[selinux-policy/f15] +- Add logging_syslogd_can_sendmail boolean +- Add support for exim and confined users +- support fo
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Sep 22 14:52:06 UTC 2011
commit aeef654b2435297e18741ac921c7cf8f08a7ca84
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Sep 22 16:51:46 2011 +0200
+- Add logging_syslogd_can_sendmail boolean
+- Add support for exim and confined users
+- support for ommail module to send logs via mail
+- Add execmem_execmod() to execmem role
+- Allow pptp to send generic signal to kernel threads
+- Fix kerberos_manage_host_rcache() interface
policy-F15.patch | 620 +++++++++++++++++++++++++++++++++++----------------
selinux-policy.spec | 10 +-
2 files changed, 437 insertions(+), 193 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index b4f1dad..70cc165 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -873,7 +873,7 @@ index 3c7b1e8..1e155f5 100644
+
+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
-index 75ce30f..0e77aea 100644
+index 75ce30f..c79d7db 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -19,6 +19,9 @@ files_lock_file(logwatch_lock_t)
@@ -937,6 +937,31 @@ index 75ce30f..0e77aea 100644
files_getattr_all_file_type_fs(logwatch_t)
')
+@@ -145,3 +164,24 @@ optional_policy(`
+ samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
+ ')
++
++########################################
++#
++# Logwatch mail Local policy
++#
++
++allow logwatch_mail_t self:capability { dac_read_search dac_override };
++
++manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
++
++dev_read_rand(logwatch_mail_t)
++dev_read_urand(logwatch_mail_t)
++dev_read_sysfs(logwatch_mail_t)
++
++logging_read_all_logs(logwatch_mail_t)
++
++mta_read_home(logwatch_mail_t)
++
++optional_policy(`
++ cron_use_system_job_fds(logwatch_mail_t)
++')
diff --git a/policy/modules/admin/mcelog.fc b/policy/modules/admin/mcelog.fc
index 56c43c0..0641226 100644
--- a/policy/modules/admin/mcelog.fc
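Review bot: `allow logwatch_mail_t self:capability { dac_read_search dac_override };` grants more than the rest of this block asks for: every other rule added here is read-only (logging_read_all_logs, mta_read_home, dev_read_rand/urand/sysfs), and dac_read_search already bypasses DAC for read and search, while dac_override additionally bypasses DAC write checks. The only write access in the hunk is manage_files_pattern on logwatch_tmp_t, which does not obviously need a DAC bypass. Unless an AVC shows logwatch_mail_t writing to files owned by another user, reduce this to `allow logwatch_mail_t self:capability dac_read_search;` and put the triggering denial in a comment above the rule so the scope stays auditable.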
@@ -3272,10 +3297,10 @@ index 0000000..4540090
+/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
new file mode 100644
-index 0000000..ddcbf4f
+index 0000000..254774b
--- /dev/null
+++ b/policy/modules/apps/execmem.if
-@@ -0,0 +1,135 @@
+@@ -0,0 +1,139 @@
+## <summary>execmem domain</summary>
+
+########################################
@@ -3350,6 +3375,10 @@ index 0000000..ddcbf4f
+ chrome_role($2, $1_execmem_t)
+ ')
+
++ optional_policy(`
++ execmem_execmod($1_execmem_t)
++ ')
++
+ # needed by plasma-desktop
+ optional_policy(`
+ gnome_read_usr_config($1_execmem_t)
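Review bot: The added `execmem_execmod($1_execmem_t)` call is wrapped in optional_policy(), but that interface is defined in this same execmem.if (its body is in the next hunk of this commit), so the wrapper guards nothing; optional_policy is for interfaces of other modules that may be absent. Call it unconditionally next to the other rules of the role template: `execmem_execmod($1_execmem_t)`. Since execmod on execmem_exec_t lets the binary be mapped writable-then-executable (text relocations), a one-line comment naming the application that needs it, in the style of the `# needed by plasma-desktop` line below, would help future audits. The enclosing execmem_role template starts before this hunk.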
@@ -3408,7 +3437,7 @@ index 0000000..ddcbf4f
+ type execmem_exec_t;
+ ')
+
-+ allow $1 execmem_exec_t:chr_file execmod;
++ allow $1 execmem_exec_t:file execmod;
+')
+
diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
@@ -12598,7 +12627,7 @@ index 16108f6..a02d2cc 100644
+
+/usr/lib/debug(/.*)? <<none>>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 958ca84..cbbfe21 100644
+index 958ca84..f0bb052 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -12858,7 +12887,15 @@ index 958ca84..cbbfe21 100644
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
-@@ -3104,6 +3290,7 @@ interface(`files_getattr_home_dir',`
+@@ -2681,6 +2867,7 @@ interface(`files_manage_etc_runtime_files',`
+ ')
+
+ manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
++ read_lnk_files_pattern($1, etc_t, etc_runtime_t)
+ ')
+
+ ########################################
+@@ -3104,6 +3291,7 @@ interface(`files_getattr_home_dir',`
')
allow $1 home_root_t:dir getattr;
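Review bot: The new `read_lnk_files_pattern($1, etc_t, etc_runtime_t)` in files_manage_etc_runtime_files() grants only read on etc_runtime_t symlinks while the interface otherwise grants full manage on the files; if the caller that motivated this also needs to create or replace such a symlink (a symlinked /etc/mtab is the usual case; the file's own docs cite mtab as an etc_runtime example), `manage_lnk_files_pattern($1, etc_t, etc_runtime_t)` would be the consistent permission. Whichever is chosen, the interface's summary block, which is outside this hunk, should now mention lnk_file access, and a comment with the triggering denial would make the scope of the grant clear.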
@@ -12866,7 +12903,7 @@ index 958ca84..cbbfe21 100644
')
########################################
-@@ -3124,6 +3311,7 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3124,6 +3312,7 @@ interface(`files_dontaudit_getattr_home_dir',`
')
dontaudit $1 home_root_t:dir getattr;
@@ -12874,7 +12911,7 @@ index 958ca84..cbbfe21 100644
')
########################################
-@@ -3287,6 +3475,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',`
+@@ -3287,6 +3476,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',`
dontaudit $1 lost_found_t:dir getattr;
')
@@ -12899,7 +12936,7 @@ index 958ca84..cbbfe21 100644
########################################
## <summary>
## Create, read, write, and delete objects in
-@@ -3365,6 +3571,43 @@ interface(`files_list_mnt',`
+@@ -3365,6 +3572,43 @@ interface(`files_list_mnt',`
allow $1 mnt_t:dir list_dir_perms;
')
@@ -12943,7 +12980,7 @@ index 958ca84..cbbfe21 100644
########################################
## <summary>
## Mount a filesystem on /mnt.
-@@ -3438,6 +3681,24 @@ interface(`files_read_mnt_files',`
+@@ -3438,6 +3682,24 @@ interface(`files_read_mnt_files',`
read_files_pattern($1, mnt_t, mnt_t)
')
@@ -12968,7 +13005,7 @@ index 958ca84..cbbfe21 100644
########################################
## <summary>
## Create, read, write, and delete symbolic links in /mnt.
-@@ -3729,6 +3990,99 @@ interface(`files_read_world_readable_sockets',`
+@@ -3729,6 +3991,99 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -13068,7 +13105,7 @@ index 958ca84..cbbfe21 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -3858,6 +4212,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -3858,6 +4213,24 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -13093,7 +13130,7 @@ index 958ca84..cbbfe21 100644
########################################
## <summary>
## Remove entries from the tmp directory.
-@@ -3914,6 +4286,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -3914,6 +4287,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -13126,7 +13163,7 @@ index 958ca84..cbbfe21 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -3968,7 +4366,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3968,7 +4367,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -13135,7 +13172,7 @@ index 958ca84..cbbfe21 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3976,17 +4374,95 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3976,12 +4375,90 @@ interface(`files_rw_generic_tmp_sockets',`
## </summary>
## </param>
#
@@ -13148,11 +13185,10 @@ index 958ca84..cbbfe21 100644
- allow $1 tmpfile:dir { search_dir_perms setattr };
+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ## <summary>
--## List all tmp directories.
++')
++
++########################################
++## <summary>
+## Relabel a file from the type used in /tmp.
+## </summary>
+## <param name="domain">
@@ -13227,15 +13263,10 @@ index 958ca84..cbbfe21 100644
+ ')
+
+ allow $1 tmpfile:dir { search_dir_perms setattr };
-+')
-+
-+########################################
-+## <summary>
-+## List all tmp directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -4127,6 +4603,16 @@ interface(`files_purge_tmp',`
+ ')
+
+ ########################################
+@@ -4127,6 +4604,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -13252,7 +13283,7 @@ index 958ca84..cbbfe21 100644
')
########################################
-@@ -4736,6 +5222,24 @@ interface(`files_read_var_files',`
+@@ -4736,6 +5223,24 @@ interface(`files_read_var_files',`
########################################
## <summary>
@@ -13277,7 +13308,7 @@ index 958ca84..cbbfe21 100644
## Read and write files in the /var directory.
## </summary>
## <param name="domain">
-@@ -5071,6 +5575,25 @@ interface(`files_manage_mounttab',`
+@@ -5071,6 +5576,25 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -13303,7 +13334,7 @@ index 958ca84..cbbfe21 100644
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
-@@ -5084,6 +5607,8 @@ interface(`files_search_locks',`
+@@ -5084,6 +5608,8 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -13312,7 +13343,7 @@ index 958ca84..cbbfe21 100644
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5103,11 +5628,50 @@ interface(`files_dontaudit_search_locks',`
+@@ -5103,11 +5629,50 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
@@ -13363,7 +13394,7 @@ index 958ca84..cbbfe21 100644
## Add and remove entries in the /var/lock
## directories.
## </summary>
-@@ -5122,6 +5686,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5122,6 +5687,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -13371,7 +13402,7 @@ index 958ca84..cbbfe21 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5140,7 +5705,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5140,7 +5706,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -13380,7 +13411,7 @@ index 958ca84..cbbfe21 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5156,12 +5721,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5156,12 +5722,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -13397,7 +13428,7 @@ index 958ca84..cbbfe21 100644
')
########################################
-@@ -5180,7 +5745,7 @@ interface(`files_manage_generic_locks',`
+@@ -5180,7 +5746,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -13406,7 +13437,7 @@ index 958ca84..cbbfe21 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5207,6 +5772,27 @@ interface(`files_delete_all_locks',`
+@@ -5207,6 +5773,27 @@ interface(`files_delete_all_locks',`
########################################
## <summary>
@@ -13434,7 +13465,7 @@ index 958ca84..cbbfe21 100644
## Read all lock files.
## </summary>
## <param name="domain">
-@@ -5221,7 +5807,7 @@ interface(`files_read_all_locks',`
+@@ -5221,7 +5808,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -13443,7 +13474,7 @@ index 958ca84..cbbfe21 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5243,7 +5829,7 @@ interface(`files_manage_all_locks',`
+@@ -5243,7 +5830,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -13452,7 +13483,7 @@ index 958ca84..cbbfe21 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5275,7 +5861,7 @@ interface(`files_lock_filetrans',`
+@@ -5275,7 +5862,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -13461,7 +13492,7 @@ index 958ca84..cbbfe21 100644
filetrans_pattern($1, var_lock_t, $2, $3)
')
-@@ -5332,9 +5918,47 @@ interface(`files_search_pids',`
+@@ -5332,9 +5919,47 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -13509,7 +13540,7 @@ index 958ca84..cbbfe21 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5410,6 +6034,24 @@ interface(`files_write_generic_pid_pipes',`
+@@ -5410,6 +6035,24 @@ interface(`files_write_generic_pid_pipes',`
allow $1 var_run_t:fifo_file write;
')
@@ -13534,7 +13565,7 @@ index 958ca84..cbbfe21 100644
########################################
## <summary>
## Create an object in the process ID directory, with a private type.
-@@ -5542,6 +6184,80 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5542,6 +6185,80 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -13615,7 +13646,7 @@ index 958ca84..cbbfe21 100644
## Read all process ID files.
## </summary>
## <param name="domain">
-@@ -5559,6 +6275,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6276,44 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -13660,7 +13691,7 @@ index 958ca84..cbbfe21 100644
')
########################################
-@@ -5844,3 +6598,284 @@ interface(`files_unconfined',`
+@@ -5844,3 +6599,284 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -15396,7 +15427,7 @@ index 3994e57..a1923fe 100644
+
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index f3acfee..c5b2825 100644
+index f3acfee..680e28a 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
@@ -15580,11 +15611,29 @@ index f3acfee..c5b2825 100644
')
########################################
-@@ -1475,3 +1538,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1475,3 +1538,40 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
+
++####################################
++## <summary>
++## Getattr on the virtio console.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`term_getattr_virtio_console',`
++ gen_require(`
++ type virtio_device_t;
++ ')
++
++ allow $1 virtio_device_t:chr_file getattr_chr_file_perms;
++')
++
+#####################################
+## <summary>
+## Read from and write to the virtio console.
@@ -23926,10 +23975,10 @@ index 0000000..ed13d1e
+
diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
new file mode 100644
-index 0000000..2dfd363
+index 0000000..979ed78
--- /dev/null
+++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,64 @@
+policy_module(collectd, 1.0.0)
+
+########################################
@@ -23974,9 +24023,13 @@ index 0000000..2dfd363
+kernel_read_network_state(collectd_t)
+kernel_read_system_state(collectd_t)
+
++dev_read_sysfs(collectd_t)
++
+files_read_etc_files(collectd_t)
+files_read_usr_files(collectd_t)
+
++fs_getattr_all_fs(collectd_t)
++
+miscfiles_read_localization(collectd_t)
+
+logging_send_syslog_msg(collectd_t)
@@ -24587,7 +24640,7 @@ index 2eefc08..34ab5ce 100644
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..372d2c1 100644
+index 35241ed..a75e22c 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -12,6 +12,11 @@
@@ -24874,7 +24927,7 @@ index 35241ed..372d2c1 100644
')
########################################
-@@ -627,7 +678,66 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +678,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
@@ -24921,25 +24974,6 @@ index 35241ed..372d2c1 100644
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
-+')
-+
-+#######################################
-+## <summary>
-+## Search the directory containing user cron tables.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cron_manage_system_spool',`
-+ gen_require(`
-+ type cron_system_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index f7583ab..20a0261 100644
@@ -25800,7 +25834,7 @@ index a8b93c0..831ce70 100644
type dante_var_run_t;
files_pid_file(dante_var_run_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 0d5711c..fd9938d 100644
+index 0d5711c..bdb2f9b 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -25990,38 +26024,38 @@ index 0d5711c..fd9938d 100644
')
########################################
-@@ -431,14 +479,29 @@ interface(`dbus_system_domain',`
-
- domtrans_pattern(system_dbusd_t, $2, $1)
-
-+ fs_search_all($1)
-+
- dbus_system_bus_client($1)
- dbus_connect_system_bus($1)
+@@ -420,27 +468,17 @@ interface(`dbus_system_bus_unconfined',`
+ #
+ interface(`dbus_system_domain',`
+ gen_require(`
++ attribute system_bus_type;
+ type system_dbusd_t;
+ role system_r;
+ ')
-+ init_stream_connect($1)
-+ init_dgram_send($1)
-+ init_use_fds($1)
++ typeattribute $1 system_bus_type;
+
- ps_process_pattern(system_dbusd_t, $1)
-
-+ userdom_dontaudit_search_admin_dir($1)
- userdom_read_all_users_state($1)
+ domain_type($1)
+ domain_entry_file($1, $2)
+- role system_r types $1;
+-
+ domtrans_pattern(system_dbusd_t, $2, $1)
+-
+- dbus_system_bus_client($1)
+- dbus_connect_system_bus($1)
+-
+- ps_process_pattern(system_dbusd_t, $1)
+-
+- userdom_read_all_users_state($1)
+-
- ifdef(`hide_broken_symptoms', `
-+ optional_policy(`
-+ rpm_script_dbus_chat($1)
-+ ')
-+
-+ optional_policy(`
-+ unconfined_dbus_send($1)
-+ ')
-+
-+ ifdef(`hide_broken_symptoms',`
- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
- ')
+- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+- ')
')
-@@ -497,3 +560,23 @@ interface(`dbus_unconfined',`
+
+ ########################################
+@@ -497,3 +535,23 @@ interface(`dbus_unconfined',`
typeattribute $1 dbusd_unconfined;
')
@@ -26046,10 +26080,18 @@ index 0d5711c..fd9938d 100644
+')
+
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 86d09b4..8e05351 100644
+index 86d09b4..6e36725 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
-@@ -36,6 +36,7 @@ files_type(system_dbusd_var_lib_t)
+@@ -10,6 +10,7 @@ gen_require(`
+ #
+
+ attribute dbusd_unconfined;
++attribute system_bus_type;
+ attribute session_bus_type;
+
+ type dbusd_etc_t;
+@@ -36,6 +37,7 @@ files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
@@ -26057,7 +26099,7 @@ index 86d09b4..8e05351 100644
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -52,9 +53,9 @@ ifdef(`enable_mls',`
+@@ -52,9 +54,9 @@ ifdef(`enable_mls',`
# dac_override: /var/run/dbus is owned by messagebus on Debian
# cjp: dac_override should probably go in a distro_debian
@@ -26069,7 +26111,7 @@ index 86d09b4..8e05351 100644
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
-@@ -74,9 +75,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+@@ -74,9 +76,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
@@ -26081,7 +26123,7 @@ index 86d09b4..8e05351 100644
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
-@@ -111,6 +113,8 @@ auth_read_pam_console_data(system_dbusd_t)
+@@ -111,6 +114,8 @@ auth_read_pam_console_data(system_dbusd_t)
corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
@@ -26090,7 +26132,7 @@ index 86d09b4..8e05351 100644
domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)
-@@ -121,7 +125,9 @@ files_read_usr_files(system_dbusd_t)
+@@ -121,7 +126,9 @@ files_read_usr_files(system_dbusd_t)
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
@@ -26100,7 +26142,7 @@ index 86d09b4..8e05351 100644
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-@@ -141,10 +147,18 @@ optional_policy(`
+@@ -141,10 +148,18 @@ optional_policy(`
')
optional_policy(`
@@ -26119,11 +26161,52 @@ index 86d09b4..8e05351 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -162,5 +176,12 @@ optional_policy(`
+@@ -160,7 +175,53 @@ optional_policy(`
+
+ ########################################
#
- # Unconfined access to this module
+-# Unconfined access to this module
++# system_bus_type rules
#
--
+
++role system_r types system_bus_type;
++
++fs_search_all(system_bus_type)
++
++dbus_system_bus_client(system_bus_type)
++dbus_connect_system_bus(system_bus_type)
++
++init_stream_connect(system_bus_type)
++init_dgram_send(system_bus_type)
++init_use_fds(system_bus_type)
++init_rw_stream_sockets(system_bus_type)
++
++ps_process_pattern(system_dbusd_t, system_bus_type)
++
++userdom_dontaudit_search_admin_dir(system_bus_type)
++userdom_read_all_users_state(system_bus_type)
++
++optional_policy(`
++ abrt_stream_connect(system_bus_type)
++')
++
++optional_policy(`
++ rpm_script_dbus_chat(system_bus_type)
++')
++
++optional_policy(`
++ unconfined_dbus_send(system_bus_type)
++')
++
++ifdef(`hide_broken_symptoms',`
++ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
++')
++
++
++########################################
++#
++# Unconfined access to this module
++#
allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
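Review bot: Moving the dbus_system_domain() rules onto the system_bus_type attribute also widens what every system bus domain receives: `init_rw_stream_sockets(system_bus_type)` and `abrt_stream_connect(system_bus_type)` have no counterpart in the per-domain rules removed from dbus.if earlier in this commit (init_stream_connect, init_dgram_send, init_use_fds, rpm_script_dbus_chat, unconfined_dbus_send). Each is now granted to every caller of the interface rather than the one daemon that presumably hit the denial; if a specific domain needs it, give it the rule in its own .te, otherwise add a comment here stating why it is generic. Also drop one of the two consecutive blank lines before the "Unconfined access to this module" banner.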
@@ -28197,7 +28280,7 @@ index 298f066..b54de69 100644
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
-index 6bef7f8..464669c 100644
+index 6bef7f8..885cd43 100644
--- a/policy/modules/services/exim.if
+++ b/policy/modules/services/exim.if
@@ -5,9 +5,9 @@
@@ -28212,10 +28295,35 @@ index 6bef7f8..464669c 100644
## </param>
#
interface(`exim_domtrans',`
-@@ -20,6 +20,24 @@ interface(`exim_domtrans',`
+@@ -20,6 +20,49 @@ interface(`exim_domtrans',`
########################################
## <summary>
++## Execute the mailman program in the mailman domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to allow the mailman domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`exim_run',`
++ gen_require(`
++ type exim_t;
++ ')
++
++ exim_domtrans($1)
++ role $2 types exim_t;
++')
++
++########################################
++## <summary>
+## Execute exim in the exim domain.
+## </summary>
+## <param name="domain">
@@ -28237,7 +28345,7 @@ index 6bef7f8..464669c 100644
## Do not audit attempts to read,
## exim tmp files
## </summary>
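Review bot: The summary of the new exim_run() interface reads `## Execute the mailman program in the mailman domain.`, a copy-paste from another module; it should say `## Execute exim in the exim domain and allow the specified role the exim domain.`, and the role parameter's text should read `## The role to allow the exim domain.` This interface is what mta_role() calls later in this commit to let confined users transition into exim_t, so an accurate summary matters for anyone auditing which roles can reach the MTA domain.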
-@@ -101,9 +119,9 @@ interface(`exim_read_log',`
+@@ -101,9 +144,9 @@ interface(`exim_read_log',`
## exim log files.
## </summary>
## <param name="domain">
@@ -28249,7 +28357,7 @@ index 6bef7f8..464669c 100644
## </param>
#
interface(`exim_append_log',`
-@@ -194,3 +212,46 @@ interface(`exim_manage_spool_files',`
+@@ -194,3 +237,46 @@ interface(`exim_manage_spool_files',`
manage_files_pattern($1, exim_spool_t, exim_spool_t)
files_search_spool($1)
')
@@ -28297,7 +28405,7 @@ index 6bef7f8..464669c 100644
+ admin_pattern($1, exim_var_run_t)
+')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
-index f28f64b..0b19f11 100644
+index f28f64b..4e8fb56 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -6,24 +6,24 @@ policy_module(exim, 1.5.0)
@@ -28345,7 +28453,24 @@ index f28f64b..0b19f11 100644
type exim_log_t;
logging_log_file(exim_log_t)
-@@ -171,6 +174,10 @@ optional_policy(`
+@@ -79,7 +82,7 @@ files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
+
+ kernel_read_kernel_sysctls(exim_t)
+ kernel_read_network_state(exim_t)
+-kernel_dontaudit_read_system_state(exim_t)
++kernel_read_system_state(exim_t)
+
+ corecmd_search_bin(exim_t)
+
+@@ -110,6 +113,7 @@ files_search_usr(exim_t)
+ files_search_var(exim_t)
+ files_read_etc_files(exim_t)
+ files_read_etc_runtime_files(exim_t)
++files_read_usr_files(exim_t)
+ files_getattr_all_mountpoints(exim_t)
+
+ fs_getattr_xattr_fs(exim_t)
+@@ -171,6 +175,10 @@ optional_policy(`
')
optional_policy(`
@@ -28356,7 +28481,7 @@ index f28f64b..0b19f11 100644
tunable_policy(`exim_can_connect_db',`
mysql_stream_connect(exim_t)
')
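Review bot: Replacing `kernel_dontaudit_read_system_state(exim_t)` with `kernel_read_system_state(exim_t)` turns a silenced denial into a real grant of generic /proc reads for the MTA, and `files_read_usr_files(exim_t)` is likewise a new grant; neither line says what exim needs the access for, and the commit message's "support for exim and confined users" does not explain it. Add a short comment above each naming the feature or AVC that required it, or keep the dontaudit if the access was only noise, so the privilege increase is traceable later.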
-@@ -184,6 +191,7 @@ optional_policy(`
+@@ -184,6 +192,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
@@ -31056,7 +31181,7 @@ index 3525d24..d50a883 100644
/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..820b1cc 100644
+index 604f67b..2675fb9 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -26,9 +26,9 @@
@@ -31138,16 +31263,16 @@ index 604f67b..820b1cc 100644
kerberos_read_keytab($2)
kerberos_use($2)
-@@ -289,6 +308,8 @@ interface(`kerberos_manage_host_rcache',`
+@@ -289,35 +308,14 @@ interface(`kerberos_manage_host_rcache',`
seutil_read_file_contexts($1)
+- allow $1 krb5_host_rcache_t:file manage_file_perms;
+ files_rw_generic_tmp_dir($1)
-+ allow $1 krb5_host_rcache_t:dir search_dir_perms;
- allow $1 krb5_host_rcache_t:file manage_file_perms;
++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
files_search_tmp($1)
')
-@@ -296,28 +317,6 @@ interface(`kerberos_manage_host_rcache',`
+ ')
########################################
## <summary>
@@ -31176,7 +31301,7 @@ index 604f67b..820b1cc 100644
## All of the rules required to administrate
## an kerberos environment
## </summary>
-@@ -338,9 +337,8 @@ interface(`kerberos_admin',`
+@@ -338,9 +336,8 @@ interface(`kerberos_admin',`
type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
@@ -31187,7 +31312,7 @@ index 604f67b..820b1cc 100644
')
allow $1 kadmind_t:process { ptrace signal_perms };
-@@ -378,3 +376,41 @@ interface(`kerberos_admin',`
+@@ -378,3 +375,41 @@ interface(`kerberos_admin',`
admin_pattern($1, krb5kdc_var_run_t)
')
@@ -33848,7 +33973,7 @@ index 256166a..15daf47 100644
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..7de6f4d 100644
+index 343cee3..5991e63 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -33878,7 +34003,7 @@ index 343cee3..7de6f4d 100644
#
interface(`mta_role',`
gen_require(`
-@@ -169,7 +171,7 @@ interface(`mta_role',`
+@@ -169,11 +171,15 @@ interface(`mta_role',`
# Transition from the user domain to the derived domain.
domtrans_pattern($2, sendmail_exec_t, user_mail_t)
@@ -33887,7 +34012,15 @@ index 343cee3..7de6f4d 100644
allow mta_user_agent $2:fd use;
allow mta_user_agent $2:process sigchld;
-@@ -220,6 +222,25 @@ interface(`mta_agent_executable',`
+ allow mta_user_agent $2:fifo_file { read write };
++
++ optional_policy(`
++ exim_run($2, $1)
++ ')
+ ')
+
+ ########################################
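Review bot: The new `exim_run($2, $1)` in mta_role() gives every domain/role pair that receives mta_role a direct transition into exim_t, which this commit's exim.te hunks show to be the full MTA domain (network state, spool and pid files), whereas the preceding rules route user mail through user_mail_t. That is presumably intended for exim as the system MTA, but it is broader than the sendmail path and deserves a comment, e.g. `# exim's sendmail wrapper runs in exim_t; let confined users reach it`. The argument order is correct ($2 is the user domain and $1 the role, matching domtrans_pattern($2, ...) above). The rest of mta_role is outside this hunk.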
+@@ -220,6 +226,25 @@ interface(`mta_agent_executable',`
application_executable_file($1)
')
@@ -33913,7 +34046,7 @@ index 343cee3..7de6f4d 100644
########################################
## <summary>
## Make the specified type by a system MTA.
-@@ -306,7 +327,6 @@ interface(`mta_mailserver_sender',`
+@@ -306,7 +331,6 @@ interface(`mta_mailserver_sender',`
interface(`mta_mailserver_delivery',`
gen_require(`
attribute mailserver_delivery;
@@ -33921,7 +34054,7 @@ index 343cee3..7de6f4d 100644
')
typeattribute $1 mailserver_delivery;
-@@ -330,12 +350,6 @@ interface(`mta_mailserver_user_agent',`
+@@ -330,12 +354,6 @@ interface(`mta_mailserver_user_agent',`
')
typeattribute $1 mta_user_agent;
@@ -33934,7 +34067,7 @@ index 343cee3..7de6f4d 100644
')
########################################
-@@ -350,9 +364,8 @@ interface(`mta_mailserver_user_agent',`
+@@ -350,9 +368,8 @@ interface(`mta_mailserver_user_agent',`
#
interface(`mta_send_mail',`
gen_require(`
@@ -33945,7 +34078,7 @@ index 343cee3..7de6f4d 100644
')
allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-@@ -362,6 +375,10 @@ interface(`mta_send_mail',`
+@@ -362,6 +379,10 @@ interface(`mta_send_mail',`
allow mta_user_agent $1:fd use;
allow mta_user_agent $1:process sigchld;
allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
@@ -33956,7 +34089,7 @@ index 343cee3..7de6f4d 100644
')
########################################
-@@ -391,12 +408,15 @@ interface(`mta_send_mail',`
+@@ -391,12 +412,15 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -33974,7 +34107,7 @@ index 343cee3..7de6f4d 100644
')
########################################
-@@ -409,7 +429,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +433,6 @@ interface(`mta_sendmail_domtrans',`
## </summary>
## </param>
#
@@ -33982,7 +34115,7 @@ index 343cee3..7de6f4d 100644
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -420,6 +439,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +443,24 @@ interface(`mta_signal_system_mail',`
########################################
## <summary>
@@ -34007,7 +34140,7 @@ index 343cee3..7de6f4d 100644
## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
-@@ -438,6 +475,26 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +479,26 @@ interface(`mta_sendmail_exec',`
########################################
## <summary>
@@ -34034,7 +34167,7 @@ index 343cee3..7de6f4d 100644
## Read mail server configuration.
## </summary>
## <param name="domain">
-@@ -474,7 +531,8 @@ interface(`mta_write_config',`
+@@ -474,7 +535,8 @@ interface(`mta_write_config',`
type etc_mail_t;
')
@@ -34044,7 +34177,7 @@ index 343cee3..7de6f4d 100644
')
########################################
-@@ -494,6 +552,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +556,7 @@ interface(`mta_read_aliases',`
files_search_etc($1)
allow $1 etc_aliases_t:file read_file_perms;
@@ -34052,7 +34185,7 @@ index 343cee3..7de6f4d 100644
')
########################################
-@@ -552,7 +611,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +615,7 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -34061,7 +34194,7 @@ index 343cee3..7de6f4d 100644
')
#######################################
-@@ -646,8 +705,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +709,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -34072,7 +34205,7 @@ index 343cee3..7de6f4d 100644
')
#######################################
-@@ -697,8 +756,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +760,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -34083,7 +34216,7 @@ index 343cee3..7de6f4d 100644
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -838,7 +897,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +901,7 @@ interface(`mta_dontaudit_rw_queue',`
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -34092,7 +34225,7 @@ index 343cee3..7de6f4d 100644
')
########################################
-@@ -899,3 +958,50 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +962,50 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -36570,10 +36703,10 @@ index 0000000..9ef0492
+')
diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te
new file mode 100644
-index 0000000..aa9b047
+index 0000000..4f821d5
--- /dev/null
+++ b/policy/modules/services/passenger.te
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,90 @@
+policy_module(passenger, 1.0.0)
+
+########################################
@@ -36628,6 +36761,11 @@ index 0000000..aa9b047
+
+can_exec(passenger_t, passenger_exec_t)
+
++#needed by puppet
++manage_dirs_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
++manage_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
++files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir })
++
+kernel_read_system_state(passenger_t)
+kernel_read_kernel_sysctls(passenger_t)
+
@@ -36639,6 +36777,7 @@ index 0000000..aa9b047
+dev_read_urand(passenger_t)
+
+files_read_etc_files(passenger_t)
++files_read_usr_files(passenger_t)
+
+auth_use_nsswitch(passenger_t)
+
@@ -36655,6 +36794,8 @@ index 0000000..aa9b047
+
+optional_policy(`
+ puppet_manage_lib(passenger_t)
++ puppet_search_log(passenger_t)
++ puppet_search_pid(passenger_t)
+')
diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if
index 1c2a091..ea5ae69 100644
@@ -39203,7 +39344,7 @@ index b524673..9d90fb3 100644
admin_pattern($1, pptp_var_run_t)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..95f673b 100644
+index 2af42e7..fbb89eb 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -39295,7 +39436,7 @@ index 2af42e7..95f673b 100644
')
optional_policy(`
-@@ -243,9 +248,10 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +248,16 @@ allow pptp_t pppd_log_t:file append_file_perms;
allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
@@ -39307,6 +39448,12 @@ index 2af42e7..95f673b 100644
kernel_list_proc(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
+ kernel_read_proc_symlinks(pptp_t)
+ kernel_read_system_state(pptp_t)
++kernel_signal(pptp_t)
+
+ dev_read_sysfs(pptp_t)
+
diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if
index 2316653..77ef768 100644
--- a/policy/modules/services/prelude.if
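Review bot: `kernel_signal(pptp_t)` on the new side of this hunk grants pptp_t process:signal against kernel_t, which covers every kernel thread, not just whichever case the changelog entry ("send generic signal to kernel threads") has in mind. A PPP client has no obvious reason to signal kernel threads; if this was added to silence an AVC from pptp signalling a pid it believed was its own child, a dontaudit rule would be the less permissive fix than an allow. If the signal really is required, a one-line comment above it recording the observed denial, e.g. `# pptp signals a pid that can be a kernel thread; generic signal only`, would stop the next maintainer from widening it further. The pptp_t block continues outside the hunk.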
@@ -39759,7 +39906,7 @@ index d4000e0..f35afa4 100644
mta_read_queue(psad_t)
')
diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
-index 2855a44..b1a3fed 100644
+index 2855a44..d709712 100644
--- a/policy/modules/services/puppet.if
+++ b/policy/modules/services/puppet.if
@@ -21,7 +21,7 @@
@@ -39771,7 +39918,7 @@ index 2855a44..b1a3fed 100644
gen_require(`
type puppet_tmp_t;
')
-@@ -29,3 +29,41 @@ interface(`puppet_rw_tmp', `
+@@ -29,3 +29,79 @@ interface(`puppet_rw_tmp', `
allow $1 puppet_tmp_t:file rw_file_perms;
files_search_tmp($1)
')
@@ -39813,6 +39960,44 @@ index 2855a44..b1a3fed 100644
+ manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+ files_search_var_lib($1)
+')
++
++######################################
++## <summary>
++## Allow the specified domain to search puppet's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`puppet_search_log',`
++ gen_require(`
++ type puppet_log_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 puppet_log_t:dir search_dir_perms;
++')
++
++#####################################
++## <summary>
++## Allow the specified domain to search puppet's pid files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`puppet_search_pid',`
++ gen_require(`
++ type puppet_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 puppet_var_run_t:dir search_dir_perms;
++')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
index 64c5f95..3fdd4b4 100644
--- a/policy/modules/services/puppet.te
@@ -43706,7 +43891,7 @@ index 7e94c7c..5700fb8 100644
+ admin_pattern($1, mail_spool_t)
+')
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
-index 22dac1f..b6781d5 100644
+index 22dac1f..4ddbadd 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -19,6 +19,9 @@ mta_sendmail_mailserver(sendmail_t)
@@ -43743,7 +43928,17 @@ index 22dac1f..b6781d5 100644
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
-@@ -149,7 +154,9 @@ optional_policy(`
+@@ -129,6 +134,9 @@ optional_policy(`
+
+ optional_policy(`
+ exim_domtrans(sendmail_t)
++ exim_manage_spool_files(sendmail_t)
++ exim_manage_spool_dirs(sendmail_t)
++ exim_read_log(sendmail_t)
+ ')
+
+ optional_policy(`
+@@ -149,7 +157,9 @@ optional_policy(`
')
optional_policy(`
@@ -43753,7 +43948,7 @@ index 22dac1f..b6781d5 100644
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
')
-@@ -168,6 +175,10 @@ optional_policy(`
+@@ -168,6 +178,10 @@ optional_policy(`
')
optional_policy(`
@@ -43764,7 +43959,7 @@ index 22dac1f..b6781d5 100644
udev_read_db(sendmail_t)
')
-@@ -183,5 +194,5 @@ optional_policy(`
+@@ -183,5 +197,5 @@ optional_policy(`
optional_policy(`
mta_etc_filetrans_aliases(unconfined_sendmail_t)
@@ -45363,7 +45558,7 @@ index 22adaca..7cf2180 100644
+ allow $1 sshd_t:process signull;
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..4474fb6 100644
+index 2dad3c8..a24b7af 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -45700,7 +45895,7 @@ index 2dad3c8..4474fb6 100644
') dnl endif TODO
########################################
-@@ -322,19 +376,25 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +376,26 @@ tunable_policy(`ssh_sysadm_login',`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -45718,6 +45913,7 @@ index 2dad3c8..4474fb6 100644
+userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
+userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
+
++kernel_read_system_state(ssh_keygen_t)
kernel_read_kernel_sysctls(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
@@ -45727,7 +45923,7 @@ index 2dad3c8..4474fb6 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,9 +411,10 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,9 +412,10 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -51261,10 +51457,17 @@ index 88df85d..2fa3974 100644
ssh_sigchld(application_domain_type)
ssh_rw_stream_sockets(application_domain_type)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 2952cef..a6cb01f 100644
+index 2952cef..4892b2a 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
-@@ -10,6 +10,7 @@
+@@ -4,12 +4,14 @@
+ /etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
@@ -51272,7 +51475,7 @@ index 2952cef..a6cb01f 100644
/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
ifdef(`distro_suse', `
-@@ -27,7 +28,9 @@ ifdef(`distro_gentoo', `
+@@ -27,7 +29,9 @@ ifdef(`distro_gentoo', `
/var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
@@ -51282,7 +51485,7 @@ index 2952cef..a6cb01f 100644
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
-@@ -39,6 +42,7 @@ ifdef(`distro_gentoo', `
+@@ -39,6 +43,7 @@ ifdef(`distro_gentoo', `
/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
@@ -53040,7 +53243,7 @@ index cc83689..fc87c2c 100644
+ read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..b9f4fce 100644
+index ea29513..5219266 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -53648,7 +53851,7 @@ index ea29513..b9f4fce 100644
')
optional_policy(`
-@@ -589,6 +856,16 @@ optional_policy(`
+@@ -589,6 +856,15 @@ optional_policy(`
')
optional_policy(`
@@ -53658,14 +53861,13 @@ index ea29513..b9f4fce 100644
+
+optional_policy(`
+ cron_read_pipes(initrc_t)
-+ cron_manage_system_spool(initrc_t)
+')
+
+optional_policy(`
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +882,13 @@ optional_policy(`
+@@ -605,9 +881,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -53679,7 +53881,7 @@ index ea29513..b9f4fce 100644
')
optional_policy(`
-@@ -649,6 +930,11 @@ optional_policy(`
+@@ -649,6 +929,11 @@ optional_policy(`
')
optional_policy(`
@@ -53691,7 +53893,7 @@ index ea29513..b9f4fce 100644
inn_exec_config(initrc_t)
')
-@@ -706,7 +992,13 @@ optional_policy(`
+@@ -706,7 +991,13 @@ optional_policy(`
')
optional_policy(`
@@ -53705,7 +53907,7 @@ index ea29513..b9f4fce 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1021,10 @@ optional_policy(`
+@@ -729,6 +1020,10 @@ optional_policy(`
')
optional_policy(`
@@ -53716,7 +53918,7 @@ index ea29513..b9f4fce 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1034,20 @@ optional_policy(`
+@@ -738,10 +1033,20 @@ optional_policy(`
')
optional_policy(`
@@ -53737,7 +53939,7 @@ index ea29513..b9f4fce 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1056,10 @@ optional_policy(`
+@@ -750,6 +1055,10 @@ optional_policy(`
')
optional_policy(`
@@ -53748,7 +53950,7 @@ index ea29513..b9f4fce 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1081,6 @@ optional_policy(`
+@@ -771,8 +1080,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -53757,7 +53959,7 @@ index ea29513..b9f4fce 100644
')
optional_policy(`
-@@ -781,14 +1089,21 @@ optional_policy(`
+@@ -781,14 +1088,21 @@ optional_policy(`
')
optional_policy(`
@@ -53779,7 +53981,7 @@ index ea29513..b9f4fce 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1115,6 @@ optional_policy(`
+@@ -800,7 +1114,6 @@ optional_policy(`
')
optional_policy(`
@@ -53787,7 +53989,7 @@ index ea29513..b9f4fce 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -810,11 +1124,24 @@ optional_policy(`
+@@ -810,11 +1123,24 @@ optional_policy(`
')
optional_policy(`
@@ -53813,7 +54015,7 @@ index ea29513..b9f4fce 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1151,25 @@ optional_policy(`
+@@ -824,6 +1150,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -53839,7 +54041,7 @@ index ea29513..b9f4fce 100644
')
optional_policy(`
-@@ -849,3 +1195,42 @@ optional_policy(`
+@@ -849,3 +1194,42 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -55197,7 +55399,7 @@ index c7cfb62..ee89659 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 9b5a9ed..9eb94a4 100644
+index 9b5a9ed..d692349 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -19,6 +19,11 @@ type auditd_log_t;
@@ -55340,8 +55542,13 @@ index 9b5a9ed..9eb94a4 100644
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -412,7 +455,11 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
+@@ -410,9 +453,16 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+ corenet_sendrecv_postgresql_client_packets(syslogd_t)
+ corenet_sendrecv_mysqld_client_packets(syslogd_t)
++# support for ommail module to send logs via mail
++corenet_tcp_connect_smtp_port(syslogd_t)
++
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
+dev_read_rand(syslogd_t)
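Review bot: `corenet_tcp_connect_smtp_port(syslogd_t)` is added unconditionally in this hunk, while the commit message announces a `logging_syslogd_can_sendmail` boolean; nothing visible here ties the permission to that tunable. syslogd_t handles log data arriving from the network and from every local domain, so an always-on outbound SMTP allow is a real widening of what a compromised or misconfigured rsyslog can do. If the tunable is declared and used elsewhere in the patch this rule should be moved under it; otherwise wrap it here as `tunable_policy(`logging_syslogd_can_sendmail`,` / `corenet_tcp_connect_smtp_port(syslogd_t)` / `')` and add the matching `gen_tunable` near the top of logging.te, which lies outside this hunk. The ommail comment could then name the boolean that controls it.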
@@ -55352,7 +55559,7 @@ index 9b5a9ed..9eb94a4 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -432,6 +479,7 @@ term_write_console(syslogd_t)
+@@ -432,6 +482,7 @@ term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
@@ -55360,7 +55567,7 @@ index 9b5a9ed..9eb94a4 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -443,6 +491,7 @@ init_use_fds(syslogd_t)
+@@ -443,6 +494,7 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -55368,7 +55575,7 @@ index 9b5a9ed..9eb94a4 100644
miscfiles_read_localization(syslogd_t)
-@@ -480,6 +529,10 @@ optional_policy(`
+@@ -480,6 +532,10 @@ optional_policy(`
')
optional_policy(`
@@ -55379,7 +55586,7 @@ index 9b5a9ed..9eb94a4 100644
postgresql_stream_connect(syslogd_t)
')
-@@ -488,6 +541,10 @@ optional_policy(`
+@@ -488,6 +544,10 @@ optional_policy(`
')
optional_policy(`
@@ -56639,7 +56846,7 @@ index c817fda..8bcb1fd 100644
## </summary>
## <desc>
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
-index 73cc8cf..4c24b25 100644
+index 73cc8cf..2980339 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -10,11 +10,9 @@ type mdadm_exec_t;
@@ -56656,7 +56863,7 @@ index 73cc8cf..4c24b25 100644
########################################
#
-@@ -23,15 +21,15 @@ files_pid_file(mdadm_var_run_t)
+@@ -23,18 +21,19 @@ files_pid_file(mdadm_var_run_t)
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
dontaudit mdadm_t self:capability sys_tty_config;
@@ -56678,7 +56885,11 @@ index 73cc8cf..4c24b25 100644
kernel_read_system_state(mdadm_t)
kernel_read_kernel_sysctls(mdadm_t)
-@@ -52,13 +50,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
++kernel_request_load_module(mdadm_t)
+ kernel_rw_software_raid_state(mdadm_t)
+ kernel_getattr_core_if(mdadm_t)
+
+@@ -52,13 +51,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
dev_read_realtime_clock(mdadm_t)
# unfortunately needed for DMI decoding:
dev_read_raw_memory(mdadm_t)
@@ -56696,7 +56907,7 @@ index 73cc8cf..4c24b25 100644
fs_dontaudit_list_tmpfs(mdadm_t)
mls_file_read_all_levels(mdadm_t)
-@@ -68,6 +69,7 @@ mls_file_write_all_levels(mdadm_t)
+@@ -68,6 +70,7 @@ mls_file_write_all_levels(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_dev_filetrans_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
@@ -56704,7 +56915,7 @@ index 73cc8cf..4c24b25 100644
term_dontaudit_list_ptys(mdadm_t)
-@@ -84,6 +86,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
+@@ -84,6 +87,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
mta_send_mail(mdadm_t)
optional_policy(`
@@ -59853,7 +60064,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..dc49084 100644
+index 28b88de..36b1c3d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -61592,7 +61803,32 @@ index 28b88de..dc49084 100644
## Execute a shell in all user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-@@ -2815,7 +3292,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2713,6 +3190,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+ allow unpriv_userdomain $1:process sigchld;
+ ')
+
++#####################################
++## <summary>
++## Allow domain dyntrans to unpriv userdomain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_dyntransition_unpriv_users',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
++
++ allow $1 unpriv_userdomain:process dyntransition;
++')
++
+ ########################################
+ ## <summary>
+ ## Execute an Xserver session in all unprivileged user domains. This
+@@ -2815,7 +3310,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -61601,7 +61837,7 @@ index 28b88de..dc49084 100644
allow unpriv_userdomain $1:process sigchld;
')
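Review bot: The new `userdom_dyntransition_unpriv_users` interface grants `process dyntransition` into every unprivileged user domain, and its summary ("Allow domain dyntrans to unpriv userdomain") does not say what that implies. Unlike an exec-based domain transition, a dynamic transition (setcon) keeps the calling process's memory, open descriptors and environment and is not gated by an entrypoint type, so any caller of this interface must be trusted with the full rights of those user domains. The interface also covers only the target half: the caller still needs `setcurrent` on itself (`allow $1 self:process setcurrent;`), which is not granted here, so callers will see a separate denial unless they obtain it elsewhere. I would expand the summary to state that no entrypoint check applies, that process state is carried over, and that the caller must additionally hold setcurrent, so that future callers are not added casually.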
-@@ -2831,11 +3308,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3326,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -61617,7 +61853,7 @@ index 28b88de..dc49084 100644
')
########################################
-@@ -2917,7 +3396,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3414,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -61626,7 +61862,7 @@ index 28b88de..dc49084 100644
')
########################################
-@@ -2972,7 +3451,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3469,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -61673,7 +61909,7 @@ index 28b88de..dc49084 100644
')
########################################
-@@ -3009,6 +3526,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3544,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -61681,7 +61917,7 @@ index 28b88de..dc49084 100644
kernel_search_proc($1)
')
-@@ -3087,6 +3605,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3623,24 @@ interface(`userdom_signal_all_users',`
########################################
## <summary>
@@ -61706,7 +61942,7 @@ index 28b88de..dc49084 100644
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
-@@ -3139,3 +3675,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3693,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d63407a..ecc8ee6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 40%{?dist}
+Release: 41%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,14 @@ exit 0
%endif
%changelog
+* Thu Sep 22 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-41
+- Add logging_syslogd_can_sendmail boolean
+- Add support for exim and confined users
+- support for ommail module to send logs via mail
+- Add execmem_execmod() to execmem role
+- Allow pptp to send generic signal to kernel threads
+- Fix kerberos_manage_host_rcache() interface
+
* Mon Sep 12 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-40
- Fixes for mock