[selinux-policy/f16] * Mon Feb 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-77 - Dontaudit sandbox to shudown unconf
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Feb 27 12:58:33 UTC 2012
commit 3b8b0330dbec32dc0bda958ee12b8e4730a9cf55
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Feb 27 13:58:20 2012 +0100
* Mon Feb 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-77
- Dontaudit sandbox to shudown unconfined_execmem stream
- Allow smtpd_t to manage spool files/directories and symbolic links
- Allow ksysguardproces to send system log msgs
- Allow automount to execute consoletype
- Allow boinc setpgid and signull
- Add mysqld_home_t for ~/.my.cnf
- Add unit file support to mysqld
- rhev-agent package was rename to ovirt-guest-agent
- move postfix_domtrans_user_mail_handler() to mta.if
- Fix virt_search_images() interface
- Fix iscsi policy
- Add booleans to allow rsync to share nfs and cifs file sytems
- Add file name transition for locale.conf.new
- Allow boinc projects to gconf config files
- Allow xen to search virt images directories
policy-F16.patch | 454 +++++++++++++++++++++++++++++++++-----------------
selinux-policy.spec | 19 ++-
2 files changed, 317 insertions(+), 156 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 3c6e4aa..2b27688 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -4932,10 +4932,10 @@ index 0000000..a03aec4
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..9a914b6
+index 0000000..689a667
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,187 @@
+@@ -0,0 +1,188 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -5034,6 +5034,7 @@ index 0000000..9a914b6
+optional_policy(`
+ execmem_exec(chrome_sandbox_t)
+ execmem_execmod(chrome_sandbox_t)
++ unconfined_dontaudit_execmem_stream_shutdown(chrome_sandbox_t)
+')
+
+optional_policy(`
@@ -7092,7 +7093,7 @@ index f5afe78..eeeebbb 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
+')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..c365443 100644
+index 2505654..489ea21 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -5,12 +5,29 @@ policy_module(gnome, 2.1.0)
@@ -7170,7 +7171,7 @@ index 2505654..c365443 100644
##############################
#
# Local Policy
-@@ -75,3 +113,168 @@ optional_policy(`
+@@ -75,3 +113,170 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -7247,6 +7248,8 @@ index 2505654..c365443 100644
+
+fs_getattr_xattr_fs(gnomesystemmm_t)
+
++logging_send_syslog_msg(gnomesystemmm_t)
++
+miscfiles_read_localization(gnomesystemmm_t)
+
+userdom_read_all_users_state(gnomesystemmm_t)
@@ -16474,7 +16477,7 @@ index 6a1e4d1..3ded83e 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..cee9fe0 100644
+index fae1ab1..4796e9b 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -16570,7 +16573,7 @@ index fae1ab1..cee9fe0 100644
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -158,5 +198,216 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +198,220 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -16632,6 +16635,10 @@ index fae1ab1..cee9fe0 100644
+')
+
+optional_policy(`
++ mysqld_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ networkmanager_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -21932,7 +21939,7 @@ index 2be17d2..e47e0f0 100644
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..b4bff66 100644
+index e14b961..1058bf4 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,52 @@ ifndef(`enable_mls',`
@@ -22118,17 +22125,19 @@ index e14b961..b4bff66 100644
')
optional_policy(`
-@@ -225,25 +285,47 @@ optional_policy(`
- ')
+@@ -222,6 +282,11 @@ optional_policy(`
optional_policy(`
-+ ncftool_run(sysadm_t, sysadm_r)
+ mysql_stream_connect(sysadm_t)
++ mysqld_filetrans_named_content(sysadm_t)
+')
+
+optional_policy(`
- netutils_run(sysadm_t, sysadm_r)
- netutils_run_ping(sysadm_t, sysadm_r)
- netutils_run_traceroute(sysadm_t, sysadm_r)
++ ncftool_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -231,19 +296,37 @@ optional_policy(`
')
optional_policy(`
@@ -22166,7 +22175,7 @@ index e14b961..b4bff66 100644
portage_run(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
')
-@@ -253,31 +335,32 @@ optional_policy(`
+@@ -253,31 +336,32 @@ optional_policy(`
