[selinux-policy/f15/master] +- Make telepathy working with confined users +- Allow colord signal +- prelink_cron_system_t needs
Miroslav Grepl
mgrepl at fedoraproject.org
Wed May 4 22:25:58 UTC 2011
commit 4dbc45470a345317f39366d8f979125d3cb8385d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu May 5 00:27:17 2011 +0000
+- Make telepathy work with confined users
+- Allow colord signal
+- prelink_cron_system_t needs to be able to detect systemd
+- Allow cupsd_config_t to read user's symlinks in /tmp
policy-F15.patch | 595 ++++++++++++++++++++++++++++++---------------------
selinux-policy.spec | 8 +-
2 files changed, 353 insertions(+), 250 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 9e94667..1b291a4 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -1362,7 +1362,7 @@ index c633aea..c489eec 100644
optional_policy(`
seutil_use_newrole_fds(gcc_config_t)
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..a8ef22f 100644
+index af55369..2abb1a0 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
@@ -1436,11 +1436,13 @@ index af55369..a8ef22f 100644
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -148,17 +163,26 @@ optional_policy(`
+@@ -148,17 +163,28 @@ optional_policy(`
files_read_etc_files(prelink_cron_system_t)
files_search_var_lib(prelink_cron_system_t)
- init_exec(prelink_cron_system_t)
++ fs_search_cgroup_dirs(prelink_cron_system_t)
++
+ init_telinit(prelink_cron_system_t)
libs_exec_ld_so(prelink_cron_system_t)
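Review bot: The new `fs_search_cgroup_dirs(prelink_cron_system_t)` line says nothing about which access it satisfies, and the only hint is the commit message's "detect systemd"; a why-comment above it would keep the next reader from widening it to a read/manage cgroup interface when the next AVC shows up, e.g. `# cron script probes for systemd under the cgroup fs; search only, no read needed`. I am inferring the probe mechanism from the commit message, so confirm the exact path against the AVC before committing the comment. The enclosing block begins and ends outside this hunk.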
@@ -3452,10 +3454,10 @@ index 00a19e3..55075f9 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..f9149e7 100644
+index f5afe78..4c9bd12 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,43 +1,523 @@
+@@ -1,44 +1,605 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
@@ -3699,11 +3701,10 @@ index f5afe78..f9149e7 100644
+## manage gnome homedir content (.config)
+## </summary>
+## <param name="domain">
- ## <summary>
--## Role allowed access
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
++## </summary>
++## </param>
+#
+interface(`gnome_manage_config',`
+ gen_require(`
@@ -3941,6 +3942,65 @@ index f5afe78..f9149e7 100644
+## <summary>
+## read gconf config files
+## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_read_gconf_config',`
++ gen_require(`
++ type gconf_etc_t;
++ ')
++
++ allow $1 gconf_etc_t:dir list_dir_perms;
++ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
++ files_search_etc($1)
++')
++
++#######################################
++## <summary>
++## Manage gconf config files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_manage_gconf_config',`
++ gen_require(`
++ type gconf_etc_t;
++ ')
++
++ allow $1 gconf_etc_t:dir list_dir_perms;
++ manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
++')
++
++########################################
++## <summary>
++## Execute gconf programs in
++## in the caller domain.
++## </summary>
++## <param name="domain">
+ ## <summary>
+-## Role allowed access
++## Domain allowed access.
+ ## </summary>
+ ## </param>
++#
++interface(`gnome_exec_gconf',`
++ gen_require(`
++ type gconfd_exec_t;
++ ')
++
++ can_exec($1, gconfd_exec_t)
++')
++
++########################################
++## <summary>
++## Execute gnome keyringd in the caller domain.
++## </summary>
## <param name="domain">
## <summary>
-## User domain for the role
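Review bot: `gnome_manage_gconf_config` on the new side grants `list_dir_perms` on gconf_etc_t and manage on its files but, unlike `gnome_read_gconf_config` a few lines above, omits `files_search_etc($1)`, so a caller that cannot already search /etc is denied before it reaches the gconf directory; the refpolicy definition this patch replaces (removed further down in the same file) did have that line. Add `files_search_etc($1)` after the `manage_files_pattern` call so the two interfaces are symmetric. `gnome_exec_keyringd`'s header starts at the bottom of this hunk and its body lies outside it.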
@@ -3949,60 +4009,98 @@ index f5afe78..f9149e7 100644
## </param>
#
-interface(`gnome_role',`
-+interface(`gnome_read_gconf_config',`
++interface(`gnome_exec_keyringd',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
- type gconf_tmp_t;
-+ type gconf_etc_t;
++ type gkeyringd_exec_t;
')
- role $1 types gconfd_t;
--
++ can_exec($1, gkeyringd_exec_t)
++ corecmd_search_bin($1)
++')
++
++########################################
++## <summary>
++## Read gconf home files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_read_gconf_home_files',`
++ gen_require(`
++ type gconf_home_t;
++ type data_home_t;
++ ')
+
- domain_auto_trans($2, gconfd_exec_t, gconfd_t)
- allow gconfd_t $2:fd use;
- allow gconfd_t $2:fifo_file write;
- allow gconfd_t $2:unix_stream_socket connectto;
-+ allow $1 gconf_etc_t:dir list_dir_perms;
-+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
-+ files_search_etc($1)
++ userdom_search_user_home_dirs($1)
++ allow $1 gconf_home_t:dir list_dir_perms;
++ allow $1 data_home_t:dir list_dir_perms;
++ read_files_pattern($1, gconf_home_t, gconf_home_t)
++ read_files_pattern($1, data_home_t, data_home_t)
++ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
++ read_lnk_files_pattern($1, data_home_t, data_home_t)
+')
- ps_process_pattern($2, gconfd_t)
-+#######################################
++########################################
+## <summary>
-+## Manage gconf config files
++## Search gkeyringd temporary directories.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`gnome_manage_gconf_config',`
-+ gen_require(`
-+ type gconf_etc_t;
-+ ')
++interface(`gnome_search_gkeyringd_tmp_dirs',`
++ gen_require(`
++ type gkeyringd_tmp_t;
++ ')
- #gnome_stream_connect_gconf_template($1, $2)
- read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
- allow $2 gconfd_t:unix_stream_socket connectto;
-+ allow $1 gconf_etc_t:dir list_dir_perms;
-+ manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
++ files_search_tmp($1)
++ allow $1 gkeyringd_tmp_t:dir search_dir_perms;
')
########################################
## <summary>
-## Execute gconf programs in
-+## Execute gconf programs in
- ## in the caller domain.
+-## in the caller domain.
++## search gconf homedir (.local)
## </summary>
## <param name="domain">
-@@ -56,27 +536,26 @@ interface(`gnome_exec_gconf',`
+ ## <summary>
+@@ -46,37 +607,37 @@ interface(`gnome_role',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_exec_gconf',`
++interface(`gnome_search_gconf',`
+ gen_require(`
+- type gconfd_exec_t;
++ type gconf_home_t;
+ ')
+
+- can_exec($1, gconfd_exec_t)
++ allow $1 gconf_home_t:dir search_dir_perms;
++ userdom_search_user_home_dirs($1)
+ ')
########################################
## <summary>
-## Read gconf config files.
-+## Execute gnome keyringd in the caller domain.
++## Set attributes of Gnome config dirs.
## </summary>
-## <param name="user_domain">
+## <param name="domain">
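Review bot: `gnome_read_gconf_home_files` grants list, read and readlink on `data_home_t` as well as `gconf_home_t`, which is broader than its name suggests; if data_home_t labels the user's whole .local data tree (the neighbouring `gnome_search_gconf` summary only says ".local"), every caller of a "read gconf" interface also gets to read every other application's per-user data stored there. Either say so in the summary — `## Read gconf home files, including all data_home_t (.local) content` — or move the data_home_t rules into a separately named interface so callers opt in explicitly. I cannot see the data_home_t file-context mapping from this hunk, so confirm its scope first.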
@@ -4012,54 +4110,48 @@ index f5afe78..f9149e7 100644
## </param>
#
-template(`gnome_read_gconf_config',`
-+interface(`gnome_exec_keyringd',`
++interface(`gnome_setattr_config_dirs',`
gen_require(`
- type gconf_etc_t;
-+ type gkeyringd_exec_t;
++ type gnome_home_t;
')
- allow $1 gconf_etc_t:dir list_dir_perms;
- read_files_pattern($1, gconf_etc_t, gconf_etc_t)
- files_search_etc($1)
-+ can_exec($1, gkeyringd_exec_t)
-+ corecmd_search_bin($1)
++ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
++ files_search_home($1)
')
-#######################################
+########################################
## <summary>
-## Create, read, write, and delete gconf config files.
-+## Read gconf home files
++## Manage generic gnome home files.
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +563,43 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +645,37 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
-interface(`gnome_manage_gconf_config',`
-+interface(`gnome_read_gconf_home_files',`
++interface(`gnome_manage_generic_home_files',`
gen_require(`
- type gconf_etc_t;
-+ type gconf_home_t;
-+ type data_home_t;
++ type gnome_home_t;
')
- manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
- files_search_etc($1)
+ userdom_search_user_home_dirs($1)
-+ allow $1 gconf_home_t:dir list_dir_perms;
-+ allow $1 data_home_t:dir list_dir_perms;
-+ read_files_pattern($1, gconf_home_t, gconf_home_t)
-+ read_files_pattern($1, data_home_t, data_home_t)
-+ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
-+ read_lnk_files_pattern($1, data_home_t, data_home_t)
++ manage_files_pattern($1, gnome_home_t, gnome_home_t)
')
########################################
## <summary>
-## gconf connection template.
-+## Search gkeyringd temporary directories.
++## Manage generic gnome home directories.
## </summary>
-## <param name="user_domain">
+## <param name="domain">
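Review bot: `gnome_setattr_config_dirs` pairs its setattr rule with `files_search_home($1)`, while the sibling interfaces in this hunk (`gnome_manage_generic_home_files`, `gnome_manage_generic_home_dirs`) use `userdom_search_user_home_dirs($1)`; a search grant on /home alone does not reach a gnome_home_t directory inside the user's home directory, so the setattr permission is likely unusable unless the caller obtains that search elsewhere. Change the line to `userdom_search_user_home_dirs($1)` for consistency. This is carried over from the refpolicy version being removed rather than introduced here, but the new side is what ships.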
@@ -4069,140 +4161,76 @@ index f5afe78..f9149e7 100644
## </param>
#
-interface(`gnome_stream_connect_gconf',`
-+interface(`gnome_search_gkeyringd_tmp_dirs',`
++interface(`gnome_manage_generic_home_dirs',`
gen_require(`
- type gconfd_t, gconf_tmp_t;
-+ type gkeyringd_tmp_t;
++ type gnome_home_t;
')
- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
- allow $1 gconfd_t:unix_stream_socket connectto;
-+ files_search_tmp($1)
-+ allow $1 gkeyringd_tmp_t:dir search_dir_perms;
++ userdom_search_user_home_dirs($1)
++ allow $1 gnome_home_t:dir manage_dir_perms;
')
########################################
## <summary>
-## Run gconfd in gconfd domain.
-+## search gconf homedir (.local)
++## Append gconf home files
## </summary>
## <param name="domain">
## <summary>
-@@ -122,12 +607,13 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +683,17 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
-interface(`gnome_domtrans_gconfd',`
-+interface(`gnome_search_gconf',`
++interface(`gnome_append_gconf_home_files',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
+ type gconf_home_t;
')
- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
-+ allow $1 gconf_home_t:dir search_dir_perms;
-+ userdom_search_user_home_dirs($1)
++ append_files_pattern($1, gconf_home_t, gconf_home_t)
')
########################################
-@@ -151,40 +637,328 @@ interface(`gnome_setattr_config_dirs',`
-
- ########################################
## <summary>
--## Read gnome homedir content (.config)
-+## Manage generic gnome home files.
+-## Set attributes of Gnome config dirs.
++## manage gconf home files
## </summary>
--## <param name="user_domain">
-+## <param name="domain">
+ ## <param name="domain">
## <summary>
- ## Domain allowed access.
+@@ -140,51 +701,307 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
--template(`gnome_read_config',`
-+interface(`gnome_manage_generic_home_files',`
+-interface(`gnome_setattr_config_dirs',`
++interface(`gnome_manage_gconf_home_files',`
gen_require(`
- type gnome_home_t;
+- type gnome_home_t;
++ type gconf_home_t;
')
-- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
-- read_files_pattern($1, gnome_home_t, gnome_home_t)
-- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
-+ userdom_search_user_home_dirs($1)
-+ manage_files_pattern($1, gnome_home_t, gnome_home_t)
+- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+- files_search_home($1)
++ allow $1 gconf_home_t:dir list_dir_perms;
++ manage_files_pattern($1, gconf_home_t, gconf_home_t)
')
########################################
## <summary>
--## manage gnome homedir content (.config)
-+## Manage generic gnome home directories.
- ## </summary>
--## <param name="user_domain">
-+## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`gnome_manage_config',`
-+interface(`gnome_manage_generic_home_dirs',`
- gen_require(`
- type gnome_home_t;
- ')
-
-+ userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir manage_dir_perms;
-- allow $1 gnome_home_t:file manage_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Append gconf home files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`gnome_append_gconf_home_files',`
-+ gen_require(`
-+ type gconf_home_t;
-+ ')
-+
-+ append_files_pattern($1, gconf_home_t, gconf_home_t)
-+')
-+
-+########################################
-+## <summary>
-+## manage gconf home files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`gnome_manage_gconf_home_files',`
-+ gen_require(`
-+ type gconf_home_t;
-+ ')
-+
-+ allow $1 gconf_home_t:dir list_dir_perms;
-+ manage_files_pattern($1, gconf_home_t, gconf_home_t)
-+')
-+
-+########################################
-+## <summary>
+-## Read gnome homedir content (.config)
+## Connect to gnome over an unix stream socket.
-+## </summary>
+ ## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+## <param name="user_domain">
-+## <summary>
+ ## <param name="user_domain">
+ ## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
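Review bot: `gnome_append_gconf_home_files` and `gnome_manage_gconf_home_files` grant access to gconf_home_t content but, unlike `gnome_read_gconf_home_files` in this same file, never call `userdom_search_user_home_dirs($1)`, so a caller with no other route into the user's home directory cannot reach the files these interfaces are meant to open. Add `userdom_search_user_home_dirs($1)` as the first statement of each, matching the read variant. The remaining interfaces in this hunk (`gnome_list_home_config` onward) are cut off at the hunk boundary.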
@@ -4222,12 +4250,14 @@ index f5afe78..f9149e7 100644
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-template(`gnome_read_config',`
+interface(`gnome_list_home_config',`
-+ gen_require(`
+ gen_require(`
+- type gnome_home_t;
+ type config_home_t;
+ ')
+
@@ -4266,23 +4296,28 @@ index f5afe78..f9149e7 100644
+interface(`gnome_read_home_config',`
+ gen_require(`
+ type config_home_t;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
+- read_files_pattern($1, gnome_home_t, gnome_home_t)
+- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
+ list_dirs_pattern($1, config_home_t, config_home_t)
+ read_files_pattern($1, config_home_t, config_home_t)
+ read_lnk_files_pattern($1, config_home_t, config_home_t)
-+')
-+
-+########################################
-+## <summary>
-+## manage gnome homedir content (.config)
-+## </summary>
+ ')
+
+ ########################################
+ ## <summary>
+ ## manage gnome homedir content (.config)
+ ## </summary>
+-## <param name="user_domain">
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_manage_config',`
+template(`gnome_manage_home_config',`
+ gen_require(`
+ type config_home_t;
@@ -4368,10 +4403,12 @@ index f5afe78..f9149e7 100644
+## </param>
+#
+interface(`gnome_home_dir_filetrans',`
-+ gen_require(`
-+ type gnome_home_t;
-+ ')
-+
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+- allow $1 gnome_home_t:dir manage_dir_perms;
+- allow $1 gnome_home_t:file manage_file_perms;
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
userdom_search_user_home_dirs($1)
')
@@ -4444,6 +4481,49 @@ index f5afe78..f9149e7 100644
+ allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
+')
+
++#######################################
++## <summary>
++## Execute gnome-keyring executable
++## in the specified domain.
++## </summary>
++## <desc>
++## <p>
++## Execute a telepathy executable
++## in the specified domain. This allows
++## the specified domain to execute any file
++## on these filesystems in the specified
++## domain.
++## </p>
++## <p>
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++## </p>
++## <p>
++## This interface was added to handle
++## the ssh-agent policy.
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="target_domain">
++## <summary>
++## The type of the new process.
++## </summary>
++## </param>
++#
++interface(`gnome_command_domtrans_gkeyringd', `
++ gen_require(`
++ type gkeyringd_exec_t;
++ ')
++
++ allow $2 gkeyringd_exec_t:file entrypoint;
++ domain_transition_pattern($1, gkeyringd_exec_t, $2)
++ type_transition $1 gkeyringd_exec_t:process $2;
++')
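Review bot: The `<desc>` of `gnome_command_domtrans_gkeyringd` is copied from another interface — it speaks of "a telepathy executable", "any file on these filesystems" and "the ssh-agent policy", none of which apply to a single gkeyringd_exec_t entrypoint — so the generated interface documentation will mislead callers. Rewrite it to say that `$1` transitions to `$2` when executing the gnome-keyring daemon, that `$2` is granted `gkeyringd_exec_t:file entrypoint`, and that no fd/fifo/sigchld rules are given (so, unlike `domtrans_pattern`, the parent cannot pass descriptors to the child). Because the interface hands an entrypoint on gkeyringd_exec_t to whatever domain is passed as `$2`, the description should also state that callers must only name a domain their own module owns. The three rules look like the `domain_auto_transition_pattern` expansion, if this policy's misc_patterns provides that macro; using it would make the intent explicit.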
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
index 2505654..95f89db 100644
--- a/policy/modules/apps/gnome.te
@@ -8793,7 +8873,7 @@ index 0000000..8a7ed4f
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
new file mode 100644
-index 0000000..16ff623
+index 0000000..7023ea2
--- /dev/null
+++ b/policy/modules/apps/telepathy.if
@@ -0,0 +1,264 @@
@@ -8879,14 +8959,14 @@ index 0000000..16ff623
+ telepathy_msn_stream_connect($2)
+ telepathy_salut_stream_connect($2)
+
-+ dbus_session_domain($2, telepathy_gabble_exec_t, telepathy_gabble_t)
-+ dbus_session_domain($2, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
-+ dbus_session_domain($2, telepathy_idle_exec_t, telepathy_idle_t)
-+ dbus_session_domain($2, telepathy_mission_control_exec_t, telepathy_mission_control_t)
-+ dbus_session_domain($2, telepathy_salut_exec_t, telepathy_salut_t)
-+ dbus_session_domain($2, telepathy_sunshine_exec_t, telepathy_sunshine_t)
-+ dbus_session_domain($2, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
-+ dbus_session_domain($2, telepathy_msn_exec_t, telepathy_msn_t)
++ dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t)
++ dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
++ dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t)
++ dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t)
++ dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t)
++ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
++ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
++ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
+')
+
+########################################
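Review bot: Switching the first argument of every `dbus_session_domain` call from `$2` to `$3` introduces a third parameter to `telepathy_dbus_session_role`, but the interface's `<param>` header, which lives above this hunk, is not updated here; add `## <param name="prefix">` with a summary such as `The prefix of the user domain (e.g. staff for staff_t).` so the generated docs match the new signature. The change agrees with the `telepathy_dbus_session_role($1_r, $1_t, $1)` call this commit adds in userdomain.if, where `$1` is the user prefix; passing the domain type as before would have handed dbus_session_domain a type name where it expects a prefix, which I infer rather than see from this hunk. The interface body starts outside the hunk.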
@@ -14104,7 +14184,7 @@ index be4de58..cce681a 100644
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..fb6c6bd 100644
+index 2be17d2..01d3647 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,51 @@ policy_module(staff, 2.2.0)
@@ -14273,9 +14353,9 @@ index 2be17d2..fb6c6bd 100644
+ sudo_role_template(staff, staff_r, staff_t)
+')
+
-+optional_policy(`
-+ telepathy_dbus_session_role(staff_r, staff_t)
-+')
++#optional_policy(`
++ #telepathy_dbus_session_role(staff_r, staff_t, staff)
++#')
+
+optional_policy(`
+ userhelper_console_role_template(staff, staff_r, staff_usertype)
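Review bot: The telepathy block is commented out instead of removed, with `#optional_policy(` and `#')` at one indent and `#telepathy_dbus_session_role(...)` at another, which reads as abandoned code rather than a deliberate decision. If the call is now supplied by the `telepathy_dbus_session_role($1_r, $1_t, $1)` this commit adds to `userdom_restricted_xwindows_user_template`, delete the three lines and leave a one-line pointer such as `# telepathy session role comes from userdom_restricted_xwindows_user_template`; if it was disabled because it still breaks, name the failure in the comment instead.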
@@ -15376,10 +15456,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..693d944
+index 0000000..dc3f3b7
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,502 @@
+@@ -0,0 +1,503 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -15666,6 +15746,7 @@ index 0000000..693d944
+ optional_policy(`
+ gnomeclock_dbus_chat(unconfined_usertype)
+ gnome_dbus_chat_gconfdefault(unconfined_usertype)
++ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
+ ')
+
+ optional_policy(`
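Review bot: `gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)` is the only multi-argument call in this block without a space after the comma; the file writes such calls as `name(a, b)`. It also warrants a why-comment, since it makes the keyring daemon spawned by the session bus run as unconfined_t instead of a separate gkeyringd domain — e.g. `# keyring daemon started by the session bus stays in the user's unconfined domain`. The enclosing optional_policy block begins above this hunk.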
@@ -15883,7 +15964,7 @@ index 0000000..693d944
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..b56a290 100644
+index e5bfdd4..4ac582b 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -12,15 +12,74 @@ role user_r;
@@ -15953,9 +16034,9 @@ index e5bfdd4..b56a290 100644
+ setroubleshoot_dontaudit_stream_connect(user_t)
+')
+
-+optional_policy(`
-+ telepathy_dbus_session_role(user_r, user_t)
-+')
++#optional_policy(`
++ #telepathy_dbus_session_role(user_r, user_t, user)
++#')
+
+optional_policy(`
vlock_run(user_t, user_r)
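Review bot: As in staff.te, the telepathy call here is left as commented-out code with mismatched comment indentation rather than deleted; since this commit moves the equivalent call into `userdom_restricted_xwindows_user_template`, remove the three lines and, if a reminder is wanted, keep only `# telepathy session role is applied by the user template`.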
@@ -16003,7 +16084,7 @@ index 0ecc786..dbf2710 100644
userdom_dontaudit_search_user_home_dirs(webadm_t)
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index e88b95f..9d37855 100644
+index e88b95f..69ade9e 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
@@ -16092,9 +16173,10 @@ index e88b95f..9d37855 100644
+
+optional_policy(`
+ gnome_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- mozilla_role(xguest_r, xguest_t)
+ gnomeclock_dontaudit_dbus_chat(xguest_t)
+')
+
@@ -16104,10 +16186,9 @@ index e88b95f..9d37855 100644
+
+optional_policy(`
+ mono_role_template(xguest, xguest_r, xguest_t)
- ')
-
- optional_policy(`
-- mozilla_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
+ mozilla_run_plugin(xguest_t, xguest_r)
+')
+
@@ -16162,9 +16243,9 @@ index e88b95f..9d37855 100644
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
')
+
-+ optional_policy(`
-+ telepathy_dbus_session_role(xguest_r, xguest_t)
-+ ')
++# optional_policy(`
++ #telepathy_dbus_session_role(xguest_r, xguest_t, xguest)
++# ')
+')
+
+optional_policy(`
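Review bot: The disabled telepathy call uses yet another commenting style (`# optional_policy(` with a space, `#telepathy…` without), and it sits inside a block whose opening is above this hunk, so a reader cannot tell whether the surrounding `')` still balances; delete the three commented lines outright, given that the same grant now comes from `userdom_restricted_xwindows_user_template` in this commit, or replace them with a single `# telepathy session role is applied by the user template` comment.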
@@ -21777,10 +21858,10 @@ index 0000000..939d76e
+')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
-index 0000000..ee24611
+index 0000000..52ad073
--- /dev/null
+++ b/policy/modules/services/colord.te
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,109 @@
+policy_module(colord,1.0.0)
+
+########################################
@@ -21807,6 +21888,9 @@ index 0000000..ee24611
+#
+# colord local policy
+#
++
++allow colord_t self:process signal;
++
+allow colord_t self:fifo_file rw_fifo_file_perms;
+allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow colord_t self:udp_socket create_socket_perms;
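Review bot: The new `allow colord_t self:process signal;` is dropped between the section header and the existing `self:` rules with an extra blank line on each side; the refpolicy layout keeps all `self` rules together after a single blank line, so place it directly above `allow colord_t self:fifo_file rw_fifo_file_perms;` with no blank line separating them. No functional concern — signal to self is benign.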
@@ -21845,6 +21929,7 @@ index 0000000..ee24611
+
+domain_use_interactive_fds(colord_t)
+
++files_list_mnt(colord_t)
+files_read_etc_files(colord_t)
+files_read_usr_files(colord_t)
+
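Review bot: `files_list_mnt(colord_t)` grants directory listing of /mnt without saying why; if the daemon scans mounted media for color profiles, listing alone will not let it read them and a follow-up AVC is likely, so a comment would help the next person, e.g. `# colord enumerates /mnt; listing only — revisit if profile reads are also denied`. I am inferring the motive; citing the AVC that prompted the line is better if it is known.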
@@ -23072,7 +23157,7 @@ index 305ddf4..777091a 100644
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..cda064a 100644
+index 0f28095..a3a6265 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -23184,11 +23269,12 @@ index 0f28095..cda064a 100644
files_search_all_mountpoints(cupsd_config_t)
-@@ -425,11 +438,10 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +438,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
+userdom_rw_user_tmp_files(cupsd_config_t)
++userdom_read_user_tmp_symlinks(cupsd_config_t)
cups_stream_connect(cupsd_config_t)
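Review bot: `userdom_read_user_tmp_symlinks(cupsd_config_t)` next to the existing `userdom_rw_user_tmp_files(cupsd_config_t)` lets a root-running configuration helper follow a symlink that any logged-in user can plant in /tmp and then read/write whichever user_tmp_t file it points at — type enforcement still limits the target to user_tmp_t, but not to the requesting user's own files. Record the triggering use case so the pair is not widened later, e.g. `# printer config helper is handed files under /tmp via user symlinks; follow them, but only into user_tmp_t`; I am inferring the client from the commit message, so confirm. If the calling application can label its handoff files with a narrower type than user_tmp_t, prefer that to this grant.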
@@ -23197,7 +23283,7 @@ index 0f28095..cda064a 100644
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
-@@ -453,6 +465,10 @@ optional_policy(`
+@@ -453,6 +466,10 @@ optional_policy(`
')
optional_policy(`
@@ -23208,7 +23294,7 @@ index 0f28095..cda064a 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +483,10 @@ optional_policy(`
+@@ -467,6 +484,10 @@ optional_policy(`
')
optional_policy(`
@@ -23219,7 +23305,7 @@ index 0f28095..cda064a 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -587,13 +607,17 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,13 +608,17 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -23239,7 +23325,7 @@ index 0f28095..cda064a 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_auto_mountpoints(cups_pdf_t)
-@@ -606,6 +630,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -606,6 +631,10 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(cups_pdf_t)
')
@@ -23250,7 +23336,7 @@ index 0f28095..cda064a 100644
########################################
#
# HPLIP local policy
-@@ -639,7 +667,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +668,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -23259,7 +23345,7 @@ index 0f28095..cda064a 100644
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +713,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +714,7 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -23267,7 +23353,7 @@ index 0f28095..cda064a 100644
logging_send_syslog_msg(hplip_t)
-@@ -696,8 +725,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +726,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -25802,7 +25888,7 @@ index 6bef7f8..464669c 100644
+ admin_pattern($1, exim_var_run_t)
+')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
-index f28f64b..18c3c33 100644
+index f28f64b..0b19f11 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -6,24 +6,24 @@ policy_module(exim, 1.5.0)
@@ -25813,7 +25899,7 @@ index f28f64b..18c3c33 100644
-## Allow exim to connect to databases (postgres, mysql)
-## </p>
+## <p>
-+## Allow exim to connect to databases (postgres, mysql)
++## Allow exim to connect to databases (PostgreSQL, MySQL)
+## </p>
## </desc>
gen_tunable(exim_can_connect_db, false)
@@ -26084,7 +26170,7 @@ index 0000000..84d1768
+')
diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
new file mode 100644
-index 0000000..b439f82
+index 0000000..0e3e71d
--- /dev/null
+++ b/policy/modules/services/firewalld.te
@@ -0,0 +1,70 @@
@@ -26115,7 +26201,7 @@ index 0000000..b439f82
+#
+# firewalld local policy
+#
-+
++dontaudit firewalld_t self:capability sys_tty_config;
+allow firewalld_t self:fifo_file rw_fifo_file_perms;
+allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
+
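Review bot: `dontaudit firewalld_t self:capability sys_tty_config;` replaces the blank separator after the `# firewalld local policy` header rather than following it, so the header now abuts the first rule; restore the blank line and place the dontaudit after it. A short why-comment such as `# harmless tty ioctl at startup; silence only, do not allow` would also stop someone later turning it into an allow — I am inferring the cause, so confirm against the original AVC.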
@@ -31437,14 +31523,14 @@ index 64268e4..0d7da33 100644
+ exim_manage_log(user_mail_domain)
+')
diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
-index fd71d69..2e9f2a3 100644
+index fd71d69..bf90863 100644
--- a/policy/modules/services/munin.fc
+++ b/policy/modules/services/munin.fc
@@ -51,6 +51,7 @@
/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/munin_* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
@@ -35876,7 +35962,7 @@ index 09aeffa..dd70b14 100644
postgresql_tcp_connect($1)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 8ed5067..f31634f 100644
+index 8ed5067..a5603cd 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,16 +19,16 @@ gen_require(`
@@ -35887,7 +35973,7 @@ index 8ed5067..f31634f 100644
-## Allow unprived users to execute DDL statement
-## </p>
+## <p>
-+## Allow unprived users to execute DDL statement
++## Allow unprivileged users to execute DDL statement
+## </p>
## </desc>
gen_tunable(sepgsql_enable_users_ddl, true)
@@ -36586,7 +36672,7 @@ index 2855a44..0456b11 100644
type puppet_tmp_t;
')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..69fa687 100644
+index 64c5f95..ebb9b4d 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
@@ -36604,7 +36690,7 @@ index 64c5f95..69fa687 100644
## <p>
-## Allow Puppet client to manage all file
-## types.
-+## Allow Puppet master to use connect to mysql and postgresql database
++## Allow Puppet master to use connect to MySQL and PostgreSQL database
## </p>
## </desc>
-gen_tunable(puppet_manage_all_files, false)
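Review bot: The rewritten tunable description still reads `Allow Puppet master to use connect to MySQL and PostgreSQL database`, keeping the original's stray "use"; since this text is what administrators see in boolean listings, change the line to `## Allow Puppet master to connect to MySQL and PostgreSQL databases`.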
@@ -47085,10 +47171,10 @@ index c26ecf5..b906c48 100644
diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
new file mode 100644
-index 0000000..72059b2
+index 0000000..28cd477
--- /dev/null
+++ b/policy/modules/services/zarafa.fc
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,33 @@
+
+/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
+
@@ -47102,6 +47188,8 @@ index 0000000..72059b2
+
+/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
+
++/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
++
+/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
+
+/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0)
@@ -47110,6 +47198,7 @@ index 0000000..72059b2
+/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
+/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
+/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
++/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
+/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
+
+/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
@@ -47117,6 +47206,7 @@ index 0000000..72059b2
+/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
+/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
++/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
+/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
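Review bot: `/var/run/zarafa-indexer -- gen_context(...zarafa_indexer_var_run_t...)` restricts the match to regular files, yet the `stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)` this commit adds in zarafa.te treats that path as a unix socket; a socket there would not match a `--` entry, would keep the /var/run default label on relabel, and the server's connect would be denied. If it is a socket, use `-s` as the existing `/var/run/zarafa -s` entry does: `/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)`. If the daemon writes a pid file there instead, keep `--` but name it `\.pid` like its siblings.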
diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
new file mode 100644
@@ -47248,10 +47338,10 @@ index 0000000..8a909f5
+')
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
new file mode 100644
-index 0000000..fec9997
+index 0000000..850b8b5
--- /dev/null
+++ b/policy/modules/services/zarafa.te
-@@ -0,0 +1,141 @@
+@@ -0,0 +1,146 @@
+policy_module(zarafa, 1.0.0)
+
+########################################
@@ -47262,6 +47352,7 @@ index 0000000..fec9997
+attribute zarafa_domain;
+
+zarafa_domain_template(monitor)
++zarafa_domain_template(indexer)
+zarafa_domain_template(ical)
+zarafa_domain_template(server)
+zarafa_domain_template(spooler)
@@ -47283,6 +47374,8 @@ index 0000000..fec9997
+type zarafa_share_t;
+files_type(zarafa_share_t)
+
++permissive zarafa_indexer_t;
++
+########################################
+#
+# zarafa-deliver local policy
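Review bot: `permissive zarafa_indexer_t;` ships the new indexer domain with enforcement disabled, so every access the policy does not allow is logged and then granted — the domain is effectively unconfined until the line is removed. That is acceptable for collecting AVCs during bring-up, but it should be marked as temporary with its tracking reference, e.g. `# TODO: drop once indexer accesses are collected (bug #...)`, and revisited before release. Placing the statement next to the indexer's own local-policy section rather than among the type declarations would also make it easier to find when it is time to remove it.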
@@ -47311,6 +47404,8 @@ index 0000000..fec9997
+manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir })
+
++stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
++
+corenet_tcp_bind_zarafa_port(zarafa_server_t)
+
+files_read_usr_files(zarafa_server_t)
@@ -55967,7 +56062,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..f690d75 100644
+index 28b88de..b7339b1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -56893,7 +56988,7 @@ index 28b88de..f690d75 100644
##############################
#
# Local policy
-@@ -874,45 +1030,114 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1030,116 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -56952,6 +57047,8 @@ index 28b88de..f690d75 100644
+ optional_policy(`
+ gnome_read_usr_config($1_usertype)
+ gnome_role_gkeyringd($1, $1_r, $1_t)
++ # cjp: telepathy F15 bugs
++ telepathy_dbus_session_role($1_r, $1_t, $1)
')
optional_policy(`
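Review bot: `telepathy_dbus_session_role($1_r, $1_t, $1)` is placed inside the optional_policy block that also carries `gnome_read_usr_config` and `gnome_role_gkeyringd`; an optional block is enabled or dropped as a unit, so on a build without the telepathy module the confined-user templates would silently lose the gnome rules as well. Give the call its own block: `optional_policy(\`` / `telepathy_dbus_session_role($1_r, $1_t, $1)` / `')`. The comment `# cjp: telepathy F15 bugs` does not tell a later reader what is being fixed; replace it with one naming the behaviour and the tracker, e.g. `# let confined users use telepathy over the session bus (bz <BUG-ID>)`. The enclosing userdom_restricted_xwindows_user_template starts and ends outside this hunk, and one blank context line appears to have been lost in rendering.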
@@ -57019,7 +57116,7 @@ index 28b88de..f690d75 100644
')
')
-@@ -947,7 +1172,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1174,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -57028,7 +57125,7 @@ index 28b88de..f690d75 100644
userdom_common_user_template($1)
##############################
-@@ -956,54 +1181,83 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1183,83 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -57142,7 +57239,7 @@ index 28b88de..f690d75 100644
')
')
-@@ -1039,7 +1293,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1295,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -57151,7 +57248,7 @@ index 28b88de..f690d75 100644
')
##############################
-@@ -1066,6 +1320,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1322,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -57159,7 +57256,7 @@ index 28b88de..f690d75 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1329,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1331,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -57169,7 +57266,7 @@ index 28b88de..f690d75 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1346,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1348,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -57177,7 +57274,7 @@ index 28b88de..f690d75 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1364,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1366,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -57191,7 +57288,7 @@ index 28b88de..f690d75 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,15 +1381,19 @@ template(`userdom_admin_user_template',`
+@@ -1119,15 +1383,19 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -57211,7 +57308,7 @@ index 28b88de..f690d75 100644
term_use_all_terms($1_t)
-@@ -1141,7 +1407,10 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1409,10 @@ template(`userdom_admin_user_template',`
logging_send_syslog_msg($1_t)
@@ -57223,7 +57320,7 @@ index 28b88de..f690d75 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1479,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1481,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -57232,7 +57329,7 @@ index 28b88de..f690d75 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,6 +1493,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1495,7 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -57240,7 +57337,7 @@ index 28b88de..f690d75 100644
auth_relabel_all_files_except_shadow($1)
auth_relabel_shadow($1)
-@@ -1237,6 +1509,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1511,7 @@ template(`userdom_security_admin_template',`
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -57248,7 +57345,7 @@ index 28b88de..f690d75 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1279,11 +1552,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1554,37 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -57286,7 +57383,7 @@ index 28b88de..f690d75 100644
ubac_constrained($1)
')
-@@ -1395,6 +1694,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1696,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -57294,7 +57391,7 @@ index 28b88de..f690d75 100644
files_search_home($1)
')
-@@ -1441,6 +1741,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1743,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -57309,7 +57406,7 @@ index 28b88de..f690d75 100644
')
########################################
-@@ -1456,9 +1764,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1766,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -57321,7 +57418,7 @@ index 28b88de..f690d75 100644
')
########################################
-@@ -1515,10 +1825,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1827,10 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -57334,7 +57431,7 @@ index 28b88de..f690d75 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1526,21 +1836,57 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,21 +1838,57 @@ interface(`userdom_relabelto_user_home_dirs',`
## </summary>
## </param>
#
@@ -57400,7 +57497,7 @@ index 28b88de..f690d75 100644
## <p>
## Do a domain transition to the specified
## domain when executing a program in the
-@@ -1589,6 +1935,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1937,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -57409,7 +57506,7 @@ index 28b88de..f690d75 100644
')
########################################
-@@ -1603,10 +1951,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1953,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -57424,7 +57521,7 @@ index 28b88de..f690d75 100644
')
########################################
-@@ -1649,6 +1999,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2001,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -57450,7 +57547,7 @@ index 28b88de..f690d75 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1700,12 +2069,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2071,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -57483,7 +57580,7 @@ index 28b88de..f690d75 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2105,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2107,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -57501,7 +57598,7 @@ index 28b88de..f690d75 100644
')
########################################
-@@ -1779,6 +2171,24 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2173,24 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -57526,7 +57623,7 @@ index 28b88de..f690d75 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1810,8 +2220,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2222,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -57536,7 +57633,7 @@ index 28b88de..f690d75 100644
')
########################################
-@@ -1827,20 +2236,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2238,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -57561,7 +57658,7 @@ index 28b88de..f690d75 100644
########################################
## <summary>
-@@ -2008,7 +2411,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2413,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -57570,7 +57667,7 @@ index 28b88de..f690d75 100644
files_search_home($1)
')
-@@ -2182,7 +2585,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2587,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -57579,7 +57676,7 @@ index 28b88de..f690d75 100644
')
########################################
-@@ -2435,13 +2838,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2840,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -57595,7 +57692,7 @@ index 28b88de..f690d75 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,26 +2866,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2868,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -57622,7 +57719,7 @@ index 28b88de..f690d75 100644
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2815,7 +3199,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3201,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -57631,7 +57728,7 @@ index 28b88de..f690d75 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3215,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3217,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -57647,7 +57744,7 @@ index 28b88de..f690d75 100644
')
########################################
-@@ -2917,7 +3303,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3305,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -57656,7 +57753,7 @@ index 28b88de..f690d75 100644
')
########################################
-@@ -2972,7 +3358,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3360,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -57703,7 +57800,7 @@ index 28b88de..f690d75 100644
')
########################################
-@@ -3009,6 +3433,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3435,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -57711,7 +57808,7 @@ index 28b88de..f690d75 100644
kernel_search_proc($1)
')
-@@ -3087,6 +3512,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3514,24 @@ interface(`userdom_signal_all_users',`
########################################
## <summary>
@@ -57736,7 +57833,7 @@ index 28b88de..f690d75 100644
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
-@@ -3139,3 +3582,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3584,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a9f3ec6..1e408e7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 21%{?dist}
+Release: 22%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,12 @@ exit 0
%endif
%changelog
+* Thu May 5 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-22
+- Make telepathy working with confined users
+- Allow colord signal
+- prelink_cron_system_t needs to be able to detect systemd
+- Allow cupsd_config_t to read user's symlinks in /tmp
+
* Mon May 2 2011 Dan Walsh <dwalsh at redhat.com> 3.9.16-21
- Fixes for colord and vnstatd policy
- telepathy needs to dbus chat with unconfined_t and unconfined_dbusd_t