[selinux-policy/f16] - Add glance policy - Allow mdadm setsched - /var/run/initramfs should not be relabeled with a resto
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Aug 30 14:19:10 UTC 2011
commit 1d11433e558c4e8103ab1eb2504916bd414cfbbd
Author: Miroslav <mgrepl at redhat.com>
Date: Tue Aug 30 16:18:49 2011 +0200
- Add glance policy
- Allow mdadm setsched
- /var/run/initramfs should not be relabeled with a restorecon run
- memcache can be set up to override sys_resource
- Allow httpd_t to read tetex data
- Allow systemd_tmpfiles to delete kernel modules left in /tmp directory.
policy-F16.patch | 755 +++++++++++++++++++++++++++++++++++++++++++--------
selinux-policy.spec | 10 +-
2 files changed, 654 insertions(+), 111 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index d704566..9da3d36 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -47,6 +47,29 @@ index 16e8b13..87925e6 100644
.EX
httpd_sys_content_ra_t
.EE
+diff --git a/policy/constraints b/policy/constraints
+index 1308871..c994c93 100644
+--- a/policy/constraints
++++ b/policy/constraints
+@@ -107,9 +107,17 @@ constrain process { transition noatsecure siginh rlimitinh }
+
+ constrain process dyntransition
+ (
+- u1 == u2 and r1 == r2
++ u1 == u2
++ or ( t1 == can_change_process_identity and t2 == process_user_target )
++);
++
++constrain process dyntransition
++(
++ r1 == r2
++ or ( t1 == can_change_process_identity and t2 == process_user_target )
+ );
+
++
+ # These permissions do not have ubac constraints:
+ # fork
+ # setexec
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index bf24160..468e0fd 100644
--- a/policy/flask/access_vectors
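Review bot: The role clause of the second new `dyntransition` constraint reuses `can_change_process_identity`, so any domain granted only the user-change exemption can also change role on a dynamic transition. As far as I recall, the refpolicy `transition` constraints above this hunk (not visible here) pair `r1 == r2` with the separate `can_change_process_role` attribute, and mirroring that split here keeps the two exemptions independent: `or ( t1 == can_change_process_role and t2 == process_user_target )`. If coupling both exemptions to the identity attribute is intentional, a one-line comment above the role constraint saying so would stop the next reader from treating it as a copy-paste slip. The extra added blank line after the closing `);` (the lone `+` just before the ubac comment) looks unintended.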
@@ -1612,10 +1635,10 @@ index 0000000..bd83148
+## <summary>No Interfaces</summary>
diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
new file mode 100644
-index 0000000..3b8c1e9
+index 0000000..bb587b1
--- /dev/null
+++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,217 @@
+@@ -0,0 +1,228 @@
+policy_module(permissivedomains,16)
+
+optional_policy(`
@@ -1833,6 +1856,17 @@ index 0000000..3b8c1e9
+
+ permissive telepathy_logger_t;
+')
++
++optional_policy(`
++ gen_require(`
++ type glance_registry_t;
++ type glance_api_t;
++ ')
++
++ permissive glance_registry_t;
++ permissive glance_api_t;
++')
++
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..b665b08 100644
--- a/policy/modules/admin/portage.fc
@@ -6227,7 +6261,7 @@ index 40e0a2a..93d212c 100644
## <summary>
## Send generic signals to user gpg processes.
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..65d207a 100644
+index 9050e8c..538d39e 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -6338,7 +6372,7 @@ index 9050e8c..65d207a 100644
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -205,6 +229,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -205,11 +229,12 @@ tunable_policy(`use_samba_home_dirs',`
#
# GPG agent local policy
#
@@ -6346,7 +6380,13 @@ index 9050e8c..65d207a 100644
# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;
-@@ -239,12 +264,13 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
+
+-allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
++allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
+ allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+
+ # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+@@ -239,19 +264,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
miscfiles_read_localization(gpg_agent_t)
# Write to the user domain tty.
@@ -6361,6 +6401,14 @@ index 9050e8c..65d207a 100644
')
tunable_policy(`gpg_agent_env_file',`
+ # write ~/.gpg-agent-info or a similar to the users home dir
+ # or subdir (gpg-agent --write-env-file option)
+ #
+- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
++ userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, { dir file })
+ userdom_manage_user_home_content_dirs(gpg_agent_t)
+ userdom_manage_user_home_content_files(gpg_agent_t)
+ ')
@@ -332,6 +358,9 @@ miscfiles_read_localization(gpg_pinentry_t)
# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
@@ -12275,7 +12323,7 @@ index 4f3b542..5a41e58 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..2039d50 100644
+index 99b71cb..85d03ed 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,14 @@ attribute netif_type;
@@ -12370,7 +12418,7 @@ index 99b71cb..2039d50 100644
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -99,9 +126,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -99,14 +126,20 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
@@ -12385,7 +12433,13 @@ index 99b71cb..2039d50 100644
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -114,12 +146,13 @@ network_port(hadoop_namenode, tcp,8020,s0)
+ network_port(giftd, tcp,1213,s0)
+ network_port(git, tcp,9418,s0, udp,9418,s0)
++network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
+ network_port(gopher, tcp,70,s0, udp,70,s0)
+ network_port(gpsd, tcp,2947,s0)
+ network_port(hadoop_datanode, tcp,50010,s0)
+@@ -114,12 +147,13 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
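Review bot: Only the registry side of the new glance service gets a port type here (`network_port(glance_registry, tcp,9191,s0, udp,9191,s0)`), while the new glance.te later in this commit declares two daemon domains, `glance_registry_t` and `glance_api_t`. The visible part of glance.te binds only the registry port; if `glance_api_t` listens on its own port, it will need a matching `network_port` entry in this file (the port number is not shown on this page) or its bind will be denied. Declaring UDP alongside TCP for an HTTP service follows this file's existing convention, so no objection there.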
@@ -12400,7 +12454,7 @@ index 99b71cb..2039d50 100644
network_port(ipmi, udp,623,s0, udp,664,s0)
network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +162,25 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +163,25 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -12429,7 +12483,7 @@ index 99b71cb..2039d50 100644
network_port(mpd, tcp,6600,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -155,13 +193,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
+@@ -155,13 +194,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
network_port(ntp, udp,123,s0)
@@ -12452,7 +12506,7 @@ index 99b71cb..2039d50 100644
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
-@@ -179,30 +225,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -179,30 +226,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
@@ -12492,7 +12546,7 @@ index 99b71cb..2039d50 100644
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -215,7 +266,7 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,7 +267,7 @@ network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -12501,7 +12555,7 @@ index 99b71cb..2039d50 100644
network_port(wccp, udp,2048,s0)
network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
network_port(xdmcp, udp,177,s0, tcp,177,s0)
-@@ -229,6 +280,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +281,7 @@ network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -12509,7 +12563,7 @@ index 99b71cb..2039d50 100644
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -238,6 +290,8 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +291,8 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -12518,7 +12572,7 @@ index 99b71cb..2039d50 100644
########################################
#
-@@ -282,9 +336,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +337,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -16121,7 +16175,7 @@ index 22821ff..20251b0 100644
########################################
#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..e2e6c3b 100644
+index 97fcdac..63e494f 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -16230,15 +16284,16 @@ index 97fcdac..e2e6c3b 100644
dev_search_sysfs($1)
')
-@@ -724,6 +787,7 @@ interface(`fs_read_cgroup_files',`
+@@ -724,6 +787,8 @@ interface(`fs_read_cgroup_files',`
')
read_files_pattern($1, cgroup_t, cgroup_t)
++ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
-@@ -743,6 +807,7 @@ interface(`fs_write_cgroup_files', `
+@@ -743,6 +808,7 @@ interface(`fs_write_cgroup_files', `
')
write_files_pattern($1, cgroup_t, cgroup_t)
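Review bot: `read_lnk_files_pattern($1, cgroup_t, cgroup_t)` is added only to `fs_read_cgroup_files`, while the `fs_rw_cgroup_files` and `fs_manage_cgroup_files` hunks directly below are renumbered without receiving the symlink read. A caller that is later upgraded from the read to the rw or manage interface would silently lose the ability to follow cgroup symlinks, which is the opposite of what the stronger interface name suggests. Adding the same `read_lnk_files_pattern` line to the rw and manage variants (or a comment stating why only the read variant follows symlinks) would keep the three interfaces consistent.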
@@ -16246,7 +16301,7 @@ index 97fcdac..e2e6c3b 100644
dev_search_sysfs($1)
')
-@@ -763,6 +828,7 @@ interface(`fs_rw_cgroup_files',`
+@@ -763,6 +829,7 @@ interface(`fs_rw_cgroup_files',`
')
rw_files_pattern($1, cgroup_t, cgroup_t)
@@ -16254,7 +16309,7 @@ index 97fcdac..e2e6c3b 100644
dev_search_sysfs($1)
')
-@@ -803,6 +869,7 @@ interface(`fs_manage_cgroup_files',`
+@@ -803,6 +870,7 @@ interface(`fs_manage_cgroup_files',`
')
manage_files_pattern($1, cgroup_t, cgroup_t)
@@ -16262,7 +16317,7 @@ index 97fcdac..e2e6c3b 100644
dev_search_sysfs($1)
')
-@@ -1107,6 +1174,24 @@ interface(`fs_read_noxattr_fs_files',`
+@@ -1107,6 +1175,24 @@ interface(`fs_read_noxattr_fs_files',`
########################################
## <summary>
@@ -16287,7 +16342,7 @@ index 97fcdac..e2e6c3b 100644
## Do not audit attempts to read all
## noxattrfs files.
## </summary>
-@@ -1265,6 +1350,42 @@ interface(`fs_dontaudit_append_cifs_files',`
+@@ -1265,6 +1351,42 @@ interface(`fs_dontaudit_append_cifs_files',`
########################################
## <summary>
@@ -16330,7 +16385,7 @@ index 97fcdac..e2e6c3b 100644
## Do not audit attempts to read or
## write files on a CIFS or SMB filesystem.
## </summary>
-@@ -1279,7 +1400,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1279,7 +1401,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
type cifs_t;
')
@@ -16339,7 +16394,7 @@ index 97fcdac..e2e6c3b 100644
')
########################################
-@@ -1542,6 +1663,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1542,6 +1664,25 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2)
')
@@ -16365,7 +16420,7 @@ index 97fcdac..e2e6c3b 100644
#######################################
## <summary>
## Create, read, write, and delete dirs
-@@ -2148,6 +2288,7 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,6 +2289,7 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -16373,7 +16428,7 @@ index 97fcdac..e2e6c3b 100644
')
########################################
-@@ -2480,6 +2621,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2622,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -16381,7 +16436,7 @@ index 97fcdac..e2e6c3b 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2518,6 +2660,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2661,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@@ -16389,7 +16444,7 @@ index 97fcdac..e2e6c3b 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2544,6 +2687,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2688,25 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@@ -16415,7 +16470,7 @@ index 97fcdac..e2e6c3b 100644
## Append files
## on a NFS filesystem.
## </summary>
-@@ -2584,6 +2746,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +2747,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
## <summary>
@@ -16458,7 +16513,7 @@ index 97fcdac..e2e6c3b 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </summary>
-@@ -2598,7 +2796,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +2797,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -16467,7 +16522,7 @@ index 97fcdac..e2e6c3b 100644
')
########################################
-@@ -2736,7 +2934,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +2935,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
@@ -16476,7 +16531,7 @@ index 97fcdac..e2e6c3b 100644
## </summary>
## </param>
#
-@@ -2772,7 +2970,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +2971,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -16485,7 +16540,7 @@ index 97fcdac..e2e6c3b 100644
## </summary>
## </param>
#
-@@ -2965,6 +3163,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3164,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -16493,7 +16548,7 @@ index 97fcdac..e2e6c3b 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3005,6 +3204,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3205,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -16501,7 +16556,7 @@ index 97fcdac..e2e6c3b 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3045,6 +3245,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3246,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -16509,7 +16564,7 @@ index 97fcdac..e2e6c3b 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3958,6 +4159,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4160,42 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
## <summary>
@@ -16552,7 +16607,7 @@ index 97fcdac..e2e6c3b 100644
## Create, read, write, and delete
## tmpfs directories
## </summary>
-@@ -4175,6 +4412,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4413,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -16577,7 +16632,7 @@ index 97fcdac..e2e6c3b 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4457,6 +4712,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4713,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -16586,7 +16641,7 @@ index 97fcdac..e2e6c3b 100644
')
########################################
-@@ -4503,7 +4760,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4761,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -16595,7 +16650,7 @@ index 97fcdac..e2e6c3b 100644
## Example attributes:
## </p>
## <ul>
-@@ -4866,3 +5123,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5124,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -22560,7 +22615,7 @@ index 6480167..13d57b7 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..ee04348 100644
+index 3136c6a..fddb752 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -22972,7 +23027,7 @@ index 3136c6a..ee04348 100644
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
-@@ -402,9 +505,20 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +505,100 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -22993,7 +23048,12 @@ index 3136c6a..ee04348 100644
logging_send_syslog_msg(httpd_t)
miscfiles_read_localization(httpd_t)
-@@ -416,34 +530,74 @@ seutil_dontaudit_search_config(httpd_t)
+ miscfiles_read_fonts(httpd_t)
+ miscfiles_read_public_files(httpd_t)
+ miscfiles_read_generic_certs(httpd_t)
++miscfiles_read_tetex_data(httpd_t)
+
+ seutil_dontaudit_search_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
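Review bot: `miscfiles_read_tetex_data(httpd_t)` is granted unconditionally with no comment on which web workload needs TeX data; the commit message only restates the rule. A one-line why-comment above it naming the use case would let a later reviewer judge whether this access belongs under one of the existing httpd tunables instead. The httpd_t block this sits in starts and ends outside the hunk.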
@@ -23070,7 +23130,7 @@ index 3136c6a..ee04348 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +610,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +611,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -23081,7 +23141,7 @@ index 3136c6a..ee04348 100644
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,15 +624,27 @@ tunable_policy(`httpd_enable_ftp_server',`
+@@ -466,15 +625,27 @@ tunable_policy(`httpd_enable_ftp_server',`
corenet_tcp_bind_ftp_port(httpd_t)
')
@@ -23111,7 +23171,7 @@ index 3136c6a..ee04348 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +654,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +655,16 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -23128,7 +23188,7 @@ index 3136c6a..ee04348 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +678,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +679,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -23149,7 +23209,7 @@ index 3136c6a..ee04348 100644
')
optional_policy(`
-@@ -513,7 +702,13 @@ optional_policy(`
+@@ -513,7 +703,13 @@ optional_policy(`
')
optional_policy(`
@@ -23164,7 +23224,7 @@ index 3136c6a..ee04348 100644
')
optional_policy(`
-@@ -528,7 +723,19 @@ optional_policy(`
+@@ -528,7 +724,19 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -23185,7 +23245,7 @@ index 3136c6a..ee04348 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +744,13 @@ optional_policy(`
+@@ -537,8 +745,13 @@ optional_policy(`
')
optional_policy(`
@@ -23200,7 +23260,7 @@ index 3136c6a..ee04348 100644
')
')
-@@ -556,7 +768,13 @@ optional_policy(`
+@@ -556,7 +769,13 @@ optional_policy(`
')
optional_policy(`
@@ -23214,7 +23274,7 @@ index 3136c6a..ee04348 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +785,7 @@ optional_policy(`
+@@ -567,6 +786,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -23222,7 +23282,7 @@ index 3136c6a..ee04348 100644
')
optional_policy(`
-@@ -577,6 +796,20 @@ optional_policy(`
+@@ -577,6 +797,20 @@ optional_policy(`
')
optional_policy(`
@@ -23243,7 +23303,7 @@ index 3136c6a..ee04348 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +824,11 @@ optional_policy(`
+@@ -591,6 +825,11 @@ optional_policy(`
')
optional_policy(`
@@ -23255,7 +23315,7 @@ index 3136c6a..ee04348 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +841,12 @@ optional_policy(`
+@@ -603,6 +842,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -23268,7 +23328,7 @@ index 3136c6a..ee04348 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +860,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +861,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -23281,7 +23341,7 @@ index 3136c6a..ee04348 100644
########################################
#
-@@ -654,28 +902,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +903,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -23325,7 +23385,7 @@ index 3136c6a..ee04348 100644
')
########################################
-@@ -685,6 +935,8 @@ optional_policy(`
+@@ -685,6 +936,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -23334,7 +23394,7 @@ index 3136c6a..ee04348 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +951,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +952,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -23360,7 +23420,7 @@ index 3136c6a..ee04348 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +997,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +998,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -23393,7 +23453,7 @@ index 3136c6a..ee04348 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1044,25 @@ optional_policy(`
+@@ -769,6 +1045,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -23419,7 +23479,7 @@ index 3136c6a..ee04348 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1083,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1084,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -23437,7 +23497,7 @@ index 3136c6a..ee04348 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1102,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1103,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -23494,7 +23554,7 @@ index 3136c6a..ee04348 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1153,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1154,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -23525,7 +23585,7 @@ index 3136c6a..ee04348 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1188,20 @@ optional_policy(`
+@@ -842,10 +1189,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -23546,7 +23606,7 @@ index 3136c6a..ee04348 100644
')
########################################
-@@ -891,11 +1247,48 @@ optional_policy(`
+@@ -891,11 +1248,48 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -34912,6 +34972,432 @@ index 7382f85..2ef543c 100644
+#
+git_role_template(git_shell)
+gen_user(git_shell_u, user, git_shell_r, s0, s0)
+diff --git a/policy/modules/services/glance.fc b/policy/modules/services/glance.fc
+new file mode 100644
+index 0000000..7d27335
+--- /dev/null
++++ b/policy/modules/services/glance.fc
+@@ -0,0 +1,14 @@
++
++/usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0)
++
++/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0)
++
++/var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0)
++
++/var/log/glance(/.*)? gen_context(system_u:object_r:glance_log_t,s0)
++
++/var/run/glance(/.*)? gen_context(system_u:object_r:glance_var_run_t,s0)
++
++/etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)
++
++/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
+diff --git a/policy/modules/services/glance.if b/policy/modules/services/glance.if
+new file mode 100644
+index 0000000..3b1870a
+--- /dev/null
++++ b/policy/modules/services/glance.if
+@@ -0,0 +1,272 @@
++
++## <summary>policy for glance</summary>
++
++
++########################################
++## <summary>
++## Transition to glance.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`glance_domtrans_registry',`
++ gen_require(`
++ type glance_registry_t, glance_registry_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, glance_registry_exec_t, glance_registry_t)
++')
++
++########################################
++## <summary>
++## Transition to glance.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`glance_domtrans_api',`
++ gen_require(`
++ type glance_api_t, glance_api_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, glance_api_exec_t, glance_api_t)
++')
++
++
++########################################
++## <summary>
++## Read glance's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`glance_read_log',`
++ gen_require(`
++ type glance_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, glance_log_t, glance_log_t)
++')
++
++########################################
++## <summary>
++## Append to glance log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`glance_append_log',`
++ gen_require(`
++ type glance_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, glance_log_t, glance_log_t)
++')
++
++########################################
++## <summary>
++## Manage glance log files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`glance_manage_log',`
++ gen_require(`
++ type glance_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, glance_log_t, glance_log_t)
++ manage_files_pattern($1, glance_log_t, glance_log_t)
++ manage_lnk_files_pattern($1, glance_log_t, glance_log_t)
++')
++
++########################################
++## <summary>
++## Search glance lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`glance_search_lib',`
++ gen_require(`
++ type glance_var_lib_t;
++ ')
++
++ allow $1 glance_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++## Read glance lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`glance_read_lib_files',`
++ gen_require(`
++ type glance_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage glance lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`glance_manage_lib_files',`
++ gen_require(`
++ type glance_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage glance lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`glance_manage_lib_dirs',`
++ gen_require(`
++ type glance_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, glance_var_lib_t, glance_var_lib_t)
++')
++
++
++########################################
++## <summary>
++## Read glance PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`glance_read_pid_files',`
++ gen_require(`
++ type glance_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, glance_var_run_t, glance_var_run_t)
++')
++
++########################################
++## <summary>
++## Manage glance PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`glance_manage_pid_files',`
++ gen_require(`
++ type glance_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, glance_var_run_t, glance_var_run_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an glance environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`glance_admin',`
++ gen_require(`
++ type glance_registry_t;
++ type glance_api_t;
++ type glance_log_t;
++ type glance_var_lib_t;
++ type glance_var_run_t;
++ type glance_registry_initrc_exec_t;
++ type glance_api_initrc_exec_t;
++ ')
++
++ allow $1 glance_registry_t:process { ptrace signal_perms };
++ ps_process_pattern($1, glance_registry_t)
++
++ allow $1 glance_api_t:process { ptrace signal_perms };
++ ps_process_pattern($1, glance_api_t)
++
++ init_labeled_script_domtrans($1, glance_registry_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 glance_registry_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ init_labeled_script_domtrans($1, glance_api_initrc_exec_t)
++ role_transition $2 glance_api_initrc_exec_t system_r;
++
++ logging_search_logs($1)
++ admin_pattern($1, glance_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, glance_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, glance_var_run_t)
++
++')
++
+diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
+new file mode 100644
+index 0000000..030a521
+--- /dev/null
++++ b/policy/modules/services/glance.te
+@@ -0,0 +1,122 @@
++policy_module(glance, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type glance_registry_t;
++type glance_registry_exec_t;
++init_daemon_domain(glance_registry_t, glance_registry_exec_t)
++
++type glance_registry_initrc_exec_t;
++init_script_file(glance_registry_initrc_exec_t)
++
++type glance_api_t;
++type glance_api_exec_t;
++init_daemon_domain(glance_api_t, glance_api_exec_t)
++
++type glance_api_initrc_exec_t;
++init_script_file(glance_api_initrc_exec_t)
++
++type glance_log_t;
++logging_log_file(glance_log_t)
++
++type glance_var_lib_t;
++files_type(glance_var_lib_t)
++
++type glance_tmp_t;
++files_tmp_file(glance_tmp_t)
++
++type glance_var_run_t;
++files_pid_file(glance_var_run_t)
++
++########################################
++#
++# glance-registry local policy
++#
++
++allow glance_registry_t self:fifo_file rw_fifo_file_perms;
++allow glance_registry_t self:unix_stream_socket create_stream_socket_perms;
++allow glance_registry_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(glance_registry_t, glance_log_t, glance_log_t)
++manage_files_pattern(glance_registry_t, glance_log_t, glance_log_t)
++logging_log_filetrans(glance_registry_t, glance_log_t, { dir file })
++
++manage_dirs_pattern(glance_registry_t, glance_var_lib_t, glance_var_lib_t)
++manage_files_pattern(glance_registry_t, glance_var_lib_t, glance_var_lib_t)
++files_var_lib_filetrans(glance_registry_t, glance_var_lib_t, { dir file })
++
++manage_dirs_pattern(glance_registry_t, glance_var_run_t, glance_var_run_t)
++manage_files_pattern(glance_registry_t, glance_var_run_t, glance_var_run_t)
++files_pid_filetrans(glance_registry_t, glance_var_run_t, { dir file })
++
++kernel_read_system_state(glance_registry_t)
++
++corecmd_exec_bin(glance_registry_t)
++
++corenet_tcp_bind_generic_node(glance_registry_t)
++corenet_tcp_bind_glance_registry_port(glance_registry_t)
++
++dev_read_urand(glance_registry_t)
++
++domain_use_interactive_fds(glance_registry_t)
++
++files_read_etc_files(glance_registry_t)
++files_read_usr_files(glance_registry_t)
++
++miscfiles_read_localization(glance_registry_t)
++
++sysnet_dns_name_resolve(glance_registry_t)
++
++########################################
++#
++# glance-api local policy
++#
++
++allow glance_api_t self:fifo_file rw_fifo_file_perms;
++allow glance_api_t self:unix_stream_socket create_stream_socket_perms;
++allow glance_api_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
++manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
++files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
++can_exec(glance_api_t, glance_tmp_t)
++
++manage_dirs_pattern(glance_api_t, glance_log_t, glance_log_t)
++manage_files_pattern(glance_api_t, glance_log_t, glance_log_t)
++logging_log_filetrans(glance_api_t, glance_log_t, { dir file })
++
++manage_dirs_pattern(glance_api_t, glance_var_lib_t, glance_var_lib_t)
++manage_files_pattern(glance_api_t, glance_var_lib_t, glance_var_lib_t)
++files_var_lib_filetrans(glance_api_t, glance_var_lib_t, { dir file })
++
++manage_dirs_pattern(glance_api_t, glance_var_run_t, glance_var_run_t)
++manage_files_pattern(glance_api_t, glance_var_run_t, glance_var_run_t)
++files_pid_filetrans(glance_api_t, glance_var_run_t, { dir file })
++
++kernel_read_system_state(glance_api_t)
++
++corecmd_exec_bin(glance_api_t)
++corecmd_exec_shell(glance_api_t)
++
++corenet_tcp_bind_generic_node(glance_api_t)
++corenet_tcp_bind_hplip_port(glance_api_t)
++
++dev_read_urand(glance_api_t)
++
++domain_use_interactive_fds(glance_api_t)
++
++files_read_etc_files(glance_api_t)
++files_read_usr_files(glance_api_t)
++
++libs_exec_ldconfig(glance_api_t)
++
++miscfiles_read_localization(glance_api_t)
++
++sysnet_read_config(glance_api_t)
++
++sysnet_dns_name_resolve(glance_api_t)
++
++
diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc
index 462de63..5df751b 100644
--- a/policy/modules/services/gnomeclock.fc
@@ -38671,6 +39157,19 @@ index db4fd6f..5008a6c 100644
+ files_list_pids($1)
admin_pattern($1, memcached_var_run_t)
')
+diff --git a/policy/modules/services/memcached.te b/policy/modules/services/memcached.te
+index b681608..08b1b49 100644
+--- a/policy/modules/services/memcached.te
++++ b/policy/modules/services/memcached.te
+@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
+ # memcached local policy
+ #
+
+-allow memcached_t self:capability { setuid setgid };
++allow memcached_t self:capability { setuid setgid sys_resource };
+ dontaudit memcached_t self:capability sys_tty_config;
+ allow memcached_t self:process { setrlimit signal_perms };
+ allow memcached_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
index 55a3e2f..bc489e0 100644
--- a/policy/modules/services/milter.fc
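Review bot: The new `sys_resource` grant on memcached_t is unconditional even though the changelog frames it as something memcached "can be setup" to need, presumably raising its own rlimits past the hard limit at startup (the domain already has `self:process setrlimit` two lines below). A capability that lets the daemon override resource limits is worth gating rather than carrying on every install: wrap it in a `tunable_policy` block keyed on a new boolean (for example memcached_override_rlimits, declared with a `gen_tunable` and a summary), or at minimum put a why-comment above the allow naming the configuration that triggers it, e.g. `# CAP_SYS_RESOURCE: memcached raises its fd/core rlimits when configured to`. The memcached_t local policy section continues outside this hunk.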
@@ -55259,7 +55758,7 @@ index 7c5d8d8..d83a9a2 100644
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..9c42952 100644
+index 3eca020..2ffbc3a 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,67 @@ policy_module(virt, 1.4.0)
@@ -55771,7 +56270,7 @@ index 3eca020..9c42952 100644
logging_send_syslog_msg(virt_domain)
miscfiles_read_localization(virt_domain)
-@@ -457,8 +611,176 @@ optional_policy(`
+@@ -457,8 +611,177 @@ optional_policy(`
')
optional_policy(`
@@ -55821,6 +56320,7 @@ index 3eca020..9c42952 100644
+corenet_tcp_sendrecv_generic_node(virsh_t)
+corenet_tcp_connect_soundd_port(virsh_t)
+
++dev_read_rand(virsh_t)
+dev_read_urand(virsh_t)
+dev_read_sysfs(virsh_t)
+
@@ -60943,7 +61443,7 @@ index 94fd8dd..3e8f08e 100644
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..f131c5a 100644
+index 29a9565..b400c03 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -61128,8 +61628,7 @@ index 29a9565..f131c5a 100644
+storage_raw_rw_fixed_disk(init_t)
+
- optional_policy(`
-- auth_rw_login_records(init_t)
++optional_policy(`
+ modutils_domtrans_insmod(init_t)
+')
+
@@ -61233,30 +61732,31 @@ index 29a9565..f131c5a 100644
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
+
-+optional_policy(`
+ optional_policy(`
+- auth_rw_login_records(init_t)
+ lvm_rw_pipes(init_t)
-+')
-+
-+optional_policy(`
-+ consolekit_manage_log(init_t)
')
optional_policy(`
-+ dbus_connect_system_bus(init_t)
- dbus_system_bus_client(init_t)
-+ dbus_delete_pid_files(init_t)
++ consolekit_manage_log(init_t)
+')
+
+optional_policy(`
++ dbus_connect_system_bus(init_t)
+ dbus_system_bus_client(init_t)
++ dbus_delete_pid_files(init_t)
+ ')
+
+ optional_policy(`
+- nscd_socket_use(init_t)
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(init_t)
++')
++
++optional_policy(`
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
')
@@ -61637,7 +62137,18 @@ index 29a9565..f131c5a 100644
')
optional_policy(`
-@@ -649,6 +968,11 @@ optional_policy(`
+@@ -632,6 +951,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ glance_manage_pid_files(initrc_t)
++')
++
++optional_policy(`
+ gpm_setattr_gpmctl(initrc_t)
+ ')
+
+@@ -649,6 +972,11 @@ optional_policy(`
')
optional_policy(`
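Review bot: `glance_manage_pid_files(initrc_t)` grants only file operations plus `files_search_pids` (the interface body is visible earlier in this diff), so if the init script creates `/var/run/glance` itself before starting the daemon, initrc_t gets no dir rules or file transition on glance_var_run_t and the directory ends up with whatever label initrc_t's generic pid rules give it; the daemons' own `files_pid_filetrans(..., { dir file })` only labels directories they create themselves. If that is how the init script behaves, the interface should also carry `manage_dirs_pattern($1, glance_var_run_t, glance_var_run_t)` and `files_pid_filetrans($1, glance_var_run_t, dir)`; if the daemons create the directory, the call is fine as is. This optional_policy block sits in init.te's initrc_t section, which extends beyond the hunk.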
@@ -61649,7 +62160,7 @@ index 29a9565..f131c5a 100644
inn_exec_config(initrc_t)
')
-@@ -689,6 +1013,7 @@ optional_policy(`
+@@ -689,6 +1017,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -61657,7 +62168,7 @@ index 29a9565..f131c5a 100644
')
optional_policy(`
-@@ -706,7 +1031,13 @@ optional_policy(`
+@@ -706,7 +1035,13 @@ optional_policy(`
')
optional_policy(`
@@ -61671,7 +62182,7 @@ index 29a9565..f131c5a 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1060,10 @@ optional_policy(`
+@@ -729,6 +1064,10 @@ optional_policy(`
')
optional_policy(`
@@ -61682,7 +62193,7 @@ index 29a9565..f131c5a 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1073,20 @@ optional_policy(`
+@@ -738,10 +1077,20 @@ optional_policy(`
')
optional_policy(`
@@ -61703,7 +62214,7 @@ index 29a9565..f131c5a 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1095,10 @@ optional_policy(`
+@@ -750,6 +1099,10 @@ optional_policy(`
')
optional_policy(`
@@ -61714,7 +62225,7 @@ index 29a9565..f131c5a 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1120,6 @@ optional_policy(`
+@@ -771,8 +1124,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -61723,7 +62234,7 @@ index 29a9565..f131c5a 100644
')
optional_policy(`
-@@ -790,10 +1137,12 @@ optional_policy(`
+@@ -790,10 +1141,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -61736,7 +62247,7 @@ index 29a9565..f131c5a 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1154,6 @@ optional_policy(`
+@@ -805,7 +1158,6 @@ optional_policy(`
')
optional_policy(`
@@ -61744,7 +62255,7 @@ index 29a9565..f131c5a 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -815,11 +1163,24 @@ optional_policy(`
+@@ -815,11 +1167,24 @@ optional_policy(`
')
optional_policy(`
@@ -61770,7 +62281,7 @@ index 29a9565..f131c5a 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1190,25 @@ optional_policy(`
+@@ -829,6 +1194,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -61796,7 +62307,7 @@ index 29a9565..f131c5a 100644
')
optional_policy(`
-@@ -844,6 +1224,10 @@ optional_policy(`
+@@ -844,6 +1228,10 @@ optional_policy(`
')
optional_policy(`
@@ -61807,7 +62318,7 @@ index 29a9565..f131c5a 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1238,149 @@ optional_policy(`
+@@ -854,3 +1242,149 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -64826,21 +65337,24 @@ index 4d06ae3..e81b7ac 100644
seutil_sigchld_newrole(cardmgr_t)
')
diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
-index ed9c70d..b961d53 100644
+index ed9c70d..7a6f23a 100644
--- a/policy/modules/system/raid.fc
+++ b/policy/modules/system/raid.fc
-@@ -1,4 +1,10 @@
+@@ -1,6 +1,13 @@
-/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
+/dev/.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0)
+/dev/md(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
-+
+
+#669402
+/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-+/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-+/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-
/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+
+ /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
++
++/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++/usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if
index b1a85b5..db0d815 100644
--- a/policy/modules/system/raid.if
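Review bot: Labeling `/usr/sbin/raid-check` as `mdadm_exec_t` (with the companion raid.te hunk adding `cron_system_entry(mdadm_t, mdadm_exec_t)`) means the whole program runs in mdadm_t with the `dac_override sys_admin ipc_lock` capabilities that domain carries, and if raid-check is the cron-driven shell script its name suggests, that is a shell interpreter and every tool it calls inheriting those capabilities. Confirm that mdadm_t is allowed `corecmd_exec_shell` and `corecmd_exec_bin`, which I do not see granted in the raid.te hunks of this diff, otherwise the cron job fails at its first external command; and if the script only needs sysfs writes, a small dedicated domain would avoid handing a shell the full mdadm_t set. Minor: the new entries sit after the `/var/run/mdadm` line, breaking the file's path ordering, so grouping them with the other `/usr/sbin` entries keeps the fc sorted.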
@@ -64871,7 +65385,7 @@ index b1a85b5..db0d815 100644
## </summary>
## <desc>
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
-index a19ecea..dbcca4d 100644
+index a19ecea..63c3936 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -10,11 +10,9 @@ type mdadm_exec_t;
@@ -64888,9 +65402,12 @@ index a19ecea..dbcca4d 100644
########################################
#
-@@ -25,13 +23,13 @@ allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+@@ -23,15 +21,15 @@ files_pid_file(mdadm_var_run_t)
+
+ allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
dontaudit mdadm_t self:capability sys_tty_config;
- allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
+-allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
++allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
+allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
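Review bot: `setsched` on `self:process` covers only the SELinux side of a scheduler change; if mdadm is raising its priority or switching to a real-time class, the kernel also checks CAP_SYS_NICE and the next denial will be `self:capability sys_nice`, which this hunk does not add to the `dac_override sys_admin ipc_lock` line above. If the call is only lowering priority (e.g. nicing a resync), the change as written is sufficient. Either way a why-comment would help the next reader, e.g. `# mdadm adjusts its own scheduling priority during array operations` above the process line.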
@@ -64933,6 +65450,17 @@ index a19ecea..dbcca4d 100644
term_dontaudit_list_ptys(mdadm_t)
+@@ -84,6 +86,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
+ mta_send_mail(mdadm_t)
+
+ optional_policy(`
++ cron_system_entry(mdadm_t, mdadm_exec_t)
++')
++
++optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(mdadm_t)
+ ')
+
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 2cc4bda..167c358 100644
--- a/policy/modules/system/selinuxutil.fc
@@ -66435,10 +66963,10 @@ index 34d0ec5..ac52258 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
-index 0000000..500db64
+index 0000000..839455d
--- /dev/null
+++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,18 @@
+@@ -0,0 +1,19 @@
+/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
+
+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
@@ -66457,6 +66985,7 @@ index 0000000..500db64
+/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0)
+/dev/\.systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0)
++/var/run/initramfs <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
index 0000000..fc27830
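Review bot: `/var/run/initramfs <<none>>` matches only the directory itself: file-context lookup takes the best regex match per path, so `/var/run/initramfs/bin/sh` still matches `/var/run(/.*)?` and a recursive restorecon relabels everything beneath it, which is exactly what the changelog says should not happen. If the intent is to leave the unpacked initramfs tree alone (its contents presumably carry their own labels from when it was unpacked), the pattern should be `/var/run/initramfs(/.*)? <<none>>`. Minor: the line is appended after the `/dev/\.systemd` entry, so placing it with the other `/var/run/systemd` entries keeps the file's grouping readable.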
@@ -66842,10 +67371,10 @@ index 0000000..fc27830
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..d1bcd34
+index 0000000..a91d3dd
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,346 @@
+@@ -0,0 +1,352 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -66932,6 +67461,7 @@ index 0000000..d1bcd34
+dev_setattr_sound_dev(systemd_logind_t)
+dev_setattr_generic_usb_dev(systemd_logind_t)
+dev_setattr_video_dev(systemd_logind_t)
++dev_setattr_all_chr_files(systemd_logind_t)
+
+# /etc/udev/udev.conf should probably have a private type if only for confined administration
+# /etc/nsswitch.conf
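Review bot: `dev_setattr_all_chr_files(systemd_logind_t)` grants `setattr` on every character device node, which subsumes the three specific `dev_setattr_*` rules right above it and reaches devices logind has no business touching (memory, tty and disk-control nodes are all chr_file). If the denial that prompted this was for one device class missing from the list (input, DRI, etc.), add that class's `dev_setattr_*` interface instead and keep the broad one out; if the broad grant is really needed because logind applies ACLs to arbitrary seat-tagged devices, drop the now-redundant sound/usb/video lines and add a why-comment such as `# logind applies per-seat ACLs to whatever chr devices udev tags for the seat` so the scope is deliberate and visible. The systemd_logind_t section continues outside this hunk.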
@@ -66986,7 +67516,7 @@ index 0000000..d1bcd34
+# Local policy
+#
+
-+allow systemd_passwd_agent_t self:capability chown;
++allow systemd_passwd_agent_t self:capability { chown sys_tty_config };
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
@@ -67002,6 +67532,8 @@ index 0000000..d1bcd34
+dev_read_generic_files(systemd_passwd_agent_t)
+dev_write_generic_sock_files(systemd_passwd_agent_t)
+
++term_read_console(systemd_passwd_agent_t)
++
+auth_use_nsswitch(systemd_passwd_agent_t)
+
+init_create_pid_dirs(systemd_passwd_agent_t)
@@ -67031,6 +67563,7 @@ index 0000000..d1bcd34
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
+
+kernel_read_network_state(systemd_tmpfiles_t)
++files_delete_kernel_modules(systemd_tmpfiles_t)
+
+dev_write_kmsg(systemd_tmpfiles_t)
+
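Review bot: `files_delete_kernel_modules(systemd_tmpfiles_t)` is wider than the changelog's "kernel modules left in /tmp": it allows unlinking `modules_object_t` files wherever they live, including under `/lib/modules`, so a mistaken or malicious tmpfiles.d entry could remove installed modules. If the real problem is stray `modules_object_t` files under `/tmp` (left by a build or a mislabeled copy), fixing the producer or having those files land as a tmp type keeps tmpfiles confined to tmp labels; if the broad grant stays, add a why-comment naming the producer so the scope is traceable. The call is also placed between `kernel_read_network_state` and `dev_write_kmsg`, while refpolicy orders calls by module (kernel, corecmd, dev, files ...); moving it below the `dev_` line keeps the block consistent with the rest of the file.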
@@ -67135,6 +67668,7 @@ index 0000000..d1bcd34
+domain_use_interactive_fds(systemd_notify_t)
+
+files_read_etc_files(systemd_notify_t)
++files_read_usr_files(systemd_notify_t)
+
+fs_getattr_cgroup_files(systemd_notify_t)
+
@@ -67164,6 +67698,7 @@ index 0000000..d1bcd34
+domain_use_interactive_fds(systemd_logger_t)
+
+files_read_etc_files(systemd_logger_t)
++files_read_usr_files(systemd_logger_t)
+
+# only needs write
+term_use_generic_ptys(systemd_logger_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 23c0704..e39ed40 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 22%{?dist}
+Release: 23%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Aug 30 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-23
+- Add glance policy
+- Allow mdadm setsched
+- /var/run/initramfs should not be relabeled with a restorecon run
+- memcache can be setup to override sys_resource
+- Allow httpd_t to read tetex data
+- Allow systemd_tmpfiles to delete kernel modules left in /tmp directory.
+
* Mon Aug 29 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-22
- Allow Postfix to deliver to Dovecot LMTP socket
- Ignore bogus sys_module for lldpad