[selinux-policy/f15/master] - gpg_t needs to talk to gnome-keyring - nscd wants to read /usr/tmp->/var/tmp to generate randomzia
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Mar 1 15:23:02 UTC 2011
commit 274cd19872e6fe4b0eb5b17fb00fc9557b24b5a0
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Mar 1 16:22:32 2011 +0000
- gpg_t needs to talk to gnome-keyring
- nscd wants to read /usr/tmp->/var/tmp to generate randomization in unixchkpwd
- enforce MCS labeling on nodes
- Allow arpwatch to read meminfo
- Allow gnomeclock to send itself signals
- init relabels /dev/.udev files on boot
- gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_
- nautilus checks access on /media directory before mounting usb sticks, dontaudit acc
- dnsmasq can run as a dbus service, needs acquire service
- mysql_admin should be allowed to connect to mysql service
- virt creates monitor sockets in the users home dir
policy-F15.patch | 572 ++++++++++++++++++++++++++++++---------------------
selinux-policy.spec | 15 ++-
2 files changed, 353 insertions(+), 234 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 9807101..e59db95 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -208,7 +208,7 @@ index 4705ab6..262b5ba 100644
+gen_tunable(allow_console_login,false)
+
diff --git a/policy/mcs b/policy/mcs
-index 358ce7c..60afbfe 100644
+index 358ce7c..0f1d444 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -86,10 +86,10 @@ mlsconstrain file { create relabelto }
@@ -234,10 +234,13 @@ index 358ce7c..60afbfe 100644
#
# MCS policy for SELinux-enabled databases
#
-@@ -144,4 +147,7 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+@@ -144,4 +147,10 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
++mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
++ (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
++
+mlsconstrain packet { send recv }
+ (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
+
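Review bot: The new `mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind` constraint is placed directly under the `# MCS policy for SELinux-enabled databases` heading, so a reader scanning policy/mcs will file it with the database rules; give it its own heading such as `# MCS policy for network node binding` before the added line. Its form mirrors the existing packet send/recv rule below it, dominance or the `t1 == mcsnetwrite` exemption, so any domain that relies on mcsnetwrite for packets now also passes the node bind check; that is worth stating in the comment since the exemption covers two operations from this commit on.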
@@ -2971,10 +2974,10 @@ index 00a19e3..1354800 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..61398d8 100644
+index f5afe78..c9d74ee 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,43 +1,511 @@
+@@ -1,43 +1,519 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
@@ -3057,6 +3060,12 @@ index f5afe78..61398d8 100644
+ allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+
++ corecmd_bin_domtrans(gkeyringd_$1_t, $1_t)
++ corecmd_shell_domtrans(gkeyringd_$1_t, $1_t)
++ allow gkeyringd_$1_t $3:process sigkill;
++ allow $3 gkeyringd_$1_t:fd use;
++ allow $3 gkeyringd_$1_t:fifo_file rw_fifo_file_perms;
++
+ ps_process_pattern(gkeyringd_$1_t, $3)
+
+ ps_process_pattern($3, gkeyringd_$1_t)
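Review bot: The five rules added to the gkeyringd template carry no comment, and they are not small: `corecmd_bin_domtrans`/`corecmd_shell_domtrans` back to `$1_t` mean anything the keyring daemon executes from bin_t or shell_exec_t runs with the user's full domain, and `allow gkeyringd_$1_t $3:process sigkill;` reaches every $3 process, not only the helpers it spawned. Suggest a why-comment above the block, e.g. `# gkeyringd executes helpers as the user domain and must be able to kill them`, matching the reason given in the commit description. The policy language cannot restrict sigkill to the daemon's own children, so the comment should make clear the wider grant is accepted on purpose. The enclosing template starts and ends outside the hunk.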
@@ -3115,11 +3124,13 @@ index f5afe78..61398d8 100644
+#
+interface(`gnome_stream_connect_gkeyringd',`
+ gen_require(`
-+ type gkeyringd_t, gkeyringd_tmp_t;
++ attribute gkeyringd_domain;
++ type gkeyringd_tmp_t;
++ type gconf_tmp_t;
+ ')
+
-+ stream_connect_pattern($2, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_t)
-+ gnome_search_gconf_tmp_dirs($2)
++ allow $1 gconf_tmp_t:dir search_dir_perms;
++ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
+')
+
+########################################
@@ -3503,7 +3514,7 @@ index f5afe78..61398d8 100644
## in the caller domain.
## </summary>
## <param name="domain">
-@@ -56,27 +524,26 @@ interface(`gnome_exec_gconf',`
+@@ -56,27 +532,26 @@ interface(`gnome_exec_gconf',`
########################################
## <summary>
@@ -3539,7 +3550,7 @@ index f5afe78..61398d8 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +551,41 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +559,41 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
@@ -3592,7 +3603,7 @@ index f5afe78..61398d8 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -122,12 +593,13 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,12 +601,13 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
@@ -3609,7 +3620,7 @@ index f5afe78..61398d8 100644
')
########################################
-@@ -151,40 +623,258 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +631,258 @@ interface(`gnome_setattr_config_dirs',`
########################################
## <summary>
@@ -4173,7 +4184,7 @@ index 40e0a2a..f4a103c 100644
## <summary>
## Send generic signals to user gpg processes.
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..504280f 100644
+index 9050e8c..1407f21 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -4238,18 +4249,19 @@ index 9050e8c..504280f 100644
mta_write_config(gpg_t)
-@@ -142,6 +158,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -142,6 +158,11 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ gnome_read_config(gpg_t)
++ gnome_stream_connect_gkeyringd(gpg_t)
+')
+
+optional_policy(`
mozilla_read_user_home_files(gpg_t)
mozilla_write_user_home_files(gpg_t)
')
-@@ -151,10 +171,10 @@ optional_policy(`
+@@ -151,10 +172,10 @@ optional_policy(`
xserver_rw_xdm_pipes(gpg_t)
')
@@ -4264,7 +4276,7 @@ index 9050e8c..504280f 100644
########################################
#
-@@ -205,6 +225,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -205,6 +226,7 @@ tunable_policy(`use_samba_home_dirs',`
#
# GPG agent local policy
#
@@ -4272,7 +4284,7 @@ index 9050e8c..504280f 100644
# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;
-@@ -245,6 +266,7 @@ userdom_search_user_home_dirs(gpg_agent_t)
+@@ -245,6 +267,7 @@ userdom_search_user_home_dirs(gpg_agent_t)
ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -4280,7 +4292,7 @@ index 9050e8c..504280f 100644
')
tunable_policy(`gpg_agent_env_file',`
-@@ -332,6 +354,9 @@ miscfiles_read_localization(gpg_pinentry_t)
+@@ -332,6 +355,9 @@ miscfiles_read_localization(gpg_pinentry_t)
# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)
@@ -4290,7 +4302,7 @@ index 9050e8c..504280f 100644
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(gpg_pinentry_t)
-@@ -342,11 +367,21 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -342,11 +368,21 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
@@ -4312,7 +4324,7 @@ index 9050e8c..504280f 100644
pulseaudio_exec(gpg_pinentry_t)
pulseaudio_rw_home_files(gpg_pinentry_t)
pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -356,4 +391,28 @@ optional_policy(`
+@@ -356,4 +392,28 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -8869,7 +8881,7 @@ index 82842a0..4111a1d 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..75c0fdf 100644
+index 34c9d01..5574b5c 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -8902,7 +8914,16 @@ index 34c9d01..75c0fdf 100644
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -232,6 +232,9 @@ ifdef(`distro_gentoo',`
+@@ -177,6 +177,8 @@ ifdef(`distro_gentoo',`
+ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ ')
+
++/root/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
+ #
+ # /usr
+ #
+@@ -232,6 +234,9 @@ ifdef(`distro_gentoo',`
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
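Review bot: `/root/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)` extends the bin_t label into root's home directory, which the rest of corecommands.fc reserves for system paths; every confined domain with bin_t execute or bin_t domain-transition rules (including the gkeyringd transition added in this same patch) will now treat files root drops there as trusted system binaries. The entry is not mentioned in the commit description and has no comment, so add one stating the use case, e.g. `# root's private scripts, labeled bin_t so confined admin tools can execute them`, or reconsider whether a narrower type fits. It is also inserted just ahead of the `# /usr` section header rather than beside any other home-relative entries the file may have outside the hunk.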
@@ -8912,7 +8933,7 @@ index 34c9d01..75c0fdf 100644
/usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -247,6 +250,8 @@ ifdef(`distro_gentoo',`
+@@ -247,6 +252,8 @@ ifdef(`distro_gentoo',`
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -8921,7 +8942,7 @@ index 34c9d01..75c0fdf 100644
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -307,6 +312,7 @@ ifdef(`distro_redhat', `
+@@ -307,6 +314,7 @@ ifdef(`distro_redhat', `
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -8929,7 +8950,7 @@ index 34c9d01..75c0fdf 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -316,9 +322,11 @@ ifdef(`distro_redhat', `
+@@ -316,9 +324,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -9310,10 +9331,10 @@ index 8ac94e4..c02f095 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index efaf808..321f9ad 100644
+index efaf808..d1ceca8 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
-@@ -146,8 +146,8 @@ interface(`dev_relabel_all_dev_nodes',`
+@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
relabelfrom_dirs_pattern($1, device_t, device_node)
relabelfrom_files_pattern($1, device_t, device_node)
relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
@@ -9324,7 +9345,32 @@ index efaf808..321f9ad 100644
relabel_blk_files_pattern($1, device_t, { device_t device_node })
relabel_chr_files_pattern($1, device_t, { device_t device_node })
')
-@@ -209,6 +209,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
+
+ ########################################
+ ## <summary>
++## Allow full relabeling (to and from) of all device files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`dev_relabel_all_dev_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ relabel_files_pattern($1, device_t, device_t)
++')
++
++########################################
++## <summary>
+ ## List all of the device nodes in a device directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -209,6 +228,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
########################################
## <summary>
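Review bot: The summary of the new `dev_relabel_all_dev_files` interface promises full relabeling of all device files, but its body `relabel_files_pattern($1, device_t, device_t)` covers only regular files of type device_t, not the device_node attribute the neighbouring `dev_relabel_all_dev_nodes` uses; the XML summary should say `## Relabel regular files of type device_t in /dev (to and from).` so callers do not expect it to cover labeled device nodes. The `<rolecap/>` tag is consistent with the sibling interface. The init_t caller elsewhere in this patch pairs it with dev_relabel_all_dev_nodes, which is the right combination if both plain files and nodes under /dev/.udev need relabeling.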
@@ -9349,7 +9395,7 @@ index efaf808..321f9ad 100644
## Add entries to directories in /dev.
## </summary>
## <param name="domain">
-@@ -336,6 +354,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
+@@ -336,6 +373,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
########################################
## <summary>
@@ -9374,7 +9420,7 @@ index efaf808..321f9ad 100644
## Read and write generic files in /dev.
## </summary>
## <param name="domain">
-@@ -516,6 +552,24 @@ interface(`dev_getattr_generic_chr_files',`
+@@ -516,6 +571,24 @@ interface(`dev_getattr_generic_chr_files',`
########################################
## <summary>
@@ -9399,7 +9445,7 @@ index efaf808..321f9ad 100644
## Dontaudit getattr for generic character device files.
## </summary>
## <param name="domain">
-@@ -552,6 +606,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
+@@ -552,6 +625,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
########################################
## <summary>
@@ -9424,7 +9470,7 @@ index efaf808..321f9ad 100644
## Read and write generic character device files.
## </summary>
## <param name="domain">
-@@ -570,6 +642,24 @@ interface(`dev_rw_generic_chr_files',`
+@@ -570,6 +661,24 @@ interface(`dev_rw_generic_chr_files',`
########################################
## <summary>
@@ -9449,7 +9495,7 @@ index efaf808..321f9ad 100644
## Dontaudit attempts to read/write generic character device files.
## </summary>
## <param name="domain">
-@@ -679,6 +769,24 @@ interface(`dev_delete_generic_symlinks',`
+@@ -679,6 +788,24 @@ interface(`dev_delete_generic_symlinks',`
########################################
## <summary>
@@ -9474,7 +9520,7 @@ index efaf808..321f9ad 100644
## Create, delete, read, and write symbolic links in device directories.
## </summary>
## <param name="domain">
-@@ -1088,6 +1196,42 @@ interface(`dev_create_all_chr_files',`
+@@ -1088,6 +1215,42 @@ interface(`dev_create_all_chr_files',`
########################################
## <summary>
@@ -9517,7 +9563,7 @@ index efaf808..321f9ad 100644
## Delete all block device files.
## </summary>
## <param name="domain">
-@@ -1350,6 +1494,24 @@ interface(`dev_getattr_autofs_dev',`
+@@ -1350,6 +1513,24 @@ interface(`dev_getattr_autofs_dev',`
########################################
## <summary>
@@ -9542,7 +9588,7 @@ index efaf808..321f9ad 100644
## Do not audit attempts to get the attributes of
## the autofs device node.
## </summary>
-@@ -1597,6 +1759,24 @@ interface(`dev_rw_cpu_microcode',`
+@@ -1597,6 +1778,24 @@ interface(`dev_rw_cpu_microcode',`
########################################
## <summary>
@@ -9567,7 +9613,7 @@ index efaf808..321f9ad 100644
## Read and write the the hardware SSL accelerator.
## </summary>
## <param name="domain">
-@@ -1979,6 +2159,24 @@ interface(`dev_read_kmsg',`
+@@ -1979,6 +2178,24 @@ interface(`dev_read_kmsg',`
########################################
## <summary>
@@ -9592,7 +9638,7 @@ index efaf808..321f9ad 100644
## Write to the kernel messages device
## </summary>
## <param name="domain">
-@@ -3048,24 +3246,6 @@ interface(`dev_rw_printer',`
+@@ -3048,24 +3265,6 @@ interface(`dev_rw_printer',`
########################################
## <summary>
@@ -9617,7 +9663,7 @@ index efaf808..321f9ad 100644
## Get the attributes of the QEMU
## microcode and id interfaces.
## </summary>
-@@ -3613,6 +3793,24 @@ interface(`dev_manage_smartcard',`
+@@ -3613,6 +3812,24 @@ interface(`dev_manage_smartcard',`
########################################
## <summary>
@@ -9642,7 +9688,7 @@ index efaf808..321f9ad 100644
## Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
-@@ -3773,6 +3971,24 @@ interface(`dev_rw_sysfs',`
+@@ -3773,6 +3990,24 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
@@ -9667,7 +9713,7 @@ index efaf808..321f9ad 100644
## Read and write the TPM device.
## </summary>
## <param name="domain">
-@@ -3960,6 +4176,24 @@ interface(`dev_read_usbmon_dev',`
+@@ -3960,6 +4195,24 @@ interface(`dev_read_usbmon_dev',`
########################################
## <summary>
@@ -9692,7 +9738,7 @@ index efaf808..321f9ad 100644
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -4270,11 +4504,10 @@ interface(`dev_write_video_dev',`
+@@ -4270,11 +4523,10 @@ interface(`dev_write_video_dev',`
#
interface(`dev_rw_vhost',`
gen_require(`
@@ -10122,7 +10168,7 @@ index 3517db2..f798a69 100644
+
+/usr/lib/debug(/.*)? <<none>>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ed203b2..03346fd 100644
+index ed203b2..0a4f89a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -10398,7 +10444,7 @@ index ed203b2..03346fd 100644
########################################
## <summary>
## Create, read, write, and delete objects in
-@@ -3365,6 +3553,24 @@ interface(`files_list_mnt',`
+@@ -3365,6 +3553,43 @@ interface(`files_list_mnt',`
allow $1 mnt_t:dir list_dir_perms;
')
@@ -10420,10 +10466,29 @@ index ed203b2..03346fd 100644
+ dontaudit $1 mnt_t:dir list_dir_perms;
+')
+
++########################################
++## <summary>
++## Do not audit attempts to check the
++## write access on mnt files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_access_check_mnt',`
++ gen_require(`
++ type mnt_t;
++ ')
++
++ dontaudit $1 mnt_t:file_class_set audit_access;
++')
++
########################################
## <summary>
## Mount a filesystem on /mnt.
-@@ -3438,6 +3644,24 @@ interface(`files_read_mnt_files',`
+@@ -3438,6 +3663,24 @@ interface(`files_read_mnt_files',`
read_files_pattern($1, mnt_t, mnt_t)
')
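Review bot: `files_dontaudit_access_check_mnt` is documented as not auditing write-access checks on mnt files, but `dontaudit $1 mnt_t:file_class_set audit_access;` silences access(2) checks for every permission and every file class under mnt_t, directories included; the summary should read `## Do not audit access(2) permission checks on mnt_t files and directories.` Since dontaudit only drops the audit_access record and grants nothing, the caller still receives the denial, which is worth one line in the summary for readers following the nautilus case in the commit description.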
@@ -10448,7 +10513,7 @@ index ed203b2..03346fd 100644
########################################
## <summary>
## Create, read, write, and delete symbolic links in /mnt.
-@@ -3729,6 +3953,99 @@ interface(`files_read_world_readable_sockets',`
+@@ -3729,6 +3972,99 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -10548,7 +10613,7 @@ index ed203b2..03346fd 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -3914,6 +4231,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -3914,6 +4250,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -10581,7 +10646,7 @@ index ed203b2..03346fd 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -3968,7 +4311,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3968,7 +4330,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -10590,7 +10655,7 @@ index ed203b2..03346fd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3976,17 +4319,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3976,17 +4338,17 @@ interface(`files_rw_generic_tmp_sockets',`
## </summary>
## </param>
#
@@ -10612,7 +10677,7 @@ index ed203b2..03346fd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3994,74 +4337,77 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -3994,45 +4356,123 @@ interface(`files_setattr_all_tmp_dirs',`
## </summary>
## </param>
#
@@ -10668,82 +10733,36 @@ index ed203b2..03346fd 100644
#
-interface(`files_getattr_all_tmp_files',`
+interface(`files_relabel_all_tmp_files',`
- gen_require(`
- attribute tmpfile;
-+ type var_t;
- ')
-
-- allow $1 tmpfile:file getattr;
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_files_pattern($1, tmpfile, tmpfile)
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to get the attributes
--## of all tmp sock_file.
-+## Set the attributes of all tmp directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain not to audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_getattr_all_tmp_sockets',`
-+interface(`files_setattr_all_tmp_dirs',`
- gen_require(`
- attribute tmpfile;
- ')
-
-- dontaudit $1 tmpfile:sock_file getattr;
-+ allow $1 tmpfile:dir { search_dir_perms setattr };
- ')
-
- ########################################
- ## <summary>
--## Read all tmp files.
-+## List all tmp directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -4069,7 +4415,82 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
- ## </summary>
- ## </param>
- #
--interface(`files_read_all_tmp_files',`
-+interface(`files_list_all_tmp',`
+ gen_require(`
+ attribute tmpfile;
++ type var_t;
+ ')
+
-+ allow $1 tmpfile:dir list_dir_perms;
++ allow $1 var_t:dir search_dir_perms;
++ relabel_files_pattern($1, tmpfile, tmpfile)
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to get the attributes
-+## of all tmp files.
++## Set the attributes of all tmp directories.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain not to audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_setattr_all_tmp_dirs',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ dontaudit $1 tmpfile:file getattr;
++ allow $1 tmpfile:dir { search_dir_perms setattr };
+')
+
+########################################
+## <summary>
-+## Allow attempts to get the attributes
-+## of all tmp files.
++## List all tmp directories.
+## </summary>
+## <param name="domain">
+## <summary>
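Review bot: `files_relabel_all_tmp_files` grants `allow $1 var_t:dir search_dir_perms;` alongside the tmpfile relabel pattern, and nothing says why a relabel interface needs a var_t search rule; presumably it is so /var/tmp can be reached, which should be stated inline: `# /var/tmp lives under var_t`. The remainder of this hunk reshuffles which tmp interfaces the inner patch adds versus rewrites, and the resulting set is spread over several hunks, so I have not verified that no interface ends up defined twice in files.if.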
@@ -10751,18 +10770,18 @@ index ed203b2..03346fd 100644
+## </summary>
+## </param>
+#
-+interface(`files_getattr_all_tmp_files',`
++interface(`files_list_all_tmp',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ allow $1 tmpfile:file getattr;
++ allow $1 tmpfile:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
-+## of all tmp sock_file.
++## of all tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -10770,17 +10789,18 @@ index ed203b2..03346fd 100644
+## </summary>
+## </param>
+#
-+interface(`files_dontaudit_getattr_all_tmp_sockets',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ dontaudit $1 tmpfile:sock_file getattr;
++ dontaudit $1 tmpfile:file getattr;
+')
+
+########################################
+## <summary>
-+## Read all tmp files.
++## Allow attempts to get the attributes
++## of all tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -10788,11 +10808,11 @@ index ed203b2..03346fd 100644
+## </summary>
+## </param>
+#
-+interface(`files_read_all_tmp_files',`
++interface(`files_getattr_all_tmp_files',`
gen_require(`
attribute tmpfile;
')
-@@ -4127,6 +4548,13 @@ interface(`files_purge_tmp',`
+@@ -4127,6 +4567,13 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -10806,7 +10826,7 @@ index ed203b2..03346fd 100644
')
########################################
-@@ -4736,6 +5164,24 @@ interface(`files_read_var_files',`
+@@ -4736,6 +5183,24 @@ interface(`files_read_var_files',`
########################################
## <summary>
@@ -10831,7 +10851,7 @@ index ed203b2..03346fd 100644
## Read and write files in the /var directory.
## </summary>
## <param name="domain">
-@@ -5071,6 +5517,24 @@ interface(`files_manage_mounttab',`
+@@ -5071,6 +5536,24 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -10856,7 +10876,7 @@ index ed203b2..03346fd 100644
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
-@@ -5156,12 +5620,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5156,12 +5639,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -10873,7 +10893,7 @@ index ed203b2..03346fd 100644
')
########################################
-@@ -5207,6 +5671,27 @@ interface(`files_delete_all_locks',`
+@@ -5207,6 +5690,27 @@ interface(`files_delete_all_locks',`
########################################
## <summary>
@@ -10901,7 +10921,7 @@ index ed203b2..03346fd 100644
## Read all lock files.
## </summary>
## <param name="domain">
-@@ -5335,6 +5820,43 @@ interface(`files_search_pids',`
+@@ -5335,6 +5839,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -10945,7 +10965,7 @@ index ed203b2..03346fd 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5542,6 +6064,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5542,6 +6083,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -11008,7 +11028,7 @@ index ed203b2..03346fd 100644
## Read all process ID files.
## </summary>
## <param name="domain">
-@@ -5559,6 +6137,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6156,44 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -11053,7 +11073,7 @@ index ed203b2..03346fd 100644
')
########################################
-@@ -5844,3 +6460,284 @@ interface(`files_unconfined',`
+@@ -5844,3 +6479,284 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -12987,7 +13007,7 @@ index 2be17d2..62c9b17 100644
+')
+
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 4a8d146..23c81fa 100644
+index 4a8d146..8839731 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,41 @@ ifndef(`enable_mls',`
@@ -13190,7 +13210,7 @@ index 4a8d146..23c81fa 100644
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -343,18 +366,10 @@ optional_policy(`
+@@ -343,19 +366,15 @@ optional_policy(`
')
optional_policy(`
@@ -13203,13 +13223,16 @@ index 4a8d146..23c81fa 100644
optional_policy(`
- uml_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- unconfined_domtrans(sysadm_t)
++ unconfined_domtrans(sysadm_t)
')
-@@ -367,17 +382,14 @@ optional_policy(`
+ optional_policy(`
+- unconfined_domtrans(sysadm_t)
++ udev_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -367,17 +386,14 @@ optional_policy(`
')
optional_policy(`
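Review bot: `udev_run(sysadm_t, sysadm_r)` gives the sysadm role a domain transition into udev_t, and neither the commit description nor the hunk gives a reason; the nearest bullet, relabeling /dev/.udev at boot, concerns init_t. Add a comment above the call naming the udev invocation that needs it, e.g. `# sysadm runs udevadm/udev helpers in their own domain`, or drop it if the init_t change alone covers the relabel case. Moving `unconfined_domtrans(sysadm_t)` into the block that previously held uml_role keeps its effect, so that part reads as a pure re-cut.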
@@ -13229,7 +13252,7 @@ index 4a8d146..23c81fa 100644
')
optional_policy(`
-@@ -389,7 +401,7 @@ optional_policy(`
+@@ -389,7 +405,7 @@ optional_policy(`
')
optional_policy(`
@@ -13238,7 +13261,7 @@ index 4a8d146..23c81fa 100644
')
optional_policy(`
-@@ -404,8 +416,15 @@ optional_policy(`
+@@ -404,8 +420,15 @@ optional_policy(`
yam_run(sysadm_t, sysadm_r)
')
@@ -13254,7 +13277,7 @@ index 4a8d146..23c81fa 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -452,5 +471,60 @@ ifndef(`distro_redhat',`
+@@ -452,5 +475,60 @@ ifndef(`distro_redhat',`
optional_policy(`
java_role(sysadm_r, sysadm_t)
')
@@ -17365,6 +17388,21 @@ index c804110..bdefbe1 100644
ps_process_pattern($1, arpwatch_t)
arpwatch_initrc_domtrans($1)
+diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
+index 804135f..af04567 100644
+--- a/policy/modules/services/arpwatch.te
++++ b/policy/modules/services/arpwatch.te
+@@ -47,8 +47,9 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
+ files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+
+ kernel_read_network_state(arpwatch_t)
++# meminfo
++kernel_read_system_state(arpwatch_t)
+ kernel_read_kernel_sysctls(arpwatch_t)
+-kernel_list_proc(arpwatch_t)
+ kernel_read_proc_symlinks(arpwatch_t)
+ kernel_request_load_module(arpwatch_t)
+
diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if
index 8b8143e..c1a2b96 100644
--- a/policy/modules/services/asterisk.if
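Review bot: `kernel_read_system_state(arpwatch_t)` is annotated `# meminfo` but grants read access to the whole /proc system state, which is presumably why `kernel_list_proc(arpwatch_t)` could be dropped in the same hunk; the comment should record both, e.g. `# meminfo; also subsumes kernel_list_proc`. If /proc/meminfo is the only file needed there is no narrower refpolicy interface that I can see from here, so the wider grant is the expected form.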
@@ -23079,7 +23117,7 @@ index 9bd812b..c808b31 100644
')
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..dc4eb3d 100644
+index fdaeeba..df87ba8 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
@@ -23102,7 +23140,7 @@ index fdaeeba..dc4eb3d 100644
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -96,10 +99,18 @@ optional_policy(`
+@@ -96,7 +99,16 @@ optional_policy(`
')
optional_policy(`
@@ -23111,17 +23149,15 @@ index fdaeeba..dc4eb3d 100644
+
+optional_policy(`
dbus_system_bus_client(dnsmasq_t)
- ')
-
- optional_policy(`
-+ ppp_read_pid_files(dnsmasq_t)
++ dbus_connect_system_bus(dnsmasq_t)
+')
+
+optional_policy(`
- seutil_sigchld_newrole(dnsmasq_t)
++ ppp_read_pid_files(dnsmasq_t)
')
-@@ -114,4 +125,5 @@ optional_policy(`
+ optional_policy(`
+@@ -114,4 +126,5 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
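Review bot: `dbus_connect_system_bus(dnsmasq_t)` is added without a comment; the commit description explains it (dnsmasq can be started as a D-Bus service and must acquire its service name), and that reason belongs next to the rule, e.g. `# dnsmasq may run as a dbus service and must acquire its bus name`. The same hunk re-cuts the surrounding optional_policy blocks, so `ppp_read_pid_files` and `seutil_sigchld_newrole` appear to move in the patch context rather than change.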
@@ -25133,10 +25169,15 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..9507bbb 100644
+index 4fde46b..74db53c 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
-@@ -19,7 +19,10 @@ allow gnomeclock_t self:process { getattr getsched };
+@@ -15,11 +15,14 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+ #
+
+ allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
+-allow gnomeclock_t self:process { getattr getsched };
++allow gnomeclock_t self:process { getattr getsched signal };
allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
@@ -29015,7 +29056,7 @@ index f17583b..8f01394 100644
+
+miscfiles_read_localization(munin_plugin_domain)
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
-index e9c0982..a12d5ea 100644
+index e9c0982..f11e4f2 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
@@ -29099,7 +29140,7 @@ index e9c0982..a12d5ea 100644
')
allow $1 mysqld_t:process { ptrace signal_perms };
-@@ -343,13 +379,17 @@ interface(`mysql_admin',`
+@@ -343,13 +379,19 @@ interface(`mysql_admin',`
role_transition $2 mysqld_initrc_exec_t system_r;
allow $2 system_r;
@@ -29116,6 +29157,8 @@ index e9c0982..a12d5ea 100644
+ files_list_tmp($1)
admin_pattern($1, mysqld_tmp_t)
++
++ mysql_stream_connect($1)
')
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 0a0d63c..579f237 100644
@@ -44430,7 +44473,7 @@ index bea0ade..a0feb45 100644
optional_policy(`
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 54d122b..46929ca 100644
+index 54d122b..b86897f 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.0)
@@ -44476,7 +44519,16 @@ index 54d122b..46929ca 100644
allow chkpwd_t shadow_t:file read_file_perms;
files_list_etc(chkpwd_t)
-@@ -394,3 +409,13 @@ optional_policy(`
+@@ -99,6 +114,8 @@ dev_read_urand(chkpwd_t)
+ files_read_etc_files(chkpwd_t)
+ # for nscd
+ files_dontaudit_search_var(chkpwd_t)
++files_read_usr_symlinks(chkpwd_t)
++files_list_tmp(chkpwd_t)
+
+ fs_dontaudit_getattr_xattr_fs(chkpwd_t)
+
+@@ -394,3 +411,13 @@ optional_policy(`
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
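Review bot: `files_read_usr_symlinks(chkpwd_t)` and `files_list_tmp(chkpwd_t)` land under the existing `# for nscd` comment that was written for the dontaudit above them, and `files_list_tmp` is an allow rule that lets the shadow-reading helper enumerate /tmp, which goes further than following the /usr/tmp -> /var/tmp symlink named in the commit description. If traversal is all that is needed, `files_search_tmp(chkpwd_t)` is the narrower interface; either way a dedicated comment such as `# unix_chkpwd follows /usr/tmp -> /var/tmp when seeding randomness` should separate these rules from the nscd dontaudit.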
@@ -45378,7 +45430,7 @@ index cc83689..2657c0b 100644
+ allow $1 init_t:unix_dgram_socket sendto;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 77e8ca8..e8bf933 100644
+index 77e8ca8..2abb81b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -45523,7 +45575,7 @@ index 77e8ca8..e8bf933 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +229,99 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +229,100 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -45559,6 +45611,7 @@ index 77e8ca8..e8bf933 100644
+ dev_read_generic_chr_files(init_t)
+ dev_relabel_generic_dev_dirs(init_t)
+ dev_relabel_all_dev_nodes(init_t)
++ dev_relabel_all_dev_files(init_t)
+ dev_manage_sysfs_dirs(init_t)
+
+ files_mounton_all_mountpoints(init_t)
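Review bot: `dev_relabel_all_dev_files(init_t)` joins a run of dev_ relabel grants with no comment tying it to the boot-time relabel of /dev/.udev described in the commit; add `# relabel /dev/.udev files on boot` above the three dev_relabel_ lines. The companion `udev_relabelto_db(init_t)` in the later init.te hunk relies on an interface whose definition is not in this chunk; if udev.if is not patched elsewhere in this commit the policy build will fail on the unknown interface. The enclosing block in init.te starts and ends outside the hunk.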
@@ -45623,7 +45676,7 @@ index 77e8ca8..e8bf933 100644
')
optional_policy(`
-@@ -199,10 +329,24 @@ optional_policy(`
+@@ -199,10 +330,25 @@ optional_policy(`
')
optional_policy(`
@@ -45637,6 +45690,7 @@ index 77e8ca8..e8bf933 100644
optional_policy(`
+ udev_read_db(init_t)
++ udev_relabelto_db(init_t)
+')
+
+optional_policy(`
@@ -45648,7 +45702,7 @@ index 77e8ca8..e8bf933 100644
unconfined_domain(init_t)
')
-@@ -212,7 +356,7 @@ optional_policy(`
+@@ -212,7 +358,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -45657,7 +45711,7 @@ index 77e8ca8..e8bf933 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +385,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +387,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -45672,7 +45726,7 @@ index 77e8ca8..e8bf933 100644
init_write_initctl(initrc_t)
-@@ -258,11 +404,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +406,23 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -45696,7 +45750,7 @@ index 77e8ca8..e8bf933 100644
corecmd_exec_all_executables(initrc_t)
-@@ -279,6 +437,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +439,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -45704,7 +45758,7 @@ index 77e8ca8..e8bf933 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -291,6 +450,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +452,7 @@ dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
@@ -45712,7 +45766,7 @@ index 77e8ca8..e8bf933 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +458,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +460,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -45728,7 +45782,7 @@ index 77e8ca8..e8bf933 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -323,8 +483,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +485,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -45740,7 +45794,7 @@ index 77e8ca8..e8bf933 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +502,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +504,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -45754,7 +45808,7 @@ index 77e8ca8..e8bf933 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +517,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +519,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -45763,7 +45817,7 @@ index 77e8ca8..e8bf933 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +531,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +533,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -45771,7 +45825,7 @@ index 77e8ca8..e8bf933 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +543,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +545,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -45779,7 +45833,7 @@ index 77e8ca8..e8bf933 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,13 +564,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +566,14 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -45795,7 +45849,7 @@ index 77e8ca8..e8bf933 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -478,7 +649,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +651,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -45804,7 +45858,7 @@ index 77e8ca8..e8bf933 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -524,6 +695,23 @@ ifdef(`distro_redhat',`
+@@ -524,6 +697,23 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -45828,7 +45882,7 @@ index 77e8ca8..e8bf933 100644
')
optional_policy(`
-@@ -531,10 +719,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +721,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -45846,7 +45900,7 @@ index 77e8ca8..e8bf933 100644
')
optional_policy(`
-@@ -549,6 +744,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +746,39 @@ ifdef(`distro_suse',`
')
')
@@ -45886,7 +45940,7 @@ index 77e8ca8..e8bf933 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +789,8 @@ optional_policy(`
+@@ -561,6 +791,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -45895,7 +45949,7 @@ index 77e8ca8..e8bf933 100644
')
optional_policy(`
-@@ -577,6 +807,7 @@ optional_policy(`
+@@ -577,6 +809,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -45903,7 +45957,7 @@ index 77e8ca8..e8bf933 100644
')
optional_policy(`
-@@ -589,6 +820,11 @@ optional_policy(`
+@@ -589,6 +822,11 @@ optional_policy(`
')
optional_policy(`
@@ -45915,7 +45969,7 @@ index 77e8ca8..e8bf933 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +841,13 @@ optional_policy(`
+@@ -605,9 +843,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -45929,7 +45983,7 @@ index 77e8ca8..e8bf933 100644
')
optional_policy(`
-@@ -706,7 +946,13 @@ optional_policy(`
+@@ -706,7 +948,13 @@ optional_policy(`
')
optional_policy(`
@@ -45943,7 +45997,7 @@ index 77e8ca8..e8bf933 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +975,10 @@ optional_policy(`
+@@ -729,6 +977,10 @@ optional_policy(`
')
optional_policy(`
@@ -45954,7 +46008,7 @@ index 77e8ca8..e8bf933 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +988,20 @@ optional_policy(`
+@@ -738,10 +990,20 @@ optional_policy(`
')
optional_policy(`
@@ -45975,7 +46029,7 @@ index 77e8ca8..e8bf933 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1010,10 @@ optional_policy(`
+@@ -750,6 +1012,10 @@ optional_policy(`
')
optional_policy(`
@@ -45986,7 +46040,7 @@ index 77e8ca8..e8bf933 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1035,6 @@ optional_policy(`
+@@ -771,8 +1037,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -45995,7 +46049,7 @@ index 77e8ca8..e8bf933 100644
')
optional_policy(`
-@@ -781,14 +1043,21 @@ optional_policy(`
+@@ -781,14 +1045,21 @@ optional_policy(`
')
optional_policy(`
@@ -46017,7 +46071,7 @@ index 77e8ca8..e8bf933 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -810,11 +1079,19 @@ optional_policy(`
+@@ -810,11 +1081,19 @@ optional_policy(`
')
optional_policy(`
@@ -46038,7 +46092,7 @@ index 77e8ca8..e8bf933 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1101,25 @@ optional_policy(`
+@@ -824,6 +1103,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -46064,7 +46118,7 @@ index 77e8ca8..e8bf933 100644
')
optional_policy(`
-@@ -849,3 +1145,59 @@ optional_policy(`
+@@ -849,3 +1147,59 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -50225,7 +50279,7 @@ index d1c22f3..44fe366 100644
/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 025348a..cea695c 100644
+index 025348a..ad5bfd8 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@@ -50261,11 +50315,62 @@ index 025348a..cea695c 100644
')
########################################
-@@ -231,3 +233,36 @@ interface(`udev_manage_pid_files',`
+@@ -214,6 +216,24 @@ interface(`udev_rw_db',`
+
+ ########################################
+ ## <summary>
++## Allow process to modify relabelto udev database
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`udev_relabelto_db',`
++ gen_require(`
++ type udev_tbl_t;
++ ')
++
++ allow $1 udev_tbl_t:file relabelto_file_perms;
++')
++
++########################################
++## <summary>
+ ## Create, read, write, and delete
+ ## udev pid files.
+ ## </summary>
+@@ -231,3 +251,62 @@ interface(`udev_manage_pid_files',`
files_search_var_lib($1)
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
+
++#######################################
++## <summary>
++## Execute udev in the udev domain, and
++## allow the specified role the udev domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the iptables domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`udev_run',`
++ gen_require(`
++ type iptables_t;
++ ')
++
++ udev_domtrans($1)
++ role $2 types udev_t;
++')
++
+########################################
+## <summary>
+## Create a domain for processes
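Review bot: The new `udev_run` interface requires the wrong type: its `gen_require` block lists `type iptables_t;`, which the body never uses, while `udev_t`, referenced by `role $2 types udev_t;`, is not required at all — this looks like a copy of `iptables_run`, and as written it makes any module calling `udev_run` depend on the iptables module. Change the require to `type udev_t;` and the role parameter text from `## The role to be allowed the iptables domain.` to `## The role to be allowed the udev domain.`. The summary of the other new interface, `## Allow process to modify relabelto udev database`, also reads oddly for a rule that grants only `relabelto_file_perms` on `udev_tbl_t`; `## Allow the specified domain to relabel files to the udev database type.` states what it permits.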
@@ -51205,7 +51310,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..2dc7b3f 100644
+index 28b88de..296513f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -51219,7 +51324,7 @@ index 28b88de..2dc7b3f 100644
domain_type($1_t)
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
-@@ -43,69 +44,100 @@ template(`userdom_base_user_template',`
+@@ -43,69 +44,101 @@ template(`userdom_base_user_template',`
term_user_pty($1_t, user_devpts_t)
term_user_tty($1_t, user_tty_device_t)
@@ -51312,6 +51417,7 @@ index 28b88de..2dc7b3f 100644
+ files_read_etc_files($1_usertype)
+ files_list_mnt($1_usertype)
+ files_read_mnt_files($1_usertype)
++ files_dontaudit_access_check_mnt($1_usertype)
+ files_read_etc_runtime_files($1_usertype)
+ files_read_usr_files($1_usertype)
+ files_read_usr_src_files($1_usertype)
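Review bot: `files_dontaudit_access_check_mnt($1_usertype)` is inserted into the base user template with no comment, and unlike its neighbours its purpose is not obvious from the name; because it applies to every user type and suppresses the audit record for access checks on mnt_t, the reason belongs next to the rule. The commit description supplies it: `# nautilus checks access on /media before mounting removable media; dontaudit the access_check`. The enclosing template body continues outside the hunk.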
@@ -51369,7 +51475,7 @@ index 28b88de..2dc7b3f 100644
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
-@@ -116,6 +148,16 @@ template(`userdom_base_user_template',`
+@@ -116,6 +149,16 @@ template(`userdom_base_user_template',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
@@ -51386,7 +51492,7 @@ index 28b88de..2dc7b3f 100644
')
#######################################
-@@ -149,6 +191,8 @@ interface(`userdom_ro_home_role',`
+@@ -149,6 +192,8 @@ interface(`userdom_ro_home_role',`
type user_home_t, user_home_dir_t;
')
@@ -51395,7 +51501,7 @@ index 28b88de..2dc7b3f 100644
##############################
#
# Domain access to home dir
-@@ -166,27 +210,6 @@ interface(`userdom_ro_home_role',`
+@@ -166,27 +211,6 @@ interface(`userdom_ro_home_role',`
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
@@ -51423,7 +51529,7 @@ index 28b88de..2dc7b3f 100644
')
#######################################
-@@ -218,8 +241,11 @@ interface(`userdom_ro_home_role',`
+@@ -218,8 +242,11 @@ interface(`userdom_ro_home_role',`
interface(`userdom_manage_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
@@ -51435,7 +51541,7 @@ index 28b88de..2dc7b3f 100644
##############################
#
# Domain access to home dir
-@@ -228,17 +254,21 @@ interface(`userdom_manage_home_role',`
+@@ -228,17 +255,21 @@ interface(`userdom_manage_home_role',`
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
@@ -51467,7 +51573,7 @@ index 28b88de..2dc7b3f 100644
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
files_list_home($2)
-@@ -246,25 +276,23 @@ interface(`userdom_manage_home_role',`
+@@ -246,25 +277,23 @@ interface(`userdom_manage_home_role',`
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
@@ -51497,7 +51603,7 @@ index 28b88de..2dc7b3f 100644
')
')
-@@ -289,6 +317,8 @@ interface(`userdom_manage_tmp_role',`
+@@ -289,6 +318,8 @@ interface(`userdom_manage_tmp_role',`
type user_tmp_t;
')
@@ -51506,7 +51612,7 @@ index 28b88de..2dc7b3f 100644
files_poly_member_tmp($2, user_tmp_t)
manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
-@@ -297,6 +327,45 @@ interface(`userdom_manage_tmp_role',`
+@@ -297,6 +328,45 @@ interface(`userdom_manage_tmp_role',`
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -51552,7 +51658,7 @@ index 28b88de..2dc7b3f 100644
')
#######################################
-@@ -316,6 +385,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -316,6 +386,7 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -51560,7 +51666,7 @@ index 28b88de..2dc7b3f 100644
files_search_tmp($1)
')
-@@ -350,6 +420,8 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -350,6 +421,8 @@ interface(`userdom_manage_tmpfs_role',`
type user_tmpfs_t;
')
@@ -51569,7 +51675,7 @@ index 28b88de..2dc7b3f 100644
manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-@@ -360,46 +432,41 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -360,46 +433,41 @@ interface(`userdom_manage_tmpfs_role',`
#######################################
## <summary>
@@ -51638,7 +51744,7 @@ index 28b88de..2dc7b3f 100644
')
#######################################
-@@ -430,6 +497,7 @@ template(`userdom_xwindows_client_template',`
+@@ -430,6 +498,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -51646,7 +51752,7 @@ index 28b88de..2dc7b3f 100644
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -490,7 +558,7 @@ template(`userdom_common_user_template',`
+@@ -490,7 +559,7 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -51655,7 +51761,7 @@ index 28b88de..2dc7b3f 100644
##############################
#
-@@ -500,73 +568,79 @@ template(`userdom_common_user_template',`
+@@ -500,73 +569,79 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -51774,7 +51880,7 @@ index 28b88de..2dc7b3f 100644
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +648,114 @@ template(`userdom_common_user_template',`
+@@ -574,67 +649,114 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -51907,7 +52013,7 @@ index 28b88de..2dc7b3f 100644
')
optional_policy(`
-@@ -650,41 +771,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +772,50 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -51969,7 +52075,7 @@ index 28b88de..2dc7b3f 100644
')
#######################################
-@@ -712,13 +842,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +843,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
@@ -52001,7 +52107,7 @@ index 28b88de..2dc7b3f 100644
userdom_change_password_template($1)
-@@ -736,72 +879,71 @@ template(`userdom_login_user_template', `
+@@ -736,72 +880,71 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -52110,7 +52216,7 @@ index 28b88de..2dc7b3f 100644
')
')
-@@ -833,6 +975,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +976,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -52120,7 +52226,7 @@ index 28b88de..2dc7b3f 100644
##############################
#
# Local policy
-@@ -874,45 +1019,107 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1020,107 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -52239,7 +52345,7 @@ index 28b88de..2dc7b3f 100644
')
')
-@@ -947,7 +1154,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1155,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -52248,7 +52354,7 @@ index 28b88de..2dc7b3f 100644
userdom_common_user_template($1)
##############################
-@@ -956,54 +1163,77 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1164,77 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -52356,7 +52462,7 @@ index 28b88de..2dc7b3f 100644
')
')
-@@ -1039,7 +1269,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1270,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -52365,7 +52471,7 @@ index 28b88de..2dc7b3f 100644
')
##############################
-@@ -1066,6 +1296,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1297,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -52373,7 +52479,7 @@ index 28b88de..2dc7b3f 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1305,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1306,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -52383,7 +52489,7 @@ index 28b88de..2dc7b3f 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1322,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1323,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -52391,7 +52497,7 @@ index 28b88de..2dc7b3f 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,6 +1340,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,6 +1341,8 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -52400,7 +52506,7 @@ index 28b88de..2dc7b3f 100644
domain_setpriority_all_domains($1_t)
domain_read_all_domains_state($1_t)
-@@ -1119,15 +1356,19 @@ template(`userdom_admin_user_template',`
+@@ -1119,15 +1357,19 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -52420,7 +52526,7 @@ index 28b88de..2dc7b3f 100644
term_use_all_terms($1_t)
-@@ -1142,6 +1383,7 @@ template(`userdom_admin_user_template',`
+@@ -1142,6 +1384,7 @@ template(`userdom_admin_user_template',`
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
@@ -52428,7 +52534,7 @@ index 28b88de..2dc7b3f 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1452,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1453,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -52437,7 +52543,7 @@ index 28b88de..2dc7b3f 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,6 +1466,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1467,7 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -52445,7 +52551,7 @@ index 28b88de..2dc7b3f 100644
auth_relabel_all_files_except_shadow($1)
auth_relabel_shadow($1)
-@@ -1237,6 +1482,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1483,7 @@ template(`userdom_security_admin_template',`
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -52453,7 +52559,7 @@ index 28b88de..2dc7b3f 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1279,11 +1525,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1526,37 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -52491,7 +52597,7 @@ index 28b88de..2dc7b3f 100644
ubac_constrained($1)
')
-@@ -1395,6 +1667,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1668,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -52499,7 +52605,7 @@ index 28b88de..2dc7b3f 100644
files_search_home($1)
')
-@@ -1441,6 +1714,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1715,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -52514,7 +52620,7 @@ index 28b88de..2dc7b3f 100644
')
########################################
-@@ -1456,9 +1737,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1738,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -52526,7 +52632,7 @@ index 28b88de..2dc7b3f 100644
')
########################################
-@@ -1515,10 +1798,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1799,10 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -52539,7 +52645,7 @@ index 28b88de..2dc7b3f 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1526,35 +1809,71 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,35 +1810,71 @@ interface(`userdom_relabelto_user_home_dirs',`
## </summary>
## </param>
#
@@ -52632,7 +52738,7 @@ index 28b88de..2dc7b3f 100644
## </summary>
## </param>
## <param name="target_domain">
-@@ -1589,6 +1908,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1909,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -52641,7 +52747,7 @@ index 28b88de..2dc7b3f 100644
')
########################################
-@@ -1603,10 +1924,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1925,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -52656,7 +52762,7 @@ index 28b88de..2dc7b3f 100644
')
########################################
-@@ -1649,6 +1972,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1973,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -52682,7 +52788,7 @@ index 28b88de..2dc7b3f 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1700,12 +2042,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2043,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -52715,7 +52821,7 @@ index 28b88de..2dc7b3f 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2078,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2079,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -52733,7 +52839,7 @@ index 28b88de..2dc7b3f 100644
')
########################################
-@@ -1810,8 +2175,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2176,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -52743,7 +52849,7 @@ index 28b88de..2dc7b3f 100644
')
########################################
-@@ -1827,21 +2191,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2192,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -52769,7 +52875,7 @@ index 28b88de..2dc7b3f 100644
########################################
## <summary>
## Do not audit attempts to execute user home files.
-@@ -2182,7 +2540,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2541,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -52778,7 +52884,7 @@ index 28b88de..2dc7b3f 100644
')
########################################
-@@ -2435,13 +2793,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2794,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -52794,7 +52900,7 @@ index 28b88de..2dc7b3f 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,26 +2821,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2822,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -52821,7 +52927,7 @@ index 28b88de..2dc7b3f 100644
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2815,7 +3154,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3155,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -52830,7 +52936,7 @@ index 28b88de..2dc7b3f 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3170,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3171,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -52846,7 +52952,7 @@ index 28b88de..2dc7b3f 100644
')
########################################
-@@ -2917,7 +3258,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3259,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -52855,7 +52961,7 @@ index 28b88de..2dc7b3f 100644
')
########################################
-@@ -2972,7 +3313,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3314,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -52902,7 +53008,7 @@ index 28b88de..2dc7b3f 100644
')
########################################
-@@ -3009,6 +3388,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3389,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -52910,7 +53016,7 @@ index 28b88de..2dc7b3f 100644
kernel_search_proc($1)
')
-@@ -3139,3 +3519,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3520,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c172a58..e937066 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.15
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,19 @@ exit 0
%endif
%changelog
+* Tue Mar 1 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.15-5
+- gpg_t needs to talk to gnome-keyring
+- nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd
+- enforce MCS labeling on nodes
+- Allow arpwatch to read meminfo
+- Allow gnomeclock to send itself signals
+- init relabels /dev/.udev files on boot
+- gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_exec_t
+- nautilus checks access on /media directory before mounting usb sticks, dontaudit access_check on mnt_t
+- dnsmasq can run as a dbus service, needs acquire service
+- mysql_admin should be allowed to connect to mysql service
+- virt creates monitor sockets in the users home dir
+
* Fri Feb 25 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.15-4
- Allow sysadm type people to look at usb devices
- Cron needs to be able to run shutdown