[selinux-policy/f14/master] - Allow aisexec domtrans to corosync domain - Allow kadmind setsched - Allow mailman to read/write

Miroslav Grepl mgrepl at fedoraproject.org
Tue May 10 10:53:20 UTC 2011


commit 51be3241e2bec707c016d7849bcf86481a96ed81
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue May 10 12:54:59 2011 +0000

    - Allow aisexec domtrans to corosync domain
    - Allow kadmind setsched
    - Allow mailman to read/write postfix master pipes
    - Remove remote_login_tmp_t and allow remote_login to create and manage user tmp files
    - Allow spamd to send mail
    - Allow sshd getcap
    - Add tgtd_var_run_t type
    - Allow vnstatd to read system state

 policy-F14.patch    |  264 ++++++++++++++++++++++++++++++++++++++++-----------
 selinux-policy.spec |   12 ++-
 2 files changed, 219 insertions(+), 57 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index db755c2..21d24af 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -3740,7 +3740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.9.7/policy/modules/apps/gnome.te
 --- nsaserefpolicy/policy/modules/apps/gnome.te	2010-10-12 20:42:51.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/apps/gnome.te	2011-03-18 16:33:37.244630000 +0000
++++ serefpolicy-3.9.7/policy/modules/apps/gnome.te	2011-05-09 17:54:19.836771000 +0000
 @@ -6,11 +6,24 @@
  #
  
@@ -3793,7 +3793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
  ##############################
  #
  # Local Policy
-@@ -75,3 +100,91 @@
+@@ -75,3 +100,93 @@
  	xserver_use_xdm_fds(gconfd_t)
  	xserver_rw_xdm_pipes(gconfd_t)
  ')
@@ -3866,6 +3866,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
 +files_read_etc_files(gnomesystemmm_t)
 +files_read_usr_files(gnomesystemmm_t)
 +
++fs_getattr_xattr_fs(gnomesystemmm_t)
++
 +miscfiles_read_localization(gnomesystemmm_t)
 +
 +userdom_read_all_users_state(gnomesystemmm_t)
@@ -5124,8 +5126,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/namespac
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/namespace.te serefpolicy-3.9.7/policy/modules/apps/namespace.te
 --- nsaserefpolicy/policy/modules/apps/namespace.te	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/apps/namespace.te	2011-02-25 17:40:39.232542296 +0000
-@@ -0,0 +1,38 @@
++++ serefpolicy-3.9.7/policy/modules/apps/namespace.te	2011-04-27 08:06:00.240000005 +0000
+@@ -0,0 +1,40 @@
 +policy_module(namespace,1.0.0)
 +
 +########################################
@@ -5157,6 +5159,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/namespac
 +files_read_etc_files(namespace_init_t)
 +files_polyinstantiate_all(namespace_init_t)
 +
++auth_use_nsswitch(namespace_init_t)
++
 +miscfiles_read_localization(namespace_init_t)
 +
 +userdom_manage_user_home_content_dirs(namespace_init_t)
@@ -14590,6 +14594,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide
  #
  interface(`aide_run',`
  	gen_require(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.te serefpolicy-3.9.7/policy/modules/services/aide.te
+--- nsaserefpolicy/policy/modules/services/aide.te	2010-10-12 20:42:49.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/aide.te	2011-04-26 10:43:50.248000004 +0000
+@@ -32,8 +32,14 @@
+ logging_log_filetrans(aide_t, aide_log_t, file)
+ 
+ files_read_all_files(aide_t)
++files_read_boot_symlinks(aide_t)
++
++mls_file_read_to_clearance(aide_t)
++mls_file_write_to_clearance(aide_t)
+ 
+ logging_send_audit_msgs(aide_t)
++# AIDE can be configured to log to syslog
++logging_send_syslog_msg(aide_t)
+ 
+ seutil_use_newrole_fds(aide_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.9.7/policy/modules/services/aisexec.if
 --- nsaserefpolicy/policy/modules/services/aisexec.if	2010-10-12 20:42:49.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/services/aisexec.if	2011-02-25 17:40:39.594533386 +0000
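Review bot: `mls_file_write_to_clearance(aide_t)` is the only one of the four new aide rules that grants a write on MLS-labelled files, and it comes with no explanation, whereas the syslog rule two lines below it does; AIDE is primarily a reader of the filesystem, so a one-line why-comment above it naming the write that needs the clearance (the database or report it updates, if that is the case) would let the next reviewer judge the grant. Note also that none of the aide.te changes in this hunk are listed in the commit message or the spec changelog.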
@@ -14607,7 +14629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
  interface(`aisexec_domtrans',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.9.7/policy/modules/services/aisexec.te
 --- nsaserefpolicy/policy/modules/services/aisexec.te	2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/aisexec.te	2011-02-25 17:40:39.602533189 +0000
++++ serefpolicy-3.9.7/policy/modules/services/aisexec.te	2011-04-27 08:06:36.993000004 +0000
 @@ -32,7 +32,7 @@
  # aisexec local policy
  #
@@ -14617,7 +14639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
  allow aisexec_t self:process { setrlimit setsched signal };
  allow aisexec_t self:fifo_file rw_fifo_file_perms;
  allow aisexec_t self:sem create_sem_perms;
-@@ -81,6 +81,9 @@
+@@ -81,11 +81,18 @@
  
  miscfiles_read_localization(aisexec_t)
  
@@ -14627,6 +14649,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
  optional_policy(`
  	ccs_stream_connect(aisexec_t)
  ')
+ 
+ optional_policy(`
++    corosync_domtrans(aisexec_t)
++')
++
++optional_policy(`
+ 	# to communication with RHCS
+ 	rhcs_rw_dlm_controld_semaphores(aisexec_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ajaxterm.fc serefpolicy-3.9.7/policy/modules/services/ajaxterm.fc
 --- nsaserefpolicy/policy/modules/services/ajaxterm.fc	1970-01-01 00:00:00.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/services/ajaxterm.fc	2011-02-25 17:40:39.604533140 +0000
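Review bot: The new `corosync_domtrans(aisexec_t)` line is indented with four spaces while every other rule in the block, including the rhcs lines right below it, is indented with a tab; it should read `	corosync_domtrans(aisexec_t)`. The block structure is balanced (the existing `optional_policy(` is closed by the new `')` and a fresh `optional_policy(` re-opens the rhcs block), so only the whitespace needs fixing.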
@@ -20541,7 +20572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
  	snmp_stream_connect(cyrus_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.9.7/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/dbus.if	2011-02-25 17:40:39.814527971 +0000
++++ serefpolicy-3.9.7/policy/modules/services/dbus.if	2011-05-09 19:33:49.199771000 +0000
 @@ -41,9 +41,9 @@
  template(`dbus_role_template',`
  	gen_require(`
@@ -20642,7 +20673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  
  	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($1)
-@@ -431,14 +441,27 @@
+@@ -431,14 +441,28 @@
  
  	domtrans_pattern(system_dbusd_t, $2, $1)
  
@@ -20652,6 +20683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  	dbus_connect_system_bus($1)
  
 +	init_stream_connect($1)
++	init_use_fds($1)
 +
  	ps_process_pattern(system_dbusd_t, $1)
  
@@ -20671,7 +20703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
  	')
  ')
-@@ -497,3 +520,22 @@
+@@ -497,3 +521,22 @@
  
  	typeattribute $1 dbusd_unconfined;
  ')
@@ -24809,7 +24841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.9.7/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/kerberos.te	2011-03-25 08:27:15.309630001 +0000
++++ serefpolicy-3.9.7/policy/modules/services/kerberos.te	2011-04-26 10:31:21.790000005 +0000
 @@ -6,9 +6,9 @@
  #
  
@@ -24851,6 +24883,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
  
  # types for KDC principal file(s)
  type krb5kdc_principal_t;
+@@ -80,7 +80,7 @@
+ # Use capabilities. Surplus capabilities may be allowed.
+ allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
+ dontaudit kadmind_t self:capability sys_tty_config;
+-allow kadmind_t self:process { setfscreate signal_perms };
++allow kadmind_t self:process { setfscreate setsched signal_perms };
+ allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
+ allow kadmind_t self:unix_dgram_socket { connect create write };
+ allow kadmind_t self:tcp_socket connected_stream_socket_perms;
 @@ -93,9 +93,9 @@
  dontaudit kadmind_t krb5_conf_t:file write;
  
@@ -25588,7 +25629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
  	files_read_var_lib_symlinks(mailman_$1_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.9.7/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/mailman.te	2011-02-25 17:40:40.126520291 +0000
++++ serefpolicy-3.9.7/policy/modules/services/mailman.te	2011-04-26 09:55:44.715000005 +0000
 @@ -61,14 +61,18 @@
  # Mailman mail local policy
  #
@@ -25610,7 +25651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
  files_search_spool(mailman_mail_t)
  
  fs_rw_anon_inodefs_files(mailman_mail_t)
-@@ -81,6 +85,10 @@
+@@ -81,11 +85,16 @@
  ')
  
  optional_policy(`
@@ -25621,7 +25662,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
  	cron_read_pipes(mailman_mail_t)
  ')
  
-@@ -104,6 +112,8 @@
+ optional_policy(`
+ 	postfix_search_spool(mailman_mail_t)
++	postfix_rw_master_pipes(mailman_mail_t)
+ ')
+ 
+ ########################################
+@@ -104,6 +113,8 @@
  
  kernel_read_proc_symlinks(mailman_queue_t)
  
@@ -25630,7 +25677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
  auth_domtrans_chk_passwd(mailman_queue_t)
  
  files_dontaudit_search_pids(mailman_queue_t)
-@@ -125,4 +135,4 @@
+@@ -125,4 +136,4 @@
  
  optional_policy(`
  	su_exec(mailman_queue_t)
@@ -31474,7 +31521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.9.7/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/postfix.te	2011-02-25 17:40:40.390513793 +0000
++++ serefpolicy-3.9.7/policy/modules/services/postfix.te	2011-05-02 10:17:02.194000005 +0000
 @@ -5,6 +5,14 @@
  # Declarations
  #
@@ -31698,7 +31745,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
  
  postfix_list_spool(postfix_postdrop_t)
-@@ -519,7 +563,7 @@
+@@ -507,6 +551,8 @@
+ # Postfix qmgr local policy
+ #
+ 
++allow postfix_qmgr_t self:fifo_file rw_fifo_file_perms;
++
+ stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+ 
+ rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
+@@ -519,7 +565,7 @@
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -31707,7 +31763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +583,7 @@
+@@ -539,7 +585,7 @@
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -31716,7 +31772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -588,10 +632,16 @@
+@@ -588,10 +634,16 @@
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -31733,7 +31789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ')
  
  optional_policy(`
-@@ -611,8 +661,8 @@
+@@ -611,8 +663,8 @@
  # Postfix virtual local policy
  #
  
@@ -31743,7 +31799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
-@@ -630,3 +680,8 @@
+@@ -630,3 +682,8 @@
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -34241,8 +34297,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.9.7/policy/modules/services/remotelogin.te
 --- nsaserefpolicy/policy/modules/services/remotelogin.te	2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/remotelogin.te	2011-03-18 14:14:10.428630000 +0000
-@@ -49,6 +49,8 @@
++++ serefpolicy-3.9.7/policy/modules/services/remotelogin.te	2011-05-09 19:22:41.903771002 +0000
+@@ -10,9 +10,6 @@
+ auth_login_pgm_domain(remote_login_t)
+ auth_login_entry_type(remote_login_t)
+ 
+-type remote_login_tmp_t;
+-files_tmp_file(remote_login_tmp_t)
+-
+ ########################################
+ #
+ # Remote login remote policy
+@@ -34,10 +31,6 @@
+ allow remote_login_t self:msg { send receive };
+ allow remote_login_t self:key write;
+ 
+-manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+-manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
+-
+ kernel_read_system_state(remote_login_t)
+ kernel_read_kernel_sysctls(remote_login_t)
+ 
+@@ -49,6 +42,8 @@
  fs_search_auto_mountpoints(remote_login_t)
  
  term_relabel_all_ptys(remote_login_t)
@@ -34251,15 +34328,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
  
  auth_rw_login_records(remote_login_t)
  auth_rw_faillog(remote_login_t)
-@@ -87,6 +89,7 @@
+@@ -87,6 +82,10 @@
  # since very weak authentication is used.
  userdom_signal_unpriv_users(remote_login_t)
  userdom_spec_domtrans_unpriv_users(remote_login_t)
-+userdom_rw_user_tmp_files(remote_login_t)
++userdom_manage_user_tmp_dirs(remote_login_t)
++userdom_manage_user_tmp_files(remote_login_t)
++userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
++userdom_use_user_ptys(remote_login_t)
  
  # Search for mail spool file.
  mta_getattr_spool(remote_login_t)
-@@ -114,7 +117,6 @@
+@@ -114,7 +113,6 @@
  ')
  
  optional_policy(`
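Review bot: The four new userdom_* rules replace the private `remote_login_tmp_t` type, removed in the preceding hunk, with manage rights on the shared user tmp type, so remote_login_t can now create, modify and delete every user's tmp content instead of only files of its own type; the comment just above this block says the domain runs with very weak authentication, so the widening should carry a why-comment, e.g. `# remote logins must create and manage files in the user tmp dir; replaces remote_login_tmp_t`. Since the type is deleted, any interface in remotelogin.if or file context still naming remote_login_tmp_t would no longer build, and this commit shows no .if or .fc change for the module, so that is worth confirming.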
@@ -37197,7 +37277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.9.7/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/spamassassin.te	2011-03-25 10:21:53.251630001 +0000
++++ serefpolicy-3.9.7/policy/modules/services/spamassassin.te	2011-05-10 08:30:04.924771002 +0000
 @@ -6,54 +6,93 @@
  #
  
@@ -37586,6 +37666,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  ')
  
  optional_policy(`
+@@ -446,6 +542,7 @@
+ optional_policy(`
+ 	sendmail_stub(spamd_t)
+ 	mta_read_config(spamd_t)
++	mta_send_mail(spamd_t)
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.9.7/policy/modules/services/squid.if
 --- nsaserefpolicy/policy/modules/services/squid.if	2010-10-12 20:42:49.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/services/squid.if	2011-02-25 17:40:40.556509706 +0000
@@ -37678,7 +37766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.9.7/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/ssh.if	2011-04-04 15:42:53.154000001 +0000
++++ serefpolicy-3.9.7/policy/modules/services/ssh.if	2011-04-26 09:30:24.640000005 +0000
 @@ -32,10 +32,10 @@
  ## </param>
  #
@@ -37755,7 +37843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +	allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
  	allow $1_t self:fifo_file rw_fifo_file_perms;
 -	allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
-+	allow $1_t self:process { signal getsched setsched setrlimit setexec };
++	allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
  	allow $1_t self:tcp_socket create_stream_socket_perms;
  	allow $1_t self:udp_socket create_socket_perms;
  	# ssh agent connections:
@@ -38819,6 +38907,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
  	inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.fc serefpolicy-3.9.7/policy/modules/services/tgtd.fc
+--- nsaserefpolicy/policy/modules/services/tgtd.fc	2010-10-12 20:42:48.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/tgtd.fc	2011-04-20 13:49:55.422000005 +0000
+@@ -1,3 +1,4 @@
+ /etc/rc\.d/init\.d/tgtd		--	gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
+ /usr/sbin/tgtd			--	gen_context(system_u:object_r:tgtd_exec_t,s0)
+ /var/lib/tgtd(/.*)?			gen_context(system_u:object_r:tgtd_var_lib_t,s0)
++/var/run/tgtd.*         -s  gen_context(system_u:object_r:tgtd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.9.7/policy/modules/services/tgtd.if
 --- nsaserefpolicy/policy/modules/services/tgtd.if	2010-10-12 20:42:48.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/services/tgtd.if	2011-02-25 17:40:40.614508278 +0000
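Review bot: The added file context `/var/run/tgtd.*` uses an unescaped `.`, so it matches `/var/run/tgtd` followed by any character (including `/var/run/tgtd` itself), not only names of the form `tgtd.<name>`; if the object is named with a literal dot, write `/var/run/tgtd\..*`. The `-s` qualifier limits the entry to socket files, whereas the tgtd.te hunk later in this commit transitions both `file` and `sock_file` into tgtd_var_run_t, so a regular file tgtd creates there would get the right label at creation but revert to the default on relabel; confirm whether tgtd creates only a socket under /var/run. The new line also separates its fields with spaces where the three entries above use tabs.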
@@ -38869,8 +38965,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.9.7/policy/modules/services/tgtd.te
 --- nsaserefpolicy/policy/modules/services/tgtd.te	2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/tgtd.te	2011-02-25 17:40:40.614508278 +0000
-@@ -29,7 +29,7 @@
++++ serefpolicy-3.9.7/policy/modules/services/tgtd.te	2011-04-20 13:49:39.062000005 +0000
+@@ -21,6 +21,9 @@
+ type tgtd_var_lib_t;
+ files_type(tgtd_var_lib_t)
+ 
++type tgtd_var_run_t;
++files_pid_file(tgtd_var_run_t)
++
+ ########################################
+ #
+ # TGTD personal policy.
+@@ -29,7 +32,7 @@
  allow tgtd_t self:capability sys_resource;
  allow tgtd_t self:process { setrlimit signal };
  allow tgtd_t self:fifo_file rw_fifo_file_perms;
@@ -38879,7 +38985,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
  allow tgtd_t self:shm create_shm_perms;
  allow tgtd_t self:sem create_sem_perms;
  allow tgtd_t self:tcp_socket create_stream_socket_perms;
-@@ -57,10 +57,18 @@
+@@ -46,6 +49,11 @@
+ manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+ files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
+ 
++manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
++manage_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
++manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
++files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
++
+ kernel_read_fs_sysctls(tgtd_t)
+ 
+ corenet_all_recvfrom_netlabel(tgtd_t)
+@@ -57,10 +65,18 @@
  corenet_tcp_bind_iscsi_port(tgtd_t)
  corenet_sendrecv_iscsi_server_packets(tgtd_t)
  
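Review bot: The three new *_pattern calls and the files_pid_filetrans line omit the space after the comma (`tgtd_var_run_t,tgtd_var_run_t`, `tgtd_t,tgtd_var_run_t`), unlike the var_lib lines directly above them; e.g. `manage_dirs_pattern(tgtd_t, tgtd_var_run_t, tgtd_var_run_t)`, and the same for the other three. Separately, `manage_dirs_pattern` grants directory management on tgtd_var_run_t but `files_pid_filetrans(tgtd_t, tgtd_var_run_t, { file sock_file })` does not name `dir`, so a directory tgtd creates under /var/run would not be labelled tgtd_var_run_t; either add `dir` to the transition or drop the dirs rule if tgtd creates no directory there.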
@@ -40677,8 +40795,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vnst
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vnstatd.te serefpolicy-3.9.7/policy/modules/services/vnstatd.te
 --- nsaserefpolicy/policy/modules/services/vnstatd.te	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/vnstatd.te	2011-02-25 17:40:40.710505916 +0000
-@@ -0,0 +1,72 @@
++++ serefpolicy-3.9.7/policy/modules/services/vnstatd.te	2011-05-02 10:06:58.698000005 +0000
+@@ -0,0 +1,77 @@
 +policy_module(vnstatd, 1.0.0)
 +
 +########################################
@@ -40719,10 +40837,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vnst
 +manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 +files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
 +
++kernel_read_network_state(vnstatd_t)
++kernel_read_system_state(vnstatd_t)
++
 +domain_use_interactive_fds(vnstatd_t)
 +
 +files_read_etc_files(vnstatd_t)
 +
++fs_getattr_xattr_fs(vnstatd_t)
++
 +logging_send_syslog_msg(vnstatd_t)
 +
 +miscfiles_read_localization(vnstatd_t)
@@ -44592,7 +44715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.9.7/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/init.te	2011-02-25 17:40:40.826503061 +0000
++++ serefpolicy-3.9.7/policy/modules/system/init.te	2011-04-20 13:49:07.390000005 +0000
 @@ -16,6 +16,34 @@
  ## </desc>
  gen_tunable(init_upstart, false)
@@ -44967,7 +45090,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -380,6 +546,7 @@
+@@ -374,12 +540,14 @@
+ term_reset_tty_labels(initrc_t)
+ 
+ auth_rw_login_records(initrc_t)
++auth_manage_faillog(initrc_t)
+ auth_setattr_login_records(initrc_t)
+ auth_rw_lastlog(initrc_t)
+ auth_read_pam_pid(initrc_t)
  auth_delete_pam_pid(initrc_t)
  auth_delete_pam_console_data(initrc_t)
  auth_use_nsswitch(initrc_t)
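Review bot: `auth_manage_faillog(initrc_t)` gives the generic init-script domain what is presumably create/delete access to the failed-login record, which is broader than the `auth_rw_*` rules surrounding it, and the change is not mentioned in the commit message or the spec changelog. If the init script that triggered this only writes or truncates the file, `auth_rw_faillog(initrc_t)` (the form used for remote_login_t elsewhere in this patch) is the narrower rule; otherwise a why-comment naming the service that needs full management would document the grant.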
@@ -44975,7 +45105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  libs_rw_ld_so_cache(initrc_t)
  libs_exec_lib_files(initrc_t)
-@@ -394,13 +561,14 @@
+@@ -394,13 +562,14 @@
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -44991,7 +45121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +641,7 @@
+@@ -473,7 +642,7 @@
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -45000,7 +45130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -519,6 +687,19 @@
+@@ -519,6 +688,19 @@
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -45020,7 +45150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	')
  
  	optional_policy(`
-@@ -526,10 +707,17 @@
+@@ -526,10 +708,17 @@
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -45038,7 +45168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	')
  
  	optional_policy(`
-@@ -544,6 +732,39 @@
+@@ -544,6 +733,39 @@
  	')
  ')
  
@@ -45078,7 +45208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +777,8 @@
+@@ -556,6 +778,8 @@
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -45087,7 +45217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -572,6 +795,7 @@
+@@ -572,6 +796,7 @@
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -45095,7 +45225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -584,6 +808,11 @@
+@@ -584,6 +809,11 @@
  ')
  
  optional_policy(`
@@ -45107,7 +45237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -600,6 +829,9 @@
+@@ -600,6 +830,9 @@
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -45117,7 +45247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  	optional_policy(`
  		consolekit_dbus_chat(initrc_t)
-@@ -701,7 +933,13 @@
+@@ -701,7 +934,13 @@
  ')
  
  optional_policy(`
@@ -45131,7 +45261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -724,6 +962,10 @@
+@@ -724,6 +963,10 @@
  ')
  
  optional_policy(`
@@ -45142,7 +45272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -745,6 +987,10 @@
+@@ -745,6 +988,10 @@
  ')
  
  optional_policy(`
@@ -45153,7 +45283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -766,8 +1012,6 @@
+@@ -766,8 +1013,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -45162,7 +45292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -776,14 +1020,21 @@
+@@ -776,14 +1021,21 @@
  ')
  
  optional_policy(`
@@ -45184,7 +45314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1056,19 @@
+@@ -805,11 +1057,19 @@
  ')
  
  optional_policy(`
@@ -45205,7 +45335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1078,25 @@
+@@ -819,6 +1079,25 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -45231,7 +45361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -844,3 +1122,59 @@
+@@ -844,3 +1123,59 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -47622,6 +47752,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +sysnet_dns_name_resolve(showmount_t)
 +
 +userdom_use_user_terminals(showmount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-3.9.7/policy/modules/system/netlabel.te
+--- nsaserefpolicy/policy/modules/system/netlabel.te	2010-10-12 20:42:50.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/system/netlabel.te	2011-04-27 14:04:16.761000004 +0000
+@@ -8,6 +8,7 @@
+ type netlabel_mgmt_t;
+ type netlabel_mgmt_exec_t;
+ application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
++init_system_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
+ role system_r types netlabel_mgmt_t;
+ 
+ ########################################
+@@ -25,4 +26,6 @@
+ 
+ seutil_use_newrole_fds(netlabel_mgmt_t)
+ 
++term_use_all_terms(netlabel_mgmt_t)
++
+ userdom_use_user_terminals(netlabel_mgmt_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.fc serefpolicy-3.9.7/policy/modules/system/raid.fc
 --- nsaserefpolicy/policy/modules/system/raid.fc	2010-10-12 20:42:50.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/system/raid.fc	2011-02-25 17:40:40.923500672 +0000
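Review bot: `term_use_all_terms(netlabel_mgmt_t)` grants use of every terminal type, which as far as I can tell makes the existing `userdom_use_user_terminals(netlabel_mgmt_t)` two lines below it redundant; keep one of the two, with a comment on why the management tool needs terminals beyond the invoking user's (plausibly tied to the `init_system_domain` addition in the first inner hunk, if netlabelctl is now run from init scripts). Neither netlabel.te change is listed in the commit message.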
@@ -49454,7 +49602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.9.7/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/udev.te	2011-04-11 08:34:05.273000002 +0000
++++ serefpolicy-3.9.7/policy/modules/system/udev.te	2011-04-26 09:58:05.420000003 +0000
 @@ -37,6 +37,8 @@
  #
  
@@ -49529,7 +49677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  ')
  
  optional_policy(`
-@@ -233,6 +248,10 @@
+@@ -233,6 +248,14 @@
  ')
  
  optional_policy(`
@@ -49537,10 +49685,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
 +')
 +
 +optional_policy(`
++	gpsd_domtrans(udev_t)
++')
++
++optional_policy(`
  	lvm_domtrans(udev_t)
  ')
  
-@@ -259,6 +278,10 @@
+@@ -259,6 +282,10 @@
  ')
  
  optional_policy(`
@@ -49551,7 +49703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +296,11 @@
+@@ -273,6 +300,11 @@
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e600b26..f858eba 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.7
-Release: 40%{?dist}
+Release: 41%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,16 @@ exit 0
 %endif
 
 %changelog
+* Tue May 10 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-41
+- Allow aisexec domtrans to corosync domain
+- Allow kadmind setsched
+- Allow mailman to read/write  postfix master pipes
+- Remove remote_login_tmp_t and allow remote_login to create and manage user tmp files
+- Allow spamd to send mail
+- Allow sshd getcap
+- Add tgtd_var_run_t type
+- Allow vnstatd to read system state
+
 * Tue Apr 19 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-40
 - Add support for AEOLUS project
 - Fixes for asterisk and setroubleshoot domains

