[selinux-policy/f15/master] - Fixes for colord and vnstatd policy - telepathy needs to dbus chat with unconfined_t and unconfine

Miroslav Grepl mgrepl at fedoraproject.org
Mon May 2 09:01:24 UTC 2011


commit 74137caec8eac7141f08cd54c968152c78bfcaba
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon May 2 11:02:20 2011 +0000

    - Fixes for colord and vnstatd policy
    - telepathy needs to dbus chat with unconfined_t and unconfined_dbusd_t
    - Remove dbus.patch and move it to policy-F15.patch

 policy-F15.patch    |  468 +++++++++++++++++++++++++++++++++-----------------
 selinux-policy.spec |    9 +-
 2 files changed, 315 insertions(+), 162 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index de55537..9e94667 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -3452,7 +3452,7 @@ index 00a19e3..55075f9 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..b1b6bf6 100644
+index f5afe78..f9149e7 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
 @@ -1,43 +1,523 @@
@@ -3511,7 +3511,7 @@ index f5afe78..b1b6bf6 100644
 +## </param>
 +## <param name="user_domain">
 +##      <summary>
-+##      The user domain associated with the role.
++##      The user domain associated with the role. 
 +##      </summary>
 +## </param>
 +#
@@ -3558,7 +3558,7 @@ index f5afe78..b1b6bf6 100644
 +	allow $1_gkeyringd_t $3:dbus send_msg;
 +	allow $3 $1_gkeyringd_t:dbus send_msg;
 +	optional_policy(`
-+	       	dbus_session_domain($1_gkeyringd_t, gkeyringd_exec_t)
++	       	dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
 +		dbus_session_bus_client($1_gkeyringd_t)
 +		gnome_home_dir_filetrans($1_gkeyringd_t)
 +		gnome_manage_generic_home_dirs($1_gkeyringd_t)
@@ -8793,10 +8793,10 @@ index 0000000..8a7ed4f
 +/usr/libexec/telepathy-sunshine			--		gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
 diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
 new file mode 100644
-index 0000000..6878d68
+index 0000000..16ff623
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.if
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,264 @@
 +
 +## <summary>Telepathy framework.</summary>
 +
@@ -8827,8 +8827,6 @@ index 0000000..6878d68
 +	type telepathy_$1_tmp_t;
 +	files_tmp_file(telepathy_$1_tmp_t)
 +	ubac_constrained(telepathy_$1_tmp_t)
-+
-+	dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t)
 +')
 +
 +#######################################
@@ -8850,6 +8848,22 @@ index 0000000..6878d68
 +template(`telepathy_dbus_session_role', `
 +	gen_require(`
 +		attribute telepathy_domain;
++		type telepathy_gabble_t;
++		type telepathy_sofiasip_t;
++		type telepathy_idle_t;
++		type telepathy_mission_control_t;
++		type telepathy_salut_t;
++		type telepathy_sunshine_t;
++		type telepathy_stream_engine_t;
++		type telepathy_msn_t;
++		type telepathy_gabble_exec_t;
++		type telepathy_sofiasip_exec_t;
++		type telepathy_idle_exec_t;
++		type telepathy_mission_control_exec_t;
++		type telepathy_salut_exec_t;
++		type telepathy_sunshine_exec_t;
++		type telepathy_stream_engine_exec_t;
++		type telepathy_msn_exec_t;
 +	')
 +
 +        role $1 types telepathy_domain;
@@ -8864,6 +8878,15 @@ index 0000000..6878d68
 +	telepathy_gabble_stream_connect($2)
 +	telepathy_msn_stream_connect($2)
 +	telepathy_salut_stream_connect($2)	
++
++	dbus_session_domain($2, telepathy_gabble_exec_t, telepathy_gabble_t)
++	dbus_session_domain($2, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
++	dbus_session_domain($2, telepathy_idle_exec_t, telepathy_idle_t)
++	dbus_session_domain($2, telepathy_mission_control_exec_t, telepathy_mission_control_t)
++	dbus_session_domain($2, telepathy_salut_exec_t, telepathy_salut_t)
++	dbus_session_domain($2, telepathy_sunshine_exec_t, telepathy_sunshine_t)
++	dbus_session_domain($2, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
++	dbus_session_domain($2, telepathy_msn_exec_t, telepathy_msn_t)
 +')
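Review bot: The eight new `dbus_session_domain($2, ...)` calls pass the user domain as the first argument, but the `dbus_session_domain` rewritten later in this patch takes a prefix there and does `gen_require(type $1_dbusd_t)`; with `$2` being a domain such as `unconfined_t` (the same `$2` is handed to `telepathy_gabble_stream_connect` a few lines up) that expands to `unconfined_t_dbusd_t`. Because the only visible caller of this template, in unconfineduser.te, is removed by the same commit, m4 never expands it and the build will not catch the mismatch. The template needs a prefix to pass along, e.g. a third parameter so the calls become `dbus_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t)` with `$1` the prefix, `$2` the role and `$3` the user domain, as the gkeyringd template earlier in this patch does. The template's header and its first lines are in an earlier hunk.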
 +
 +########################################
@@ -8946,7 +8969,6 @@ index 0000000..6878d68
 +        files_search_tmp($1)
 +')
 +
-+
 +########################################
 +## <summary>
 +##	Stream connect to Telepathy Salut
@@ -8990,12 +9012,61 @@ index 0000000..6878d68
 +	ps_process_pattern($1, telepathy_mission_control_t)
 +')
 +
++########################################
++## <summary>
++##	Execute telepathy executable
++##	in the specified domain.
++## </summary>
++## <desc>
++##	<p>
++##	Execute a telepathy executable
++##	in the specified domain.  This allows
++##	the specified domain to execute any file
++##	on these filesystems in the specified
++##	domain. 
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++##	<p>
++##	This interface was added to handle
++##	the ssh-agent policy.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`telepathy_command_domtrans', `
++	gen_require(`
++		attribute telepathy_executable;
++	')
++
++	allow $2 telepathy_executable:file entrypoint;
++	domain_transition_pattern($1, telepathy_executable, $2)
++	type_transition $1 telepathy_executable:process $2;
++
++	# needs to dbus chat with unconfined_t and unconfined_dbusd_t
++	optional_policy(`
++		telepathy_dbus_chat($1)
++		telepathy_dbus_chat($2)
++	')
++')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
 new file mode 100644
-index 0000000..a225c3b
+index 0000000..665dce1
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,353 @@
+@@ -0,0 +1,364 @@
 +
 +policy_module(telepathy, 1.0.0)
 +
@@ -9081,8 +9152,6 @@ index 0000000..a225c3b
 +files_read_etc_files(telepathy_msn_t)
 +files_read_usr_files(telepathy_msn_t)
 +
-+auth_use_nsswitch(telepathy_msn_t)
-+
 +init_read_state(telepathy_msn_t)
 +
 +libs_exec_ldconfig(telepathy_msn_t)
@@ -9091,8 +9160,6 @@ index 0000000..a225c3b
 +
 +miscfiles_read_all_certs(telepathy_msn_t)
 +
-+sysnet_read_config(telepathy_msn_t)
-+
 +userdom_read_all_users_state(telepathy_msn_t)
 +
 +optional_policy(`
@@ -9141,9 +9208,9 @@ index 0000000..a225c3b
 +files_read_config_files(telepathy_gabble_t)
 +files_read_usr_files(telepathy_gabble_t)
 +
-+miscfiles_read_all_certs(telepathy_gabble_t)
++fs_getattr_all_fs(telepathy_gabble_t)
 +
-+sysnet_read_config(telepathy_gabble_t)
++miscfiles_read_all_certs(telepathy_gabble_t)
 +
 +optional_policy(`
 +        dbus_system_bus_client(telepathy_gabble_t)
@@ -9178,8 +9245,6 @@ index 0000000..a225c3b
 +
 +files_read_etc_files(telepathy_idle_t)
 +
-+sysnet_read_config(telepathy_idle_t)
-+
 +#######################################
 +#
 +# Telepathy Mission-Control local policy.
@@ -9207,8 +9272,6 @@ index 0000000..a225c3b
 +        fs_manage_cifs_files(telepathy_mission_control_t)
 +')
 +
-+auth_use_nsswitch(telepathy_mission_control_t)
-+
 +# ~/.cache/.mc_connections.
 +optional_policy(`
 +        manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
@@ -9239,8 +9302,6 @@ index 0000000..a225c3b
 +
 +files_read_etc_files(telepathy_salut_t)
 +
-+sysnet_read_config(telepathy_salut_t)
-+
 +optional_policy(`
 +        dbus_system_bus_client(telepathy_salut_t)
 +
@@ -9261,11 +9322,11 @@ index 0000000..a225c3b
 +corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
 +corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
 +corenet_udp_bind_all_ports(telepathy_sofiasip_t)
++corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t)
++corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)
 +
 +kernel_request_load_module(telepathy_sofiasip_t)
 +
-+sysnet_read_config(telepathy_sofiasip_t)
-+
 +#######################################
 +#
 +# Telepathy Sunshine local policy.
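Review bot: `corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)` silences every failed TCP bind, including one to the SIP port, which this domain may only connect to (`corenet_tcp_connect_sip_port` above; there is no `corenet_tcp_bind_sip_port`). If sofia-sip tries to listen on the SIP port the denial becomes invisible, and since the domain is declared permissive later in this file the dontaudit hides exactly the AVCs the permissive period exists to collect. Either add `corenet_tcp_bind_sip_port(telepathy_sofiasip_t)` if a SIP listener is expected, or leave the dontaudit out until the domain is enforcing and the real bind pattern is known.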
@@ -9315,9 +9376,9 @@ index 0000000..a225c3b
 +
 +fs_search_auto_mountpoints(telepathy_domain)
 +
-+miscfiles_read_localization(telepathy_domain)
++auth_use_nsswitch(telepathy_domain)
 +
-+sysnet_dns_name_resolve(telepathy_domain)
++miscfiles_read_localization(telepathy_domain)
 +
 +# This interface does not facilitate files_search_tmp which appears to be a bug.
 +userdom_stream_connect(telepathy_domain)
@@ -9339,7 +9400,8 @@ index 0000000..a225c3b
 +')
 +
 +optional_policy(`
-+        nis_use_ypbind(telepathy_domain)
++	gnome_read_generic_cache_files(telepathy_domain)
++	gnome_write_generic_cache_files(telepathy_domain)
 +')
 +
 +optional_policy(`
@@ -9349,6 +9411,26 @@ index 0000000..a225c3b
 +optional_policy(`
 +        xserver_rw_xdm_pipes(telepathy_domain)
 +')
++
++permissive telepathy_gabble_t;
++permissive telepathy_sofiasip_t;
++permissive telepathy_idle_t;
++permissive telepathy_mission_control_t;
++permissive telepathy_salut_t;
++permissive telepathy_sunshine_t;
++permissive telepathy_stream_engine_t;
++permissive telepathy_msn_t;
++
++
++# Just for F15
++
++optional_policy(`
++	gen_require(`
++		role unconfined_r;
++	')
++
++	role unconfined_r types telepathy_domain;
++')
 diff --git a/policy/modules/apps/userhelper.fc b/policy/modules/apps/userhelper.fc
 index e70b0e8..cd83b89 100644
 --- a/policy/modules/apps/userhelper.fc
@@ -12437,7 +12519,7 @@ index 59bae6a..2e55e71 100644
 +/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/dev/hugepages(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index dfe361a..79b4c0f 100644
+index dfe361a..6d0cc0b 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -13107,6 +13189,15 @@ index dfe361a..79b4c0f 100644
  ')
  
  ########################################
+@@ -4317,7 +4737,7 @@ interface(`fs_unmount_all_fs',`
+ ## <desc>
+ ##	<p>
+ ##	Allow the specified domain to
+-##	et the attributes of all filesystems.
++##	get the attributes of all filesystems.
+ ##	Example attributes:
+ ##	</p>
+ ##	<ul>
 @@ -4681,3 +5101,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
@@ -14013,7 +14104,7 @@ index be4de58..cce681a 100644
  ########################################
  #
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..db5a937 100644
+index 2be17d2..fb6c6bd 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,51 @@ policy_module(staff, 2.2.0)
@@ -14068,7 +14159,7 @@ index 2be17d2..db5a937 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -27,25 +66,139 @@ optional_policy(`
+@@ -27,25 +66,137 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14090,8 +14181,6 @@ index 2be17d2..db5a937 100644
 +
 +optional_policy(`
 +	gnome_role(staff_r, staff_t)
-+	gnome_role_gkeyringd(staff, staff_r, staff_t)
-+	permissive staff_gkeyringd_t;
 +')
 +
 +optional_policy(`
@@ -14210,7 +14299,7 @@ index 2be17d2..db5a937 100644
  
  optional_policy(`
  	vlock_run(staff_t, staff_r)
-@@ -89,10 +242,6 @@ ifndef(`distro_redhat',`
+@@ -89,10 +240,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -14221,7 +14310,7 @@ index 2be17d2..db5a937 100644
  		gpg_role(staff_r, staff_t)
  	')
  
-@@ -137,10 +286,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +284,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -14232,7 +14321,7 @@ index 2be17d2..db5a937 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -172,3 +317,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +315,7 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -15287,10 +15376,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..805d0ea
+index 0000000..693d944
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,503 @@
+@@ -0,0 +1,502 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -15588,6 +15677,10 @@ index 0000000..805d0ea
 +	')
 +
 +	optional_policy(`
++		telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)
++	')
++
++	optional_policy(`
 +		oddjob_dbus_chat(unconfined_usertype)
 +	')
 +
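Review bot: `telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)` makes every telepathy binary started by the unconfined user's session bus run as `unconfined_t` (the interface emits `type_transition unconfined_dbusd_t telepathy_executable:process unconfined_t`), and the same commit drops `telepathy_dbus_session_role(unconfined_r, unconfined_t)` from this file, so as far as this patch shows the confined `telepathy_*_t` domains are no longer entered from the unconfined session at all. Judging by the `# Just for F15` block in telepathy.te that is deliberate, but nothing at the call says so; a comment such as `# F15: telepathy helpers spawned by the session bus stay in unconfined_t; the confined telepathy_*_t domains are not used for this role yet` would stop the next reader from assuming the connection managers are confined here. The enclosing optional block begins outside the hunk.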
@@ -15709,10 +15802,6 @@ index 0000000..805d0ea
 +')
 +
 +optional_policy(`
-+	telepathy_dbus_session_role(unconfined_r, unconfined_t)
-+')
-+
-+optional_policy(`
 +	vbetool_run(unconfined_t, unconfined_r)
 +')
 +
@@ -15793,12 +15882,11 @@ index 0000000..805d0ea
 +#
 +
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..dc6b88f 100644
+index e5bfdd4..b56a290 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,75 @@ role user_r;
+@@ -12,15 +12,74 @@ role user_r;
  
  userdom_unpriv_user_template(user)
  
@@ -15825,7 +15913,6 @@ index e5bfdd4..dc6b88f 100644
 +
 +optional_policy(`
 +	gnome_role(user_r, user_t)
-+
 +')
 +
 +optional_policy(`
@@ -15874,7 +15961,7 @@ index e5bfdd4..dc6b88f 100644
  	vlock_run(user_t, user_r)
  ')
  
-@@ -62,10 +122,6 @@ ifndef(`distro_redhat',`
+@@ -62,10 +121,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -15885,7 +15972,7 @@ index e5bfdd4..dc6b88f 100644
  		gpg_role(user_r, user_t)
  	')
  
-@@ -118,11 +174,7 @@ ifndef(`distro_redhat',`
+@@ -118,11 +173,7 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -15898,7 +15985,7 @@ index e5bfdd4..dc6b88f 100644
  	')
  
  	optional_policy(`
-@@ -157,3 +209,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +208,4 @@ ifndef(`distro_redhat',`
  		wireshark_role(user_r, user_t)
  	')
  ')
@@ -21690,10 +21777,10 @@ index 0000000..939d76e
 +')
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
 new file mode 100644
-index 0000000..32289dc
+index 0000000..ee24611
 --- /dev/null
 +++ b/policy/modules/services/colord.te
-@@ -0,0 +1,98 @@
+@@ -0,0 +1,105 @@
 +policy_module(colord,1.0.0)
 +
 +########################################
@@ -21711,6 +21798,9 @@ index 0000000..32289dc
 +type colord_tmp_t;
 +files_tmp_file(colord_tmp_t)
 +
++type colord_tmpfs_t;
++files_tmpfs_file(colord_tmpfs_t)
++
 +permissive colord_t;
 +
 +########################################
@@ -21726,6 +21816,10 @@ index 0000000..32289dc
 +manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 +files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
 +
++manage_dirs_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
++manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
++fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
++
 +manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 +manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 +files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
@@ -23324,7 +23418,7 @@ index a8b93c0..831ce70 100644
  type dante_var_run_t;
  files_pid_file(dante_var_run_t)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 0d5711c..cee56c8 100644
+index 0d5711c..d2d4d9d 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
 @@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -23483,7 +23577,38 @@ index 0d5711c..cee56c8 100644
  ')
  
  ########################################
-@@ -431,14 +473,28 @@ interface(`dbus_system_domain',`
+@@ -321,6 +363,12 @@ interface(`dbus_connect_session_bus',`
+ ##	Allow a application domain to be started
+ ##	by the session dbus.
+ ## </summary>
++## <param name="prefix">
++##	<summary>
++##	The prefix of the dbus session domain (e.g., user
++##	is the prefix for user_t).
++##	</summary>
++## </param>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Type to be used as a domain.
+@@ -335,13 +383,13 @@ interface(`dbus_connect_session_bus',`
+ #
+ interface(`dbus_session_domain',`
+ 	gen_require(`
+-		attribute session_bus_type;
++		type $1_dbusd_t;
+ 	')
+ 
+-	domtrans_pattern(session_bus_type, $2, $1)
++	domtrans_pattern($1_dbusd_t, $2, $3)
+ 
+-	dbus_session_bus_client($1)
+-	dbus_connect_session_bus($1)
++	dbus_session_bus_client($3)
++	dbus_connect_session_bus($3)
+ ')
+ 
+ ########################################
+@@ -431,14 +479,28 @@ interface(`dbus_system_domain',`
  
  	domtrans_pattern(system_dbusd_t, $2, $1)
  
@@ -23513,7 +23638,7 @@ index 0d5711c..cee56c8 100644
  		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
  	')
  ')
-@@ -497,3 +553,23 @@ interface(`dbus_unconfined',`
+@@ -497,3 +559,23 @@ interface(`dbus_unconfined',`
  
  	typeattribute $1 dbusd_unconfined;
  ')
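Review bot: The `<param>` documentation for `dbus_session_domain` no longer matches the code: the rewritten body uses `$2` as the entrypoint file (`domtrans_pattern($1_dbusd_t, $2, $3)`) and `$3` as the new domain, but the doc lists `prefix` followed by `domain`, so a reader following it would call `(prefix, domain, exec)` while the updated gkeyringd caller earlier in this patch uses `(prefix, exec, domain)`. Move the `domain` param block after the entry-point param (the remainder of the `<param>` list is outside the hunk) and state the new requirement in the prefix summary, e.g. `##	A session bus domain $1_dbusd_t must already exist for this prefix.` Changing the arity also means any remaining two-argument `dbus_session_domain(domain, exec)` caller expands with an empty `$3`; the two callers visible in this patch are updated, others are not checked here. Narrowing the source from `session_bus_type` to `$1_dbusd_t` is a genuine least-privilege improvement — only that user's own bus may transition into the domain — and deserves a sentence in the `<desc>`.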
@@ -32178,7 +32303,7 @@ index 2324d9e..8069487 100644
 +	append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..8f8c519 100644
+index 0619395..863ba2d 100644
 --- a/policy/modules/services/networkmanager.te
 +++ b/policy/modules/services/networkmanager.te
 @@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -32239,7 +32364,15 @@ index 0619395..8f8c519 100644
  manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -133,30 +155,37 @@ logging_send_syslog_msg(NetworkManager_t)
+@@ -100,6 +122,7 @@ dev_read_rand(NetworkManager_t)
+ dev_read_urand(NetworkManager_t)
+ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+ dev_getattr_all_chr_files(NetworkManager_t)
++dev_rw_wireless(NetworkManager_t)
+ 
+ fs_getattr_all_fs(NetworkManager_t)
+ fs_search_auto_mountpoints(NetworkManager_t)
+@@ -133,30 +156,37 @@ logging_send_syslog_msg(NetworkManager_t)
  miscfiles_read_localization(NetworkManager_t)
  miscfiles_read_generic_certs(NetworkManager_t)
  
@@ -32279,7 +32412,7 @@ index 0619395..8f8c519 100644
  ')
  
  optional_policy(`
-@@ -172,14 +201,21 @@ optional_policy(`
+@@ -172,14 +202,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32302,7 +32435,7 @@ index 0619395..8f8c519 100644
  	')
  ')
  
-@@ -202,6 +238,17 @@ optional_policy(`
+@@ -202,6 +239,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32320,7 +32453,7 @@ index 0619395..8f8c519 100644
  	iptables_domtrans(NetworkManager_t)
  ')
  
-@@ -219,6 +266,11 @@ optional_policy(`
+@@ -219,6 +267,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32332,7 +32465,7 @@ index 0619395..8f8c519 100644
  	openvpn_domtrans(NetworkManager_t)
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
-@@ -263,6 +315,7 @@ optional_policy(`
+@@ -263,6 +316,7 @@ optional_policy(`
  	vpn_kill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  	vpn_signull(NetworkManager_t)
@@ -35269,7 +35402,7 @@ index 46bee12..37bd751 100644
 +	role $2 types postfix_postdrop_t;
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..3703671 100644
+index 06e37d4..745830e 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
 @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
@@ -35496,7 +35629,16 @@ index 06e37d4..3703671 100644
  rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
  
  postfix_list_spool(postfix_postdrop_t)
-@@ -519,7 +564,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -507,6 +552,8 @@ optional_policy(`
+ # Postfix qmgr local policy
+ #
+ 
++allow postfix_qmgr_t self:fifo_file rw_fifo_file_perms;
++
+ stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+ 
+ rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
+@@ -519,7 +566,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -35505,7 +35647,7 @@ index 06e37d4..3703671 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +584,7 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +586,7 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -35514,7 +35656,7 @@ index 06e37d4..3703671 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -588,10 +633,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +635,16 @@ corecmd_exec_bin(postfix_smtpd_t)
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -35531,7 +35673,7 @@ index 06e37d4..3703671 100644
  ')
  
  optional_policy(`
-@@ -611,8 +662,8 @@ optional_policy(`
+@@ -611,8 +664,8 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -35541,7 +35683,7 @@ index 06e37d4..3703671 100644
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
-@@ -630,3 +681,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +683,8 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -44475,10 +44617,10 @@ index 0000000..b9104b7
 +')
 diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
 new file mode 100644
-index 0000000..a7de540
+index 0000000..90b8072
 --- /dev/null
 +++ b/policy/modules/services/vnstatd.te
-@@ -0,0 +1,73 @@
+@@ -0,0 +1,78 @@
 +policy_module(vnstatd, 1.0.0)
 +
 +########################################
@@ -44516,10 +44658,15 @@ index 0000000..a7de540
 +manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 +files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
 +
++kernel_read_network_state(vnstatd_t)
++kernel_read_system_state(vnstatd_t)
++
 +domain_use_interactive_fds(vnstatd_t)
 +
 +files_read_etc_files(vnstatd_t)
 +
++fs_getattr_xattr_fs(vnstatd_t)
++
 +logging_send_syslog_msg(vnstatd_t)
 +
 +miscfiles_read_localization(vnstatd_t)
@@ -48398,7 +48545,7 @@ index 354ce93..f97fbb7 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..e83c909 100644
+index cc83689..55a53e0 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,41 @@ interface(`init_script_domain',`
@@ -48684,7 +48831,7 @@ index cc83689..e83c909 100644
  ')
  
  ########################################
-@@ -688,19 +843,24 @@ interface(`init_telinit',`
+@@ -688,19 +843,25 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -48701,6 +48848,7 @@ index cc83689..e83c909 100644
  			type init_t;
  		')
  
++		ps_process_pattern($1, init_t)
 +		allow $1 init_t:process signal;
  		# upstart uses a datagram socket instead of initctl pipe
  		allow $1 self:unix_dgram_socket create_socket_perms;
@@ -48710,7 +48858,7 @@ index cc83689..e83c909 100644
  	')
  ')
  
-@@ -773,18 +933,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +934,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -48734,7 +48882,7 @@ index cc83689..e83c909 100644
  	')
  ')
  
-@@ -800,23 +961,45 @@ interface(`init_spec_domtrans_script',`
+@@ -800,23 +962,45 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -48784,7 +48932,7 @@ index cc83689..e83c909 100644
  ##	Execute a init script in a specified domain.
  ## </summary>
  ## <desc>
-@@ -868,9 +1051,14 @@ interface(`init_script_file_domtrans',`
+@@ -868,9 +1052,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -48799,7 +48947,7 @@ index cc83689..e83c909 100644
  	files_search_etc($1)
  ')
  
-@@ -1079,6 +1267,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1268,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -48824,7 +48972,7 @@ index cc83689..e83c909 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1130,12 +1336,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1337,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -48838,7 +48986,7 @@ index cc83689..e83c909 100644
  ')
  
  ########################################
-@@ -1375,6 +1576,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1577,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -48866,7 +49014,7 @@ index cc83689..e83c909 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1461,6 +1683,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1684,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -48892,7 +49040,7 @@ index cc83689..e83c909 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1519,6 +1760,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1761,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -48917,7 +49065,7 @@ index cc83689..e83c909 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1674,7 +1933,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1934,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -48926,7 +49074,7 @@ index cc83689..e83c909 100644
  ')
  
  ########################################
-@@ -1715,6 +1974,74 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1975,74 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file)
  ')
  
@@ -49001,7 +49149,7 @@ index cc83689..e83c909 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2076,139 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2077,139 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -49142,7 +49290,7 @@ index cc83689..e83c909 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..f00a023 100644
+index ea29513..51b8e22 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -49301,7 +49449,7 @@ index ea29513..f00a023 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +234,119 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +234,120 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -49365,7 +49513,8 @@ index ea29513..f00a023 100644
 +	fs_relabel_tmpfs_dirs(init_t)
 +	fs_relabel_tmpfs_files(init_t)
 +	fs_mount_all_fs(init_t)
-+	fs_remount_autofs(init_t)
++	fs_unmount_all_fs(init_t)
++	fs_remount_all_fs(init_t)
 +	fs_list_auto_mountpoints(init_t)
 +	fs_relabel_cgroup_dirs(init_t)
 +	fs_search_cgroup_dirs(daemon)
@@ -49421,7 +49570,7 @@ index ea29513..f00a023 100644
  ')
  
  optional_policy(`
-@@ -199,10 +354,25 @@ optional_policy(`
+@@ -199,10 +355,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49447,7 +49596,7 @@ index ea29513..f00a023 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +382,7 @@ optional_policy(`
+@@ -212,7 +383,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -49456,7 +49605,7 @@ index ea29513..f00a023 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +411,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +412,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -49472,7 +49621,7 @@ index ea29513..f00a023 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +431,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +432,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -49509,7 +49658,7 @@ index ea29513..f00a023 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +464,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +465,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -49517,7 +49666,7 @@ index ea29513..f00a023 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -291,6 +477,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +478,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -49525,7 +49674,7 @@ index ea29513..f00a023 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +485,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +486,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -49541,7 +49690,7 @@ index ea29513..f00a023 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +503,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +504,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -49549,7 +49698,7 @@ index ea29513..f00a023 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +511,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +512,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -49561,7 +49710,7 @@ index ea29513..f00a023 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +530,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +531,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -49575,7 +49724,7 @@ index ea29513..f00a023 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +545,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +546,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -49584,7 +49733,7 @@ index ea29513..f00a023 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +559,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +560,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -49592,7 +49741,7 @@ index ea29513..f00a023 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +571,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +572,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -49600,7 +49749,7 @@ index ea29513..f00a023 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,13 +592,12 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +593,12 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -49616,7 +49765,7 @@ index ea29513..f00a023 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -458,6 +655,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +656,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -49627,7 +49776,7 @@ index ea29513..f00a023 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +679,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +680,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -49636,7 +49785,7 @@ index ea29513..f00a023 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +694,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +695,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -49644,7 +49793,7 @@ index ea29513..f00a023 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +724,29 @@ ifdef(`distro_redhat',`
+@@ -522,8 +725,29 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -49674,7 +49823,7 @@ index ea29513..f00a023 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +754,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +755,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -49692,7 +49841,7 @@ index ea29513..f00a023 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +779,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +780,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -49732,7 +49881,7 @@ index ea29513..f00a023 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +824,8 @@ optional_policy(`
+@@ -561,6 +825,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -49741,7 +49890,7 @@ index ea29513..f00a023 100644
  ')
  
  optional_policy(`
-@@ -577,6 +842,7 @@ optional_policy(`
+@@ -577,6 +843,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -49749,7 +49898,7 @@ index ea29513..f00a023 100644
  ')
  
  optional_policy(`
-@@ -589,6 +855,11 @@ optional_policy(`
+@@ -589,6 +856,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49761,7 +49910,7 @@ index ea29513..f00a023 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +876,13 @@ optional_policy(`
+@@ -605,9 +877,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -49775,7 +49924,7 @@ index ea29513..f00a023 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +924,11 @@ optional_policy(`
+@@ -649,6 +925,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49787,7 +49936,7 @@ index ea29513..f00a023 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -706,7 +986,13 @@ optional_policy(`
+@@ -706,7 +987,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49801,7 +49950,7 @@ index ea29513..f00a023 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1015,10 @@ optional_policy(`
+@@ -729,6 +1016,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49812,7 +49961,7 @@ index ea29513..f00a023 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1028,20 @@ optional_policy(`
+@@ -738,10 +1029,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49833,7 +49982,7 @@ index ea29513..f00a023 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1050,10 @@ optional_policy(`
+@@ -750,6 +1051,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49844,7 +49993,7 @@ index ea29513..f00a023 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1075,6 @@ optional_policy(`
+@@ -771,8 +1076,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -49853,7 +50002,7 @@ index ea29513..f00a023 100644
  ')
  
  optional_policy(`
-@@ -781,14 +1083,21 @@ optional_policy(`
+@@ -781,14 +1084,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49875,7 +50024,7 @@ index ea29513..f00a023 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1109,6 @@ optional_policy(`
+@@ -800,7 +1110,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49883,7 +50032,7 @@ index ea29513..f00a023 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -810,11 +1118,24 @@ optional_policy(`
+@@ -810,11 +1119,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49909,7 +50058,7 @@ index ea29513..f00a023 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1145,25 @@ optional_policy(`
+@@ -824,6 +1146,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -49935,7 +50084,7 @@ index ea29513..f00a023 100644
  ')
  
  optional_policy(`
-@@ -849,3 +1189,42 @@ optional_policy(`
+@@ -849,3 +1190,42 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -55067,7 +55216,7 @@ index ce2fbb9..8b34dbc 100644
 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
 diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 416e668..352e672 100644
+index 416e668..9f3c1c1 100644
 --- a/policy/modules/system/unconfined.if
 +++ b/policy/modules/system/unconfined.if
 @@ -12,27 +12,34 @@
@@ -55118,7 +55267,7 @@ index 416e668..352e672 100644
  
 +	domain_mmap_low($1)
 +
-+	mls_file_read_all_levels($1)
++	mcs_file_read_all($1)
 +
 +	ubac_process_exempt($1)
 +
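Review bot: Swapping `mls_file_read_all_levels($1)` for `mcs_file_read_all($1)` changes which constraint exemption the caller receives: the mcs_ interface only waives MCS category checks for file reads, so on an MLS-enabled build the domain no longer gets the mlsfileread exemption this interface granted before. If that is intended (unconfined domains are normally only present in the targeted/MCS policy), a comment on the new line such as `# bypass MCS category checks for file reads; no MLS exemption is granted here` would stop the next reader from re-adding the mls_ call. The enclosing interface in unconfined.if starts and ends outside this hunk, so I cannot see whether a write-side MCS exemption is granted elsewhere in it; worth confirming the read-only asymmetry is deliberate.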
@@ -55818,7 +55967,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..4984747 100644
+index 28b88de..f690d75 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -56744,7 +56893,7 @@ index 28b88de..4984747 100644
  	##############################
  	#
  	# Local policy
-@@ -874,45 +1030,113 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1030,114 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  
  	auth_role($1_r, $1_t)
@@ -56802,6 +56951,7 @@ index 28b88de..4984747 100644
 +	 # bug: #682499
 +	 optional_policy(`
 +	 	gnome_read_usr_config($1_usertype)
++		gnome_role_gkeyringd($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
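Review bot: The new `gnome_role_gkeyringd($1, $1_r, $1_t)` in userdom_restricted_xwindows_user_template appears to hand restricted X users (xguest-style roles) a per-role keyring daemon domain and the access needed to talk to it, yet it is placed inside the optional_policy block commented only `# bug: #682499`, so nothing marks it as a deliberate widening rather than part of that bug workaround. I would add a line above it, `# run gnome-keyring for restricted X users in their own $1_gkeyringd_t domain`, so the grant is documented where it is made. The sibling call passes `$1_usertype` while this one passes `$1_t`; if other members of the usertype attribute also need to reach the keyring this may be too narrow, so confirm against the callers. The added line is also indented with two tabs while the surrounding lines use tab-space-tab. The template body continues outside this hunk.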
@@ -56869,7 +57019,7 @@ index 28b88de..4984747 100644
  	')
  ')
  
-@@ -947,7 +1171,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1172,7 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -56878,7 +57028,7 @@ index 28b88de..4984747 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,54 +1180,83 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1181,83 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -56992,7 +57142,7 @@ index 28b88de..4984747 100644
  	')
  ')
  
-@@ -1039,7 +1292,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1293,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -57001,7 +57151,7 @@ index 28b88de..4984747 100644
  	')
  
  	##############################
-@@ -1066,6 +1319,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1320,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -57009,7 +57159,7 @@ index 28b88de..4984747 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1074,6 +1328,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1329,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -57019,7 +57169,7 @@ index 28b88de..4984747 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1345,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1346,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -57027,7 +57177,7 @@ index 28b88de..4984747 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1105,10 +1363,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1364,13 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -57041,7 +57191,7 @@ index 28b88de..4984747 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1119,15 +1380,19 @@ template(`userdom_admin_user_template',`
+@@ -1119,15 +1381,19 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -57061,7 +57211,7 @@ index 28b88de..4984747 100644
  
  	term_use_all_terms($1_t)
  
-@@ -1141,7 +1406,10 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1407,10 @@ template(`userdom_admin_user_template',`
  
  	logging_send_syslog_msg($1_t)
  
@@ -57073,7 +57223,7 @@ index 28b88de..4984747 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1478,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1479,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -57082,7 +57232,7 @@ index 28b88de..4984747 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,6 +1492,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1493,7 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -57090,7 +57240,7 @@ index 28b88de..4984747 100644
  
  	auth_relabel_all_files_except_shadow($1)
  	auth_relabel_shadow($1)
-@@ -1237,6 +1508,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1509,7 @@ template(`userdom_security_admin_template',`
  	seutil_run_checkpolicy($1,$2)
  	seutil_run_loadpolicy($1,$2)
  	seutil_run_semanage($1,$2)
@@ -57098,7 +57248,7 @@ index 28b88de..4984747 100644
  	seutil_run_setfiles($1, $2)
  
  	optional_policy(`
-@@ -1279,11 +1551,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1552,37 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -57136,7 +57286,7 @@ index 28b88de..4984747 100644
  	ubac_constrained($1)
  ')
  
-@@ -1395,6 +1693,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1694,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -57144,7 +57294,7 @@ index 28b88de..4984747 100644
  	files_search_home($1)
  ')
  
-@@ -1441,6 +1740,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1741,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -57159,7 +57309,7 @@ index 28b88de..4984747 100644
  ')
  
  ########################################
-@@ -1456,9 +1763,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1764,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -57171,7 +57321,7 @@ index 28b88de..4984747 100644
  ')
  
  ########################################
-@@ -1515,10 +1824,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1825,10 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -57184,7 +57334,7 @@ index 28b88de..4984747 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1526,21 +1835,57 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,21 +1836,57 @@ interface(`userdom_relabelto_user_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -57250,7 +57400,7 @@ index 28b88de..4984747 100644
  ##	<p>
  ##	Do a domain transition to the specified
  ##	domain when executing a program in the
-@@ -1589,6 +1934,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1935,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -57259,7 +57409,7 @@ index 28b88de..4984747 100644
  ')
  
  ########################################
-@@ -1603,10 +1950,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1951,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -57274,7 +57424,7 @@ index 28b88de..4984747 100644
  ')
  
  ########################################
-@@ -1649,6 +1998,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1999,25 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -57300,7 +57450,7 @@ index 28b88de..4984747 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1700,12 +2068,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2069,32 @@ interface(`userdom_read_user_home_content_files',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -57333,7 +57483,7 @@ index 28b88de..4984747 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2104,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2105,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -57351,7 +57501,7 @@ index 28b88de..4984747 100644
  ')
  
  ########################################
-@@ -1779,6 +2170,24 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2171,24 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -57376,7 +57526,7 @@ index 28b88de..4984747 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1810,8 +2219,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2220,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -57386,7 +57536,7 @@ index 28b88de..4984747 100644
  ')
  
  ########################################
-@@ -1827,20 +2235,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2236,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -57411,7 +57561,7 @@ index 28b88de..4984747 100644
  
  ########################################
  ## <summary>
-@@ -2008,7 +2410,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2411,7 @@ interface(`userdom_user_home_dir_filetrans',`
  		type user_home_dir_t;
  	')
  
@@ -57420,7 +57570,7 @@ index 28b88de..4984747 100644
  	files_search_home($1)
  ')
  
-@@ -2182,7 +2584,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2585,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -57429,7 +57579,7 @@ index 28b88de..4984747 100644
  ')
  
  ########################################
-@@ -2435,13 +2837,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2838,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -57445,7 +57595,7 @@ index 28b88de..4984747 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,26 +2865,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2866,6 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -57472,7 +57622,7 @@ index 28b88de..4984747 100644
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2815,7 +3198,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3199,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -57481,7 +57631,7 @@ index 28b88de..4984747 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2831,11 +3214,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3215,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -57497,7 +57647,7 @@ index 28b88de..4984747 100644
  ')
  
  ########################################
-@@ -2917,7 +3302,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3303,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -57506,7 +57656,7 @@ index 28b88de..4984747 100644
  ')
  
  ########################################
-@@ -2972,7 +3357,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3358,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -57553,7 +57703,7 @@ index 28b88de..4984747 100644
  ')
  
  ########################################
-@@ -3009,6 +3432,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3433,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -57561,7 +57711,7 @@ index 28b88de..4984747 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3087,6 +3511,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3512,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -57586,7 +57736,7 @@ index 28b88de..4984747 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3139,3 +3581,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3582,1058 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 30ca4e3..a9f3ec6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,12 +21,11 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-F15.patch
-patch1: policy-dbus.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -203,7 +202,6 @@ Based off of reference policy: Checked out revision  2.20091117
 %prep 
 %setup -n serefpolicy-%{version} -q
 %patch -p1
-%patch1 -p1
 
 %install
 mkdir selinux_config
@@ -473,6 +471,11 @@ exit 0
 %endif
 
 %changelog
+* Mon May 2 2011 Dan Walsh <dwalsh at redhat.com> 3.9.16-21
+- Fixes for colord and vnstatd policy
+- telepathy needs to dbus chat with unconfined_t and unconfined_dbusd_t
+- Remove dbus.patch and move it to policy-F15.patch 
+
 * Fri Apr 29 2011 Dan Walsh <dwalsh at redhat.com> 3.9.16-20
 - Adding in unconfined_r telepathy domains so telepathy apps will not crash on update
 

