[selinux-policy/f16] - Add abrt_domain attribute - Allow corosync to manage cluster lib files - Allow corosync to connect
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Aug 2 19:37:11 UTC 2011
commit 1ed80a2aec29c14fe34a7e8e3abb197ca76c7cb9
Author: Miroslav <mgrepl at redhat.com>
Date: Tue Aug 2 21:36:49 2011 +0200
- Add abrt_domain attribute
- Allow corosync to manage cluster lib files
- Allow corosync to connect to the system DBUS
policy-F16.patch | 391 +++++++++++++++++++++++++++++++++------------------
selinux-policy.spec | 7 +-
2 files changed, 258 insertions(+), 140 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 31d23df..f9db5f9 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -6496,10 +6496,19 @@ index 0000000..bb02f40
+')
+
diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te
-index 2dde73a..12281bb 100644
+index 2dde73a..e4ccac2 100644
--- a/policy/modules/apps/kdumpgui.te
+++ b/policy/modules/apps/kdumpgui.te
-@@ -47,6 +47,12 @@ miscfiles_read_localization(kdumpgui_t)
+@@ -36,6 +36,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
+ files_etc_filetrans_etc_runtime(kdumpgui_t, file)
+ files_read_usr_files(kdumpgui_t)
+
++fs_read_dos_files(kdumpgui_t)
++
+ storage_raw_read_fixed_disk(kdumpgui_t)
+ storage_raw_write_fixed_disk(kdumpgui_t)
+
+@@ -47,6 +49,12 @@ miscfiles_read_localization(kdumpgui_t)
init_dontaudit_read_all_script_files(kdumpgui_t)
@@ -11881,7 +11890,7 @@ index 4f3b542..5a41e58 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..68a36f8 100644
+index 99b71cb..fd75b96 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,14 @@ attribute netif_type;
@@ -12034,7 +12043,7 @@ index 99b71cb..68a36f8 100644
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
+network_port(piranha, tcp,3636,s0)
-+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9946, s0)
++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9446, s0)
+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0)
+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)
+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0)
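Review bot: The rewritten pki_ca line labels 9443-9446 as one range, which newly puts 9444 and 9445 under pki_ca_port_t while dropping the former 9946 entry, and the commit message mentions neither. If 9946 was a typo for 9446 the range is the right fix, but the two ports that gain the label deserve a trace, e.g. `# pki_ca: 9443-9446 replaces the former separate 9443 and 9946 entries` above the line or a sentence in the commit message. The network_port list continues outside the hunk.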
@@ -12102,8 +12111,8 @@ index 99b71cb..68a36f8 100644
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
-+portcon udp 1024-65536 gen_context(system_u:object_r:unreserved_port_t, s0)
-+portcon tcp 1024-65536 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
########################################
#
@@ -16438,7 +16447,7 @@ index ca7e808..23a065c 100644
+')
+
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..02ff02d7 100644
+index 1700ef2..6b7eabb 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
@@ -16458,7 +16467,7 @@ index 1700ef2..02ff02d7 100644
dev_add_entry_generic_dirs($1)
')
-@@ -808,3 +811,358 @@ interface(`storage_unconfined',`
+@@ -808,3 +811,368 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type;
')
@@ -16559,6 +16568,16 @@ index 1700ef2..02ff02d7 100644
+ dev_filetrans($1, removable_device_t, blk_file, "cm207")
+ dev_filetrans($1, removable_device_t, blk_file, "cm208")
+ dev_filetrans($1, removable_device_t, blk_file, "cm209")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md9")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1")
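Review bot: The ten added dev_filetrans lines cover only the literal names md0 through md9, because a named file transition matches the exact final path component; md10 and higher, including the md127 that mdadm typically assigns to auto-assembled arrays, still receive the generic device label. If that is the intended scope, a one-line comment such as `# named transitions only for md0-md9; higher-numbered arrays rely on file contexts` would stop the next reader from assuming full coverage. The enclosing interface starts and ends outside the hunk.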
@@ -17832,7 +17851,7 @@ index 2be17d2..1a6d9d1 100644
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..a9aeb68 100644
+index e14b961..9db59b0 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,55 @@ ifndef(`enable_mls',`
@@ -18007,7 +18026,7 @@ index e14b961..a9aeb68 100644
')
optional_policy(`
-@@ -225,12 +278,20 @@ optional_policy(`
+@@ -225,17 +278,29 @@ optional_policy(`
')
optional_policy(`
@@ -18028,7 +18047,16 @@ index e14b961..a9aeb68 100644
ntp_stub()
corenet_udp_bind_ntp_port(sysadm_t)
')
-@@ -253,19 +314,19 @@ optional_policy(`
+
+ optional_policy(`
++ nx_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
+ oav_run_update(sysadm_t, sysadm_r)
+ ')
+
+@@ -253,19 +318,19 @@ optional_policy(`
')
optional_policy(`
@@ -18052,7 +18080,7 @@ index e14b961..a9aeb68 100644
')
optional_policy(`
-@@ -274,10 +335,7 @@ optional_policy(`
+@@ -274,10 +339,7 @@ optional_policy(`
optional_policy(`
rpm_run(sysadm_t, sysadm_r)
@@ -18064,7 +18092,7 @@ index e14b961..a9aeb68 100644
')
optional_policy(`
-@@ -302,12 +360,18 @@ optional_policy(`
+@@ -302,12 +364,18 @@ optional_policy(`
')
optional_policy(`
@@ -18084,7 +18112,7 @@ index e14b961..a9aeb68 100644
')
optional_policy(`
-@@ -332,7 +396,7 @@ optional_policy(`
+@@ -332,7 +400,7 @@ optional_policy(`
')
optional_policy(`
@@ -18093,7 +18121,7 @@ index e14b961..a9aeb68 100644
')
optional_policy(`
-@@ -343,19 +407,15 @@ optional_policy(`
+@@ -343,19 +411,15 @@ optional_policy(`
')
optional_policy(`
@@ -18115,7 +18143,7 @@ index e14b961..a9aeb68 100644
')
optional_policy(`
-@@ -367,45 +427,45 @@ optional_policy(`
+@@ -367,45 +431,45 @@ optional_policy(`
')
optional_policy(`
@@ -18172,7 +18200,7 @@ index e14b961..a9aeb68 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,6 +499,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +503,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role(sysadm_r, sysadm_t)
@@ -18180,20 +18208,20 @@ index e14b961..a9aeb68 100644
')
optional_policy(`
-@@ -446,11 +507,62 @@ ifndef(`distro_redhat',`
+@@ -446,11 +511,62 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- irc_role(sysadm_r, sysadm_t)
+ java_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ lockdev_role(sysadm_r, sysadm_t)
')
optional_policy(`
- java_role(sysadm_r, sysadm_t)
-+ lockdev_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
+ mozilla_role(sysadm_r, sysadm_t)
+ ')
+
@@ -18955,10 +18983,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..f35e36b
+index 0000000..fc2c9ec
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,549 @@
+@@ -0,0 +1,553 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -19368,6 +19396,10 @@ index 0000000..f35e36b
+')
+
+optional_policy(`
++ nx_filetrans_named_content(unconfined_t)
++')
++
++optional_policy(`
+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
+')
+
@@ -20052,13 +20084,14 @@ index 0b827c5..e03a970 100644
+ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..ced411a 100644
+index 30861ec..5f4db0c 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
-@@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0)
+@@ -5,7 +5,17 @@ policy_module(abrt, 1.2.0)
# Declarations
#
+-type abrt_t;
+## <desc>
+## <p>
+## Allow ABRT to modify public files
@@ -20067,14 +20100,17 @@ index 30861ec..ced411a 100644
+## </desc>
+gen_tunable(abrt_anon_write, false)
+
- type abrt_t;
++attribute abrt_domain;
++
++type abrt_t, abrt_domain;
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)
-@@ -32,6 +40,12 @@ files_type(abrt_var_cache_t)
+
+@@ -32,9 +42,15 @@ files_type(abrt_var_cache_t)
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
-+type abrt_dump_oops_t;
++type abrt_dump_oops_t, abrt_domain;
+type abrt_dump_oops_exec_t;
+init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
+
@@ -20082,8 +20118,12 @@ index 30861ec..ced411a 100644
+
# type needed to allow all domains
# to handle /var/cache/abrt
- type abrt_helper_t;
-@@ -43,14 +57,37 @@ ifdef(`enable_mcs',`
+-type abrt_helper_t;
++type abrt_helper_t, abrt_domain;
+ type abrt_helper_exec_t;
+ application_domain(abrt_helper_t, abrt_helper_exec_t)
+ role system_r types abrt_helper_t;
+@@ -43,14 +59,37 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')
@@ -20091,12 +20131,12 @@ index 30861ec..ced411a 100644
+# Support for ABRT retrace server
+#
+
-+type abrt_retrace_worker_t;
++type abrt_retrace_worker_t, abrt_domain;
+type abrt_retrace_worker_exec_t;
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+role system_r types abrt_retrace_worker_t;
+
-+type abrt_retrace_coredump_t;
++type abrt_retrace_coredump_t, abrt_domain;
+type abrt_retrace_coredump_exec_t;
+application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
+role system_r types abrt_retrace_coredump_t;
@@ -20123,7 +20163,7 @@ index 30861ec..ced411a 100644
allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -59,6 +96,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
+@@ -59,6 +98,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
# abrt etc files
@@ -20131,7 +20171,7 @@ index 30861ec..ced411a 100644
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
# log file
-@@ -69,6 +107,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -69,6 +109,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -20139,7 +20179,7 @@ index 30861ec..ced411a 100644
# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,7 +121,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,10 +123,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -20147,8 +20187,11 @@ index 30861ec..ced411a 100644
+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
kernel_read_ring_buffer(abrt_t)
- kernel_read_system_state(abrt_t)
-@@ -104,6 +143,7 @@ corenet_tcp_connect_all_ports(abrt_t)
+-kernel_read_system_state(abrt_t)
+ kernel_rw_kernel_sysctl(abrt_t)
+
+ corecmd_exec_bin(abrt_t)
+@@ -104,6 +144,7 @@ corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
@@ -20156,7 +20199,7 @@ index 30861ec..ced411a 100644
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +153,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +154,8 @@ domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
@@ -20166,7 +20209,7 @@ index 30861ec..ced411a 100644
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -121,6 +162,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +163,8 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
@@ -20175,7 +20218,7 @@ index 30861ec..ced411a 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,7 +174,7 @@ fs_read_nfs_files(abrt_t)
+@@ -131,15 +175,23 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -20183,9 +20226,10 @@ index 30861ec..ced411a 100644
+sysnet_dns_name_resolve(abrt_t)
logging_read_generic_logs(abrt_t)
- logging_send_syslog_msg(abrt_t)
-@@ -140,6 +183,16 @@ miscfiles_read_generic_certs(abrt_t)
- miscfiles_read_localization(abrt_t)
+-logging_send_syslog_msg(abrt_t)
+
+ miscfiles_read_generic_certs(abrt_t)
+-miscfiles_read_localization(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
@@ -20201,7 +20245,7 @@ index 30861ec..ced411a 100644
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +203,11 @@ optional_policy(`
+@@ -150,6 +202,11 @@ optional_policy(`
')
optional_policy(`
@@ -20213,7 +20257,7 @@ index 30861ec..ced411a 100644
policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
-@@ -167,6 +225,7 @@ optional_policy(`
+@@ -167,6 +224,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -20221,7 +20265,7 @@ index 30861ec..ced411a 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,12 +237,18 @@ optional_policy(`
+@@ -178,12 +236,18 @@ optional_policy(`
')
optional_policy(`
@@ -20241,7 +20285,7 @@ index 30861ec..ced411a 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,9 +265,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +264,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -20249,12 +20293,18 @@ index 30861ec..ced411a 100644
+
domain_read_all_domains_state(abrt_helper_t)
- files_read_etc_files(abrt_helper_t)
+-files_read_etc_files(abrt_helper_t)
+files_dontaudit_all_non_security_leaks(abrt_helper_t)
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
-@@ -216,7 +284,8 @@ miscfiles_read_localization(abrt_helper_t)
+
+ auth_use_nsswitch(abrt_helper_t)
+
+-logging_send_syslog_msg(abrt_helper_t)
+-
+-miscfiles_read_localization(abrt_helper_t)
+-
term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
@@ -20264,7 +20314,7 @@ index 30861ec..ced411a 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +293,131 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +287,124 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -20272,7 +20322,7 @@ index 30861ec..ced411a 100644
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
- ')
++')
+
+ifdef(`hide_broken_symptoms',`
+ gen_require(`
@@ -20282,7 +20332,7 @@ index 30861ec..ced411a 100644
+ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
-+')
+ ')
+
+#######################################
+#
@@ -20299,20 +20349,13 @@ index 30861ec..ced411a 100644
+read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+
-+kernel_read_system_state(abrt_retrace_coredump_t)
-+
+corecmd_exec_bin(abrt_retrace_coredump_t)
+corecmd_exec_shell(abrt_retrace_coredump_t)
+
+dev_read_urand(abrt_retrace_coredump_t)
+
-+files_read_etc_files(abrt_retrace_coredump_t)
+files_read_usr_files(abrt_retrace_coredump_t)
+
-+logging_send_syslog_msg(abrt_retrace_coredump_t)
-+
-+miscfiles_read_localization(abrt_retrace_coredump_t)
-+
+sysnet_dns_name_resolve(abrt_retrace_coredump_t)
+
+# to install debuginfo packages
@@ -20346,20 +20389,13 @@ index 30861ec..ced411a 100644
+
+can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+
-+kernel_read_system_state(abrt_retrace_worker_t)
-+
+corecmd_exec_bin(abrt_retrace_worker_t)
+corecmd_exec_shell(abrt_retrace_worker_t)
+
+dev_read_urand(abrt_retrace_worker_t)
+
-+files_read_etc_files(abrt_retrace_worker_t)
+files_read_usr_files(abrt_retrace_worker_t)
+
-+logging_send_syslog_msg(abrt_retrace_worker_t)
-+
-+miscfiles_read_localization(abrt_retrace_worker_t)
-+
+sysnet_dns_name_resolve(abrt_retrace_worker_t)
+
+optional_policy(`
@@ -20386,16 +20422,23 @@ index 30861ec..ced411a 100644
+
+kernel_read_kernel_sysctls(abrt_dump_oops_t)
+kernel_read_ring_buffer(abrt_dump_oops_t)
-+kernel_read_system_state(abrt_dump_oops_t)
+
+domain_use_interactive_fds(abrt_dump_oops_t)
+
-+files_read_etc_files(abrt_dump_oops_t)
-+
+logging_read_generic_logs(abrt_dump_oops_t)
-+logging_send_syslog_msg(abrt_dump_oops_t)
+
-+miscfiles_read_localization(abrt_dump_oops_t)
++#######################################
++#
++# Local policy for all abrt domain
++#
++
++kernel_read_system_state(abrt_domain)
++
++files_read_etc_files(abrt_domain)
++
++logging_send_syslog_msg(abrt_domain)
++
++miscfiles_read_localization(abrt_domain)
diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
index c0f858d..d639ae0 100644
--- a/policy/modules/services/accountsd.if
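Review bot: The four rules on abrt_domain give every type carrying the attribute the union of what the individual domains had, and `kernel_read_system_state(abrt_domain)` is the one to verify: the hunks that delete the per-type kernel_read_system_state lines cover abrt_t, abrt_retrace_coredump_t, abrt_retrace_worker_t and abrt_dump_oops_t, but the abrt_helper_t hunk removes only files_read_etc_files, logging_send_syslog_msg and miscfiles_read_localization. Unless abrt_helper_t already has that rule somewhere outside these hunks, the attribute quietly widens it; worth confirming against the full abrt.te and, if it is new, either keeping the rule per-type or noting the decision in a comment. The new section heading reads `# Local policy for all abrt domain`; `# Local policy for all abrt_domain types` would say what the block actually applies to.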
@@ -26424,7 +26467,7 @@ index 5220c9d..a2e6830 100644
## <summary>
## Allow the specified domain to read corosync's log files.
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
-index 04969e5..4e1d434 100644
+index 04969e5..f0f7e1a 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t)
@@ -26467,7 +26510,7 @@ index 04969e5..4e1d434 100644
auth_use_nsswitch(corosync_t)
-@@ -83,19 +89,37 @@ logging_send_syslog_msg(corosync_t)
+@@ -83,19 +89,42 @@ logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
@@ -26488,13 +26531,17 @@ index 04969e5..4e1d434 100644
- rhcs_rw_dlm_controld_semaphores(corosync_t)
+ cmirrord_rw_shm(corosync_t)
+')
-
-- rhcs_rw_fenced_semaphores(corosync_t)
++
+optional_policy(`
-+ drbd_domtrans(corosync_t)
++ dbus_system_bus_client(corosync_t)
+')
+
+optional_policy(`
++ drbd_domtrans(corosync_t)
++')
+
+- rhcs_rw_fenced_semaphores(corosync_t)
++optional_policy(`
+ lvm_rw_clvmd_tmpfs_files(corosync_t)
+ lvm_delete_clvmd_tmpfs_files(corosync_t)
+')
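Review bot: `dbus_system_bus_client(corosync_t)` in the new optional_policy block lets corosync connect to the system bus and talk to the bus daemon, but in refpolicy a conversation with a particular service also needs that service's `*_dbus_chat(corosync_t)` rule, and none is added here. If the denial behind this change was against a specific destination domain, the chat rule is the missing half; if corosync only needs the bus daemon itself, a short comment on the line saying so would settle it for the next reviewer.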
@@ -26506,6 +26553,7 @@ index 04969e5..4e1d434 100644
+ rhcs_rw_cluster_semaphores(corosync_t)
+ rhcs_stream_connect_cluster(corosync_t)
+ rhcs_read_cluster_lib_files(corosync_t)
++ rhcs_manage_cluster_lib_files(corosync_t)
')
optional_policy(`
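Review bot: `rhcs_manage_cluster_lib_files(corosync_t)` added directly after `rhcs_read_cluster_lib_files(corosync_t)` makes the read call redundant: per the rhcs.if hunk in this same commit, both interfaces call files_search_var_lib($1) and manage_files_pattern already includes read on cluster_var_lib_t. Dropping the read line keeps the block minimal and makes the step from read to manage visible in the diff instead of sitting next to a rule it subsumes. The optional_policy block this sits in starts outside the hunk.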
@@ -40441,7 +40489,7 @@ index ff962dd..c856c64 100644
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if
-index 79a225c..cbb2bce 100644
+index 79a225c..d82b231 100644
--- a/policy/modules/services/nx.if
+++ b/policy/modules/services/nx.if
@@ -33,8 +33,10 @@ interface(`nx_read_home_files',`
@@ -40463,13 +40511,31 @@ index 79a225c..cbb2bce 100644
allow $1 nx_server_var_lib_t:dir search_dir_perms;
')
-@@ -81,5 +84,6 @@ interface(`nx_var_lib_filetrans',`
+@@ -81,5 +84,24 @@ interface(`nx_var_lib_filetrans',`
type nx_server_var_lib_t;
')
+ files_search_var_lib($1)
filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
')
++
++########################################
++## <summary>
++## Transition to nx named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`nx_filetrans_named_content',`
++ gen_require(`
++ type nx_server_home_ssh_t, nx_server_var_lib_t;
++ ')
++
++ filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
++')
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
index ebb9582..1c72c6e 100644
--- a/policy/modules/services/nx.te
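Review bot: The new `nx_filetrans_named_content` interface calls filetrans_pattern on nx_server_var_lib_t without granting search on /var/lib, whereas the sibling `nx_var_lib_filetrans` just above it adds `files_search_var_lib($1)` before its filetrans_pattern; a caller with no other route to the directory gets the transition rule but cannot reach the directory it applies to. Adding `files_search_var_lib($1)` before the filetrans line keeps the two interfaces consistent. The summary `Transition to nx named content` could also name what is transitioned, e.g. `Create the .ssh directory under nx var lib content labeled nx_server_home_ssh_t`.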
@@ -45959,7 +46025,7 @@ index c2ba53b..853eeb5 100644
/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
-index de37806..229a3c7 100644
+index de37806..175c89b 100644
--- a/policy/modules/services/rhcs.if
+++ b/policy/modules/services/rhcs.if
@@ -13,7 +13,7 @@
@@ -46084,7 +46150,7 @@ index de37806..229a3c7 100644
######################################
## <summary>
## Execute a domain transition to run qdiskd.
-@@ -353,3 +410,41 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -353,3 +410,60 @@ interface(`rhcs_domtrans_qdiskd',`
corecmd_search_bin($1)
domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
')
@@ -46126,6 +46192,25 @@ index de37806..229a3c7 100644
+ files_search_var_lib($1)
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
++
++#####################################
++## <summary>
++## Allow domain to manage cluster lib files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhcs_manage_cluster_lib_files',`
++ gen_require(`
++ type cluster_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++')
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
index 93c896a..2331615 100644
--- a/policy/modules/services/rhcs.te
@@ -54471,7 +54556,7 @@ index 4966c94..cb2e1a3 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..1772fa2 100644
+index 130ced9..b6fb17a 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -54556,11 +54641,12 @@ index 130ced9..1772fa2 100644
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -106,12 +116,23 @@ interface(`xserver_restricted_role',`
+@@ -106,12 +116,24 @@ interface(`xserver_restricted_role',`
xserver_create_xdm_tmp_sockets($2)
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
+ xserver_read_xdm_etc_files($2)
++ xserver_xdm_append_log($2)
+
+ modutils_run_insmod(xserver_t, $1)
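Review bot: `xserver_xdm_append_log($2)` in xserver_restricted_role grants every user domain that takes the role append access to the display manager's log, a widening for all restricted roles that the commit message does not mention. If the target is xdm's own shared log, entries appended from an unprivileged session presumably cannot be distinguished from xdm's, so if this only silences a denial from a session script a dontaudit variant or a per-user log target would be the narrower choice; either way a `# needed for <reason>` comment on the line would record the decision. The interface body continues outside the hunk on both sides.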
@@ -54580,7 +54666,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -143,13 +164,15 @@ interface(`xserver_role',`
+@@ -143,13 +165,15 @@ interface(`xserver_role',`
allow $2 xserver_tmpfs_t:file rw_file_perms;
allow $2 iceauth_home_t:file manage_file_perms;
@@ -54598,7 +54684,7 @@ index 130ced9..1772fa2 100644
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
-@@ -162,7 +185,6 @@ interface(`xserver_role',`
+@@ -162,7 +186,6 @@ interface(`xserver_role',`
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -54606,7 +54692,7 @@ index 130ced9..1772fa2 100644
')
#######################################
-@@ -197,7 +219,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +220,7 @@ interface(`xserver_ro_session',`
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -54615,7 +54701,7 @@ index 130ced9..1772fa2 100644
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -227,7 +249,7 @@ interface(`xserver_rw_session',`
+@@ -227,7 +250,7 @@ interface(`xserver_rw_session',`
type xserver_t, xserver_tmpfs_t;
')
@@ -54624,7 +54710,7 @@ index 130ced9..1772fa2 100644
allow $1 xserver_t:shm rw_shm_perms;
allow $1 xserver_tmpfs_t:file rw_file_perms;
')
-@@ -255,7 +277,7 @@ interface(`xserver_non_drawing_client',`
+@@ -255,7 +278,7 @@ interface(`xserver_non_drawing_client',`
allow $1 self:x_gc { create setattr };
@@ -54633,7 +54719,7 @@ index 130ced9..1772fa2 100644
allow $1 xserver_t:unix_stream_socket connectto;
allow $1 xextension_t:x_extension { query use };
-@@ -291,13 +313,13 @@ interface(`xserver_user_client',`
+@@ -291,13 +314,13 @@ interface(`xserver_user_client',`
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -54651,7 +54737,7 @@ index 130ced9..1772fa2 100644
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -342,19 +364,23 @@ interface(`xserver_user_client',`
+@@ -342,19 +365,23 @@ interface(`xserver_user_client',`
#
template(`xserver_common_x_domain_template',`
gen_require(`
@@ -54678,7 +54764,7 @@ index 130ced9..1772fa2 100644
')
##############################
-@@ -386,6 +412,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +413,15 @@ template(`xserver_common_x_domain_template',`
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
@@ -54694,7 +54780,7 @@ index 130ced9..1772fa2 100644
')
#######################################
-@@ -444,8 +479,9 @@ template(`xserver_object_types_template',`
+@@ -444,8 +480,9 @@ template(`xserver_object_types_template',`
#
template(`xserver_user_x_domain_template',`
gen_require(`
@@ -54706,7 +54792,7 @@ index 130ced9..1772fa2 100644
')
allow $2 self:shm create_shm_perms;
-@@ -456,11 +492,18 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +493,18 @@ template(`xserver_user_x_domain_template',`
allow $2 xauth_home_t:file read_file_perms;
allow $2 iceauth_home_t:file read_file_perms;
@@ -54727,7 +54813,7 @@ index 130ced9..1772fa2 100644
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +515,26 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +516,26 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -54756,7 +54842,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -517,6 +566,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +567,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -54764,7 +54850,7 @@ index 130ced9..1772fa2 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -549,6 +599,24 @@ interface(`xserver_domtrans_xauth',`
+@@ -549,6 +600,24 @@ interface(`xserver_domtrans_xauth',`
########################################
## <summary>
@@ -54789,7 +54875,7 @@ index 130ced9..1772fa2 100644
## Create a Xauthority file in the user home directory.
## </summary>
## <param name="domain">
-@@ -598,6 +666,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +667,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -54797,7 +54883,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -615,7 +684,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +685,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -54806,7 +54892,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -638,6 +707,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +708,25 @@ interface(`xserver_rw_console',`
########################################
## <summary>
@@ -54832,7 +54918,7 @@ index 130ced9..1772fa2 100644
## Use file descriptors for xdm.
## </summary>
## <param name="domain">
-@@ -651,7 +739,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +740,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -54841,7 +54927,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -670,7 +758,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +759,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -54850,7 +54936,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -688,7 +776,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +777,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -54859,7 +54945,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -703,12 +791,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +792,11 @@ interface(`xserver_rw_xdm_pipes',`
## </param>
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -54873,7 +54959,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -724,11 +811,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +812,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -54907,7 +54993,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -752,6 +859,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -752,6 +860,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
## <summary>
@@ -54933,7 +55019,7 @@ index 130ced9..1772fa2 100644
## Set the attributes of XDM temporary directories.
## </summary>
## <param name="domain">
-@@ -765,7 +891,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +892,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -54942,7 +55028,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -805,7 +931,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +932,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -54970,7 +55056,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -828,6 +973,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -828,6 +974,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
## <summary>
@@ -54995,7 +55081,7 @@ index 130ced9..1772fa2 100644
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -897,7 +1060,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1061,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -55004,7 +55090,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -916,7 +1079,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1080,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -55013,7 +55099,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -963,6 +1126,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1127,45 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
@@ -55059,7 +55145,7 @@ index 130ced9..1772fa2 100644
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -976,7 +1178,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1179,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -55068,7 +55154,7 @@ index 130ced9..1772fa2 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1240,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1241,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
## <summary>
@@ -55111,7 +55197,7 @@ index 130ced9..1772fa2 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary>
-@@ -1052,7 +1290,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1291,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -55120,7 +55206,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -1070,8 +1308,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1309,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -55132,7 +55218,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -1185,6 +1425,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1426,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -55159,7 +55245,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -1210,7 +1470,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1471,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -55168,7 +55254,7 @@ index 130ced9..1772fa2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1220,13 +1480,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1481,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -55193,7 +55279,7 @@ index 130ced9..1772fa2 100644
')
########################################
-@@ -1243,10 +1513,458 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1514,458 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -60891,7 +60977,7 @@ index e5836d3..b32b945 100644
+#')
+
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index a0b379d..7d88511 100644
+index a0b379d..2a55eab 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -32,9 +32,8 @@ role system_r types sulogin_t;
@@ -60954,7 +61040,7 @@ index a0b379d..7d88511 100644
unconfined_shell_domtrans(local_login_t)
')
-@@ -225,6 +226,7 @@ files_read_etc_files(sulogin_t)
+@@ -225,11 +226,14 @@ files_read_etc_files(sulogin_t)
files_dontaudit_search_isid_type_dirs(sulogin_t)
auth_read_shadow(sulogin_t)
@@ -60962,7 +61048,14 @@ index a0b379d..7d88511 100644
init_getpgid_script(sulogin_t)
-@@ -238,14 +240,23 @@ userdom_use_unpriv_users_fds(sulogin_t)
+ logging_send_syslog_msg(sulogin_t)
+
++miscfiles_read_localization(sulogin_t)
++
+ seutil_read_config(sulogin_t)
+ seutil_read_default_contexts(sulogin_t)
+
+@@ -238,14 +242,23 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
@@ -60988,7 +61081,7 @@ index a0b379d..7d88511 100644
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
-@@ -256,11 +267,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +269,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
@@ -64088,7 +64181,7 @@ index ff80d0a..752e031 100644
+ role_transition $1 dhcpc_exec_t system_r;
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..76e53a6 100644
+index 34d0ec5..ba27f13 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -64241,7 +64334,7 @@ index 34d0ec5..76e53a6 100644
nis_read_ypbind_pid(dhcpc_t)
')
-@@ -213,6 +253,10 @@ optional_policy(`
+@@ -213,6 +253,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -64249,10 +64342,11 @@ index 34d0ec5..76e53a6 100644
+')
+optional_policy(`
+ systemd_passwd_agent_domtrans(dhcpc_t)
++ systemd_signal_passwd_agent(dhcpc_t)
')
optional_policy(`
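Review bot: The added `systemd_signal_passwd_agent(dhcpc_t)` carries no comment stating why dhclient must signal the password agent, so the grant cannot be checked against a need later. If it exists to stop the agent that dhclient starts through `systemd_passwd_agent_domtrans(dhcpc_t)` on the line above, recording that with `# dhclient signals the password agent it launched` keeps the rule auditable. The interface it calls is introduced by this same commit in systemd.if, so the two hunks have to land together.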
-@@ -255,6 +299,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -255,6 +300,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -64260,7 +64354,7 @@ index 34d0ec5..76e53a6 100644
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,8 +321,11 @@ dev_read_urand(ifconfig_t)
+@@ -276,8 +322,11 @@ dev_read_urand(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
@@ -64272,7 +64366,7 @@ index 34d0ec5..76e53a6 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -301,11 +349,12 @@ logging_send_syslog_msg(ifconfig_t)
+@@ -301,11 +350,12 @@ logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
@@ -64287,7 +64381,7 @@ index 34d0ec5..76e53a6 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -314,7 +363,18 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +364,18 @@ ifdef(`distro_ubuntu',`
')
')
@@ -64306,7 +64400,7 @@ index 34d0ec5..76e53a6 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -325,8 +385,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +386,14 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -64321,7 +64415,7 @@ index 34d0ec5..76e53a6 100644
')
optional_policy(`
-@@ -335,6 +401,18 @@ optional_policy(`
+@@ -335,6 +402,18 @@ optional_policy(`
')
optional_policy(`
@@ -64340,7 +64434,7 @@ index 34d0ec5..76e53a6 100644
nis_use_ypbind(ifconfig_t)
')
-@@ -356,3 +434,9 @@ optional_policy(`
+@@ -356,3 +435,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -64377,10 +64471,10 @@ index 0000000..3248032
+
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..11fbd0f
+index 0000000..7501ef8
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,360 @@
+@@ -0,0 +1,377 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -64670,6 +64764,23 @@ index 0000000..11fbd0f
+ allow $2 systemd_passwd_agent_t:process signal;
+')
+
++########################################
++## <summary>
++## Send generic signals to systemd_passwd_agent processes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_signal_passwd_agent',`
++ gen_require(`
++ type systemd_passwd_agent_t;
++ ')
++
++ allow $1 systemd_passwd_agent_t:process signal;
++')
+
+######################################
+## <summary>
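Review bot: The new `systemd_signal_passwd_agent` interface grants the same `allow … systemd_passwd_agent_t:process signal;` that the interface just above it writes out by hand for `$2` (that interface's header is outside this hunk), so the permission is now defined in two places. Having the earlier interface call `systemd_signal_passwd_agent($2)` instead of the raw allow rule would leave one definition to review if the permission set ever changes. The summary, parameter block and `gen_require` of the new interface otherwise follow the refpolicy interface convention.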
@@ -64688,12 +64799,12 @@ index 0000000..11fbd0f
+ type systemd_passwd_agent_t;
+ ')
+
-+ type systemd_$1_device_t;
++ type systemd_$1_device_t;
+ files_type(systemd_$1_device_t)
+ dev_associate(systemd_$1_device_t)
+
-+ dev_filetrans($1_t, systemd_$1_device_t, { file sock_file })
-+ init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file })
++ dev_filetrans($1_t, systemd_$1_device_t, { file sock_file })
++ init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file })
+ allow $1_t systemd_$1_device_t:file manage_file_perms;
+ allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms;
+
@@ -64743,10 +64854,10 @@ index 0000000..11fbd0f
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..038db18
+index 0000000..0185280
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,317 @@
+@@ -0,0 +1,319 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -64826,6 +64937,8 @@ index 0000000..038db18
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
+
+dev_read_sysfs(systemd_logind_t)
++dev_setattr_input_dev(systemd_logind_t)
++dev_setattr_mouse_dev(systemd_logind_t)
+
+dev_getattr_all_chr_files(systemd_logind_t)
+dev_getattr_all_blk_files(systemd_logind_t)
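Review bot: `dev_setattr_input_dev(systemd_logind_t)` and `dev_setattr_mouse_dev(systemd_logind_t)` let logind change the mode and ownership of input device nodes, which is a write privilege next to the read-only getattr/sysfs access on the surrounding lines, and nothing in the file says why it is needed. A comment recording the reason, hedged until it is confirmed against the observed denial, would help the next maintainer: `# presumably logind re-owns seat input devices for the active session; confirm`. The enclosing systemd.te is added as a new file by the inner patch, so this hunk is the only place that context would appear.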
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0cc3f5c..9887ba9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 12%{?dist}
+Release: 13%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -452,6 +452,11 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Aug 2 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-13
+- Add abrt_domain attribute
+- Allow corosync to manage cluster lib files
+- Allow corosync to connect to the system DBUS
+
* Mon Aug 1 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-12
- Add sblim, uuidd policies
- Allow kernel_t dyntrasition to init_t