')
optional_policy(`
@@ -22206,7 +22215,7 @@ index e14b961..b4bff66 100644
')
optional_policy(`
-@@ -302,12 +385,18 @@ optional_policy(`
+@@ -302,12 +386,18 @@ optional_policy(`
')
optional_policy(`
@@ -22226,7 +22235,7 @@ index e14b961..b4bff66 100644
')
optional_policy(`
-@@ -332,7 +421,10 @@ optional_policy(`
+@@ -332,7 +422,10 @@ optional_policy(`
')
optional_policy(`
@@ -22238,7 +22247,7 @@ index e14b961..b4bff66 100644
')
optional_policy(`
-@@ -343,19 +435,15 @@ optional_policy(`
+@@ -343,19 +436,15 @@ optional_policy(`
')
optional_policy(`
@@ -22260,7 +22269,7 @@ index e14b961..b4bff66 100644
')
optional_policy(`
-@@ -367,45 +455,45 @@ optional_policy(`
+@@ -367,45 +456,45 @@ optional_policy(`
')
optional_policy(`
@@ -22317,7 +22326,7 @@ index e14b961..b4bff66 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -418,10 +506,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +507,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -22328,7 +22337,7 @@ index e14b961..b4bff66 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
-@@ -439,6 +523,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +524,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role(sysadm_r, sysadm_t)
@@ -22336,7 +22345,7 @@ index e14b961..b4bff66 100644
')
optional_policy(`
-@@ -446,11 +531,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +532,66 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -22422,10 +22431,10 @@ index 0000000..0e8654b
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
new file mode 100644
-index 0000000..8b2cdf3
+index 0000000..5832252
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,687 @@
+@@ -0,0 +1,705 @@
+## <summary>Unconfiend user role</summary>
+
+########################################
@@ -22682,6 +22691,24 @@ index 0000000..8b2cdf3
+ allow $1 unconfined_execmem_t:process signal;
+')
+
++#######################################
++## <summary>
++## Send a signal to the unconfined execmem domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`unconfined_dontaudit_execmem_stream_shutdown',`
++ gen_require(`
++ type unconfined_execmem_t;
++ ')
++
++ dontaudit $1 unconfined_execmem_t:unix_stream_socket shutdown;
++')
++
+########################################
+## <summary>
+## Send generic signals to the unconfined domain.
@@ -27321,7 +27348,7 @@ index d80a16b..68b85e2 100644
init_labeled_script_domtrans($1, automount_initrc_exec_t)
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
-index 39799db..9390ef1 100644
+index 39799db..68c3900 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -64,6 +64,7 @@ kernel_read_network_state(automount_t)
@@ -27342,10 +27369,14 @@ index 39799db..9390ef1 100644
userdom_dontaudit_use_unpriv_user_fds(automount_t)
userdom_dontaudit_search_user_home_dirs(automount_t)
-@@ -155,6 +153,13 @@ optional_policy(`
+@@ -155,6 +153,17 @@ optional_policy(`
')
optional_policy(`
++ consoletype_exec(automount_t)
++')
++
++optional_policy(`
+ # Run mount in the mount_t domain.
+ mount_domtrans(automount_t)
+ mount_domtrans_showmount(automount_t)
@@ -28092,7 +28123,7 @@ index 0000000..fa9b95a
+')
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644
-index 0000000..8b244be
+index 0000000..41698a6
--- /dev/null
+++ b/policy/modules/services/boinc.te
@@ -0,0 +1,175 @@
@@ -28171,7 +28202,7 @@ index 0000000..8b244be
+#
+
+allow boinc_t self:capability { kill };
-+allow boinc_t self:process { setsched sigkill };
++allow boinc_t self:process { setsched setpgid signull sigkill };
+
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
+allow boinc_t self:tcp_socket create_stream_socket_perms;
@@ -46043,8 +46074,27 @@ index f17583b..171ebec 100644
+fs_getattr_all_fs(munin_plugin_domain)
+
+miscfiles_read_localization(munin_plugin_domain)
+diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
+index cc7192c..eeb72ba 100644
+--- a/policy/modules/services/mysql.fc
++++ b/policy/modules/services/mysql.fc
+@@ -1,6 +1,14 @@
+ # mysql database server
+
+ #
++# /HOME
++#
++HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
++/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
++
++/lib/systemd/system/mysqld\.service -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
