[selinux-policy/f16] - Add labeling for udev - Add cloudform policy - Fixes for bootloader policy

Miroslav Grepl mgrepl at fedoraproject.org
Thu Oct 20 14:53:01 UTC 2011


commit 0c7e38070202408b91c7ed029e9ff1758a51e09a
Author: Miroslav <mgrepl at redhat.com>
Date:   Thu Oct 20 16:52:46 2011 +0200

    - Add labeling for udev
    - Add cloudform policy
    - Fixes for bootloader policy

 modules-targeted.conf |    7 +
 policy-F16.patch      |  647 ++++++++++++++++++++++++++++++++++++++++++-------
 selinux-policy.spec   |    7 +-
 3 files changed, 576 insertions(+), 85 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 8f079c6..2645cf6 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2486,3 +2486,10 @@ nova = module
 #  rabbitmq daemons 
 #
 rabbitmq = module
+
+# Layer: services
+# Module: cloudform
+# 
+#  cloudform daemons 
+#
+cloudform = module
diff --git a/policy-F16.patch b/policy-F16.patch
index af52c93..d98ece3 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -511,7 +511,7 @@ index 7a6f06f..e117271 100644
  
  /usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
-index 63eb96b..98307a8 100644
+index 63eb96b..d7a6063 100644
 --- a/policy/modules/admin/bootloader.if
 +++ b/policy/modules/admin/bootloader.if
 @@ -19,6 +19,24 @@ interface(`bootloader_domtrans',`
@@ -539,6 +539,15 @@ index 63eb96b..98307a8 100644
  ########################################
  ## <summary>
  ##	Execute bootloader interactively and do
+@@ -106,7 +124,7 @@ interface(`bootloader_rw_tmp_files',`
+ 	')
+ 
+ 	files_search_tmp($1)
+-	allow $1 bootloader_tmp_t:file rw_file_perms;
++	allow $1 bootloader_tmp_t:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
 @@ -128,3 +146,22 @@ interface(`bootloader_create_runtime_file',`
  	allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
  	files_boot_filetrans($1, boot_runtime_t, file)
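Review bot: The switch from rw_file_perms to rw_inherited_file_perms in `bootloader_rw_tmp_files` (L56-L57) means callers may only use descriptors they inherited, yet the interface still grants `files_search_tmp($1)` (L55), which only matters when the caller opens the file itself; if the inherited permission set omits open, as its name suggests, that line is now dead. Either drop it or keep it deliberately and say so, and update the interface's `## <summary>` (outside this hunk) to read `##	Read and write inherited bootloader temporary files.` so callers that need to open the files know to look for another interface.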
@@ -563,7 +572,7 @@ index 63eb96b..98307a8 100644
 +	files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
 +')
 diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index d3da8f2..9e5a1d0 100644
+index d3da8f2..a10844b 100644
 --- a/policy/modules/admin/bootloader.te
 +++ b/policy/modules/admin/bootloader.te
 @@ -23,7 +23,7 @@ role system_r types bootloader_t;
@@ -600,7 +609,14 @@ index d3da8f2..9e5a1d0 100644
  term_dontaudit_manage_pty_dirs(bootloader_t)
  
  corecmd_exec_all_executables(bootloader_t)
-@@ -101,6 +103,7 @@ files_read_usr_src_files(bootloader_t)
+@@ -95,12 +97,14 @@ domain_use_interactive_fds(bootloader_t)
+ files_create_boot_dirs(bootloader_t)
+ files_manage_boot_files(bootloader_t)
+ files_manage_boot_symlinks(bootloader_t)
++files_manage_kernel_modules(bootloader_t)
+ files_read_etc_files(bootloader_t)
+ files_exec_etc_files(bootloader_t)
+ files_read_usr_src_files(bootloader_t)
  files_read_usr_files(bootloader_t)
  files_read_var_files(bootloader_t)
  files_read_kernel_modules(bootloader_t)
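Review bot: `files_manage_kernel_modules(bootloader_t)` (L82) lets the bootloader domain create, write and delete files labeled as kernel modules, an integrity-sensitive tree, and the hunk keeps `files_read_kernel_modules(bootloader_t)` (L88), which that broader grant presumably subsumes. The commit message only says "Fixes for bootloader policy", so the reason for the write access is not recorded anywhere. Add a why-comment naming the helper that needs it, e.g. `# <tool run from bootloader_t> writes under the kernel modules tree -- TODO confirm`, and drop the now-redundant read line if the manage interface indeed includes read.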
@@ -608,7 +624,7 @@ index d3da8f2..9e5a1d0 100644
  # for nscd
  files_dontaudit_search_pids(bootloader_t)
  # for blkid.tab
-@@ -108,6 +111,7 @@ files_manage_etc_runtime_files(bootloader_t)
+@@ -108,6 +112,7 @@ files_manage_etc_runtime_files(bootloader_t)
  files_etc_filetrans_etc_runtime(bootloader_t, file)
  files_dontaudit_search_home(bootloader_t)
  
@@ -616,11 +632,11 @@ index d3da8f2..9e5a1d0 100644
  init_getattr_initctl(bootloader_t)
  init_use_script_ptys(bootloader_t)
  init_use_script_fds(bootloader_t)
-@@ -115,19 +119,21 @@ init_rw_script_pipes(bootloader_t)
+@@ -115,19 +120,21 @@ init_rw_script_pipes(bootloader_t)
  
  libs_read_lib_files(bootloader_t)
  libs_exec_lib_files(bootloader_t)
-+libs_use_ld_so(bootloader_t)
++libs_exec_ld_so(bootloader_t)
 +
 +auth_use_nsswitch(bootloader_t)
  
@@ -641,7 +657,7 @@ index d3da8f2..9e5a1d0 100644
  userdom_dontaudit_search_user_home_dirs(bootloader_t)
  
  ifdef(`distro_debian',`
-@@ -162,8 +168,10 @@ ifdef(`distro_redhat',`
+@@ -162,8 +169,10 @@ ifdef(`distro_redhat',`
  	files_manage_isid_type_blk_files(bootloader_t)
  	files_manage_isid_type_chr_files(bootloader_t)
  
@@ -654,7 +670,7 @@ index d3da8f2..9e5a1d0 100644
  
  	optional_policy(`
  		unconfined_domain(bootloader_t)
-@@ -171,6 +179,10 @@ ifdef(`distro_redhat',`
+@@ -171,6 +180,10 @@ ifdef(`distro_redhat',`
  ')
  
  optional_policy(`
@@ -665,7 +681,7 @@ index d3da8f2..9e5a1d0 100644
  	fstools_exec(bootloader_t)
  ')
  
-@@ -180,6 +192,10 @@ optional_policy(`
+@@ -180,6 +193,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -676,7 +692,7 @@ index d3da8f2..9e5a1d0 100644
  	kudzu_domtrans(bootloader_t)
  ')
  
-@@ -192,15 +208,13 @@ optional_policy(`
+@@ -192,15 +209,13 @@ optional_policy(`
  
  optional_policy(`
  	modutils_exec_insmod(bootloader_t)
@@ -1891,10 +1907,10 @@ index 0000000..bd83148
 +## <summary>No Interfaces</summary>
 diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
 new file mode 100644
-index 0000000..7da376a
+index 0000000..23bef3c
 --- /dev/null
 +++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,310 @@
+@@ -0,0 +1,333 @@
 +policy_module(permissivedomains,16)
 +
 +optional_policy(`
@@ -1914,6 +1930,14 @@ index 0000000..7da376a
 +')
 +
 +optional_policy(`
++	gen_require(`
++		type quota_nld_t;
++	')
++
++	permissive quota_nld_t;
++')
++
++optional_policy(`
 +      gen_require(`
 +             type bootloader_t;
 +      ')
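Review bot: `permissive quota_nld_t;` (L169) puts the new domain in permissive mode, so the quota_nld rules added later in this commit are logged-only and never enforced until this entry is removed; the same applies to the four cloudform domains made permissive in the next hunk (L190-L193). That is the usual staging step for a new domain, but nothing marks these entries as temporary. Suggest a comment above each block, `# new domain, permissive until its policy is validated; remove before enforcing`, so the entries do not outlive the validation. Style: the new block is tab-indented (L165-L167) while the neighbouring bootloader block uses spaces (L173-L175), and `type  mongod_t;` (L186) has a doubled space.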
@@ -2205,6 +2229,21 @@ index 0000000..7da376a
 +      permissive virt_qmf_t;
 +')
 +
++# for cloudform daemons
++
++optional_policy(`
++	gen_require(`
++		type deltacloudd_t;
++		type iwhd_t;
++		type  mongod_t;
++		type thin_t;
++	')
++
++	permissive deltacloudd_t;
++	permissive iwhd_t;
++	permissive mongod_t;
++	permissive thin_t;
++')
 diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
 index db46387..b665b08 100644
 --- a/policy/modules/admin/portage.fc
@@ -2404,11 +2443,23 @@ index af55369..ec838bd 100644
 +	')
 +	miscfiles_read_man_pages(prelink_t)
 +')
+diff --git a/policy/modules/admin/quota.fc b/policy/modules/admin/quota.fc
+index f387230..a59bf52 100644
+--- a/policy/modules/admin/quota.fc
++++ b/policy/modules/admin/quota.fc
+@@ -17,3 +17,7 @@ ifdef(`distro_redhat',`
+ ',`
+ /sbin/convertquota		--	gen_context(system_u:object_r:quota_exec_t,s0)
+ ')
++
++/usr/sbin/quota_nld     --  gen_context(system_u:object_r:quota_nld_exec_t,s0)
++
++/var/run/quota_nld\.pid --  gen_context(system_u:object_r:quota_nld_var_run_t,s0)
 diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
-index bf75d99..1698e8f 100644
+index bf75d99..9e3153a 100644
 --- a/policy/modules/admin/quota.if
 +++ b/policy/modules/admin/quota.if
-@@ -83,3 +83,36 @@ interface(`quota_manage_flags',`
+@@ -83,3 +83,55 @@ interface(`quota_manage_flags',`
  	files_search_var_lib($1)
  	manage_files_pattern($1, quota_flag_t, quota_flag_t)
  ')
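Review bot: The new quota.fc entries (L211, L213) separate their columns with runs of spaces while the surrounding entries use tabs (L208), and the same space-versus-tab mix recurs in the `quota_domtrans_nld` interface body (L240-L246) and the dbus block in quota.te (L307-L308) in the following hunks. Aligning these with the file's tab convention (tabs between the path, the `--` class column and the `gen_context(...)` field, as on L208) keeps the policy sources consistent and diff-friendly. The labeling itself looks coherent: the pid file maps to quota_nld_var_run_t, which the quota.te hunk declares with `files_pid_file`.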
@@ -2445,11 +2496,44 @@ index bf75d99..1698e8f 100644
 +	files_spool_filetrans($1, quota_db_t, file, "aquota.user")
 +	files_spool_filetrans($1, quota_db_t, file, "aquota.group")
 +')
++
++#######################################
++## <summary>
++##  Transition to quota_nld.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`quota_domtrans_nld',`
++    gen_require(`
++        type quota_nld_t, quota_nld_exec_t;
++    ')
++
++    corecmd_search_bin($1)
++    domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
++')
 diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
-index 5dd42f5..f13ac41 100644
+index 5dd42f5..4d272f2 100644
 --- a/policy/modules/admin/quota.te
 +++ b/policy/modules/admin/quota.te
-@@ -72,7 +72,7 @@ init_use_script_ptys(quota_t)
+@@ -15,6 +15,13 @@ files_type(quota_db_t)
+ type quota_flag_t;
+ files_type(quota_flag_t)
+ 
++type quota_nld_t;
++type quota_nld_exec_t;
++init_daemon_domain(quota_nld_t, quota_nld_exec_t)
++
++type quota_nld_var_run_t;
++files_pid_file(quota_nld_var_run_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -72,7 +79,7 @@ init_use_script_ptys(quota_t)
  
  logging_send_syslog_msg(quota_t)
  
@@ -2458,6 +2542,41 @@ index 5dd42f5..f13ac41 100644
  userdom_dontaudit_use_unpriv_user_fds(quota_t)
  
  optional_policy(`
+@@ -82,3 +89,34 @@ optional_policy(`
+ optional_policy(`
+ 	udev_read_db(quota_t)
+ ')
++
++#######################################
++#
++# Local policy
++#
++
++allow quota_nld_t self:fifo_file rw_fifo_file_perms;
++allow quota_nld_t self:netlink_socket create_socket_perms;
++allow quota_nld_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
++files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
++
++kernel_read_network_state(quota_nld_t)
++
++files_read_etc_files(quota_nld_t)
++
++auth_use_nsswitch(quota_nld_t)
++
++init_read_utmp(quota_nld_t)
++
++logging_send_syslog_msg(quota_nld_t)
++
++miscfiles_read_localization(quota_nld_t)
++
++userdom_use_user_terminals(quota_nld_t)
++
++optional_policy(`
++    dbus_system_bus_client(quota_nld_t)
++    dbus_connect_system_bus(quota_nld_t)
++')
 diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc
 index 7077413..6bc0fa8 100644
 --- a/policy/modules/admin/readahead.fc
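Review bot: The section header added at L280-L283 repeats the `# Local policy` heading that already introduces the quota_t rules (L264-L266), so the file now has two identical headings; name it `# quota_nld local policy`, as the per-domain headings in cloudform.te elsewhere in this commit do. `userdom_use_user_terminals(quota_nld_t)` (L304) lets a system daemon write to users' ttys, which fits a daemon that forwards quota warnings to logged-in users but is unusual enough to deserve a why-comment, e.g. `# quota_nld writes quota warnings to users' terminals -- confirm`. The `self:netlink_socket` grant at L286 is similarly worth a one-line note on which netlink family the daemon uses.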
@@ -22906,7 +23025,7 @@ index 0b827c5..46e3aa9 100644
 +	dontaudit $1 abrt_t:sock_file write;
 +')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..b11c27f 100644
+index 30861ec..4b0f7cc 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
@@ -22991,7 +23110,7 @@ index 30861ec..b11c27f 100644
 +allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
  dontaudit abrt_t self:capability sys_rawio;
 -allow abrt_t self:process { signal signull setsched getsched };
-+allow abrt_t self:process { sigkill signal signull setsched getsched };
++allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
  
  allow abrt_t self:fifo_file rw_fifo_file_perms;
  allow abrt_t self:tcp_socket create_stream_socket_perms;
@@ -26714,10 +26833,10 @@ index 0000000..fa9b95a
 +')
 diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
 new file mode 100644
-index 0000000..1442451
+index 0000000..e841806
 --- /dev/null
 +++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,172 @@
+@@ -0,0 +1,174 @@
 +policy_module(boinc, 1.0.0)
 +
 +########################################
@@ -26875,6 +26994,8 @@ index 0000000..1442451
 +
 +corenet_tcp_connect_boinc_port(boinc_project_t)
 +
++domain_read_all_domains_state(boinc_project_t)
++
 +dev_read_rand(boinc_project_t)
 +dev_read_urand(boinc_project_t)
 +dev_read_sysfs(boinc_project_t)
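Review bot: `domain_read_all_domains_state(boinc_project_t)` (L348) lets the boinc project domain read the /proc state of every process on the system, an information-disclosure widening for a domain whose purpose, per the boinc policy outside this hunk, is to confine project-supplied workloads. If the access was added to silence a denial rather than for a needed function, `domain_dontaudit_read_all_domains_state(boinc_project_t)` keeps the logs quiet without granting it. Otherwise record the need next to the rule, e.g. `# why: <which boinc component reads other processes' /proc state> -- TODO confirm`, so the grant can be revisited.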
@@ -28764,6 +28885,264 @@ index 6077339..d10acd2 100644
  
  dev_read_lvm_control(clogd_t)
  dev_manage_generic_blk_files(clogd_t)
+diff --git a/policy/modules/services/cloudform.fc b/policy/modules/services/cloudform.fc
+new file mode 100644
+index 0000000..2c745ea
+--- /dev/null
++++ b/policy/modules/services/cloudform.fc
+@@ -0,0 +1,16 @@
++/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
++
++/usr/bin/deltacloudd		--	gen_context(system_u:object_r:deltacloudd_exec_t,s0)
++/usr/bin/iwhd           --      gen_context(system_u:object_r:iwhd_exec_t,s0)
++/usr/bin/mongod		--	gen_context(system_u:object_r:mongod_exec_t,s0)
++/usr/bin/thin		--	gen_context(system_u:object_r:thin_exec_t,s0)
++
++/var/lib/iwhd(/.*)?             gen_context(system_u:object_r:iwhd_var_lib_t,s0)
++/var/log/iwhd\.log		--		gen_context(system_u:object_r:iwhd_log_t,s0)
++/var/run/iwhd\.pid               --      gen_context(system_u:object_r:iwhd_var_run_t,s0)
++
++/var/lib/mongodb(/.*)?		gen_context(system_u:object_r:mongod_var_lib_t,s0)
++/var/log/mongodb(/.*)?		gen_context(system_u:object_r:mongod_log_t,s0)
++/var/run/mongodb(/.*)?		gen_context(system_u:object_r:mongod_var_run_t,s0)
++
+diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if
+new file mode 100644
+index 0000000..917f8d4
+--- /dev/null
++++ b/policy/modules/services/cloudform.if
+@@ -0,0 +1,23 @@
++## <summary>cloudform policy</summary>
++
++#######################################
++## <summary>
++##  Creates types and rules for a basic
++##  cloudform daemon domain.
++## </summary>
++## <param name="prefix">
++##  <summary>
++##  Prefix for the domain.
++##  </summary>
++## </param>
++#
++template(`cloudform_domain_template',`
++    gen_require(`
++        attribute cloudform_domain;
++    ')
++
++    type $1_t, cloudform_domain;
++    type $1_exec_t;
++    init_daemon_domain($1_t, $1_exec_t)
++
++')
+diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
+new file mode 100644
+index 0000000..1fb3787
+--- /dev/null
++++ b/policy/modules/services/cloudform.te
+@@ -0,0 +1,201 @@
++policy_module(cloudform, 1.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute cloudform_domain;
++
++cloudform_domain_template(deltacloudd)
++cloudform_domain_template(iwhd)
++cloudform_domain_template(mongod)
++cloudform_domain_template(thin)
++
++type deltacloudd_tmp_t;
++files_tmp_file(deltacloudd_tmp_t)
++
++type iwhd_initrc_exec_t;
++init_script_file(iwhd_initrc_exec_t)
++
++type iwhd_var_lib_t;
++files_type(iwhd_var_lib_t)
++
++type iwhd_var_run_t;
++files_pid_file(iwhd_var_run_t)
++
++type mongod_initrc_exec_t;
++init_script_file(mongod_initrc_exec_t)
++
++type mongod_log_t;
++logging_log_file(mongod_log_t)
++
++type mongod_var_lib_t;
++files_type(mongod_var_lib_t)
++
++type mongod_tmp_t;
++files_tmp_file(mongod_tmp_t)
++
++type mongod_var_run_t;
++files_pid_file(mongod_var_run_t)
++
++type thin_var_run_t;
++files_pid_file(thin_var_run_t)
++
++type iwhd_log_t;
++logging_log_file(iwhd_log_t)
++
++########################################
++#
++# cloudform_domain local policy
++#
++
++allow cloudform_domain self:fifo_file rw_fifo_file_perms;
++allow cloudform_domain self:tcp_socket create_stream_socket_perms;
++
++dev_read_urand(cloudform_domain)
++
++files_read_etc_files(cloudform_domain)
++
++miscfiles_read_certs(cloudform_domain)
++miscfiles_read_localization(cloudform_domain)
++
++########################################
++#
++# deltacloudd local policy
++#
++
++allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
++allow deltacloudd_t self:udp_socket create_socket_perms;
++
++allow deltacloudd_t self:process signal;
++
++allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
++allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
++allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
++manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
++files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
++
++corecmd_exec_bin(deltacloudd_t)
++
++corenet_tcp_bind_generic_node(deltacloudd_t)
++corenet_tcp_bind_generic_port(deltacloudd_t)
++
++files_read_usr_files(deltacloudd_t)
++
++logging_send_syslog_msg(deltacloudd_t)
++
++optional_policy(`
++	sysnet_read_config(deltacloudd_t)
++')
++
++########################################
++#
++# iwhd local policy
++#
++
++allow iwhd_t self:capability { chown kill };
++allow iwhd_t self:process { fork };
++
++allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
++allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
++manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
++
++manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
++logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
++
++manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
++manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
++files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
++
++kernel_read_system_state(iwhd_t)
++
++corenet_tcp_bind_generic_node(iwhd_t)
++#type=AVC msg=audit(1319039371.089:62273): avc:  denied  { name_connect } for pid=9628 comm="iwhd" dest=27017 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
++#type=AVC msg=audit(1319039371.089:62274): avc:  denied  { name_bind } for pid=9625 comm="iwhd" src=9090 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
++
++dev_read_rand(iwhd_t)
++dev_read_urand(iwhd_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++    fs_list_auto_mountpoints(iwhd_t)
++    fs_manage_nfs_dirs(iwhd_t)
++    fs_manage_nfs_files(iwhd_t)
++    fs_manage_nfs_symlinks(iwhd_t)
++')
++
++########################################
++#
++# mongod local policy
++#
++
++#WHY?
++allow mongod_t self:process execmem;
++
++allow mongod_t self:process setsched;
++
++allow mongod_t self:process { fork signal };
++
++allow mongod_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
++manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
++
++manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
++manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
++
++manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
++
++manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
++manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
++
++corenet_tcp_bind_generic_node(mongod_t)
++#temporary
++corenet_tcp_bind_generic_port(mongod_t)
++
++domain_use_interactive_fds(mongod_t)
++
++optional_policy(`
++	sysnet_dns_name_resolve(mongod_t)
++')
++
++########################################
++#
++# thin local policy
++#
++
++allow thin_t self:capability { setuid kill setgid dac_override };
++
++allow thin_t self:netlink_route_socket r_netlink_socket_perms;
++allow thin_t self:udp_socket create_socket_perms;
++allow thin_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
++files_pid_filetrans(thin_t, thin_var_run_t, { file })
++
++corecmd_exec_bin(thin_t)
++
++corenet_tcp_bind_generic_node(thin_t)
++corenet_tcp_bind_ntop_port(thin_t)
++corenet_tcp_connect_postgresql_port(thin_t)
++#type=AVC msg=audit(1319039370.469:62271): avc:  denied  { name_connect } for pid=9540 comm="thin" dest=3002 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
++
++files_read_usr_files(thin_t)
++
++fs_search_auto_mountpoints(thin_t)
++
++init_read_utmp(thin_t)
++
++kernel_read_kernel_sysctls(thin_t)
++
++optional_policy(`
++	sysnet_read_config(thin_t)
++')
++
 diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc
 index 049e2b6..dcc7de8 100644
 --- a/policy/modules/services/cmirrord.fc
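Review bot: The new cloudform.te lands with two rules the author flagged as unresolved: `allow mongod_t self:process execmem;` under `#WHY?` (L549-L550), which permits writable-and-executable memory mappings, and `corenet_tcp_bind_generic_port(mongod_t)` under `#temporary` (L573-L574), which lets mongod bind any generic port; deltacloudd_t receives the same generic bind at L497 with no comment at all. The raw AVC lines pasted as comments at L531-L532 and L601 already name the concrete ports involved (27017, 9090, 3002), but they are left as audit output instead of being turned into port declarations in corenetwork.te.in with matching `corenet_tcp_bind_*`/`corenet_tcp_connect_*` rules, after which the generic grants can go. Replace `#WHY?` with a why-comment that names the component needing execmem, e.g. `# execmem: needed by <mongod component> -- TODO confirm and revisit`, and either resolve or date the `#temporary` note. On a smaller point, `allow thin_t self:capability { setuid kill setgid dac_override };` (L587) grants dac_override, which bypasses file permission checks entirely; a denial showing which path requires it would either justify keeping it or point to a labeling fix instead.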
@@ -36087,6 +36466,20 @@ index 0000000..1f39a80
 +	lldpad_dgram_send(fcoemon_t)
 +')
 +
+diff --git a/policy/modules/services/fetchmail.fc b/policy/modules/services/fetchmail.fc
+index 455c620..c263c70 100644
+--- a/policy/modules/services/fetchmail.fc
++++ b/policy/modules/services/fetchmail.fc
+@@ -1,3 +1,9 @@
++#
++# /HOME
++#
++HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
++/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
++
+ 
+ #
+ # /etc
 diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if
 index 6537214..7d64c0a 100644
 --- a/policy/modules/services/fetchmail.if
@@ -36100,20 +36493,43 @@ index 6537214..7d64c0a 100644
  
  	files_list_etc($1)
 diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
-index 3459d93..c39305a 100644
+index 3459d93..3d4e162 100644
 --- a/policy/modules/services/fetchmail.te
 +++ b/policy/modules/services/fetchmail.te
-@@ -88,6 +88,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
- userdom_dontaudit_search_user_home_dirs(fetchmail_t)
+@@ -10,6 +10,9 @@ type fetchmail_exec_t;
+ init_daemon_domain(fetchmail_t, fetchmail_exec_t)
+ application_executable_file(fetchmail_exec_t)
  
- optional_policy(`
-+	kerberos_use(fetchmail_t)
-+')
++type fetchmail_home_t;
++userdom_user_home_content(fetchmail_home_t)
++
+ type fetchmail_var_run_t;
+ files_pid_file(fetchmail_var_run_t)
+ 
+@@ -41,6 +44,11 @@ manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+ manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+ files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file })
+ 
++list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
++read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
++userdom_search_user_home_dirs(fetchmail_t)
++userdom_search_admin_dir(fetchmail_t)
++
+ kernel_read_kernel_sysctls(fetchmail_t)
+ kernel_list_proc(fetchmail_t)
+ kernel_getattr_proc_files(fetchmail_t)
+@@ -85,7 +93,10 @@ miscfiles_read_generic_certs(fetchmail_t)
+ sysnet_read_config(fetchmail_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
+-userdom_dontaudit_search_user_home_dirs(fetchmail_t)
 +
 +optional_policy(`
- 	procmail_domtrans(fetchmail_t)
- ')
++	kerberos_use(fetchmail_t)
++')
  
+ optional_policy(`
+ 	procmail_domtrans(fetchmail_t)
 diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
 index 9b7036a..4770f61 100644
 --- a/policy/modules/services/finger.te
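Review bot: The new `fetchmail_home_t` type (L656-L657) is only assigned through the file-context entries in the fetchmail.fc hunk above (L630-L631), which take effect at relabel time; a `~/.fetchmailrc` a user writes afterwards will carry the generic home type unless a named file transition exists, so `read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)` (L667) would not reach it and fetchmail's read of the file would be denied. Since this file typically holds mail-account credentials, a dedicated type is the right direction; the missing piece is a transition in the user domains (refpolicy's `userdom_user_home_dir_filetrans` with a filename argument, plus an equivalent for /root) or a note stating that a restorecon of the home directory is required. Also consider a one-line comment above L656, `# ~/.fetchmailrc: labeled separately so it can be granted to fetchmail_t explicitly`, so the purpose of the extra type is visible.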
@@ -42731,7 +43147,7 @@ index 256166a..6321a93 100644
 +/var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..fff3a52 100644
+index 343cee3..e5c33d1 100644
 --- a/policy/modules/services/mta.if
 +++ b/policy/modules/services/mta.if
 @@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -42753,7 +43169,16 @@ index 343cee3..fff3a52 100644
  	')
  
  	optional_policy(`
-@@ -158,6 +159,7 @@ template(`mta_base_mail_template',`
+@@ -128,6 +129,8 @@ template(`mta_base_mail_template',`
+ 		# Write to /var/spool/mail and /var/spool/mqueue.
+ 		manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t)
+ 		manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t)
++		read_lnk_files_pattern($1_mail_t, mail_spool_t, mail_spool_t)
++		read_lnk_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t)
+ 
+ 		# Check available space.
+ 		fs_getattr_xattr_fs($1_mail_t)
+@@ -158,6 +161,7 @@ template(`mta_base_mail_template',`
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -42761,7 +43186,7 @@ index 343cee3..fff3a52 100644
  #
  interface(`mta_role',`
  	gen_require(`
-@@ -169,11 +171,19 @@ interface(`mta_role',`
+@@ -169,11 +173,19 @@ interface(`mta_role',`
  
  	# Transition from the user domain to the derived domain.
  	domtrans_pattern($2, sendmail_exec_t, user_mail_t)
@@ -42782,7 +43207,7 @@ index 343cee3..fff3a52 100644
  ')
  
  ########################################
-@@ -220,6 +230,25 @@ interface(`mta_agent_executable',`
+@@ -220,6 +232,25 @@ interface(`mta_agent_executable',`
  	application_executable_file($1)
  ')
  
@@ -42808,7 +43233,7 @@ index 343cee3..fff3a52 100644
  ########################################
  ## <summary>
  ##	Make the specified type by a system MTA.
-@@ -306,7 +335,6 @@ interface(`mta_mailserver_sender',`
+@@ -306,7 +337,6 @@ interface(`mta_mailserver_sender',`
  interface(`mta_mailserver_delivery',`
  	gen_require(`
  		attribute mailserver_delivery;
@@ -42816,7 +43241,7 @@ index 343cee3..fff3a52 100644
  	')
  
  	typeattribute $1 mailserver_delivery;
-@@ -330,12 +358,6 @@ interface(`mta_mailserver_user_agent',`
+@@ -330,12 +360,6 @@ interface(`mta_mailserver_user_agent',`
  	')
  
  	typeattribute $1 mta_user_agent;
@@ -42829,7 +43254,7 @@ index 343cee3..fff3a52 100644
  ')
  
  ########################################
-@@ -350,9 +372,8 @@ interface(`mta_mailserver_user_agent',`
+@@ -350,9 +374,8 @@ interface(`mta_mailserver_user_agent',`
  #
  interface(`mta_send_mail',`
  	gen_require(`
@@ -42840,7 +43265,7 @@ index 343cee3..fff3a52 100644
  	')
  
  	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-@@ -391,12 +412,17 @@ interface(`mta_send_mail',`
+@@ -391,12 +414,17 @@ interface(`mta_send_mail',`
  #
  interface(`mta_sendmail_domtrans',`
  	gen_require(`
@@ -42860,7 +43285,7 @@ index 343cee3..fff3a52 100644
  ')
  
  ########################################
-@@ -409,7 +435,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +437,6 @@ interface(`mta_sendmail_domtrans',`
  ##	</summary>
  ## </param>
  #
@@ -42868,7 +43293,7 @@ index 343cee3..fff3a52 100644
  interface(`mta_signal_system_mail',`
  	gen_require(`
  		type system_mail_t;
-@@ -420,6 +445,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +447,24 @@ interface(`mta_signal_system_mail',`
  
  ########################################
  ## <summary>
@@ -42893,7 +43318,7 @@ index 343cee3..fff3a52 100644
  ##	Execute sendmail in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -438,6 +481,26 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +483,26 @@ interface(`mta_sendmail_exec',`
  
  ########################################
  ## <summary>
@@ -42920,7 +43345,7 @@ index 343cee3..fff3a52 100644
  ##	Read mail server configuration.
  ## </summary>
  ## <param name="domain">
-@@ -474,7 +537,8 @@ interface(`mta_write_config',`
+@@ -474,7 +539,8 @@ interface(`mta_write_config',`
  		type etc_mail_t;
  	')
  
@@ -42930,7 +43355,7 @@ index 343cee3..fff3a52 100644
  ')
  
  ########################################
-@@ -494,6 +558,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +560,7 @@ interface(`mta_read_aliases',`
  
  	files_search_etc($1)
  	allow $1 etc_aliases_t:file read_file_perms;
@@ -42938,7 +43363,7 @@ index 343cee3..fff3a52 100644
  ')
  
  ########################################
-@@ -532,7 +597,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -532,7 +599,7 @@ interface(`mta_etc_filetrans_aliases',`
  		type etc_aliases_t;
  	')
  
@@ -42947,7 +43372,7 @@ index 343cee3..fff3a52 100644
  ')
  
  ########################################
-@@ -552,7 +617,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +619,7 @@ interface(`mta_rw_aliases',`
  	')
  
  	files_search_etc($1)
@@ -42956,7 +43381,7 @@ index 343cee3..fff3a52 100644
  ')
  
  #######################################
-@@ -646,8 +711,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +713,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
  
  	files_dontaudit_search_spool($1)
  	dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -42967,7 +43392,7 @@ index 343cee3..fff3a52 100644
  ')
  
  #######################################
-@@ -680,6 +745,25 @@ interface(`mta_spool_filetrans',`
+@@ -680,6 +747,25 @@ interface(`mta_spool_filetrans',`
  	filetrans_pattern($1, mail_spool_t, $2, $3)
  ')
  
@@ -42993,7 +43418,7 @@ index 343cee3..fff3a52 100644
  ########################################
  ## <summary>
  ##	Read and write the mail spool.
-@@ -697,8 +781,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +783,8 @@ interface(`mta_rw_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -43004,7 +43429,7 @@ index 343cee3..fff3a52 100644
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -838,7 +922,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +924,7 @@ interface(`mta_dontaudit_rw_queue',`
  	')
  
  	dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -43013,7 +43438,7 @@ index 343cee3..fff3a52 100644
  ')
  
  ########################################
-@@ -899,3 +983,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +985,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -43127,7 +43552,7 @@ index 343cee3..fff3a52 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..d46b314 100644
+index 64268e4..c84e80f 100644
 --- a/policy/modules/services/mta.te
 +++ b/policy/modules/services/mta.te
 @@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@@ -43374,7 +43799,7 @@ index 64268e4..d46b314 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(user_mail_t)
  	fs_manage_cifs_symlinks(user_mail_t)
-@@ -292,3 +316,44 @@ optional_policy(`
+@@ -292,3 +316,46 @@ optional_policy(`
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -43401,6 +43826,8 @@ index 64268e4..d46b314 100644
 +kernel_read_network_state(user_mail_domain)
 +kernel_request_load_module(user_mail_domain)
 +
++files_read_usr_files(user_mail_domain)
++
 +optional_policy(`
 +	# postfix needs this for newaliases
 +	files_getattr_tmp_dirs(user_mail_domain)
@@ -64372,7 +64799,7 @@ index 28ad538..59742f4 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..e3720d4 100644
+index 73554ec..6a25dd6 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -64384,8 +64811,14 @@ index 73554ec..e3720d4 100644
  	logging_send_audit_msgs($1)
  	logging_send_syslog_msg($1)
  
-@@ -80,6 +82,12 @@ interface(`auth_use_pam',`
+@@ -78,8 +80,18 @@ interface(`auth_use_pam',`
+ 	')
+ 
  	optional_policy(`
++		locallogin_getattr_home_content($1)
++ 	')
++
++	optional_policy(`
  		nis_authenticate($1)
  	')
 +
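Review bot: The closing `')` added at L926 is indented with a space followed by a tab, unlike the `')` at L930 and the rest of `auth_use_pam`; it reads like a context line copied together with its diff column, and the inner patch line should be `+	')` with the tab only. Also, `locallogin_getattr_home_content($1)` (L925) is now granted to every domain that calls auth_use_pam; a why-comment naming the PAM module that needs it, e.g. `# <pam module> stats home content during authentication -- confirm`, would make the widening reviewable. The enclosing interface starts and ends outside the hunk.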
@@ -64397,7 +64830,7 @@ index 73554ec..e3720d4 100644
  ')
  
  ########################################
-@@ -95,9 +103,12 @@ interface(`auth_use_pam',`
+@@ -95,9 +107,12 @@ interface(`auth_use_pam',`
  interface(`auth_login_pgm_domain',`
  	gen_require(`
  		type var_auth_t, auth_cache_t;
@@ -64410,7 +64843,7 @@ index 73554ec..e3720d4 100644
  	domain_subj_id_change_exemption($1)
  	domain_role_change_exemption($1)
  	domain_obj_id_change_exemption($1)
-@@ -105,14 +116,17 @@ interface(`auth_login_pgm_domain',`
+@@ -105,14 +120,17 @@ interface(`auth_login_pgm_domain',`
  
  	# Needed for pam_selinux_permit to cleanup properly
  	domain_read_all_domains_state($1)
@@ -64428,7 +64861,7 @@ index 73554ec..e3720d4 100644
  	manage_files_pattern($1, var_auth_t, var_auth_t)
  
  	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -123,13 +137,19 @@ interface(`auth_login_pgm_domain',`
+@@ -123,13 +141,19 @@ interface(`auth_login_pgm_domain',`
  	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
  	kernel_rw_afs_state($1)
  
@@ -64449,7 +64882,7 @@ index 73554ec..e3720d4 100644
  
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
-@@ -145,6 +165,8 @@ interface(`auth_login_pgm_domain',`
+@@ -145,6 +169,8 @@ interface(`auth_login_pgm_domain',`
  	mls_process_set_level($1)
  	mls_fd_share_all_levels($1)
  
@@ -64458,7 +64891,7 @@ index 73554ec..e3720d4 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -155,9 +177,83 @@ interface(`auth_login_pgm_domain',`
+@@ -155,9 +181,83 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -64498,7 +64931,7 @@ index 73554ec..e3720d4 100644
 +
 +	optional_policy(`
 +		fprintd_dbus_chat($1)
-+	')
+ 	')
 +
 +	optional_policy(`
 +		ssh_agent_exec($1)
@@ -64538,13 +64971,13 @@ index 73554ec..e3720d4 100644
 +interface(`authlogin_rw_pipes',`
 +	gen_require(`
 +		attribute polydomain;
- 	')
++	')
 +
 +	allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
  ')
  
  ########################################
-@@ -368,13 +464,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -368,13 +468,15 @@ interface(`auth_domtrans_chk_passwd',`
  	')
  
  	optional_policy(`
@@ -64561,7 +64994,7 @@ index 73554ec..e3720d4 100644
  ')
  
  ########################################
-@@ -421,6 +519,25 @@ interface(`auth_run_chk_passwd',`
+@@ -421,6 +523,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -64587,7 +65020,7 @@ index 73554ec..e3720d4 100644
  ')
  
  ########################################
-@@ -736,7 +853,47 @@ interface(`auth_rw_faillog',`
+@@ -736,7 +857,47 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -64636,7 +65069,7 @@ index 73554ec..e3720d4 100644
  ')
  
  #######################################
-@@ -932,9 +1089,30 @@ interface(`auth_manage_var_auth',`
+@@ -932,9 +1093,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -64670,7 +65103,7 @@ index 73554ec..e3720d4 100644
  ')
  
  ########################################
-@@ -1387,6 +1565,25 @@ interface(`auth_setattr_login_records',`
+@@ -1387,6 +1569,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -64696,7 +65129,7 @@ index 73554ec..e3720d4 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1541,24 +1738,6 @@ interface(`auth_manage_login_records',`
+@@ -1541,24 +1742,6 @@ interface(`auth_manage_login_records',`
  
  ########################################
  ## <summary>
@@ -64721,7 +65154,7 @@ index 73554ec..e3720d4 100644
  ##	Use nsswitch to look up user, password, group, or
  ##	host information.
  ## </summary>
-@@ -1578,54 +1757,11 @@ interface(`auth_relabel_login_records',`
+@@ -1578,54 +1761,11 @@ interface(`auth_relabel_login_records',`
  ## <infoflow type="both" weight="10"/>
  #
  interface(`auth_use_nsswitch',`
@@ -64779,7 +65212,7 @@ index 73554ec..e3720d4 100644
  ')
  
  ########################################
-@@ -1659,3 +1795,33 @@ interface(`auth_unconfined',`
+@@ -1659,3 +1799,33 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -68362,14 +68795,32 @@ index be6a81b..9a27055 100644
  /sbin/sulogin		--	gen_context(system_u:object_r:sulogin_exec_t,s0)
  /sbin/sushell		--	gen_context(system_u:object_r:sulogin_exec_t,s0)
 diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
-index 0e3c2a9..3272623 100644
+index 0e3c2a9..40adf5a 100644
 --- a/policy/modules/system/locallogin.if
 +++ b/policy/modules/system/locallogin.if
-@@ -129,3 +129,41 @@ interface(`locallogin_domtrans_sulogin',`
+@@ -129,3 +129,59 @@ interface(`locallogin_domtrans_sulogin',`
  
  	domtrans_pattern($1, sulogin_exec_t, sulogin_t)
  ')
 +
++#######################################
++## <summary>
++##  Allow domain to gettatr local login home content
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`locallogin_getattr_home_content',`
++    gen_require(`
++        type local_login_home_t;
++    ')
++
++	getattr_files_pattern($1, local_login_home_t, local_login_home_t)
++')
++
 +########################################
 +## <summary>
 +##	create local login content in the  in the /root directory
@@ -69457,7 +69908,7 @@ index 532181a..2410551 100644
  /sbin/depmod.*		--	gen_context(system_u:object_r:depmod_exec_t,s0)
  /sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
 diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 9c0faab..5d93844 100644
+index 9c0faab..4178c09 100644
 --- a/policy/modules/system/modutils.if
 +++ b/policy/modules/system/modutils.if
 @@ -12,7 +12,7 @@
@@ -69469,10 +69920,28 @@ index 9c0faab..5d93844 100644
  	')
  
  	getattr_files_pattern($1, modules_object_t, modules_dep_t)
-@@ -39,6 +39,26 @@ interface(`modutils_read_module_deps',`
+@@ -39,6 +39,44 @@ interface(`modutils_read_module_deps',`
  
  ########################################
  ## <summary>
++##	Read the dependencies of kernel modules.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`modutils_delete_module_deps',`
++	gen_require(`
++		type modules_dep_t;
++	')
++
++	delete_files_pattern($1, modules_dep_t, modules_dep_t)
++')
++
++########################################
++## <summary>
 +##	list the configuration options used when
 +##	loading modules.
 +## </summary>
@@ -69496,7 +69965,7 @@ index 9c0faab..5d93844 100644
  ##	Read the configuration options used when
  ##	loading modules.
  ## </summary>
-@@ -152,13 +172,7 @@ interface(`modutils_domtrans_insmod_uncond',`
+@@ -152,13 +190,7 @@ interface(`modutils_domtrans_insmod_uncond',`
  ## </param>
  #
  interface(`modutils_domtrans_insmod',`
@@ -69512,7 +69981,7 @@ index 9c0faab..5d93844 100644
  
  ########################################
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index a0eef20..406f160 100644
+index a0eef20..2273e1a 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
 @@ -1,9 +1,5 @@
@@ -69578,7 +70047,16 @@ index a0eef20..406f160 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -95,7 +99,6 @@ optional_policy(`
+@@ -90,12 +94,15 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
++	bootloader_rw_tmp_files(insmod_t)
++')
++
++optional_policy(`
+ 	rpm_rw_pipes(depmod_t)
+ 	rpm_manage_script_tmp_files(depmod_t)
  ')
  
  optional_policy(`
@@ -69586,7 +70064,7 @@ index a0eef20..406f160 100644
  	unconfined_domain(depmod_t)
  ')
  
-@@ -104,11 +107,12 @@ optional_policy(`
+@@ -104,11 +111,12 @@ optional_policy(`
  # insmod local policy
  #
  
@@ -69600,7 +70078,7 @@ index a0eef20..406f160 100644
  
  # Read module config and dependency information
  list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
-@@ -118,6 +122,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+@@ -118,6 +126,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
  
  can_exec(insmod_t, insmod_exec_t)
  
@@ -69610,7 +70088,7 @@ index a0eef20..406f160 100644
  kernel_load_module(insmod_t)
  kernel_request_load_module(insmod_t)
  kernel_read_system_state(insmod_t)
-@@ -126,6 +133,7 @@ kernel_write_proc_files(insmod_t)
+@@ -126,6 +137,7 @@ kernel_write_proc_files(insmod_t)
  kernel_mount_debugfs(insmod_t)
  kernel_mount_kvmfs(insmod_t)
  kernel_read_debugfs(insmod_t)
@@ -69618,7 +70096,7 @@ index a0eef20..406f160 100644
  # Rules for /proc/sys/kernel/tainted
  kernel_read_kernel_sysctls(insmod_t)
  kernel_rw_kernel_sysctl(insmod_t)
-@@ -143,6 +151,7 @@ dev_rw_agp(insmod_t)
+@@ -143,6 +155,7 @@ dev_rw_agp(insmod_t)
  dev_read_sound(insmod_t)
  dev_write_sound(insmod_t)
  dev_rw_apm_bios(insmod_t)
@@ -69626,7 +70104,7 @@ index a0eef20..406f160 100644
  
  domain_signal_all_domains(insmod_t)
  domain_use_interactive_fds(insmod_t)
-@@ -161,11 +170,18 @@ files_write_kernel_modules(insmod_t)
+@@ -161,11 +174,18 @@ files_write_kernel_modules(insmod_t)
  
  fs_getattr_xattr_fs(insmod_t)
  fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
@@ -69645,7 +70123,7 @@ index a0eef20..406f160 100644
  
  logging_send_syslog_msg(insmod_t)
  logging_search_logs(insmod_t)
-@@ -174,41 +190,38 @@ miscfiles_read_localization(insmod_t)
+@@ -174,41 +194,38 @@ miscfiles_read_localization(insmod_t)
  
  seutil_read_file_contexts(insmod_t)
  
@@ -69696,7 +70174,7 @@ index a0eef20..406f160 100644
  ')
  
  optional_policy(`
-@@ -236,6 +249,10 @@ optional_policy(`
+@@ -236,6 +253,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69707,7 +70185,7 @@ index a0eef20..406f160 100644
  	# cjp: why is this needed:
  	dev_rw_xserver_misc(insmod_t)
  
-@@ -296,7 +313,7 @@ logging_send_syslog_msg(update_modules_t)
+@@ -296,7 +317,7 @@ logging_send_syslog_msg(update_modules_t)
  
  miscfiles_read_localization(update_modules_t)
  
@@ -72090,10 +72568,10 @@ index 0000000..db57bc7
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..f642930
+index 0000000..0b37d39
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,478 @@
+@@ -0,0 +1,479 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -72141,6 +72619,7 @@ index 0000000..f642930
 +	corecmd_search_bin($1)
 +	can_exec($1, systemd_systemctl_exec_t)
 +
++	fs_list_cgroup_dirs($1)
 +	systemd_list_unit_dirs($1)
 +	init_list_pid_dirs($1)
 +	init_read_state($1)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c949e76..d53a10c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 43%{?dist}
+Release: 44%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,11 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Oct 20 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-44
+- Add labeling for udev
+- Add cloudform policy
+- Fixes for bootloader policy
+
 * Wed Oct 19 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-43
 - Add policies for nova openstack
 

