[selinux-policy/f14/master] - Make kernel_t domain MLS trusted for lowering the level of file. - Add label for /var/lib/tftpboot

Miroslav Grepl mgrepl at fedoraproject.org
Fri Jan 7 13:53:01 UTC 2011


commit 0c51660d0e1cc80b5175f2a9bbebd5a8f0fde590
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Jan 7 14:52:38 2011 +0000

    - Make kernel_t domain MLS trusted for lowering the level of file.
    - Add label for /var/lib/tftpboot/grub directory
    - Fixes for mpd policy
    - Fix amanda_search_lib interface

 booleans-targeted.conf |    2 +-
 policy-F14.patch       |  266 ++++++++++++++++++++++++++++++++++++++----------
 selinux-policy.spec    |    8 ++-
 3 files changed, 222 insertions(+), 54 deletions(-)
---
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index c7f8c40..a5d2a50 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -28,7 +28,7 @@ allow_ftpd_anon_write = false
 
 # Allow gssd to read temp directory.
 # 
-allow_gssd_read_tmp = false
+allow_gssd_read_tmp = true
 
 # Allow Apache to modify public filesused for public file transfer services.
 # 
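Review bot: The shipped default of `allow_gssd_read_tmp` flips from false to true on L29-L30, and neither the commit message nor the spec changelog says why. That widens rpc.gssd's reach into temporary files on every default install, rather than only on hosts that opt in with setsebool. Record the motivating bug or use case in the commit message, or keep the default at false and leave the boolean as the per-host opt-in.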
diff --git a/policy-F14.patch b/policy-F14.patch
index d4abbec..90e5965 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -363,6 +363,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
  manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
  manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
  files_search_var_lib(alsa_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-3.9.7/policy/modules/admin/amanda.if
+--- nsaserefpolicy/policy/modules/admin/amanda.if	2010-10-12 22:42:51.000000000 +0200
++++ serefpolicy-3.9.7/policy/modules/admin/amanda.if	2011-01-07 14:20:44.420042287 +0100
+@@ -59,11 +59,11 @@
+ #
+ interface(`amanda_search_lib',`
+ 	gen_require(`
+-		type amanda_usr_lib_t;
++		type amanda_var_lib_t;
+ 	')
+ 
+ 	files_search_usr($1)
+-	allow $1 amanda_usr_lib_t:dir search_dir_perms;
++	allow $1 amanda_var_lib_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.9.7/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2010-10-12 22:42:51.000000000 +0200
 +++ serefpolicy-3.9.7/policy/modules/admin/anaconda.te	2010-11-05 14:02:26.401653043 +0100
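Review bot: `amanda_search_lib` now requires `amanda_var_lib_t` (L50, L55) but still calls `files_search_usr($1)` on L53; if amanda_var_lib_t labels a directory under /var/lib, callers need search on the var_lib parent to reach it, and usr_t search does not help. Change L53 to `files_search_var_lib($1)`, or add it alongside the existing call if amanda also keeps content under /usr.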
@@ -462,8 +479,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat
  	apache_exec_modules(certwatch_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.9.7/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2010-10-12 22:42:51.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/admin/consoletype.te	2010-11-05 14:02:26.403649559 +0100
-@@ -85,10 +85,7 @@
++++ serefpolicy-3.9.7/policy/modules/admin/consoletype.te	2011-01-05 10:57:38.790042250 +0100
+@@ -48,6 +48,7 @@
+ mls_file_write_all_levels(consoletype_t)
+ 
+ term_use_all_terms(consoletype_t)
++term_use_ptmx(consoletype_t)
+ 
+ init_use_fds(consoletype_t)
+ init_use_script_ptys(consoletype_t)
+@@ -85,10 +86,7 @@
  ')
  
  optional_policy(`
@@ -1890,7 +1915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  	optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.9.7/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2010-10-12 22:42:51.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/admin/usermanage.te	2010-11-05 14:02:26.429649744 +0100
++++ serefpolicy-3.9.7/policy/modules/admin/usermanage.te	2011-01-07 10:32:45.063051683 +0100
 @@ -88,9 +88,7 @@
  # for SSP
  dev_read_urand(chfn_t)
@@ -1902,7 +1927,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  # allow checking if a shell is executable
  corecmd_check_exec_shell(chfn_t)
-@@ -291,17 +289,18 @@
+@@ -194,8 +192,7 @@
+ selinux_compute_relabel_context(groupadd_t)
+ selinux_compute_user_contexts(groupadd_t)
+ 
+-term_use_all_ttys(groupadd_t)
+-term_use_all_ptys(groupadd_t)
++term_use_all_terms(groupadd_t)
+ 
+ init_use_fds(groupadd_t)
+ init_read_utmp(groupadd_t)
+@@ -291,17 +288,18 @@
  selinux_compute_relabel_context(passwd_t)
  selinux_compute_user_contexts(passwd_t)
  
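Review bot: Replacing `term_use_all_ttys` plus `term_use_all_ptys` with `term_use_all_terms` on L99-L101 is a neutral consolidation only if the combined interface grants nothing beyond those two; if terminal.if's version also covers the console or ptmx, groupadd_t gains access the changelog does not mention. The same substitution is made for sysadm_passwd_t (L127-L129) and useradd_t (L146-L148). Confirm against the terminal.if definition, which this commit touches (L191-L199) but does not show here.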
@@ -1925,7 +1960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  domain_use_interactive_fds(passwd_t)
  
-@@ -332,6 +331,7 @@
+@@ -332,6 +330,7 @@
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -1933,7 +1968,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  optional_policy(`
  	nscd_domtrans(passwd_t)
-@@ -426,7 +426,7 @@
+@@ -381,8 +380,7 @@
+ fs_getattr_xattr_fs(sysadm_passwd_t)
+ fs_search_auto_mountpoints(sysadm_passwd_t)
+ 
+-term_use_all_ttys(sysadm_passwd_t)
+-term_use_all_ptys(sysadm_passwd_t)
++term_use_all_terms(sysadm_passwd_t)
+ 
+ auth_manage_shadow(sysadm_passwd_t)
+ auth_relabel_shadow(sysadm_passwd_t)
+@@ -426,7 +424,7 @@
  # Useradd local policy
  #
  
@@ -1942,7 +1987,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -498,12 +498,8 @@
+@@ -469,8 +467,7 @@
+ selinux_compute_relabel_context(useradd_t)
+ selinux_compute_user_contexts(useradd_t)
+ 
+-term_use_all_ttys(useradd_t)
+-term_use_all_ptys(useradd_t)
++term_use_all_terms(useradd_t)
+ 
+ auth_domtrans_chk_passwd(useradd_t)
+ auth_rw_lastlog(useradd_t)
+@@ -498,12 +495,8 @@
  
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
@@ -10433,7 +10488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.9.7/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/kernel/kernel.te	2010-11-23 10:16:46.974397100 +0100
++++ serefpolicy-3.9.7/policy/modules/kernel/kernel.te	2011-01-07 10:48:11.095291107 +0100
 @@ -52,6 +52,7 @@
  fs_type(debugfs_t)
  allow debugfs_t self:filesystem associate;
@@ -10460,7 +10515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -268,19 +271,29 @@
+@@ -268,19 +271,30 @@
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -10473,6 +10528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  
  mls_process_read_up(kernel_t)
  mls_process_write_down(kernel_t)
++mls_file_downgrade(kernel_t)
  mls_file_write_all_levels(kernel_t)
  mls_file_read_all_levels(kernel_t)
 +mls_socket_write_all_levels(kernel_t) 
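Review bot: `mls_file_downgrade(kernel_t)` on L178 makes the kernel domain a trusted MLS subject for relabeling files to a lower sensitivity, on top of the read-all and write-all levels it already holds (L179-L180), and the policy carries no comment on which kernel-initiated operation needs it. Add a why-comment above the line, e.g. `# trusted to lower file levels: <TODO record the operation/denial that motivated this>`, so the next audit of the MLS trusted set can judge whether it is still required.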
@@ -10490,7 +10546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  optional_policy(`
  	hotplug_search_config(kernel_t)
  ')
-@@ -357,6 +370,10 @@
+@@ -357,6 +371,10 @@
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -10689,7 +10745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
 +/lib/udev/devices/pts	-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.9.7/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/kernel/terminal.if	2010-11-05 14:02:26.558900072 +0100
++++ serefpolicy-3.9.7/policy/modules/kernel/terminal.if	2011-01-07 10:36:13.526042624 +0100
 @@ -292,9 +292,11 @@
  interface(`term_dontaudit_use_console',`
  	gen_require(`
@@ -12903,7 +12959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.9.7/policy/modules/services/abrt.te
 --- nsaserefpolicy/policy/modules/services/abrt.te	2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/abrt.te	2010-11-18 15:36:30.856398611 +0100
++++ serefpolicy-3.9.7/policy/modules/services/abrt.te	2011-01-07 14:18:32.638042294 +0100
 @@ -5,6 +5,14 @@
  # Declarations
  #
@@ -13011,7 +13067,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  	policykit_dbus_chat(abrt_t)
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
-@@ -178,12 +206,18 @@
+@@ -170,6 +198,7 @@
+ 	rpm_manage_pid_files(abrt_t)
+ 	rpm_read_db(abrt_t)
+ 	rpm_signull(abrt_t)
++	rpm_manage_log(abrt_t)
+ ')
+ 
+ # to run mailx plugin
+@@ -178,12 +207,18 @@
  ')
  
  optional_policy(`
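Review bot: `rpm_manage_log(abrt_t)` on L218 grants create, write and unlink on rpm log files; if abrt only reads or appends to them, a narrower rpm.if interface would be the least-privilege choice. Confirm from the denials that motivated the change which operations are actually needed before granting full manage.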
@@ -13031,7 +13095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -203,6 +237,7 @@
+@@ -203,6 +238,7 @@
  domain_read_all_domains_state(abrt_helper_t)
  
  files_read_etc_files(abrt_helper_t)
@@ -13039,7 +13103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  
  fs_list_inotifyfs(abrt_helper_t)
  fs_getattr_all_fs(abrt_helper_t)
-@@ -216,7 +251,8 @@
+@@ -216,7 +252,8 @@
  term_dontaudit_use_all_ttys(abrt_helper_t)
  term_dontaudit_use_all_ptys(abrt_helper_t)
  
@@ -13049,7 +13113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +260,18 @@
+@@ -224,4 +261,18 @@
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -17345,8 +17409,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.9.7/policy/modules/services/cobbler.fc
 --- nsaserefpolicy/policy/modules/services/cobbler.fc	2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/cobbler.fc	2010-11-05 14:02:26.615901791 +0100
-@@ -1,7 +1,32 @@
++++ serefpolicy-3.9.7/policy/modules/services/cobbler.fc	2011-01-07 11:47:43.865042388 +0100
+@@ -1,7 +1,33 @@
 -/etc/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_etc_t, s0)
 -/etc/rc\.d/init\.d/cobblerd --	gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
  
@@ -17360,6 +17424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
 +/var/lib/cobbler(/.*)?					gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 +
 +/var/lib/tftpboot/etc(/.*)?				gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/grub(/.*)?             gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 +/var/lib/tftpboot/images(/.*)?                        	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 +/var/lib/tftpboot/memdisk			--      gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 +/var/lib/tftpboot/menu\.c32			--      gen_context(system_u:object_r:cobbler_var_lib_t,s0)
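Review bot: The new `/var/lib/tftpboot/grub(/.*)?` entry on L268 separates the path from its context with spaces while the neighbouring entries (L267, L269) use tabs, so the column drifts in this block. Use a tab between the path and `gen_context(...)` to match the surrounding lines.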
@@ -24388,8 +24453,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.te serefpolicy-3.9.7/policy/modules/services/mock.te
 --- nsaserefpolicy/policy/modules/services/mock.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/services/mock.te	2010-11-05 14:02:26.714916688 +0100
-@@ -0,0 +1,99 @@
++++ serefpolicy-3.9.7/policy/modules/services/mock.te	2011-01-07 10:56:33.999042315 +0100
+@@ -0,0 +1,101 @@
 +policy_module(mock,1.0.0)
 +
 +########################################
@@ -24421,6 +24486,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
 +#
 +
 +allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
++# Needed because mock can run java and mono withing build environment
++allow mock_t self:process { execmem execstack };
 +allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill };
 +dontaudit mock_t self:process { siginh noatsecure rlimitinh };
 +allow mock_t self:fifo_file manage_fifo_file_perms;
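Review bot: The comment on L287 has a typo, `withing` → `within`, and the `execmem execstack` grant on L288 applies to every mock_t build rather than only those running java or mono. If such builds are the minority, gating the rule behind a tunable would keep the default tighter; otherwise the comment should state that the grant is unconditional by design, e.g. `# mock may run java and mono within the build environment; granted unconditionally`.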
@@ -24880,8 +24947,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.9.7/policy/modules/services/mpd.te
 --- nsaserefpolicy/policy/modules/services/mpd.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/services/mpd.te	2011-01-03 09:01:26.100042370 +0100
-@@ -0,0 +1,127 @@
++++ serefpolicy-3.9.7/policy/modules/services/mpd.te	2011-01-07 14:05:16.237042445 +0100
+@@ -0,0 +1,143 @@
 +policy_module(mpd, 1.0.0)
 +
 +########################################
@@ -24893,7 +24960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
 +type mpd_exec_t;
 +init_daemon_domain(mpd_t, mpd_exec_t)
 +
-+permissive mpd_t;
++#permissive mpd_t;
 +
 +type mpd_initrc_exec_t;
 +init_script_file(mpd_initrc_exec_t)
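Review bot: L308 comments out `permissive mpd_t;` instead of deleting it, leaving dead code that is easy to re-enable by accident. Drop the line entirely; the git history already records that the domain was permissive during development.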
@@ -24951,6 +25018,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
 +manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
 +files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file })
 +
++# needed by pulseaudio
++kernel_getattr_proc(mpd_t)
 +kernel_read_system_state(mpd_t)
 +kernel_read_kernel_sysctls(mpd_t)
 +
@@ -24965,6 +25034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
 +corenet_tcp_bind_soundd_port(mpd_t)
 +
 +dev_read_sound(mpd_t)
++dev_write_sound(mpd_t)
 +dev_read_sysfs(mpd_t)
 +
 +files_read_usr_files(mpd_t)
@@ -24997,6 +25067,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
 +')
 +
 +optional_policy(`
++	consolekit_dbus_chat(mpd_t)
++')
++
++optional_policy(`
 +	dbus_system_bus_client(mpd_t)
 +')
 +
@@ -25007,8 +25081,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
 +')
 +
 +optional_policy(`
++	rtkit_daemon_dontaudit_dbus_chat(mpd_t)
++')
++
++optional_policy(`
 +	udev_read_db(mpd_t)
 +')
++
++optional_policy(`   
++    xserver_dontaudit_stream_connect(mpd_t)
++    xserver_dontaudit_read_xdm_pid(mpd_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.9.7/policy/modules/services/mta.fc
 --- nsaserefpolicy/policy/modules/services/mta.fc	2010-10-12 22:42:48.000000000 +0200
 +++ serefpolicy-3.9.7/policy/modules/services/mta.fc	2010-11-05 14:02:26.724901297 +0100
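Review bot: The `optional_policy(` opener on L351 carries trailing whitespace, and L352-L353 indent with four spaces where the rest of mpd.te (e.g. L348) uses a tab. Strip the trailing spaces and use tabs so the file stays consistent.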
@@ -25823,7 +25906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
 +miscfiles_read_localization(munin_plugin_domain)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.9.7/policy/modules/services/mysql.if
 --- nsaserefpolicy/policy/modules/services/mysql.if	2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/mysql.if	2010-12-22 13:16:48.806042370 +0100
++++ serefpolicy-3.9.7/policy/modules/services/mysql.if	2011-01-05 10:55:41.877042746 +0100
 @@ -18,6 +18,24 @@
  	domtrans_pattern($1, mysqld_exec_t, mysqld_t)
  ')
@@ -25849,7 +25932,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
  ########################################
  ## <summary>
  ##	Send a generic signal to MySQL.
-@@ -73,6 +91,7 @@
+@@ -36,6 +54,24 @@
+ 	allow $1 mysqld_t:process signal;
+ ')
+ 
++######################################
++## <summary>
++##  Send a null signal to mysql.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`mysql_signull',`
++    gen_require(`
++        type mysqld_t;
++    ')
++
++    allow $1 mysqld_t:process signull;
++')
++
+ ########################################
+ ## <summary>
+ ##	Allow the specified domain to connect to postgresql with a tcp socket.
+@@ -73,6 +109,7 @@
  		type mysqld_t, mysqld_var_run_t, mysqld_db_t;
  	')
  
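Review bot: The new `mysql_signull` interface (L386-L392) indents with four spaces while the adjacent interfaces use tabs (L373), and its separator line on L376 is shorter than the 40-character rule used elsewhere (L394). The same spacing appears in the new xserver interfaces at L577-L582 and L668-L673. Match the file's tab indentation and separator width so the interfaces read consistently.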
@@ -25857,7 +25965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
  	stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
  	stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
  ')
-@@ -252,7 +271,7 @@
+@@ -252,7 +289,7 @@
  	')
  
  	logging_search_logs($1)
@@ -25866,7 +25974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
  ')
  
  ######################################
-@@ -329,10 +348,9 @@
+@@ -329,10 +366,9 @@
  #
  interface(`mysql_admin',`
  	gen_require(`
@@ -25880,7 +25988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
  	')
  
  	allow $1 mysqld_t:process { ptrace signal_perms };
-@@ -343,13 +361,17 @@
+@@ -343,13 +379,17 @@
  	role_transition $2 mysqld_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -25900,7 +26008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.9.7/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/mysql.te	2010-11-15 10:46:22.654148291 +0100
++++ serefpolicy-3.9.7/policy/modules/services/mysql.te	2011-01-05 10:57:13.941041475 +0100
 @@ -6,9 +6,9 @@
  #
  
@@ -25966,7 +26074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
  files_read_etc_files(mysqld_safe_t)
  files_read_usr_files(mysqld_safe_t)
  files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-@@ -183,6 +186,8 @@
+@@ -183,11 +186,14 @@
  
  hostname_exec(mysqld_safe_t)
  
@@ -25975,6 +26083,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
  miscfiles_read_localization(mysqld_safe_t)
  
  mysql_manage_db_files(mysqld_safe_t)
+ mysql_read_config(mysqld_safe_t)
+ mysql_search_pid_files(mysqld_safe_t)
++mysql_signull(mysqld_safe_t)
+ mysql_write_log(mysqld_safe_t)
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.9.7/policy/modules/services/nagios.if
 --- nsaserefpolicy/policy/modules/services/nagios.if	2010-10-12 22:42:50.000000000 +0200
 +++ serefpolicy-3.9.7/policy/modules/services/nagios.if	2010-12-03 10:05:15.156153251 +0100
@@ -36745,7 +36859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.9.7/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/virt.te	2010-11-05 14:02:26.858649759 +0100
++++ serefpolicy-3.9.7/policy/modules/services/virt.te	2011-01-07 14:27:06.569042442 +0100
 @@ -5,57 +5,66 @@
  # Declarations
  #
@@ -37040,9 +37154,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  logging_send_syslog_msg(virtd_t)
 +logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
  
++selinux_validate_context(virtd_t)
++
 +seutil_read_config(virtd_t)
  seutil_read_default_contexts(virtd_t)
 +seutil_read_file_contexts(virtd_t)
@@ -37062,7 +37176,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -365,6 +440,8 @@
+@@ -313,6 +388,10 @@
+ ')
+ 
+ optional_policy(`
++	dmidecode_domtrans(virtd_t)
++')
++
++optional_policy(`
+ 	dbus_system_bus_client(virtd_t)
+ 
+ 	optional_policy(`
+@@ -365,6 +444,8 @@
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -37071,7 +37196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ')
  
  optional_policy(`
-@@ -396,12 +473,25 @@
+@@ -396,12 +477,25 @@
  
  allow virt_domain self:capability { dac_read_search dac_override kill };
  allow virt_domain self:process { execmem execstack signal getsched signull };
@@ -37098,7 +37223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +512,7 @@
+@@ -422,6 +516,7 @@
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -37106,7 +37231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +520,12 @@
+@@ -429,10 +524,12 @@
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -37119,7 +37244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,6 +533,11 @@
+@@ -440,6 +537,11 @@
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -37131,7 +37256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +555,117 @@
+@@ -457,8 +559,117 @@
  ')
  
  optional_policy(`
@@ -37649,7 +37774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.9.7/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/xserver.if	2010-11-05 14:02:26.868650362 +0100
++++ serefpolicy-3.9.7/policy/modules/services/xserver.if	2011-01-07 14:01:38.250051627 +0100
 @@ -19,9 +19,10 @@
  interface(`xserver_restricted_role',`
  	gen_require(`
@@ -38039,16 +38164,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -805,7 +869,7 @@
+@@ -805,7 +869,25 @@
  	')
  
  	files_search_pids($1)
 -	allow $1 xdm_var_run_t:file read_file_perms;
 +	read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
++')
++
++#######################################
++## <summary>
++##  Dontaudit Read XDM pid files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`xserver_dontaudit_read_xdm_pid',`
++    gen_require(`
++        type xdm_var_run_t;
++    ')
++
++	dontaudit $1 xdm_var_run_t:file read_file_perms;
  ')
  
  ########################################
-@@ -897,7 +961,7 @@
+@@ -897,7 +979,7 @@
  	')
  
  	logging_search_logs($1)
@@ -38057,7 +38200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -916,7 +980,7 @@
+@@ -916,7 +998,7 @@
  		type xserver_log_t;
  	')
  
@@ -38066,7 +38209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -963,6 +1027,45 @@
+@@ -963,6 +1045,45 @@
  
  ########################################
  ## <summary>
@@ -38112,7 +38255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -976,7 +1079,7 @@
+@@ -976,7 +1097,7 @@
  		type xdm_tmp_t;
  	')
  
@@ -38121,7 +38264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1038,6 +1141,24 @@
+@@ -1038,6 +1159,24 @@
  
  ########################################
  ## <summary>
@@ -38146,7 +38289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1052,7 +1173,7 @@
+@@ -1052,7 +1191,7 @@
  		type xdm_tmp_t;
  	')
  
@@ -38155,7 +38298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -1070,8 +1191,10 @@
+@@ -1070,8 +1209,10 @@
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -38167,15 +38310,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -1185,6 +1308,7 @@
+@@ -1185,6 +1326,26 @@
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
 +	allow xserver_t $1:shm rw_shm_perms;
++')
++
++#######################################
++## <summary>
++##  Dontaudit attempts to connect to xserver
++##  over an unix stream socket.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain to not audit.
++##  </summary>
++## </param>
++#
++interface(`xserver_dontaudit_stream_connect',`
++    gen_require(`
++        type xserver_t, xserver_tmp_t;
++    ')
++
++    stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
  ')
  
  ########################################
-@@ -1210,7 +1334,7 @@
+@@ -1210,7 +1371,7 @@
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
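Review bot: `xserver_dontaudit_stream_connect` (L668-L673) grants access instead of suppressing denials: `stream_connect_pattern` expands to allow rules for directory search, socket-file write and `unix_stream_socket connectto`, so every caller — including mpd_t via the mpd.te hunk at L352 — silently gains permission to connect to the X server, contrary to the interface name and summary. Replace L673 with `dontaudit $1 xserver_tmp_t:dir search_dir_perms;`, `dontaudit $1 xserver_tmp_t:sock_file write;` and `dontaudit $1 xserver_t:unix_stream_socket connectto;`. The summary on L660 should also read `a unix stream socket`.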
@@ -38184,7 +38346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1220,13 +1344,23 @@
+@@ -1220,13 +1381,23 @@
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -38209,7 +38371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -1243,10 +1377,355 @@
+@@ -1243,10 +1414,355 @@
  #
  interface(`xserver_unconfined',`
  	gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 441f5cc..54f7812 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.7
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,12 @@ exit 0
 %endif
 
 %changelog
+* Fri Jan 7 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-21
+- Make kernel_t domain MLS trusted for lowering the level of file.
+- Add label for /var/lib/tftpboot/grub directory
+- Fixes for mpd policy
+- Fix amanda_search_lib interface
+
 * Tue Jan 4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-20
 - Fixes for iscsi policy
 - Allow dmesg to read system state