++
++#
+ # /etc
+ #
+ /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
-index e9c0982..14af30a 100644
+index e9c0982..ffbf2d0 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
@@ -46145,7 +46195,56 @@ index e9c0982..14af30a 100644
#####################################
## <summary>
## Read MySQL PID files.
-@@ -329,10 +384,9 @@ interface(`mysql_search_pid_files',`
+@@ -313,6 +368,48 @@ interface(`mysql_search_pid_files',`
+
+ ########################################
+ ## <summary>
++## Execute mysqld server in the mysqld domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mysqld_systemctl',`
++ gen_require(`
++ type mysqld_unit_file_t;
++ type mysqld_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 mysqld_unit_file_t:file read_file_perms;
++ allow $1 mysqld_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, mysqld_t)
++')
++
++########################################
++## <summary>
++## Transition to mysqld named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mysqld_filetrans_named_content',`
++ gen_require(`
++ type mysqld_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
++ userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
++')
++
++########################################
++## <summary>
+ ## All of the rules required to administrate an mysql environment
+ ## </summary>
+ ## <param name="domain">
+@@ -329,10 +426,10 @@ interface(`mysql_search_pid_files',`
#
interface(`mysql_admin',`
gen_require(`
@@ -46156,10 +46255,11 @@ index e9c0982..14af30a 100644
+ type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t;
+ type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
+ type mysqld_etc_t;
++ type mysqld_home_t;
')
allow $1 mysqld_t:process { ptrace signal_perms };
-@@ -343,13 +397,19 @@ interface(`mysql_admin',`
+@@ -343,13 +440,25 @@ interface(`mysql_admin',`
role_transition $2 mysqld_initrc_exec_t system_r;
allow $2 system_r;
@@ -46177,10 +46277,16 @@ index e9c0982..14af30a 100644
+ files_list_tmp($1)
admin_pattern($1, mysqld_tmp_t)
+
++ userdom_search_user_home_dirs($1)
++ files_list_root($1)
++ admin_pattern($1, mysqld_home_t)
++
++ mysqld_systemctl($1)
++
+ mysql_stream_connect($1)
')
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..d86e78b 100644
+index 0a0d63c..c51cbf6 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -46196,7 +46302,20 @@ index 0a0d63c..d86e78b 100644
## </desc>
gen_tunable(mysql_connect_any, false)
-@@ -64,11 +64,12 @@ allow mysqld_t self:udp_socket create_socket_perms;
+@@ -29,6 +29,12 @@ files_type(mysqld_db_t)
+ type mysqld_etc_t alias etc_mysqld_t;
+ files_config_file(mysqld_etc_t)
+
++type mysqld_home_t;
++userdom_user_home_content(mysqld_home_t)
++
++type mysqld_unit_file_t;
++systemd_unit_file(mysqld_unit_file_t)
++
+ type mysqld_initrc_exec_t;
+ init_script_file(mysqld_initrc_exec_t)
+
+@@ -64,11 +70,12 @@ allow mysqld_t self:udp_socket create_socket_perms;
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
@@ -46210,7 +46329,7 @@ index 0a0d63c..d86e78b 100644
allow mysqld_t mysqld_etc_t:dir list_dir_perms;
allow mysqld_t mysqld_log_t:file manage_file_perms;
-@@ -78,13 +79,17 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+@@ -78,13 +85,20 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
@@ -46219,6 +46338,9 @@ index 0a0d63c..d86e78b 100644
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
-files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file })
+files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
++
++userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
++read_files_pattern(mysqld_t, mysqld_home_t, mysqld_home_t)
kernel_read_system_state(mysqld_t)
kernel_read_kernel_sysctls(mysqld_t)
@@ -46229,9 +46351,14 @@ index 0a0d63c..d86e78b 100644
corenet_all_recvfrom_unlabeled(mysqld_t)
corenet_all_recvfrom_netlabel(mysqld_t)
corenet_tcp_sendrecv_generic_if(mysqld_t)
-@@ -127,8 +132,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
- userdom_read_user_home_content_files(mysqld_t)
+@@ -122,13 +136,8 @@ miscfiles_read_localization(mysqld_t)
+ sysnet_read_config(mysqld_t)
+
+-userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+-# for /root/.my.cnf - should not be needed:
+-userdom_read_user_home_content_files(mysqld_t)
+-
ifdef(`distro_redhat',`
- # because Fedora has the sock_file in the database directory
- type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
@@ -46239,7 +46366,7 @@ index 0a0d63c..d86e78b 100644
')
tunable_policy(`mysql_connect_any',`
-@@ -155,9 +159,11 @@ optional_policy(`
+@@ -155,9 +164,11 @@ optional_policy(`
allow mysqld_safe_t self:capability { chown dac_override fowner kill };
dontaudit mysqld_safe_t self:capability sys_ptrace;
@@ -46251,7 +46378,7 @@ index 0a0d63c..d86e78b 100644
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
-@@ -170,26 +176,33 @@ kernel_read_system_state(mysqld_safe_t)
+@@ -170,26 +181,33 @@ kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
@@ -51202,7 +51329,7 @@ index 46bee12..76b68b5 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..f639ebb 100644
+index a32c4b3..90db1ee 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -51565,7 +51692,17 @@ index a32c4b3..f639ebb 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -588,10 +672,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -581,17 +665,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+ corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+
+ # for prng_exch
+-allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
++manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
++manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
++manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
+ allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
+
+ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -51582,7 +51719,7 @@ index a32c4b3..f639ebb 100644
')
optional_policy(`
-@@ -599,6 +689,11 @@ optional_policy(`
+@@ -599,6 +691,11 @@ optional_policy(`
')
optional_policy(`
@@ -51594,7 +51731,7 @@ index a32c4b3..f639ebb 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +706,6 @@ optional_policy(`
+@@ -611,7 +708,6 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -51602,7 +51739,7 @@ index a32c4b3..f639ebb 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +724,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +726,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -55284,11 +55421,15 @@ index 93c896a..8c29c39 100644
+')
diff --git a/policy/modules/services/rhev.fc b/policy/modules/services/rhev.fc
new file mode 100644
-index 0000000..9a8524d
+index 0000000..3599f59
--- /dev/null
+++ b/policy/modules/services/rhev.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,9 @@
+/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
++/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
++
++/lib/systemd/system/ovirt-guest-agent\.service -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
++/usr/lib/systemd/system/ovirt-guest-agent\.serviceservice -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
+
+/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
+
@@ -55377,10 +55518,10 @@ index 0000000..bf11e25
+')
diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
new file mode 100644
-index 0000000..5fdaf06
+index 0000000..1986422
--- /dev/null
+++ b/policy/modules/services/rhev.te
-@@ -0,0 +1,108 @@
+@@ -0,0 +1,111 @@
+policy_module(rhev,1.0)
+
+########################################
@@ -55392,6 +55533,9 @@ index 0000000..5fdaf06
+type rhev_agentd_exec_t;
+init_daemon_domain(rhev_agentd_t, rhev_agentd_exec_t)
+
++type rhev_agentd_unit_file_t;
++systemd_unit_file(rhev_agentd_unit_file_t)
++
+type rhev_agentd_var_run_t;
+files_pid_file(rhev_agentd_var_run_t)
+
@@ -77519,7 +77663,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..9e90eb9 100644
+index 4b2878a..050c81a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -78385,7 +78529,7 @@ index 4b2878a..9e90eb9 100644
userdom_change_password_template($1)
-@@ -736,72 +912,76 @@ template(`userdom_login_user_template', `
+@@ -736,72 +912,80 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -78455,20 +78599,24 @@ index 4b2878a..9e90eb9 100644
+ miscfiles_exec_tetex_data($1_usertype)
+
+ seutil_read_config($1_usertype)
-
-- seutil_read_config($1_t)
++
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
+ cups_stream_connect_ptal($1_usertype)
+ ')
+- seutil_read_config($1_t)
++ optional_policy(`
++ kerberos_use($1_usertype)
++ kerberos_filetrans_home_content($1_usertype)
++ ')
+
optional_policy(`
- cups_read_config($1_t)
- cups_stream_connect($1_t)
- cups_stream_connect_ptal($1_t)
-+ kerberos_use($1_usertype)
-+ kerberos_filetrans_home_content($1_usertype)
++ mysqld_filetrans_named_content($1_usertype)
')
optional_policy(`
@@ -78495,7 +78643,7 @@ index 4b2878a..9e90eb9 100644
')
')
-@@ -833,6 +1013,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1017,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -78505,7 +78653,7 @@ index 4b2878a..9e90eb9 100644
##############################
#
# Local policy
-@@ -874,45 +1057,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1061,118 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -78635,7 +78783,7 @@ index 4b2878a..9e90eb9 100644
')
')
-@@ -947,7 +1203,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1207,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -78644,7 +78792,7 @@ index 4b2878a..9e90eb9 100644
userdom_common_user_template($1)
##############################
-@@ -956,12 +1212,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1216,15 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -78662,7 +78810,7 @@ index 4b2878a..9e90eb9 100644
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
-@@ -978,23 +1237,72 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1241,72 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -78713,15 +78861,15 @@ index 4b2878a..9e90eb9 100644
+
+ optional_policy(`
+ gpm_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ execmem_role_template($1, $1_r, $1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t, $1_r)
- netutils_run_traceroute_cond($1_t, $1_r)
++ execmem_role_template($1, $1_r, $1_t)
++ ')
++
++ optional_policy(`
+ java_role_template($1, $1_r, $1_t)
+ ')
+
@@ -78744,7 +78892,7 @@ index 4b2878a..9e90eb9 100644
')
# Run pppd in pppd_t by default for user
-@@ -1003,7 +1311,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1315,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -78755,7 +78903,7 @@ index 4b2878a..9e90eb9 100644
')
')
-@@ -1039,7 +1349,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1353,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -78764,7 +78912,7 @@ index 4b2878a..9e90eb9 100644
')
##############################
-@@ -1066,6 +1376,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1380,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -78772,7 +78920,7 @@ index 4b2878a..9e90eb9 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1385,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1389,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -78782,7 +78930,7 @@ index 4b2878a..9e90eb9 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1402,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1406,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -78790,7 +78938,7 @@ index 4b2878a..9e90eb9 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1420,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1424,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -78804,7 +78952,7 @@ index 4b2878a..9e90eb9 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,29 +1437,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1441,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -78847,7 +78995,7 @@ index 4b2878a..9e90eb9 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1478,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1482,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -78856,7 +79004,7 @@ index 4b2878a..9e90eb9 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1539,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1543,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -78865,7 +79013,7 @@ index 4b2878a..9e90eb9 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,8 +1553,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1557,9 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -78876,7 +79024,7 @@ index 4b2878a..9e90eb9 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1234,13 +1566,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1570,24 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -78905,7 +79053,7 @@ index 4b2878a..9e90eb9 100644
')
optional_policy(`
-@@ -1251,12 +1594,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1598,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
@@ -78921,7 +79069,7 @@ index 4b2878a..9e90eb9 100644
')
optional_policy(`
-@@ -1279,54 +1622,103 @@ template(`userdom_security_admin_template',`
+@@ -1279,50 +1626,99 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -78990,15 +79138,15 @@ index 4b2878a..9e90eb9 100644
')
- allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
+-')
+ typeattribute $1 user_tmpfs_type;
+
+ files_tmpfs_file($1)
+ ubac_constrained($1)
- ')
-
- ########################################
- ## <summary>
--## Create a user pty.
++')
++
++########################################
++## <summary>
+## Allow domain to attach to TUN devices created by administrative users.
+## </summary>
+## <param name="domain">
@@ -79033,14 +79181,10 @@ index 4b2878a..9e90eb9 100644
+
+ allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
+')
-+
-+########################################
-+## <summary>
-+## Create a user pty.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -1395,6 +1787,7 @@ interface(`userdom_search_user_home_dirs',`
+
+ ########################################
+ ## <summary>
+@@ -1395,6 +1791,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -79048,7 +79192,7 @@ index 4b2878a..9e90eb9 100644
files_search_home($1)
')
-@@ -1441,6 +1834,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1838,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -79063,7 +79207,7 @@ index 4b2878a..9e90eb9 100644
')
########################################
-@@ -1456,9 +1857,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1861,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -79075,7 +79219,7 @@ index 4b2878a..9e90eb9 100644
')
########################################
-@@ -1515,6 +1918,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1922,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -79118,7 +79262,7 @@ index 4b2878a..9e90eb9 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1589,6 +2028,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2032,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -79127,7 +79271,7 @@ index 4b2878a..9e90eb9 100644
')
########################################
-@@ -1603,10 +2044,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2048,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -79142,7 +79286,7 @@ index 4b2878a..9e90eb9 100644
')
########################################
-@@ -1649,6 +2092,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2096,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -79186,7 +79330,7 @@ index 4b2878a..9e90eb9 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1668,6 +2148,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2152,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -79212,7 +79356,7 @@ index 4b2878a..9e90eb9 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1698,14 +2197,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1698,14 +2201,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -79250,7 +79394,7 @@ index 4b2878a..9e90eb9 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2237,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2241,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -79268,7 +79412,7 @@ index 4b2878a..9e90eb9 100644
')
########################################
-@@ -1779,6 +2303,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2307,60 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -79329,7 +79473,7 @@ index 4b2878a..9e90eb9 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1810,8 +2388,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2392,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -79339,7 +79483,7 @@ index 4b2878a..9e90eb9 100644
')
########################################
-@@ -1827,20 +2404,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2408,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -79353,18 +79497,19 @@ index 4b2878a..9e90eb9 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
## <summary>
-@@ -1941,6 +2512,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+ ## Do not audit attempts to execute user home files.
+@@ -1941,6 +2516,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
@@ -79389,7 +79534,7 @@ index 4b2878a..9e90eb9 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
-@@ -2008,7 +2597,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2601,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -79398,7 +79543,7 @@ index 4b2878a..9e90eb9 100644
files_search_home($1)
')
-@@ -2039,7 +2628,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2632,7 @@ interface(`userdom_user_home_content_filetrans',`
type user_home_dir_t, user_home_t;
')
@@ -79407,7 +79552,7 @@ index 4b2878a..9e90eb9 100644
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
-@@ -2158,11 +2747,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2158,11 +2751,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -79422,7 +79567,7 @@ index 4b2878a..9e90eb9 100644
files_search_tmp($1)
')
-@@ -2182,7 +2771,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2775,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -79431,7 +79576,7 @@ index 4b2878a..9e90eb9 100644
')
########################################
-@@ -2390,7 +2979,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2983,7 @@ interface(`userdom_user_tmp_filetrans',`
type user_tmp_t;
')
@@ -79440,7 +79585,7 @@ index 4b2878a..9e90eb9 100644
files_search_tmp($1)
')
-@@ -2419,6 +3008,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +3012,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2)
')
@@ -79466,7 +79611,7 @@ index 4b2878a..9e90eb9 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2435,13 +3043,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3047,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -79482,7 +79627,7 @@ index 4b2878a..9e90eb9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,7 +3071,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3075,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -79491,7 +79636,7 @@ index 4b2878a..9e90eb9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2470,14 +3079,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,14 +3083,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -79526,7 +79671,7 @@ index 4b2878a..9e90eb9 100644
')
########################################
-@@ -2572,7 +3197,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3201,7 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -79535,7 +79680,7 @@ index 4b2878a..9e90eb9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2580,48 +3205,97 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,33 +3209,63 @@ interface(`userdom_use_user_ttys',`
## </summary>
## </param>
#
@@ -79570,23 +79715,18 @@ index 4b2878a..9e90eb9 100644
-## not be allowed for non-interactive domains.
-## </p>
-## </desc>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <infoflow type="both" weight="10"/>
- #
--interface(`userdom_use_user_terminals',`
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`userdom_use_user_ptys',`
- gen_require(`
-- type user_tty_device_t, user_devpts_t;
++ gen_require(`
+ type user_devpts_t;
- ')
-
-- allow $1 user_tty_device_t:chr_file rw_term_perms;
- allow $1 user_devpts_t:chr_file rw_term_perms;
-- term_list_ptys($1)
++ ')
++
++ allow $1 user_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
@@ -79620,18 +79760,22 @@ index 4b2878a..9e90eb9 100644
+## access.
+## </p>
+## </desc>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <infoflow type="both" weight="10"/>
-+#
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+@@ -2614,14 +3273,33 @@ interface(`userdom_use_user_ptys',`
+ ## </param>
+ ## <infoflow type="both" weight="10"/>
+ #
+-interface(`userdom_use_user_terminals',`
+interface(`userdom_use_inherited_user_terminals',`
-+ gen_require(`
-+ type user_tty_device_t, user_devpts_t;
-+ ')
-+
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+- allow $1 user_tty_device_t:chr_file rw_term_perms;
+- allow $1 user_devpts_t:chr_file rw_term_perms;
+- term_list_ptys($1)
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
@@ -79657,7 +79801,7 @@ index 4b2878a..9e90eb9 100644
')
########################################
-@@ -2640,8 +3314,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2640,8 +3318,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -79687,7 +79831,7 @@ index 4b2878a..9e90eb9 100644
')
########################################
-@@ -2713,6 +3406,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2713,6 +3410,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -79712,7 +79856,7 @@ index 4b2878a..9e90eb9 100644
########################################
## <summary>
## Execute an Xserver session in all unprivileged user domains. This
-@@ -2736,24 +3447,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2736,24 +3451,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -79737,7 +79881,7 @@ index 4b2878a..9e90eb9 100644
########################################
## <summary>
## Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3465,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2772,25 +3469,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@@ -79763,7 +79907,7 @@ index 4b2878a..9e90eb9 100644
########################################
## <summary>
## Manage unpriviledged user SysV shared
-@@ -2852,7 +3526,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3530,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -79772,7 +79916,7 @@ index 4b2878a..9e90eb9 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2868,29 +3542,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3546,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -79806,7 +79950,7 @@ index 4b2878a..9e90eb9 100644
')
########################################
-@@ -2972,7 +3630,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3634,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -79815,7 +79959,7 @@ index 4b2878a..9e90eb9 100644
')
########################################
-@@ -3027,7 +3685,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3689,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -79862,7 +80006,7 @@ index 4b2878a..9e90eb9 100644
')
########################################
-@@ -3045,7 +3741,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3745,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -79871,7 +80015,7 @@ index 4b2878a..9e90eb9 100644
')
########################################
-@@ -3064,6 +3760,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3764,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -79879,7 +80023,7 @@ index 4b2878a..9e90eb9 100644
kernel_search_proc($1)
')
-@@ -3142,6 +3839,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3843,24 @@ interface(`userdom_signal_all_users',`
########################################
## <summary>
@@ -79904,7 +80048,7 @@ index 4b2878a..9e90eb9 100644
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
-@@ -3160,6 +3875,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3879,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -79929,7 +80073,7 @@ index 4b2878a..9e90eb9 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3194,3 +3927,1165 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3931,1165 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 845926b..09ab505 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 76%{?dist}
+Release: 77%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,23 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Feb 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-77
+- Dontaudit sandbox to shudown unconfined_execmem stream
+- Allow smtpd_t to manage spool files/directories and symbolic links
+- Allow ksysguardproces to send system log msgs
+- Allow automount to execute consoletype
+- Allow boinc setpgid and signull
+- Add mysqld_home_t for ~/.my.cnf
+- Add unit file support to mysqld
+- rhev-agent package was rename to ovirt-guest-agent
+- move postfix_domtrans_user_mail_handler() to mta.if
+- Fix virt_search_images() interface
+- Fix iscsi policy
+- Add booleans to allow rsync to share nfs and cifs file sytems
+- Add file name transition for locale.conf.new
+- Allow boinc projects to gconf config files
+- Allow xen to search virt images directories
+
* Mon Feb 20 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-76
- Allow denyhosts to read "unix"
- Add file name transition for locale.conf.new
More information about the scm-commits
mailing list