[selinux-policy/f16] +- Add httpd_can_connect_ldap() interface +- NetworkManager needs to write to /sys/class/net/ib*/mod

Miroslav Grepl mgrepl at fedoraproject.org
Thu Dec 15 16:20:18 UTC 2011


commit cb24e588c30fe29f01ca938bfc0a47d57dca0c3b
Author: Miroslav <mgrepl at redhat.com>
Date:   Thu Dec 15 17:20:10 2011 +0100

    +- Add httpd_can_connect_ldap() interface
    +- NetworkManager needs to write to /sys/class/net/ib*/mode
    +- Dont audit writes to leaked file descriptors or redirected output for nacl
    +- Add label for /var/lib/iscan/interpreter
    +- Add labeling for /sbin/iscsiuio
    +- Allow all jabberd domain to read system state
    +- Allow munin services plugins to use NSCD services
    +- More fixes for boinc

 policy-F16.patch    |  355 ++++++++++++++++++++++++++++++--------------------
 selinux-policy.spec |   12 ++-
 2 files changed, 224 insertions(+), 143 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index c3ef4df..0ae075c 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -4900,10 +4900,10 @@ index 0000000..1553356
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..8eccbc2
+index 0000000..9da72e0
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,181 @@
+@@ -0,0 +1,187 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -4932,6 +4932,7 @@ index 0000000..8eccbc2
 +#
 +# chrome_sandbox local policy
 +#
++
 +allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
 +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
 +allow chrome_sandbox_t self:process setsched;
@@ -5085,6 +5086,11 @@ index 0000000..8eccbc2
 +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
 +userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
 +userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t)
++
++optional_policy(`
++	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
++')
++
 diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
 index 37475dd..7db4a01 100644
 --- a/policy/modules/apps/cpufreqselector.te
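Review bot: The blank line added after the new optional_policy block (the final `++` before the cpufreqselector.te header) leaves chrome.te ending in an empty line rather than `')`, unlike the other modules touched by this patch; drop it. The `gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)` call itself matches what the commit message describes for nacl.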
@@ -5645,10 +5651,10 @@ index 00a19e3..9f6139c 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..5597c91 100644
+index f5afe78..eeeebbb 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,861 @@
+@@ -1,44 +1,879 @@
  ## <summary>GNU network object model environment (GNOME)</summary>
  
 -############################################################
@@ -5882,6 +5888,24 @@ index f5afe78..5597c91 100644
 +
 +########################################
 +## <summary>
++##	Dontaudit write gnome homedir content (.config)
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`gnome_dontaudit_write_config_files',`
++	gen_require(`
++		attribute gnome_home_type;
++	')
++
++	dontaudit $1 gnome_home_type:file write;
++')
++
++########################################
++## <summary>
 +##	manage gnome homedir content (.config)
 +## </summary>
 +## <param name="domain">
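Review bot: The summary of the new `gnome_dontaudit_write_config_files` interface does not say what is actually silenced: the rule is `dontaudit $1 gnome_home_type:file write;` with no `open`, so an attempt to open a .config file for writing still yields an audited `open` denial, and only writes through already-open (inherited) descriptors are hidden. That is the right scope for the leaked-fd case the commit message describes, but a reader of the interface cannot tell it from the current text; suggest `##	Do not audit writes to gnome homedir content (.config) through inherited (leaked) file descriptors.` in place of the one-line summary.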
@@ -6528,7 +6552,7 @@ index f5afe78..5597c91 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -46,37 +863,92 @@ interface(`gnome_role',`
+@@ -46,37 +881,92 @@ interface(`gnome_role',`
  ##	</summary>
  ## </param>
  #
@@ -6632,7 +6656,7 @@ index f5afe78..5597c91 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +956,53 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +974,53 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -6697,7 +6721,7 @@ index f5afe78..5597c91 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,17 +1010,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1028,17 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -6719,7 +6743,7 @@ index f5afe78..5597c91 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +1028,299 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1046,299 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -12726,7 +12750,7 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..63712be 100644
+index 3fae11a..a768ca5 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
@@ -12952,18 +12976,19 @@ index 3fae11a..63712be 100644
  /usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
  ')
  
-@@ -375,8 +391,8 @@ ifdef(`distro_suse', `
+@@ -375,8 +391,9 @@ ifdef(`distro_suse', `
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib64/yp/.+		--	gen_context(system_u:object_r:bin_t,s0)
++/var/lib/iscan/interpreter		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
 +
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +401,12 @@ ifdef(`distro_suse', `
+@@ -385,3 +402,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
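Review bot: The new `/var/lib/iscan/interpreter` entry has no file-type field, whereas the single-file entries around it use `--` (the `/usr/lib/yp/.+` lines removed just above, the gnome-system-monitor entries earlier in the patch). Without it the bin_t context also applies to a directory or symlink of that name; if the path is a regular file, `/var/lib/iscan/interpreter		--	gen_context(system_u:object_r:bin_t,s0)` is the consistent form.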
@@ -23928,7 +23953,7 @@ index 0b827c5..b2d6129 100644
 +	dontaudit $1 abrt_t:sock_file write;
 +')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..7a32618 100644
+index 30861ec..2006219 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
@@ -24035,7 +24060,7 @@ index 30861ec..7a32618 100644
  
  # abrt var/cache files
  manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,10 +134,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,10 +134,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -24044,10 +24069,11 @@ index 30861ec..7a32618 100644
  
  kernel_read_ring_buffer(abrt_t)
 -kernel_read_system_state(abrt_t)
++kernel_request_load_module(abrt_t)
  kernel_rw_kernel_sysctl(abrt_t)
  
  corecmd_exec_bin(abrt_t)
-@@ -104,6 +155,8 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +156,8 @@ corenet_tcp_connect_all_ports(abrt_t)
  corenet_sendrecv_http_client_packets(abrt_t)
  
  dev_getattr_all_chr_files(abrt_t)
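Review bot: `kernel_request_load_module(abrt_t)` is added without a comment and is not mentioned in the commit message; it lets abrt trigger kernel module autoloading, which is a broader grant than the rest of this hunk and usually traces back to one operation (for example a socket of a family whose module is not loaded). If abrt works without that module, `kernel_dontaudit_request_load_module(abrt_t)` is the narrower choice; otherwise a one-line comment above the rule naming the triggering operation, e.g. `# module autoload needed for <operation - TODO confirm>`, would help the next reader.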
@@ -24056,7 +24082,7 @@ index 30861ec..7a32618 100644
  dev_read_urand(abrt_t)
  dev_rw_sysfs(abrt_t)
  dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +166,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +167,8 @@ domain_read_all_domains_state(abrt_t)
  domain_signull_all_domains(abrt_t)
  
  files_getattr_all_files(abrt_t)
@@ -24066,7 +24092,7 @@ index 30861ec..7a32618 100644
  files_read_var_symlinks(abrt_t)
  files_read_var_lib_files(abrt_t)
  files_read_usr_files(abrt_t)
-@@ -121,6 +175,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +176,8 @@ files_read_generic_tmp_files(abrt_t)
  files_read_kernel_modules(abrt_t)
  files_dontaudit_list_default(abrt_t)
  files_dontaudit_read_default_files(abrt_t)
@@ -24075,7 +24101,7 @@ index 30861ec..7a32618 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,15 +187,23 @@ fs_read_nfs_files(abrt_t)
+@@ -131,15 +188,23 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
@@ -24102,7 +24128,7 @@ index 30861ec..7a32618 100644
  
  optional_policy(`
  	dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +214,11 @@ optional_policy(`
+@@ -150,6 +215,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24114,7 +24140,7 @@ index 30861ec..7a32618 100644
  	policykit_dbus_chat(abrt_t)
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
-@@ -167,6 +236,7 @@ optional_policy(`
+@@ -167,6 +237,7 @@ optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
@@ -24122,7 +24148,7 @@ index 30861ec..7a32618 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,12 +248,35 @@ optional_policy(`
+@@ -178,12 +249,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24159,7 +24185,7 @@ index 30861ec..7a32618 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +293,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +294,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  
@@ -24188,7 +24214,7 @@ index 30861ec..7a32618 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +316,128 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +317,128 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -25565,10 +25591,10 @@ index 6480167..e12bbc0 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..248682c 100644
+index 3136c6a..2aee986 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
-@@ -18,130 +18,203 @@ policy_module(apache, 2.2.1)
+@@ -18,130 +18,210 @@ policy_module(apache, 2.2.1)
  # Declarations
  #
  
@@ -25734,6 +25760,13 @@ index 3136c6a..248682c 100644
 +gen_tunable(httpd_can_connect_ftp, false)
 +
 +## <desc>
++##  <p>
++##  Allow httpd to connect to the ldap port 
++##  </p>
++## </desc>
++gen_tunable(httpd_can_connect_ldap, false)
++
++## <desc>
 +##	<p>
 +##	Allow httpd to read home directories
 +##	</p>
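Review bot: The new `httpd_can_connect_ldap` description block is indented with two spaces (`##  <p>`) while every other `<desc>` in this file uses a tab (`##	<p>`), and the `Allow httpd to connect to the ldap port ` line carries a trailing space; both should be normalised to the surrounding style. Note also that this declares a boolean via `gen_tunable`, while the commit title calls it an interface; the tunable_policy block that consumes it is in a later hunk of this file.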
@@ -25828,7 +25861,7 @@ index 3136c6a..248682c 100644
  attribute httpdcontent;
  attribute httpd_user_content_type;
  
-@@ -166,7 +239,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +246,7 @@ files_type(httpd_cache_t)
  
  # httpd_config_t is the type given to the configuration files
  type httpd_config_t;
@@ -25837,7 +25870,7 @@ index 3136c6a..248682c 100644
  
  type httpd_helper_t;
  type httpd_helper_exec_t;
-@@ -177,6 +250,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +257,9 @@ role system_r types httpd_helper_t;
  type httpd_initrc_exec_t;
  init_script_file(httpd_initrc_exec_t)
  
@@ -25847,7 +25880,7 @@ index 3136c6a..248682c 100644
  type httpd_lock_t;
  files_lock_file(httpd_lock_t)
  
-@@ -216,7 +292,17 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +299,17 @@ files_tmp_file(httpd_suexec_tmp_t)
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
@@ -25866,7 +25899,7 @@ index 3136c6a..248682c 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -226,6 +312,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +319,10 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -25877,7 +25910,7 @@ index 3136c6a..248682c 100644
  userdom_user_home_content(httpd_user_content_t)
  userdom_user_home_content(httpd_user_htaccess_t)
  userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +323,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +330,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
  userdom_user_home_content(httpd_user_rw_content_t)
  typeattribute httpd_user_script_t httpd_script_domains;
  typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -25885,7 +25918,7 @@ index 3136c6a..248682c 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +345,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +352,23 @@ files_type(httpd_var_lib_t)
  type httpd_var_run_t;
  files_pid_file(httpd_var_run_t)
  
@@ -25909,7 +25942,7 @@ index 3136c6a..248682c 100644
  ########################################
  #
  # Apache server local policy
-@@ -281,11 +381,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +388,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
  allow httpd_t self:udp_socket create_socket_perms;
@@ -25923,7 +25956,7 @@ index 3136c6a..248682c 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +431,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +438,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -25934,7 +25967,7 @@ index 3136c6a..248682c 100644
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -355,6 +458,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +465,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -25944,7 +25977,7 @@ index 3136c6a..248682c 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +471,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +478,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -25961,7 +25994,7 @@ index 3136c6a..248682c 100644
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +488,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +495,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -25977,7 +26010,7 @@ index 3136c6a..248682c 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +501,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +508,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -25985,7 +26018,7 @@ index 3136c6a..248682c 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,48 +513,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +520,101 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -26089,7 +26122,7 @@ index 3136c6a..248682c 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,25 +620,47 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,25 +627,51 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -26108,6 +26141,10 @@ index 3136c6a..248682c 100644
 +	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
 +')
 +
++tunable_policy(`httpd_can_connect_ldap',`
++    corenet_tcp_connect_ldap_port(httpd_t)
++')
++
  tunable_policy(`httpd_enable_ftp_server',`
  	corenet_tcp_bind_ftp_port(httpd_t)
 +	corenet_tcp_bind_all_ephemeral_ports(httpd_t)
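Review bot: `corenet_tcp_connect_ldap_port(httpd_t)` in the new tunable_policy block is indented with four spaces where the neighbouring blocks use a tab. Separately, the sibling `httpd_can_sendmail` block later in this file pairs the connect rule with its packet rule (`corenet_tcp_connect_smtp_port` plus `corenet_sendrecv_smtp_client_packets`); for consistency the new block would read `	corenet_tcp_connect_ldap_port(httpd_t)` followed by `	corenet_sendrecv_ldap_client_packets(httpd_t)`.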
@@ -26139,7 +26176,7 @@ index 3136c6a..248682c 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +670,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +681,16 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -26156,7 +26193,7 @@ index 3136c6a..248682c 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +694,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +705,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -26177,7 +26214,7 @@ index 3136c6a..248682c 100644
  ')
  
  optional_policy(`
-@@ -513,7 +718,13 @@ optional_policy(`
+@@ -513,7 +729,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26192,7 +26229,7 @@ index 3136c6a..248682c 100644
  ')
  
  optional_policy(`
-@@ -528,7 +739,19 @@ optional_policy(`
+@@ -528,7 +750,19 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -26213,7 +26250,7 @@ index 3136c6a..248682c 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +760,13 @@ optional_policy(`
+@@ -537,8 +771,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26228,7 +26265,7 @@ index 3136c6a..248682c 100644
  	')
  ')
  
-@@ -556,7 +784,13 @@ optional_policy(`
+@@ -556,7 +795,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26242,7 +26279,7 @@ index 3136c6a..248682c 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +801,7 @@ optional_policy(`
+@@ -567,6 +812,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -26250,7 +26287,7 @@ index 3136c6a..248682c 100644
  ')
  
  optional_policy(`
-@@ -577,6 +812,20 @@ optional_policy(`
+@@ -577,6 +823,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26271,7 +26308,7 @@ index 3136c6a..248682c 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +840,11 @@ optional_policy(`
+@@ -591,6 +851,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26283,7 +26320,7 @@ index 3136c6a..248682c 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +857,12 @@ optional_policy(`
+@@ -603,6 +868,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -26296,7 +26333,7 @@ index 3136c6a..248682c 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +876,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +887,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -26309,7 +26346,7 @@ index 3136c6a..248682c 100644
  
  ########################################
  #
-@@ -654,28 +918,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +929,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -26353,7 +26390,7 @@ index 3136c6a..248682c 100644
  ')
  
  ########################################
-@@ -685,6 +951,8 @@ optional_policy(`
+@@ -685,6 +962,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -26362,7 +26399,7 @@ index 3136c6a..248682c 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +967,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +978,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -26388,7 +26425,7 @@ index 3136c6a..248682c 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1013,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1024,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -26421,7 +26458,7 @@ index 3136c6a..248682c 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1060,25 @@ optional_policy(`
+@@ -769,6 +1071,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -26447,7 +26484,7 @@ index 3136c6a..248682c 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1099,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1110,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -26465,7 +26502,7 @@ index 3136c6a..248682c 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1118,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1129,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -26522,7 +26559,7 @@ index 3136c6a..248682c 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1169,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1180,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -26553,7 +26590,7 @@ index 3136c6a..248682c 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1204,20 @@ optional_policy(`
+@@ -842,10 +1215,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -26574,7 +26611,7 @@ index 3136c6a..248682c 100644
  ')
  
  ########################################
-@@ -891,11 +1263,49 @@ optional_policy(`
+@@ -891,11 +1274,49 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -27777,10 +27814,10 @@ index 0000000..fa9b95a
 +')
 diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
 new file mode 100644
-index 0000000..e841806
+index 0000000..1441c62
 --- /dev/null
 +++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,174 @@
+@@ -0,0 +1,172 @@
 +policy_module(boinc, 1.0.0)
 +
 +########################################
@@ -27788,6 +27825,8 @@ index 0000000..e841806
 +# Declarations
 +#
 +
++attribute boinc_domain;
++
 +type boinc_t;
 +type boinc_exec_t;
 +init_daemon_domain(boinc_t, boinc_exec_t)
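Review bot: `attribute boinc_domain;` is declared here, but none of the boinc.te hunks in this commit assigns it to a type: there is no `typeattribute boinc_t boinc_domain;` / `typeattribute boinc_project_t boinc_domain;`, and the `type boinc_t;` line just below is unchanged context rather than a `type boinc_t, boinc_domain;` form. The later hunks move kernel_read_system_state, corecmd_exec_bin/shell, dev_read_rand/urand/sysfs, files_read_etc/usr_files and the fifo/sem rules off the concrete types onto boinc_domain, so unless the assignment is made in a part of the patch not shown here, both domains lose those permissions outright. Adding the two typeattribute lines after the type declarations would restore them.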
@@ -27814,6 +27853,37 @@ index 0000000..e841806
 +type boinc_project_var_lib_t;
 +files_type(boinc_project_var_lib_t)
 +
++#######################################
++#
++# boinc domain local policy
++#
++
++allow boinc_domain self:fifo_file rw_fifo_file_perms;
++allow boinc_domain self:sem create_sem_perms;
++
++# needs read /proc/interrupts
++kernel_read_system_state(boinc_domain)
++
++corecmd_exec_bin(boinc_domain)
++corecmd_exec_shell(boinc_domain)
++
++dev_read_rand(boinc_domain)
++dev_read_urand(boinc_domain)
++dev_read_sysfs(boinc_domain)
++
++domain_read_all_domains_state(boinc_domain)
++
++files_read_etc_files(boinc_domain)
++files_read_etc_runtime_files(boinc_domain)
++files_read_usr_files(boinc_domain)
++
++miscfiles_read_fonts(boinc_domain)
++miscfiles_read_localization(boinc_domain)
++
++optional_policy(`
++	sysnet_dns_name_resolve(boinc_domain)
++')
++
 +########################################
 +#
 +# boinc local policy
@@ -27822,10 +27892,8 @@ index 0000000..e841806
 +allow boinc_t self:capability { kill };
 +allow boinc_t self:process { setsched sigkill };
 +
-+allow boinc_t self:fifo_file rw_fifo_file_perms;
 +allow boinc_t self:unix_stream_socket create_stream_socket_perms;
 +allow boinc_t self:tcp_socket create_stream_socket_perms;
-+allow boinc_t self:sem create_sem_perms;
 +allow boinc_t self:shm create_shm_perms;
 +
 +manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
@@ -27843,15 +27911,9 @@ index 0000000..e841806
 +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +
-+# needs read /proc/interrupts
-+kernel_read_system_state(boinc_t)
-+
 +files_getattr_all_dirs(boinc_t)
 +files_getattr_all_files(boinc_t)
 +
-+corecmd_exec_bin(boinc_t)
-+corecmd_exec_shell(boinc_t)
-+
 +corenet_all_recvfrom_unlabeled(boinc_t)
 +corenet_all_recvfrom_netlabel(boinc_t)
 +corenet_tcp_sendrecv_generic_if(boinc_t)
@@ -27868,18 +27930,8 @@ index 0000000..e841806
 +corenet_tcp_connect_http_port(boinc_t)
 +corenet_tcp_connect_http_cache_port(boinc_t)
 +
-+dev_list_sysfs(boinc_t)
-+dev_read_rand(boinc_t)
-+dev_read_urand(boinc_t)
-+dev_read_sysfs(boinc_t)
-+
-+domain_read_all_domains_state(boinc_t)
-+
 +files_dontaudit_getattr_boot_dirs(boinc_t)
 +
-+files_read_etc_files(boinc_t)
-+files_read_usr_files(boinc_t)
-+
 +fs_getattr_all_fs(boinc_t)
 +
 +term_getattr_all_ptys(boinc_t)
@@ -27887,14 +27939,11 @@ index 0000000..e841806
 +
 +init_read_utmp(boinc_t)
 +
-+miscfiles_read_localization(boinc_t)
-+miscfiles_read_generic_certs(boinc_t)
-+
 +logging_send_syslog_msg(boinc_t)
 +
-+sysnet_dns_name_resolve(boinc_t)
-+
-+mta_send_mail(boinc_t)
++optional_policy(`
++	mta_send_mail(boinc_t)
++')
 +
 +########################################
 +#
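Review bot: `miscfiles_read_generic_certs(boinc_t)` is removed in this hunk along with the rules consolidated onto boinc_domain, but the new boinc_domain block only re-adds fonts and localization, so boinc_t loses access to the CA certificates entirely. Since boinc_t keeps `corenet_tcp_connect_http_port` and `corenet_tcp_connect_http_cache_port` in the hunk above, that looks unintended if project servers are reached over TLS; keep `miscfiles_read_generic_certs(boinc_t)`, or add `miscfiles_read_generic_certs(boinc_domain)` to the shared block.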
@@ -27928,29 +27977,15 @@ index 0000000..e841806
 +list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
 +rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
 +
-+kernel_read_system_state(boinc_project_t)
 +kernel_read_kernel_sysctls(boinc_project_t)
 +kernel_search_vm_sysctl(boinc_project_t)
 +kernel_read_network_state(boinc_project_t)
 +
-+corecmd_exec_bin(boinc_project_t)
-+corecmd_exec_shell(boinc_project_t)
-+
 +corenet_tcp_connect_boinc_port(boinc_project_t)
 +
-+domain_read_all_domains_state(boinc_project_t)
-+
-+dev_read_rand(boinc_project_t)
-+dev_read_urand(boinc_project_t)
-+dev_read_sysfs(boinc_project_t)
 +dev_rw_xserver_misc(boinc_project_t)
 +
-+files_read_etc_files(boinc_project_t)
-+files_read_etc_runtime_files(boinc_project_t)
-+files_read_usr_files(boinc_project_t)
-+
-+miscfiles_read_fonts(boinc_project_t)
-+miscfiles_read_localization(boinc_project_t)
++files_dontaudit_search_home(boinc_project_t)
 +
 +optional_policy(`
 +	java_exec(boinc_project_t)
@@ -40747,10 +40782,10 @@ index 9878499..81fcd0f 100644
 -	admin_pattern($1, jabberd_var_run_t)
  ')
 diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
-index da2127e..a666df2 100644
+index da2127e..24e20b0 100644
 --- a/policy/modules/services/jabber.te
 +++ b/policy/modules/services/jabber.te
-@@ -5,90 +5,150 @@ policy_module(jabber, 1.8.0)
+@@ -5,90 +5,148 @@ policy_module(jabber, 1.8.0)
  # Declarations
  #
  
@@ -40828,45 +40863,43 @@ index da2127e..a666df2 100644
 -corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
 +manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
 +manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
-+
+ 
+-dev_read_sysfs(jabberd_t)
+-# For SSL
+-dev_read_rand(jabberd_t)
 +corenet_tcp_bind_jabber_client_port(jabberd_router_t)
 +corenet_tcp_bind_jabber_router_port(jabberd_router_t)
 +corenet_tcp_connect_jabber_router_port(jabberd_router_t)
 +corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
 +corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
-+
+ 
+-domain_use_interactive_fds(jabberd_t)
 +fs_getattr_all_fs(jabberd_router_t)
  
--dev_read_sysfs(jabberd_t)
--# For SSL
--dev_read_rand(jabberd_t)
+-files_read_etc_files(jabberd_t)
+-files_read_etc_runtime_files(jabberd_t)
 +miscfiles_read_generic_certs(jabberd_router_t)
  
--domain_use_interactive_fds(jabberd_t)
+-fs_getattr_all_fs(jabberd_t)
+-fs_search_auto_mountpoints(jabberd_t)
 +optional_policy(`
 +	kerberos_use(jabberd_router_t)
 +')
  
--files_read_etc_files(jabberd_t)
--files_read_etc_runtime_files(jabberd_t)
+-logging_send_syslog_msg(jabberd_t)
 +optional_policy(`
 +	nis_use_ypbind(jabberd_router_t)
 +')
  
--fs_getattr_all_fs(jabberd_t)
--fs_search_auto_mountpoints(jabberd_t)
+-miscfiles_read_localization(jabberd_t)
 +#####################################
 +#
 +# Local policy for other jabberd components
 +#
- 
--logging_send_syslog_msg(jabberd_t)
++
 +manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
 +manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
  
--miscfiles_read_localization(jabberd_t)
-+kernel_read_system_state(jabberd_t)
- 
 -sysnet_read_config(jabberd_t)
 +corenet_tcp_bind_jabber_interserver_port(jabberd_t)
 +corenet_tcp_connect_jabber_router_port(jabberd_t)
@@ -40882,8 +40915,8 @@ index da2127e..a666df2 100644
  optional_policy(`
 -	seutil_sigchld_newrole(jabberd_t)
 +	udev_read_db(jabberd_t)
- ')
- 
++')
++
 +######################################
 +#
 +# Local policy for pyicq-t
@@ -40898,8 +40931,6 @@ index da2127e..a666df2 100644
 +files_search_spool(pyicqt_t)
 +manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t);
 +
-+kernel_read_system_state(pyicqt_t)
-+
 +corenet_tcp_bind_jabber_router_port(pyicqt_t)
 +corenet_tcp_connect_jabber_router_port(pyicqt_t)
 +
@@ -40916,14 +40947,14 @@ index da2127e..a666df2 100644
 +libs_use_shared_libs(pyicqt_t)
 +
 +# needed for pyicq-t-mysql
- optional_policy(`
--	udev_read_db(jabberd_t)
++optional_policy(`
 +	corenet_tcp_connect_mysqld_port(pyicqt_t)
  ')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	udev_read_db(jabberd_t)
 +	sysnet_use_ldap(pyicqt_t)
-+')
+ ')
 +
 +#######################################
 +#
@@ -40935,6 +40966,8 @@ index da2127e..a666df2 100644
 +allow jabberd_domain self:tcp_socket create_stream_socket_perms;
 +allow jabberd_domain self:udp_socket create_socket_perms;
 +
++kernel_read_system_state(jabberd_domain)
++
 +corenet_all_recvfrom_unlabeled(jabberd_domain)
 +corenet_all_recvfrom_netlabel(jabberd_domain)
 +corenet_tcp_sendrecv_generic_if(jabberd_domain)
@@ -45206,7 +45239,7 @@ index c358d8f..fec6a97 100644
  
  	allow $1 munin_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
-index f17583b..9850f4d 100644
+index f17583b..171ebec 100644
 --- a/policy/modules/services/munin.te
 +++ b/policy/modules/services/munin.te
 @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -45301,7 +45334,7 @@ index f17583b..9850f4d 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -221,19 +231,17 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -221,19 +231,23 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
  dev_read_urand(mail_munin_plugin_t)
  
@@ -45311,10 +45344,19 @@ index f17583b..9850f4d 100644
 -
  logging_read_generic_logs(mail_munin_plugin_t)
  
- mta_read_config(mail_munin_plugin_t)
- mta_send_mail(mail_munin_plugin_t)
-+mta_list_queue(mail_munin_plugin_t)
- mta_read_queue(mail_munin_plugin_t)
+-mta_read_config(mail_munin_plugin_t)
+-mta_send_mail(mail_munin_plugin_t)
+-mta_read_queue(mail_munin_plugin_t)
++optional_policy(`
++	mta_read_config(mail_munin_plugin_t)
++	mta_send_mail(mail_munin_plugin_t)
++	mta_list_queue(mail_munin_plugin_t)
++	mta_read_queue(mail_munin_plugin_t)
++')
++
++optional_policy(`
++	nscd_socket_use(mail_munin_plugin_t)
++')
  
  optional_policy(`
  	postfix_read_config(mail_munin_plugin_t)
@@ -45323,7 +45365,7 @@ index f17583b..9850f4d 100644
  ')
  
  optional_policy(`
-@@ -245,6 +253,8 @@ optional_policy(`
+@@ -245,6 +259,8 @@ optional_policy(`
  # local policy for service plugins
  #
  
@@ -45332,7 +45374,7 @@ index f17583b..9850f4d 100644
  allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  allow services_munin_plugin_t self:udp_socket create_socket_perms;
  allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -255,13 +265,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -255,13 +271,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
  dev_read_urand(services_munin_plugin_t)
  dev_read_rand(services_munin_plugin_t)
  
@@ -45347,7 +45389,18 @@ index f17583b..9850f4d 100644
  	cups_stream_connect(services_munin_plugin_t)
  ')
  
-@@ -286,6 +293,10 @@ optional_policy(`
+@@ -279,6 +292,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	nscd_socket_use(services_munin_plugin_t)
++')
++
++optional_policy(`
+ 	postgresql_stream_connect(services_munin_plugin_t)
+ ')
+ 
+@@ -286,6 +303,10 @@ optional_policy(`
  	snmp_read_snmp_var_lib_files(services_munin_plugin_t)
  ')
  
@@ -45358,7 +45411,7 @@ index f17583b..9850f4d 100644
  ##################################
  #
  # local policy for system plugins
-@@ -295,13 +306,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+@@ -295,13 +316,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
  
  rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -45375,7 +45428,7 @@ index f17583b..9850f4d 100644
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
  
-@@ -313,3 +323,31 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +333,31 @@ init_read_utmp(system_munin_plugin_t)
  sysnet_exec_ifconfig(system_munin_plugin_t)
  
  term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -46263,7 +46316,7 @@ index 2324d9e..4f46ff8 100644
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..c985b07 100644
+index 0619395..76e9108 100644
 --- a/policy/modules/services/networkmanager.te
 +++ b/policy/modules/services/networkmanager.te
 @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -46327,7 +46380,13 @@ index 0619395..c985b07 100644
  manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -100,6 +125,7 @@ dev_read_rand(NetworkManager_t)
+@@ -95,11 +120,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t)
+ corenet_rw_tun_tap_dev(NetworkManager_t)
+ corenet_getattr_ppp_dev(NetworkManager_t)
+ 
+-dev_read_sysfs(NetworkManager_t)
++dev_rw_sysfs(NetworkManager_t)
+ dev_read_rand(NetworkManager_t)
  dev_read_urand(NetworkManager_t)
  dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
  dev_getattr_all_chr_files(NetworkManager_t)
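Review bot: Replacing `dev_read_sysfs(NetworkManager_t)` with `dev_rw_sysfs(NetworkManager_t)` grants write access to everything labelled sysfs_t, while the changelog names one attribute, /sys/class/net/ib*/mode. If no finer sysfs type exists for that path in this tree (nothing in the patch suggests one), the rule should at least carry its reason so it is not tightened blindly later: `# writes /sys/class/net/ib*/mode; no narrower sysfs type available` above the call. Once this is allowed, other sysfs writes from NetworkManager_t will no longer show up as AVC denials, which matters when triaging future reports against this domain. The surrounding lines are file-level statements in networkmanager.te, not a function body.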
@@ -60939,7 +60998,7 @@ index 8294f6f..4847b43 100644
  /var/lib/tgtd(/.*)?			gen_context(system_u:object_r:tgtd_var_lib_t,s0)
 +/var/run/tgtd.*			-s	gen_context(system_u:object_r:tgtd_var_run_t,s0)
 diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
-index 665bf7c..d100080 100644
+index 665bf7c..a1ea37a 100644
 --- a/policy/modules/services/tgtd.te
 +++ b/policy/modules/services/tgtd.te
 @@ -21,6 +21,9 @@ files_tmpfs_file(tgtd_tmpfs_t)
@@ -60961,7 +61020,7 @@ index 665bf7c..d100080 100644
  allow tgtd_t self:shm create_shm_perms;
  allow tgtd_t self:sem create_sem_perms;
  allow tgtd_t self:tcp_socket create_stream_socket_perms;
-@@ -46,6 +49,11 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+@@ -46,6 +49,12 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
  manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
  files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
  
@@ -60970,10 +61029,11 @@ index 665bf7c..d100080 100644
 +manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
 +files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
 +
++kernel_read_system_state(tgtd_t)
  kernel_read_fs_sysctls(tgtd_t)
  
  corenet_all_recvfrom_netlabel(tgtd_t)
-@@ -57,10 +65,18 @@ corenet_tcp_bind_generic_node(tgtd_t)
+@@ -57,10 +66,18 @@ corenet_tcp_bind_generic_node(tgtd_t)
  corenet_tcp_bind_iscsi_port(tgtd_t)
  corenet_sendrecv_iscsi_server_packets(tgtd_t)
  
@@ -70024,6 +70084,17 @@ index f3e1b57..d7fd7fb 100644
  	shorewall_read_config(iptables_t)
  ')
  
+diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc
+index 14d9670..8391e13 100644
+--- a/policy/modules/system/iscsi.fc
++++ b/policy/modules/system/iscsi.fc
+@@ -1,5 +1,6 @@
+ /sbin/iscsid		--	gen_context(system_u:object_r:iscsid_exec_t,s0)
+ /sbin/brcm_iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
++/sbin/iscsiuio 		--  gen_context(system_u:object_r:iscsid_exec_t,s0)
+ 
+ /var/lib/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+ /var/lock/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_lock_t,s0)
 diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
 index ddbd8be..ac8e814 100644
 --- a/policy/modules/system/iscsi.te
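Review bot: The new `/sbin/iscsiuio` entry separates its fields with a space followed by tabs and puts two spaces before `gen_context`, unlike the tab-separated sibling lines in the same hunk; the tokenizer does not mind, but the line stands out in the file. Since `/sbin/brcm_iscsiuio` directly above already maps to the same type, a single regex keeps the two in step: `/sbin/(brcm_)?iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)`. Labelling the binary iscsid_exec_t presumably makes it run in iscsid_t, so its accesses are assumed to fit that domain's existing rules; that is inferred from the label and not shown in the hunk.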
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f7c9893..e6f1750 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 66%{?dist}
+Release: 67%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,16 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Dec 15 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-67
+- Add httpd_can_connect_ldap() interface
+- NetworkManager needs to write to /sys/class/net/ib*/mode
+- Dont audit writes to leaked file descriptors or redirected output for nacl
+- Add label for /var/lib/iscan/interpreter
+- Add labeling for /sbin/iscsiuio
+- Allow all jabberd domain to read system state
+- Allow munin services plugins to use NSCD services
+- More fixes for boinc
+
 * Tue Dec 7 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-66
 - Add fixes for xguest package 
 

