[selinux-policy/f18] - Allow setroubleshoot to getattr on all executables - Allow tuned to execute profiles scripts in /e
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Dec 5 13:46:18 UTC 2012
commit 9c7346238816576f2d9985342234a56ac780ef8d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Dec 5 14:45:02 2012 +0100
- Allow setroubleshoot to getattr on all executables
- Allow tuned to execute profiles scripts in /etc/tuned
- Allow apache to create directories to store its log files
- Allow all directories/files in /var/log starting with passenger to be labele
- Looks like apache is sending signal to openshift_initrc_t now, needs back port
- Allow Postfix to be configured to listen on TCP port 10026 for email from DS
- Add filename transition for /etc/tuned/active_profile
- Allow condor_master to send mails
- Allow condor_master to read submit.cf
- Allow condor_master to create /tmp files/dirs
- Allow condor_master to send sigkill to other condor domains
- Allow condor_procd sigkill capability
- tuned-adm wants to talk with tuned daemon
- Allow kadmind and krb5kdc to also list sssd_public_t
- Allow accountsd to dbus chat with init
- Fix git_read_generic_system_content_files() interface
- pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler"
- Fix mozilla_plugin_can_network_connect to allow to connect to all ports
- Label all munin plugins which are not covered by munin plugins policy as un
- dspam wants to search /var/spool for opendkim data
- Revert "Add support for tcp/10026 port as dspam_port_t"
- Turning on labeled networking requires additional access for netlabel_peer_t
- Allow all application domains to use fifo_files passed in from userdomains,
- Allow systemd_tmpfiles_t to setattr on mandb_cache_t
policy-rawhide.patch | 276 ++++++++++++++++++++++----------------
policy_contrib-rawhide.patch | 306 +++++++++++++++++++++++++++++-------------
selinux-policy.spec | 31 ++++-
3 files changed, 402 insertions(+), 211 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index d885a84..e97a802 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -114348,7 +114348,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index fe2ee5e..651978f 100644
+index fe2ee5e..7369e6c 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0)
@@ -114401,7 +114401,15 @@ index fe2ee5e..651978f 100644
type client_packet_t, packet_type, client_packet_type;
#
-@@ -59,6 +75,12 @@ sid port gen_context(system_u:object_r:port_t,s0)
+@@ -46,6 +62,7 @@ type client_packet_t, packet_type, client_packet_type;
+ #
+ type netlabel_peer_t;
+ sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
++mcs_untrusted_proc(netlabel_peer_t)
+
+ #
+ # port_t is the default type of INET port numbers.
+@@ -59,6 +76,12 @@ sid port gen_context(system_u:object_r:port_t,s0)
type unreserved_port_t, port_type, unreserved_port_type;
#
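Review bot: The added `mcs_untrusted_proc(netlabel_peer_t)` line is the only call in this block without an explanatory comment, while each neighbouring declaration in corenetwork.te.in carries a `#` header. netlabel_peer_t is a peer label created at mls_systemhigh (the `sid netmsg` line just above), not a process domain, so why an interface named for MCS processes applies to it is not obvious from the hunk; the commit message only ties the change to labeled networking. I'd add `# needed when labeled networking is enabled (see the netlabel_peer_t ingress/recvfrom rules below)` above the call, or, if the real dependency is on MCS category constraints rather than on those later rules, state that instead.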
@@ -114414,7 +114422,7 @@ index fe2ee5e..651978f 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
-@@ -74,30 +96,39 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+@@ -74,30 +97,39 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
type server_packet_t, packet_type, server_packet_type;
network_port(afs_bos, udp,7007,s0)
@@ -114455,7 +114463,7 @@ index fe2ee5e..651978f 100644
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -108,14 +139,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -108,14 +140,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
@@ -114479,7 +114487,7 @@ index fe2ee5e..651978f 100644
network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
-@@ -123,104 +163,139 @@ network_port(hadoop_datanode, tcp,50010,s0)
+@@ -123,104 +164,139 @@ network_port(hadoop_datanode, tcp,50010,s0)
network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
@@ -114638,7 +114646,7 @@ index fe2ee5e..651978f 100644
network_port(transproxy, tcp,8081,s0)
network_port(ups, tcp,3493,s0)
network_port(utcpserver) # no defined portcon
-@@ -228,9 +303,12 @@ network_port(uucpd, tcp,540,s0)
+@@ -228,9 +304,12 @@ network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -114652,7 +114660,7 @@ index fe2ee5e..651978f 100644
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -242,17 +320,22 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -242,17 +321,22 @@ network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -114677,7 +114685,7 @@ index fe2ee5e..651978f 100644
########################################
#
-@@ -297,9 +380,22 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -297,9 +381,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -114702,6 +114710,8 @@ index fe2ee5e..651978f 100644
+
+allow netlabel_peer_type netlabel_peer_t:peer recv;
+allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
++allow netlabel_peer_t netif_t:netif ingress;
++allow netlabel_peer_t node_t:node recvfrom;
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
index 3f6e168..51ad69a 100644
--- a/policy/modules/kernel/corenetwork.te.m4
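Review bot: The two new rules grant netlabel_peer_t `ingress` and `recvfrom` only on the default `netif_t` and `node_t` types, whereas the unconfined rules a few lines earlier in the same file use the `netif_type`/`node_type` attributes. On a system that labels interfaces or nodes with non-default types via netifcon/nodecon, labeled-network traffic through them would presumably still be denied; whether that narrowing is deliberate cannot be told from the hunk. The narrower grant is the safer one if it is sufficient, so if so a comment such as `# labeled networking: default interface/node only; other netif/node types need their own rules` makes the limit explicit, and otherwise `allow netlabel_peer_t netif_type:netif ingress;` / `allow netlabel_peer_t node_type:node recvfrom;` are the attribute forms. The inner corenetwork.te.in hunk ends at the next file header, so any related rules below it are not visible here.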
@@ -117642,7 +117652,7 @@ index 8796ca3..c2055b3 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..74f20a1 100644
+index e1e814d..d042988 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -117662,15 +117672,12 @@ index e1e814d..74f20a1 100644
allow $1 non_security_file_type:file mounton;
')
-@@ -618,6 +619,64 @@ interface(`files_dontaudit_getattr_non_security_files',`
- dontaudit $1 non_security_file_type:file getattr;
- ')
+@@ -620,6 +621,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to search
-+## of non security dirs.
+ ########################################
+ ## <summary>
++## Do not audit attempts to search
++## non security dirs.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -117724,10 +117731,12 @@ index e1e814d..74f20a1 100644
+ dontaudit $1 non_security_file_type:dir setattr;
+')
+
- ########################################
- ## <summary>
++########################################
++## <summary>
## Read all files.
-@@ -683,12 +742,82 @@ interface(`files_read_non_security_files',`
+ ## </summary>
+ ## <param name="domain">
+@@ -683,12 +741,82 @@ interface(`files_read_non_security_files',`
attribute non_security_file_type;
')
@@ -117810,7 +117819,7 @@ index e1e814d..74f20a1 100644
## Read all directories on the filesystem, except
## the listed exceptions.
## </summary>
-@@ -953,6 +1082,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+@@ -953,6 +1081,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
########################################
## <summary>
@@ -117836,7 +117845,7 @@ index e1e814d..74f20a1 100644
## Get the attributes of all named sockets.
## </summary>
## <param name="domain">
-@@ -1073,10 +1221,8 @@ interface(`files_relabel_all_files',`
+@@ -1073,10 +1220,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -117849,7 +117858,7 @@ index e1e814d..74f20a1 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1655,6 +1801,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1655,6 +1800,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
## <summary>
@@ -117874,7 +117883,7 @@ index e1e814d..74f20a1 100644
## Do not audit attempts to write to mount points.
## </summary>
## <param name="domain">
-@@ -1673,6 +1837,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1673,6 +1836,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
########################################
## <summary>
@@ -117899,7 +117908,7 @@ index e1e814d..74f20a1 100644
## List the contents of the root directory.
## </summary>
## <param name="domain">
-@@ -1856,6 +2038,42 @@ interface(`files_delete_root_dir_entry',`
+@@ -1856,6 +2037,42 @@ interface(`files_delete_root_dir_entry',`
########################################
## <summary>
@@ -117942,7 +117951,7 @@ index e1e814d..74f20a1 100644
## Unmount a rootfs filesystem.
## </summary>
## <param name="domain">
-@@ -1874,6 +2092,24 @@ interface(`files_unmount_rootfs',`
+@@ -1874,6 +2091,24 @@ interface(`files_unmount_rootfs',`
########################################
## <summary>
@@ -117967,7 +117976,7 @@ index e1e814d..74f20a1 100644
## Get attributes of the /boot directory.
## </summary>
## <param name="domain">
-@@ -2573,6 +2809,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2573,6 +2808,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -117992,7 +118001,7 @@ index e1e814d..74f20a1 100644
##########################################
## <summary>
## Manage generic directories in /etc
-@@ -2644,6 +2898,7 @@ interface(`files_read_etc_files',`
+@@ -2644,6 +2897,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -118000,7 +118009,7 @@ index e1e814d..74f20a1 100644
')
########################################
-@@ -2652,7 +2907,7 @@ interface(`files_read_etc_files',`
+@@ -2652,7 +2906,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -118009,7 +118018,7 @@ index e1e814d..74f20a1 100644
## </summary>
## </param>
#
-@@ -2708,6 +2963,25 @@ interface(`files_manage_etc_files',`
+@@ -2708,6 +2962,25 @@ interface(`files_manage_etc_files',`
########################################
## <summary>
@@ -118035,7 +118044,7 @@ index e1e814d..74f20a1 100644
## Delete system configuration files in /etc.
## </summary>
## <param name="domain">
-@@ -2726,6 +3000,24 @@ interface(`files_delete_etc_files',`
+@@ -2726,6 +2999,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
@@ -118060,7 +118069,7 @@ index e1e814d..74f20a1 100644
## Execute generic files in /etc.
## </summary>
## <param name="domain">
-@@ -2891,24 +3183,6 @@ interface(`files_delete_boot_flag',`
+@@ -2891,24 +3182,6 @@ interface(`files_delete_boot_flag',`
########################################
## <summary>
@@ -118085,7 +118094,7 @@ index e1e814d..74f20a1 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -2949,9 +3223,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -2949,9 +3222,7 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
@@ -118096,7 +118105,7 @@ index e1e814d..74f20a1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2959,12 +3231,50 @@ interface(`files_read_etc_runtime_files',`
+@@ -2959,12 +3230,50 @@ interface(`files_read_etc_runtime_files',`
## </summary>
## </param>
#
@@ -118149,7 +118158,7 @@ index e1e814d..74f20a1 100644
')
########################################
-@@ -2986,6 +3296,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2986,6 +3295,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -118157,7 +118166,7 @@ index e1e814d..74f20a1 100644
')
########################################
-@@ -3007,6 +3318,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3007,6 +3317,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -118165,7 +118174,7 @@ index e1e814d..74f20a1 100644
')
########################################
-@@ -3135,6 +3447,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3135,6 +3446,25 @@ interface(`files_delete_isid_type_dirs',`
########################################
## <summary>
@@ -118191,7 +118200,7 @@ index e1e814d..74f20a1 100644
## Create, read, write, and delete directories
## on new filesystems that have not yet been labeled.
## </summary>
-@@ -3382,6 +3713,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3382,6 +3712,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
## <summary>
@@ -118217,7 +118226,7 @@ index e1e814d..74f20a1 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
## </summary>
-@@ -3723,20 +4073,38 @@ interface(`files_list_mnt',`
+@@ -3723,20 +4072,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@@ -118261,7 +118270,7 @@ index e1e814d..74f20a1 100644
')
########################################
-@@ -4126,6 +4494,127 @@ interface(`files_read_world_readable_sockets',`
+@@ -4126,6 +4493,127 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -118389,7 +118398,7 @@ index e1e814d..74f20a1 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -4148,6 +4637,26 @@ interface(`files_associate_tmp',`
+@@ -4148,6 +4636,26 @@ interface(`files_associate_tmp',`
########################################
## <summary>
@@ -118416,7 +118425,7 @@ index e1e814d..74f20a1 100644
## Get the attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -4161,6 +4670,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4161,6 +4669,7 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -118424,7 +118433,7 @@ index e1e814d..74f20a1 100644
allow $1 tmp_t:dir getattr;
')
-@@ -4171,7 +4681,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4171,7 +4680,7 @@ interface(`files_getattr_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -118433,7 +118442,7 @@ index e1e814d..74f20a1 100644
## </summary>
## </param>
#
-@@ -4198,6 +4708,7 @@ interface(`files_search_tmp',`
+@@ -4198,6 +4707,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -118441,7 +118450,7 @@ index e1e814d..74f20a1 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4234,6 +4745,7 @@ interface(`files_list_tmp',`
+@@ -4234,6 +4744,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -118449,7 +118458,7 @@ index e1e814d..74f20a1 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4243,7 +4755,7 @@ interface(`files_list_tmp',`
+@@ -4243,7 +4754,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -118458,7 +118467,7 @@ index e1e814d..74f20a1 100644
## </summary>
## </param>
#
-@@ -4255,6 +4767,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4255,6 +4766,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -118484,7 +118493,7 @@ index e1e814d..74f20a1 100644
########################################
## <summary>
## Remove entries from the tmp directory.
-@@ -4270,6 +4801,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4270,6 +4800,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -118492,7 +118501,7 @@ index e1e814d..74f20a1 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4311,6 +4843,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4311,6 +4842,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -118525,7 +118534,7 @@ index e1e814d..74f20a1 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4365,6 +4923,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4365,6 +4922,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -118568,7 +118577,7 @@ index e1e814d..74f20a1 100644
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
-@@ -4383,6 +4977,42 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4383,6 +4976,42 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
## <summary>
@@ -118611,7 +118620,7 @@ index e1e814d..74f20a1 100644
## List all tmp directories.
## </summary>
## <param name="domain">
-@@ -4428,7 +5058,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4428,7 +5057,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -118620,7 +118629,7 @@ index e1e814d..74f20a1 100644
## </summary>
## </param>
#
-@@ -4488,7 +5118,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4488,7 +5117,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -118629,7 +118638,7 @@ index e1e814d..74f20a1 100644
## </summary>
## </param>
#
-@@ -4573,6 +5203,16 @@ interface(`files_purge_tmp',`
+@@ -4573,6 +5202,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -118646,7 +118655,7 @@ index e1e814d..74f20a1 100644
')
########################################
-@@ -5150,12 +5790,30 @@ interface(`files_list_var',`
+@@ -5150,12 +5789,30 @@ interface(`files_list_var',`
########################################
## <summary>
@@ -118680,7 +118689,7 @@ index e1e814d..74f20a1 100644
## </summary>
## </param>
#
-@@ -5505,6 +6163,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5505,6 +6162,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -118706,7 +118715,7 @@ index e1e814d..74f20a1 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5550,7 +6227,7 @@ interface(`files_manage_mounttab',`
+@@ -5550,7 +6226,7 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -118715,7 +118724,7 @@ index e1e814d..74f20a1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5558,12 +6235,13 @@ interface(`files_manage_mounttab',`
+@@ -5558,12 +6234,13 @@ interface(`files_manage_mounttab',`
## </summary>
## </param>
#
@@ -118731,7 +118740,7 @@ index e1e814d..74f20a1 100644
')
########################################
-@@ -5581,6 +6259,7 @@ interface(`files_search_locks',`
+@@ -5581,6 +6258,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -118739,7 +118748,7 @@ index e1e814d..74f20a1 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5607,7 +6286,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5607,7 +6285,26 @@ interface(`files_dontaudit_search_locks',`
########################################
## <summary>
@@ -118767,7 +118776,7 @@ index e1e814d..74f20a1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5615,13 +6313,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5615,13 +6312,12 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -118784,7 +118793,7 @@ index e1e814d..74f20a1 100644
')
########################################
-@@ -5640,7 +6337,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5640,7 +6336,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -118793,7 +118802,7 @@ index e1e814d..74f20a1 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5673,7 +6370,6 @@ interface(`files_create_lock_dirs',`
+@@ -5673,7 +6369,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -118801,7 +118810,7 @@ index e1e814d..74f20a1 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5701,8 +6397,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5701,8 +6396,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -118811,7 +118820,7 @@ index e1e814d..74f20a1 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5718,13 +6413,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5718,13 +6412,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -118829,7 +118838,7 @@ index e1e814d..74f20a1 100644
')
########################################
-@@ -5743,8 +6437,7 @@ interface(`files_manage_generic_locks',`
+@@ -5743,8 +6436,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -118839,7 +118848,7 @@ index e1e814d..74f20a1 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5786,8 +6479,7 @@ interface(`files_read_all_locks',`
+@@ -5786,8 +6478,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -118849,7 +118858,7 @@ index e1e814d..74f20a1 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5809,8 +6501,7 @@ interface(`files_manage_all_locks',`
+@@ -5809,8 +6500,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -118859,7 +118868,7 @@ index e1e814d..74f20a1 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5847,8 +6538,7 @@ interface(`files_lock_filetrans',`
+@@ -5847,8 +6537,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -118869,7 +118878,7 @@ index e1e814d..74f20a1 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5911,6 +6601,43 @@ interface(`files_search_pids',`
+@@ -5911,6 +6600,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -118913,7 +118922,7 @@ index e1e814d..74f20a1 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5933,6 +6660,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5933,6 +6659,25 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -118939,7 +118948,7 @@ index e1e814d..74f20a1 100644
## List the contents of the runtime process
## ID directories (/var/run).
## </summary>
-@@ -6048,7 +6794,6 @@ interface(`files_pid_filetrans',`
+@@ -6048,7 +6793,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -118947,7 +118956,7 @@ index e1e814d..74f20a1 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6157,30 +6902,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6157,30 +6901,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -118982,7 +118991,7 @@ index e1e814d..74f20a1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6188,43 +6928,35 @@ interface(`files_read_all_pids',`
+@@ -6188,43 +6927,35 @@ interface(`files_read_all_pids',`
## </summary>
## </param>
#
@@ -119033,7 +119042,7 @@ index e1e814d..74f20a1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6232,21 +6964,17 @@ interface(`files_delete_all_pids',`
+@@ -6232,21 +6963,17 @@ interface(`files_delete_all_pids',`
## </summary>
## </param>
#
@@ -119058,7 +119067,7 @@ index e1e814d..74f20a1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6254,56 +6982,59 @@ interface(`files_delete_all_pid_dirs',`
+@@ -6254,56 +6981,59 @@ interface(`files_delete_all_pid_dirs',`
## </summary>
## </param>
#
@@ -119134,7 +119143,7 @@ index e1e814d..74f20a1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6311,18 +7042,17 @@ interface(`files_list_spool',`
+@@ -6311,18 +7041,17 @@ interface(`files_list_spool',`
## </summary>
## </param>
#
@@ -119157,7 +119166,7 @@ index e1e814d..74f20a1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6330,19 +7060,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6330,19 +7059,18 @@ interface(`files_manage_generic_spool_dirs',`
## </summary>
## </param>
#
@@ -119182,7 +119191,7 @@ index e1e814d..74f20a1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6350,55 +7079,62 @@ interface(`files_read_generic_spool',`
+@@ -6350,55 +7078,62 @@ interface(`files_read_generic_spool',`
## </summary>
## </param>
#
@@ -119269,7 +119278,7 @@ index e1e814d..74f20a1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6406,25 +7142,283 @@ interface(`files_spool_filetrans',`
+@@ -6406,25 +7141,283 @@ interface(`files_spool_filetrans',`
## </summary>
## </param>
#
@@ -119568,7 +119577,7 @@ index e1e814d..74f20a1 100644
# is remounted for polyinstantiation aware programs (like gdm)
allow $1 polyparent:dir { getattr mounton };
-@@ -6467,3 +7461,457 @@ interface(`files_unconfined',`
+@@ -6467,3 +7460,457 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -120027,7 +120036,7 @@ index e1e814d..74f20a1 100644
+')
+
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 52ef84e..932cc01 100644
+index 52ef84e..45cb0bc 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -5,12 +5,16 @@ policy_module(files, 1.17.0)
@@ -120090,17 +120099,15 @@ index 52ef84e..932cc01 100644
files_type(etc_runtime_t)
#Temporarily in policy until FC5 dissappears
typealias etc_runtime_t alias firstboot_rw_t;
-@@ -79,8 +95,7 @@ typealias etc_runtime_t alias firstboot_rw_t;
- # assigned an extended attribute (EA) value (when using a filesystem
- # that supports EAs).
+@@ -81,6 +97,7 @@ typealias etc_runtime_t alias firstboot_rw_t;
#
--type file_t;
--files_mountpoint(file_t)
-+type file_t, security_file_type, mountpoint;
+ type file_t;
+ files_mountpoint(file_t)
++files_base_file(file_t)
kernel_rootfs_mountpoint(file_t)
sid file gen_context(system_u:object_r:file_t,s0)
-@@ -89,6 +104,7 @@ sid file gen_context(system_u:object_r:file_t,s0)
+@@ -89,6 +106,7 @@ sid file gen_context(system_u:object_r:file_t,s0)
# are created
#
type home_root_t;
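Review bot: The rewritten file_t hunk drops the earlier patch's direct `type file_t, security_file_type, mountpoint;` declaration and instead keeps upstream's `type file_t;` / `files_mountpoint(file_t)` and adds `files_base_file(file_t)`. Unless files_base_file() also attaches security_file_type (its definition is not in this hunk), file_t, the label of unlabeled files, may now fall under non_security_file_type and therefore under every `files_*_non_security_*` interface, including the dontaudit this commit adds for application domains; worth confirming against the files.if part of the patch. A one-line comment above the call stating whether file_t is still meant to be excluded from non-security grants would document the decision. The inner files.te hunk continues past this outer hunk.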
@@ -120108,7 +120115,7 @@ index 52ef84e..932cc01 100644
files_mountpoint(home_root_t)
files_poly_parent(home_root_t)
-@@ -96,12 +112,13 @@ files_poly_parent(home_root_t)
+@@ -96,12 +114,13 @@ files_poly_parent(home_root_t)
# lost_found_t is the type for the lost+found directories.
#
type lost_found_t;
@@ -120123,7 +120130,7 @@ index 52ef84e..932cc01 100644
files_mountpoint(mnt_t)
#
-@@ -123,6 +140,7 @@ files_type(readable_t)
+@@ -123,6 +142,7 @@ files_type(readable_t)
# root_t is the type for rootfs and the root directory.
#
type root_t;
@@ -120131,7 +120138,7 @@ index 52ef84e..932cc01 100644
files_mountpoint(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
-@@ -133,52 +151,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+@@ -133,52 +153,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
#
type src_t;
files_mountpoint(src_t)
@@ -120195,7 +120202,7 @@ index 52ef84e..932cc01 100644
files_pid_file(var_run_t)
files_mountpoint(var_run_t)
-@@ -186,7 +215,9 @@ files_mountpoint(var_run_t)
+@@ -186,7 +217,9 @@ files_mountpoint(var_run_t)
# var_spool_t is the type of /var/spool
#
type var_spool_t;
@@ -120205,7 +120212,7 @@ index 52ef84e..932cc01 100644
########################################
#
-@@ -225,10 +256,11 @@ fs_associate_tmpfs(tmpfsfile)
+@@ -225,10 +258,11 @@ fs_associate_tmpfs(tmpfsfile)
# Create/access any file in a labeled filesystem;
allow files_unconfined_type file_type:{ file chr_file } ~execmod;
allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
@@ -130834,10 +130841,10 @@ index 1b6619e..219acba 100644
+ allow $1 application_domain_type:socket_class_set getattr;
+')
diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
-index c6fdab7..0118d30 100644
+index c6fdab7..c59902a 100644
--- a/policy/modules/system/application.te
+++ b/policy/modules/system/application.te
-@@ -6,6 +6,28 @@ attribute application_domain_type;
+@@ -6,6 +6,30 @@ attribute application_domain_type;
# Executables to be run by user
attribute application_exec_type;
@@ -130846,6 +130853,8 @@ index c6fdab7..0118d30 100644
+userdom_inherit_append_user_home_content_files(application_domain_type)
+userdom_inherit_append_admin_home_files(application_domain_type)
+userdom_inherit_append_user_tmp_files(application_domain_type)
++userdom_rw_inherited_user_tmp_files(application_domain_type)
++userdom_rw_inherited_user_pipes(application_domain_type)
+logging_inherit_append_all_logs(application_domain_type)
+
+files_dontaudit_search_non_security_dirs(application_domain_type)
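Review bot: The two added calls extend read/write access on inherited user tmp files and user fifo files to every domain carrying application_domain_type, with no comment on why, unlike the surrounding inherit_append lines. `userdom_rw_inherited_user_pipes` is defined later in this same commit (the userdomain.if hunk, which runs past the end of this excerpt) with `rw_inherited_fifo_file_perms`, so presumably only descriptors passed in from a user domain are covered and not opening the fifo; `userdom_rw_inherited_user_tmp_files` is not visible here, so its permission set should be checked the same way. I'd add `# fds handed to applications by user domains (inherited tmp files and pipes); no open permission` above the pair, once the permission sets are confirmed.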
@@ -142193,10 +142202,10 @@ index 0000000..5d53f08
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..538bb15
+index 0000000..5b669b8
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,449 @@
+@@ -0,0 +1,450 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -142525,6 +142534,7 @@ index 0000000..538bb15
+miscfiles_filetrans_named_content(systemd_tmpfiles_t)
+miscfiles_manage_man_pages(systemd_tmpfiles_t)
+miscfiles_relabel_man_pages(systemd_tmpfiles_t)
++miscfiles_delete_man_pages(systemd_tmpfiles_t)
+
+seutil_read_config(systemd_tmpfiles_t)
+seutil_read_file_contexts(systemd_tmpfiles_t)
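Review bot: `miscfiles_delete_man_pages(systemd_tmpfiles_t)` grants deletion of man pages, but the commit description mentions only setattr on mandb_cache_t for systemd_tmpfiles_t, so the reason for the delete right is undocumented. A comment next to the call naming the tmpfiles.d entry that needs it would tie the grant to its use, so it is not widened further later without cause. The systemd_tmpfiles_t rule block continues outside this hunk.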
@@ -143995,7 +144005,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..89e714c 100644
+index e720dcd..69b008a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -146510,7 +146520,7 @@ index e720dcd..89e714c 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3142,54 +3888,54 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3142,36 +3888,37 @@ interface(`userdom_write_user_tmp_files',`
## </summary>
## </param>
#
@@ -146553,44 +146563,66 @@ index e720dcd..89e714c 100644
########################################
## <summary>
-## Get the attributes of all user domains.
-+## Do not audit attempts to use user ttys.
++## Allow domain to read/write inherited users
++## fifo files.
## </summary>
## <param name="domain">
## <summary>
--## Domain allowed access.
-+## Domain to not audit.
+@@ -3179,40 +3926,96 @@ interface(`userdom_read_all_users_state',`
## </summary>
## </param>
#
-interface(`userdom_getattr_all_users',`
-+interface(`userdom_dontaudit_use_user_ttys',`
++interface(`userdom_rw_inherited_user_pipes',`
gen_require(`
-- attribute userdomain;
-+ type user_tty_device_t;
+ attribute userdomain;
')
- allow $1 userdomain:process getattr;
-+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
-## Inherit the file descriptors from all user domains
-+## Read the process state of all user domains.
++## Do not audit attempts to use user ttys.
## </summary>
## <param name="domain">
## <summary>
-@@ -3197,12 +3943,50 @@ interface(`userdom_getattr_all_users',`
+-## Domain allowed access.
++## Domain to not audit.
## </summary>
## </param>
#
-interface(`userdom_use_all_users_fds',`
-+interface(`userdom_read_all_users_state',`
++interface(`userdom_dontaudit_use_user_ttys',`
gen_require(`
- attribute userdomain;
+- attribute userdomain;
++ type user_tty_device_t;
')
- allow $1 userdomain:fd use;
++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to inherit the file
+-## descriptors from any user domains.
++## Read the process state of all user domains.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_read_all_users_state',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
+ read_files_pattern($1, userdomain, userdomain)
+ read_lnk_files_pattern($1,userdomain,userdomain)
+ kernel_search_proc($1)
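Review bot: The summary of the new `userdom_rw_inherited_user_pipes` reads `Allow domain to read/write inherited users fifo files`, which does not say what distinguishes it from an ordinary read/write interface: it grants `rw_inherited_fifo_file_perms`, a permission set meant for descriptors the caller already holds open (presumably without `open`), so the domain cannot open user pipes by name. Spell that out and fix the grammar, e.g. `## Read and write user domain fifo files whose descriptors were inherited; does not allow opening them.` The rest of this hunk is a re-ordering of existing interfaces and needs no change.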
@@ -146630,10 +146662,20 @@ index e720dcd..89e714c 100644
+ ')
+
+ allow $1 userdomain:fd use;
- ')
-
- ########################################
-@@ -3242,6 +4026,42 @@ interface(`userdom_signal_all_users',`
++')
++
++########################################
++## <summary>
++## Do not audit attempts to inherit the file
++## descriptors from any user domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+@@ -3242,6 +4045,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -146676,7 +146718,7 @@ index e720dcd..89e714c 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3262,6 +4082,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3262,6 +4101,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -146701,7 +146743,7 @@ index e720dcd..89e714c 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3296,3 +4134,1361 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4153,1361 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 6c2d5c9..20d2ada 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -908,7 +908,7 @@ index c0f858d..4a3dab6 100644
+ allow $1 accountsd_unit_file_t:service all_service_perms;
')
diff --git a/accountsd.te b/accountsd.te
-index 1632f10..5fe3889 100644
+index 1632f10..074ebc9 100644
--- a/accountsd.te
+++ b/accountsd.te
@@ -1,5 +1,9 @@
@@ -921,7 +921,7 @@ index 1632f10..5fe3889 100644
########################################
#
# Declarations
-@@ -7,37 +11,46 @@ policy_module(accountsd, 1.0.0)
+@@ -7,37 +11,48 @@ policy_module(accountsd, 1.0.0)
type accountsd_t;
type accountsd_exec_t;
@@ -966,13 +966,14 @@ index 1632f10..5fe3889 100644
auth_use_nsswitch(accountsd_t)
auth_read_shadow(accountsd_t)
--
--miscfiles_read_localization(accountsd_t)
+auth_read_login_records(accountsd_t)
+-miscfiles_read_localization(accountsd_t)
++init_dbus_chat(accountsd_t)
+
logging_send_syslog_msg(accountsd_t)
logging_set_loginuid(accountsd_t)
-@@ -50,8 +63,20 @@ usermanage_domtrans_passwd(accountsd_t)
+@@ -50,8 +65,20 @@ usermanage_domtrans_passwd(accountsd_t)
optional_policy(`
consolekit_read_log(accountsd_t)
@@ -3102,7 +3103,7 @@ index 6480167..f319eaf 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 0833afb..ba4ab9e 100644
+index 0833afb..2032414 100644
--- a/apache.te
+++ b/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
@@ -3453,7 +3454,15 @@ index 0833afb..ba4ab9e 100644
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -336,8 +514,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -305,6 +483,7 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
+ files_lock_filetrans(httpd_t, httpd_lock_t, file)
+
+ allow httpd_t httpd_log_t:dir setattr;
++create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+@@ -336,8 +515,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -3465,7 +3474,7 @@ index 0833afb..ba4ab9e 100644
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -346,8 +526,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -346,8 +527,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -3476,7 +3485,7 @@ index 0833afb..ba4ab9e 100644
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -362,8 +543,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -362,8 +544,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -3487,7 +3496,7 @@ index 0833afb..ba4ab9e 100644
corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_generic_if(httpd_t)
corenet_udp_sendrecv_generic_if(httpd_t)
-@@ -372,11 +554,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -372,11 +555,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -3508,7 +3517,7 @@ index 0833afb..ba4ab9e 100644
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -385,9 +575,14 @@ dev_rw_crypto(httpd_t)
+@@ -385,9 +576,14 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -3523,7 +3532,7 @@ index 0833afb..ba4ab9e 100644
# execute perl
corecmd_exec_bin(httpd_t)
corecmd_exec_shell(httpd_t)
-@@ -396,61 +591,112 @@ domain_use_interactive_fds(httpd_t)
+@@ -396,61 +592,112 @@ domain_use_interactive_fds(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
@@ -3644,7 +3653,7 @@ index 0833afb..ba4ab9e 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -461,27 +707,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -461,27 +708,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -3708,7 +3717,7 @@ index 0833afb..ba4ab9e 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -491,7 +771,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -491,7 +772,22 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -3731,7 +3740,7 @@ index 0833afb..ba4ab9e 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -511,9 +806,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -511,9 +807,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -3752,7 +3761,7 @@ index 0833afb..ba4ab9e 100644
')
optional_policy(`
-@@ -525,6 +830,9 @@ optional_policy(`
+@@ -525,6 +831,9 @@ optional_policy(`
')
optional_policy(`
@@ -3762,7 +3771,7 @@ index 0833afb..ba4ab9e 100644
cobbler_search_lib(httpd_t)
')
-@@ -540,6 +848,24 @@ optional_policy(`
+@@ -540,6 +849,24 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -3787,7 +3796,7 @@ index 0833afb..ba4ab9e 100644
optional_policy(`
dbus_system_bus_client(httpd_t)
-@@ -549,13 +875,24 @@ optional_policy(`
+@@ -549,13 +876,24 @@ optional_policy(`
')
optional_policy(`
@@ -3813,7 +3822,7 @@ index 0833afb..ba4ab9e 100644
')
optional_policy(`
-@@ -573,7 +910,21 @@ optional_policy(`
+@@ -573,7 +911,21 @@ optional_policy(`
')
optional_policy(`
@@ -3835,7 +3844,7 @@ index 0833afb..ba4ab9e 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -584,6 +935,7 @@ optional_policy(`
+@@ -584,6 +936,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -3843,12 +3852,13 @@ index 0833afb..ba4ab9e 100644
')
optional_policy(`
-@@ -594,6 +946,41 @@ optional_policy(`
+@@ -594,6 +947,42 @@ optional_policy(`
')
optional_policy(`
+ openshift_search_lib(httpd_t)
+ openshift_initrc_signull(httpd_t)
++ openshift_initrc_signal(httpd_t)
+')
+
+optional_policy(`
@@ -3885,7 +3895,7 @@ index 0833afb..ba4ab9e 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -608,6 +995,11 @@ optional_policy(`
+@@ -608,6 +997,11 @@ optional_policy(`
')
optional_policy(`
@@ -3897,7 +3907,7 @@ index 0833afb..ba4ab9e 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -620,6 +1012,12 @@ optional_policy(`
+@@ -620,6 +1014,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -3910,7 +3920,7 @@ index 0833afb..ba4ab9e 100644
########################################
#
# Apache helper local policy
-@@ -633,7 +1031,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -633,7 +1033,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -3954,7 +3964,7 @@ index 0833afb..ba4ab9e 100644
########################################
#
-@@ -671,28 +1104,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -671,28 +1106,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -3998,7 +4008,7 @@ index 0833afb..ba4ab9e 100644
')
########################################
-@@ -702,6 +1137,7 @@ optional_policy(`
+@@ -702,6 +1139,7 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -4006,7 +4016,7 @@ index 0833afb..ba4ab9e 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -716,19 +1152,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -716,19 +1154,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -4035,7 +4045,7 @@ index 0833afb..ba4ab9e 100644
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -738,15 +1182,14 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -738,15 +1184,14 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -4053,7 +4063,7 @@ index 0833afb..ba4ab9e 100644
corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
corenet_udp_sendrecv_generic_if(httpd_suexec_t)
corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-@@ -757,13 +1200,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -757,13 +1202,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -4086,7 +4096,7 @@ index 0833afb..ba4ab9e 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -786,6 +1247,25 @@ optional_policy(`
+@@ -786,6 +1249,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -4112,7 +4122,7 @@ index 0833afb..ba4ab9e 100644
########################################
#
# Apache system script local policy
-@@ -806,12 +1286,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -806,12 +1288,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -4130,7 +4140,7 @@ index 0833afb..ba4ab9e 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -820,18 +1305,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -820,18 +1307,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -4189,7 +4199,7 @@ index 0833afb..ba4ab9e 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -839,14 +1356,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -839,14 +1358,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -4230,7 +4240,7 @@ index 0833afb..ba4ab9e 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -859,10 +1401,20 @@ optional_policy(`
+@@ -859,10 +1403,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -4251,7 +4261,7 @@ index 0833afb..ba4ab9e 100644
')
########################################
-@@ -878,11 +1430,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -878,11 +1432,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
@@ -4263,7 +4273,7 @@ index 0833afb..ba4ab9e 100644
########################################
#
-@@ -908,11 +1458,138 @@ optional_policy(`
+@@ -908,11 +1460,138 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -11588,10 +11598,10 @@ index 0000000..8424fdb
+')
diff --git a/condor.te b/condor.te
new file mode 100644
-index 0000000..328eafe
+index 0000000..c2bc300
--- /dev/null
+++ b/condor.te
-@@ -0,0 +1,225 @@
+@@ -0,0 +1,240 @@
+policy_module(condor, 1.0.0)
+
+########################################
@@ -11618,6 +11628,9 @@ index 0000000..328eafe
+condor_domain_template(startd)
+condor_domain_template(procd)
+
++type condor_master_tmp_t;
++files_tmp_file(condor_master_tmp_t)
++
+type condor_schedd_tmp_t;
+files_tmp_file(condor_schedd_tmp_t)
+
@@ -11710,7 +11723,11 @@ index 0000000..328eafe
+
+allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
+
-+allow condor_master_t condor_domain:process signal;
++allow condor_master_t condor_domain:process { sigkill signal };
++
++manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
++manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
++files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
+
+corenet_tcp_bind_condor_port(condor_master_t)
+corenet_udp_bind_condor_port(condor_master_t)
@@ -11718,6 +11735,11 @@ index 0000000..328eafe
+
+domain_read_all_domains_state(condor_master_t)
+
++optional_policy(`
++ mta_send_mail(condor_master_t)
++ mta_read_config(condor_master_t)
++')
++
+######################################
+#
+# condor collector local policy
@@ -11747,6 +11769,9 @@ index 0000000..328eafe
+
+allow condor_procd_t self:capability { fowner chown dac_override sys_ptrace };
+
++allow condor_procd_t self:capability kill;
++allow condor_procd_t condor_startd_t:process sigkill;
++
+domain_read_all_domains_state(condor_procd_t)
+
+#######################################
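Review bot: `allow condor_procd_t self:capability kill;` is added on its own line directly after the existing `allow condor_procd_t self:capability { fowner chown dac_override sys_ptrace };`; folding it into that set, `allow condor_procd_t self:capability { fowner chown dac_override kill sys_ptrace };`, avoids two rules for the same class on the same subject. The `condor_startd_t:process sigkill` rule next to it is narrower than the master's new `condor_domain:process { sigkill signal }` at the earlier condor hunk, which is good for least privilege; a short comment recording why procd only needs to kill startd would help the next reader.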
@@ -19992,10 +20017,10 @@ index 0000000..a446210
+')
diff --git a/dspam.te b/dspam.te
new file mode 100644
-index 0000000..be45ad6
+index 0000000..2b91a78
--- /dev/null
+++ b/dspam.te
-@@ -0,0 +1,90 @@
+@@ -0,0 +1,92 @@
+
+policy_module(dspam, 1.0.0)
+
@@ -20050,11 +20075,13 @@ index 0000000..be45ad6
+manage_sock_files_pattern(dspam_t, dspam_tmp_t, dspam_tmp_t)
+files_tmp_filetrans(dspam_t, dspam_tmp_t, { sock_file })
+
-+# need to add the port tcp/10026 to corenetwork.te.in
-+#allow dspam_t port_t:tcp_socket name_connect;
++corenet_tcp_connect_spamd_port(dspam_t)
++corenet_tcp_bind_spamd_port(dspam_t)
+
+auth_use_nsswitch(dspam_t)
+
++files_search_spool(dspam_t)
++
+# for RHEL5
+libs_use_ld_so(dspam_t)
+libs_use_shared_libs(dspam_t)
@@ -22208,7 +22235,7 @@ index 13e72a7..a4dc0b9 100644
/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/git.if b/git.if
-index b0242d9..a9e6842 100644
+index b0242d9..407e79d 100644
--- a/git.if
+++ b/git.if
@@ -15,9 +15,9 @@
@@ -22223,7 +22250,7 @@ index b0242d9..a9e6842 100644
')
########################################
-@@ -32,19 +32,494 @@ template(`git_role',`
+@@ -32,19 +32,495 @@ template(`git_role',`
# Policy
#
@@ -22610,6 +22637,7 @@ index b0242d9..a9e6842 100644
+
+ list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
+ read_files_pattern($1, git_sys_content_t, git_sys_content_t)
++ read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
@@ -29244,7 +29272,7 @@ index 604f67b..138e1e2 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
+')
diff --git a/kerberos.te b/kerberos.te
-index 6a95faf..69502c9 100644
+index 6a95faf..6127834 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -10,7 +10,7 @@ policy_module(kerberos, 1.11.0)
@@ -29354,7 +29382,7 @@ index 6a95faf..69502c9 100644
seutil_read_file_contexts(kadmind_t)
sysnet_read_config(kadmind_t)
-@@ -164,6 +173,10 @@ optional_policy(`
+@@ -164,10 +173,18 @@ optional_policy(`
')
optional_policy(`
@@ -29365,7 +29393,15 @@ index 6a95faf..69502c9 100644
nis_use_ypbind(kadmind_t)
')
-@@ -182,6 +195,7 @@ optional_policy(`
+ optional_policy(`
++ sssd_read_public_files(kadmind_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(kadmind_t)
+ ')
+
+@@ -182,6 +199,7 @@ optional_policy(`
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
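Review bot: The new optional_policy block with `sssd_read_public_files(kadmind_t)` is inserted before the `seutil_sigchld_newrole(kadmind_t)` block, whereas the neighbouring blocks (nis, seutil) appear to be kept in alphabetical module order as refpolicy style expects. Moving the sssd block after the seutil one keeps the file consistent; the matching insertion for krb5kdc_t at the later kerberos hunk, placed before udev, is already in order.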
@@ -29373,7 +29409,7 @@ index 6a95faf..69502c9 100644
dontaudit krb5kdc_t self:capability sys_tty_config;
allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -197,13 +211,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
+@@ -197,13 +215,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
@@ -29389,7 +29425,7 @@ index 6a95faf..69502c9 100644
manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
-@@ -221,7 +234,6 @@ kernel_search_network_sysctl(krb5kdc_t)
+@@ -221,7 +238,6 @@ kernel_search_network_sysctl(krb5kdc_t)
corecmd_exec_bin(krb5kdc_t)
@@ -29397,7 +29433,7 @@ index 6a95faf..69502c9 100644
corenet_all_recvfrom_netlabel(krb5kdc_t)
corenet_tcp_sendrecv_generic_if(krb5kdc_t)
corenet_udp_sendrecv_generic_if(krb5kdc_t)
-@@ -242,6 +254,7 @@ dev_read_urand(krb5kdc_t)
+@@ -242,6 +258,7 @@ dev_read_urand(krb5kdc_t)
fs_getattr_all_fs(krb5kdc_t)
fs_search_auto_mountpoints(krb5kdc_t)
@@ -29405,7 +29441,7 @@ index 6a95faf..69502c9 100644
domain_use_interactive_fds(krb5kdc_t)
-@@ -253,7 +266,7 @@ selinux_validate_context(krb5kdc_t)
+@@ -253,7 +270,7 @@ selinux_validate_context(krb5kdc_t)
logging_send_syslog_msg(krb5kdc_t)
@@ -29414,7 +29450,7 @@ index 6a95faf..69502c9 100644
seutil_read_file_contexts(krb5kdc_t)
-@@ -268,6 +281,10 @@ optional_policy(`
+@@ -268,6 +285,10 @@ optional_policy(`
')
optional_policy(`
@@ -29425,7 +29461,18 @@ index 6a95faf..69502c9 100644
nis_use_ypbind(krb5kdc_t)
')
-@@ -308,7 +325,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -276,6 +297,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ sssd_read_public_files(krb5kdc_t)
++')
++
++optional_policy(`
+ udev_read_db(krb5kdc_t)
+ ')
+
+@@ -308,7 +333,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
corecmd_exec_bin(kpropd_t)
@@ -29433,7 +29480,7 @@ index 6a95faf..69502c9 100644
corenet_tcp_sendrecv_generic_if(kpropd_t)
corenet_tcp_sendrecv_generic_node(kpropd_t)
corenet_tcp_sendrecv_all_ports(kpropd_t)
-@@ -324,8 +340,6 @@ selinux_validate_context(kpropd_t)
+@@ -324,8 +348,6 @@ selinux_validate_context(kpropd_t)
logging_send_syslog_msg(kpropd_t)
@@ -33201,7 +33248,7 @@ index ee72cbe..bdf319a 100644
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/milter.te b/milter.te
-index 26101cb..efd51a0 100644
+index 26101cb..64c2969 100644
--- a/milter.te
+++ b/milter.te
@@ -9,6 +9,13 @@ policy_module(milter, 1.4.0)
@@ -33218,7 +33265,7 @@ index 26101cb..efd51a0 100644
# currently-supported milters are milter-greylist, milter-regex and spamass-milter
milter_template(greylist)
milter_template(regex)
-@@ -20,6 +27,24 @@ milter_template(spamass)
+@@ -20,6 +27,26 @@ milter_template(spamass)
type spamass_milter_state_t;
files_type(spamass_milter_state_t)
@@ -33234,6 +33281,8 @@ index 26101cb..efd51a0 100644
+
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+
++kernel_read_kernel_sysctls(dkim_milter_t)
++
+auth_use_nsswitch(dkim_milter_t)
+
+sysnet_dns_name_resolve(dkim_milter_t)
@@ -33243,7 +33292,7 @@ index 26101cb..efd51a0 100644
########################################
#
# milter-greylist local policy
-@@ -33,11 +58,25 @@ files_type(spamass_milter_state_t)
+@@ -33,11 +60,25 @@ files_type(spamass_milter_state_t)
allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
allow greylist_milter_t self:process { setsched getsched };
@@ -33269,7 +33318,7 @@ index 26101cb..efd51a0 100644
# Allow the milter to read a GeoIP database in /usr/share
files_read_usr_files(greylist_milter_t)
# The milter runs from /var/lib/milter-greylist and maintains files there
-@@ -49,6 +88,14 @@ auth_use_nsswitch(greylist_milter_t)
+@@ -49,6 +90,14 @@ auth_use_nsswitch(greylist_milter_t)
# Config is in /etc/mail/greylist.conf
mta_read_config(greylist_milter_t)
@@ -33284,7 +33333,7 @@ index 26101cb..efd51a0 100644
########################################
#
# milter-regex local policy
-@@ -88,6 +135,8 @@ corecmd_exec_shell(spamass_milter_t)
+@@ -88,6 +137,8 @@ corecmd_exec_shell(spamass_milter_t)
corecmd_read_bin_symlinks(spamass_milter_t)
corecmd_search_bin(spamass_milter_t)
@@ -34406,7 +34455,7 @@ index b397fde..c7c031d 100644
+')
+
diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..0efc1df 100644
+index d4fcb75..bb729e7 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -34763,7 +34812,7 @@ index d4fcb75..0efc1df 100644
- fs_manage_cifs_files(mozilla_plugin_t)
- fs_manage_cifs_symlinks(mozilla_plugin_t)
+tunable_policy(`mozilla_plugin_can_network_connect',`
-+ corenet_tcp_connect_unreserved_ports(mozilla_plugin_t)
++ corenet_tcp_connect_all_ports(mozilla_plugin_t)
')
optional_policy(`
@@ -36564,10 +36613,21 @@ index 84a7d66..c58f1e7 100644
+ clamav_stream_connect(mta_user_agent)
+')
diff --git a/munin.fc b/munin.fc
-index fd71d69..5987e1c 100644
+index fd71d69..5b771ef 100644
--- a/munin.fc
+++ b/munin.fc
-@@ -41,6 +41,9 @@
+@@ -4,7 +4,9 @@
+ /usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+ /usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+ /usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+-/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
++
++# label all plugins as unconfined_munin_plugin_exec_t
++/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0)
+
+ # disk plugins
+ /usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+@@ -41,6 +43,9 @@
/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
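Review bot: The new catch-all `/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0)` makes every plugin not matched by a more specific entry run unconfined, including any plugin a third-party package installs later; the replaced default was the confined `munin_exec_t`. That widening is deliberate per the changelog, but the comment should say so for the next maintainer, e.g. `# fallback: plugins without a dedicated entry below run unconfined; add an entry there to confine a new plugin`. Whether the dedicated entries take precedence over this pattern depends on file_contexts specificity ordering, which is worth confirming with matchpathcon on a covered plugin path.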
@@ -36577,7 +36637,7 @@ index fd71d69..5987e1c 100644
# system plugins
/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-@@ -51,6 +54,7 @@
+@@ -51,6 +56,7 @@
/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
@@ -36585,7 +36645,7 @@ index fd71d69..5987e1c 100644
/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-@@ -58,11 +62,13 @@
+@@ -58,11 +64,13 @@
/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
@@ -42063,10 +42123,10 @@ index 0000000..c9a5f74
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
diff --git a/openshift.if b/openshift.if
new file mode 100644
-index 0000000..bf37353
+index 0000000..6e20e72
--- /dev/null
+++ b/openshift.if
-@@ -0,0 +1,608 @@
+@@ -0,0 +1,644 @@
+
+## <summary> policy for openshift </summary>
+
@@ -42107,6 +42167,42 @@ index 0000000..bf37353
+ allow $1 openshift_initrc_t:process signull;
+')
+
++#######################################
++## <summary>
++## Send a signal to openshift init scripts.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_initrc_signal',`
++ gen_require(`
++ type openshift_initrc_t;
++ ')
++
++ allow $1 openshift_initrc_t:process signal;
++')
++
++########################################
++## <summary>
++## Send a signal to openshift init scripts.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_initrc_signl',`
++ gen_require(`
++ type openshift_initrc_t;
++ ')
++
++ allow $1 openshift_initrc_t:process signal;
++')
++
+########################################
+## <summary>
+## Search openshift cache directories.
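Review bot: The second added interface, `openshift_initrc_signl`, duplicates `openshift_initrc_signal` with a misspelled name, an identical summary and an identical body, so the `.if` now exports two interfaces that grant the same `openshift_initrc_t:process signal`. apache.te in this commit calls only the correctly spelled one, so unless another caller already depends on the misspelling the second interface block should be dropped. If it is kept for compatibility, its summary should say so, e.g. `## Deprecated misspelling of openshift_initrc_signal(); kept for compatibility.`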
@@ -43969,10 +44065,10 @@ index b246bdd..3cbcc49 100644
sysnet_dns_name_resolve(pads_t)
diff --git a/passenger.fc b/passenger.fc
-index 545518d..16638ac 100644
+index 545518d..677ac68 100644
--- a/passenger.fc
+++ b/passenger.fc
-@@ -1,7 +1,7 @@
+@@ -1,11 +1,10 @@
-/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
@@ -43984,6 +44080,11 @@ index 545518d..16638ac 100644
/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
+-/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0)
+-/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0)
++/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0)
+
+ /var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --git a/passenger.if b/passenger.if
index f68b573..8fb9cd3 100644
--- a/passenger.if
@@ -48196,7 +48297,7 @@ index 46bee12..8ef270f 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/postfix.te b/postfix.te
-index a1e0f60..22a3efd 100644
+index a1e0f60..85b12af 100644
--- a/postfix.te
+++ b/postfix.te
@@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0)
@@ -48204,9 +48305,9 @@ index a1e0f60..22a3efd 100644
#
+## <desc>
-+## <p>
-+## Allow postfix_local domain full write access to mail_spool directories
-+## </p>
++## <p>
++## Allow postfix_local domain full write access to mail_spool directories
++## </p>
+## </desc>
+gen_tunable(postfix_local_write_mail_spool, true)
+
@@ -48357,6 +48458,15 @@ index a1e0f60..22a3efd 100644
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
+@@ -195,7 +216,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+-# for postalias
++# for postalias
+ mailman_manage_data_files(postfix_master_t)
+ ')
+
@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
@@ -48621,7 +48731,7 @@ index a1e0f60..22a3efd 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +648,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +648,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -48629,15 +48739,16 @@ index a1e0f60..22a3efd 100644
+
+# for spampd
+corenet_tcp_connect_spamd_port(postfix_master_t)
++corenet_tcp_bind_spamd_port(postfix_master_t)
+
files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
-@@ -565,6 +660,14 @@ optional_policy(`
+@@ -565,6 +661,14 @@ optional_policy(`
')
optional_policy(`
-+ dovecot_stream_connect(postfix_smtp_t)
++ dovecot_stream_connect(postfix_smtp_t)
+')
+
+optional_policy(`
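Review bot: `corenet_tcp_bind_spamd_port(postfix_master_t)` is added inside the postfix_smtp_t rules (it follows `allow postfix_smtp_t postfix_spool_t:file rw_file_perms;`) and is unconditional, so every Postfix master may bind the spamd port even when no DSPAM re-injection listener is configured. Moving the line next to the other postfix_master_t rules with the changelog's reason spelled out, `# listen for re-injected mail from DSPAM (presumably tcp/10026) when enabled in master.cf`, keeps it discoverable, and gating the bind behind a tunable would keep the common case least-privilege. The enclosing section continues outside the hunk.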
@@ -48648,7 +48759,7 @@ index a1e0f60..22a3efd 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -581,17 +684,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +685,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
# for prng_exch
@@ -48675,7 +48786,7 @@ index a1e0f60..22a3efd 100644
')
optional_policy(`
-@@ -599,6 +710,11 @@ optional_policy(`
+@@ -599,6 +711,11 @@ optional_policy(`
')
optional_policy(`
@@ -48687,7 +48798,7 @@ index a1e0f60..22a3efd 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +727,6 @@ optional_policy(`
+@@ -611,7 +728,6 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -48695,7 +48806,7 @@ index a1e0f60..22a3efd 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -622,7 +737,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
+@@ -622,7 +738,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
corecmd_exec_shell(postfix_virtual_t)
corecmd_exec_bin(postfix_virtual_t)
@@ -48703,7 +48814,7 @@ index a1e0f60..22a3efd 100644
files_read_usr_files(postfix_virtual_t)
mta_read_aliases(postfix_virtual_t)
-@@ -630,3 +744,76 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +745,76 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -49095,7 +49206,7 @@ index de4bdb7..a4cad0b 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index bcbf9ac..c4607d4 100644
+index bcbf9ac..5a550bb 100644
--- a/ppp.te
+++ b/ppp.te
@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
@@ -49141,7 +49252,7 @@ index bcbf9ac..c4607d4 100644
#
-allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
-+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override };
++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
dontaudit pppd_t self:capability sys_tty_config;
-allow pppd_t self:process { getsched signal };
+allow pppd_t self:process { getsched setsched signal };
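Review bot: The `allow pppd_t self:capability` line now carries `sys_nice` and the process line gains `setsched`, but the policy itself records no reason; only the changelog notes that pppd started via nmcli hits `sched_setscheduler`. Add a comment above the rule, e.g. `# sys_nice + setsched: pppd calls sched_setscheduler() when started by nmcli`, so the grant stays tied to a known trigger and can be revisited if that trigger disappears. Since the observed need is on pppd's own process, the comment should say so, because `sys_nice` as a capability is broader than the self:process permission next to it. The pppd_t local policy block starts outside the hunk.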
@@ -61642,7 +61753,7 @@ index bcdd16c..039b0c8 100644
files_list_var_lib($1)
admin_pattern($1, setroubleshoot_var_lib_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 086cd5f..3ec58d6 100644
+index 086cd5f..08ef0c7 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -61767,13 +61878,15 @@ index 086cd5f..3ec58d6 100644
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
-@@ -151,10 +176,14 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+@@ -150,11 +175,16 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+
corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
-
++corecmd_getattr_all_executables(setroubleshoot_fixit_t)
++
+dev_read_sysfs(setroubleshoot_fixit_t)
+dev_read_urand(setroubleshoot_fixit_t)
-+
+
seutil_domtrans_setfiles(setroubleshoot_fixit_t)
+seutil_domtrans_setsebool(setroubleshoot_fixit_t)
+seutil_read_module_store(setroubleshoot_fixit_t)
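Review bot: `corecmd_getattr_all_executables(setroubleshoot_fixit_t)` is a wide grant added with no comment saying which fixit action needs to stat arbitrary executables. Put a note above it, e.g. `# getattr on all executables: needed when a fixit plugin inspects the binary named in an AVC (TODO confirm against the denial that prompted this)`, so the scope remains tied to a documented need rather than accumulating silently. The surrounding setroubleshoot_fixit_t rules continue past both ends of this hunk.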
@@ -61783,7 +61896,7 @@ index 086cd5f..3ec58d6 100644
files_list_tmp(setroubleshoot_fixit_t)
auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -162,7 +191,16 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -162,7 +192,16 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t)
@@ -68163,7 +68276,7 @@ index 54b8605..a04f013 100644
admin_pattern($1, tuned_var_run_t)
')
diff --git a/tuned.te b/tuned.te
-index db9d2a5..8843888 100644
+index db9d2a5..6c25856 100644
--- a/tuned.te
+++ b/tuned.te
@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -68179,7 +68292,7 @@ index db9d2a5..8843888 100644
type tuned_log_t;
logging_log_file(tuned_log_t)
-@@ -22,42 +28,73 @@ files_pid_file(tuned_var_run_t)
+@@ -22,43 +28,80 @@ files_pid_file(tuned_var_run_t)
#
# tuned local policy
#
@@ -68191,8 +68304,10 @@ index db9d2a5..8843888 100644
+allow tuned_t self:udp_socket create_socket_perms;
+
+read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
++exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
+
+manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
++files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
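Review bot: The new `exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)` lets tuned_t run profile scripts, while `manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)` two lines below lets it write in the same directories only files of type tuned_rw_etc_t, so what tuned can execute and what tuned can write are kept as distinct types; that separation is the security property of this change and it is nowhere stated. Add a comment above the exec rule, e.g. `# profile scripts are tuned_etc_t (exec, no write); tuned writes only tuned_rw_etc_t — keep these types separate`, so a later rule adding exec on tuned_rw_etc_t or write on tuned_etc_t is recognised as letting the daemon run what it writes. The added `files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")` is consistent with this, since the file tuned creates lands in the writable, non-executable type. The tuned local policy block starts outside the hunk.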
@@ -68232,10 +68347,10 @@ index db9d2a5..8843888 100644
-logging_send_syslog_msg(tuned_t)
+fs_getattr_all_fs(tuned_t)
++
++auth_use_nsswitch(tuned_t)
-miscfiles_read_localization(tuned_t)
-+auth_use_nsswitch(tuned_t)
-+
+logging_send_syslog_msg(tuned_t)
userdom_dontaudit_search_user_home_dirs(tuned_t)
@@ -68261,6 +68376,11 @@ index db9d2a5..8843888 100644
# to allow network interface tuning
optional_policy(`
sysnet_domtrans_ifconfig(tuned_t)
+ ')
++
++optional_policy(`
++ unconfined_dbus_send(tuned_t)
++')
diff --git a/tvtime.te b/tvtime.te
index 531b1f1..7455f78 100644
--- a/tvtime.te
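Review bot: The new `unconfined_dbus_send(tuned_t)` optional_policy block has no comment; the changelog attributes it to tuned-adm needing to talk to the tuned daemon, which from tuned_t's side means sending D-Bus messages back to an unconfined peer. Record that next to the call, e.g. `# tuned-adm runs unconfined and talks to tuned over D-Bus; allow replies back to it`, so the reason for the send permission is visible in the policy rather than only in the changelog. The other optional_policy block in this hunk (the `sysnet_domtrans_ifconfig` one) begins outside the hunk.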
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3dcfb3c..09d7359 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 59%{?dist}
+Release: 60%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,35 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Dec 5 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-60
+- Add openshift_initrc_signal() interface
+- Fix typos
+- dspam port is treat as spamd_port_t
+- Allow setroubleshoot to getattr on all executables
+- Allow tuned to execute profiles scripts in /etc/tuned
+- Allow apache to create directories to store its log files
+- Allow all directories/files in /var/log starting with passenger to be labeled passenger_log_t
+- Looks like apache is sending sinal to openshift_initrc_t now,needs back port to RHEL6
+- Allow Postfix to be configured to listen on TCP port 10026 for email from DSPAM
+- Add filename transition for /etc/tuned/active_profile
+- Allow condor_master to send mails
+- Allow condor_master to read submit.cf
+- Allow condor_master to create /tmp files/dirs
+- Allow condor_mater to send sigkill to other condor domains
+- Allow condor_procd sigkill capability
+- tuned-adm wants to talk with tuned daemon
+- Allow kadmind and krb5kdc to also list sssd_public_t
+- Allow accountsd to dbus chat with init
+- Fix git_read_generic_system_content_files() interface
+- pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler"
+- Fix mozilla_plugin_can_network_connect to allow to connect to all ports
+- Label all munin plugins which are not covered by munin plugins policy as unconfined_munin_plugin_exec_t
+- dspam wants to search /var/spool for opendkim data
+- Revert "Add support for tcp/10026 port as dspam_port_t"
+- Turning on labeled networking requires additional access for netlabel_peer_t; these allow rules need to be back ported to RHEL6
+- Allow all application domains to use fifo_files passed in from userdomains, also allow them to write to tmp_files inherited from userdomain
+- Allow systemd_tmpfiles_t to setattr on mandb_cache_t
+
* Sat Dec 1 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-59
- consolekit.pp was not removed from the postinstall script