[selinux-policy/f17] * Mon Aug 20 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-146 - Allow tmpreaper to delete unlabele
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Aug 20 12:33:01 UTC 2012
commit faa5da813a888f5e199371fd3764d79254c93758
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Aug 20 14:32:28 2012 +0200
* Mon Aug 20 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-146
- Allow tmpreaper to delete unlabeled files
- Backport selinux_login_config fixes from F18 for sssd
- Allow thumb drives to create shared memory and semaphores
- Make "snmpwalk -mREDHAT-CLUSTER-MIB ...." work
- Allow dlm_controld to execute dlm_stonith labeled as bin_t
- Allow GFS2 working on F17
- Allow thumb to gettatr on all fs
- Allow condor domains to read kernel sysctls
- Allow condor_master to connect to amqp
- Allow abrt to read mozilla_plugin config files
- Backport squid policy with support for lightsquid
- Allow useradd to modify /etc/default/useradd
- dovecot_auth_t uses ldap for user auth
- Dontaudit mozilla_plugin attempts to ipc_lock
- Allow tmpreaper to search unlabeled /tmp/kdecache-root
- Allow jockey to list the contents of modeprobe.d
- Allow web plugins to connect to the asterisk ports
policy-F16.patch | 831 +++++++++++++++++++++++++++++++++++++--------------
selinux-policy.spec | 21 ++-
2 files changed, 622 insertions(+), 230 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index b7ad125..362f223 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -67235,7 +67235,7 @@ index d5aaf0e..6b16aef 100644
optional_policy(`
mta_send_mail(sxid_t)
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..5f12852 100644
+index 6a5004b..2fd53ed 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -67246,11 +67246,13 @@ index 6a5004b..5f12852 100644
application_domain(tmpreaper_t, tmpreaper_exec_t)
role system_r types tmpreaper_t;
-@@ -18,33 +19,46 @@ role system_r types tmpreaper_t;
+@@ -18,33 +19,50 @@ role system_r types tmpreaper_t;
allow tmpreaper_t self:process { fork sigchld };
allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+kernel_read_system_state(tmpreaper_t)
++kernel_delete_unlabeled(tmpreaper_t)
++kernel_list_unlabeled(tmpreaper_t)
+
dev_read_urand(tmpreaper_t)
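Review bot: `kernel_delete_unlabeled(tmpreaper_t)` is not scoped to /tmp — unlabeled_t is the label of anything on a filesystem without xattr labels or created before policy load, so together with the `dac_override dac_read_search fowner` capabilities granted a few lines above, the domain may now unlink unlabeled files in whatever directories tmpreaper is pointed at. That is presumably acceptable for a tmp reaper, but it deserves a call-site comment so the next reader does not mistake it for a tmp_t-only rule, e.g. `# unlabeled_t content under /tmp (e.g. /tmp/kdecache-root, see changelog); not restricted to tmp_t parents`. The same two calls are also added a second time further down in this tmpreaper.te section of the patch, so only one copy should survive.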
@@ -67266,6 +67268,8 @@ index 6a5004b..5f12852 100644
+files_setattr_usr_dirs(tmpreaper_t)
files_getattr_all_dirs(tmpreaper_t)
files_getattr_all_files(tmpreaper_t)
++kernel_list_unlabeled(tmpreaper_t)
++kernel_delete_unlabeled(tmpreaper_t)
+mcs_file_read_all(tmpreaper_t)
+mcs_file_write_all(tmpreaper_t)
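Review bot: `kernel_list_unlabeled` and `kernel_delete_unlabeled` are added here a second time for tmpreaper_t; the identical pair already appears in the earlier hunk of this tmpreaper.te section, right after `kernel_read_system_state`. Duplicate allow rules are merged by checkpolicy so nothing breaks, but the repetition hides which hunk is authoritative and will make the next rebase of policy-F16.patch noisier. Drop one of the two pairs.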
@@ -67297,7 +67301,7 @@ index 6a5004b..5f12852 100644
')
optional_policy(`
-@@ -52,7 +66,9 @@ optional_policy(`
+@@ -52,7 +70,9 @@ optional_policy(`
')
optional_policy(`
@@ -67307,7 +67311,7 @@ index 6a5004b..5f12852 100644
apache_delete_cache_files(tmpreaper_t)
apache_setattr_cache_dirs(tmpreaper_t)
')
-@@ -66,9 +82,13 @@ optional_policy(`
+@@ -66,9 +86,13 @@ optional_policy(`
')
optional_policy(`
@@ -67581,7 +67585,7 @@ index 81fb26f..66cf96c 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..032ccdd 100644
+index 441cf22..2a700a2 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -67790,7 +67794,7 @@ index 441cf22..032ccdd 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -448,10 +472,13 @@ corecmd_exec_shell(useradd_t)
+@@ -448,29 +472,31 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -67805,7 +67809,9 @@ index 441cf22..032ccdd 100644
files_search_var_lib(useradd_t)
files_relabel_etc_files(useradd_t)
files_read_etc_runtime_files(useradd_t)
-@@ -460,17 +487,15 @@ fs_search_auto_mountpoints(useradd_t)
++files_manage_etc_files(useradd_t)
+
+ fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)
mls_file_upgrade(useradd_t)
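Review bot: `files_manage_etc_files(useradd_t)` grants create/write/unlink on every etc_t file, while the changelog entry it backs only needs /etc/default/useradd. Combined with the `files_relabel_etc_files(useradd_t)` already present two lines above, the domain can now rewrite and relabel arbitrary configuration under /etc rather than the single defaults file. A narrower option is a dedicated type for /etc/default/useradd with a filetrans; if the broad interface is kept on purpose, record why next to the line, e.g. `# useradd -D rewrites /etc/default/useradd (plain etc_t); no dedicated type yet`.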
@@ -67830,7 +67836,7 @@ index 441cf22..032ccdd 100644
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
-@@ -478,6 +503,7 @@ auth_rw_faillog(useradd_t)
+@@ -478,6 +504,7 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above
# domtrans_chk_passwd() call.
@@ -67838,7 +67844,18 @@ index 441cf22..032ccdd 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -495,24 +521,20 @@ seutil_read_file_contexts(useradd_t)
+@@ -490,29 +517,31 @@ logging_send_syslog_msg(useradd_t)
+
+ miscfiles_read_localization(useradd_t)
+
++seutil_semanage_policy(useradd_t)
++seutil_manage_file_contexts(useradd_t)
++seutil_manage_config(useradd_t)
++seutil_manage_login_config(useradd_t)
++seutil_manage_default_contexts(useradd_t)
++
+ seutil_read_config(useradd_t)
+ seutil_read_file_contexts(useradd_t)
seutil_read_default_contexts(useradd_t)
seutil_domtrans_semanage(useradd_t)
seutil_domtrans_setfiles(useradd_t)
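Review bot: the five new `seutil_manage_*`/`seutil_semanage_policy` calls give useradd_t direct write access to the SELinux policy store, file_contexts, config and login/default contexts, yet the domain keeps `seutil_domtrans_semanage` and `seutil_domtrans_setfiles` just below, which already route those writes through the confined semanage_t/setfiles_t domains. Unless the sssd change really requires useradd_t to edit these files in-domain (the changelog only says the fixes were backported for sssd), the domain transitions should be enough and the direct rules widen a root administrative tool to policy-store tampering. Please add a comment naming the code path that writes these files without exec'ing semanage, e.g. `# direct policy store/login config writes: needed by <tool>; domtrans not taken because ...`, or drop the direct rules.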
@@ -67851,10 +67868,10 @@ index 441cf22..032ccdd 100644
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
-userdom_manage_user_home_dirs(useradd_t)
- userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_manage_user_home_content_dirs(useradd_t)
-userdom_manage_user_home_content_files(useradd_t)
--userdom_home_filetrans_user_home_dir(useradd_t)
+ userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
+userdom_manage_home_role(system_r, useradd_t)
+userdom_delete_all_user_home_content(useradd_t)
@@ -68155,10 +68172,10 @@ index 0000000..efebae7
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..b4247ae
+index 0000000..a0c979d
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,185 @@
+@@ -0,0 +1,186 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -68217,6 +68234,7 @@ index 0000000..b4247ae
+
+corenet_all_recvfrom_unlabeled(chrome_sandbox_t)
+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
++corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
+corenet_tcp_connect_flash_port(chrome_sandbox_t)
+corenet_tcp_connect_streaming_port(chrome_sandbox_t)
+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
@@ -71235,10 +71253,10 @@ index 0000000..fb58f33
+')
diff --git a/policy/modules/apps/jockey.te b/policy/modules/apps/jockey.te
new file mode 100644
-index 0000000..0316d53
+index 0000000..daf38ab
--- /dev/null
+++ b/policy/modules/apps/jockey.te
-@@ -0,0 +1,52 @@
+@@ -0,0 +1,53 @@
+policy_module(jockey, 1.0.0)
+
+########################################
@@ -71290,6 +71308,7 @@ index 0000000..0316d53
+optional_policy(`
+ modutils_domtrans_insmod(jockey_t)
+ modutils_read_module_config(jockey_t)
++ modutils_list_module_config(jockey_t)
+')
diff --git a/policy/modules/apps/kde.fc b/policy/modules/apps/kde.fc
new file mode 100644
@@ -71848,7 +71867,7 @@ index 93ac529..82f8e65 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..2c0357f 100644
+index fbb5c5a..67c1168 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -71991,7 +72010,7 @@ index fbb5c5a..2c0357f 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -279,28 +361,100 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +361,118 @@ interface(`mozilla_rw_tcp_sockets',`
## </summary>
## </param>
#
@@ -72022,10 +72041,11 @@ index fbb5c5a..2c0357f 100644
gen_require(`
- type mozilla_plugin_tmpfs_t;
+ type mozilla_plugin_t;
-+ ')
-+
+ ')
+
+- allow $1 mozilla_plugin_tmpfs_t:file unlink;
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
-+')
+ ')
+
+#######################################
+## <summary>
@@ -72067,6 +72087,24 @@ index fbb5c5a..2c0357f 100644
+
+########################################
+## <summary>
++## read mozilla_plugin rw files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mozilla_plugin_read_rw_files',`
++ gen_require(`
++ type mozilla_plugin_rw_t;
++ ')
++
++ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
++')
++
++########################################
++## <summary>
+## Create mozilla content in the user home directory
+## with an correct label.
+## </summary>
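Review bot: the summary of the new `mozilla_plugin_read_rw_files` interface, `read mozilla_plugin rw files.`, is lowercase and does not say what mozilla_plugin_rw_t labels, unlike the other summaries in this file which start with a capital and name the object. Suggest `## Read mozilla plugin read/write content (mozilla_plugin_rw_t).`; if that type covers plugin configuration, as the changelog's "mozilla_plugin config files" suggests, say so in the summary so callers like abrt_t can judge whether read is all they need.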
@@ -72080,9 +72118,8 @@ index fbb5c5a..2c0357f 100644
+
+ gen_require(`
+ type mozilla_home_t;
- ')
-
-- allow $1 mozilla_plugin_tmpfs_t:file unlink;
++ ')
++
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
@@ -72097,10 +72134,10 @@ index fbb5c5a..2c0357f 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
- ')
++')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..68d2dee 100644
+index 2e9318b..78aa11d 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -12,6 +12,13 @@ policy_module(mozilla, 2.3.3)
@@ -72236,7 +72273,7 @@ index 2e9318b..68d2dee 100644
-allow mozilla_plugin_t self:process { setsched signal_perms execmem };
-allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
-allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
-+dontaudit mozilla_plugin_t self:capability { sys_nice sys_tty_config };
++dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_tty_config };
+
+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit };
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
@@ -72272,7 +72309,7 @@ index 2e9318b..68d2dee 100644
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -322,31 +347,46 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -322,31 +347,47 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -72296,6 +72333,7 @@ index 2e9318b..68d2dee 100644
-corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
-corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
-corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
++corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
corenet_tcp_connect_generic_port(mozilla_plugin_t)
-corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
+corenet_tcp_connect_flash_port(mozilla_plugin_t)
@@ -72326,7 +72364,7 @@ index 2e9318b..68d2dee 100644
dev_read_video_dev(mozilla_plugin_t)
dev_write_video_dev(mozilla_plugin_t)
dev_read_sysfs(mozilla_plugin_t)
-@@ -355,6 +395,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -355,6 +396,7 @@ dev_write_sound(mozilla_plugin_t)
# for nvidia driver
dev_rw_xserver_misc(mozilla_plugin_t)
dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -72334,7 +72372,7 @@ index 2e9318b..68d2dee 100644
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,15 +403,21 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,15 +404,21 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
@@ -72356,7 +72394,7 @@ index 2e9318b..68d2dee 100644
logging_send_syslog_msg(mozilla_plugin_t)
miscfiles_read_localization(mozilla_plugin_t)
-@@ -383,35 +430,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,35 +431,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
@@ -72404,7 +72442,7 @@ index 2e9318b..68d2dee 100644
optional_policy(`
alsa_read_rw_config(mozilla_plugin_t)
-@@ -421,24 +460,33 @@ optional_policy(`
+@@ -421,24 +461,33 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(mozilla_plugin_t)
dbus_session_bus_client(mozilla_plugin_t)
@@ -72442,7 +72480,7 @@ index 2e9318b..68d2dee 100644
')
optional_policy(`
-@@ -446,10 +494,105 @@ optional_policy(`
+@@ -446,10 +495,105 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -76346,10 +76384,10 @@ index 0000000..9127cec
+')
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..105338a
+index 0000000..b5f5dd2
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,113 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -76386,6 +76424,8 @@ index 0000000..105338a
+allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
+allow thumb_t self:udp_socket create_socket_perms;
+allow thumb_t self:tcp_socket create_socket_perms;
++allow thumb_t self:shm create_shm_perms;
++allow thumb_t self:sem create_sem_perms;
+
+manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t)
+manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
@@ -76420,6 +76460,7 @@ index 0000000..105338a
+files_read_usr_files(thumb_t)
+files_read_non_security_files(thumb_t)
+
++fs_getattr_all_fs(thumb_t)
+fs_read_dos_files(thumb_t)
+
+auth_use_nsswitch(thumb_t)
@@ -85042,7 +85083,7 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 6346378..4221c9d 100644
+index 6346378..2d3af1c 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -345,13 +345,8 @@ interface(`kernel_load_module',`
@@ -85118,7 +85159,58 @@ index 6346378..4221c9d 100644
')
########################################
-@@ -2293,7 +2324,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2249,6 +2280,24 @@ interface(`kernel_sigchld_unlabeled',`
+ allow $1 unlabeled_t:process sigchld;
+ ')
+
++#######################################
++## <summary>
++## Search unlabeled directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_search_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir search_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## List unlabeled directories.
+@@ -2269,6 +2318,25 @@ interface(`kernel_list_unlabeled',`
+
+ ########################################
+ ## <summary>
++## Delete unlabeled files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_delete_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir delete_dir_perms;
++ allow $1 unlabeled_t:dir_file_class_set delete_file_perms;
++')
++
++########################################
++## <summary>
+ ## Read the process state (/proc/pid) of all unlabeled_t.
+ ## </summary>
+ ## <param name="domain">
+@@ -2293,7 +2361,7 @@ interface(`kernel_read_unlabeled_state',`
## </summary>
## <param name="domain">
## <summary>
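Review bot: `kernel_delete_unlabeled` grants `unlabeled_t:dir delete_dir_perms` and `delete_file_perms` on the objects themselves, but in refpolicy `delete_dir_perms` is `{ getattr rmdir }` and `delete_file_perms` is `{ getattr unlink }`, so unless this tree defines them differently the caller still lacks `write remove_name` on an unlabeled_t parent directory and can only remove unlabeled entries that sit in a directory it already has del_entry rights to (tmp_t, say). If nested unlabeled content such as the changelog's /tmp/kdecache-root is the target, add `allow $1 unlabeled_t:dir del_entry_dir_perms;` or use the `delete_dirs_pattern`/`delete_files_pattern` helpers, which carry the parent-directory permissions. The summary `Delete unlabeled files` should also mention directories since rmdir is granted, and the rule box above `kernel_search_unlabeled` is one `#` short of the file's 40-column style.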
@@ -85127,7 +85219,7 @@ index 6346378..4221c9d 100644
## </summary>
## </param>
#
-@@ -2475,6 +2506,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2475,6 +2543,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
## <summary>
@@ -85152,7 +85244,7 @@ index 6346378..4221c9d 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## </summary>
-@@ -2619,7 +2668,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2619,7 +2705,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
@@ -85161,7 +85253,7 @@ index 6346378..4221c9d 100644
')
########################################
-@@ -2657,6 +2706,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2657,6 +2743,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
@@ -85186,7 +85278,7 @@ index 6346378..4221c9d 100644
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
-@@ -2684,6 +2751,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2684,6 +2788,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
@@ -85212,7 +85304,7 @@ index 6346378..4221c9d 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
-@@ -2793,6 +2879,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2793,6 +2916,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -85246,7 +85338,7 @@ index 6346378..4221c9d 100644
########################################
## <summary>
-@@ -2948,6 +3061,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2948,6 +3098,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
@@ -85271,7 +85363,7 @@ index 6346378..4221c9d 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
-@@ -2962,4 +3093,43 @@ interface(`kernel_unconfined',`
+@@ -2962,4 +3130,43 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -85295,7 +85387,7 @@ index 6346378..4221c9d 100644
+ ')
+
+ allow $1 kernel_t:unix_stream_socket connectto;
-+')
+ ')
+
+########################################
+## <summary>
@@ -85313,7 +85405,7 @@ index 6346378..4221c9d 100644
+ ')
+
+ typeattribute $1 proc_type;
- ')
++')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index d91c62f..e6f3965 100644
@@ -89954,7 +90046,7 @@ index 0b827c5..ac79ca6 100644
+ dontaudit $1 abrt_t:sock_file write;
')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..8d391e2 100644
+index 30861ec..fd6deb5 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0)
@@ -90119,7 +90211,7 @@ index 30861ec..8d391e2 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,22 +197,31 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +197,32 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -90153,10 +90245,11 @@ index 30861ec..8d391e2 100644
optional_policy(`
- nis_use_ypbind(abrt_t)
+ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
++ mozilla_plugin_read_rw_files(abrt_t)
')
optional_policy(`
-@@ -167,6 +242,7 @@ optional_policy(`
+@@ -167,6 +243,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -90164,7 +90257,7 @@ index 30861ec..8d391e2 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,12 +254,35 @@ optional_policy(`
+@@ -178,12 +255,35 @@ optional_policy(`
')
optional_policy(`
@@ -90201,7 +90294,7 @@ index 30861ec..8d391e2 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +299,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +300,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -90230,7 +90323,7 @@ index 30861ec..8d391e2 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +322,146 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +323,146 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -99783,10 +99876,10 @@ index 0000000..168f664
+')
diff --git a/policy/modules/services/condor.te b/policy/modules/services/condor.te
new file mode 100644
-index 0000000..97437dd
+index 0000000..b17da05
--- /dev/null
+++ b/policy/modules/services/condor.te
-@@ -0,0 +1,238 @@
+@@ -0,0 +1,236 @@
+policy_module(condor, 1.0.0)
+
+########################################
@@ -99870,6 +99963,7 @@ index 0000000..97437dd
+
+kernel_read_system_state(condor_domain)
+kernel_read_network_state(condor_domain)
++kernel_read_kernel_sysctls(condor_domain)
+
+corecmd_exec_bin(condor_domain)
+corecmd_exec_shell(condor_domain)
@@ -99912,6 +100006,7 @@ index 0000000..97437dd
+
+corenet_tcp_bind_condor_port(condor_master_t)
+corenet_udp_bind_condor_port(condor_master_t)
++corenet_tcp_connect_amqp_port(condor_master_t)
+
+domain_read_all_domains_state(condor_master_t)
+
@@ -99972,8 +100067,6 @@ index 0000000..97437dd
+files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
+allow condor_schedd_t condor_schedd_tmp_t:file { relabelfrom relabelto };
+
-+kernel_read_kernel_sysctls(condor_schedd_t)
-+
+corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
+
+auth_use_nsswitch(condor_schedd_t)
@@ -99998,8 +100091,6 @@ index 0000000..97437dd
+
+can_exec(condor_startd_t, condor_startd_exec_t)
+
-+kernel_read_kernel_sysctls(condor_startd_t)
-+
+domain_read_all_domains_state(condor_startd_t)
+
+auth_use_nsswitch(condor_startd_t)
@@ -100294,7 +100385,7 @@ index 3a6d7eb..bb32bf0 100644
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
-index 5220c9d..25babd6 100644
+index 5220c9d..885b25d 100644
--- a/policy/modules/services/corosync.if
+++ b/policy/modules/services/corosync.if
@@ -18,6 +18,25 @@ interface(`corosync_domtrans',`
@@ -100323,7 +100414,7 @@ index 5220c9d..25babd6 100644
#######################################
## <summary>
## Allow the specified domain to read corosync's log files.
-@@ -52,12 +71,37 @@ interface(`corosync_read_log',`
+@@ -52,14 +71,58 @@ interface(`corosync_read_log',`
interface(`corosync_stream_connect',`
gen_require(`
type corosync_t, corosync_var_run_t;
@@ -100335,6 +100426,25 @@ index 5220c9d..25babd6 100644
stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
')
+ ######################################
+ ## <summary>
++## Allow the specified domain to read/write corosync's tmpfs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`corosync_rw_tmpfs',`
++ gen_require(`
++ type corosync_tmpfs_t;
++ ')
++
++ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
++
++')
++
+########################################
+## <summary>
+## Execute corosync server in the corosync domain.
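Review bot: `corosync_rw_tmpfs` has a stray blank line between `rw_files_pattern(...)` and the closing `')`, which the other interfaces in this file do not have; drop it. More substantively, the pattern only grants search on corosync_tmpfs_t directories and read/write on its files, so a caller presumably also needs search on the tmpfs mount itself (`fs_search_tmpfs`) to reach /dev/shm — confirm against an actual AVC from dlm_controld rather than assuming. A summary that says what corosync keeps in tmpfs (IPC shared memory, if that is what this is) would help future callers decide whether read/write is more than they need.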
@@ -100358,10 +100468,12 @@ index 5220c9d..25babd6 100644
+ ps_process_pattern($1, corosync_t)
+')
+
- ######################################
- ## <summary>
++######################################
++## <summary>
## All of the rules required to administrate
-@@ -80,11 +124,16 @@ interface(`corosyncd_admin',`
+ ## an corosync environment
+ ## </summary>
+@@ -80,11 +143,16 @@ interface(`corosyncd_admin',`
type corosync_t, corosync_var_lib_t, corosync_var_log_t;
type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
type corosync_initrc_exec_t;
@@ -100379,7 +100491,7 @@ index 5220c9d..25babd6 100644
init_labeled_script_domtrans($1, corosync_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 corosync_initrc_exec_t system_r;
-@@ -103,4 +152,8 @@ interface(`corosyncd_admin',`
+@@ -103,4 +171,8 @@ interface(`corosyncd_admin',`
files_list_pids($1)
admin_pattern($1, corosync_var_run_t)
@@ -106324,7 +106436,7 @@ index e1d7dc5..13e4800 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..f85a8a6 100644
+index acf6d4f..6ec85a2 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,4 +1,4 @@
@@ -106504,7 +106616,16 @@ index acf6d4f..f85a8a6 100644
init_rw_utmp(dovecot_auth_t)
-@@ -236,6 +270,8 @@ optional_policy(`
+@@ -224,6 +258,8 @@ miscfiles_read_localization(dovecot_auth_t)
+
+ seutil_dontaudit_search_config(dovecot_auth_t)
+
++sysnet_use_ldap(dovecot_auth_t)
++
+ optional_policy(`
+ kerberos_use(dovecot_auth_t)
+
+@@ -236,6 +272,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
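Review bot: `sysnet_use_ldap(dovecot_auth_t)` is unconditional, whereas the usual way a confined auth helper reaches LDAP is through `auth_use_nsswitch`, whose `authlogin_nsswitch_use_ldap` tunable lets an administrator switch that network access off on hosts that do not use LDAP. If dovecot_auth_t already calls auth_use_nsswitch elsewhere in this file (not visible in the hunk), the new line is redundant; if dovecot's own ldap passdb/userdb backend binds to LDAP directly rather than via nss, keep it but say so: `# dovecot ldap backend binds to LDAP directly, not via nsswitch`.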
@@ -106513,7 +106634,7 @@ index acf6d4f..f85a8a6 100644
')
optional_policy(`
-@@ -243,6 +279,8 @@ optional_policy(`
+@@ -243,6 +281,8 @@ optional_policy(`
')
optional_policy(`
@@ -106522,7 +106643,7 @@ index acf6d4f..f85a8a6 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -250,23 +288,43 @@ optional_policy(`
+@@ -250,23 +290,43 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -106568,7 +106689,7 @@ index acf6d4f..f85a8a6 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -283,24 +341,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +343,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
@@ -129223,7 +129344,7 @@ index c2ba53b..1f935bf 100644
/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
-index de37806..3e870b7 100644
+index de37806..0f269db 100644
--- a/policy/modules/services/rhcs.if
+++ b/policy/modules/services/rhcs.if
@@ -13,7 +13,7 @@
@@ -129251,11 +129372,13 @@ index de37806..3e870b7 100644
files_pid_file($1_var_run_t)
##############################
-@@ -51,7 +51,6 @@ template(`rhcs_domain_template',`
+@@ -50,8 +50,7 @@ template(`rhcs_domain_template',`
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
+- files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
-
++ files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
')
######################################
@@ -129473,7 +129596,7 @@ index de37806..3e870b7 100644
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
-index 93c896a..a99868e 100644
+index 93c896a..31f7c73 100644
--- a/policy/modules/services/rhcs.te
+++ b/policy/modules/services/rhcs.te
@@ -6,13 +6,22 @@ policy_module(rhcs, 1.1.0)
@@ -129522,25 +129645,26 @@ index 93c896a..a99868e 100644
#####################################
#
# dlm_controld local policy
-@@ -46,6 +61,7 @@ stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fence
+@@ -46,6 +61,9 @@ stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fence
stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
kernel_read_system_state(dlm_controld_t)
+kernel_rw_net_sysctls(dlm_controld_t)
++
++corecmd_exec_bin(dlm_controld_t)
dev_rw_dlm_control(dlm_controld_t)
dev_rw_sysfs(dlm_controld_t)
-@@ -55,20 +71,17 @@ fs_manage_configfs_dirs(dlm_controld_t)
-
+@@ -56,7 +74,7 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
--optional_policy(`
+ optional_policy(`
- ccs_stream_connect(dlm_controld_t)
--')
--
++ corosync_rw_tmpfs(dlm_controld_t)
+ ')
+
#######################################
- #
- # fenced local policy
+@@ -65,10 +83,11 @@ optional_policy(`
#
allow fenced_t self:capability { sys_rawio sys_resource };
@@ -129553,7 +129677,7 @@ index 93c896a..a99868e 100644
can_exec(fenced_t, fenced_exec_t)
-@@ -82,13 +95,19 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -82,13 +101,19 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -129573,7 +129697,7 @@ index 93c896a..a99868e 100644
files_read_usr_symlinks(fenced_t)
storage_raw_read_fixed_disk(fenced_t)
-@@ -97,6 +116,7 @@ storage_raw_read_removable_device(fenced_t)
+@@ -97,6 +122,7 @@ storage_raw_read_removable_device(fenced_t)
term_getattr_pty_fs(fenced_t)
term_use_ptmx(fenced_t)
@@ -129581,7 +129705,7 @@ index 93c896a..a99868e 100644
auth_use_nsswitch(fenced_t)
-@@ -105,8 +125,28 @@ tunable_policy(`fenced_can_network_connect',`
+@@ -105,8 +131,28 @@ tunable_policy(`fenced_can_network_connect',`
')
optional_policy(`
@@ -129611,7 +129735,7 @@ index 93c896a..a99868e 100644
')
optional_policy(`
-@@ -114,13 +154,43 @@ optional_policy(`
+@@ -114,13 +160,43 @@ optional_policy(`
lvm_read_config(fenced_t)
')
@@ -129656,7 +129780,7 @@ index 93c896a..a99868e 100644
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -139,10 +209,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -139,10 +215,6 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
optional_policy(`
@@ -129667,7 +129791,7 @@ index 93c896a..a99868e 100644
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
-@@ -154,9 +220,10 @@ optional_policy(`
+@@ -154,9 +226,10 @@ optional_policy(`
allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
@@ -129679,7 +129803,7 @@ index 93c896a..a99868e 100644
dev_list_sysfs(groupd_t)
files_read_etc_files(groupd_t)
-@@ -168,8 +235,7 @@ init_rw_script_tmp_files(groupd_t)
+@@ -168,8 +241,7 @@ init_rw_script_tmp_files(groupd_t)
# qdiskd local policy
#
@@ -129689,7 +129813,7 @@ index 93c896a..a99868e 100644
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
-@@ -182,7 +248,7 @@ kernel_read_system_state(qdiskd_t)
+@@ -182,7 +254,7 @@ kernel_read_system_state(qdiskd_t)
kernel_read_software_raid_state(qdiskd_t)
kernel_getattr_core_if(qdiskd_t)
@@ -129698,7 +129822,7 @@ index 93c896a..a99868e 100644
corecmd_exec_shell(qdiskd_t)
dev_read_sysfs(qdiskd_t)
-@@ -199,6 +265,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
+@@ -199,6 +271,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
files_dontaudit_getattr_all_pipes(qdiskd_t)
files_read_etc_files(qdiskd_t)
@@ -129707,7 +129831,7 @@ index 93c896a..a99868e 100644
storage_raw_read_removable_device(qdiskd_t)
storage_raw_write_removable_device(qdiskd_t)
storage_raw_read_fixed_disk(qdiskd_t)
-@@ -207,10 +275,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -207,10 +281,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
optional_policy(`
@@ -129718,7 +129842,7 @@ index 93c896a..a99868e 100644
netutils_domtrans_ping(qdiskd_t)
')
-@@ -223,18 +287,28 @@ optional_policy(`
+@@ -223,18 +293,28 @@ optional_policy(`
# rhcs domains common policy
#
@@ -134238,7 +134362,7 @@ index 275f9fb..f1343b7 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..1ef6c7f 100644
+index 3d8d1b3..7e367d5 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@@ -134328,7 +134452,18 @@ index 3d8d1b3..1ef6c7f 100644
optional_policy(`
rpm_read_db(snmpd_t)
rpm_dontaudit_manage_db(snmpd_t)
-@@ -140,6 +147,10 @@ optional_policy(`
+@@ -131,6 +138,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ corosync_stream_connect(snmpd_t)
++')
++
++optional_policy(`
+ cups_read_rw_config(snmpd_t)
+ ')
+
+@@ -140,6 +151,10 @@ optional_policy(`
')
optional_policy(`
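Review bot: The new `corosync_stream_connect(snmpd_t)` block carries no comment saying what in snmpd needs the corosync socket, so a later reader cannot tell whether the grant is still required or can be narrowed. A one-line comment above the new `optional_policy(`, such as `# snmpd queries corosync over its unix stream socket for the cluster MIB`, would record the consumer; the purpose is inferred here, so word it to match the access that was actually observed. The surrounding optional_policy blocks of the snmpd_t local policy begin and end outside this hunk.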
@@ -135229,17 +135364,27 @@ index ec1eb1e..d1559f9 100644
+')
+
diff --git a/policy/modules/services/squid.fc b/policy/modules/services/squid.fc
-index 6cc4a90..2015152 100644
+index 6cc4a90..6664de3 100644
--- a/policy/modules/services/squid.fc
+++ b/policy/modules/services/squid.fc
-@@ -2,7 +2,6 @@
+@@ -1,9 +1,11 @@
+ /etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
++/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
++/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
-/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
++/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0)
/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+ /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+@@ -12,3 +14,4 @@
+ /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
+ /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+ /var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
++/var/lightsquid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index d2496bd..c7614d7 100644
--- a/policy/modules/services/squid.if
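Review bot: `/usr/share/lightsquid/cgi(/.*)?` on the new side has no file-type qualifier, so the directory itself and every file beneath it, not only the CGI scripts, receive `httpd_squid_script_exec_t`, whereas the existing cachemgr entry two lines below limits itself to a regular file with `--`. If only the scripts are meant to be entry points into the squid script domain, a narrower pattern such as `/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)` keeps templates and data files under that tree out of the exec type. The same consideration applies to `/etc/lightsquid(/.*)?` only insofar as it reuses `squid_conf_t`, which is read-only for squid_t and therefore fine as written.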
@@ -135280,34 +135425,15 @@ index d2496bd..c7614d7 100644
init_labeled_script_domtrans($1, squid_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
-index 4b2230e..89784b9 100644
+index 4b2230e..72c7364 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
-@@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
- #
-
- ## <desc>
--## <p>
--## Allow squid to connect to all ports, not just
--## HTTP, FTP, and Gopher ports.
--## </p>
-+## <p>
-+## Allow squid to connect to all ports, not just
-+## HTTP, FTP, and Gopher ports.
-+## </p>
- ## </desc>
- gen_tunable(squid_connect_any, false)
-
- ## <desc>
--## <p>
--## Allow squid to run as a transparent proxy (TPROXY)
--## </p>
-+## <p>
-+## Allow squid to run as a transparent proxy (TPROXY)
-+## </p>
- ## </desc>
- gen_tunable(squid_use_tproxy, false)
+@@ -1,4 +1,4 @@
+-policy_module(squid, 1.10.0)
++policy_module(squid, 1.11.0)
+ ########################################
+ #
@@ -29,7 +29,7 @@ type squid_cache_t;
files_type(squid_cache_t)
@@ -135317,7 +135443,7 @@ index 4b2230e..89784b9 100644
type squid_initrc_exec_t;
init_script_file(squid_initrc_exec_t)
-@@ -40,6 +40,9 @@ logging_log_file(squid_log_t)
+@@ -40,9 +40,18 @@ logging_log_file(squid_log_t)
type squid_tmpfs_t;
files_tmpfs_file(squid_tmpfs_t)
@@ -135327,7 +135453,16 @@ index 4b2230e..89784b9 100644
type squid_var_run_t;
files_pid_file(squid_var_run_t)
-@@ -69,6 +72,7 @@ allow squid_t self:udp_socket create_socket_perms;
++type squid_cron_t;
++type squid_cron_exec_t;
++init_daemon_domain(squid_cron_t, squid_cron_exec_t)
++application_domain(squid_cron_t, squid_cron_exec_t)
++role system_r types squid_cron_t;
++
+ ########################################
+ #
+ # Local policy
+@@ -69,6 +78,7 @@ allow squid_t self:udp_socket create_socket_perms;
manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
@@ -135335,7 +135470,7 @@ index 4b2230e..89784b9 100644
allow squid_t squid_conf_t:dir list_dir_perms;
read_files_pattern(squid_t, squid_conf_t, squid_conf_t)
-@@ -85,11 +89,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
+@@ -85,15 +95,19 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
@@ -135352,7 +135487,19 @@ index 4b2230e..89784b9 100644
files_dontaudit_getattr_boot_dirs(squid_t)
-@@ -169,7 +178,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
+-corenet_all_recvfrom_unlabeled(squid_t)
+ corenet_all_recvfrom_netlabel(squid_t)
+ corenet_tcp_sendrecv_generic_if(squid_t)
+ corenet_udp_sendrecv_generic_if(squid_t)
+@@ -145,7 +159,6 @@ corecmd_exec_shell(squid_t)
+
+ domain_use_interactive_fds(squid_t)
+
+-files_read_etc_files(squid_t)
+ files_read_etc_runtime_files(squid_t)
+ files_read_usr_files(squid_t)
+ files_search_spool(squid_t)
+@@ -169,7 +182,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t)
corenet_tcp_bind_all_ports(squid_t)
@@ -135362,15 +135509,18 @@ index 4b2230e..89784b9 100644
')
tunable_policy(`squid_use_tproxy',`
-@@ -185,6 +195,7 @@ optional_policy(`
- corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+@@ -182,9 +196,9 @@ optional_policy(`
+
+ allow httpd_squid_script_t self:tcp_socket create_socket_perms;
+
+- corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
+ corenet_tcp_connect_squid_port(httpd_squid_script_t)
sysnet_dns_name_resolve(httpd_squid_script_t)
-@@ -206,3 +217,7 @@ optional_policy(`
+@@ -206,3 +220,29 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
@@ -135378,6 +135528,28 @@ index 4b2230e..89784b9 100644
+optional_policy(`
+ kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")
+')
++
++########################################
++#
++# squid cron Local policy
++#
++manage_dirs_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
++manage_files_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
++manage_lnk_files_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
++files_var_filetrans(squid_cron_t, squid_cache_t, dir, "squid")
++
++read_files_pattern(squid_cron_t, squid_conf_t, squid_conf_t)
++
++read_files_pattern(squid_cron_t, squid_log_t, squid_log_t)
++
++corecmd_exec_bin(squid_cron_t)
++
++dev_read_urand(squid_cron_t)
++
++files_read_etc_files(squid_cron_t)
++files_read_usr_files(squid_cron_t)
++
++miscfiles_read_localization(squid_cron_t)
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 078bcd7..21ff471 100644
--- a/policy/modules/services/ssh.fc
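Review bot: The new `squid_cron_t` local policy contains no `cron_system_entry(squid_cron_t, squid_cron_exec_t)`, and the declaration hunk further up only wires the type through `init_daemon_domain`/`application_domain`, so if `lightparser.pl` is launched from cron as the type name suggests, the job would remain in the cron domain instead of entering squid_cron_t; this may be provided elsewhere in the patch, but it is not in this hunk or the declaration hunk. Separately, `files_var_filetrans(squid_cron_t, squid_cache_t, dir, "squid")` names `squid`, while squid.fc labels `/var/lightsquid(/.*)?` as squid_cache_t, so a `/var/lightsquid` directory created by the cron domain would not get the cache label unless a rule such as `files_var_filetrans(squid_cron_t, squid_cache_t, dir, "lightsquid")` is added. The squid_t policy this hunk appends to begins outside the hunk.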
@@ -136576,7 +136748,7 @@ index 941380a..e1095f0 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..20d8944 100644
+index 8ffa257..a2980c0 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -17,6 +17,7 @@ files_pid_file(sssd_public_t)
@@ -136655,12 +136827,15 @@ index 8ffa257..20d8944 100644
init_read_utmp(sssd_t)
-@@ -79,6 +94,12 @@ logging_send_syslog_msg(sssd_t)
+@@ -79,6 +94,15 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_localization(sssd_t)
+miscfiles_read_generic_certs(sssd_t)
+
++seutil_rw_login_config_dirs(sssd_t)
++seutil_manage_login_config_files(sssd_t)
++
+sysnet_dns_name_resolve(sssd_t)
+sysnet_use_ldap(sssd_t)
+
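Review bot: `seutil_rw_login_config_dirs(sssd_t)` and `seutil_manage_login_config_files(sssd_t)` give sssd create, write and delete access to the per-user SELinux login configuration under `/etc/selinux/*/logins`, the same files that login programs are granted to read via the `seutil_read_login_config($1)` added to `auth_login_pgm_domain` in this patch, so a compromised sssd could alter which SELinux user other accounts log in as. That is presumably the intended feature, but the grant is unconditional and carries no comment; `# sssd maintains per-user SELinux login mappings under /etc/selinux/*/logins` above the two lines would record why a network-facing daemon is allowed to write security configuration. The sssd_t rule block continues outside the hunk.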
@@ -136668,7 +136843,7 @@ index 8ffa257..20d8944 100644
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -87,4 +108,19 @@ optional_policy(`
+@@ -87,4 +111,19 @@ optional_policy(`
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
@@ -145237,7 +145412,7 @@ index 28ad538..82def3d 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..358cf75 100644
+index 73554ec..489dfc0 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -145362,8 +145537,11 @@ index 73554ec..358cf75 100644
auth_use_pam($1)
init_rw_utmp($1)
-@@ -155,13 +198,93 @@ interface(`auth_login_pgm_domain',`
+@@ -153,15 +196,96 @@ interface(`auth_login_pgm_domain',`
+ logging_set_tty_audit($1)
+
seutil_read_config($1)
++ seutil_read_login_config($1)
seutil_read_default_contexts($1)
- tunable_policy(`allow_polyinstantiation',`
@@ -145458,7 +145636,7 @@ index 73554ec..358cf75 100644
## Use the login program as an entry point program.
## </summary>
## <param name="domain">
-@@ -368,13 +491,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -368,13 +492,15 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
@@ -145475,7 +145653,7 @@ index 73554ec..358cf75 100644
')
########################################
-@@ -421,6 +546,25 @@ interface(`auth_run_chk_passwd',`
+@@ -421,6 +547,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -145501,7 +145679,7 @@ index 73554ec..358cf75 100644
')
########################################
-@@ -440,7 +584,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -440,7 +585,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -145509,7 +145687,7 @@ index 73554ec..358cf75 100644
')
########################################
-@@ -637,6 +780,10 @@ interface(`auth_manage_shadow',`
+@@ -637,6 +781,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -145520,7 +145698,7 @@ index 73554ec..358cf75 100644
')
#######################################
-@@ -736,7 +883,50 @@ interface(`auth_rw_faillog',`
+@@ -736,7 +884,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -145572,7 +145750,7 @@ index 73554ec..358cf75 100644
')
#######################################
-@@ -932,9 +1122,30 @@ interface(`auth_manage_var_auth',`
+@@ -932,9 +1123,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -145606,7 +145784,7 @@ index 73554ec..358cf75 100644
')
########################################
-@@ -1013,6 +1224,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1013,6 +1225,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -145617,7 +145795,7 @@ index 73554ec..358cf75 100644
')
########################################
-@@ -1130,6 +1345,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1130,6 +1346,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -145625,7 +145803,7 @@ index 73554ec..358cf75 100644
')
#######################################
-@@ -1387,6 +1603,25 @@ interface(`auth_setattr_login_records',`
+@@ -1387,6 +1604,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@@ -145651,7 +145829,7 @@ index 73554ec..358cf75 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
-@@ -1537,37 +1772,49 @@ interface(`auth_manage_login_records',`
+@@ -1537,37 +1773,49 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -145711,7 +145889,7 @@ index 73554ec..358cf75 100644
## </p>
## </desc>
## <param name="domain">
-@@ -1575,87 +1822,206 @@ interface(`auth_relabel_login_records',`
+@@ -1575,87 +1823,206 @@ interface(`auth_relabel_login_records',`
## Domain allowed access.
## </summary>
## </param>
@@ -149380,7 +149558,7 @@ index ddbd8be..fad18e0 100644
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 560dc48..efd3c8c 100644
+index 560dc48..64acf0b 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -28,26 +28,24 @@ ifdef(`distro_redhat',`
@@ -149508,8 +149686,8 @@ index 560dc48..efd3c8c 100644
+/usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
-/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
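Review bot: The replacement pattern `/usr/lib/nvidia.*\.so(\.[^/]*)*` lets `.*` span directory separators, so it matches every shared object under any path beginning with `/usr/lib/nvidia` and makes the three `/usr/lib/nvidia-graphics…` entries above it redundant; it also widens the set of libraries granted `textrel_shlib_t` (text relocations, i.e. execmod) from the GL libraries named by the removed line to everything in those trees. If the intent is the vendor directories only, `/usr/lib/nvidia(-[^/]*)?/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` anchors the match to a directory whose name starts with `nvidia` and still covers versioned names; if the breadth is deliberate, the three now-shadowed lines can be dropped.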
@@ -152820,14 +152998,15 @@ index a19ecea..486d7f2 100644
')
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
-index 2cc4bda..bd86c17 100644
+index 2cc4bda..912bcdb 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
-@@ -6,13 +6,13 @@
+@@ -6,13 +6,14 @@
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
-/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
++/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0)
+/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
@@ -152840,7 +153019,7 @@ index 2cc4bda..bd86c17 100644
#
# /root
-@@ -32,17 +32,27 @@
+@@ -32,17 +33,27 @@
/usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0)
/usr/bin/newrole -- gen_context(system_u:object_r:newrole_exec_t,s0)
@@ -152871,7 +153050,7 @@ index 2cc4bda..bd86c17 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 170e2c7..6c56785 100644
+index 170e2c7..25ce276 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -199,6 +199,10 @@ interface(`seutil_run_newrole',`
@@ -152967,7 +153146,7 @@ index 170e2c7..6c56785 100644
## Execute setfiles in the caller domain.
## </summary>
## <param name="domain">
-@@ -690,6 +762,7 @@ interface(`seutil_manage_config',`
+@@ -690,10 +762,115 @@ interface(`seutil_manage_config',`
')
files_search_etc($1)
@@ -152975,7 +153154,181 @@ index 170e2c7..6c56785 100644
manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')
-@@ -756,6 +829,29 @@ interface(`seutil_read_default_contexts',`
+
++######################################
++## <summary>
++## Create, read, write, and delete
++## the general selinux configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`seutil_manage_config_dirs',`
++ gen_require(`
++ type selinux_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir manage_dir_perms;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to search the SELinux
++## login configuration directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`seutil_dontaudit_search_login_config',`
++ gen_require(`
++ type selinux_login_config_t;
++ ')
++
++ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to read the SELinux
++## login configuration.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`seutil_dontaudit_read_login_config',`
++ gen_require(`
++ type selinux_login_config_t;
++ ')
++ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
++ dontaudit $1 selinux_login_config_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++## Read the SELinux login configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`seutil_read_login_config',`
++ gen_require(`
++ type selinux_config_t;
++ type selinux_login_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir search_dir_perms;
++ allow $1 selinux_login_config_t:dir list_dir_perms;
++ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++')
++
++########################################
++## <summary>
++## Read and write the SELinux login configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`seutil_rw_login_config',`
++ gen_require(`
++ type selinux_config_t;
++ type selinux_login_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir search_dir_perms;
++ allow $1 selinux_login_config_t:dir list_dir_perms;
++ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++')
++
+ #######################################
+ ## <summary>
+ ## Create, read, write, and delete
+@@ -704,15 +881,62 @@ interface(`seutil_manage_config',`
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`seutil_manage_config_dirs',`
++interface(`seutil_rw_login_config_dirs',`
+ gen_require(`
+ type selinux_config_t;
++ type selinux_login_config_t;
+ ')
+
+ files_search_etc($1)
+- allow $1 selinux_config_t:dir manage_dir_perms;
++ allow $1 selinux_config_t:dir search_dir_perms;
++ allow $1 selinux_login_config_t:dir rw_dir_perms;
++')
++
++######################################
++## <summary>
++## Create, read, write, and delete
++## the general selinux configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`seutil_manage_login_config',`
++ gen_require(`
++ type selinux_config_t;
++ type selinux_login_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir search_dir_perms;
++ manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t)
++ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++')
++
++######################################
++## <summary>
++## manage the login selinux configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`seutil_manage_login_config_files',`
++ gen_require(`
++ type selinux_config_t;
++ type selinux_login_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir search_dir_perms;
++ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+ ')
+
+ ########################################
+@@ -756,6 +980,29 @@ interface(`seutil_read_default_contexts',`
read_files_pattern($1, default_context_t, default_context_t)
')
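Review bot: The summary of the new `seutil_manage_login_config` interface reads "Create, read, write, and delete the general selinux configuration files", copied from `seutil_manage_config`, and the header now sitting above `seutil_rw_login_config_dirs` (kept as context from the renamed `seutil_manage_config_dirs`) still says "Create, read, write, and delete" although that interface grants only `rw_dir_perms`; both are rendered into the generated interface documentation. Suggested wording: `## Create, read, write, and delete the SELinux login configuration files and directories.` for the former and `## Read and write the SELinux login configuration directories.` for the latter, and capitalising the `## manage the login selinux configuration files.` summary of `seutil_manage_login_config_files`. As a point of style, `seutil_dontaudit_read_login_config` lacks the blank line after `gen_require(` that every other interface in this hunk has. The `seutil_manage_config` body this hunk starts inside begins outside the hunk.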
@@ -153005,7 +153358,7 @@ index 170e2c7..6c56785 100644
########################################
## <summary>
## Create, read, write, and delete the default_contexts files.
-@@ -1009,6 +1105,26 @@ interface(`seutil_domtrans_semanage',`
+@@ -1009,6 +1256,26 @@ interface(`seutil_domtrans_semanage',`
########################################
## <summary>
@@ -153032,7 +153385,7 @@ index 170e2c7..6c56785 100644
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -1038,6 +1154,54 @@ interface(`seutil_run_semanage',`
+@@ -1038,6 +1305,54 @@ interface(`seutil_run_semanage',`
########################################
## <summary>
@@ -153087,7 +153440,7 @@ index 170e2c7..6c56785 100644
## Full management of the semanage
## module store.
## </summary>
-@@ -1149,3 +1313,107 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1149,3 +1464,107 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -153196,7 +153549,7 @@ index 170e2c7..6c56785 100644
+ auth_relabelto_shadow($1)
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..c0109fd 100644
+index 7ed9819..78e1bbb 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,6 +11,7 @@ gen_require(`
@@ -153207,17 +153560,20 @@ index 7ed9819..c0109fd 100644
#
# selinux_config_t is the type applied to
-@@ -22,6 +23,9 @@ attribute can_relabelto_binary_policy;
+@@ -22,6 +23,12 @@ attribute can_relabelto_binary_policy;
type selinux_config_t;
files_type(selinux_config_t)
++type selinux_login_config_t;
++files_type(selinux_login_config_t)
++
+type selinux_var_lib_t;
+files_type(selinux_var_lib_t)
+
type checkpolicy_t, can_write_binary_policy;
type checkpolicy_exec_t;
application_domain(checkpolicy_t, checkpolicy_exec_t)
-@@ -57,8 +61,13 @@ domain_interactive_fd(newrole_t)
+@@ -57,8 +64,13 @@ domain_interactive_fd(newrole_t)
# policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration.
#
@@ -153233,7 +153589,7 @@ index 7ed9819..c0109fd 100644
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
-@@ -74,7 +83,6 @@ type restorecond_t;
+@@ -74,7 +86,6 @@ type restorecond_t;
type restorecond_exec_t;
init_daemon_domain(restorecond_t, restorecond_exec_t)
domain_obj_id_change_exemption(restorecond_t)
@@ -153241,7 +153597,7 @@ index 7ed9819..c0109fd 100644
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
-@@ -88,26 +96,37 @@ role system_r types run_init_t;
+@@ -88,26 +99,37 @@ role system_r types run_init_t;
type semanage_t;
type semanage_exec_t;
application_domain(semanage_t, semanage_exec_t)
@@ -153281,7 +153637,15 @@ index 7ed9819..c0109fd 100644
########################################
#
# Checkpolicy local policy
-@@ -139,7 +158,7 @@ term_use_console(checkpolicy_t)
+@@ -125,6 +147,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
+ read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
+ read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
+ allow checkpolicy_t selinux_config_t:dir search_dir_perms;
++allow checkpolicy_t selinux_login_config_t:dir search_dir_perms;
+
+ domain_use_interactive_fds(checkpolicy_t)
+
+@@ -139,7 +162,7 @@ term_use_console(checkpolicy_t)
init_use_fds(checkpolicy_t)
init_use_script_ptys(checkpolicy_t)
@@ -153290,7 +153654,7 @@ index 7ed9819..c0109fd 100644
userdom_use_all_users_fds(checkpolicy_t)
ifdef(`distro_ubuntu',`
-@@ -176,13 +195,15 @@ term_list_ptys(load_policy_t)
+@@ -176,13 +199,15 @@ term_list_ptys(load_policy_t)
init_use_script_fds(load_policy_t)
init_use_script_ptys(load_policy_t)
@@ -153307,7 +153671,15 @@ index 7ed9819..c0109fd 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -204,7 +225,7 @@ ifdef(`hide_broken_symptoms',`
+@@ -193,6 +218,7 @@ ifdef(`distro_ubuntu',`
+ ifdef(`hide_broken_symptoms',`
+ # cjp: cover up stray file descriptors.
+ dontaudit load_policy_t selinux_config_t:file write;
++ dontaudit load_policy_t selinux_login_config_t:file write;
+
+ optional_policy(`
+ unconfined_dontaudit_read_pipes(load_policy_t)
+@@ -204,7 +230,7 @@ ifdef(`hide_broken_symptoms',`
# Newrole local policy
#
@@ -153316,7 +153688,7 @@ index 7ed9819..c0109fd 100644
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
-@@ -216,7 +237,7 @@ allow newrole_t self:msgq create_msgq_perms;
+@@ -216,7 +242,7 @@ allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -153325,7 +153697,7 @@ index 7ed9819..c0109fd 100644
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -233,6 +254,7 @@ domain_use_interactive_fds(newrole_t)
+@@ -233,6 +259,7 @@ domain_use_interactive_fds(newrole_t)
# for when the user types "exec newrole" at the command line:
domain_sigchld_interactive_fds(newrole_t)
@@ -153333,7 +153705,7 @@ index 7ed9819..c0109fd 100644
files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
files_read_var_symlinks(newrole_t)
-@@ -260,25 +282,30 @@ term_relabel_all_ptys(newrole_t)
+@@ -260,25 +287,30 @@ term_relabel_all_ptys(newrole_t)
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
@@ -153370,7 +153742,7 @@ index 7ed9819..c0109fd 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)
-@@ -312,9 +339,13 @@ kernel_use_fds(restorecond_t)
+@@ -312,9 +344,13 @@ kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@@ -153385,7 +153757,7 @@ index 7ed9819..c0109fd 100644
fs_list_inotifyfs(restorecond_t)
selinux_validate_context(restorecond_t)
-@@ -323,8 +354,8 @@ selinux_compute_create_context(restorecond_t)
+@@ -323,8 +359,8 @@ selinux_compute_create_context(restorecond_t)
selinux_compute_relabel_context(restorecond_t)
selinux_compute_user_contexts(restorecond_t)
@@ -153396,7 +153768,7 @@ index 7ed9819..c0109fd 100644
auth_use_nsswitch(restorecond_t)
locallogin_dontaudit_use_fds(restorecond_t)
-@@ -335,6 +366,8 @@ miscfiles_read_localization(restorecond_t)
+@@ -335,6 +371,8 @@ miscfiles_read_localization(restorecond_t)
seutil_libselinux_linked(restorecond_t)
@@ -153405,7 +153777,7 @@ index 7ed9819..c0109fd 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -353,16 +386,19 @@ optional_policy(`
+@@ -353,16 +391,19 @@ optional_policy(`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -153426,7 +153798,7 @@ index 7ed9819..c0109fd 100644
dev_dontaudit_list_all_dev_nodes(run_init_t)
domain_use_interactive_fds(run_init_t)
-@@ -380,6 +416,8 @@ selinux_compute_create_context(run_init_t)
+@@ -380,6 +421,8 @@ selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
@@ -153435,7 +153807,7 @@ index 7ed9819..c0109fd 100644
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
auth_domtrans_upd_passwd(run_init_t)
-@@ -388,6 +426,7 @@ auth_dontaudit_read_shadow(run_init_t)
+@@ -388,6 +431,7 @@ auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
# for utmp
init_rw_utmp(run_init_t)
@@ -153443,7 +153815,7 @@ index 7ed9819..c0109fd 100644
logging_send_syslog_msg(run_init_t)
-@@ -396,7 +435,7 @@ miscfiles_read_localization(run_init_t)
+@@ -396,7 +440,7 @@ miscfiles_read_localization(run_init_t)
seutil_libselinux_linked(run_init_t)
seutil_read_default_contexts(run_init_t)
@@ -153452,7 +153824,7 @@ index 7ed9819..c0109fd 100644
ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
-@@ -405,6 +444,19 @@ ifndef(`direct_sysadm_daemon',`
+@@ -405,6 +449,19 @@ ifndef(`direct_sysadm_daemon',`
')
')
@@ -153472,7 +153844,7 @@ index 7ed9819..c0109fd 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -420,185 +472,203 @@ optional_policy(`
+@@ -420,185 +477,203 @@ optional_policy(`
# semodule local policy
#
@@ -153486,16 +153858,16 @@ index 7ed9819..c0109fd 100644
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
--
--kernel_read_system_state(semanage_t)
--kernel_read_kernel_sysctls(semanage_t)
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
--corecmd_exec_bin(semanage_t)
+-kernel_read_system_state(semanage_t)
+-kernel_read_kernel_sysctls(semanage_t)
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+-corecmd_exec_bin(semanage_t)
+-
-dev_read_urand(semanage_t)
-
-domain_use_interactive_fds(semanage_t)
@@ -153519,11 +153891,11 @@ index 7ed9819..c0109fd 100644
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
--
--locallogin_use_fds(semanage_t)
+# Admins are creating pp files in random locations
+files_read_non_security_files(semanage_t)
+-locallogin_use_fds(semanage_t)
+-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
@@ -153779,15 +154151,15 @@ index 7ed9819..c0109fd 100644
- fs_rw_tmpfs_blk_files(setfiles_t)
- fs_relabel_tmpfs_blk_file(setfiles_t)
- fs_relabel_tmpfs_chr_file(setfiles_t)
-+ fs_rw_tmpfs_chr_files(setfiles_domain)
- ')
-
+-')
+-
-ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(setfiles_t)
- ')
--')
--
++ fs_rw_tmpfs_chr_files(setfiles_domain)
+ ')
+
-ifdef(`hide_broken_symptoms',`
- optional_policy(`
- udev_dontaudit_rw_dgram_sockets(setfiles_t)
@@ -156946,7 +157318,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..7ec3343 100644
+index 4b2878a..646b52d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -158342,7 +158714,7 @@ index 4b2878a..7ec3343 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1234,13 +1575,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1575,25 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -158353,6 +158725,7 @@ index 4b2878a..7ec3343 100644
+ seutil_manage_file_contexts($1)
+ seutil_manage_module_store($1)
+ seutil_manage_config($1)
++ seutil_manage_login_config($1)
+ seutil_run_checkpolicy($1,$2)
+ seutil_run_loadpolicy($1,$2)
+ seutil_run_semanage($1,$2)
@@ -158371,7 +158744,7 @@ index 4b2878a..7ec3343 100644
')
optional_policy(`
-@@ -1251,12 +1603,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1604,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
@@ -158387,7 +158760,7 @@ index 4b2878a..7ec3343 100644
')
optional_policy(`
-@@ -1279,54 +1631,103 @@ template(`userdom_security_admin_template',`
+@@ -1279,54 +1632,103 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -158506,7 +158879,7 @@ index 4b2878a..7ec3343 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1395,11 +1796,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,11 +1797,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -158538,7 +158911,7 @@ index 4b2878a..7ec3343 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1441,6 +1862,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1863,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -158553,7 +158926,7 @@ index 4b2878a..7ec3343 100644
')
########################################
-@@ -1456,9 +1885,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1886,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -158565,7 +158938,7 @@ index 4b2878a..7ec3343 100644
')
########################################
-@@ -1515,6 +1946,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1947,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -158608,7 +158981,7 @@ index 4b2878a..7ec3343 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1589,6 +2056,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2057,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -158617,7 +158990,7 @@ index 4b2878a..7ec3343 100644
')
########################################
-@@ -1603,10 +2072,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2073,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -158632,7 +159005,7 @@ index 4b2878a..7ec3343 100644
')
########################################
-@@ -1649,6 +2120,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2121,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -158676,7 +159049,7 @@ index 4b2878a..7ec3343 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1668,6 +2176,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2177,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -158702,7 +159075,7 @@ index 4b2878a..7ec3343 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1698,14 +2225,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1698,14 +2226,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -158740,7 +159113,7 @@ index 4b2878a..7ec3343 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2265,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2266,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -158758,7 +159131,7 @@ index 4b2878a..7ec3343 100644
')
########################################
-@@ -1779,6 +2331,78 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2332,78 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -158837,7 +159210,7 @@ index 4b2878a..7ec3343 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1810,8 +2434,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2435,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -158847,7 +159220,7 @@ index 4b2878a..7ec3343 100644
')
########################################
-@@ -1827,21 +2450,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2451,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -158873,7 +159246,7 @@ index 4b2878a..7ec3343 100644
########################################
## <summary>
## Do not audit attempts to execute user home files.
-@@ -1941,6 +2558,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2559,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
@@ -158898,7 +159271,7 @@ index 4b2878a..7ec3343 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
-@@ -2008,7 +2643,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2644,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -158907,7 +159280,7 @@ index 4b2878a..7ec3343 100644
files_search_home($1)
')
-@@ -2039,7 +2674,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2675,7 @@ interface(`userdom_user_home_content_filetrans',`
type user_home_dir_t, user_home_t;
')
@@ -158916,7 +159289,7 @@ index 4b2878a..7ec3343 100644
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
-@@ -2158,11 +2793,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2158,11 +2794,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -158931,7 +159304,7 @@ index 4b2878a..7ec3343 100644
files_search_tmp($1)
')
-@@ -2182,7 +2817,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2818,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -158940,7 +159313,7 @@ index 4b2878a..7ec3343 100644
')
########################################
-@@ -2390,7 +3025,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +3026,7 @@ interface(`userdom_user_tmp_filetrans',`
type user_tmp_t;
')
@@ -158949,7 +159322,7 @@ index 4b2878a..7ec3343 100644
files_search_tmp($1)
')
-@@ -2419,6 +3054,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +3055,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2)
')
@@ -158975,7 +159348,7 @@ index 4b2878a..7ec3343 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2435,13 +3089,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3090,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -158991,7 +159364,7 @@ index 4b2878a..7ec3343 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,7 +3117,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3118,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -159000,7 +159373,7 @@ index 4b2878a..7ec3343 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2470,19 +3125,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,19 +3126,17 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -159023,7 +159396,7 @@ index 4b2878a..7ec3343 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2490,9 +3143,27 @@ interface(`userdom_manage_user_tmpfs_files',`
+@@ -2490,9 +3144,27 @@ interface(`userdom_manage_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -159053,7 +159426,7 @@ index 4b2878a..7ec3343 100644
')
allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
-@@ -2572,6 +3243,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +3244,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -159078,7 +159451,7 @@ index 4b2878a..7ec3343 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2590,22 +3279,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2590,22 +3280,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -159121,7 +159494,7 @@ index 4b2878a..7ec3343 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2614,14 +3315,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3316,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -159159,7 +159532,7 @@ index 4b2878a..7ec3343 100644
')
########################################
-@@ -2640,8 +3360,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2640,8 +3361,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -159189,7 +159562,7 @@ index 4b2878a..7ec3343 100644
')
########################################
-@@ -2713,69 +3452,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2713,69 +3453,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -159290,7 +159663,7 @@ index 4b2878a..7ec3343 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2783,12 +3521,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2783,12 +3522,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -159305,7 +159678,7 @@ index 4b2878a..7ec3343 100644
')
########################################
-@@ -2852,7 +3590,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3591,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -159314,7 +159687,7 @@ index 4b2878a..7ec3343 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2868,29 +3606,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3607,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -159348,7 +159721,7 @@ index 4b2878a..7ec3343 100644
')
########################################
-@@ -2972,7 +3694,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3695,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -159357,7 +159730,7 @@ index 4b2878a..7ec3343 100644
')
########################################
-@@ -3027,7 +3749,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3750,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -159404,7 +159777,7 @@ index 4b2878a..7ec3343 100644
')
########################################
-@@ -3045,7 +3805,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3806,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -159413,7 +159786,7 @@ index 4b2878a..7ec3343 100644
')
########################################
-@@ -3064,6 +3824,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3825,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -159421,7 +159794,7 @@ index 4b2878a..7ec3343 100644
kernel_search_proc($1)
')
-@@ -3140,6 +3901,42 @@ interface(`userdom_signal_all_users',`
+@@ -3140,6 +3902,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -159464,7 +159837,7 @@ index 4b2878a..7ec3343 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3160,6 +3957,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3958,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -159489,7 +159862,7 @@ index 4b2878a..7ec3343 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3194,3 +4009,1285 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +4010,1285 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f3fd5d8..ed1213d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 145%{?dist}
+Release: 146%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,25 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Aug 20 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-146
+- Allow tmpreaper to delete unlabeled files
+- Backport selinux_login_config fixes from F18 for sssd
+- Allow thumb drives to create shared memory and semaphores
+- Make "snmpwalk -mREDHAT-CLUSTER-MIB ...." working
+- Allow dlm_controld to execute dlm_stonith labeled as bin_t
+- Allow GFS2 working on F17
+- Allow thumb to gettatr on all fs
+- Allow condor domains to read kernel sysctls
+- Allow condor_master to connect to amqp
+- Allow abrt to read mozilla_plugin config files
+- Backport squid policy with support for lightsquid
+- Allow useradd to modify /etc/default/useradd
+- dovecot_auth_t uses ldap for user auth
+- Dontaudit mozilla_plugin attempts to ipc_lock
+- Allow tmpreaper to search unlabeled /tmp/kdecache-root
+- Allow jockey to list the contents of modeprobe.d
+- Allow web plugins to connect to the asterisk ports
+
* Wed Aug 8 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-145
- Allow Chrome_ChildIO to read dosfs_t
- Fix svirt to be allowed to use fusefs file system