')
  ')
  
-@@ -401,16 +428,19 @@ interface(`init_system_domain',`
+@@ -401,20 +428,41 @@ interface(`init_system_domain',`
  interface(`init_ranged_system_domain',`
  	gen_require(`
  		type initrc_t;
@@ -57745,7 +58302,29 @@ index 94fd8dd..354e39c 100644
  		mls_rangetrans_target($1)
  	')
  ')
-@@ -451,6 +481,10 @@ interface(`init_exec',`
+ 
++######################################
++## <summary>
++##  Allow domain dyntransition to init_t domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`init_dyntrans',`
++    gen_require(`
++        type anon_sftpd_t;
++    ')
++
++    dyntrans_pattern($1, init_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Execute init (/sbin/init) with a domain transition.
+@@ -451,6 +499,10 @@ interface(`init_exec',`
  
  	corecmd_search_bin($1)
  	can_exec($1, init_exec_t)
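Review bot: The new `init_dyntrans` interface requires `type anon_sftpd_t;` in its gen_require, but the rule it emits, `dyntrans_pattern($1, init_t)`, references init_t, which looks like a copy-paste leftover. As written the interface depends on whichever module declares anon_sftpd_t and never declares the type it actually uses; the require line should read `type init_t;`. A dynamic transition into init_t is a high-privilege grant, so the summary could also state that callers are expected to be limited to early-boot domains (the commit message names only kernel_t).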
@@ -57756,7 +58335,7 @@ index 94fd8dd..354e39c 100644
  ')
  
  ########################################
-@@ -509,6 +543,24 @@ interface(`init_sigchld',`
+@@ -509,6 +561,24 @@ interface(`init_sigchld',`
  
  ########################################
  ## <summary>
@@ -57781,7 +58360,7 @@ index 94fd8dd..354e39c 100644
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -519,10 +571,29 @@ interface(`init_sigchld',`
+@@ -519,10 +589,29 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -57813,7 +58392,7 @@ index 94fd8dd..354e39c 100644
  ')
  
  ########################################
-@@ -688,19 +759,25 @@ interface(`init_telinit',`
+@@ -688,19 +777,25 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -57840,7 +58419,7 @@ index 94fd8dd..354e39c 100644
  	')
  ')
  
-@@ -730,7 +807,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +825,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -57849,7 +58428,7 @@ index 94fd8dd..354e39c 100644
  ##	</summary>
  ## </param>
  #
-@@ -773,18 +850,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +868,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -57873,7 +58452,7 @@ index 94fd8dd..354e39c 100644
  	')
  ')
  
-@@ -800,19 +878,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,23 +896,45 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -57896,11 +58475,11 @@ index 94fd8dd..354e39c 100644
  	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+	')
-+')
-+
-+########################################
-+## <summary>
+ 	')
+ ')
+ 
+ ########################################
+ ## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@@ -57913,13 +58492,17 @@ index 94fd8dd..354e39c 100644
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
- 	')
++	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
- ')
- 
- ########################################
-@@ -868,9 +968,14 @@ interface(`init_script_file_domtrans',`
++')
++
++########################################
++## <summary>
+ ##	Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
+@@ -868,9 +986,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -57934,7 +58517,7 @@ index 94fd8dd..354e39c 100644
  	files_search_etc($1)
  ')
  
-@@ -1079,6 +1184,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1202,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -57959,7 +58542,7 @@ index 94fd8dd..354e39c 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1130,12 +1253,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1271,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -57973,7 +58556,7 @@ index 94fd8dd..354e39c 100644
  ')
  
  ########################################
-@@ -1375,6 +1493,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1511,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -58001,7 +58584,7 @@ index 94fd8dd..354e39c 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1461,6 +1600,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1618,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -58027,7 +58610,7 @@ index 94fd8dd..354e39c 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1519,6 +1677,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1695,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -58052,7 +58635,7 @@ index 94fd8dd..354e39c 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1674,7 +1850,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1868,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -58061,7 +58644,7 @@ index 94fd8dd..354e39c 100644
  ')
  
  ########################################
-@@ -1715,6 +1891,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1909,128 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file)
  ')
  
@@ -58190,7 +58773,7 @@ index 94fd8dd..354e39c 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2047,156 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2065,156 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -58348,7 +58931,7 @@ index 94fd8dd..354e39c 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..837bc69 100644
+index 29a9565..4d20828 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -58579,9 +59162,9 @@ index 29a9565..837bc69 100644
 +	files_relabel_all_pid_dirs(init_t)
 +	files_relabel_all_pid_files(init_t)
 +	files_create_all_pid_sockets(init_t)
-+	files_delete_all_pid_sockets(init_t)
++	files_delete_all_pids(init_t)
++	files_exec_generic_pid_files(init_t)
 +	files_create_all_pid_pipes(init_t)
-+	files_delete_all_pid_pipes(init_t)
 +	files_create_all_spool_sockets(init_t)
 +	files_delete_all_spool_sockets(init_t)
 +	files_manage_urandom_seed(init_t)
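Review bot: Swapping `files_delete_all_pid_sockets(init_t)` and `files_delete_all_pid_pipes(init_t)` for `files_delete_all_pids(init_t)` plus the new `files_exec_generic_pid_files(init_t)` widens init_t without any stated reason in the commit message or the policy. Judging by the interface names, it goes from deleting sockets and pipes to deleting every pid-file type and executing generically labelled files under /var/run. Execute permission on content in a runtime-writable directory deserves a recorded justification; a comment above the line such as `# needed for <AVC or bug reference>` would let a later reviewer decide whether the grant can be narrowed to a dedicated type. The enclosing block starts and ends outside this hunk.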
@@ -60601,7 +61184,7 @@ index 831b909..57064ad 100644
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..fa034d6 100644
+index b6ec597..2674701 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -20,6 +20,7 @@ files_security_file(auditd_log_t)
@@ -60761,7 +61344,7 @@ index b6ec597..fa034d6 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -496,6 +535,10 @@ optional_policy(`
+@@ -496,11 +535,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60772,17 +61355,16 @@ index b6ec597..fa034d6 100644
  	postgresql_stream_connect(syslogd_t)
  ')
  
-@@ -504,6 +547,10 @@ optional_policy(`
- ')
- 
  optional_policy(`
-+    daemontools_search_svc_dir(syslogd_t)
+ 	seutil_sigchld_newrole(syslogd_t)
++	snmp_read_snmp_var_lib_files(syslogd_t)
 +')
 +
 +optional_policy(`
- 	udev_read_db(syslogd_t)
++    daemontools_search_svc_dir(syslogd_t)
  ')
  
+ optional_policy(`
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
 index 879bb1e..7b22111 100644
 --- a/policy/modules/system/lvm.fc
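Review bot: `snmp_read_snmp_var_lib_files(syslogd_t)` is added inside the existing optional_policy block that holds `seutil_sigchld_newrole(syslogd_t)`, which ties the two rules together. An optional block is dropped as a whole when any interface in it cannot be resolved, so a policy built without the snmp module would lose the newrole rule as well. Move the snmp call into its own optional_policy block, the way `daemontools_search_svc_dir(syslogd_t)` has one in the same hunk. The change is also not mentioned in the commit message, so a short comment saying why syslogd reads the snmp lib files would help.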
@@ -63506,7 +64088,7 @@ index ff80d0a..752e031 100644
 +	role_transition $1 dhcpc_exec_t system_r;
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..0cdb0be 100644
+index 34d0ec5..76e53a6 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -63705,7 +64287,7 @@ index 34d0ec5..0cdb0be 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -314,7 +363,14 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +363,18 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -63713,6 +64295,10 @@ index 34d0ec5..0cdb0be 100644
 +	brctl_domtrans(ifconfig_t)
 +')
 +
++optional_policy(`
++	ctdbd_read_lib_files(ifconfig_t)
++')
++
  ifdef(`hide_broken_symptoms',`
 +	# caused by some bogus kernel code
 +	dontaudit ifconfig_t self:capability sys_module;
@@ -63720,7 +64306,7 @@ index 34d0ec5..0cdb0be 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -325,8 +381,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +385,14 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -63735,7 +64321,7 @@ index 34d0ec5..0cdb0be 100644
  ')
  
  optional_policy(`
-@@ -335,6 +397,18 @@ optional_policy(`
+@@ -335,6 +401,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63754,7 +64340,7 @@ index 34d0ec5..0cdb0be 100644
  	nis_use_ypbind(ifconfig_t)
  ')
  
-@@ -356,3 +430,9 @@ optional_policy(`
+@@ -356,3 +434,9 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2d6973c..b7ccc22 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -452,6 +452,10 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Aug Mon 1 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-12
+- Add sblim, uuidd policies
+- Allow kernel_t dyntrasition to init_t
+
 * Fri Jul 29 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-11
 - init_t need setexec
 - More fixes of rules which cause an explosion in rules by Dan Walsh

