[selinux-policy/f15] +- Allow gnomeclock to send system log msgs +- Users that use X and spice need to use the virtio dev
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Dec 2 14:00:21 UTC 2011
commit 430cd7d4cfb3dd3a2463382e4229e79823cf882e
Author: Miroslav <mgrepl at redhat.com>
Date: Fri Dec 2 15:00:12 2011 +0100
+- Allow gnomeclock to send system log msgs
+- Users that use X and spice need to use the virtio device
+- squashfs supports extended attributes
+- Allow system_cronjob to dbus chat with NetworkManager
+- Allow all postfix domains to use the fifo_file
+- Allow squid to check the network state
+- Allow spamd to send mail
policy-F15.patch | 435 +++++++++++++++++++++++++++++++--------------------
selinux-policy.spec | 11 ++-
2 files changed, 277 insertions(+), 169 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index cf7f93e..6c38aff 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -991,7 +991,7 @@ index 75ce30f..c79d7db 100644
+ cron_use_system_job_fds(logwatch_mail_t)
+')
diff --git a/policy/modules/admin/mcelog.fc b/policy/modules/admin/mcelog.fc
-index 56c43c0..0641226 100644
+index 56c43c0..409bbfc 100644
--- a/policy/modules/admin/mcelog.fc
+++ b/policy/modules/admin/mcelog.fc
@@ -1 +1,5 @@
@@ -999,9 +999,9 @@ index 56c43c0..0641226 100644
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
+
-+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
++/var/run/mcelog.* gen_context(system_u:object_r:mcelog_var_run_t,s0)
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
-index 5671977..ef8bc09 100644
+index 5671977..034908d 100644
--- a/policy/modules/admin/mcelog.te
+++ b/policy/modules/admin/mcelog.te
@@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0)
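Review bot: The replacement entry `/var/run/mcelog.* gen_context(system_u:object_r:mcelog_var_run_t,s0)` drops the `-s` qualifier and uses an unanchored `.*`, so it labels an object of any class whose name merely starts with `mcelog` under /var/run, not just the client socket. That appears intended, since the mcelog.te hunk that follows widens the transition to `{ dir file sock_file }`, but it will also claim any unrelated `/var/run/mcelog...` entry another package creates. If only the socket and a pid file are expected, enumerating them (constructed example: `/var/run/mcelog(-client|\.pid)?`) keeps the label scoped to mcelog's own objects.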
@@ -1031,7 +1031,7 @@ index 5671977..ef8bc09 100644
+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
-+files_pid_filetrans(mcelog_t, mcelog_var_run_t, sock_file )
++files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file } )
+
kernel_read_system_state(mcelog_t)
@@ -10403,7 +10403,7 @@ index 82842a0..4111a1d 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..77900bf 100644
+index 34c9d01..94d031b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -10513,6 +10513,29 @@ index 34c9d01..77900bf 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
+@@ -372,8 +387,6 @@ ifdef(`distro_suse', `
+ /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
+
+ /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
+ /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+@@ -382,3 +395,13 @@ ifdef(`distro_suse', `
+ ifdef(`distro_suse',`
+ /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
+ ')
++
++#
++# /usr/lib
++#
++
++/usr/lib/iscan/network -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 9e9263a..24018ce 100644
--- a/policy/modules/kernel/corecommands.if
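Review bot: The two gem entries in the new `/usr/lib` section, `/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?` and `/usr/lib/ruby/gems/.*/agents(/.*)?`, label a `helper-scripts` or `agents` directory of any installed gem as bin_t, so every domain with corecmd_exec_bin may execute content from any gem that happens to use those directory names. If these are meant for particular gems, anchoring the pattern to the gem name (constructed example: `/usr/lib/ruby/gems(/.*)?/<gem-name>[^/]*/agents(/.*)?`) narrows the scope; at minimum a comment naming the consuming packages would let a later reviewer decide whether the entries are still needed. Folding the two yp lines into `/usr/lib(64)?/yp/.+` and moving them out of the `/var` section looks correct.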
@@ -14966,10 +14989,18 @@ index dfe361a..8617d89 100644
+')
+
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e49c148..4d6bbf4 100644
+index e49c148..c0b99b5 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
-@@ -52,6 +52,7 @@ type anon_inodefs_t;
+@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_task squashfs gen_context(system_u:object_r:fs_t,s0);
+
+ # Use the allocating task SID to label inodes in the following filesystem
+ # types, and label the filesystem itself with the specified context.
+@@ -52,6 +53,7 @@ type anon_inodefs_t;
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
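Review bot: The added statement `fs_use_task squashfs gen_context(system_u:object_r:fs_t,s0);` does not match the changelog entry "squashfs supports extended attributes", and it is placed in the `fs_use_xattr` block right after xfs, just above the comment that introduces the task-labelled filesystems. With `fs_use_task` the inodes take the SID of the accessing task rather than the label stored on disk, so the xattrs the changelog refers to would be ignored and files on a squashfs image would appear with whatever domain touches them. If the intent is the changelog's, the line should read `fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);`; if fs_use_task is really wanted, a comment explaining why belongs next to it. The later filesystem.te hunk removes `type squash_t` and its genfscon, so squashfs labelling will rest entirely on this statement.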
@@ -14977,7 +15008,7 @@ index e49c148..4d6bbf4 100644
type bdev_t;
fs_type(bdev_t)
-@@ -67,10 +68,11 @@ fs_type(capifs_t)
+@@ -67,10 +69,11 @@ fs_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
@@ -14990,7 +15021,7 @@ index e49c148..4d6bbf4 100644
genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
type configfs_t;
-@@ -100,12 +102,22 @@ type hugetlbfs_t;
+@@ -100,12 +103,22 @@ type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -15013,20 +15044,23 @@ index e49c148..4d6bbf4 100644
type inotifyfs_t;
fs_type(inotifyfs_t)
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
-@@ -148,6 +160,12 @@ fs_type(squash_t)
- genfscon squash / gen_context(system_u:object_r:squash_t,s0)
- files_mountpoint(squash_t)
-
+@@ -143,10 +156,11 @@ fs_type(spufs_t)
+ genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
+ files_mountpoint(spufs_t)
+
+-type squash_t;
+-fs_type(squash_t)
+-genfscon squash / gen_context(system_u:object_r:squash_t,s0)
+-files_mountpoint(squash_t)
+type sysv_t;
+fs_noxattr_type(sysv_t)
+files_mountpoint(sysv_t)
+genfscon sysv / gen_context(system_u:object_r:sysv_t,s0)
+genfscon v7 / gen_context(system_u:object_r:sysv_t,s0)
-+
+
type vmblock_t;
fs_noxattr_type(vmblock_t)
- files_mountpoint(vmblock_t)
-@@ -168,6 +186,7 @@ fs_type(tmpfs_t)
+@@ -168,6 +182,7 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
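Review bot: Removing `type squash_t`, `fs_type(squash_t)`, `files_mountpoint(squash_t)` and the `genfscon squash /` line deletes a public type from the base policy, so any module or local policy that still names squash_t in a `gen_require` will stop building once this ships. If the type is genuinely obsolete, a `typealias fs_t alias squash_t;` (or an alias to whichever type now covers the mount) keeps existing references and file contexts valid through the transition; whether such references exist is not visible from this hunk. A one-line comment at the removal site stating that squashfs is now handled by the fs_use_* statement would also explain the deletion to the next reader.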
@@ -15034,7 +15068,7 @@ index e49c148..4d6bbf4 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -247,6 +266,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -247,6 +262,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -15043,7 +15077,7 @@ index e49c148..4d6bbf4 100644
files_mountpoint(removable_t)
#
-@@ -266,6 +287,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -266,6 +283,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -24672,10 +24706,10 @@ index 0000000..939d76e
+')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
-index 0000000..2d54d11
+index 0000000..9b61bfa
--- /dev/null
+++ b/policy/modules/services/colord.te
-@@ -0,0 +1,135 @@
+@@ -0,0 +1,150 @@
+policy_module(colord,1.0.0)
+
+########################################
@@ -24683,6 +24717,13 @@ index 0000000..2d54d11
+# Declarations
+#
+
++## <desc>
++## <p>
++## Allow colord domain to connect to the network using TCP.
++## </p>
++## </desc>
++gen_tunable(colord_can_network_connect, false)
++
+type colord_t;
+type colord_exec_t;
+dbus_system_domain(colord_t, colord_exec_t)
@@ -24708,6 +24749,7 @@ index 0000000..2d54d11
+allow colord_t self:process signal;
+allow colord_t self:fifo_file rw_fifo_file_perms;
+allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow colord_t self:tcp_socket create_stream_socket_perms;
+allow colord_t self:udp_socket create_socket_perms;
+allow colord_t self:unix_dgram_socket create_socket_perms;
+
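Review bot: `allow colord_t self:tcp_socket create_stream_socket_perms;` is added unconditionally, while the only TCP use this commit introduces, `corenet_tcp_connect_all_ports(colord_t)`, is gated by the new `colord_can_network_connect` boolean in the later colord.te hunk. With the boolean off (its default) colord can still create, bind and listen on TCP sockets that no rule lets it use, which is harmless by itself but not least privilege; moving the socket rule inside the `tunable_policy(`colord_can_network_connect',`` block keeps the whole capability behind one switch. When the boolean is on, connecting to every port is broad — if colord only needs to fetch profiles over HTTP, `corenet_tcp_connect_http_port(colord_t)` would be the narrower grant, though the hunk does not say what the connection is for.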
@@ -24724,12 +24766,14 @@ index 0000000..2d54d11
+files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
+
+kernel_read_network_state(colord_t)
++kernel_read_net_sysctls(colord_t)
+kernel_read_system_state(colord_t)
+kernel_read_device_sysctls(colord_t)
+kernel_request_load_module(colord_t)
+
+# reads *.ini files
+corecmd_exec_bin(colord_t)
++corecmd_exec_shell(colord_t)
+
+corenet_udp_bind_generic_node(colord_t)
+corenet_udp_bind_ipp_port(colord_t)
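Review bot: `corecmd_exec_shell(colord_t)` lets the colord daemon run a shell, which widens the domain well beyond the `corecmd_exec_bin` already present, and the existing `# reads *.ini files` comment above does not cover it. A why-comment naming what spawns the shell, e.g. `# <helper or script> is invoked via /bin/sh`, would let a later reviewer tell whether the rule is still required. The new `kernel_read_net_sysctls(colord_t)` likewise arrives without a reason; if it is only needed for the TCP path it may belong under the new boolean rather than unconditionally.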
@@ -24769,8 +24813,13 @@ index 0000000..2d54d11
+miscfiles_read_localization(colord_t)
+
+userdom_read_inherited_user_home_content_files(colord_t)
++fs_getattr_tmpfs(colord_t)
+userdom_rw_user_tmpfs_files(colord_t)
+
++tunable_policy(`colord_can_network_connect',`
++ corenet_tcp_connect_all_ports(colord_t)
++')
++
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(colord_t)
+')
@@ -25580,7 +25629,7 @@ index 35241ed..372d2c1 100644
+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..319de67 100644
+index f7583ab..1ceda37 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@@ -25947,7 +25996,18 @@ index f7583ab..319de67 100644
')
optional_policy(`
-@@ -480,7 +570,7 @@ optional_policy(`
+@@ -472,6 +562,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ networkmanager_dbus_chat(system_cronjob_t)
++')
++
++optional_policy(`
+ postfix_read_config(system_cronjob_t)
+ ')
+
+@@ -480,7 +574,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
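Review bot: `networkmanager_dbus_chat(system_cronjob_t)` grants every system cron job two-way D-Bus messaging with NetworkManager, which is enough to drive its D-Bus API rather than merely query it. Because system_cronjob_t covers all system cron jobs, this is a broad grant for what the changelog describes as a single need; a comment naming the job that requires it, e.g. `# <package> cron job talks to NetworkManager over D-Bus`, or confining that job in its own domain, would document and bound the scope. The enclosing `optional_policy` blocks are complete within the hunk.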
@@ -25956,7 +26016,7 @@ index f7583ab..319de67 100644
')
optional_policy(`
-@@ -495,6 +585,7 @@ optional_policy(`
+@@ -495,6 +589,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -25964,7 +26024,7 @@ index f7583ab..319de67 100644
')
optional_policy(`
-@@ -502,7 +593,13 @@ optional_policy(`
+@@ -502,7 +597,13 @@ optional_policy(`
')
optional_policy(`
@@ -25978,7 +26038,7 @@ index f7583ab..319de67 100644
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -595,9 +692,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +696,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -28320,10 +28380,10 @@ index 9bd812b..c808b31 100644
')
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..06021d4 100644
+index fdaeeba..1859597 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
-@@ -48,11 +48,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+@@ -48,11 +48,14 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
@@ -28334,11 +28394,12 @@ index fdaeeba..06021d4 100644
kernel_read_kernel_sysctls(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)
++kernel_read_network_state(dnsmasq_t)
+kernel_request_load_module(dnsmasq_t)
corenet_all_recvfrom_unlabeled(dnsmasq_t)
corenet_all_recvfrom_netlabel(dnsmasq_t)
-@@ -88,6 +90,8 @@ logging_send_syslog_msg(dnsmasq_t)
+@@ -88,6 +91,8 @@ logging_send_syslog_msg(dnsmasq_t)
miscfiles_read_localization(dnsmasq_t)
@@ -28347,7 +28408,7 @@ index fdaeeba..06021d4 100644
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -96,7 +100,20 @@ optional_policy(`
+@@ -96,7 +101,20 @@ optional_policy(`
')
optional_policy(`
@@ -28368,17 +28429,17 @@ index fdaeeba..06021d4 100644
')
optional_policy(`
-@@ -114,4 +131,5 @@ optional_policy(`
+@@ -114,4 +132,5 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
+ virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
')
diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
-index bfc880b..9a1dcba 100644
+index bfc880b..9089c1a 100644
--- a/policy/modules/services/dovecot.fc
+++ b/policy/modules/services/dovecot.fc
-@@ -25,7 +25,7 @@ ifdef(`distro_debian', `
+@@ -25,13 +25,14 @@ ifdef(`distro_debian', `
ifdef(`distro_redhat', `
/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
@@ -28387,6 +28448,13 @@ index bfc880b..9a1dcba 100644
/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
')
+ #
+ # /var
+ #
++/var/run/stats-mail gen_context(system_u:object_r:dovecot_var_run_t,s0)
+ /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+ /var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
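Review bot: The new entry `/var/run/stats-mail gen_context(system_u:object_r:dovecot_var_run_t,s0)` has no object-class qualifier, so it matches a regular file, directory or socket at that path equally. The dovecot.te hunk in this same commit adds `manage_fifo_files_pattern` and a `fifo_file` transition for dovecot_var_run_t, which suggests this object is a named pipe; if so, `/var/run/stats-mail -p gen_context(system_u:object_r:dovecot_var_run_t,s0)` restricts the label to that class. A short comment on why this pipe lives directly under /var/run rather than under /var/run/dovecot, which the next line already covers, would help the next maintainer.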
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
index e1d7dc5..673f185 100644
--- a/policy/modules/services/dovecot.if
@@ -28481,7 +28549,7 @@ index e1d7dc5..673f185 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index cbe14e4..b0a8e17 100644
+index cbe14e4..2e6b874 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -28526,7 +28594,7 @@ index cbe14e4..b0a8e17 100644
files_search_etc(dovecot_t)
can_exec(dovecot_t, dovecot_exec_t)
-@@ -94,10 +99,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+@@ -94,10 +99,12 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@@ -28535,11 +28603,12 @@ index cbe14e4..b0a8e17 100644
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
-+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file })
++manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
++files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)
-@@ -110,6 +116,8 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
+@@ -110,6 +117,8 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_generic_node(dovecot_t)
corenet_tcp_bind_mail_port(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
@@ -28548,7 +28617,7 @@ index cbe14e4..b0a8e17 100644
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
corenet_sendrecv_pop_server_packets(dovecot_t)
-@@ -159,6 +167,15 @@ optional_policy(`
+@@ -159,6 +168,15 @@ optional_policy(`
')
optional_policy(`
@@ -28564,7 +28633,7 @@ index cbe14e4..b0a8e17 100644
postgresql_stream_connect(dovecot_t)
')
-@@ -179,7 +196,7 @@ optional_policy(`
+@@ -179,7 +197,7 @@ optional_policy(`
# dovecot auth local policy
#
@@ -28573,7 +28642,7 @@ index cbe14e4..b0a8e17 100644
allow dovecot_auth_t self:process { signal_perms getcap setcap };
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
-@@ -189,6 +206,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -189,6 +207,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
@@ -28583,7 +28652,7 @@ index cbe14e4..b0a8e17 100644
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -200,6 +220,8 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -200,6 +221,8 @@ dovecot_stream_connect_auth(dovecot_auth_t)
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
@@ -28592,7 +28661,7 @@ index cbe14e4..b0a8e17 100644
logging_send_audit_msgs(dovecot_auth_t)
logging_send_syslog_msg(dovecot_auth_t)
-@@ -235,6 +257,8 @@ optional_policy(`
+@@ -235,6 +258,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
@@ -28601,7 +28670,7 @@ index cbe14e4..b0a8e17 100644
')
optional_policy(`
-@@ -242,6 +266,8 @@ optional_policy(`
+@@ -242,6 +267,8 @@ optional_policy(`
')
optional_policy(`
@@ -28610,7 +28679,7 @@ index cbe14e4..b0a8e17 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -249,23 +275,42 @@ optional_policy(`
+@@ -249,23 +276,42 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -28655,7 +28724,7 @@ index cbe14e4..b0a8e17 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -301,5 +346,15 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -301,5 +347,15 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
@@ -29534,7 +29603,7 @@ index 0000000..0e3e71d
+ policykit_dbus_chat(firewalld_t)
+')
diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if
-index ebad8c4..c02062c 100644
+index ebad8c4..eeddf7b 100644
--- a/policy/modules/services/fprintd.if
+++ b/policy/modules/services/fprintd.if
@@ -5,9 +5,9 @@
@@ -29549,9 +29618,11 @@ index ebad8c4..c02062c 100644
## </param>
#
interface(`fprintd_domtrans',`
-@@ -38,4 +38,3 @@ interface(`fprintd_dbus_chat',`
+@@ -37,5 +37,5 @@ interface(`fprintd_dbus_chat',`
+
allow $1 fprintd_t:dbus send_msg;
allow fprintd_t $1:dbus send_msg;
++ allow fprintd_t $1:file read;
')
-
diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
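Review bot: `allow fprintd_t $1:file read;` inside `fprintd_dbus_chat` gives fprintd read access to files labelled with the caller's domain type — for a process domain that is the caller's /proc/<pid> entries — which is a side effect no caller of a `*_dbus_chat` interface expects and which the interface's `<summary>` (outside this hunk) does not mention. Granting only `read` is also likely insufficient: opening the file needs `open` (and the directory needs `search`) under the open_perms policy capability, so the refpolicy idiom `read_files_pattern(fprintd_t, $1, $1)` is what usually works. Either document the extra access in the interface description or move it to a separately named interface so callers opt in explicitly.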
@@ -30658,10 +30729,10 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..4417f4e 100644
+index 4fde46b..a1f7269 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
-@@ -9,24 +9,31 @@ type gnomeclock_t;
+@@ -9,24 +9,33 @@ type gnomeclock_t;
type gnomeclock_exec_t;
dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
@@ -30688,15 +30759,16 @@ index 4fde46b..4417f4e 100644
+files_read_etc_runtime_files(gnomeclock_t)
files_read_usr_files(gnomeclock_t)
--auth_use_nsswitch(gnomeclock_t)
+fs_getattr_xattr_fs(gnomeclock_t)
++
+ auth_use_nsswitch(gnomeclock_t)
-clock_domtrans(gnomeclock_t)
-+auth_use_nsswitch(gnomeclock_t)
++logging_send_syslog_msg(gnomeclock_t)
miscfiles_read_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-@@ -35,12 +42,51 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,12 +44,51 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
@@ -38919,10 +38991,10 @@ index 55e62d2..c0e0959 100644
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..c22af86 100644
+index 46bee12..f4b60ab 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
-@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
+@@ -34,11 +34,13 @@ template(`postfix_domain_template',`
domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
role system_r types postfix_$1_t;
@@ -38933,7 +39005,11 @@ index 46bee12..c22af86 100644
allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_$1_t self:unix_stream_socket connectto;
-@@ -50,7 +51,7 @@ template(`postfix_domain_template',`
++ allow postfix_$1_t self:fifo_file rw_fifo_file_perms;
+
+ allow postfix_master_t postfix_$1_t:process signal;
+ #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
+@@ -50,7 +52,7 @@ template(`postfix_domain_template',`
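Review bot: Moving `allow postfix_$1_t self:fifo_file rw_fifo_file_perms;` into postfix_domain_template is the right place for a permission every postfix domain needs, and the postfix.te hunks further down that drop the per-domain copies for postfix_master_t, postfix_local_t, postfix_pickup_t, postfix_pipe_t, postfix_qmgr_t and postfix_virtual_t are consistent with it. The one thing to confirm is that each of those domains is actually declared through postfix_domain_template (or postfix_server_domain_template, which wraps it); the declarations sit outside these hunks, and a domain created without the template would silently lose fifo access. A comment on the template line, `# fifo access for every postfix domain is granted here; do not re-add it per domain`, would stop the duplicates from creeping back.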
can_exec(postfix_$1_t, postfix_$1_exec_t)
@@ -38942,7 +39018,7 @@ index 46bee12..c22af86 100644
allow postfix_$1_t postfix_master_t:process sigchld;
-@@ -77,6 +78,7 @@ template(`postfix_domain_template',`
+@@ -77,6 +79,7 @@ template(`postfix_domain_template',`
files_read_etc_files(postfix_$1_t)
files_read_etc_runtime_files(postfix_$1_t)
@@ -38950,7 +39026,7 @@ index 46bee12..c22af86 100644
files_read_usr_symlinks(postfix_$1_t)
files_search_spool(postfix_$1_t)
files_getattr_tmp_dirs(postfix_$1_t)
-@@ -115,7 +117,7 @@ template(`postfix_server_domain_template',`
+@@ -115,7 +118,7 @@ template(`postfix_server_domain_template',`
type postfix_$1_tmp_t;
files_tmp_file(postfix_$1_tmp_t)
@@ -38959,7 +39035,7 @@ index 46bee12..c22af86 100644
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow postfix_$1_t self:tcp_socket create_socket_perms;
allow postfix_$1_t self:udp_socket create_socket_perms;
-@@ -165,6 +167,8 @@ template(`postfix_user_domain_template',`
+@@ -165,6 +168,8 @@ template(`postfix_user_domain_template',`
domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
domain_use_interactive_fds(postfix_$1_t)
@@ -38968,7 +39044,7 @@ index 46bee12..c22af86 100644
')
########################################
-@@ -272,7 +276,8 @@ interface(`postfix_read_local_state',`
+@@ -272,7 +277,8 @@ interface(`postfix_read_local_state',`
type postfix_local_t;
')
@@ -38978,7 +39054,7 @@ index 46bee12..c22af86 100644
')
########################################
-@@ -290,7 +295,27 @@ interface(`postfix_read_master_state',`
+@@ -290,7 +296,27 @@ interface(`postfix_read_master_state',`
type postfix_master_t;
')
@@ -39007,7 +39083,7 @@ index 46bee12..c22af86 100644
')
########################################
-@@ -376,6 +401,25 @@ interface(`postfix_domtrans_master',`
+@@ -376,6 +402,25 @@ interface(`postfix_domtrans_master',`
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
')
@@ -39033,7 +39109,7 @@ index 46bee12..c22af86 100644
########################################
## <summary>
## Execute the master postfix program in the
-@@ -404,7 +448,6 @@ interface(`postfix_exec_master',`
+@@ -404,7 +449,6 @@ interface(`postfix_exec_master',`
## Domain allowed access.
## </summary>
## </param>
@@ -39041,7 +39117,7 @@ index 46bee12..c22af86 100644
#
interface(`postfix_stream_connect_master',`
gen_require(`
-@@ -416,6 +459,24 @@ interface(`postfix_stream_connect_master',`
+@@ -416,6 +460,24 @@ interface(`postfix_stream_connect_master',`
########################################
## <summary>
@@ -39066,7 +39142,7 @@ index 46bee12..c22af86 100644
## Execute the master postdrop in the
## postfix_postdrop domain.
## </summary>
-@@ -462,7 +523,7 @@ interface(`postfix_domtrans_postqueue',`
+@@ -462,7 +524,7 @@ interface(`postfix_domtrans_postqueue',`
## </summary>
## </param>
#
@@ -39075,7 +39151,7 @@ index 46bee12..c22af86 100644
gen_require(`
type postfix_postqueue_exec_t;
')
-@@ -529,6 +590,25 @@ interface(`postfix_domtrans_smtp',`
+@@ -529,6 +591,25 @@ interface(`postfix_domtrans_smtp',`
########################################
## <summary>
@@ -39101,7 +39177,7 @@ index 46bee12..c22af86 100644
## Search postfix mail spool directories.
## </summary>
## <param name="domain">
-@@ -539,10 +619,10 @@ interface(`postfix_domtrans_smtp',`
+@@ -539,10 +620,10 @@ interface(`postfix_domtrans_smtp',`
#
interface(`postfix_search_spool',`
gen_require(`
@@ -39114,7 +39190,7 @@ index 46bee12..c22af86 100644
files_search_spool($1)
')
-@@ -558,10 +638,10 @@ interface(`postfix_search_spool',`
+@@ -558,10 +639,10 @@ interface(`postfix_search_spool',`
#
interface(`postfix_list_spool',`
gen_require(`
@@ -39127,7 +39203,7 @@ index 46bee12..c22af86 100644
files_search_spool($1)
')
-@@ -577,11 +657,11 @@ interface(`postfix_list_spool',`
+@@ -577,11 +658,11 @@ interface(`postfix_list_spool',`
#
interface(`postfix_read_spool_files',`
gen_require(`
@@ -39141,7 +39217,7 @@ index 46bee12..c22af86 100644
')
########################################
-@@ -596,11 +676,11 @@ interface(`postfix_read_spool_files',`
+@@ -596,11 +677,11 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -39155,7 +39231,7 @@ index 46bee12..c22af86 100644
')
########################################
-@@ -621,3 +701,103 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +702,103 @@ interface(`postfix_domtrans_user_mail_handler',`
typeattribute $1 postfix_user_domtrans;
')
@@ -39260,7 +39336,7 @@ index 46bee12..c22af86 100644
+ role $2 types postfix_postdrop_t;
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..4781d16 100644
+index 06e37d4..e0427ce 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -1,10 +1,18 @@
@@ -39327,12 +39403,12 @@ index 06e37d4..4781d16 100644
files_type(postfix_spool_flush_t)
type postfix_public_t;
-@@ -94,23 +106,25 @@ mta_mailserver_delivery(postfix_virtual_t)
+@@ -94,23 +106,24 @@ mta_mailserver_delivery(postfix_virtual_t)
# chown is to set the correct ownership of queue dirs
allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+-allow postfix_master_t self:fifo_file rw_fifo_file_perms;
+allow postfix_master_t self:process setrlimit;
- allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
-allow postfix_master_t self:process setrlimit;
@@ -39357,7 +39433,7 @@ index 06e37d4..4781d16 100644
manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-@@ -130,7 +144,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+@@ -130,7 +143,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
@@ -39366,7 +39442,7 @@ index 06e37d4..4781d16 100644
manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
-@@ -150,6 +164,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -150,6 +163,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -39376,7 +39452,7 @@ index 06e37d4..4781d16 100644
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t)
+@@ -167,6 +183,10 @@ corecmd_exec_bin(postfix_master_t)
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
@@ -39387,7 +39463,7 @@ index 06e37d4..4781d16 100644
term_dontaudit_search_ptys(postfix_master_t)
-@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search;
+@@ -220,13 +240,17 @@ allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
allow postfix_bounce_t postfix_public_t:sock_file write;
@@ -39406,7 +39482,7 @@ index 06e37d4..4781d16 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -249,6 +274,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+@@ -249,6 +273,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
@@ -39417,17 +39493,15 @@ index 06e37d4..4781d16 100644
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
-@@ -264,8 +293,8 @@ optional_policy(`
+@@ -264,7 +292,6 @@ optional_policy(`
# Postfix local local policy
#
-allow postfix_local_t self:fifo_file rw_fifo_file_perms;
allow postfix_local_t self:process { setsched setrlimit };
-+allow postfix_local_t self:fifo_file rw_fifo_file_perms;
# connect to master process
- stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-@@ -273,6 +302,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,6 +300,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
@@ -39436,7 +39510,7 @@ index 06e37d4..4781d16 100644
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
-@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +315,15 @@ mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
@@ -39455,7 +39529,7 @@ index 06e37d4..4781d16 100644
optional_policy(`
clamav_search_lib(postfix_local_t)
-@@ -304,9 +340,22 @@ optional_policy(`
+@@ -304,9 +338,22 @@ optional_policy(`
')
optional_policy(`
@@ -39478,15 +39552,7 @@ index 06e37d4..4781d16 100644
########################################
#
# Postfix map local policy
-@@ -372,6 +421,7 @@ optional_policy(`
- # Postfix pickup local policy
- #
-
-+allow postfix_pickup_t self:fifo_file rw_fifo_file_perms;
- allow postfix_pickup_t self:tcp_socket create_socket_perms;
-
- stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
-@@ -379,19 +429,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +426,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -39510,11 +39576,9 @@ index 06e37d4..4781d16 100644
-allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
allow postfix_pipe_t self:process setrlimit;
-+allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-
-@@ -401,6 +458,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +454,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -39523,7 +39587,7 @@ index 06e37d4..4781d16 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +479,7 @@ optional_policy(`
+@@ -420,6 +475,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -39531,7 +39595,7 @@ index 06e37d4..4781d16 100644
')
optional_policy(`
-@@ -436,11 +496,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +492,17 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -39549,16 +39613,7 @@ index 06e37d4..4781d16 100644
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-@@ -507,6 +573,8 @@ optional_policy(`
- # Postfix qmgr local policy
- #
-
-+allow postfix_qmgr_t self:fifo_file rw_fifo_file_perms;
-+
- stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
-
- rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +587,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +581,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -39571,7 +39626,7 @@ index 06e37d4..4781d16 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +611,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +605,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -39582,7 +39637,7 @@ index 06e37d4..4781d16 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -565,6 +639,10 @@ optional_policy(`
+@@ -565,6 +633,10 @@ optional_policy(`
')
optional_policy(`
@@ -39593,7 +39648,7 @@ index 06e37d4..4781d16 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -588,10 +666,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +660,16 @@ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -39610,17 +39665,15 @@ index 06e37d4..4781d16 100644
')
optional_policy(`
-@@ -611,8 +695,8 @@ optional_policy(`
+@@ -611,7 +689,6 @@ optional_policy(`
# Postfix virtual local policy
#
-allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
allow postfix_virtual_t self:process { setsched setrlimit };
-+allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-
-@@ -630,3 +714,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +707,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -44124,7 +44177,7 @@ index 82cb169..9e72970 100644
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..d2dac53 100644
+index e30bb63..66c73a2 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -44359,7 +44412,22 @@ index e30bb63..d2dac53 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -922,6 +931,18 @@ optional_policy(`
+@@ -850,10 +859,14 @@ domain_use_interactive_fds(winbind_t)
+
+ files_read_etc_files(winbind_t)
+ files_read_usr_symlinks(winbind_t)
++files_list_var_lib(winbind_t)
+
+ logging_send_syslog_msg(winbind_t)
+
+ miscfiles_read_localization(winbind_t)
++miscfiles_read_generic_certs(winbind_t)
++
++sysnet_use_ldap(winbind_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(winbind_t)
+ userdom_manage_user_home_content_dirs(winbind_t)
+@@ -922,6 +935,18 @@ optional_policy(`
#
optional_policy(`
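Review bot: The three new winbind_t rules — `files_list_var_lib`, `miscfiles_read_generic_certs` and `sysnet_use_ldap` — are not reflected in the 3.9.16-49 changelog entry, and the same is true of the saslauthd zarafa port, the spamd clamav_stream_connect, the xserver modutils_run_insmod and the mount_t sys_nice/setsched additions in later hunks. `sysnet_use_ldap` appears to grant winbind unconditional LDAP client access, so a one-line reason beside it would help the next reviewer, e.g. `# winbind idmap/ldap backends reach the directory over the ldap port — TODO confirm`. A changelog line per behavioural addition keeps the spec history honest about what this release changes.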
@@ -44378,7 +44446,7 @@ index e30bb63..d2dac53 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +953,12 @@ optional_policy(`
+@@ -932,9 +957,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -44421,7 +44489,7 @@ index f1aea88..a5a75a8 100644
admin_pattern($1, saslauthd_var_run_t)
')
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
-index 22184ad..67eafee 100644
+index 22184ad..ea9e2d1 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
@@ -44458,7 +44526,15 @@ index 22184ad..67eafee 100644
corenet_all_recvfrom_unlabeled(saslauthd_t)
corenet_all_recvfrom_netlabel(saslauthd_t)
-@@ -94,6 +94,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
+@@ -55,6 +55,7 @@ corenet_tcp_sendrecv_generic_if(saslauthd_t)
+ corenet_tcp_sendrecv_generic_node(saslauthd_t)
+ corenet_tcp_sendrecv_all_ports(saslauthd_t)
+ corenet_tcp_connect_pop_port(saslauthd_t)
++corenet_tcp_connect_zarafa_port(saslauthd_t)
+ corenet_sendrecv_pop_client_packets(saslauthd_t)
+
+ dev_read_urand(saslauthd_t)
+@@ -94,6 +95,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
optional_policy(`
kerberos_keytab_template(saslauthd, saslauthd_t)
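Review bot: `corenet_tcp_connect_zarafa_port(saslauthd_t)` is added unconditionally next to the pop port rule, so every saslauthd installation gets it even where no zarafa backend is configured; if it is only needed for one authentication mechanism, gating it behind a tunable would keep the default profile tighter and match how the shadow access above is handled. The interface also depends on a zarafa port type being declared in the corenetwork module, which is not in this chunk — presumably the Fedora patch declares it, but that is worth confirming before the next rebuild.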
@@ -45346,7 +45422,7 @@ index c954f31..7f57f22 100644
+ admin_pattern($1, spamd_var_run_t)
')
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..29f86b2 100644
+index ec1eb1e..601a363 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -6,54 +6,101 @@ policy_module(spamassassin, 2.4.0)
@@ -45664,7 +45740,7 @@ index ec1eb1e..29f86b2 100644
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
-@@ -367,22 +468,31 @@ files_read_var_lib_files(spamd_t)
+@@ -367,22 +468,35 @@ files_read_var_lib_files(spamd_t)
init_dontaudit_rw_utmp(spamd_t)
@@ -45686,6 +45762,10 @@ index ec1eb1e..29f86b2 100644
+')
+
+optional_policy(`
++ clamav_stream_connect(spamd_t)
++')
++
++optional_policy(`
+ exim_manage_spool_dirs(spamd_t)
+ exim_manage_spool_files(spamd_t)
+')
@@ -45700,7 +45780,7 @@ index ec1eb1e..29f86b2 100644
fs_manage_cifs_files(spamd_t)
')
-@@ -399,24 +509,24 @@ optional_policy(`
+@@ -399,24 +513,24 @@ optional_policy(`
')
optional_policy(`
@@ -45732,7 +45812,7 @@ index ec1eb1e..29f86b2 100644
')
optional_policy(`
-@@ -424,9 +534,7 @@ optional_policy(`
+@@ -424,9 +538,7 @@ optional_policy(`
')
optional_policy(`
@@ -45743,7 +45823,7 @@ index ec1eb1e..29f86b2 100644
postgresql_stream_connect(spamd_t)
')
-@@ -437,6 +545,10 @@ optional_policy(`
+@@ -437,6 +549,10 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
@@ -45754,7 +45834,15 @@ index ec1eb1e..29f86b2 100644
')
optional_policy(`
-@@ -451,3 +563,51 @@ optional_policy(`
+@@ -444,6 +560,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mta_send_mail(spamd_t)
+ sendmail_stub(spamd_t)
+ mta_read_config(spamd_t)
+ ')
+@@ -451,3 +568,51 @@ optional_policy(`
optional_policy(`
udev_read_db(spamd_t)
')
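Review bot: `mta_send_mail(spamd_t)` is placed inside the optional_policy block that already holds `sendmail_stub(spamd_t)` and `mta_read_config(spamd_t)`, so whichever module that block is conditioned on (presumably sendmail, given the stub) now also gates spamd's ability to hand mail to the MTA. If "Allow spamd to send mail" is meant to work with any MTA, a separate optional_policy block holding only mta_send_mail(spamd_t) avoids losing the rule when that module is absent. The opening of the block is visible in the hunk but its module condition is not, so this is an inference from the sendmail_stub call.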
@@ -45838,7 +45926,7 @@ index d2496bd..1d0c078 100644
allow $1 squid_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
-index 4b2230e..950e65a 100644
+index 4b2230e..7b3d2db 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
@@ -45875,7 +45963,15 @@ index 4b2230e..950e65a 100644
type squid_initrc_exec_t;
init_script_file(squid_initrc_exec_t)
-@@ -169,7 +169,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
+@@ -90,6 +90,7 @@ files_pid_filetrans(squid_t, squid_var_run_t, file)
+
+ kernel_read_kernel_sysctls(squid_t)
+ kernel_read_system_state(squid_t)
++kernel_read_network_state(squid_t)
+
+ files_dontaudit_getattr_boot_dirs(squid_t)
+
+@@ -169,7 +170,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t)
corenet_tcp_bind_all_ports(squid_t)
@@ -45885,7 +45981,7 @@ index 4b2230e..950e65a 100644
')
tunable_policy(`squid_use_tproxy',`
-@@ -185,6 +186,7 @@ optional_policy(`
+@@ -185,6 +187,7 @@ optional_policy(`
corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
@@ -45893,7 +45989,7 @@ index 4b2230e..950e65a 100644
sysnet_dns_name_resolve(httpd_squid_script_t)
-@@ -206,3 +208,7 @@ optional_policy(`
+@@ -206,3 +209,7 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
@@ -49381,7 +49477,7 @@ index 6f1e3c7..ecfe665 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..72b855e 100644
+index 130ced9..bd8abf2 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -49466,7 +49562,7 @@ index 130ced9..72b855e 100644
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -106,12 +116,25 @@ interface(`xserver_restricted_role',`
+@@ -106,12 +116,28 @@ interface(`xserver_restricted_role',`
xserver_create_xdm_tmp_sockets($2)
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
@@ -49475,6 +49571,9 @@ index 130ced9..72b855e 100644
+ ifdef(`hide_broken_symptoms',`
+ dontaudit iceauth_t $2:socket_class_set { read write };
+ ')
++ term_use_virtio_console($2)
++
++ modutils_run_insmod(xserver_t, $1)
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
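Review bot: `modutils_run_insmod(xserver_t, $1)` is a much larger grant than the virtio console line it travels with: it lets the X server domain transition into the insmod domain and adds that domain to role $1, yet neither the changelog line ("Users that use X and spice need to use the virtio device") nor a comment says which module the server needs to load. Placing it inside `xserver_restricted_role` also means the rule is re-declared for every role that calls the interface rather than once; if xserver_t needs insmod regardless of role, the call belongs in xserver.te, and in either place a why-comment such as `# xserver_t loads <module> for the session — TODO name it` would make the intent reviewable. The interface xserver_restricted_role begins and ends outside this hunk.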
@@ -49492,7 +49591,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -143,13 +166,15 @@ interface(`xserver_role',`
+@@ -143,13 +169,15 @@ interface(`xserver_role',`
allow $2 xserver_tmpfs_t:file rw_file_perms;
allow $2 iceauth_home_t:file manage_file_perms;
@@ -49510,7 +49609,7 @@ index 130ced9..72b855e 100644
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
-@@ -162,7 +187,6 @@ interface(`xserver_role',`
+@@ -162,7 +190,6 @@ interface(`xserver_role',`
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -49518,7 +49617,7 @@ index 130ced9..72b855e 100644
')
#######################################
-@@ -197,7 +221,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +224,7 @@ interface(`xserver_ro_session',`
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -49527,7 +49626,7 @@ index 130ced9..72b855e 100644
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -227,7 +251,7 @@ interface(`xserver_rw_session',`
+@@ -227,7 +254,7 @@ interface(`xserver_rw_session',`
type xserver_t, xserver_tmpfs_t;
')
@@ -49536,7 +49635,7 @@ index 130ced9..72b855e 100644
allow $1 xserver_t:shm rw_shm_perms;
allow $1 xserver_tmpfs_t:file rw_file_perms;
')
-@@ -255,7 +279,7 @@ interface(`xserver_non_drawing_client',`
+@@ -255,7 +282,7 @@ interface(`xserver_non_drawing_client',`
allow $1 self:x_gc { create setattr };
@@ -49545,7 +49644,7 @@ index 130ced9..72b855e 100644
allow $1 xserver_t:unix_stream_socket connectto;
allow $1 xextension_t:x_extension { query use };
-@@ -291,13 +315,13 @@ interface(`xserver_user_client',`
+@@ -291,13 +318,13 @@ interface(`xserver_user_client',`
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -49563,7 +49662,7 @@ index 130ced9..72b855e 100644
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -342,19 +366,23 @@ interface(`xserver_user_client',`
+@@ -342,19 +369,23 @@ interface(`xserver_user_client',`
#
template(`xserver_common_x_domain_template',`
gen_require(`
@@ -49590,7 +49689,7 @@ index 130ced9..72b855e 100644
')
##############################
-@@ -386,6 +414,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +417,15 @@ template(`xserver_common_x_domain_template',`
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
@@ -49606,7 +49705,7 @@ index 130ced9..72b855e 100644
')
#######################################
-@@ -444,8 +481,8 @@ template(`xserver_object_types_template',`
+@@ -444,8 +484,8 @@ template(`xserver_object_types_template',`
#
template(`xserver_user_x_domain_template',`
gen_require(`
@@ -49617,7 +49716,7 @@ index 130ced9..72b855e 100644
')
allow $2 self:shm create_shm_perms;
-@@ -458,9 +495,9 @@ template(`xserver_user_x_domain_template',`
+@@ -458,9 +498,9 @@ template(`xserver_user_x_domain_template',`
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -49629,7 +49728,7 @@ index 130ced9..72b855e 100644
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +509,26 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +512,26 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -49658,7 +49757,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -517,6 +560,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +563,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -49666,7 +49765,7 @@ index 130ced9..72b855e 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -545,6 +589,28 @@ interface(`xserver_domtrans_xauth',`
+@@ -545,6 +592,28 @@ interface(`xserver_domtrans_xauth',`
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -49695,7 +49794,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -598,6 +664,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +667,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -49703,7 +49802,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -615,7 +682,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +685,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -49712,7 +49811,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -651,7 +718,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +721,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -49721,7 +49820,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -670,7 +737,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +740,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -49730,7 +49829,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -688,7 +755,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +758,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -49739,7 +49838,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -703,12 +770,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +773,11 @@ interface(`xserver_rw_xdm_pipes',`
## </param>
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -49753,7 +49852,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -724,11 +790,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +793,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -49787,7 +49886,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -765,7 +851,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +854,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -49796,7 +49895,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -805,7 +891,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +894,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -49824,7 +49923,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -826,6 +931,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -826,6 +934,24 @@ interface(`xserver_read_xdm_lib_files',`
allow $1 xdm_var_lib_t:file read_file_perms;
')
@@ -49849,7 +49948,7 @@ index 130ced9..72b855e 100644
########################################
## <summary>
## Make an X session script an entrypoint for the specified domain.
-@@ -897,7 +1020,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1023,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -49858,7 +49957,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -916,7 +1039,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1042,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -49867,7 +49966,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -963,6 +1086,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1089,45 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
@@ -49913,7 +50012,7 @@ index 130ced9..72b855e 100644
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -976,7 +1138,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1141,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -49922,7 +50021,7 @@ index 130ced9..72b855e 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1200,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1203,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
## <summary>
@@ -49965,7 +50064,7 @@ index 130ced9..72b855e 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary>
-@@ -1052,7 +1250,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1253,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -49974,7 +50073,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -1070,8 +1268,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1271,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -49986,7 +50085,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -1185,6 +1385,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1388,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -50013,7 +50112,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -1210,7 +1430,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1433,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -50022,7 +50121,7 @@ index 130ced9..72b855e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1220,13 +1440,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1443,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -50047,7 +50146,7 @@ index 130ced9..72b855e 100644
')
########################################
-@@ -1243,10 +1473,392 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1476,392 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -57280,7 +57379,7 @@ index 8b5c196..98652f7 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..00f5ea9 100644
+index 15832c7..c60dff7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,8 +17,15 @@ type mount_exec_t;
@@ -57323,8 +57422,8 @@ index 15832c7..00f5ea9 100644
# setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
-+allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
-+allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal };
++allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin sys_nice dac_override dac_read_search chown sys_tty_config setuid setgid };
++allow mount_t self:process { getcap getsched setsched ptrace setcap setrlimit signal };
+allow mount_t self:fifo_file rw_fifo_file_perms;
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
+allow mount_t self:unix_dgram_socket create_socket_perms;
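Review bot: The `sys_nice` capability and the `setsched` process permission are the only new grants in the rewritten mount_t self rules, but the comment above them still reads only "setuid/setgid needed to mount cifs", so a reader cannot tell what needs mount to change scheduling priority. A short why-comment, e.g. `# sys_nice/setsched: needed by <helper> spawned from mount — TODO name it`, or a changelog line, would keep that traceable. Since the surrounding capability set already includes sys_admin, setpcap and ptrace this is a documentation point rather than a new risk, but undocumented capability growth is how these lists become unreviewable.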
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 19598a2..6e5e851 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 48%{?dist}
+Release: 49%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,15 @@ exit 0
%endif
%changelog
+* Fri Dec 2 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-49
+- Allow gnomeclock to send system log msgs
+- Users that use X and spice need to use the virtio device
+- squashfs supports extended attributes
+- Allow system_cronjob to dbus chat with NetworkManager
+- Allow all postfix domains to use the fifo_file
+- Allow squid to check the network state
+- Allow spamd to send mail
+
* Wed Nov 16 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-48
- Fix typo in ssh.if