[selinux-policy/f16] - Add exim_exec_t label for /usr/sbin/exim_tidydb - Call init_dontaudit_rw_stream_socket() interface

Miroslav Grepl mgrepl at fedoraproject.org
Tue Sep 6 11:51:51 UTC 2011


commit e4c2e134dd1edf1c9e44bb7e1366538a2ac3a94e
Author: Miroslav <mgrepl at redhat.com>
Date:   Tue Sep 6 13:51:15 2011 +0200

    - Add exim_exec_t label for /usr/sbin/exim_tidydb
    - Call init_dontaudit_rw_stream_socket() interface in mta policy
    - sssd need to search /var/cache/krb5rcache directory
    - Allow corosync to relabel own tmp files
    - Allow zarafa domains to send system log messages
    - Allow ssh to do tunneling
    - Allow initrc scripts to sendto init_t unix_stream_socket
    - Changes to make sure dnsmasq and virt directories are labeled corr
    - Changes needed to allow sysadm_t to manage systemd unit files
    - init is passing file descriptors to dbus and on to system daemons
    - Allow sulogin additional access Reported by dgrift and Jeremy Mill
    - Steve Grubb believes that wireshark does not need this access
    - Fix /var/run/initramfs to stop restorecon from looking at
    - pki needs another port
    - Add more labels for cluster scripts
    - Allow apps that manage cgroup_files to manage cgroup link files
    - Fix label on nfs-utils scripts directories
    - Allow gatherd to read /dev/rand and /dev/urand

 policy-F16.patch    |  468 ++++++++++++++++++++++++++++++++++----------------
 selinux-policy.spec |   22 +++-
 2 files changed, 339 insertions(+), 151 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 9da3d36..213601a 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -10871,7 +10871,7 @@ index be9246b..e3de8fa 100644
  tunable_policy(`wine_mmap_zero_ignore',`
  	dontaudit wine_t self:memprotect mmap_zero;
 diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
-index 8bfe97d..9e4ad2c 100644
+index 8bfe97d..95a3d06 100644
 --- a/policy/modules/apps/wireshark.te
 +++ b/policy/modules/apps/wireshark.te
 @@ -15,6 +15,7 @@ ubac_constrained(wireshark_t)
@@ -10882,6 +10882,15 @@ index 8bfe97d..9e4ad2c 100644
  userdom_user_home_content(wireshark_home_t)
  
  type wireshark_tmp_t;
+@@ -34,7 +35,7 @@ ubac_constrained(wireshark_tmpfs_t)
+ # Local Policy
+ #
+ 
+-allow wireshark_t self:capability { net_admin net_raw setgid };
++allow wireshark_t self:capability { net_admin net_raw };
+ allow wireshark_t self:process { signal getsched };
+ allow wireshark_t self:fifo_file { getattr read write };
+ allow wireshark_t self:shm destroy;
 @@ -85,6 +86,8 @@ fs_search_auto_mountpoints(wireshark_t)
  
  libs_read_lib_files(wireshark_t)
@@ -10968,7 +10977,7 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..f8f940f 100644
+index 3fae11a..d653b7f 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
@@ -11119,7 +11128,18 @@ index 3fae11a..f8f940f 100644
  /usr/local/linuxprinter/filters(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -286,6 +290,7 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +271,10 @@ ifdef(`distro_gentoo',`
+ /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/SAPDatabase	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/SAPInstance	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/fence_scsi_check\.pl	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/checkquorum	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
+@@ -286,6 +294,7 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -11127,7 +11147,7 @@ index 3fae11a..f8f940f 100644
  /usr/share/shorewall-perl(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
-@@ -293,8 +298,10 @@ ifdef(`distro_gentoo',`
+@@ -293,8 +302,10 @@ ifdef(`distro_gentoo',`
  /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
  /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
@@ -11139,18 +11159,21 @@ index 3fae11a..f8f940f 100644
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -307,9 +314,8 @@ ifdef(`distro_redhat', `
+@@ -306,10 +317,11 @@ ifdef(`distro_redhat', `
+ /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
++/usr/lib/.*/scripts(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib64/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nfs-utils/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/oracle/xe/apps(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +325,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +331,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
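Review bot: The added pattern `/usr/lib/.*/scripts(/.*)?` already matches everything the other added line `/usr/lib/nfs-utils/scripts(/.*)?` covers, so the nfs-utils entry is redundant and the generic one labels any `scripts` directory anywhere under `/usr/lib/*` as executable bin_t. The commit message only names the nfs-utils scripts directories, so if that was the target the generic pattern should be dropped. If the broad labeling is deliberate, a comment above it naming the packages it is meant for (e.g. `# <package list — fill in> ship helper scripts under /usr/lib/<pkg>/scripts`) would keep the next reader from treating it as an accident.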
@@ -11162,7 +11185,7 @@ index 3fae11a..f8f940f 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,7 +371,7 @@ ifdef(`distro_redhat', `
+@@ -363,7 +377,7 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -11171,7 +11194,7 @@ index 3fae11a..f8f940f 100644
  /usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
  ')
  
-@@ -375,8 +383,9 @@ ifdef(`distro_suse', `
+@@ -375,8 +389,9 @@ ifdef(`distro_suse', `
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -11182,7 +11205,7 @@ index 3fae11a..f8f940f 100644
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +394,4 @@ ifdef(`distro_suse', `
+@@ -385,3 +400,4 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -12323,7 +12346,7 @@ index 4f3b542..5a41e58 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..85d03ed 100644
+index 99b71cb..39dfc9f 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,14 @@ attribute netif_type;
@@ -12444,8 +12467,9 @@ index 99b71cb..85d03ed 100644
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
 -network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
+-network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
 +network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,  tcp,18001,s0) #8443 is mod_nss default port #18001 is used for jboss
- network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
++network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
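Review bot: The new `tcp,8123,s0` entry added to `http_cache` carries no note of which service claims it, while the same line explains `# 8118 is for privoxy` and the `http` line explains 18001 for jboss. Extend the trailing comment, e.g. `# 8118 is for privoxy, 8123 is for <service — fill in>`, so the port-to-service mapping stays traceable when someone later asks why binding 8123 is permitted under the http_cache label.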
@@ -12497,10 +12521,10 @@ index 99b71cb..85d03ed 100644
  network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
  network_port(pingd, tcp,9125,s0)
 +network_port(piranha, tcp,3636,s0)
-+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9446, s0)
-+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0)
-+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)
-+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0)
++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)
++network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0)
++network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0)
++network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0)
 +network_port(pki_ra, tcp,12888-12889,s0)
 +network_port(pki_tps, tcp,7888-7889,s0)
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
@@ -16175,7 +16199,7 @@ index 22821ff..20251b0 100644
  ########################################
  #
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..63e494f 100644
+index 97fcdac..5923a0a 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -16309,15 +16333,16 @@ index 97fcdac..63e494f 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -803,6 +870,7 @@ interface(`fs_manage_cgroup_files',`
+@@ -803,6 +870,8 @@ interface(`fs_manage_cgroup_files',`
  	')
  
  	manage_files_pattern($1, cgroup_t, cgroup_t)
++	manage_lnk_files_pattern($1, cgroup_t, cgroup_t)
 +	fs_search_tmpfs($1)
  	dev_search_sysfs($1)
  ')
  
-@@ -1107,6 +1175,24 @@ interface(`fs_read_noxattr_fs_files',`
+@@ -1107,6 +1176,24 @@ interface(`fs_read_noxattr_fs_files',`
  
  ########################################
  ## <summary>
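Review bot: The added `manage_lnk_files_pattern($1, cgroup_t, cgroup_t)` extends `fs_manage_cgroup_files` to symlink create/delete, but the interface's own `<summary>` (above the hunk, outside it; presumably still describing file management only) is not updated, so callers reading the interface documentation will not see the extra grant. Either update the summary to say "files and symbolic links", or follow the usual refpolicy split and add a separate `fs_manage_cgroup_lnk_files` interface that the domains from the commit message call explicitly. At minimum a one-line comment above the new rule stating why link management belongs to the same interface would record the decision.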
@@ -16342,7 +16367,7 @@ index 97fcdac..63e494f 100644
  ##	Do not audit attempts to read all
  ##	noxattrfs files.
  ## </summary>
-@@ -1265,6 +1351,42 @@ interface(`fs_dontaudit_append_cifs_files',`
+@@ -1265,6 +1352,42 @@ interface(`fs_dontaudit_append_cifs_files',`
  
  ########################################
  ## <summary>
@@ -16385,7 +16410,7 @@ index 97fcdac..63e494f 100644
  ##	Do not audit attempts to read or
  ##	write files on a CIFS or SMB filesystem.
  ## </summary>
-@@ -1279,7 +1401,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1279,7 +1402,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
  		type cifs_t;
  	')
  
@@ -16394,7 +16419,7 @@ index 97fcdac..63e494f 100644
  ')
  
  ########################################
-@@ -1542,6 +1664,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1542,6 +1665,25 @@ interface(`fs_cifs_domtrans',`
  	domain_auto_transition_pattern($1, cifs_t, $2)
  ')
  
@@ -16420,7 +16445,7 @@ index 97fcdac..63e494f 100644
  #######################################
  ## <summary>
  ##	Create, read, write, and delete dirs
-@@ -2148,6 +2289,7 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,6 +2290,7 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -16428,7 +16453,7 @@ index 97fcdac..63e494f 100644
  ')
  
  ########################################
-@@ -2480,6 +2622,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2623,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -16436,7 +16461,7 @@ index 97fcdac..63e494f 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2518,6 +2661,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2662,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -16444,7 +16469,7 @@ index 97fcdac..63e494f 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2544,6 +2688,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2689,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -16470,7 +16495,7 @@ index 97fcdac..63e494f 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2584,6 +2747,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +2748,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -16513,7 +16538,7 @@ index 97fcdac..63e494f 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2598,7 +2797,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +2798,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -16522,7 +16547,7 @@ index 97fcdac..63e494f 100644
  ')
  
  ########################################
-@@ -2736,7 +2935,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +2936,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -16531,7 +16556,7 @@ index 97fcdac..63e494f 100644
  ##	</summary>
  ## </param>
  #
-@@ -2772,7 +2971,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +2972,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -16540,7 +16565,7 @@ index 97fcdac..63e494f 100644
  ##	</summary>
  ## </param>
  #
-@@ -2965,6 +3164,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3165,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -16548,7 +16573,7 @@ index 97fcdac..63e494f 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3005,6 +3205,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3206,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -16556,7 +16581,7 @@ index 97fcdac..63e494f 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3045,6 +3246,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3247,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -16564,7 +16589,7 @@ index 97fcdac..63e494f 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3958,6 +4160,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4161,42 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
@@ -16607,7 +16632,7 @@ index 97fcdac..63e494f 100644
  ##	Create, read, write, and delete
  ##	tmpfs directories
  ## </summary>
-@@ -4175,6 +4413,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4414,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -16632,7 +16657,7 @@ index 97fcdac..63e494f 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4457,6 +4713,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4714,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -16641,7 +16666,7 @@ index 97fcdac..63e494f 100644
  ')
  
  ########################################
-@@ -4503,7 +4761,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4762,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -16650,7 +16675,7 @@ index 97fcdac..63e494f 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4866,3 +5124,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5125,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -18811,7 +18836,7 @@ index 2be17d2..afb3532 100644
 +	userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..7ef880f 100644
+index e14b961..ba7c72e 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -24,20 +24,55 @@ ifndef(`enable_mls',`
@@ -19080,16 +19105,19 @@ index e14b961..7ef880f 100644
  ')
  
  optional_policy(`
-@@ -332,7 +404,7 @@ optional_policy(`
+@@ -332,7 +404,10 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	thunderbird_role(sysadm_r, sysadm_t)
 +	systemd_passwd_agent_run(sysadm_t, sysadm_r)
++	systemd_config_all_services(sysadm_t)
++	systemd_manage_all_unit_files(sysadm_t)
++	systemd_manage_all_unit_lnk_files(sysadm_t)
  ')
  
  optional_policy(`
-@@ -343,19 +415,15 @@ optional_policy(`
+@@ -343,19 +418,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19111,7 +19139,7 @@ index e14b961..7ef880f 100644
  ')
  
  optional_policy(`
-@@ -367,45 +435,45 @@ optional_policy(`
+@@ -367,45 +438,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19168,7 +19196,7 @@ index e14b961..7ef880f 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -439,6 +507,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +510,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -19176,7 +19204,7 @@ index e14b961..7ef880f 100644
  	')
  
  	optional_policy(`
-@@ -446,11 +515,62 @@ ifndef(`distro_redhat',`
+@@ -446,11 +518,62 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -27797,7 +27825,7 @@ index 5220c9d..a2e6830 100644
  ## <summary>
  ##	Allow the specified domain to read corosync's log files.
 diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
-index 04969e5..f0f7e1a 100644
+index 04969e5..0e76440 100644
 --- a/policy/modules/services/corosync.te
 +++ b/policy/modules/services/corosync.te
 @@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t)
@@ -27811,7 +27839,7 @@ index 04969e5..f0f7e1a 100644
  
  allow corosync_t self:fifo_file rw_fifo_file_perms;
  allow corosync_t self:sem create_sem_perms;
-@@ -41,6 +41,8 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
+@@ -41,9 +41,12 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
  allow corosync_t self:unix_dgram_socket create_socket_perms;
  allow corosync_t self:udp_socket create_socket_perms;
  
@@ -27820,7 +27848,11 @@ index 04969e5..f0f7e1a 100644
  manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
  manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
  files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
-@@ -63,8 +65,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
++allow corosync_t corosync_tmp_t:file { relabelfrom relabelto };
+ 
+ manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+ manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
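Review bot: The new raw rule `allow corosync_t corosync_tmp_t:file { relabelfrom relabelto };` bypasses the pattern macros the surrounding lines use (`manage_dirs_pattern`, `manage_files_pattern`); refpolicy provides `relabel_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)` for exactly this case, which also grants the directory search the relabel needs. Writing it as the pattern call keeps the tmp block uniform and avoids a second rule later when the dir search denial appears.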
+@@ -63,8 +66,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
  files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
  
  kernel_read_system_state(corosync_t)
@@ -27832,7 +27864,7 @@ index 04969e5..f0f7e1a 100644
  
  corenet_udp_bind_netsupport_port(corosync_t)
  
-@@ -73,6 +78,7 @@ dev_read_urand(corosync_t)
+@@ -73,6 +79,7 @@ dev_read_urand(corosync_t)
  domain_read_all_domains_state(corosync_t)
  
  files_manage_mounttab(corosync_t)
@@ -27840,7 +27872,7 @@ index 04969e5..f0f7e1a 100644
  
  auth_use_nsswitch(corosync_t)
  
-@@ -83,19 +89,42 @@ logging_send_syslog_msg(corosync_t)
+@@ -83,19 +90,44 @@ logging_send_syslog_msg(corosync_t)
  
  miscfiles_read_localization(corosync_t)
  
@@ -27878,12 +27910,14 @@ index 04969e5..f0f7e1a 100644
  
 -	rhcs_rw_gfs_controld_semaphores(corosync_t)
 +optional_policy(`
++	rhcs_getattr_fenced(corosync_t)
 +	# to communication with RHCS
 +	rhcs_rw_cluster_shm(corosync_t)
 +	rhcs_rw_cluster_semaphores(corosync_t)
 +	rhcs_stream_connect_cluster(corosync_t)
 +	rhcs_read_cluster_lib_files(corosync_t)
 +	rhcs_manage_cluster_lib_files(corosync_t)
++	rhcs_relabel_cluster_lib_files(corosync_t)
  ')
  
  optional_policy(`
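Review bot: `rhcs_getattr_fenced(corosync_t)` is inserted above the `# to communication with RHCS` comment, so that comment no longer heads the block and the new call is the only line in this `optional_policy` without an explanation. Put the call below the comment with the other rhcs_* calls, or give it its own note such as `# corosync stats the fenced binary`, whichever reflects why corosync needs getattr on fenced. The new interface's header in rhcs.if (at the end of this page, cut off) still reads "Domain allowed to transition" under a getattr summary, which looks like a copy-paste leftover worth fixing in the same commit.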
@@ -30153,7 +30187,7 @@ index 1a1becd..d4357ec 100644
  ')
 +
 diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..3136cb7 100644
+index 1bff6ee..c6db074 100644
 --- a/policy/modules/services/dbus.te
 +++ b/policy/modules/services/dbus.te
 @@ -10,6 +10,7 @@ gen_require(`
@@ -30235,7 +30269,7 @@ index 1bff6ee..3136cb7 100644
  	policykit_dbus_chat(system_dbusd_t)
  	policykit_domtrans_auth(system_dbusd_t)
  	policykit_search_lib(system_dbusd_t)
-@@ -151,12 +171,155 @@ optional_policy(`
+@@ -151,12 +171,156 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30267,6 +30301,7 @@ index 1bff6ee..3136cb7 100644
 +init_stream_connect(system_bus_type)
 +init_dgram_send(system_bus_type)
 +init_use_fds(system_bus_type)
++init_rw_stream_sockets(system_bus_type)
  
 +ps_process_pattern(system_dbusd_t, system_bus_type)
 +
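Review bot: `init_rw_stream_sockets(system_bus_type)` is granted to the whole `system_bus_type` attribute rather than to `system_dbusd_t`, so every domain that carries the attribute gains read/write on init's unix stream sockets, not only the bus daemon that init hands the descriptor to. The commit message ("init is passing file descriptors to dbus and on to system daemons") suggests this breadth is intended, but the hunk gives no hint of that; a comment above the new line, e.g. `# init passes its stream socket fd through dbus to bus daemons`, would record why the attribute and not the daemon type is the subject. If only dbus itself receives the fd, narrow it to `init_rw_stream_sockets(system_dbusd_t)`.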
@@ -31738,10 +31773,10 @@ index 0000000..6fd8e9f
 +')
 diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
 new file mode 100644
-index 0000000..cc83e0b
+index 0000000..43c82e7
 --- /dev/null
 +++ b/policy/modules/services/dirsrv.te
-@@ -0,0 +1,184 @@
+@@ -0,0 +1,185 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@@ -31850,6 +31885,7 @@ index 0000000..cc83e0b
 +corenet_sendrecv_ldap_server_packets(dirsrv_t)
 +corenet_sendrecv_all_client_packets(dirsrv_t)
 +
++dev_read_sysfs(dirsrv_t)
 +dev_read_urand(dirsrv_t)
 +
 +files_read_etc_files(dirsrv_t)
@@ -31974,7 +32010,7 @@ index b886676..ad3210e 100644
  /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
  /var/run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
-index 9bd812b..c4abec3 100644
+index 9bd812b..2385a2c 100644
 --- a/policy/modules/services/dnsmasq.if
 +++ b/policy/modules/services/dnsmasq.if
 @@ -101,9 +101,9 @@ interface(`dnsmasq_kill',`
@@ -32015,7 +32051,7 @@ index 9bd812b..c4abec3 100644
  	delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
  ')
  
-@@ -163,17 +163,79 @@ interface(`dnsmasq_delete_pid_files',`
+@@ -163,17 +163,80 @@ interface(`dnsmasq_delete_pid_files',`
  ##	</summary>
  ## </param>
  #
@@ -32089,6 +32125,7 @@ index 9bd812b..c4abec3 100644
 +
 +	files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
 +	files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
++	virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
 +')
 +
 +########################################
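Review bot: The added `virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")` uses object class `file` for a name that the dnsmasq.fc entry `/var/run/libvirt/network(/.*)?` (visible in the preceding dnsmasq.fc hunk) treats as a directory, and the sibling `files_pid_filetrans` two lines up creates "network" as `dir`; unless libvirt really creates a regular file named network under its pid directory, this appears to need `dir`. The call also makes this dnsmasq interface depend on the virt module unconditionally; if that is acceptable here, a one-line comment saying so would help, otherwise consider guarding the call.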
@@ -33070,16 +33107,18 @@ index 0000000..d409571
 +')
 +
 diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc
-index 298f066..c2570df 100644
+index 298f066..b54de69 100644
 --- a/policy/modules/services/exim.fc
 +++ b/policy/modules/services/exim.fc
-@@ -1,3 +1,6 @@
+@@ -1,4 +1,8 @@
 +
 +/etc/rc\.d/init\.d/exim        --  gen_context(system_u:object_r:exim_initrc_exec_t,s0)
 +
  /usr/sbin/exim[0-9]?		--	gen_context(system_u:object_r:exim_exec_t,s0)
++/usr/sbin/exim_tidydb		--	gen_context(system_u:object_r:exim_exec_t,s0)
  /var/log/exim[0-9]?(/.*)?		gen_context(system_u:object_r:exim_log_t,s0)
  /var/run/exim[0-9]?\.pid	--	gen_context(system_u:object_r:exim_var_run_t,s0)
+ /var/spool/exim[0-9]?(/.*)?		gen_context(system_u:object_r:exim_spool_t,s0)
 diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
 index 6bef7f8..464669c 100644
 --- a/policy/modules/services/exim.if
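Review bot: Labeling `/usr/sbin/exim_tidydb` as `exim_exec_t` means the hints-database maintenance tool transitions into the full `exim_t` daemon domain when run from a domain with an exim domtrans rule, inheriting every permission the MTA has rather than the subset a maintenance utility needs. If that is the intent (it is the quickest way to give it the spool access), a comment beside the entry such as `# exim_tidydb shares exim_t so it can maintain the hints databases in the spool` would record the decision; otherwise a dedicated exec type with its own domain is the cleaner fix.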
@@ -35592,21 +35631,22 @@ index a627b34..c4cfc6d 100644
  optional_policy(`
  	seutil_sigchld_newrole(gpm_t)
 diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
-index 03742d8..d9232fe 100644
+index 03742d8..b28c4f9 100644
 --- a/policy/modules/services/gpsd.te
 +++ b/policy/modules/services/gpsd.te
-@@ -24,8 +24,8 @@ files_pid_file(gpsd_var_run_t)
+@@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t)
  # gpsd local policy
  #
  
 -allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };
 -allow gpsd_t self:process setsched;
 +allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
++dontaudit gpsd_t self:capability { dac_read_search dac_override sys_ptrace };
 +allow gpsd_t self:process { setsched signal_perms };
  allow gpsd_t self:shm create_shm_perms;
  allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow gpsd_t self:tcp_socket create_stream_socket_perms;
-@@ -38,14 +38,21 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+@@ -38,14 +39,21 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
  manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
  files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
  
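Review bot: The added `dontaudit gpsd_t self:capability { dac_read_search dac_override sys_ptrace };` silences three capability denials without saying what gpsd does to trigger them; `sys_ptrace` typically surfaces from reading other processes' /proc entries, and hiding it permanently means a later genuine denial will never show up in the audit log. Add a why-comment above the line, e.g. `# gpsd probes <what — fill in>; the denials are harmless so silence them`, and confirm each of the three capabilities was actually observed rather than added pre-emptively.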
@@ -35629,7 +35669,7 @@ index 03742d8..d9232fe 100644
  term_use_unallocated_ttys(gpsd_t)
  term_setattr_unallocated_ttys(gpsd_t)
  
-@@ -56,6 +63,12 @@ logging_send_syslog_msg(gpsd_t)
+@@ -56,6 +64,12 @@ logging_send_syslog_msg(gpsd_t)
  miscfiles_read_localization(gpsd_t)
  
  optional_policy(`
@@ -36907,7 +36947,7 @@ index 3525d24..e065744 100644
  /var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/HTTP_23		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..be8a805 100644
+index 604f67b..588823c 100644
 --- a/policy/modules/services/kerberos.if
 +++ b/policy/modules/services/kerberos.if
 @@ -26,9 +26,9 @@
@@ -36944,16 +36984,17 @@ index 604f67b..be8a805 100644
  	')
  
  	files_search_etc($1)
-@@ -103,7 +102,7 @@ interface(`kerberos_use',`
+@@ -103,7 +102,8 @@ interface(`kerberos_use',`
  		corenet_sendrecv_kerberos_client_packets($1)
  		corenet_sendrecv_ocsp_client_packets($1)
  
 -		allow $1 krb5_host_rcache_t:file getattr;
++		allow $1 krb5_host_rcache_t:dir search_dir_perms;
 +		allow $1 krb5_host_rcache_t:file getattr_file_perms;
  	')
  
  	optional_policy(`
-@@ -218,6 +217,25 @@ interface(`kerberos_rw_keytab',`
+@@ -218,6 +218,25 @@ interface(`kerberos_rw_keytab',`
  
  ########################################
  ## <summary>
@@ -36979,7 +37020,7 @@ index 604f67b..be8a805 100644
  ##	Create a derived type for kerberos keytab
  ## </summary>
  ## <param name="prefix">
-@@ -235,7 +253,7 @@ template(`kerberos_keytab_template',`
+@@ -235,7 +254,7 @@ template(`kerberos_keytab_template',`
  	type $1_keytab_t;
  	files_type($1_keytab_t)
  
@@ -36988,15 +37029,16 @@ index 604f67b..be8a805 100644
  
  	kerberos_read_keytab($2)
  	kerberos_use($2)
-@@ -289,6 +307,7 @@ interface(`kerberos_manage_host_rcache',`
+@@ -289,6 +308,8 @@ interface(`kerberos_manage_host_rcache',`
  
  		seutil_read_file_contexts($1)
  
 +		files_rw_generic_tmp_dir($1)
++		allow $1 krb5_host_rcache_t:dir search_dir_perms;
  		allow $1 krb5_host_rcache_t:file manage_file_perms;
  		files_search_tmp($1)
  	')
-@@ -296,28 +315,6 @@ interface(`kerberos_manage_host_rcache',`
+@@ -296,28 +317,6 @@ interface(`kerberos_manage_host_rcache',`
  
  ########################################
  ## <summary>
@@ -37025,7 +37067,7 @@ index 604f67b..be8a805 100644
  ##	All of the rules required to administrate 
  ##	an kerberos environment
  ## </summary>
-@@ -338,9 +335,8 @@ interface(`kerberos_admin',`
+@@ -338,9 +337,8 @@ interface(`kerberos_admin',`
  		type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
  		type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
  		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
@@ -37036,7 +37078,7 @@ index 604f67b..be8a805 100644
  	')
  
  	allow $1 kadmind_t:process { ptrace signal_perms };
-@@ -378,3 +374,108 @@ interface(`kerberos_admin',`
+@@ -378,3 +376,108 @@ interface(`kerberos_admin',`
  
  	admin_pattern($1, krb5kdc_var_run_t)
  ')
@@ -40358,7 +40400,7 @@ index 343cee3..f8c4fb6 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..8d3091f 100644
+index 64268e4..142fbfb 100644
 --- a/policy/modules/services/mta.te
 +++ b/policy/modules/services/mta.te
 @@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@@ -40404,9 +40446,11 @@ index 64268e4..8d3091f 100644
  dev_read_sysfs(system_mail_t)
  dev_read_rand(system_mail_t)
  dev_read_urand(system_mail_t)
-@@ -80,8 +71,14 @@ term_dontaudit_use_unallocated_ttys(system_mail_t)
+@@ -79,9 +70,16 @@ selinux_getattr_fs(system_mail_t)
+ term_dontaudit_use_unallocated_ttys(system_mail_t)
  
  init_use_script_ptys(system_mail_t)
++init_dontaudit_rw_stream_socket(system_mail_t)
  
 -userdom_use_user_terminals(system_mail_t)
 +userdom_use_inherited_user_terminals(system_mail_t)
@@ -40420,7 +40464,7 @@ index 64268e4..8d3091f 100644
  
  optional_policy(`
  	apache_read_squirrelmail_data(system_mail_t)
-@@ -92,14 +89,21 @@ optional_policy(`
+@@ -92,14 +90,21 @@ optional_policy(`
  	apache_dontaudit_rw_stream_sockets(system_mail_t)
  	apache_dontaudit_rw_tcp_sockets(system_mail_t)
  	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -40445,7 +40489,7 @@ index 64268e4..8d3091f 100644
  ')
  
  optional_policy(`
-@@ -111,6 +115,8 @@ optional_policy(`
+@@ -111,6 +116,8 @@ optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
  	cron_dontaudit_write_pipes(system_mail_t)
  	cron_rw_system_job_stream_sockets(system_mail_t)
@@ -40454,7 +40498,7 @@ index 64268e4..8d3091f 100644
  ')
  
  optional_policy(`
-@@ -124,12 +130,9 @@ optional_policy(`
+@@ -124,12 +131,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40469,7 +40513,7 @@ index 64268e4..8d3091f 100644
  ')
  
  optional_policy(`
-@@ -146,6 +149,10 @@ optional_policy(`
+@@ -146,6 +150,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40480,7 +40524,7 @@ index 64268e4..8d3091f 100644
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -158,22 +165,13 @@ optional_policy(`
+@@ -158,22 +166,13 @@ optional_policy(`
  	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
  
  	domain_use_interactive_fds(system_mail_t)
@@ -40506,7 +40550,7 @@ index 64268e4..8d3091f 100644
  ')
  
  optional_policy(`
-@@ -189,6 +187,10 @@ optional_policy(`
+@@ -189,9 +188,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40517,7 +40561,14 @@ index 64268e4..8d3091f 100644
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -199,15 +201,16 @@ optional_policy(`
++optional_policy(`
++	abrt_rw_fifo_file(mta_user_agent)
++')
++
+ # should break this up among sections:
+ 
+ optional_policy(`
+@@ -199,15 +206,16 @@ optional_policy(`
  	arpwatch_search_data(mailserver_delivery)
  	arpwatch_manage_tmp_files(mta_user_agent)
  
@@ -40538,7 +40589,7 @@ index 64268e4..8d3091f 100644
  ########################################
  #
  # Mailserver delivery local policy
-@@ -220,7 +223,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,7 +228,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -40548,7 +40599,7 @@ index 64268e4..8d3091f 100644
  
  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
  
-@@ -242,6 +246,10 @@ optional_policy(`
+@@ -242,6 +251,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40559,7 +40610,7 @@ index 64268e4..8d3091f 100644
  	# so MTA can access /var/lib/mailman/mail/wrapper
  	files_search_var_lib(mailserver_delivery)
  
-@@ -249,16 +257,25 @@ optional_policy(`
+@@ -249,16 +262,25 @@ optional_policy(`
  	mailman_read_data_symlinks(mailserver_delivery)
  ')
  
@@ -40587,7 +40638,7 @@ index 64268e4..8d3091f 100644
  # Create dead.letter in user home directories.
  userdom_manage_user_home_content_files(user_mail_t)
  userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -292,3 +309,44 @@ optional_policy(`
+@@ -292,3 +314,44 @@ optional_policy(`
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -48241,7 +48292,7 @@ index c2ba53b..853eeb5 100644
  /var/log/cluster/fenced\.log.*		--	gen_context(system_u:object_r:fenced_var_log_t,s0)
  /var/log/cluster/gfs_controld\.log.*	--	gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
 diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
-index de37806..175c89b 100644
+index de37806..a21e737 100644
 --- a/policy/modules/services/rhcs.if
 +++ b/policy/modules/services/rhcs.if
 @@ -13,7 +13,7 @@
@@ -48289,7 +48340,32 @@ index de37806..175c89b 100644
  ## </param>
  #
  interface(`rhcs_domtrans_dlm_controld',`
-@@ -169,9 +168,8 @@ interface(`rhcs_stream_connect_fenced',`
+@@ -133,6 +132,24 @@ interface(`rhcs_domtrans_fenced',`
+ 	domtrans_pattern($1, fenced_exec_t, fenced_t)
+ ')
+ 
++#####################################
++## <summary>
++##  Allow a domain to getattr on fenced executable.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`rhcs_getattr_fenced',`
++    gen_require(`
++        type fenced_t, fenced_exec_t;
++    ')
++
++	allow $1 fenced_exec_t:file getattr;
++')
++
+ ######################################
+ ## <summary>
+ ##	Allow read and write access to fenced semaphores.
+@@ -169,9 +186,8 @@ interface(`rhcs_stream_connect_fenced',`
  		type fenced_var_run_t, fenced_t;
  	')
  
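Review bot: rhcs_getattr_fenced requires `fenced_t` in its gen_require although the body only references fenced_exec_t, so the require block should read `type fenced_exec_t;`. The parameter summary `Domain allowed to transition.` is carried over from a domtrans interface and should be `Domain allowed access.`, since the interface only grants file getattr. The new block is also indented with spaces while the surrounding rhcs.if uses tabs; the same mixed indentation appears in rhcs_relabel_cluster_lib_files in the hunk at L901–924, where the relabelto line uses spaces and the relabelfrom line a tab.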
@@ -48300,7 +48376,7 @@ index de37806..175c89b 100644
  ')
  
  #####################################
-@@ -335,6 +333,65 @@ interface(`rhcs_rw_groupd_shm',`
+@@ -335,6 +351,65 @@ interface(`rhcs_rw_groupd_shm',`
  	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
  ')
  
@@ -48366,7 +48442,7 @@ index de37806..175c89b 100644
  ######################################
  ## <summary>
  ##	Execute a domain transition to run qdiskd.
-@@ -353,3 +410,60 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -353,3 +428,80 @@ interface(`rhcs_domtrans_qdiskd',`
  	corecmd_search_bin($1)
  	domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
  ')
@@ -48427,8 +48503,28 @@ index de37806..175c89b 100644
 +    files_search_var_lib($1)
 +    manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
++
++####################################
++## <summary>
++##  Allow domain to relabel cluster lib files
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`rhcs_relabel_cluster_lib_files',`
++    gen_require(`
++        type cluster_var_lib_t;
++    ')
++
++    files_search_var_lib($1)
++    relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++	relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++')
 diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
-index 93c896a..ac994a8 100644
+index 93c896a..8c29c39 100644
 --- a/policy/modules/services/rhcs.te
 +++ b/policy/modules/services/rhcs.te
 @@ -6,13 +6,22 @@ policy_module(rhcs, 1.1.0)
@@ -48477,7 +48573,15 @@ index 93c896a..ac994a8 100644
  #####################################
  #
  # dlm_controld local policy
-@@ -55,20 +70,17 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -46,6 +61,7 @@ stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fence
+ stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+ 
+ kernel_read_system_state(dlm_controld_t)
++kernel_rw_net_sysctls(dlm_controld_t)
+ 
+ dev_rw_dlm_control(dlm_controld_t)
+ dev_rw_sysfs(dlm_controld_t)
+@@ -55,20 +71,17 @@ fs_manage_configfs_dirs(dlm_controld_t)
  
  init_rw_script_tmp_files(dlm_controld_t)
  
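Review bot: `kernel_rw_net_sysctls(dlm_controld_t)` grants write access to every net sysctl, which is broader than a lock manager daemon is likely to need; if dlm_controld only reads these values, `kernel_read_net_sysctls(dlm_controld_t)` would be the least-privilege choice. The hunk does not show which sysctl access was denied, so the need for write access is worth confirming against the original denial before the broader interface is kept.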
@@ -48500,7 +48604,7 @@ index 93c896a..ac994a8 100644
  
  can_exec(fenced_t, fenced_exec_t)
  
-@@ -82,8 +94,13 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -82,8 +95,13 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
  
  stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -48514,7 +48618,7 @@ index 93c896a..ac994a8 100644
  corenet_tcp_connect_http_port(fenced_t)
  
  dev_read_sysfs(fenced_t)
-@@ -105,8 +122,24 @@ tunable_policy(`fenced_can_network_connect',`
+@@ -105,8 +123,24 @@ tunable_policy(`fenced_can_network_connect',`
  ')
  
  optional_policy(`
@@ -48540,7 +48644,7 @@ index 93c896a..ac994a8 100644
  ')
  
  optional_policy(`
-@@ -114,13 +147,37 @@ optional_policy(`
+@@ -114,13 +148,37 @@ optional_policy(`
  	lvm_read_config(fenced_t)
  ')
  
@@ -48579,7 +48683,7 @@ index 93c896a..ac994a8 100644
  allow gfs_controld_t self:shm create_shm_perms;
  allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
  
-@@ -139,10 +196,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -139,10 +197,6 @@ storage_getattr_removable_dev(gfs_controld_t)
  init_rw_script_tmp_files(gfs_controld_t)
  
  optional_policy(`
@@ -48590,7 +48694,7 @@ index 93c896a..ac994a8 100644
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
  ')
-@@ -154,9 +207,10 @@ optional_policy(`
+@@ -154,9 +208,10 @@ optional_policy(`
  
  allow groupd_t self:capability { sys_nice sys_resource };
  allow groupd_t self:process setsched;
@@ -48602,7 +48706,7 @@ index 93c896a..ac994a8 100644
  dev_list_sysfs(groupd_t)
  
  files_read_etc_files(groupd_t)
-@@ -168,8 +222,7 @@ init_rw_script_tmp_files(groupd_t)
+@@ -168,8 +223,7 @@ init_rw_script_tmp_files(groupd_t)
  # qdiskd local policy
  #
  
@@ -48612,7 +48716,7 @@ index 93c896a..ac994a8 100644
  allow qdiskd_t self:tcp_socket create_stream_socket_perms;
  allow qdiskd_t self:udp_socket create_socket_perms;
  
-@@ -199,6 +252,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
+@@ -199,6 +253,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
  files_dontaudit_getattr_all_pipes(qdiskd_t)
  files_read_etc_files(qdiskd_t)
  
@@ -48621,7 +48725,7 @@ index 93c896a..ac994a8 100644
  storage_raw_read_removable_device(qdiskd_t)
  storage_raw_write_removable_device(qdiskd_t)
  storage_raw_read_fixed_disk(qdiskd_t)
-@@ -207,10 +262,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -207,10 +263,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
  auth_use_nsswitch(qdiskd_t)
  
  optional_policy(`
@@ -48632,7 +48736,7 @@ index 93c896a..ac994a8 100644
  	netutils_domtrans_ping(qdiskd_t)
  ')
  
-@@ -223,18 +274,28 @@ optional_policy(`
+@@ -223,18 +275,28 @@ optional_policy(`
  # rhcs domains common policy
  #
  
@@ -51390,10 +51494,10 @@ index 0000000..8aef188
 +
 diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te
 new file mode 100644
-index 0000000..785c2f3
+index 0000000..ea10ecc
 --- /dev/null
 +++ b/policy/modules/services/sblim.te
-@@ -0,0 +1,102 @@
+@@ -0,0 +1,105 @@
 +policy_module(sblim, 1.0.0)
 +
 +########################################
@@ -51433,6 +51537,9 @@ index 0000000..785c2f3
 +
 +corenet_tcp_connect_repository_port(sblim_gatherd_t)
 +
++dev_read_rand(sblim_gatherd_t)
++dev_read_urand(sblim_gatherd_t)
++
 +domain_read_all_domains_state(sblim_gatherd_t)
 +
 +fs_getattr_all_fs(sblim_gatherd_t)
@@ -52983,7 +53090,7 @@ index 078bcd7..2d60774 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..76e8829 100644
+index 22adaca..ba5d941 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,10 @@
@@ -53054,7 +53161,7 @@ index 22adaca..76e8829 100644
  	type $1_t, ssh_server;
  	auth_login_pgm_domain($1_t)
  
-@@ -181,16 +179,17 @@ template(`ssh_server_template', `
+@@ -181,16 +179,18 @@ template(`ssh_server_template', `
  	type $1_var_run_t;
  	files_pid_file($1_var_run_t)
  
@@ -53066,6 +53173,7 @@ index 22adaca..76e8829 100644
 +	allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
  	allow $1_t self:tcp_socket create_stream_socket_perms;
  	allow $1_t self:udp_socket create_socket_perms;
++	allow $1_t self:tun_socket create_socket_perms;
  	# ssh agent connections:
  	allow $1_t self:unix_stream_socket create_stream_socket_perms;
  	allow $1_t self:shm create_shm_perms;
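Review bot: `allow $1_t self:tun_socket create_socket_perms;` is added unconditionally to ssh_server_template, so every server domain instantiated from it can create tun sockets regardless of whether tunneling is configured; if the intent is to support sshd with PermitTunnel enabled, wrapping the rule in a tunable would keep it off for the default configuration. The same consideration applies to `corenet_rw_tun_tap_dev(ssh_t)` in the ssh.te hunk at L1249–1270. The template body continues outside this hunk.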
@@ -53075,7 +53183,7 @@ index 22adaca..76e8829 100644
  	term_create_pty($1_t, $1_devpts_t)
  
  	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-@@ -206,6 +205,7 @@ template(`ssh_server_template', `
+@@ -206,6 +206,7 @@ template(`ssh_server_template', `
  
  	kernel_read_kernel_sysctls($1_t)
  	kernel_read_network_state($1_t)
@@ -53083,7 +53191,7 @@ index 22adaca..76e8829 100644
  
  	corenet_all_recvfrom_unlabeled($1_t)
  	corenet_all_recvfrom_netlabel($1_t)
-@@ -220,8 +220,11 @@ template(`ssh_server_template', `
+@@ -220,8 +221,11 @@ template(`ssh_server_template', `
  	corenet_tcp_bind_generic_node($1_t)
  	corenet_udp_bind_generic_node($1_t)
  	corenet_tcp_bind_ssh_port($1_t)
@@ -53096,7 +53204,7 @@ index 22adaca..76e8829 100644
  
  	fs_dontaudit_getattr_all_fs($1_t)
  
-@@ -234,6 +237,7 @@ template(`ssh_server_template', `
+@@ -234,6 +238,7 @@ template(`ssh_server_template', `
  	corecmd_getattr_bin_files($1_t)
  
  	domain_interactive_fd($1_t)
@@ -53104,7 +53212,7 @@ index 22adaca..76e8829 100644
  
  	files_read_etc_files($1_t)
  	files_read_etc_runtime_files($1_t)
-@@ -243,13 +247,17 @@ template(`ssh_server_template', `
+@@ -243,13 +248,17 @@ template(`ssh_server_template', `
  
  	miscfiles_read_localization($1_t)
  
@@ -53124,7 +53232,7 @@ index 22adaca..76e8829 100644
  	tunable_policy(`use_nfs_home_dirs',`
  		fs_read_nfs_files($1_t)
  		fs_read_nfs_symlinks($1_t)
-@@ -268,6 +276,14 @@ template(`ssh_server_template', `
+@@ -268,6 +277,14 @@ template(`ssh_server_template', `
  		files_read_var_lib_symlinks($1_t)
  		nx_spec_domtrans_server($1_t)
  	')
@@ -53139,7 +53247,7 @@ index 22adaca..76e8829 100644
  ')
  
  ########################################
-@@ -290,11 +306,11 @@ template(`ssh_server_template', `
+@@ -290,11 +307,11 @@ template(`ssh_server_template', `
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -53152,7 +53260,7 @@ index 22adaca..76e8829 100644
  		type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
  		type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
  		type ssh_agent_tmp_t;
-@@ -327,7 +343,7 @@ template(`ssh_role_template',`
+@@ -327,7 +344,7 @@ template(`ssh_role_template',`
  
  	# allow ps to show ssh
  	ps_process_pattern($3, ssh_t)
@@ -53161,7 +53269,7 @@ index 22adaca..76e8829 100644
  
  	# for rsync
  	allow ssh_t $3:unix_stream_socket rw_socket_perms;
-@@ -338,6 +354,7 @@ template(`ssh_role_template',`
+@@ -338,6 +355,7 @@ template(`ssh_role_template',`
  	manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
  	manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
  	userdom_search_user_home_dirs($1_t)
@@ -53169,7 +53277,7 @@ index 22adaca..76e8829 100644
  
  	##############################
  	#
-@@ -359,7 +376,7 @@ template(`ssh_role_template',`
+@@ -359,7 +377,7 @@ template(`ssh_role_template',`
  	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
  
  	# Allow the user shell to signal the ssh program.
@@ -53178,7 +53286,7 @@ index 22adaca..76e8829 100644
  
  	# allow ps to show ssh
  	ps_process_pattern($3, $1_ssh_agent_t)
-@@ -381,7 +398,6 @@ template(`ssh_role_template',`
+@@ -381,7 +399,6 @@ template(`ssh_role_template',`
  
  	files_read_etc_files($1_ssh_agent_t)
  	files_read_etc_runtime_files($1_ssh_agent_t)
@@ -53186,7 +53294,7 @@ index 22adaca..76e8829 100644
  
  	libs_read_lib_files($1_ssh_agent_t)
  
-@@ -393,14 +409,13 @@ template(`ssh_role_template',`
+@@ -393,14 +410,13 @@ template(`ssh_role_template',`
  	seutil_dontaudit_read_config($1_ssh_agent_t)
  
  	# Write to the user domain tty.
@@ -53204,7 +53312,7 @@ index 22adaca..76e8829 100644
  
  	tunable_policy(`use_nfs_home_dirs',`
  		fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +492,9 @@ interface(`ssh_read_pipes',`
+@@ -477,8 +493,9 @@ interface(`ssh_read_pipes',`
  		type sshd_t;
  	')
  
@@ -53215,7 +53323,7 @@ index 22adaca..76e8829 100644
  ########################################
  ## <summary>
  ##	Read and write a ssh server unnamed pipe.
-@@ -494,7 +510,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +511,7 @@ interface(`ssh_rw_pipes',`
  		type sshd_t;
  	')
  
@@ -53224,7 +53332,7 @@ index 22adaca..76e8829 100644
  ')
  
  ########################################
-@@ -586,6 +602,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +603,24 @@ interface(`ssh_domtrans',`
  
  ########################################
  ## <summary>
@@ -53249,7 +53357,7 @@ index 22adaca..76e8829 100644
  ##	Execute the ssh client in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -618,7 +652,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +653,7 @@ interface(`ssh_setattr_key_files',`
  		type sshd_key_t;
  	')
  
@@ -53258,7 +53366,7 @@ index 22adaca..76e8829 100644
  	files_search_pids($1)
  ')
  
-@@ -680,6 +714,32 @@ interface(`ssh_domtrans_keygen',`
+@@ -680,6 +715,32 @@ interface(`ssh_domtrans_keygen',`
  	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
  ')
  
@@ -53291,7 +53399,7 @@ index 22adaca..76e8829 100644
  ########################################
  ## <summary>
  ##	Read ssh server keys
-@@ -695,7 +755,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +756,7 @@ interface(`ssh_dontaudit_read_server_keys',`
  		type sshd_key_t;
  	')
  
@@ -53300,7 +53408,7 @@ index 22adaca..76e8829 100644
  ')
  
  ######################################
-@@ -735,3 +795,62 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +796,62 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -53364,7 +53472,7 @@ index 22adaca..76e8829 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..a85027d 100644
+index 2dad3c8..be7b7a3 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -53488,18 +53596,19 @@ index 2dad3c8..a85027d 100644
  
  kernel_read_kernel_sysctls(ssh_t)
  kernel_read_system_state(ssh_t)
-@@ -138,7 +144,10 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
+@@ -138,7 +144,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
 +corenet_tcp_bind_generic_node(ssh_t)
 +corenet_tcp_bind_all_unreserved_ports(ssh_t)
++corenet_rw_tun_tap_dev(ssh_t)
  
 +dev_read_rand(ssh_t)
  dev_read_urand(ssh_t)
  
  fs_getattr_all_fs(ssh_t)
-@@ -162,21 +171,28 @@ logging_read_generic_logs(ssh_t)
+@@ -162,21 +172,28 @@ logging_read_generic_logs(ssh_t)
  auth_use_nsswitch(ssh_t)
  
  miscfiles_read_localization(ssh_t)
@@ -53534,7 +53643,7 @@ index 2dad3c8..a85027d 100644
  ')
  
  tunable_policy(`use_nfs_home_dirs',`
-@@ -196,10 +212,15 @@ tunable_policy(`user_tcp_server',`
+@@ -196,10 +213,15 @@ tunable_policy(`user_tcp_server',`
  ')
  
  optional_policy(`
@@ -53550,7 +53659,7 @@ index 2dad3c8..a85027d 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,19 +230,14 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,19 +231,14 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -53572,7 +53681,7 @@ index 2dad3c8..a85027d 100644
  #################################
  #
  # sshd local policy
-@@ -232,33 +248,43 @@ optional_policy(`
+@@ -232,33 +249,43 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -53625,7 +53734,7 @@ index 2dad3c8..a85027d 100644
  ')
  
  optional_policy(`
-@@ -266,11 +292,24 @@ optional_policy(`
+@@ -266,11 +293,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53651,7 +53760,7 @@ index 2dad3c8..a85027d 100644
  ')
  
  optional_policy(`
-@@ -284,6 +323,15 @@ optional_policy(`
+@@ -284,6 +324,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53667,7 +53776,7 @@ index 2dad3c8..a85027d 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +340,26 @@ optional_policy(`
+@@ -292,26 +341,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -53713,7 +53822,7 @@ index 2dad3c8..a85027d 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,19 +370,25 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +371,25 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -53740,7 +53849,7 @@ index 2dad3c8..a85027d 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,10 +405,7 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,10 +406,7 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -55264,7 +55373,7 @@ index 2124b6a..55b5012 100644
 +/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..d83a9a2 100644
+index 7c5d8d8..72e3065 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
 @@ -13,39 +13,44 @@
@@ -55460,7 +55569,7 @@ index 7c5d8d8..d83a9a2 100644
 +		type virt_var_run_t;
 +	')
 +
-+	filetrans_pattern($1, virt_var_run_t, $2, $3)
++	filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
 +')
 +
 +########################################
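Review bot: `filetrans_pattern($1, virt_var_run_t, $2, $3, $4)` now forwards a fourth argument, but the interface header and its `<param>` documentation, which begin outside this hunk, are not updated to describe the new optional file name; adding a `<param name="name" optional="true">` entry would tell callers the argument exists. Existing three-argument callers should keep working because an unset $4 expands to nothing, though that is worth confirming against the filetrans_pattern definition.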
@@ -55758,7 +55867,7 @@ index 7c5d8d8..d83a9a2 100644
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
  ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..2ffbc3a 100644
+index 3eca020..60a0e6a 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0)
@@ -55998,7 +56107,8 @@ index 3eca020..2ffbc3a 100644
 +allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 +allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms };
  allow virtd_t self:tcp_socket create_stream_socket_perms;
- allow virtd_t self:tun_socket create_socket_perms;
+-allow virtd_t self:tun_socket create_socket_perms;
++allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 +allow virtd_t self:rawip_socket create_socket_perms;
  allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
  
@@ -59341,7 +59451,7 @@ index 21ae664..3e448dd 100644
 +    manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
 +')
 diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
-index 9fb4747..afe5e5f 100644
+index 9fb4747..6e2c42a 100644
 --- a/policy/modules/services/zarafa.te
 +++ b/policy/modules/services/zarafa.te
 @@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
@@ -59385,7 +59495,15 @@ index 9fb4747..afe5e5f 100644
  #######################################
  #
  # zarafa-ical local policy
-@@ -136,6 +156,36 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
+@@ -107,7 +127,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
+ 
+ files_read_usr_files(zarafa_server_t)
+ 
+-logging_send_syslog_msg(zarafa_server_t)
+ logging_send_audit_msgs(zarafa_server_t)
+ 
+ sysnet_dns_name_resolve(zarafa_server_t)
+@@ -136,6 +155,36 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
  corenet_tcp_sendrecv_all_ports(zarafa_spooler_t)
  corenet_tcp_connect_smtp_port(zarafa_spooler_t)
  
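Review bot: Removing `logging_send_syslog_msg(zarafa_server_t)` here is only safe because the rule is re-added on the zarafa_domain attribute in the hunk at L1406–1421; that relies on zarafa_server_t carrying the zarafa_domain attribute, which is declared outside these hunks and should be confirmed, otherwise the server silently loses the ability to log to syslog. A one-line comment next to the attribute-level rule, such as `# covers all zarafa daemons, including zarafa_server_t`, would make the dependency visible to the next maintainer.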
@@ -59422,12 +59540,13 @@ index 9fb4747..afe5e5f 100644
  ########################################
  #
  # zarafa domains local policy
-@@ -156,6 +206,4 @@ kernel_read_system_state(zarafa_domain)
+@@ -156,6 +205,6 @@ kernel_read_system_state(zarafa_domain)
  
  files_read_etc_files(zarafa_domain)
  
 -auth_use_nsswitch(zarafa_domain)
--
++logging_send_syslog_msg(zarafa_domain)
+ 
  miscfiles_read_localization(zarafa_domain)
 diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
 index 6b87605..347f754 100644
@@ -61443,7 +61562,7 @@ index 94fd8dd..3e8f08e 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..b400c03 100644
+index 29a9565..0635313 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -61525,7 +61644,7 @@ index 29a9565..b400c03 100644
  
 -allow init_t initrc_t:unix_stream_socket connectto;
 +allow init_t initrc_t:unix_stream_socket { connectto create_stream_socket_perms };
-+allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms };
++allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto };
 +allow initrc_t init_t:fifo_file rw_fifo_file_perms;
  
 -# For /var/run/shutdown.pid.
@@ -63436,7 +63555,7 @@ index e5836d3..c76046b 100644
 -	unconfined_domain(ldconfig_t)
 -')
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index a0b379d..2a55eab 100644
+index a0b379d..b823395 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
 @@ -32,9 +32,8 @@ role system_r types sulogin_t;
@@ -63499,8 +63618,19 @@ index a0b379d..2a55eab 100644
  	unconfined_shell_domtrans(local_login_t)
  ')
  
-@@ -225,11 +226,14 @@ files_read_etc_files(sulogin_t)
+@@ -215,6 +216,7 @@ allow sulogin_t self:sem create_sem_perms;
+ allow sulogin_t self:msgq create_msgq_perms;
+ allow sulogin_t self:msg { send receive };
+ 
++kernel_read_crypto_sysctls(sulogin_t)
+ kernel_read_system_state(sulogin_t)
+ 
+ fs_search_auto_mountpoints(sulogin_t)
+@@ -223,13 +225,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
+ files_read_etc_files(sulogin_t)
+ # because file systems are not mounted:
  files_dontaudit_search_isid_type_dirs(sulogin_t)
++files_search_pids(sulogin_t)
  
  auth_read_shadow(sulogin_t)
 +auth_use_nsswitch(sulogin_t)
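Review bot: `auth_use_nsswitch(sulogin_t)` gives the single-user rescue shell the full name-service client access, which is considerably broader than the local shadow read already granted on the line above; if the reported denials were only passwd-file lookups, a narrower read-passwd interface would be the least-privilege fix, so it is worth checking what the denial actually was. `files_search_pids(sulogin_t)` is added without a why-comment; a short note naming what sulogin looks up under /var/run would help, since the need is not evident from the surrounding rules.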
@@ -63514,13 +63644,14 @@ index a0b379d..2a55eab 100644
  seutil_read_config(sulogin_t)
  seutil_read_default_contexts(sulogin_t)
  
-@@ -238,14 +242,23 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -238,14 +244,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
  userdom_search_user_home_dirs(sulogin_t)
  userdom_use_user_ptys(sulogin_t)
  
 -sysadm_shell_domtrans(sulogin_t)
 +term_use_console(sulogin_t)
 +term_use_unallocated_ttys(sulogin_t)
++term_use_generic_ptys(sulogin_t)
 +
 +ifdef(`enable_mls',`
 +	sysadm_shell_domtrans(sulogin_t)
@@ -63540,7 +63671,7 @@ index a0b379d..2a55eab 100644
  	init_getpgid(sulogin_t)
  ', `
  	allow sulogin_t self:process setexec;
-@@ -256,11 +269,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +272,3 @@ ifdef(`sulogin_no_pam', `
  	selinux_compute_relabel_context(sulogin_t)
  	selinux_compute_user_contexts(sulogin_t)
  ')
@@ -66963,7 +67094,7 @@ index 34d0ec5..ac52258 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..839455d
+index 0000000..9eaa38e
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
 @@ -0,0 +1,19 @@
@@ -66975,7 +67106,7 @@ index 0000000..839455d
 +
 +/usr/bin/systemd-gnome-ask-password-agent	--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 +
-+/lib/systemd/system(/.*)?                              --              gen_context(system_u:object_r:systemd_unit_file_t,s0)
++/lib/systemd/system(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
 +/lib/systemd/systemd-logind	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
 +/lib/systemd/systemd-logger	--	gen_context(system_u:object_r:systemd_logger_exec_t,s0)
 +/lib/systemd/systemd-tmpfiles				--		gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
@@ -66985,13 +67116,13 @@ index 0000000..839455d
 +/var/run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 +/var/run/systemd/ask-password-block/[^/]*		-p	gen_context(system_u:object_r:systemd_device_t,s0)
 +/dev/\.systemd/ask-password-block/[^/]*		-p	gen_context(system_u:object_r:systemd_device_t,s0)
-+/var/run/initramfs		<<none>>
++/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..fc27830
+index 0000000..fdb31d8
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,377 @@
+@@ -0,0 +1,414 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -67351,6 +67482,43 @@ index 0000000..fc27830
 +
 +########################################
 +## <summary>
++##	manage all systemd unit files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_manage_all_unit_files',`
++	gen_require(`
++		attribute systemd_unit_file_type;
++	')
++
++	manage_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++########################################
++## <summary>
++##	manage all systemd unit lnk_files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_manage_all_unit_lnk_files',`
++	gen_require(`
++		attribute systemd_unit_file_type;
++	')
++
++	manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++
++########################################
++## <summary>
 +##	Allow the specified domain to connect to
 +##	systemd_logger with a unix socket.
 +## </summary>
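Review bot: systemd_manage_all_unit_files and systemd_manage_all_unit_lnk_files grant file and symlink management on systemd_unit_file_type but no directory create or delete beyond what the *_pattern macros imply, so a caller that has to create or remove a `*.wants` directory would still be denied; if that is expected, a matching manage_dirs interface is needed. Both interfaces depend on the `systemd_unit_file_type` attribute being declared in systemd.te, which is outside this hunk and should be confirmed. Stylistically the two summaries start lowercase (`manage all systemd unit files`) while the following header in this file uses `Allow ...`, and there is a double blank line before the next header comment.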
@@ -67371,7 +67539,7 @@ index 0000000..fc27830
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..a91d3dd
+index 0000000..1a24c0a
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
 @@ -0,0 +1,352 @@
@@ -67446,7 +67614,7 @@ index 0000000..a91d3dd
 +
 +manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t })
 +manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
-+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, systemd_logind_sessions_t)
++manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
 +init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
 +init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
 +
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e39ed40..d9ad8a4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,26 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Sep 6 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-24
+- Add exim_exec_t label for /usr/sbin/exim_tidydb
+- Call init_dontaudit_rw_stream_socket() interface in mta policy
+- sssd need to search /var/cache/krb5rcache directory
+- Allow corosync to relabel own tmp files
+- Allow zarafa domains to send system log messages
+- Allow ssh to do tunneling
+- Allow initrc scripts to sendto init_t unix_stream_socket
+- Changes to make sure dmsmasq and virt directories are labeled correctly
+- Changes needed to allow sysadm_t to manage systemd unit files
+- init is passing file descriptors to dbus and on to system daemons
+- Allow sulogin additional access Reported by dgrift and Jeremy Miller
+- Steve Grubb believes that wireshark does not need this access
+- Fix /var/run/initramfs to stop restorecon from looking at 
+- pki needs another port
+- Add more labels for cluster scripts
+- Allow apps that manage cgroup_files to manage cgroup link files
+- Fix label on nfs-utils scripts directories
+- Allow gatherd to read /dev/rand and /dev/urand
+
 * Tue Aug 30 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-23
 - Add glance policy
 - Allow mdadm setsched

