[selinux-policy/f16] - Make nvidia* to be labeled correctly

Miroslav Grepl mgrepl at fedoraproject.org
Wed Nov 2 11:48:31 UTC 2011


commit 2b48e0889c6725d584a70bdaa1f58a877b48bb81
Author: Miroslav <mgrepl at redhat.com>
Date:   Wed Nov 2 12:48:18 2011 +0100

    - Make nvidia* be labeled correctly

 policy-F16.patch    |  391 +++++++++++++++++++++++++++++++--------------------
 selinux-policy.spec |    1 +
 2 files changed, 241 insertions(+), 151 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 142d456..b066667 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -3865,10 +3865,10 @@ index 975af1a..634c47a 100644
 +	can_exec($1, sudo_exec_t)
 +')
 diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index 2731fa1..22beabf 100644
+index 2731fa1..11212f2 100644
 --- a/policy/modules/admin/sudo.te
 +++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,110 @@ attribute sudodomain;
+@@ -7,3 +7,111 @@ attribute sudodomain;
  
  type sudo_exec_t;
  application_executable_file(sudo_exec_t)
@@ -3925,7 +3925,7 @@ index 2731fa1..22beabf 100644
 +files_list_tmp(sudodomain)
 +
 +fs_search_auto_mountpoints(sudodomain)
-+fs_getattr_xattr_fs(sudodomain)
++fs_getattr_all_fs(sudodomain)
 +
 +selinux_validate_context(sudodomain)
 +selinux_compute_relabel_context(sudodomain)
@@ -3946,6 +3946,7 @@ index 2731fa1..22beabf 100644
 +
 +logging_send_audit_msgs(sudodomain)
 +logging_send_syslog_msg(sudodomain)
++logging_set_audit_parameters(sudodomain)
 +
 +miscfiles_read_localization(sudodomain)
 +
@@ -8029,7 +8030,7 @@ index 93ac529..35b51ab 100644
 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..6c95832 100644
+index fbb5c5a..8fe4551 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -8067,7 +8068,14 @@ index fbb5c5a..6c95832 100644
  ')
  
  ########################################
-@@ -203,6 +213,15 @@ interface(`mozilla_domtrans_plugin',`
+@@ -197,12 +207,21 @@ interface(`mozilla_domtrans',`
+ #
+ interface(`mozilla_domtrans_plugin',`
+ 	gen_require(`
+-		type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t;
++		type mozilla_plugin_t, mozilla_plugin_exec_t;
+ 		class dbus send_msg;
+ 	')
  
  	domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
  	allow mozilla_plugin_t $1:process signull;
@@ -14337,7 +14345,7 @@ index 6cf8784..12bd6fc 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..60394ec 100644
+index f820f3b..c2a334f 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -14629,7 +14637,34 @@ index f820f3b..60394ec 100644
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -2358,7 +2504,97 @@ interface(`dev_filetrans_lirc',`
+@@ -1648,6 +1794,26 @@ interface(`dev_filetrans_cardmgr',`
+ 
+ ########################################
+ ## <summary>
++##	Automatic type transition to the type
++##	for xserver misc device nodes when
++##	created in /dev.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_filetrans_xserver_misc',`
++	gen_require(`
++		type device_t, xserver_misc_device_t;
++	')
++
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file )
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of the CPU
+ ##	microcode and id interfaces.
+ ## </summary>
+@@ -2358,7 +2524,97 @@ interface(`dev_filetrans_lirc',`
  
  ########################################
  ## <summary>
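Review bot: The unnamed `filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file )` in the new `dev_filetrans_xserver_misc` is a catch-all: every character device the caller creates directly under /dev that no name-based rule claims will default to xserver_misc_device_t, not only the nvidia*/card* style nodes the commit is about. Because the same commit also grants the X server manage rights on that type, a node created with an arbitrary major/minor would end up readable and writable by the caller under this label, which is broader than the name-based transitions in `dev_filetrans_xserver_named_dev` require. If the nvidia driver only ever creates the listed names, the named interface alone suffices and this unnamed default can be dropped; if a default is really wanted, the summary should say so, e.g. `##	Default type for any character device node the domain creates in /dev.`, and the stray space in `chr_file )` should be removed.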
@@ -14728,7 +14763,7 @@ index f820f3b..60394ec 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2681,7 +2917,7 @@ interface(`dev_write_misc',`
+@@ -2681,7 +2937,7 @@ interface(`dev_write_misc',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -14737,7 +14772,7 @@ index f820f3b..60394ec 100644
  ##	</summary>
  ## </param>
  #
-@@ -2931,8 +3167,8 @@ interface(`dev_dontaudit_write_mtrr',`
+@@ -2931,8 +3187,8 @@ interface(`dev_dontaudit_write_mtrr',`
  		type mtrr_device_t;
  	')
  
@@ -14748,7 +14783,7 @@ index f820f3b..60394ec 100644
  ')
  
  ########################################
-@@ -3210,24 +3446,6 @@ interface(`dev_rw_printer',`
+@@ -3210,24 +3466,6 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
@@ -14773,7 +14808,7 @@ index f820f3b..60394ec 100644
  ##	Get the attributes of the QEMU
  ##	microcode and id interfaces.
  ## </summary>
-@@ -3811,6 +4029,42 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3811,6 +4049,42 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -14816,7 +14851,7 @@ index f820f3b..60394ec 100644
  ##	Search the sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3902,25 +4156,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3902,25 +4176,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -14842,7 +14877,7 @@ index f820f3b..60394ec 100644
  ##	Read hardware state information.
  ## </summary>
  ## <desc>
-@@ -3972,6 +4207,42 @@ interface(`dev_rw_sysfs',`
+@@ -3972,6 +4227,42 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -14885,7 +14920,7 @@ index f820f3b..60394ec 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -4069,6 +4340,25 @@ interface(`dev_write_urand',`
+@@ -4069,6 +4360,25 @@ interface(`dev_write_urand',`
  
  ########################################
  ## <summary>
@@ -14911,7 +14946,7 @@ index f820f3b..60394ec 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4495,6 +4785,24 @@ interface(`dev_rw_vhost',`
+@@ -4495,6 +4805,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -14936,7 +14971,34 @@ index f820f3b..60394ec 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4784,3 +5092,794 @@ interface(`dev_unconfined',`
+@@ -4695,6 +5023,26 @@ interface(`dev_rw_xserver_misc',`
+ 
+ ########################################
+ ## <summary>
++##	Read and write X server miscellaneous devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_manage_xserver_misc',`
++	gen_require(`
++		type device_t, xserver_misc_device_t;
++	')
++
++	manage_chr_files_pattern($1, device_t, xserver_misc_device_t)
++
++	dev_filetrans_xserver_named_dev($1)
++')
++
++########################################
++## <summary>
+ ##	Read and write to the zero device (/dev/zero).
+ ## </summary>
+ ## <param name="domain">
+@@ -4784,3 +5132,812 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
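Review bot: The `<summary>` of the new `dev_manage_xserver_misc` says `Read and write X server miscellaneous devices.`, but the body grants `manage_chr_files_pattern` (create, unlink, rename and setattr in addition to read/write) and also installs the name-based transitions via `dev_filetrans_xserver_named_dev`; the text was evidently copied from `dev_rw_xserver_misc` just above. A caller choosing between the two interfaces by their descriptions will pick the wrong one. Suggested wording: `##	Create, read, write, and delete X server miscellaneous device nodes in /dev, and label nodes created under the known names (nvidia*, card*, vbox*, ...) correctly.`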
@@ -14975,7 +15037,6 @@ index f820f3b..60394ec 100644
 +gen_require(`
 +	type device_t;
 +	type usb_device_t;
-+	type xserver_misc_device_t;
 +	type sound_device_t;
 +	type apm_bios_t;
 +	type mouse_device_t;
@@ -15019,7 +15080,6 @@ index f820f3b..60394ec 100644
 +	type mtrr_device_t;
 +')
 +
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2")
@@ -15094,7 +15154,6 @@ index f820f3b..60394ec 100644
 +	filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep")
 +	filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64")
 +	filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash")
 +	filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0")
 +	filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1")
@@ -15191,8 +15250,6 @@ index f820f3b..60394ec 100644
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "007")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "008")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "009")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics")
 +	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0")
 +	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1")
 +	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2")
@@ -15310,16 +15367,6 @@ index f820f3b..60394ec 100644
 +	filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog")
 +	filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem")
 +	filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9")
 +	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice")
 +	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "microcode")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0")
@@ -15378,20 +15425,8 @@ index f820f3b..60394ec 100644
 +	filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8")
 +	filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9")
 +	filetrans_pattern($1, device_t, null_device_t, chr_file, "null")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl")
 +	filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram")
 +	filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl")
 +	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
 +	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
 +	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
@@ -15539,17 +15574,6 @@ index f820f3b..60394ec 100644
 +	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7")
 +	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8")
 +	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter")
 +	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon")
 +	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0")
 +	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet1")
@@ -15606,16 +15630,6 @@ index f820f3b..60394ec 100644
 +	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9")
 +	filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt")
 +	filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +	filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0")
 +	filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1")
 +	filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2")
@@ -15730,6 +15744,72 @@ index f820f3b..60394ec 100644
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc")
++	dev_filetrans_xserver_named_dev($1)
++')
++
++########################################
++## <summary>
++##	Create all named devices with the correct label
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_filetrans_xserver_named_dev',`
++
++	gen_require(`
++		type xserver_misc_device_t;
++	')
++
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +')
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
 index 08f01e7..1c2562c 100644
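Review bot: The `gen_require` of the new `dev_filetrans_xserver_named_dev` lists only `xserver_misc_device_t`, yet every rule in the body also names `device_t`. This builds today only because both callers in this patch (`dev_filetrans_all_named_dev` and `dev_manage_xserver_misc`) happen to require `device_t` themselves; a module that calls the interface directly would fail with an undeclared type. The fix is to require both: `type device_t, xserver_misc_device_t;`. The summary is also copied from `dev_filetrans_all_named_dev` (`Create all named devices with the correct label`) and should describe this interface, e.g. `Label X server miscellaneous device nodes (nvidia*, card*, vbox*, mga_vid*, ...) correctly when created in /dev.`, and the `Domain allowed access.` line is indented with spaces where the surrounding file uses tabs.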
@@ -33594,7 +33674,7 @@ index 418a5a0..c25fbdc 100644
  /var/run/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
  /var/run/upower(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..afb61c9 100644
+index f706b99..5001351 100644
 --- a/policy/modules/services/devicekit.if
 +++ b/policy/modules/services/devicekit.if
 @@ -5,9 +5,9 @@
@@ -33718,7 +33798,7 @@ index f706b99..afb61c9 100644
 +		type devicekit_var_log_t;
 +	')
 +
-+	dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms;
++	dontaudit $1 devicekit_var_log_t:file rw_file_perms;
 +')
 +
 +########################################
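Review bot: Widening the dontaudit from `rw_inherited_file_perms` to `rw_file_perms` also silences `open` on `devicekit_var_log_t` files, so a caller that actually opens the DeviceKit log itself will no longer appear in the audit log. `rw_inherited_file_perms` is the conventional scope for an inherited-descriptor leak; if some domain genuinely opens the file, that should be allowed explicitly or fixed in the program rather than hidden. If the wider dontaudit is intentional, a comment stating which caller opens the log would justify it. The interface this hunk edits begins outside the hunk, so its name and summary are not visible here.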
@@ -38717,10 +38797,10 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..8768e6b 100644
+index 4fde46b..4978f18 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
-@@ -15,18 +15,24 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+@@ -15,18 +15,25 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
  #
  
  allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
@@ -38728,9 +38808,10 @@ index 4fde46b..8768e6b 100644
 +allow gnomeclock_t self:process { getattr getsched signal };
  allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
  allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
- 
-+kernel_read_system_state(gnomeclock_t)
++allow gnomeclock_t self:unix_dgram_socket create_socket_perms;
 +
++kernel_read_system_state(gnomeclock_t)
+ 
  corecmd_exec_bin(gnomeclock_t)
 +corecmd_exec_shell(gnomeclock_t)
 +corecmd_dontaudit_access_check_bin(gnomeclock_t)
@@ -38749,7 +38830,7 @@ index 4fde46b..8768e6b 100644
  
  miscfiles_read_localization(gnomeclock_t)
  miscfiles_manage_localization(gnomeclock_t)
-@@ -35,10 +41,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +42,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
  userdom_read_all_users_state(gnomeclock_t)
  
  optional_policy(`
@@ -55729,7 +55810,7 @@ index 82cb169..0a29f68 100644
 +	samba_systemctl($1)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..f0f6907 100644
+index e30bb63..9010ac2 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
@@ -55773,7 +55854,7 @@ index e30bb63..f0f6907 100644
  # smbd Local policy
  #
 -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner kill setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
++allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
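Review bot: `fsetid` is added to smbd_t's capability set on the changed line without a comment explaining which share operation needs it. CAP_FSETID lets smbd keep set-user-ID and set-group-ID bits when it writes to a file instead of having the kernel clear them, which for a server writing client-supplied content is a notable widening; the usual motivation is preserving the setgid bit on group-inherited directories, but that cannot be confirmed from the hunk. Please record the denial or bug that drove it, e.g. `# fsetid: preserve setgid on inherited directories on shares`, so the permission is not carried forward silently.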
@@ -59767,7 +59848,7 @@ index 904f13e..464347f 100644
  
  	init_labeled_script_domtrans($1, tor_initrc_exec_t)
 diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
-index c842cad..fe5deee 100644
+index c842cad..1136b10 100644
 --- a/policy/modules/services/tor.te
 +++ b/policy/modules/services/tor.te
 @@ -42,6 +42,7 @@ files_pid_file(tor_var_run_t)
@@ -59778,7 +59859,7 @@ index c842cad..fe5deee 100644
  allow tor_t self:fifo_file rw_fifo_file_perms;
  allow tor_t self:unix_stream_socket create_stream_socket_perms;
  allow tor_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -95,6 +96,7 @@ corenet_tcp_connect_all_ports(tor_t)
+@@ -95,9 +96,11 @@ corenet_tcp_connect_all_ports(tor_t)
  corenet_sendrecv_all_client_packets(tor_t)
  # ... especially including port 80 and other privileged ports
  corenet_tcp_connect_all_reserved_ports(tor_t)
@@ -59786,6 +59867,10 @@ index c842cad..fe5deee 100644
  
  # tor uses crypto and needs random
  dev_read_urand(tor_t)
++dev_read_sysfs(tor_t)
+ 
+ domain_use_interactive_fds(tor_t)
+ 
 diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if
 index 54b8605..752697f 100644
 --- a/policy/modules/services/tuned.if
@@ -60617,7 +60702,7 @@ index 32a3c13..7baeb6f 100644
  
  optional_policy(`
 diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..d935248 100644
+index 2124b6a..49c15d1 100644
 --- a/policy/modules/services/virt.fc
 +++ b/policy/modules/services/virt.fc
 @@ -1,5 +1,6 @@
@@ -60629,7 +60714,7 @@ index 2124b6a..d935248 100644
  HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
  
  /etc/libvirt		-d	gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +13,38 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +13,39 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
  /etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
  /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
@@ -60665,6 +60750,7 @@ index 2124b6a..d935248 100644
 +/usr/bin/imagefactory		--			gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/imgfac\.py		--			gen_context(system_u:object_r:virtd_exec_t,s0)
 +/var/cache/oz(/.*)?					gen_context(system_u:object_r:virt_cache_t,s0)
++/var/lib/imagefactory/images(/.*)?	gen_context(system_u:object_r:virt_image_t,s0)
 +/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 +/var/lib/vdsm(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
@@ -61217,7 +61303,7 @@ index 7c5d8d8..d711fd5 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..96e71d4 100644
+index 3eca020..f6d46db 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,81 @@ policy_module(virt, 1.4.0)
@@ -61443,7 +61529,7 @@ index 3eca020..96e71d4 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +224,28 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +224,24 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -61465,14 +61551,10 @@ index 3eca020..96e71d4 100644
 +')
 +
 +optional_policy(`
-+	xen_rw_image_files(svirt_t)
-+')
-+
-+optional_policy(`
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -174,21 +255,36 @@ optional_policy(`
+@@ -174,21 +251,36 @@ optional_policy(`
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -61515,9 +61597,11 @@ index 3eca020..96e71d4 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +296,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -199,9 +291,17 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
++manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 -allow virtd_t virt_image_type:file { relabelfrom relabelto };
 -allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
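Review bot: The new `manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type)` lets virtd create and unlink character device nodes under every image type, not just relabel existing host devices, and virtd_t already holds `mknod` (visible in the previous hunk's capability line), so it can mint nodes of any major/minor under labels that guest domains may be granted elsewhere in this module. virtd is a trusted domain, so this is probably acceptable, but the libvirt code path that creates character devices (device passthrough or container /dev setup, presumably) is not visible here and should be named in a comment, e.g. `# libvirt creates chr device nodes for passthrough/containers under the image labels`. If only one image type is involved, prefer that type over the whole `virt_image_type` attribute.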
@@ -61533,7 +61617,7 @@ index 3eca020..96e71d4 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +320,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +317,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -61549,7 +61633,7 @@ index 3eca020..96e71d4 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +348,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +345,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -61582,7 +61666,7 @@ index 3eca020..96e71d4 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +380,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +377,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -61601,14 +61685,14 @@ index 3eca020..96e71d4 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -285,16 +415,29 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +412,30 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
 +logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
  
++selinux_validate_context(virtd_t)
++
 +seutil_read_config(virtd_t)
  seutil_read_default_contexts(virtd_t)
 +seutil_read_file_contexts(virtd_t)
@@ -61627,11 +61711,12 @@ index 3eca020..96e71d4 100644
 +manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
 +manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
 +manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
-+userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
++#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
++virt_filetrans_home_content(virtd_t)
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +456,10 @@ optional_policy(`
+@@ -313,6 +454,10 @@ optional_policy(`
  ')
  
  optional_policy(`
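Review bot: Leaving `#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })` commented out next to its replacement `virt_filetrans_home_content(virtd_t)` is dead policy text that will confuse the next reader about which rule is in effect. Delete the commented line; if the reason for the switch matters (the name-based transitions in `virt_filetrans_home_content` presumably replace the blanket default), state it in a short comment instead. `virt_filetrans_home_content` is defined in virt.if, outside this hunk.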
@@ -61642,7 +61727,7 @@ index 3eca020..96e71d4 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -329,16 +476,23 @@ optional_policy(`
+@@ -329,16 +474,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61666,7 +61751,7 @@ index 3eca020..96e71d4 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -360,11 +514,12 @@ optional_policy(`
+@@ -360,11 +512,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61684,7 +61769,7 @@ index 3eca020..96e71d4 100644
  ')
  
  optional_policy(`
-@@ -394,20 +549,36 @@ optional_policy(`
+@@ -394,20 +547,36 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -61724,7 +61809,7 @@ index 3eca020..96e71d4 100644
  corecmd_exec_bin(virt_domain)
  corecmd_exec_shell(virt_domain)
  
-@@ -418,10 +589,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +587,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -61737,7 +61822,7 @@ index 3eca020..96e71d4 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +601,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +599,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -61750,7 +61835,7 @@ index 3eca020..96e71d4 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +614,362 @@ files_search_all(virt_domain)
+@@ -440,25 +612,362 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -63719,7 +63804,7 @@ index 130ced9..b6fb17a 100644
 +	userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..c3e4d56 100644
+index 143c893..40e56f1 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -64583,7 +64668,7 @@ index 143c893..c3e4d56 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -672,7 +1018,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,21 +1018,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -64591,8 +64676,13 @@ index 143c893..c3e4d56 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -682,11 +1027,17 @@ dev_wx_raw_memory(xserver_t)
- dev_rw_xserver_misc(xserver_t)
+ dev_read_raw_memory(xserver_t)
+ dev_wx_raw_memory(xserver_t)
+ # for other device nodes such as the NVidia binary-only driver
+-dev_rw_xserver_misc(xserver_t)
++dev_manage_xserver_misc(xserver_t)
++dev_filetrans_xserver_misc(xserver_t)
++
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
 +dev_read_raw_memory(xserver_t)
@@ -64609,7 +64699,7 @@ index 143c893..c3e4d56 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -697,8 +1048,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1050,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -64623,7 +64713,7 @@ index 143c893..c3e4d56 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1067,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1069,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -64632,7 +64722,7 @@ index 143c893..c3e4d56 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1074,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1076,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -64647,7 +64737,7 @@ index 143c893..c3e4d56 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1133,40 @@ optional_policy(`
+@@ -778,16 +1135,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -64689,7 +64779,7 @@ index 143c893..c3e4d56 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -796,6 +1175,10 @@ optional_policy(`
+@@ -796,6 +1177,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -64700,7 +64790,7 @@ index 143c893..c3e4d56 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -811,10 +1194,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1196,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -64714,7 +64804,7 @@ index 143c893..c3e4d56 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1205,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1207,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -64723,7 +64813,7 @@ index 143c893..c3e4d56 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -835,6 +1218,9 @@ init_use_fds(xserver_t)
+@@ -835,6 +1220,9 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -64733,7 +64823,7 @@ index 143c893..c3e4d56 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -842,6 +1228,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -842,6 +1230,11 @@ tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_symlinks(xserver_t)
  ')
  
@@ -64745,7 +64835,7 @@ index 143c893..c3e4d56 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_dirs(xserver_t)
  	fs_manage_cifs_files(xserver_t)
-@@ -850,11 +1241,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -850,11 +1243,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -64762,7 +64852,7 @@ index 143c893..c3e4d56 100644
  ')
  
  optional_policy(`
-@@ -862,6 +1256,10 @@ optional_policy(`
+@@ -862,6 +1258,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -64773,7 +64863,7 @@ index 143c893..c3e4d56 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -905,7 +1303,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1305,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -64782,7 +64872,7 @@ index 143c893..c3e4d56 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -959,11 +1357,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1359,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -64814,7 +64904,7 @@ index 143c893..c3e4d56 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -985,18 +1403,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1405,32 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -67190,7 +67280,7 @@ index 94fd8dd..b5e5c70 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..29930e4 100644
+index 29a9565..77fb967 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -67614,14 +67704,13 @@ index 29a9565..29930e4 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +512,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +512,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
 -# Early devtmpfs
 -dev_rw_generic_chr_files(initrc_t)
 +dev_rw_xserver_misc(initrc_t)
-+dev_filetrans_all_named_dev(initrc_t)
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
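Review bot: Dropping `+dev_filetrans_all_named_dev(initrc_t)` narrows initrc_t to a far smaller grant than a transition over every named device, which is the right direction, but the line that survives, `+dev_rw_xserver_misc(initrc_t)`, sits where the removed `# Early devtmpfs` comment was and carries no explanation of why an init script needs read/write on X-server misc device nodes. I would put a comment above it such as `# init scripts touch the X-server misc device nodes before X starts (presumably the nvidia* nodes named in the commit) — confirm the consumer`. Note that the only filetrans for these nodes now lives on xserver_t (the xserver.te hunk earlier on this page), so if any nvidia* node is still created by an init script running as initrc_t it would presumably no longer get a type transition; in that case the narrower replacement for the dropped rule would be `dev_filetrans_xserver_misc(initrc_t)` rather than the all-named-dev variant. The inner `@@ -298,13 +512,13 @@` hunk of init.te continues past the end of this outer hunk.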
@@ -67631,7 +67720,7 @@ index 29a9565..29930e4 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +531,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +530,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -67639,7 +67728,7 @@ index 29a9565..29930e4 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +539,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +538,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -67651,7 +67740,7 @@ index 29a9565..29930e4 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +558,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +557,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -67665,7 +67754,7 @@ index 29a9565..29930e4 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +573,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +572,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -67674,7 +67763,7 @@ index 29a9565..29930e4 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +587,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +586,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -67682,7 +67771,7 @@ index 29a9565..29930e4 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +599,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +598,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -67690,7 +67779,7 @@ index 29a9565..29930e4 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +620,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +619,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -67712,7 +67801,7 @@ index 29a9565..29930e4 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +683,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +682,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -67723,7 +67812,7 @@ index 29a9565..29930e4 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +707,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +706,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -67732,7 +67821,7 @@ index 29a9565..29930e4 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +722,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +721,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -67740,7 +67829,7 @@ index 29a9565..29930e4 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +752,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +751,33 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -67774,7 +67863,7 @@ index 29a9565..29930e4 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +786,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +785,22 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -67797,7 +67886,7 @@ index 29a9565..29930e4 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +816,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +815,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -67837,7 +67926,7 @@ index 29a9565..29930e4 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +861,8 @@ optional_policy(`
+@@ -561,6 +860,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -67846,7 +67935,7 @@ index 29a9565..29930e4 100644
  ')
  
  optional_policy(`
-@@ -577,6 +879,7 @@ optional_policy(`
+@@ -577,6 +878,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -67854,7 +67943,7 @@ index 29a9565..29930e4 100644
  ')
  
  optional_policy(`
-@@ -589,6 +892,17 @@ optional_policy(`
+@@ -589,6 +891,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67872,7 +67961,7 @@ index 29a9565..29930e4 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +919,13 @@ optional_policy(`
+@@ -605,9 +918,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -67886,7 +67975,7 @@ index 29a9565..29930e4 100644
  	')
  
  	optional_policy(`
-@@ -632,6 +950,10 @@ optional_policy(`
+@@ -632,6 +949,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67897,7 +67986,7 @@ index 29a9565..29930e4 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -649,6 +971,11 @@ optional_policy(`
+@@ -649,6 +970,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67909,7 +67998,7 @@ index 29a9565..29930e4 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1016,7 @@ optional_policy(`
+@@ -689,6 +1015,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -67917,7 +68006,7 @@ index 29a9565..29930e4 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1034,13 @@ optional_policy(`
+@@ -706,7 +1033,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67931,7 +68020,7 @@ index 29a9565..29930e4 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1063,10 @@ optional_policy(`
+@@ -729,6 +1062,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67942,7 +68031,7 @@ index 29a9565..29930e4 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1076,20 @@ optional_policy(`
+@@ -738,10 +1075,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67963,7 +68052,7 @@ index 29a9565..29930e4 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1098,10 @@ optional_policy(`
+@@ -750,6 +1097,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67974,7 +68063,7 @@ index 29a9565..29930e4 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1123,6 @@ optional_policy(`
+@@ -771,8 +1122,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -67983,7 +68072,7 @@ index 29a9565..29930e4 100644
  ')
  
  optional_policy(`
-@@ -790,10 +1140,12 @@ optional_policy(`
+@@ -790,10 +1139,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -67996,7 +68085,7 @@ index 29a9565..29930e4 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1157,6 @@ optional_policy(`
+@@ -805,7 +1156,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -68004,7 +68093,7 @@ index 29a9565..29930e4 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1166,26 @@ optional_policy(`
+@@ -815,11 +1165,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -68032,7 +68121,7 @@ index 29a9565..29930e4 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1195,25 @@ optional_policy(`
+@@ -829,6 +1194,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -68058,7 +68147,7 @@ index 29a9565..29930e4 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1229,10 @@ optional_policy(`
+@@ -844,6 +1228,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -68069,7 +68158,7 @@ index 29a9565..29930e4 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1243,160 @@ optional_policy(`
+@@ -854,3 +1242,160 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4376690..de87de3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -467,6 +467,7 @@ SELinux Reference policy mls base module.
 
 %changelog
 * Tue Nov 1 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-53
+- Make nvidia* to be labeled correctly
 - Fix abrt_manage_cache() interface
 - Make filetrans rules optional so base policy will build
 - Dontaudit chkpwd_t access to inherited TTYS

