[selinux-policy/f17] - Backport openvswitch policy from F18 - Allow logrotate to transition to openvswitch domain - opend
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Dec 5 06:43:00 UTC 2012
commit a5551178da1ddb1aabef070e12fe6dfdf7991807
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Dec 5 07:41:36 2012 +0100
- Backport openvswitch policy from F18
- Allow logrotate to transition to openvswitch domain
- opendkim should be a part of milter
- Add filename transition for /etc/tuned/active_profile
- Allow condor_master to send mails
- Allow condor_master to create /tmp files/dirs
- Allow condor_master to send sigkill to other condor domains
- Allow condor_procd sigkill capability
- tuned-adm wants to talk with tuned daemon
- Allow all application domains to use fifo_files passed in from userdomains
- pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler"
- Fix mozilla_plugin_can_network_connect to allow to connect to all ports
- The host and a virtual machine can share the same printer on a usb device
- Backport thumb.te from F18
- Dontaudit leaks of locks or generic log files to system processes
- Allow blueman to transition to ifconfig, dnsmasq
- Backport virt_lock_t from F18
- Allow syslogd to request the kernel to load a module
- Allow syslogd_t to read the network state information
- Add awstats_purge_apache_log boolean
- Allow ksysguardprocess to read /.config/Trolltech.conf
- Allow passenger to create and append puppet log files
- Add puppet_append_log and puppet_create_log interfaces
policy-F16.patch | 962 +++++++++++++++++++++++++++++++++++++++++++--------
selinux-policy.spec | 29 ++-
2 files changed, 847 insertions(+), 144 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 1892c25..b12d8d3 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -64435,7 +64435,7 @@ index 4f7bd3c..9143343 100644
- unconfined_domain(kudzu_t)
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..0d2561b 100644
+index 7090dae..dc342a7 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t)
@@ -64506,7 +64506,7 @@ index 7090dae..0d2561b 100644
-cron_search_spool(logrotate_t)
-
-mta_send_mail(logrotate_t)
-+userdom_dontaudit_list_admin_dir(logrotate_t)
++userdom_list_admin_dir(logrotate_t)
+userdom_dontaudit_getattr_user_home_content(logrotate_t)
ifdef(`distro_debian', `
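Review bot: the change from userdom_dontaudit_list_admin_dir(logrotate_t) to userdom_list_admin_dir(logrotate_t) turns a dontaudit into an allow, so logrotate_t now gets real list access to admin home directories instead of merely having the denials silenced; none of the changelog entries covers this, so either add an entry stating why logrotate needs it or keep the dontaudit.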
@@ -64588,7 +64588,19 @@ index 7090dae..0d2561b 100644
optional_policy(`
samba_exec_log(logrotate_t)
-@@ -228,3 +254,14 @@ optional_policy(`
+@@ -217,6 +243,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ openvswitch_read_pid_files(logrotate_t)
++ openvswitch_domtrans(logrotate_t)
++')
++
++optional_policy(`
+ squid_domtrans(logrotate_t)
+ ')
+
+@@ -228,3 +259,14 @@ optional_policy(`
optional_policy(`
varnishd_manage_log(logrotate_t)
')
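Review bot: the new optional_policy block grants openvswitch_domtrans(logrotate_t) with no comment saying which openvswitch helper logrotate executes (presumably from a postrotate script); since openvswitch_exec_t labels ovs-ctl, ovs-vsctl, ovsdb-ctl, ovsdb-server and ovs-vswitchd alike in the openvswitch.fc hunk, a one-line comment naming the helper would make the transition auditable. openvswitch_read_pid_files includes files_search_pids in the .if hunk, so that call is complete on its own.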
@@ -65241,7 +65253,7 @@ index f68b573..8fb9cd3 100644
+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
+')
diff --git a/policy/modules/admin/passenger.te b/policy/modules/admin/passenger.te
-index 3470036..bf7e806 100644
+index 3470036..adb865b 100644
--- a/policy/modules/admin/passenger.te
+++ b/policy/modules/admin/passenger.te
@@ -28,7 +28,7 @@ files_pid_file(passenger_var_run_t)
@@ -65287,7 +65299,7 @@ index 3470036..bf7e806 100644
miscfiles_read_localization(passenger_t)
userdom_dontaudit_use_user_terminals(passenger_t)
-@@ -75,3 +84,23 @@ optional_policy(`
+@@ -75,3 +84,25 @@ optional_policy(`
apache_append_log(passenger_t)
apache_read_sys_content(passenger_t)
')
@@ -65302,6 +65314,8 @@ index 3470036..bf7e806 100644
+
+optional_policy(`
+ puppet_manage_lib(passenger_t)
++ puppet_append_log(passenger_t)
++ puppet_create_log(passenger_t)
+ puppet_read_config(passenger_t)
+ puppet_read_log(passenger_t)
+ puppet_search_pid(passenger_t)
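Review bot: puppet_append_log(passenger_t) and puppet_create_log(passenger_t) call interfaces the changelog lists as new, but their puppet.if definitions are not in this excerpt; before merging, check that puppet_create_log includes a logging_log_filetrans so that files passenger creates are labeled puppet_log_t rather than the default var_log_t, otherwise the append rule will not match the file it just created.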
@@ -68071,6 +68085,39 @@ index 283ff0d..53f9ba1 100644
## Read and write awstats unnamed pipes.
## </summary>
## <param name="domain">
+diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te
+index 427f599..a59959a 100644
+--- a/policy/modules/apps/awstats.te
++++ b/policy/modules/apps/awstats.te
+@@ -5,6 +5,13 @@ policy_module(awstats, 1.3.1)
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Allow awstats to purge Apache logs
++## </p>
++## </desc>
++gen_tunable(awstats_purge_apache_log, false)
++
+ type awstats_t;
+ type awstats_exec_t;
+ domain_type(awstats_t)
+@@ -61,6 +68,14 @@ sysnet_dns_name_resolve(awstats_t)
+
+ apache_read_log(awstats_t)
+
++tunable_policy(`awstats_purge_apache_log',`
++ apache_write_log(awstats_t)
++')
++
++optional_policy(`
++ apache_read_log(awstats_t)
++')
++
+ optional_policy(`
+ cron_system_entry(awstats_t, awstats_exec_t)
+ ')
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
index 46ea44f..49ce279 100644
--- a/policy/modules/apps/cdrecord.te
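Review bot: apache_read_log(awstats_t) is added a second time inside a new optional_policy block although the same call already appears unconditionally a few lines above it in the same hunk; keep the optional_policy-wrapped one and drop the bare call. The tunable_policy block calling apache_write_log(awstats_t) should likewise sit inside optional_policy(`...') so the module still builds when apache is not loaded. The boolean defaults to false, which is the right default for a rule that lets a log analyser truncate web server logs.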
@@ -70412,7 +70459,7 @@ index f5afe78..e283f63 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
+')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..ffb9bd7 100644
+index 2505654..c06597b 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -6,11 +6,31 @@ policy_module(gnome, 2.1.0)
@@ -70485,7 +70532,7 @@ index 2505654..ffb9bd7 100644
##############################
#
# Local Policy
-@@ -75,3 +118,161 @@ optional_policy(`
+@@ -75,3 +118,165 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -70570,6 +70617,10 @@ index 2505654..ffb9bd7 100644
+')
+
+optional_policy(`
++ gnome_read_home_config(gnomesystemmm_t)
++')
++
++optional_policy(`
+ nscd_dontaudit_search_pid(gnomesystemmm_t)
+')
+
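Review bot: gnome_read_home_config(gnomesystemmm_t) grants read access to the whole of the user's gnome home config, while the changelog entry only asks for /.config/Trolltech.conf; if a narrower interface exists, prefer it, and otherwise a comment recording the Trolltech.conf motivation would help the next reader. Note also that the changelog says ksysguardprocess while the domain here is gnomesystemmm_t.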
@@ -72265,7 +72316,7 @@ index fbb5c5a..67c1168 100644
+')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..bb2d536 100644
+index 2e9318b..7208c08 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -7,11 +7,25 @@ policy_module(mozilla, 2.3.3)
@@ -72592,7 +72643,7 @@ index 2e9318b..bb2d536 100644
- fs_manage_cifs_files(mozilla_plugin_t)
- fs_manage_cifs_symlinks(mozilla_plugin_t)
+tunable_policy(`mozilla_plugin_can_network_connect',`
-+ corenet_tcp_connect_unreserved_ports(mozilla_plugin_t)
++ corenet_tcp_connect_all_ports(mozilla_plugin_t)
')
optional_policy(`
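Review bot: switching corenet_tcp_connect_unreserved_ports to corenet_tcp_connect_all_ports under mozilla_plugin_can_network_connect also permits connections to reserved (below 1024) and labelled ports, which the unreserved variant deliberately excluded; the tunable's <desc> text should be updated to say all ports so administrators know what they are enabling, and the boolean should remain off by default.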
@@ -76609,10 +76660,10 @@ index 0000000..9127cec
+')
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..3e560dd
+index 0000000..9dabeec
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,122 @@
+@@ -0,0 +1,127 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -76696,17 +76747,19 @@ index 0000000..3e560dd
+fs_read_dos_files(thumb_t)
+fs_rw_inherited_tmpfs_files(thumb_t)
+
-+auth_use_nsswitch(thumb_t)
++auth_read_passwd(thumb_t)
+
+tunable_policy(`allow_execmod',`
+ libs_legacy_use_shared_libs(thumb_t)
+')
+
+miscfiles_read_fonts(thumb_t)
-+miscfiles_read_localization(thumb_t)
++miscfiles_dontaudit_setattr_fonts_dirs(thumb_t)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(thumb_t)
+
+sysnet_read_config(thumb_t)
+
++userdom_dontaudit_setattr_user_tmp(thumb_t)
+userdom_read_user_tmp_files(thumb_t)
+userdom_read_user_home_content_files(thumb_t)
+userdom_write_user_tmp_files(thumb_t)
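Review bot: removing miscfiles_read_localization(thumb_t) is only safe if the F17 base policy already grants locale reads to every domain; if F18 dropped the call because of such a domain-wide rule that F17 lacks, thumbnailers on F17 will be denied reads of /usr/share/locale, so verify before backporting. Replacing auth_use_nsswitch with auth_read_passwd is a welcome reduction in what thumb_t can reach.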
@@ -76730,10 +76783,13 @@ index 0000000..3e560dd
+optional_policy(`
+ # .config
+ gnome_dontaudit_search_config(thumb_t)
++ gnome_append_generic_cache_files(thumb_t)
+ gnome_read_generic_data_home_files(thumb_t)
+ gnome_manage_gstreamer_home_files(thumb_t)
+ gnome_manage_gstreamer_home_dirs(thumb_t)
+ gnome_exec_gstreamer_home_files(thumb_t)
++ gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails")
++ gnome_cache_filetrans(thumb_t, thumb_home_t, file)
+')
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index f50789e..9ba6da8 100644
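Review bot: gnome_cache_filetrans(thumb_t, thumb_home_t, file) carries no name argument, so every regular file thumb_t creates directly in ~/.cache becomes thumb_home_t, not only content under the thumbnails directory created by the line above it; if that is intended a comment should say so, otherwise restrict it with a filename or drop it.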
@@ -91841,7 +91897,7 @@ index 9e39aa5..87b9c7d 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..f9d3c63 100644
+index 6480167..0f3737f 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,62 +13,46 @@
@@ -92186,7 +92242,33 @@ index 6480167..f9d3c63 100644
## Allow the specified domain to read
## apache configuration files.
## </summary>
-@@ -699,7 +691,7 @@ interface(`apache_dontaudit_append_log',`
+@@ -683,6 +675,25 @@ interface(`apache_append_log',`
+ append_files_pattern($1, httpd_log_t, httpd_log_t)
+ ')
+
++#######################################
++## <summary>
++## Allow the specified domain to write
++## to apache log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`apache_write_log',`
++ gen_require(`
++ type httpd_log_t;
++ ')
++
++ allow $1 httpd_log_t:file write;
++')
++
+ ########################################
+ ## <summary>
+ ## Do not audit attempts to append to the
+@@ -699,7 +710,7 @@ interface(`apache_dontaudit_append_log',`
type httpd_log_t;
')
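Review bot: the new apache_write_log interface uses a bare `allow $1 httpd_log_t:file write;` with no directory search, unlike apache_append_log directly above it, which uses append_files_pattern; a caller without search on httpd_log_t directories and /var/log will still be denied. Suggest `write_files_pattern($1, httpd_log_t, httpd_log_t)` plus `logging_search_logs($1)`, and the summary should state that write (unlike append) lets the caller truncate the log, since that is exactly what the awstats boolean relies on.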
@@ -92195,7 +92277,7 @@ index 6480167..f9d3c63 100644
')
########################################
-@@ -745,6 +737,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -745,6 +756,25 @@ interface(`apache_dontaudit_search_modules',`
########################################
## <summary>
@@ -92221,7 +92303,7 @@ index 6480167..f9d3c63 100644
## Allow the specified domain to list
## the contents of the apache modules
## directory.
-@@ -761,6 +772,7 @@ interface(`apache_list_modules',`
+@@ -761,6 +791,7 @@ interface(`apache_list_modules',`
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -92229,7 +92311,7 @@ index 6480167..f9d3c63 100644
')
########################################
-@@ -802,6 +814,43 @@ interface(`apache_domtrans_rotatelogs',`
+@@ -802,6 +833,43 @@ interface(`apache_domtrans_rotatelogs',`
domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')
@@ -92273,7 +92355,7 @@ index 6480167..f9d3c63 100644
########################################
## <summary>
## Allow the specified domain to list
-@@ -819,6 +868,7 @@ interface(`apache_list_sys_content',`
+@@ -819,6 +887,7 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -92281,7 +92363,7 @@ index 6480167..f9d3c63 100644
files_search_var($1)
')
-@@ -846,6 +896,74 @@ interface(`apache_manage_sys_content',`
+@@ -846,6 +915,74 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@@ -92356,7 +92438,7 @@ index 6480167..f9d3c63 100644
########################################
## <summary>
## Execute all web scripts in the system
-@@ -862,7 +980,12 @@ interface(`apache_manage_sys_content',`
+@@ -862,7 +999,12 @@ interface(`apache_manage_sys_content',`
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
@@ -92370,7 +92452,7 @@ index 6480167..f9d3c63 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -921,9 +1044,10 @@ interface(`apache_domtrans_all_scripts',`
+@@ -921,9 +1063,10 @@ interface(`apache_domtrans_all_scripts',`
## </param>
## <param name="role">
## <summary>
@@ -92382,7 +92464,7 @@ index 6480167..f9d3c63 100644
#
interface(`apache_run_all_scripts',`
gen_require(`
-@@ -950,7 +1074,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -950,7 +1093,7 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@@ -92391,7 +92473,7 @@ index 6480167..f9d3c63 100644
')
########################################
-@@ -1091,6 +1215,25 @@ interface(`apache_read_tmp_files',`
+@@ -1091,6 +1234,25 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -92417,7 +92499,7 @@ index 6480167..f9d3c63 100644
########################################
## <summary>
## Dontaudit attempts to write
-@@ -1107,7 +1250,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1107,7 +1269,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -92426,7 +92508,7 @@ index 6480167..f9d3c63 100644
')
########################################
-@@ -1148,14 +1291,31 @@ interface(`apache_cgi_domain',`
+@@ -1148,14 +1310,31 @@ interface(`apache_cgi_domain',`
########################################
## <summary>
@@ -92462,7 +92544,7 @@ index 6480167..f9d3c63 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1170,19 +1330,21 @@ interface(`apache_cgi_domain',`
+@@ -1170,19 +1349,21 @@ interface(`apache_cgi_domain',`
#
interface(`apache_admin',`
gen_require(`
@@ -92491,7 +92573,7 @@ index 6480167..f9d3c63 100644
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 httpd_initrc_exec_t system_r;
-@@ -1191,10 +1353,10 @@ interface(`apache_admin',`
+@@ -1191,10 +1372,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -92504,7 +92586,7 @@ index 6480167..f9d3c63 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1367,95 @@ interface(`apache_admin',`
+@@ -1205,14 +1386,95 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -95476,10 +95558,10 @@ index de0bd67..1df2048 100644
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
-index f4e7ad3..c323651 100644
+index f4e7ad3..8936606 100644
--- a/policy/modules/services/bitlbee.te
+++ b/policy/modules/services/bitlbee.te
-@@ -22,29 +22,47 @@ files_tmp_file(bitlbee_tmp_t)
+@@ -22,36 +22,58 @@ files_tmp_file(bitlbee_tmp_t)
type bitlbee_var_t;
files_type(bitlbee_var_t)
@@ -95527,11 +95609,12 @@ index f4e7ad3..c323651 100644
+manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
-+
++
kernel_read_system_state(bitlbee_t)
++kernel_read_kernel_sysctls(bitlbee_t)
corenet_all_recvfrom_unlabeled(bitlbee_t)
-@@ -52,6 +70,9 @@ corenet_udp_sendrecv_generic_if(bitlbee_t)
+ corenet_udp_sendrecv_generic_if(bitlbee_t)
corenet_udp_sendrecv_generic_node(bitlbee_t)
corenet_tcp_sendrecv_generic_if(bitlbee_t)
corenet_tcp_sendrecv_generic_node(bitlbee_t)
@@ -95541,7 +95624,7 @@ index f4e7ad3..c323651 100644
# Allow bitlbee to connect to jabber servers
corenet_tcp_connect_jabber_client_port(bitlbee_t)
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
-@@ -69,6 +90,11 @@ corenet_tcp_connect_http_port(bitlbee_t)
+@@ -69,6 +91,11 @@ corenet_tcp_connect_http_port(bitlbee_t)
corenet_tcp_sendrecv_http_port(bitlbee_t)
corenet_tcp_connect_http_cache_port(bitlbee_t)
corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
@@ -95670,10 +95753,10 @@ index 0000000..a66b2ff
+')
diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te
new file mode 100644
-index 0000000..34a5638
+index 0000000..84d98ac
--- /dev/null
+++ b/policy/modules/services/blueman.te
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,66 @@
+policy_module(blueman, 1.0.0)
+
+########################################
@@ -95729,6 +95812,11 @@ index 0000000..34a5638
+')
+
+optional_policy(`
++ dnsmasq_domtrans(blueman_t)
++ dnsmasq_read_pid_files(blueman_t)
++')
++
++optional_policy(`
+ gnome_search_gconf(blueman_t)
+')
+
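Review bot: dnsmasq_domtrans(blueman_t) and dnsmasq_read_pid_files(blueman_t) cover only the dnsmasq half of the changelog entry "Allow blueman to transition to ifconfig, dnsmasq"; the ifconfig transition is not in this hunk, so confirm it lives in another hunk of the patch or amend the changelog.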
@@ -100452,10 +100540,10 @@ index 0000000..168f664
+')
diff --git a/policy/modules/services/condor.te b/policy/modules/services/condor.te
new file mode 100644
-index 0000000..b17da05
+index 0000000..9469d58
--- /dev/null
+++ b/policy/modules/services/condor.te
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,250 @@
+policy_module(condor, 1.0.0)
+
+########################################
@@ -100482,6 +100570,9 @@ index 0000000..b17da05
+condor_domain_template(startd)
+condor_domain_template(procd)
+
++type condor_master_tmp_t;
++files_tmp_file(condor_master_tmp_t)
++
+type condor_schedd_tmp_t;
+files_tmp_file(condor_schedd_tmp_t)
+
@@ -100578,7 +100669,11 @@ index 0000000..b17da05
+
+allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
+
-+allow condor_master_t condor_domain:process signal;
++allow condor_master_t condor_domain:process { sigkill signal };
++
++manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
++manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
++files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
+
+corenet_tcp_bind_condor_port(condor_master_t)
+corenet_udp_bind_condor_port(condor_master_t)
@@ -100588,6 +100683,10 @@ index 0000000..b17da05
+
+auth_use_nsswitch(condor_master_t)
+
++optional_policy(`
++ mta_send_mail(condor_master_t)
++')
++
+######################################
+#
+# condor collector local policy
@@ -100621,6 +100720,9 @@ index 0000000..b17da05
+
+allow condor_procd_t self:capability { fowner chown dac_override sys_ptrace };
+
++allow condor_procd_t self:capability kill;
++allow condor_procd_t condor_startd_t:process sigkill;
++
+domain_read_all_domains_state(condor_procd_t)
+
+#######################################
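Review bot: `allow condor_procd_t self:capability kill;` repeats the class of the allow rule two lines above it; fold kill into that set, giving `allow condor_procd_t self:capability { fowner chown dac_override sys_ptrace kill };`. Restricting the new sigkill rule to condor_startd_t rather than the whole condor_domain attribute is good.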
@@ -103454,7 +103556,7 @@ index 305ddf4..d1b97fb 100644
+ filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
')
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..9ae73ae 100644
+index 0f28095..ba7a0bb 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -103613,7 +103715,16 @@ index 0f28095..9ae73ae 100644
')
optional_policy(`
-@@ -341,7 +367,7 @@ optional_policy(`
+@@ -336,12 +362,16 @@ optional_policy(`
+ udev_read_db(cupsd_t)
+ ')
+
++optional_policy(`
++ virt_rw_chr_files(cupsd_t)
++')
++
+ ########################################
+ #
# Cups configuration daemon local policy
#
@@ -103622,7 +103733,7 @@ index 0f28095..9ae73ae 100644
dontaudit cupsd_config_t self:capability sys_tty_config;
allow cupsd_config_t self:process { getsched signal_perms };
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -371,8 +397,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +401,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -103633,7 +103744,7 @@ index 0f28095..9ae73ae 100644
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-@@ -393,6 +420,10 @@ dev_read_sysfs(cupsd_config_t)
+@@ -393,6 +424,10 @@ dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
@@ -103644,7 +103755,7 @@ index 0f28095..9ae73ae 100644
files_search_all_mountpoints(cupsd_config_t)
-@@ -425,11 +456,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +460,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -103658,7 +103769,7 @@ index 0f28095..9ae73ae 100644
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
-@@ -453,6 +484,10 @@ optional_policy(`
+@@ -453,6 +488,10 @@ optional_policy(`
')
optional_policy(`
@@ -103669,7 +103780,7 @@ index 0f28095..9ae73ae 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +502,10 @@ optional_policy(`
+@@ -467,6 +506,10 @@ optional_policy(`
')
optional_policy(`
@@ -103680,7 +103791,7 @@ index 0f28095..9ae73ae 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -537,6 +576,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,6 +580,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
corenet_tcp_bind_generic_node(cupsd_lpd_t)
corenet_udp_bind_generic_node(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -103688,7 +103799,7 @@ index 0f28095..9ae73ae 100644
dev_read_urand(cupsd_lpd_t)
dev_read_rand(cupsd_lpd_t)
-@@ -587,23 +627,22 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,23 +631,22 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -103721,7 +103832,7 @@ index 0f28095..9ae73ae 100644
')
########################################
-@@ -613,6 +652,8 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -613,6 +656,8 @@ tunable_policy(`use_samba_home_dirs',`
# Needed for USB Scanneer and xsane
allow hplip_t self:capability { dac_override dac_read_search net_raw };
@@ -103730,7 +103841,7 @@ index 0f28095..9ae73ae 100644
dontaudit hplip_t self:capability sys_tty_config;
allow hplip_t self:fifo_file rw_fifo_file_perms;
allow hplip_t self:process signal_perms;
-@@ -635,11 +676,18 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+@@ -635,11 +680,18 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@@ -103750,7 +103861,7 @@ index 0f28095..9ae73ae 100644
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -647,6 +695,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+@@ -647,6 +699,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
@@ -103760,7 +103871,7 @@ index 0f28095..9ae73ae 100644
corenet_all_recvfrom_unlabeled(hplip_t)
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_generic_if(hplip_t)
-@@ -661,6 +712,8 @@ corenet_tcp_bind_generic_node(hplip_t)
+@@ -661,6 +716,8 @@ corenet_tcp_bind_generic_node(hplip_t)
corenet_udp_bind_generic_node(hplip_t)
corenet_tcp_bind_hplip_port(hplip_t)
corenet_tcp_connect_hplip_port(hplip_t)
@@ -103769,7 +103880,7 @@ index 0f28095..9ae73ae 100644
corenet_tcp_connect_ipp_port(hplip_t)
corenet_sendrecv_hplip_client_packets(hplip_t)
corenet_receive_hplip_server_packets(hplip_t)
-@@ -673,18 +726,20 @@ dev_read_rand(hplip_t)
+@@ -673,18 +730,20 @@ dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
dev_rw_usbfs(hplip_t)
@@ -103797,7 +103908,7 @@ index 0f28095..9ae73ae 100644
logging_send_syslog_msg(hplip_t)
-@@ -695,9 +750,12 @@ sysnet_read_config(hplip_t)
+@@ -695,9 +754,12 @@ sysnet_read_config(hplip_t)
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -108752,7 +108863,7 @@ index 0000000..1f39a80
+')
+
diff --git a/policy/modules/services/fetchmail.fc b/policy/modules/services/fetchmail.fc
-index 455c620..c263c70 100644
+index 455c620..ce5f3fd 100644
--- a/policy/modules/services/fetchmail.fc
+++ b/policy/modules/services/fetchmail.fc
@@ -1,3 +1,9 @@
@@ -108765,12 +108876,23 @@ index 455c620..c263c70 100644
#
# /etc
+@@ -15,5 +21,6 @@
+ # /var
+ #
+
++/var/log/fetchmail.* gen_context(system_u:object_r:fetchmail_log_t,s0)
+ /var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
+ /var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if
-index 6537214..8629354 100644
+index 6537214..406d62b 100644
--- a/policy/modules/services/fetchmail.if
+++ b/policy/modules/services/fetchmail.if
-@@ -18,7 +18,11 @@ interface(`fetchmail_admin',`
- type fetchmail_var_run_t;
+@@ -15,14 +15,20 @@
+ interface(`fetchmail_admin',`
+ gen_require(`
+ type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t;
+- type fetchmail_var_run_t;
++ type fetchmail_var_run_t, fetchmail_log_t;
')
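Review bot: the fetchmail.fc entry `/var/log/fetchmail.*` leaves the dot unescaped and has no `--` file-type field, unlike the two entries after it, so it matches any object whose name starts with fetchmail, directories included; write `/var/log/fetchmail\..*` or add ` --` depending on what fetchmail actually creates. The fetchmail_log_t addition to the gen_require block is consistent with the admin_pattern added further down.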
+ allow $1 fetchmail_t:process signal_perms;
@@ -108781,21 +108903,38 @@ index 6537214..8629354 100644
files_list_etc($1)
admin_pattern($1, fetchmail_etc_t)
+
++ admin_pattern($1, fetchmail_log_t)
++
+ admin_pattern($1, fetchmail_uidl_cache_t)
+
+ files_list_pids($1)
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
-index 3459d93..887540e 100644
+index 3459d93..b820ba5 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
-@@ -10,6 +10,9 @@ type fetchmail_exec_t;
+@@ -10,6 +10,12 @@ type fetchmail_exec_t;
init_daemon_domain(fetchmail_t, fetchmail_exec_t)
application_executable_file(fetchmail_exec_t)
+type fetchmail_home_t;
+userdom_user_home_content(fetchmail_home_t)
+
++type fetchmail_log_t;
++logging_log_file(fetchmail_log_t)
++
type fetchmail_var_run_t;
files_pid_file(fetchmail_var_run_t)
-@@ -41,6 +44,11 @@ manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+@@ -37,10 +43,19 @@ allow fetchmail_t fetchmail_etc_t:file read_file_perms;
+ allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
+ mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
+
++manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
++manage_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
++logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
++
+ manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file })
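Review bot: logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file }) carries no filename, so any file fetchmail creates directly in /var/log becomes fetchmail_log_t; if fetchmail writes a fixed name, a named transition matching the fc pattern would be tighter. Otherwise the new type is declared, given manage rules and added to fetchmail_admin consistently.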
@@ -108807,7 +108946,7 @@ index 3459d93..887540e 100644
kernel_read_kernel_sysctls(fetchmail_t)
kernel_list_proc(fetchmail_t)
kernel_getattr_proc_files(fetchmail_t)
-@@ -77,6 +85,8 @@ fs_search_auto_mountpoints(fetchmail_t)
+@@ -77,6 +92,8 @@ fs_search_auto_mountpoints(fetchmail_t)
domain_use_interactive_fds(fetchmail_t)
@@ -108816,7 +108955,7 @@ index 3459d93..887540e 100644
logging_send_syslog_msg(fetchmail_t)
miscfiles_read_localization(fetchmail_t)
-@@ -85,7 +95,10 @@ miscfiles_read_generic_certs(fetchmail_t)
+@@ -85,7 +102,10 @@ miscfiles_read_generic_certs(fetchmail_t)
sysnet_read_config(fetchmail_t)
userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
@@ -110805,7 +110944,7 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..469a6e3 100644
+index 4fde46b..58a7e51 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
@@ -8,25 +8,37 @@ policy_module(gnomeclock, 1.0.0)
@@ -110850,7 +110989,7 @@ index 4fde46b..469a6e3 100644
miscfiles_read_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-@@ -35,10 +47,34 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +47,35 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
@@ -110871,6 +111010,7 @@ index 4fde46b..469a6e3 100644
+
+optional_policy(`
+ gnome_manage_usr_config(gnomeclock_t)
++ gnome_manage_home_config(gnomeclock_t)
+')
+
+optional_policy(`
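Review bot: gnome_manage_home_config(gnomeclock_t) lets a system daemon create and write files in users' gnome home config, considerably broader than the gnome_manage_usr_config access on the line above it, and no changelog entry mentions gnomeclock at all; add the entry with the denial that motivated it, or use a narrower interface if only one file is written.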
@@ -116194,13 +116334,14 @@ index b681608..0934c95 100644
kernel_read_kernel_sysctls(memcached_t)
kernel_read_system_state(memcached_t)
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
-index 55a3e2f..93a06ee 100644
+index 55a3e2f..133f47b 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
-@@ -1,12 +1,20 @@
+@@ -1,13 +1,24 @@
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
++/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
@@ -116217,7 +116358,10 @@ index 55a3e2f..93a06ee 100644
+/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
++/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ /var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
++/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if
index ed1af3c..ac7822b 100644
--- a/policy/modules/services/milter.if
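Review bot: the opendkim entries label its runtime and spool directories dkim_milter_data_t, but nothing in this hunk labels opendkim's own key directory dkim_milter_private_key_t the way /etc/mail/dkim-milter/keys is labeled above; if opendkim keeps its signing keys elsewhere they will stay etc_t and be readable by every domain that can read etc_t, so check and add an fc entry for them.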
@@ -123668,6 +123812,369 @@ index 8b550f4..cae4941 100644
+optional_policy(`
+ unconfined_attach_tun_iface(openvpn_t)
+')
+diff --git a/policy/modules/services/openvswitch.fc b/policy/modules/services/openvswitch.fc
+new file mode 100644
+index 0000000..baf8d21
+--- /dev/null
++++ b/policy/modules/services/openvswitch.fc
+@@ -0,0 +1,15 @@
++/usr/lib/systemd/system/openvswitch.service -- gen_context(system_u:object_r:openvswitch_unit_file_t,s0)
++
++/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
++/usr/bin/ovs-vsctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
++/usr/sbin/ovsdb-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
++/usr/sbin/ovsdb-server -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
++/usr/sbin/ovs-vswitchd -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
++
++/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
++
++/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
++
++/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
++
++/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_rw_t,s0)
+diff --git a/policy/modules/services/openvswitch.if b/policy/modules/services/openvswitch.if
+new file mode 100644
+index 0000000..e2c300a
+--- /dev/null
++++ b/policy/modules/services/openvswitch.if
+@@ -0,0 +1,247 @@
++
++## <summary>policy for openvswitch</summary>
++
++########################################
++## <summary>
++## Execute TEMPLATE in the openvswitch domin.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`openvswitch_domtrans',`
++ gen_require(`
++ type openvswitch_t, openvswitch_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, openvswitch_exec_t, openvswitch_t)
++')
++########################################
++## <summary>
++## Read openvswitch's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`openvswitch_read_log',`
++ gen_require(`
++ type openvswitch_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
++')
++
++########################################
++## <summary>
++## Append to openvswitch log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openvswitch_append_log',`
++ gen_require(`
++ type openvswitch_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
++')
++
++########################################
++## <summary>
++## Manage openvswitch log files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openvswitch_manage_log',`
++ gen_require(`
++ type openvswitch_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, openvswitch_log_t, openvswitch_log_t)
++ manage_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
++ manage_lnk_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
++')
++
++########################################
++## <summary>
++## Search openvswitch lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openvswitch_search_lib',`
++ gen_require(`
++ type openvswitch_var_lib_t;
++ ')
++
++ allow $1 openvswitch_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++## Read openvswitch lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openvswitch_read_lib_files',`
++ gen_require(`
++ type openvswitch_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage openvswitch lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openvswitch_manage_lib_files',`
++ gen_require(`
++ type openvswitch_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage openvswitch lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openvswitch_manage_lib_dirs',`
++ gen_require(`
++ type openvswitch_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
++')
++
++########################################
++## <summary>
++## Read openvswitch PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openvswitch_read_pid_files',`
++ gen_require(`
++ type openvswitch_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t)
++')
++
++########################################
++## <summary>
++## Execute openvswitch server in the openvswitch domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`openvswitch_systemctl',`
++ gen_require(`
++ type openvswitch_t;
++ type openvswitch_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 openvswitch_unit_file_t:file read_file_perms;
++ allow $1 openvswitch_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, openvswitch_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an openvswitch environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`openvswitch_admin',`
++ gen_require(`
++ type openvswitch_t, openvswitch_log_t, openvswitch_var_lib_t;
++ type openvswitch_rw_t, openvswitch_var_run_t, openvswitch_unit_file_t;
++ ')
++
++ allow $1 openvswitch_t:process { ptrace signal_perms };
++ ps_process_pattern($1, openvswitch_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, openvswitch_rw_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, openvswitch_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, openvswitch_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, openvswitch_var_run_t)
++
++ openvswitch_systemctl($1)
++ admin_pattern($1, openvswitch_unit_file_t)
++ allow $1 openvswitch_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/policy/modules/services/openvswitch.te b/policy/modules/services/openvswitch.te
+new file mode 100644
+index 0000000..31370ed
+--- /dev/null
++++ b/policy/modules/services/openvswitch.te
+@@ -0,0 +1,83 @@
++policy_module(openvswitch, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type openvswitch_t;
++type openvswitch_exec_t;
++init_daemon_domain(openvswitch_t, openvswitch_exec_t)
++
++type openvswitch_rw_t;
++files_config_file(openvswitch_rw_t)
++
++type openvswitch_var_lib_t;
++files_type(openvswitch_var_lib_t)
++
++type openvswitch_log_t;
++logging_log_file(openvswitch_log_t)
++
++type openvswitch_var_run_t;
++files_pid_file(openvswitch_var_run_t)
++
++type openvswitch_unit_file_t;
++systemd_unit_file(openvswitch_unit_file_t)
++
++########################################
++#
++# openvswitch local policy
++#
++
++allow openvswitch_t self:capability { net_admin ipc_lock sys_nice sys_resource };
++allow openvswitch_t self:process { fork setsched setrlimit signal };
++allow openvswitch_t self:fifo_file rw_fifo_file_perms;
++allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow openvswitch_t self:netlink_socket create_socket_perms;
++
++can_exec(openvswitch_t, openvswitch_exec_t)
++
++manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
++manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
++manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
++
++manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
++manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
++manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
++files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
++
++manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
++manage_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
++manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
++logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
++
++manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
++manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
++manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
++manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
++files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
++
++kernel_read_network_state(openvswitch_t)
++kernel_read_system_state(openvswitch_t)
++
++corecmd_exec_bin(openvswitch_t)
++
++dev_read_urand(openvswitch_t)
++
++domain_use_interactive_fds(openvswitch_t)
++
++files_read_etc_files(openvswitch_t)
++
++fs_getattr_all_fs(openvswitch_t)
++fs_search_cgroup_dirs(openvswitch_t)
++
++auth_read_passwd(openvswitch_t)
++
++logging_send_syslog_msg(openvswitch_t)
++
++sysnet_dns_name_resolve(openvswitch_t)
++
++optional_policy(`
++ iptables_domtrans(openvswitch_t)
++')
++
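Review bot: the `openvswitch_domtrans` summary still reads "Execute TEMPLATE in the openvswitch domin." (a leftover placeholder word plus a typo); it should read "Execute openvswitch in the openvswitch domain." Two further problems in openvswitch.if: `openvswitch_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `openvswitch_admin` calls `systemd_read_fifo_file_passwd_run($1)`, and at most one of those spellings is defined in systemd.if, so the other will fail at build time; and in `openvswitch_admin` the first `logging_search_logs($1)` precedes `admin_pattern($1, openvswitch_rw_t)`, but `openvswitch_rw_t` is declared with `files_config_file` in openvswitch.te, so the matching search helper is `files_search_etc($1)`, leaving the second `logging_search_logs($1)` to cover `openvswitch_log_t`. The doc block of `openvswitch_admin` also declares a `role` parameter and `<rolecap/>` while the body never references `$2`; either drop that parameter from the documentation or add the role rules it promises.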
diff --git a/policy/modules/services/pacemaker.fc b/policy/modules/services/pacemaker.fc
new file mode 100644
index 0000000..4e915ab
@@ -127821,7 +128328,7 @@ index b524673..1cca3d2 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..2a05225 100644
+index 2af42e7..ff8abbe 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -127862,7 +128369,7 @@ index 2af42e7..2a05225 100644
#
-allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
-+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override };
++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
dontaudit pppd_t self:capability sys_tty_config;
-allow pppd_t self:process { getsched signal };
+allow pppd_t self:process { getsched setsched signal };
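Review bot: the `sys_nice` capability and the `setsched` process permission are the pair a `sched_setscheduler` call needs, but nothing in the hunk says so; this file annotates its other grants (for example `# allow running ip-up and ip-down scripts and running chat.`), so a one-line comment naming the syscall above the capability line would keep the next reader from trimming one half of the pair.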
@@ -127918,7 +128425,14 @@ index 2af42e7..2a05225 100644
# allow running ip-up and ip-down scripts and running chat.
corecmd_exec_bin(pppd_t)
-@@ -166,6 +172,8 @@ init_dontaudit_write_utmp(pppd_t)
+@@ -160,12 +166,15 @@ files_dontaudit_write_etc_files(pppd_t)
+
+ # for scripts
+ files_read_etc_files(pppd_t)
++files_read_usr_files(pppd_t)
+
+ init_read_utmp(pppd_t)
+ init_dontaudit_write_utmp(pppd_t)
init_signal_script(pppd_t)
auth_use_nsswitch(pppd_t)
@@ -127927,7 +128441,7 @@ index 2af42e7..2a05225 100644
logging_send_syslog_msg(pppd_t)
logging_send_audit_msgs(pppd_t)
-@@ -176,9 +184,10 @@ sysnet_exec_ifconfig(pppd_t)
+@@ -176,9 +185,10 @@ sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)
@@ -127939,7 +128453,7 @@ index 2af42e7..2a05225 100644
ppp_exec(pppd_t)
-@@ -187,13 +196,21 @@ optional_policy(`
+@@ -187,13 +197,21 @@ optional_policy(`
')
optional_policy(`
@@ -127962,7 +128476,7 @@ index 2af42e7..2a05225 100644
')
optional_policy(`
-@@ -243,14 +260,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +261,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
@@ -127982,7 +128496,7 @@ index 2af42e7..2a05225 100644
dev_read_sysfs(pptp_t)
-@@ -265,9 +286,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
+@@ -265,9 +287,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
corenet_raw_sendrecv_generic_node(pptp_t)
corenet_tcp_sendrecv_all_ports(pptp_t)
corenet_tcp_bind_generic_node(pptp_t)
@@ -128588,7 +129102,7 @@ index 2f1e529..8c0b242 100644
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
-index 2855a44..8b481cb 100644
+index 2855a44..ae8754a 100644
--- a/policy/modules/services/puppet.if
+++ b/policy/modules/services/puppet.if
@@ -8,6 +8,53 @@
@@ -128645,7 +129159,7 @@ index 2855a44..8b481cb 100644
################################################
## <summary>
## Read / Write to Puppet temp files. Puppet uses
-@@ -21,11 +68,126 @@
+@@ -21,11 +68,164 @@
## </summary>
## </param>
#
@@ -128736,6 +129250,44 @@ index 2855a44..8b481cb 100644
+ read_files_pattern($1, puppet_log_t, puppet_log_t)
+')
+
++#####################################
++## <summary>
++## Allow the specified domain to create puppet's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`puppet_create_log',`
++ gen_require(`
++ type puppet_log_t;
++ ')
++
++ logging_search_logs($1)
++ create_files_pattern($1, puppet_log_t, puppet_log_t)
++')
++
++####################################
++## <summary>
++## Allow the specified domain to append puppet's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`puppet_append_log',`
++ gen_require(`
++ type puppet_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, puppet_log_t, puppet_log_t)
++')
++
+####################################
+## <summary>
+## Allow the specified domain to read puppet's config files.
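Review bot: the summary of `puppet_append_log` reads "append puppet's log files"; the sibling interfaces use "read puppet's log files" / "create puppet's log files", so "Allow the specified domain to append to puppet's log files." would match them grammatically. Otherwise both new interfaces follow the existing `puppet_read_log` shape (`logging_search_logs($1)` plus the matching `*_files_pattern`), which is fine.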
@@ -132480,7 +133032,7 @@ index 0000000..6572600
+')
diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
new file mode 100644
-index 0000000..1bf96b9
+index 0000000..f00fee5
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.te
@@ -0,0 +1,81 @@
@@ -132516,7 +133068,7 @@ index 0000000..1bf96b9
+#
+
+allow rhsmcertd_t self:capability sys_nice;
-+allow rhsmcertd_t self:process setsched;
++allow rhsmcertd_t self:process { signal setsched };
+
+allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
+allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
@@ -141020,7 +141572,7 @@ index 54b8605..a04f013 100644
admin_pattern($1, tuned_var_run_t)
')
diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
-index db9d2a5..4808975 100644
+index db9d2a5..a029128 100644
--- a/policy/modules/services/tuned.te
+++ b/policy/modules/services/tuned.te
@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -141036,7 +141588,7 @@ index db9d2a5..4808975 100644
type tuned_log_t;
logging_log_file(tuned_log_t)
-@@ -22,24 +28,40 @@ files_pid_file(tuned_var_run_t)
+@@ -22,24 +28,41 @@ files_pid_file(tuned_var_run_t)
#
# tuned local policy
#
@@ -141050,6 +141602,7 @@ index db9d2a5..4808975 100644
+read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
+
+manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
++files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
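Review bot: `files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")` only fires when the file is created in an `etc_t` directory, but the line just above it, `manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)`, shows that `tuned_rw_etc_t` files live inside `tuned_etc_t` directories. If `active_profile` is created under the `tuned_etc_t` directory, a `filetrans_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t, file, "active_profile")` is the rule that will actually relabel it; keep the `etc_t` one only if the file is also created directly in `/etc`.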
@@ -141082,7 +141635,7 @@ index db9d2a5..4808975 100644
# to allow cpu tuning
dev_rw_netcontrol(tuned_t)
-@@ -47,17 +69,34 @@ files_read_etc_files(tuned_t)
+@@ -47,18 +70,39 @@ files_read_etc_files(tuned_t)
files_read_usr_files(tuned_t)
files_dontaudit_search_home(tuned_t)
@@ -141097,8 +141650,8 @@ index db9d2a5..4808975 100644
userdom_dontaudit_search_user_home_dirs(tuned_t)
+optional_policy(`
-+ dbus_system_bus_client(tuned_t)
-+ dbus_connect_system_bus(tuned_t)
++ dbus_system_bus_client(tuned_t)
++ dbus_connect_system_bus(tuned_t)
+')
+
# to allow disk tuning
@@ -141117,6 +141670,11 @@ index db9d2a5..4808975 100644
# to allow network interface tuning
optional_policy(`
sysnet_domtrans_ifconfig(tuned_t)
+ ')
++
++optional_policy(`
++ unconfined_dbus_send(tuned_t)
++')
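Review bot: `unconfined_dbus_send(tuned_t)` lets the daemon send D-Bus messages to the unconfined domain and is added without a comment, whereas every other optional block in this file states its purpose (`# to allow cpu tuning`, `# to allow disk tuning`, `# to allow network interface tuning`). Add a comment saying which client this serves, and confirm that a send in this direction is what is needed rather than a chat with the specific client domain.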
diff --git a/policy/modules/services/ucspitcp.if b/policy/modules/services/ucspitcp.if
index c1feba4..1f6f55b 100644
--- a/policy/modules/services/ucspitcp.if
@@ -142091,7 +142649,7 @@ index 2124b6a..674d931 100644
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..aafa852 100644
+index 7c5d8d8..6917f32 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -13,39 +13,45 @@
@@ -142450,7 +143008,7 @@ index 7c5d8d8..aafa852 100644
tunable_policy(`virt_use_nfs',`
fs_list_nfs($1)
-@@ -424,6 +582,24 @@ interface(`virt_read_images',`
+@@ -424,6 +582,42 @@ interface(`virt_read_images',`
########################################
## <summary>
@@ -142470,12 +143028,30 @@ index 7c5d8d8..aafa852 100644
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
+')
+
++#######################################
++## <summary>
++## Allow domain to read/write virt image chr files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`virt_rw_chr_files',`
++ gen_require(`
++ attribute virt_image_type;
++ ')
++
++ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
++')
++
+########################################
+## <summary>
## Create, read, write, and delete
## svirt cache files.
## </summary>
-@@ -433,15 +609,15 @@ interface(`virt_read_images',`
+@@ -433,15 +627,15 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
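Review bot: the separator above the new `virt_rw_chr_files` interface is one `#` shorter than the `########################################` used for `virt_read_blk_files` and the interface that follows, and its summary "Allow domain to read/write virt image chr files" lacks the trailing period the neighbouring summaries carry. Both are trivial, but this file is otherwise consistent.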
@@ -142496,7 +143072,7 @@ index 7c5d8d8..aafa852 100644
')
########################################
-@@ -466,18 +642,7 @@ interface(`virt_manage_images',`
+@@ -466,18 +660,7 @@ interface(`virt_manage_images',`
manage_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
rw_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -142516,7 +143092,7 @@ index 7c5d8d8..aafa852 100644
')
########################################
-@@ -500,10 +665,19 @@ interface(`virt_manage_images',`
+@@ -500,10 +683,19 @@ interface(`virt_manage_images',`
interface(`virt_admin',`
gen_require(`
type virtd_t, virtd_initrc_exec_t;
@@ -142537,7 +143113,7 @@ index 7c5d8d8..aafa852 100644
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -515,4 +689,249 @@ interface(`virt_admin',`
+@@ -515,4 +707,249 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@@ -142788,7 +143364,7 @@ index 7c5d8d8..aafa852 100644
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..7cf4bdb 100644
+index 3eca020..6d2aef0 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -1,60 +1,91 @@
@@ -142892,7 +143468,7 @@ index 3eca020..7cf4bdb 100644
type virt_etc_t;
files_config_file(virt_etc_t)
-@@ -62,23 +93,34 @@ files_config_file(virt_etc_t)
+@@ -62,23 +93,37 @@ files_config_file(virt_etc_t)
type virt_etc_rw_t;
files_type(virt_etc_rw_t)
@@ -142918,6 +143494,9 @@ index 3eca020..7cf4bdb 100644
type virt_log_t;
logging_log_file(virt_log_t)
+mls_trusted_object(virt_log_t)
++
++type virt_lock_t;
++files_lock_file(virt_lock_t)
type virt_var_run_t;
files_pid_file(virt_var_run_t)
@@ -142928,7 +143507,7 @@ index 3eca020..7cf4bdb 100644
type virtd_t;
type virtd_exec_t;
-@@ -89,6 +131,11 @@ domain_subj_id_change_exemption(virtd_t)
+@@ -89,6 +134,11 @@ domain_subj_id_change_exemption(virtd_t)
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@@ -142940,7 +143519,7 @@ index 3eca020..7cf4bdb 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -97,6 +144,35 @@ ifdef(`enable_mls',`
+@@ -97,6 +147,35 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -142976,7 +143555,7 @@ index 3eca020..7cf4bdb 100644
########################################
#
# svirt local policy
-@@ -104,15 +180,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +183,12 @@ ifdef(`enable_mls',`
allow svirt_t self:udp_socket create_socket_perms;
@@ -142993,7 +143572,7 @@ index 3eca020..7cf4bdb 100644
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -130,9 +203,17 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -130,9 +206,17 @@ corenet_tcp_connect_all_ports(svirt_t)
dev_list_sysfs(svirt_t)
@@ -143011,7 +143590,7 @@ index 3eca020..7cf4bdb 100644
tunable_policy(`virt_use_comm',`
term_use_unallocated_ttys(svirt_t)
-@@ -140,18 +221,26 @@ tunable_policy(`virt_use_comm',`
+@@ -140,18 +224,26 @@ tunable_policy(`virt_use_comm',`
')
tunable_policy(`virt_use_fusefs',`
@@ -143039,7 +143618,7 @@ index 3eca020..7cf4bdb 100644
')
tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +249,28 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +252,28 @@ tunable_policy(`virt_use_sysfs',`
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -143068,7 +143647,7 @@ index 3eca020..7cf4bdb 100644
xen_rw_image_files(svirt_t)
')
-@@ -173,22 +279,41 @@ optional_policy(`
+@@ -173,22 +282,41 @@ optional_policy(`
# virtd local policy
#
@@ -143117,7 +143696,7 @@ index 3eca020..7cf4bdb 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -199,9 +324,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -199,14 +327,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -143138,7 +143717,17 @@ index 3eca020..7cf4bdb 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +351,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+ logging_log_filetrans(virtd_t, virt_log_t, { file dir })
+
++manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
++manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
++manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
++files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file })
++
+ manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+ manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+ manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+@@ -217,9 +359,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
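Review bot: `files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file })` carries no filename, so every directory, file and symlink virtd_t creates in the lock directory will be labeled `virt_lock_t`; if libvirt only creates a known subdirectory there, naming it restricts the transition the way the `"libvirt-sandbox"` name does for `files_pid_filetrans` in virt.if. Also, `virt_lock_t` is a new type and none of the visible `virt_admin` context (`virt_manage_lib_files($1)`, `virt_manage_log($1)`) manages it, so `virt_admin` should gain `admin_pattern($1, virt_lock_t)` or a `virt_manage_lock` style interface.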
@@ -143154,7 +143743,7 @@ index 3eca020..7cf4bdb 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -239,22 +379,32 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +387,32 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -143188,7 +143777,7 @@ index 3eca020..7cf4bdb 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +412,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +420,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -143207,7 +143796,7 @@ index 3eca020..7cf4bdb 100644
mcs_process_set_categories(virtd_t)
-@@ -276,6 +438,8 @@ term_use_ptmx(virtd_t)
+@@ -276,6 +446,8 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -143216,14 +143805,14 @@ index 3eca020..7cf4bdb 100644
miscfiles_read_localization(virtd_t)
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
-@@ -285,16 +449,32 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +457,32 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
-
-+selinux_validate_context(virtd_t)
+
++selinux_validate_context(virtd_t)
+
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -143249,7 +143838,7 @@ index 3eca020..7cf4bdb 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +493,10 @@ optional_policy(`
+@@ -313,6 +501,10 @@ optional_policy(`
')
optional_policy(`
@@ -143260,7 +143849,7 @@ index 3eca020..7cf4bdb 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -326,19 +510,34 @@ optional_policy(`
+@@ -326,19 +518,34 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@@ -143296,7 +143885,7 @@ index 3eca020..7cf4bdb 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -353,6 +552,12 @@ optional_policy(`
+@@ -353,6 +560,12 @@ optional_policy(`
')
optional_policy(`
@@ -143309,7 +143898,7 @@ index 3eca020..7cf4bdb 100644
policykit_dbus_chat(virtd_t)
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
-@@ -360,11 +565,11 @@ optional_policy(`
+@@ -360,11 +573,11 @@ optional_policy(`
')
optional_policy(`
@@ -143326,7 +143915,7 @@ index 3eca020..7cf4bdb 100644
')
optional_policy(`
-@@ -375,6 +580,7 @@ optional_policy(`
+@@ -375,6 +588,7 @@ optional_policy(`
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
@@ -143334,7 +143923,7 @@ index 3eca020..7cf4bdb 100644
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
xen_read_image_files(virtd_t)
-@@ -394,20 +600,36 @@ optional_policy(`
+@@ -394,20 +608,36 @@ optional_policy(`
# virtual domains common policy
#
@@ -143374,7 +143963,7 @@ index 3eca020..7cf4bdb 100644
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)
-@@ -418,10 +640,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +648,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@@ -143388,7 +143977,7 @@ index 3eca020..7cf4bdb 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +653,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +661,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -143401,7 +143990,7 @@ index 3eca020..7cf4bdb 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,25 +666,445 @@ files_search_all(virt_domain)
+@@ -440,25 +674,445 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -147951,10 +148540,10 @@ index 1b6619e..232be41 100644
+ allow $1 application_domain_type:socket_class_set getattr;
+')
diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
-index c6fdab7..32f45fa 100644
+index c6fdab7..cc8a0e9 100644
--- a/policy/modules/system/application.te
+++ b/policy/modules/system/application.te
-@@ -6,6 +6,28 @@ attribute application_domain_type;
+@@ -6,6 +6,30 @@ attribute application_domain_type;
# Executables to be run by user
attribute application_exec_type;
@@ -147963,6 +148552,8 @@ index c6fdab7..32f45fa 100644
+userdom_inherit_append_user_home_content_files(application_domain_type)
+userdom_inherit_append_admin_home_files(application_domain_type)
+userdom_inherit_append_user_tmp_files(application_domain_type)
++userdom_rw_inherited_user_tmp_files(application_domain_type)
++userdom_rw_inherited_user_pipes(application_domain_type)
+logging_inherit_append_all_logs(application_domain_type)
+
+files_dontaudit_search_all_dirs(application_domain_type)
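Review bot: `userdom_rw_inherited_user_tmp_files` and `userdom_rw_inherited_user_pipes` are granted on the `application_domain_type` attribute, so every confined application domain gains read/write on inherited user tmp files and pipes at once rather than the domains that were observed needing it; the surrounding rules on this attribute are append-only (`*_inherit_append_*`) or dontaudit, so a short comment stating why the broader read/write is required here would help, and the tmp-files rule deserves a separate justification from the pipes one.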
@@ -150599,7 +151190,7 @@ index 94fd8dd..09f0ac4 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..efca7b7 100644
+index 29a9565..72897c6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -151573,7 +152164,7 @@ index 29a9565..efca7b7 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1287,166 @@ optional_policy(`
+@@ -854,3 +1287,170 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -151671,8 +152262,12 @@ index 29a9565..efca7b7 100644
+
+dontaudit systemprocess init_t:unix_stream_socket getattr;
+
++files_dontaudit_rw_inherited_locks(systemprocess)
++
+init_rw_inherited_script_tmp_files(systemprocess)
+
++logging_dontaudit_rw_inherited_generic_logs(systemprocess)
++
+tunable_policy(`init_systemd',`
+ # Handle upstart/systemd direct transition to a executable
+ allow init_t systemprocess:process { dyntransition siginh };
@@ -153276,7 +153871,7 @@ index 02f4c97..54c74fe 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 831b909..b9cff6d 100644
+index 831b909..a569590 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -153407,7 +154002,33 @@ index 831b909..b9cff6d 100644
## Read the auditd configuration files.
## </summary>
## <param name="domain">
-@@ -734,7 +830,25 @@ interface(`logging_append_all_logs',`
+@@ -625,6 +721,25 @@ interface(`logging_search_logs',`
+
+ #######################################
+ ## <summary>
++## Do not audit attempts to read/write inherited
++## locks (/var/lock).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_rw_inherited_locks',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++')
++
++#######################################
++## <summary>
+ ## Do not audit attempts to search the var log directory.
+ ## </summary>
+ ## <param name="domain">
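Review bot: `files_dontaudit_rw_inherited_locks` is added to logging.if but carries the `files_` prefix, and the only type it requires is `var_lock_t`, which belongs to the files module; interface names are expected to match the module that defines them, so either move this interface to files.if or rename it to a `logging_` prefix and keep it here. The `rw_inherited_file_perms` dontaudit itself is fine.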
+@@ -734,7 +849,25 @@ interface(`logging_append_all_logs',`
')
files_search_var($1)
@@ -153434,7 +154055,7 @@ index 831b909..b9cff6d 100644
')
########################################
-@@ -817,7 +931,7 @@ interface(`logging_manage_all_logs',`
+@@ -817,7 +950,7 @@ interface(`logging_manage_all_logs',`
files_search_var($1)
manage_files_pattern($1, logfile, logfile)
@@ -153443,7 +154064,7 @@ index 831b909..b9cff6d 100644
')
########################################
-@@ -843,6 +957,44 @@ interface(`logging_read_generic_logs',`
+@@ -843,6 +976,44 @@ interface(`logging_read_generic_logs',`
########################################
## <summary>
@@ -153488,7 +154109,32 @@ index 831b909..b9cff6d 100644
## Write generic log files.
## </summary>
## <param name="domain">
-@@ -942,11 +1094,16 @@ interface(`logging_admin_audit',`
+@@ -861,6 +1032,24 @@ interface(`logging_write_generic_logs',`
+ write_files_pattern($1, var_log_t, var_log_t)
+ ')
+
++#######################################
++## <summary>
++## Dontaudit read/Write inherited generic log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`logging_dontaudit_rw_inherited_generic_logs',`
++ gen_require(`
++ type var_log_t;
++ ')
++
++ dontaudit $1 var_log_t:file rw_inherited_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Dontaudit Write generic log files.
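Review bot: the summary "Dontaudit read/Write inherited generic log files." has a stray capital W; "Do not audit attempts to read/write inherited generic log files." matches the wording used by the other dontaudit interfaces in this file. The rule body correctly limits itself to `var_log_t`, as the name promises.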
+@@ -942,11 +1131,16 @@ interface(`logging_admin_audit',`
type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t;
type auditd_initrc_exec_t;
@@ -153506,7 +154152,7 @@ index 831b909..b9cff6d 100644
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
-@@ -962,6 +1119,33 @@ interface(`logging_admin_audit',`
+@@ -962,6 +1156,33 @@ interface(`logging_admin_audit',`
domain_system_change_exemption($1)
role_transition $2 auditd_initrc_exec_t system_r;
allow $2 system_r;
@@ -153540,7 +154186,7 @@ index 831b909..b9cff6d 100644
')
########################################
-@@ -990,10 +1174,15 @@ interface(`logging_admin_syslog',`
+@@ -990,10 +1211,15 @@ interface(`logging_admin_syslog',`
type syslogd_initrc_exec_t;
')
@@ -153558,7 +154204,7 @@ index 831b909..b9cff6d 100644
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1015,6 +1204,8 @@ interface(`logging_admin_syslog',`
+@@ -1015,6 +1241,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
@@ -153567,7 +154213,7 @@ index 831b909..b9cff6d 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1043,3 +1234,25 @@ interface(`logging_admin',`
+@@ -1043,3 +1271,25 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
@@ -153594,7 +154240,7 @@ index 831b909..b9cff6d 100644
+ files_spool_filetrans($1, audit_spool_t, dir, "audit")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..dec9390 100644
+index b6ec597..02eb381 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -5,6 +5,20 @@ policy_module(logging, 1.17.2)
@@ -153764,7 +154410,7 @@ index b6ec597..dec9390 100644
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -385,9 +432,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -385,18 +432,26 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -153780,7 +154426,18 @@ index b6ec597..dec9390 100644
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -426,10 +479,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+
+ kernel_read_system_state(syslogd_t)
++kernel_read_network_state(syslogd_t)
+ kernel_read_kernel_sysctls(syslogd_t)
+ kernel_read_proc_symlinks(syslogd_t)
+ # Allow access to /proc/kmsg for syslog-ng
+ kernel_read_messages(syslogd_t)
++kernel_request_load_module(syslogd_t)
+ kernel_clear_ring_buffer(syslogd_t)
+ kernel_change_ring_buffer_level(syslogd_t)
+
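Review bot: `kernel_request_load_module(syslogd_t)` lets the syslog daemon trigger kernel module autoloading and is added without a comment, while the adjacent `kernel_read_messages(syslogd_t)` is explained by `# Allow access to /proc/kmsg for syslog-ng`; a comment saying which module request syslogd makes would justify the grant, and the same goes for the new `kernel_read_network_state(syslogd_t)`.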
+@@ -426,10 +481,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
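Review bot: `kernel_request_load_module(syslogd_t)` in this hunk lets the syslog daemon trigger kernel module auto-loading, which is well beyond what a log collector normally needs, and the hunk gives no hint of which operation requires it. The neighbouring `kernel_read_messages(syslogd_t)` line carries a `# Allow access to /proc/kmsg for syslog-ng` comment; add a comparable comment above the new line naming the operation it satisfies (the AVC denial that prompted it would do), and check whether the daemon actually fails without it, because if the denial is harmless a dontaudit rule is the narrower fix. `kernel_read_network_state(syslogd_t)` is a read-only widening and is fine, but a one-line comment saying which syslog implementation reads the network state would help the next reviewer.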
@@ -153808,7 +154465,7 @@ index b6ec597..dec9390 100644
files_read_etc_files(syslogd_t)
files_read_usr_files(syslogd_t)
-@@ -447,7 +517,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
+@@ -447,7 +519,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
@@ -153818,7 +154475,7 @@ index b6ec597..dec9390 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -459,6 +531,7 @@ init_use_fds(syslogd_t)
+@@ -459,6 +533,7 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -153826,7 +154483,7 @@ index b6ec597..dec9390 100644
miscfiles_read_localization(syslogd_t)
-@@ -492,15 +565,29 @@ optional_policy(`
+@@ -492,15 +567,29 @@ optional_policy(`
')
optional_policy(`
@@ -160028,7 +160685,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..fc0e252 100644
+index 4b2878a..9feac30 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -162434,7 +163091,7 @@ index 4b2878a..fc0e252 100644
')
########################################
-@@ -3027,7 +3798,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3798,64 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -162478,10 +163135,29 @@ index 4b2878a..fc0e252 100644
+ ')
+
+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++## <summary>
++## Allow domain to read/write inherited users
++## fifo files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_rw_inherited_user_pipes',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
')
########################################
-@@ -3045,7 +3854,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3873,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
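Review bot: the new `userdom_rw_inherited_user_pipes` interface in this hunk allows read/write on fifo files of every `userdomain` type for whatever domain calls it, and per the changelog it is going to be called for all application domains, so its summary should state the scope precisely: the interface just above it in the hunk works on `user_tmp_t` fifos, this one works on pipes labeled with the `userdomain` attribute, and "inherited users fifo files" does not distinguish the two. Suggest `## Allow domain to read/write fifo files inherited from user domains (already-open descriptors only).` The only thing keeping this narrow is the use of `rw_inherited_fifo_file_perms` rather than `rw_fifo_file_perms`, so say so in the summary to discourage a later "fix" that adds open.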
@@ -162490,7 +163166,7 @@ index 4b2878a..fc0e252 100644
')
########################################
-@@ -3064,6 +3873,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3892,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -162498,7 +163174,7 @@ index 4b2878a..fc0e252 100644
kernel_search_proc($1)
')
-@@ -3140,6 +3950,42 @@ interface(`userdom_signal_all_users',`
+@@ -3140,6 +3969,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -162541,7 +163217,7 @@ index 4b2878a..fc0e252 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3160,6 +4006,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +4025,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -162566,7 +163242,7 @@ index 4b2878a..fc0e252 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3194,3 +4058,1285 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +4077,1285 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -163575,10 +164251,10 @@ index 4b2878a..fc0e252 100644
+#
+interface(`userdom_rw_inherited_user_home_sock_files',`
+ gen_require(`
-+ type user_home_t;
++ attribute user_home_type;
+ ')
+
-+ allow $1 user_home_t:sock_file write;
++ allow $1 user_home_type:sock_file write;
+')
+
+########################################
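Review bot: this hunk widens `userdom_rw_inherited_user_home_sock_files` from the single type `user_home_t` to the whole `user_home_type` attribute, so every existing caller silently gains write access to socket files under any home-directory type, not just `user_home_t`, and the hunk does not say which caller needed the wider scope. Add a comment naming it. While here, the interface is named `rw_` but grants only `write` on the sock file, so either rename it or document that read is intentionally omitted.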
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8f8aec5..8631fa8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 161%{?dist}
+Release: 162%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,33 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Dec 5 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-162
+- Backport openvswitch policy from F18
+- Allow logrotate to transition to openvswitch domain
+- opendkim should be a part of milter
+- Add filename transition for /etc/tuned/active_profile
+- Allow condor_master to send mails
+- Allow condor_master to create /tmp files/dirs
+- Allow condor_mater to send sigkill to other condor domains
+- Allow condor_procd sigkill capability
+- tuned-adm wants to talk with tuned daemon
+- Allow all application domains to use fifo_files passed in from userdomains
+- pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler"
+- Fix mozilla_plugin_can_network_connect to allow to connect to all ports
+- The host and a virtual machine can share the same printer on a usb device
+- Backport thumb.te from F18
+- Dontaudit leaks of locks or generic log files to systemprocesses
+- Allow blueman to transition to ifconfig, dnsmasq
+- Backport virt_lock_t from F18
+- Allow syslogd to request the kernel to load a module
+- Allow syslogd_t to read the network state information
+- Add awstats_purge_apache_log boolean
+- Allow ksysguardproces to read /.config/Trolltech.conf
+- Allow passenger to create and append puppet log files
+- Add puppet_append_log and puppet_create_log interfaces
+- Allow rhsmcertd to send signal to itself
+
+
* Wed Nov 21 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-161
- Add commands needed to get mock to build from staff_t in enforcing mode
- Allow dbus-daemon to read/write inherited removable devices
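Review bot: two spelling slips in the new changelog entry: `condor_mater` should be `condor_master` (it is spelled correctly two lines earlier in the same entry) and `ksysguardproces` looks truncated. The entry also ends with two blank `+` lines where the existing entries are separated by one; drop one of them.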