[selinux-policy/f17] * Tue Apr 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-112 - upowered needs to setsched on the
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Apr 10 10:10:00 UTC 2012
commit 571c88df1bcf38a08af1a094bf68550234f831b7
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Apr 10 12:09:47 2012 +0200
* Tue Apr 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-112
- upowered needs to setsched on the kernel
- Allow mpd_t to manage log files
- Allow xdm_t to create /var/run/systemd/multi-session-x
- Add rules for missfont.log to be used by thumb.fc
- Additional access required for virt_qmf_t
- Allow dhclient to dbus chat with the firewalld
- Add label for lvmetad
- Allow systemd_logind_t to remove userdomain sock_files
- Allow cups to execute usr_t files
- Fix labeling on nvidia shared libraries
- wdmd_t needs access to sssd and /etc/passwd
- Add boolean to allow ftp servers to run in passive mode
- Allow namespace_init_t to relabelto/from a different user system_u from t
- Fix using httpd_use_fusefs
- Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it
policy-F16.patch | 345 ++++++++++++++++++++++++++++++++++-----------------
selinux-policy.spec | 19 +++-
2 files changed, 249 insertions(+), 115 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 8e93f9c..aa998e5 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -67442,10 +67442,10 @@ index 0000000..8d7c751
+')
diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te
new file mode 100644
-index 0000000..5ddf179
+index 0000000..2f7149c
--- /dev/null
+++ b/policy/modules/apps/namespace.te
-@@ -0,0 +1,44 @@
+@@ -0,0 +1,45 @@
+policy_module(namespace,1.0.0)
+
+########################################
@@ -67473,6 +67473,7 @@ index 0000000..5ddf179
+corecmd_exec_shell(namespace_init_t)
+
+domain_use_interactive_fds(namespace_init_t)
++domain_obj_id_change_exemption(namespace_init_t)
+
+files_read_etc_files(namespace_init_t)
+files_polyinstantiate_all(namespace_init_t)
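Review bot: The new `domain_obj_id_change_exemption(namespace_init_t)` added after `domain_use_interactive_fds` is a constraint exemption, not an ordinary allow rule: it lets this domain put a SELinux user other than its own on the objects it relabels, and nothing in the hunk records which objects need that. The changelog says it is for relabelling between a user identity and `system_u`, which the `files_polyinstantiate_all(namespace_init_t)` line just below makes plausible, but a future audit will otherwise read the exemption as accidental. I would add a comment above it, e.g. `# namespace.init relabels polyinstantiated dirs between the owning user's identity and system_u (constraint exemption)`. If this tree has a narrower exemption that covers only the relabel classes it would be preferable, but I cannot tell from the hunk.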
@@ -70572,11 +70573,12 @@ index 2533ea0..92f0ecb 100644
+')
diff --git a/policy/modules/apps/thumb.fc b/policy/modules/apps/thumb.fc
new file mode 100644
-index 0000000..930fa33
+index 0000000..3a7c395
--- /dev/null
+++ b/policy/modules/apps/thumb.fc
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,15 @@
+HOME_DIR/\.thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
++HOME_DIR/missfont\.log gen_context(system_u:object_r:thumb_home_t,s0)
+
+/usr/bin/evince-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/gsf-office-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
@@ -70592,10 +70594,10 @@ index 0000000..930fa33
+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
diff --git a/policy/modules/apps/thumb.if b/policy/modules/apps/thumb.if
new file mode 100644
-index 0000000..79515db
+index 0000000..9127cec
--- /dev/null
+++ b/policy/modules/apps/thumb.if
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,125 @@
+
+## <summary>policy for thumb</summary>
+
@@ -70677,6 +70679,7 @@ index 0000000..79515db
+
+ allow $2 thumb_t:dbus send_msg;
+ allow thumb_t $2:dbus send_msg;
++ thumb_filetrans_home_content($2)
+')
+
+########################################
@@ -70699,12 +70702,33 @@ index 0000000..79515db
+ allow $1 thumb_t:dbus send_msg;
+ allow thumb_t $1:dbus send_msg;
+')
++
++########################################
++## <summary>
++## Create thumb content in the user home directory
++## with an correct label.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`thumb_filetrans_home_content',`
++
++ gen_require(`
++ type thumb_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
++ userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
++')
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..95befd6
+index 0000000..62dd2ef
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,96 @@
+@@ -0,0 +1,97 @@
+policy_module(thumb, 1.0.0)
+
+########################################
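Review bot: The summary of the new `thumb_filetrans_home_content` interface reads `with an correct label`; it should be `with the correct label`, and it should state that the interface grants only name-based type transitions, since a caller still needs its own create permission on the user home directory. I would word it as `## Name-based transitions so that .thumbnails and missfont.log created by the domain in a user home directory get thumb_home_t; grants no file permissions by itself.` The preceding hunk also wires this interface into `thumb_role`, so every role that includes thumb now gets the `missfont.log` transition as well, which matches the changelog intent but is worth a sentence in the interface description.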
@@ -70744,6 +70768,7 @@ index 0000000..95befd6
+manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t)
+manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
++userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
+
+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
@@ -75575,7 +75600,7 @@ index 6a1e4d1..ffaa90a 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..d8ec4d2 100644
+index fae1ab1..6d455ba 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -75676,7 +75701,7 @@ index fae1ab1..d8ec4d2 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -158,5 +199,252 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +199,256 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -75799,6 +75824,10 @@ index fae1ab1..d8ec4d2 100644
+')
+
+optional_policy(`
++ thumb_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
+ userdom_filetrans_home_content(unconfined_domain_type)
+')
@@ -95973,7 +96002,7 @@ index 305ddf4..4d70951 100644
+ filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
')
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..c50598f 100644
+index 0f28095..a1527a7 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -96042,7 +96071,7 @@ index 0f28095..c50598f 100644
term_use_unallocated_ttys(cupsd_t)
term_search_ptys(cupsd_t)
-@@ -220,6 +228,7 @@ corecmd_exec_bin(cupsd_t)
+@@ -220,11 +228,13 @@ corecmd_exec_bin(cupsd_t)
domain_use_interactive_fds(cupsd_t)
@@ -96050,7 +96079,13 @@ index 0f28095..c50598f 100644
files_list_spool(cupsd_t)
files_read_etc_files(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
-@@ -270,12 +279,6 @@ files_dontaudit_list_home(cupsd_t)
+ # read python modules
+ files_read_usr_files(cupsd_t)
++files_exec_usr_files(cupsd_t)
+ # for /var/lib/defoma
+ files_read_var_lib_files(cupsd_t)
+ files_list_world_readable(cupsd_t)
+@@ -270,12 +280,6 @@ files_dontaudit_list_home(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
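Review bot: `files_exec_usr_files(cupsd_t)` lets cupsd execute any file labelled usr_t, which is the fallback type for everything under /usr without a more specific context, so it is considerably broader than the `corecmd_exec_bin(cupsd_t)` and `files_read_usr_files(cupsd_t)` rules beside it. The changelog only says `Allow cups to execute usr_t files` and does not record which file produced the denial, so the grant cannot be revisited later. I would either give that file a bin_t file context so the existing exec rule covers it, or keep the rule with a comment naming the path, e.g. `# cupsd executes <path>, which is labelled usr_t; relabel to bin_t and drop this`. The cupsd_t rule block continues outside this hunk.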
@@ -96063,7 +96098,7 @@ index 0f28095..c50598f 100644
optional_policy(`
apm_domtrans_client(cupsd_t)
')
-@@ -287,6 +290,8 @@ optional_policy(`
+@@ -287,6 +291,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -96072,7 +96107,7 @@ index 0f28095..c50598f 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -297,8 +302,10 @@ optional_policy(`
+@@ -297,8 +303,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -96083,7 +96118,7 @@ index 0f28095..c50598f 100644
')
')
-@@ -311,10 +318,22 @@ optional_policy(`
+@@ -311,10 +319,22 @@ optional_policy(`
')
optional_policy(`
@@ -96106,7 +96141,7 @@ index 0f28095..c50598f 100644
mta_send_mail(cupsd_t)
')
-@@ -322,6 +341,8 @@ optional_policy(`
+@@ -322,6 +342,8 @@ optional_policy(`
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
@@ -96115,7 +96150,7 @@ index 0f28095..c50598f 100644
')
optional_policy(`
-@@ -371,8 +392,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +393,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -96126,7 +96161,7 @@ index 0f28095..c50598f 100644
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-@@ -393,6 +415,10 @@ dev_read_sysfs(cupsd_config_t)
+@@ -393,6 +416,10 @@ dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
@@ -96137,7 +96172,7 @@ index 0f28095..c50598f 100644
files_search_all_mountpoints(cupsd_config_t)
-@@ -425,11 +451,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +452,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -96151,7 +96186,7 @@ index 0f28095..c50598f 100644
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
-@@ -453,6 +479,10 @@ optional_policy(`
+@@ -453,6 +480,10 @@ optional_policy(`
')
optional_policy(`
@@ -96162,7 +96197,7 @@ index 0f28095..c50598f 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +497,10 @@ optional_policy(`
+@@ -467,6 +498,10 @@ optional_policy(`
')
optional_policy(`
@@ -96173,7 +96208,7 @@ index 0f28095..c50598f 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -537,6 +571,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,6 +572,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
corenet_tcp_bind_generic_node(cupsd_lpd_t)
corenet_udp_bind_generic_node(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -96181,7 +96216,7 @@ index 0f28095..c50598f 100644
dev_read_urand(cupsd_lpd_t)
dev_read_rand(cupsd_lpd_t)
-@@ -587,23 +622,22 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,23 +623,22 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -96214,7 +96249,7 @@ index 0f28095..c50598f 100644
')
########################################
-@@ -639,7 +673,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +674,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -96223,7 +96258,7 @@ index 0f28095..c50598f 100644
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +719,9 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +720,9 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -96233,7 +96268,7 @@ index 0f28095..c50598f 100644
logging_send_syslog_msg(hplip_t)
-@@ -696,8 +733,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +734,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -97658,7 +97693,7 @@ index f706b99..d41e4fe 100644
+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..f5e84bd 100644
+index f231f17..fb64f1d 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -16,6 +16,7 @@ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
@@ -97750,7 +97785,7 @@ index f231f17..f5e84bd 100644
optional_policy(`
dbus_system_bus_client(devicekit_disk_t)
-@@ -178,55 +194,84 @@ optional_policy(`
+@@ -178,55 +194,85 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -97799,6 +97834,7 @@ index f231f17..f5e84bd 100644
+kernel_rw_vm_sysctls(devicekit_power_t)
kernel_search_debugfs(devicekit_power_t)
kernel_write_proc_files(devicekit_power_t)
++kernel_setsched(devicekit_power_t)
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
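Review bot: `kernel_setsched(devicekit_power_t)` allows `setsched` on kernel_t processes, and the hunk has no comment explaining why a power daemon changes the scheduling or priority of kernel threads. The changelog entry `upowered needs to setsched on the kernel` restates the denial rather than the cause; if this is a one-off priority call during a suspend/resume path, a `dontaudit` may be the more conservative choice, though I cannot tell from here. Please add a comment above the rule, e.g. `# upowerd sets scheduling/priority on a kernel thread (setsched covers sched_setscheduler/setpriority); see <bug>`. The devicekit_power_t rule block continues outside this hunk.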
@@ -97840,7 +97876,7 @@ index f231f17..f5e84bd 100644
userdom_read_all_users_state(devicekit_power_t)
-@@ -235,7 +280,12 @@ optional_policy(`
+@@ -235,7 +281,12 @@ optional_policy(`
')
optional_policy(`
@@ -97853,7 +97889,7 @@ index f231f17..f5e84bd 100644
')
optional_policy(`
-@@ -261,14 +311,21 @@ optional_policy(`
+@@ -261,14 +312,21 @@ optional_policy(`
')
optional_policy(`
@@ -97876,7 +97912,7 @@ index f231f17..f5e84bd 100644
policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
-@@ -276,9 +333,30 @@ optional_policy(`
+@@ -276,9 +334,30 @@ optional_policy(`
')
optional_policy(`
@@ -101218,10 +101254,10 @@ index 0000000..b468a30
+/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0)
diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if
new file mode 100644
-index 0000000..62acfff
+index 0000000..c4c7510
--- /dev/null
+++ b/policy/modules/services/firewalld.if
-@@ -0,0 +1,109 @@
+@@ -0,0 +1,130 @@
+## <summary>policy for firewalld</summary>
+
+########################################
@@ -101286,6 +101322,27 @@ index 0000000..62acfff
+
+########################################
+## <summary>
++## Send and receive messages from
++## firewalld over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`firewalld_dbus_chat',`
++ gen_require(`
++ type firewalld_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 firewalld_t:dbus send_msg;
++ allow firewalld_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
+## All of the rules required to administrate
+## an firewalld environment
+## </summary>
@@ -101587,10 +101644,10 @@ index 9d3201b..6e75e3d 100644
+ allow $1 ftpd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..c183d8c 100644
+index 8a74a83..14b822a 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
-@@ -40,6 +40,20 @@ gen_tunable(allow_ftpd_use_nfs, false)
+@@ -40,6 +40,27 @@ gen_tunable(allow_ftpd_use_nfs, false)
## <desc>
## <p>
@@ -101601,6 +101658,13 @@ index 8a74a83..c183d8c 100644
+
+## <desc>
+## <p>
++## Allow ftp servers to use bind to all unreserved ports for passive mode
++## </p>
++## </desc>
++gen_tunable(ftpd_use_passive_mode, false)
++
++## <desc>
++## <p>
+## Allow ftp servers to connect to all ports > 1023
+## </p>
+## </desc>
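Review bot: The `<desc>` for the new `ftpd_use_passive_mode` boolean reads `Allow ftp servers to use bind to all unreserved ports for passive mode`; `use bind` should be `bind`. Since this text is what administrators see when listing booleans, it should also say what is being opened: `## Allow ftp servers to bind to all unreserved ports (>1023) for passive-mode data connections. Leave off unless the server is configured for passive mode.` Defaulting it to false is the right choice for a grant this wide.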
@@ -101611,7 +101675,7 @@ index 8a74a83..c183d8c 100644
## Allow ftp to read and write files in the user home directories
## </p>
## </desc>
-@@ -48,7 +62,7 @@ gen_tunable(ftp_home_dir, false)
+@@ -48,7 +69,7 @@ gen_tunable(ftp_home_dir, false)
## <desc>
## <p>
## Allow anon internal-sftp to upload files, used for
@@ -101620,7 +101684,7 @@ index 8a74a83..c183d8c 100644
## public_content_rw_t.
## </p>
## </desc>
-@@ -70,6 +84,14 @@ gen_tunable(sftpd_enable_homedirs, false)
+@@ -70,6 +91,14 @@ gen_tunable(sftpd_enable_homedirs, false)
## </desc>
gen_tunable(sftpd_full_access, false)
@@ -101635,7 +101699,7 @@ index 8a74a83..c183d8c 100644
type anon_sftpd_t;
typealias anon_sftpd_t alias sftpd_anon_t;
domain_type(anon_sftpd_t)
-@@ -85,6 +107,9 @@ files_config_file(ftpd_etc_t)
+@@ -85,6 +114,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
@@ -101645,7 +101709,7 @@ index 8a74a83..c183d8c 100644
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)
-@@ -115,6 +140,10 @@ ifdef(`enable_mcs',`
+@@ -115,6 +147,10 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
')
@@ -101656,7 +101720,7 @@ index 8a74a83..c183d8c 100644
########################################
#
# anon-sftp local policy
-@@ -122,6 +151,7 @@ ifdef(`enable_mcs',`
+@@ -122,6 +158,7 @@ ifdef(`enable_mcs',`
files_read_etc_files(anon_sftpd_t)
@@ -101664,7 +101728,7 @@ index 8a74a83..c183d8c 100644
miscfiles_read_public_files(anon_sftpd_t)
tunable_policy(`sftpd_anon_write',`
-@@ -133,7 +163,7 @@ tunable_policy(`sftpd_anon_write',`
+@@ -133,7 +170,7 @@ tunable_policy(`sftpd_anon_write',`
# ftpd local policy
#
@@ -101673,7 +101737,7 @@ index 8a74a83..c183d8c 100644
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
-@@ -151,7 +181,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+@@ -151,7 +188,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
@@ -101681,7 +101745,7 @@ index 8a74a83..c183d8c 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -163,13 +192,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
+@@ -163,13 +199,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
@@ -101697,7 +101761,7 @@ index 8a74a83..c183d8c 100644
# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -177,7 +206,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+@@ -177,7 +213,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
@@ -101706,7 +101770,7 @@ index 8a74a83..c183d8c 100644
dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)
-@@ -196,9 +225,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
+@@ -196,9 +232,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
@@ -101718,7 +101782,7 @@ index 8a74a83..c183d8c 100644
corenet_sendrecv_ftp_server_packets(ftpd_t)
domain_use_interactive_fds(ftpd_t)
-@@ -212,13 +240,11 @@ fs_search_auto_mountpoints(ftpd_t)
+@@ -212,13 +247,11 @@ fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
fs_search_fusefs(ftpd_t)
@@ -101734,7 +101798,7 @@ index 8a74a83..c183d8c 100644
init_rw_utmp(ftpd_t)
-@@ -261,7 +287,11 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+@@ -261,7 +294,15 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
tunable_policy(`allow_ftpd_full_access',`
allow ftpd_t self:capability { dac_override dac_read_search };
@@ -101742,12 +101806,16 @@ index 8a74a83..c183d8c 100644
+ files_manage_non_security_files(ftpd_t)
+')
+
++tunable_policy(`ftpd_use_passive_mode',`
++ corenet_tcp_bind_all_unreserved_ports(ftpd_t)
++')
++
+tunable_policy(`ftpd_connect_all_unreserved',`
+ corenet_tcp_connect_all_unreserved_ports(ftpd_t)
')
tunable_policy(`ftp_home_dir',`
-@@ -270,10 +300,13 @@ tunable_policy(`ftp_home_dir',`
+@@ -270,10 +311,13 @@ tunable_policy(`ftp_home_dir',`
# allow access to /home
files_list_home(ftpd_t)
userdom_read_user_home_content_files(ftpd_t)
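Review bot: `corenet_tcp_bind_all_unreserved_ports(ftpd_t)` inside the new `ftpd_use_passive_mode` block grants name_bind on every port type carrying the unreserved_port_type attribute, which in refpolicy's corenetwork is, as far as I recall, every port numbered 1024 and up, including those with a dedicated type for another service. Because ftpd_t already has the unconditional `corenet_tcp_bind_generic_port(ftpd_t)` visible earlier in this diff, the only thing the boolean really adds is the ability to bind ports that belong to other daemons, which is worth recording next to the rule: `# passive-mode data ports: the admin-chosen range may fall on labelled ports above 1023, hence all_unreserved rather than generic`. If the tree has a narrower interface that excludes the labelled port types, I would prefer it here.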
@@ -101765,7 +101833,7 @@ index 8a74a83..c183d8c 100644
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,6 +342,10 @@ optional_policy(`
+@@ -309,6 +353,10 @@ optional_policy(`
')
optional_policy(`
@@ -101776,7 +101844,7 @@ index 8a74a83..c183d8c 100644
selinux_validate_context(ftpd_t)
kerberos_keytab_template(ftpd, ftpd_t)
-@@ -316,6 +353,25 @@ optional_policy(`
+@@ -316,6 +364,25 @@ optional_policy(`
')
optional_policy(`
@@ -101802,7 +101870,7 @@ index 8a74a83..c183d8c 100644
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
optional_policy(`
-@@ -347,16 +403,17 @@ optional_policy(`
+@@ -347,16 +414,17 @@ optional_policy(`
# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -101822,7 +101890,7 @@ index 8a74a83..c183d8c 100644
########################################
#
-@@ -365,18 +422,33 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +433,33 @@ userdom_use_user_terminals(ftpdctl_t)
files_read_etc_files(sftpd_t)
@@ -101859,7 +101927,7 @@ index 8a74a83..c183d8c 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,19 +466,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,19 +477,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -108682,6 +108750,16 @@ index 83f002c..fa8a3d5 100644
corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
+diff --git a/policy/modules/services/mpd.fc b/policy/modules/services/mpd.fc
+index ddc14d6..c74bf3d 100644
+--- a/policy/modules/services/mpd.fc
++++ b/policy/modules/services/mpd.fc
+@@ -6,3 +6,5 @@
+ /var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0)
+ /var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
+ /var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
++
++/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0)
diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if
index d72276f..cb8c563 100644
--- a/policy/modules/services/mpd.if
@@ -108700,7 +108778,7 @@ index d72276f..cb8c563 100644
mpd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
-index 7f68872..36ff69d 100644
+index 7f68872..72c1f8a 100644
--- a/policy/modules/services/mpd.te
+++ b/policy/modules/services/mpd.te
@@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -108713,7 +108791,18 @@ index 7f68872..36ff69d 100644
manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
-@@ -103,6 +106,10 @@ logging_send_syslog_msg(mpd_t)
+@@ -51,6 +54,10 @@ manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
+
+ read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
+
++manage_dirs_pattern(mpd_t, mpd_log_t, mpd_log_t)
++manage_files_pattern(mpd_t, mpd_log_t, mpd_log_t)
++logging_log_filetrans(mpd_t, mpd_log_t, { dir file lnk_file })
++
+ manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+ manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+ manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+@@ -103,6 +110,10 @@ logging_send_syslog_msg(mpd_t)
miscfiles_read_localization(mpd_t)
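Review bot: `logging_log_filetrans(mpd_t, mpd_log_t, { dir file lnk_file })` is an unnamed transition, so anything mpd_t creates directly in /var/log gets mpd_log_t, while the file context this commit adds to mpd.fc only labels `/var/log/mpd(/.*)?`. Naming the transition keeps the two consistent and keeps stray entries in /var/log out of a type mpd_t can manage: `logging_log_filetrans(mpd_t, mpd_log_t, dir, "mpd")`. If mpd is also expected to log to a file directly under /var/log, add a second named transition for that file rather than the catch-all. The `type mpd_log_t; logging_log_file(mpd_log_t)` declaration is not visible in this hunk, so I assume it is added elsewhere in the patch.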
@@ -108724,7 +108813,7 @@ index 7f68872..36ff69d 100644
optional_policy(`
alsa_read_rw_config(mpd_t)
')
-@@ -122,5 +129,14 @@ optional_policy(`
+@@ -122,5 +133,14 @@ optional_policy(`
')
optional_policy(`
@@ -130426,7 +130515,7 @@ index 7c5d8d8..c542fe7 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..794917a 100644
+index 3eca020..9386b72 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,87 @@ policy_module(virt, 1.4.0)
@@ -131001,7 +131090,7 @@ index 3eca020..794917a 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,25 +645,393 @@ files_search_all(virt_domain)
+@@ -440,25 +645,396 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -131361,11 +131450,14 @@ index 3eca020..794917a 100644
+#
+# virt_qmf local policy
+#
-+allow virt_qmf_t self:process signal;
++allow virt_qmf_t self:capability { sys_nice sys_tty_config };
++allow virt_qmf_t self:process { setsched signal };
+allow virt_qmf_t self:fifo_file rw_fifo_file_perms;
+allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms;
+allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
++allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
+
++kernel_read_system_state(virt_qmf_t)
+kernel_read_network_state(virt_qmf_t)
+
+dev_list_sysfs(virt_qmf_t)
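Review bot: The new `allow virt_qmf_t self:capability { sys_nice sys_tty_config };` grants sys_tty_config, which for a non-interactive agent is usually a harmless startup ioctl and is handled elsewhere in this same patch with a dontaudit (`dontaudit ftpd_t self:capability sys_tty_config;` in ftp.te). Unless the agent really configures a terminal, the tighter shape is `allow virt_qmf_t self:capability sys_nice;` plus `dontaudit virt_qmf_t self:capability sys_tty_config;`. sys_nice together with the added `setsched` on self is coherent, but a comment saying which component raises its own priority would help the next reviewer. The virt_qmf_t block continues outside this hunk.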
@@ -131624,10 +131716,10 @@ index 0000000..8e3570d
+')
diff --git a/policy/modules/services/wdmd.te b/policy/modules/services/wdmd.te
new file mode 100644
-index 0000000..c0f3e2f
+index 0000000..b6db3b3
--- /dev/null
+++ b/policy/modules/services/wdmd.te
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,47 @@
+policy_module(wdmd,1.0.0)
+
+########################################
@@ -131670,6 +131762,8 @@ index 0000000..c0f3e2f
+
+fs_read_anon_inodefs_files(wdmd_t)
+
++auth_use_nsswitch(wdmd_t)
++
+logging_send_syslog_msg(wdmd_t)
+
+miscfiles_read_localization(wdmd_t)
@@ -131684,7 +131778,7 @@ index aa6e5a8..42a0efb 100644
########################################
## <summary>
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 4966c94..44a9ef5 100644
+index 4966c94..bc7b581 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,34 @@
@@ -131787,7 +131881,7 @@ index 4966c94..44a9ef5 100644
/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-@@ -90,17 +115,44 @@ ifdef(`distro_debian', `
+@@ -90,17 +115,45 @@ ifdef(`distro_debian', `
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
@@ -131825,6 +131919,7 @@ index 4966c94..44a9ef5 100644
+
+/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
++/var/run/systemd/multi-session-x(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -133072,7 +133167,7 @@ index 130ced9..4a0455e 100644
+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..b0f5722 100644
+index 143c893..2659b5c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -133610,7 +133705,7 @@ index 143c893..b0f5722 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +610,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +610,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -133635,6 +133730,7 @@ index 143c893..b0f5722 100644
# Run telinit->init to shutdown.
init_telinit(xdm_t)
+init_dbus_chat(xdm_t)
++init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")
libs_exec_lib_files(xdm_t)
@@ -133651,7 +133747,7 @@ index 143c893..b0f5722 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -476,24 +649,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,24 +650,43 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -133701,7 +133797,7 @@ index 143c893..b0f5722 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -507,11 +699,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +700,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -133723,7 +133819,7 @@ index 143c893..b0f5722 100644
')
optional_policy(`
-@@ -519,12 +721,63 @@ optional_policy(`
+@@ -519,12 +722,63 @@ optional_policy(`
')
optional_policy(`
@@ -133787,7 +133883,7 @@ index 143c893..b0f5722 100644
hostname_exec(xdm_t)
')
-@@ -542,28 +795,69 @@ optional_policy(`
+@@ -542,28 +796,69 @@ optional_policy(`
')
optional_policy(`
@@ -133866,7 +133962,7 @@ index 143c893..b0f5722 100644
')
optional_policy(`
-@@ -575,6 +869,14 @@ optional_policy(`
+@@ -575,6 +870,14 @@ optional_policy(`
')
optional_policy(`
@@ -133881,7 +133977,7 @@ index 143c893..b0f5722 100644
xfs_stream_connect(xdm_t)
')
-@@ -599,7 +901,8 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -599,7 +902,8 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -133891,7 +133987,7 @@ index 143c893..b0f5722 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -613,8 +916,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +917,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -133907,7 +134003,7 @@ index 143c893..b0f5722 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +943,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +944,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -133929,7 +134025,7 @@ index 143c893..b0f5722 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +963,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +964,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -133937,7 +134033,7 @@ index 143c893..b0f5722 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -672,21 +990,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,21 +991,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -133968,7 +134064,7 @@ index 143c893..b0f5722 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -697,8 +1022,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1023,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -133982,7 +134078,7 @@ index 143c893..b0f5722 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1041,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1042,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -133991,7 +134087,7 @@ index 143c893..b0f5722 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1048,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1049,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -134006,7 +134102,7 @@ index 143c893..b0f5722 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1107,40 @@ optional_policy(`
+@@ -778,16 +1108,40 @@ optional_policy(`
')
optional_policy(`
@@ -134048,7 +134144,7 @@ index 143c893..b0f5722 100644
unconfined_domtrans(xserver_t)
')
-@@ -796,6 +1149,10 @@ optional_policy(`
+@@ -796,6 +1150,10 @@ optional_policy(`
')
optional_policy(`
@@ -134059,7 +134155,7 @@ index 143c893..b0f5722 100644
xfs_stream_connect(xserver_t)
')
-@@ -811,10 +1168,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1169,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -134073,7 +134169,7 @@ index 143c893..b0f5722 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1179,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1180,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -134082,7 +134178,7 @@ index 143c893..b0f5722 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -835,26 +1192,21 @@ init_use_fds(xserver_t)
+@@ -835,26 +1193,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -134117,7 +134213,7 @@ index 143c893..b0f5722 100644
')
optional_policy(`
-@@ -862,6 +1214,10 @@ optional_policy(`
+@@ -862,6 +1215,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -134128,7 +134224,7 @@ index 143c893..b0f5722 100644
########################################
#
# Rules common to all X window domains
-@@ -905,7 +1261,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1262,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -134137,7 +134233,7 @@ index 143c893..b0f5722 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -959,11 +1315,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1316,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -134169,7 +134265,7 @@ index 143c893..b0f5722 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -985,18 +1361,31 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1362,31 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -139385,7 +139481,7 @@ index ddbd8be..fad18e0 100644
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 560dc48..75a2fbd 100644
+index 560dc48..989999b 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -28,26 +28,24 @@ ifdef(`distro_redhat',`
@@ -139419,9 +139515,12 @@ index 560dc48..75a2fbd 100644
')
ifdef(`distro_gentoo',`
-@@ -62,7 +60,6 @@ ifdef(`distro_gentoo',`
+@@ -60,9 +58,8 @@ ifdef(`distro_gentoo',`
+ #
+ # /opt
#
- /opt/.*\.so gen_context(system_u:object_r:lib_t,s0)
+-/opt/.*\.so gen_context(system_u:object_r:lib_t,s0)
++/opt/.*\.so(\.[^/]*)* gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
@@ -139440,7 +139539,7 @@ index 560dc48..75a2fbd 100644
/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -119,64 +122,62 @@ ifdef(`distro_redhat',`
+@@ -119,64 +122,63 @@ ifdef(`distro_redhat',`
/usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0)
/usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
@@ -139507,6 +139606,7 @@ index 560dc48..75a2fbd 100644
+/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nero/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
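Review bot: The new `/usr/lib/nvidia/.+\.so(\..*)?` entry uses a version-suffix pattern that differs from every neighbouring line in this hunk, which all spell it `\.so(\.[^/]*)*`. Because `.+` already matches across `/`, the practical match set is almost the same, but `(\..*)?` also lets the suffix itself contain `/`, and textrel_shlib_t is the type that relaxes the text-relocation (execmod) restriction, so the regex should be as tight and as uniform as its siblings. I would write it as `/usr/lib/nvidia/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The enclosing distro_redhat block of libraries.fc continues outside the hunk.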
@@ -139539,7 +139639,7 @@ index 560dc48..75a2fbd 100644
')
ifdef(`distro_gentoo',`
-@@ -195,7 +196,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
+@@ -195,7 +197,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
/usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -139547,7 +139647,7 @@ index 560dc48..75a2fbd 100644
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -203,86 +203,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
+@@ -203,86 +204,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/VBoxVMM\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -139692,7 +139792,7 @@ index 560dc48..75a2fbd 100644
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -303,8 +304,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -303,8 +305,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -139702,7 +139802,7 @@ index 560dc48..75a2fbd 100644
') dnl end distro_redhat
#
-@@ -312,17 +312,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -312,17 +313,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@@ -140980,10 +141080,10 @@ index b6ec597..9c495b2 100644
optional_policy(`
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..1121047 100644
+index 879bb1e..63893d1 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
-@@ -28,20 +28,24 @@ ifdef(`distro_gentoo',`
+@@ -28,23 +28,28 @@ ifdef(`distro_gentoo',`
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -141009,7 +141109,11 @@ index 879bb1e..1121047 100644
/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -88,8 +92,66 @@ ifdef(`distro_gentoo',`
++/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
+@@ -88,8 +93,67 @@ ifdef(`distro_gentoo',`
#
# /usr
#
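Review bot: `/sbin/lvmetad` is labelled lvm_exec_t like the one-shot CLI tools in this hunk (the `@@ -141030,6 +141134,7 @@` hunk does the same for `/usr/sbin/lvmetad`), but lvmetad is a long-running daemon, so when started from init it will run as lvm_t and presumably needs daemon-style access that the command-line tools do not, such as creating its socket and pid file under /run/lvm. Nothing in this change labels those files; verify that lvm.fc already covers `/var/run/lvm(/.*)?` and that lvm_t may create sock_files there, otherwise the daemon fails on first start with an AVC denial rather than at policy-build time. A short comment such as `# lvmetad is a daemon; see lvm.te for its /run/lvm socket rules` next to the new line would record the intent. The enclosing file-context block continues outside the hunk.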
@@ -141030,6 +141134,7 @@ index 879bb1e..1121047 100644
+/usr/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -141078,7 +141183,7 @@ index 879bb1e..1121047 100644
#
# /var
-@@ -97,5 +159,7 @@ ifdef(`distro_gentoo',`
+@@ -97,5 +161,7 @@ ifdef(`distro_gentoo',`
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -144059,7 +144164,7 @@ index ff80d0a..22c9f0d 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..92fa1e9 100644
+index 34d0ec5..400efc0 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -144205,7 +144310,18 @@ index 34d0ec5..92fa1e9 100644
')
optional_policy(`
-@@ -171,6 +203,8 @@ optional_policy(`
+@@ -161,6 +193,10 @@ optional_policy(`
+ dbus_connect_system_bus(dhcpc_t)
+
+ optional_policy(`
++ firewalld_dbus_chat(dhcpc_t)
++ ')
++
++ optional_policy(`
+ networkmanager_dbus_chat(dhcpc_t)
+ ')
+ ')
+@@ -171,6 +207,8 @@ optional_policy(`
optional_policy(`
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@@ -144214,7 +144330,7 @@ index 34d0ec5..92fa1e9 100644
')
optional_policy(`
-@@ -192,17 +226,31 @@ optional_policy(`
+@@ -192,17 +230,31 @@ optional_policy(`
')
optional_policy(`
@@ -144246,7 +144362,7 @@ index 34d0ec5..92fa1e9 100644
')
optional_policy(`
-@@ -213,6 +261,11 @@ optional_policy(`
+@@ -213,6 +265,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -144258,7 +144374,7 @@ index 34d0ec5..92fa1e9 100644
')
optional_policy(`
-@@ -255,6 +308,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -255,6 +312,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -144266,7 +144382,7 @@ index 34d0ec5..92fa1e9 100644
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -273,11 +327,17 @@ corenet_rw_tun_tap_dev(ifconfig_t)
+@@ -273,11 +331,17 @@ corenet_rw_tun_tap_dev(ifconfig_t)
dev_read_sysfs(ifconfig_t)
# for IPSEC setup:
dev_read_urand(ifconfig_t)
@@ -144284,7 +144400,7 @@ index 34d0ec5..92fa1e9 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -290,7 +350,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -290,7 +354,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -144293,7 +144409,7 @@ index 34d0ec5..92fa1e9 100644
init_use_fds(ifconfig_t)
init_use_script_ptys(ifconfig_t)
-@@ -301,11 +361,11 @@ logging_send_syslog_msg(ifconfig_t)
+@@ -301,11 +365,11 @@ logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
@@ -144308,7 +144424,7 @@ index 34d0ec5..92fa1e9 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -314,7 +374,22 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +378,22 @@ ifdef(`distro_ubuntu',`
')
')
@@ -144331,7 +144447,7 @@ index 34d0ec5..92fa1e9 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -325,8 +400,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +404,14 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -144346,7 +144462,7 @@ index 34d0ec5..92fa1e9 100644
')
optional_policy(`
-@@ -335,7 +416,15 @@ optional_policy(`
+@@ -335,7 +420,15 @@ optional_policy(`
')
optional_policy(`
@@ -144363,7 +144479,7 @@ index 34d0ec5..92fa1e9 100644
')
optional_policy(`
-@@ -356,3 +445,9 @@ optional_policy(`
+@@ -356,3 +449,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -145090,10 +145206,10 @@ index 0000000..a7e3666
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..f4dd2ab
+index 0000000..68bf0f6
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,402 @@
+@@ -0,0 +1,403 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -145223,6 +145339,7 @@ index 0000000..f4dd2ab
+userdom_manage_user_tmp_dirs(systemd_logind_t)
+userdom_manage_user_tmp_files(systemd_logind_t)
+userdom_manage_user_tmp_symlinks(systemd_logind_t)
++userdom_manage_user_tmp_sockets(systemd_logind_t)
+
+optional_policy(`
+ cron_dbus_chat_crond(systemd_logind_t)
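Review bot: `userdom_manage_user_tmp_sockets(systemd_logind_t)` grants the full manage permission set on user tmp sock_files, including create and write, whereas the changelog entry only asks for logind to be able to remove them. If userdom.if offers a delete-only interface for user tmp sock_files, it would cover the session-cleanup case with less privilege; if full manage really is required, a comment recording why, e.g. `# logind removes per-session sockets from user tmp on logout`, would stop the next reviewer from narrowing it. The enclosing systemd_logind_t rule block continues outside the hunk.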
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f194a4f..8f80045 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 111%{?dist}
+Release: 112%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -489,6 +489,23 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Apr 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-112
+- upowered needs to setsched on the kernel
+- Allow mpd_t to manage log files
+- Allow xdm_t to create /var/run/systemd/multi-session-x
+- Add rules for missedfont.log to be used by thumb.fc
+- Additional access required for virt_qmf_t
+- Allow dhclient to dbus chat with the firewalld
+- Add label for lvmetad
+- Allow systemd_logind_t to remove userdomain sock_files
+- Allow cups to execute usr_t files
+- Fix labeling on nvidia shared libraries
+- wdmd_t needs access to sssd and /etc/passwd
+- Add boolean to allow ftp servers to run in passive mode
+- Allow namepspace_init_t to relabelto/from a different user system_u from the user the namespace_init running with
+- Fix using httpd_use_fusefs
+- Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox
+
* Fri Apr 6 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-111
- Rename rdate port to time port, and allow gnomeclock to connect to it
- We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda