[selinux-policy] - New fix for seunshare, requires seunshare_domains to be able to mounton / - Allow systemctl runnin

Miroslav Grepl mgrepl at fedoraproject.org
Wed Jan 4 14:58:53 UTC 2012


commit b3ef57fc19c3884c4c6117a9bd799ebfa274e4a3
Author: Miroslav <mgrepl at redhat.com>
Date:   Wed Jan 4 15:58:41 2012 +0100

    - New fix for seunshare, requires seunshare_domains to be able to mounton /
    - Allow systemctl running as logrotate_t to connect to private systemd socket
    - Allow tmpwatch to read meminfo
    - Allow rpc.svcgssd to read supported_krb5_enctype
    - Allow zarafa domains to read /dev/random and /dev/urandom
    - Allow snmpd to read dev_snmp6
    - Allow procmail to talk with cyrus
    - Add fixes for check_disk and check_nagios plugins

 policy-F16.patch    | 1026 ++++++++++++++++++++++++++++++++++++++-------------
 selinux-policy.spec |   12 +-
 2 files changed, 789 insertions(+), 249 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index a8547ef..6577ce6 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1439,7 +1439,7 @@ index 4f7bd3c..9143343 100644
 -	unconfined_domain(kudzu_t)
  ')
 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..a2512aa 100644
+index 7090dae..078d715 100644
 --- a/policy/modules/admin/logrotate.te
 +++ b/policy/modules/admin/logrotate.te
 @@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t)
@@ -1485,12 +1485,13 @@ index 7090dae..a2512aa 100644
  
  # cjp: why is this needed?
  init_domtrans_script(logrotate_t)
-@@ -116,17 +118,15 @@ miscfiles_read_localization(logrotate_t)
+@@ -116,17 +118,16 @@ miscfiles_read_localization(logrotate_t)
  
  seutil_dontaudit_read_config(logrotate_t)
  
 -userdom_use_user_terminals(logrotate_t)
 +systemd_exec_systemctl(logrotate_t)
++init_stream_connect(logrotate_t)
 +
 +userdom_use_inherited_user_terminals(logrotate_t)
  userdom_list_user_home_dirs(logrotate_t)
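Review bot: `init_stream_connect(logrotate_t)` on the added line is an unconditional grant, yet per the commit message it exists only so that the systemctl invocation can reach the private systemd socket; placing it next to `systemd_exec_systemctl(logrotate_t)` inside an `optional_policy` block, or at least giving it a why-comment such as `# systemctl invoked by logrotate talks to the private systemd socket`, would keep the two rules visibly tied together. Connecting to init's stream socket is a privileged control channel, so it is worth making the dependency explicit rather than leaving it as a bare line between the userdom rules. The logrotate_t rule block continues outside this hunk.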
@@ -1508,7 +1509,7 @@ index 7090dae..a2512aa 100644
  	# for savelog
  	can_exec(logrotate_t, logrotate_exec_t)
  
-@@ -138,7 +138,7 @@ ifdef(`distro_debian', `
+@@ -138,7 +139,7 @@ ifdef(`distro_debian', `
  ')
  
  optional_policy(`
@@ -1517,7 +1518,7 @@ index 7090dae..a2512aa 100644
  ')
  
  optional_policy(`
-@@ -154,6 +154,10 @@ optional_policy(`
+@@ -154,6 +155,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1528,7 +1529,7 @@ index 7090dae..a2512aa 100644
  	asterisk_domtrans(logrotate_t)
  ')
  
-@@ -162,10 +166,20 @@ optional_policy(`
+@@ -162,10 +167,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1549,7 +1550,7 @@ index 7090dae..a2512aa 100644
  	cups_domtrans(logrotate_t)
  ')
  
-@@ -200,9 +214,12 @@ optional_policy(`
+@@ -200,9 +215,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1563,7 +1564,7 @@ index 7090dae..a2512aa 100644
  
  optional_policy(`
  	samba_exec_log(logrotate_t)
-@@ -228,3 +245,14 @@ optional_policy(`
+@@ -228,3 +246,14 @@ optional_policy(`
  optional_policy(`
  	varnishd_manage_log(logrotate_t)
  ')
@@ -2128,10 +2129,10 @@ index 0000000..bd83148
 +## <summary>No Interfaces</summary>
 diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
 new file mode 100644
-index 0000000..9c8b64f
+index 0000000..deed25f
 --- /dev/null
 +++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,10 @@
+@@ -0,0 +1,20 @@
 +policy_module(permissivedomains,17)
 +
 +
@@ -2142,6 +2143,16 @@ index 0000000..9c8b64f
 +
 +	permissive blueman_t;
 +')
++
++optional_policy(`
++	gen_require(`
++		type httpd_zoneminder_script_t, zoneminder_t;
++	')
++
++	permissive httpd_zoneminder_script_t;
++	permissive zoneminder_t;
++')
++
 diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
 index db46387..b665b08 100644
 --- a/policy/modules/admin/portage.fc
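Review bot: The new `permissive httpd_zoneminder_script_t;` and `permissive zoneminder_t;` entries carry no tracking reference, and a permissive domain only logs denials without enforcing them, so each such block should record why the domain is still permissive and when it is expected to be removed, e.g. `# zoneminder policy incomplete, permissive until <tracking id>; remove once denials are resolved`. The context line `policy_module(permissivedomains,17)` is unchanged here; if the project bumps the module version per change, that bump is missing. The surrounding `optional_policy` entries in this file follow the same uncommented pattern, so this is a suggestion for the new block rather than a regression.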
@@ -11422,10 +11433,10 @@ index 1dc7a85..a01511f 100644
 +	corecmd_shell_domtrans($1_seunshare_t, $1_t)
  ')
 diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..7e6f53c 100644
+index 7590165..f40af5b 100644
 --- a/policy/modules/apps/seunshare.te
 +++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,59 @@ policy_module(seunshare, 1.1.0)
+@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0)
  # Declarations
  #
  
@@ -11464,12 +11475,14 @@ index 7590165..7e6f53c 100644
 +files_search_all(seunshare_domain)
 +files_read_etc_files(seunshare_domain)
 +files_mounton_all_poly_members(seunshare_domain)
++files_mounton_rootfs(seunshare_domain)
 +files_manage_generic_tmp_dirs(seunshare_domain)
 +files_relabelfrom_tmp_dirs(seunshare_domain)
  
 -logging_send_syslog_msg(seunshare_t)
 +fs_manage_cgroup_dirs(seunshare_domain)
 +fs_manage_cgroup_files(seunshare_domain)
++fs_unmount_all_fs(seunshare_domain)
  
 -miscfiles_read_localization(seunshare_t)
 +logging_send_syslog_msg(seunshare_domain)
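Review bot: `fs_unmount_all_fs(seunshare_domain)` grants unmount on every filesystem type, which is far wider than the tmp, home and cgroup mounts the surrounding rules set up; if the unmounts only ever happen inside the private mount namespace seunshare creates, a comment such as `# seunshare tears down its bind mounts inside its own mount namespace` would make the breadth deliberate rather than an artefact of the interface at hand. `files_mounton_rootfs(seunshare_domain)` on the other added line lets these domains mount over `/`, which matches the commit message but also deserves a one-line why-comment. The seunshare_domain rule block starts outside this hunk.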
@@ -16987,7 +17000,7 @@ index c19518a..04ef731 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..b682bcf 100644
+index ff006ea..90fa357 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -17152,7 +17165,32 @@ index ff006ea..b682bcf 100644
  ##	Unmount a rootfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1848,7 +1952,7 @@ interface(`files_boot_filetrans',`
+@@ -1678,6 +1782,24 @@ interface(`files_unmount_rootfs',`
+ 
+ ########################################
+ ## <summary>
++##	Mount a filesystem on the root file system
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_mounton_rootfs',`
++	gen_require(`
++		type root_t;
++	')
++
++	allow $1 root_t:dir { search_dir_perms mounton };
++')
++
++########################################
++## <summary>
+ ##	Get attributes of the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -1848,7 +1970,7 @@ interface(`files_boot_filetrans',`
  		type boot_t;
  	')
  
@@ -17161,7 +17199,7 @@ index ff006ea..b682bcf 100644
  ')
  
  ########################################
-@@ -2372,6 +2476,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2372,6 +2494,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -17186,7 +17224,7 @@ index ff006ea..b682bcf 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2451,7 +2573,7 @@ interface(`files_read_etc_files',`
+@@ -2451,7 +2591,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17195,7 +17233,7 @@ index ff006ea..b682bcf 100644
  ##	</summary>
  ## </param>
  #
-@@ -2507,6 +2629,25 @@ interface(`files_manage_etc_files',`
+@@ -2507,6 +2647,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -17221,7 +17259,7 @@ index ff006ea..b682bcf 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2525,6 +2666,24 @@ interface(`files_delete_etc_files',`
+@@ -2525,6 +2684,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -17246,7 +17284,7 @@ index ff006ea..b682bcf 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2624,7 +2783,7 @@ interface(`files_etc_filetrans',`
+@@ -2624,7 +2801,7 @@ interface(`files_etc_filetrans',`
  		type etc_t;
  	')
  
@@ -17255,7 +17293,7 @@ index ff006ea..b682bcf 100644
  ')
  
  ########################################
-@@ -2680,24 +2839,6 @@ interface(`files_delete_boot_flag',`
+@@ -2680,24 +2857,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -17280,7 +17318,7 @@ index ff006ea..b682bcf 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -2738,6 +2879,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2738,6 +2897,24 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -17305,7 +17343,7 @@ index ff006ea..b682bcf 100644
  ##	Do not audit attempts to read files
  ##	in /etc that are dynamically
  ##	created on boot, such as mtab.
-@@ -2775,6 +2934,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2775,6 +2952,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -17313,7 +17351,7 @@ index ff006ea..b682bcf 100644
  ')
  
  ########################################
-@@ -2796,6 +2956,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -2796,6 +2974,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -17321,7 +17359,7 @@ index ff006ea..b682bcf 100644
  ')
  
  ########################################
-@@ -3364,7 +3525,7 @@ interface(`files_home_filetrans',`
+@@ -3364,7 +3543,7 @@ interface(`files_home_filetrans',`
  		type home_root_t;
  	')
  
@@ -17330,7 +17368,7 @@ index ff006ea..b682bcf 100644
  ')
  
  ########################################
-@@ -3502,20 +3663,38 @@ interface(`files_list_mnt',`
+@@ -3502,20 +3681,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -17374,7 +17412,7 @@ index ff006ea..b682bcf 100644
  ')
  
  ########################################
-@@ -3804,7 +3983,7 @@ interface(`files_kernel_modules_filetrans',`
+@@ -3804,7 +4001,7 @@ interface(`files_kernel_modules_filetrans',`
  		type modules_object_t;
  	')
  
@@ -17383,7 +17421,7 @@ index ff006ea..b682bcf 100644
  ')
  
  ########################################
-@@ -3900,6 +4079,99 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,6 +4097,99 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -17483,7 +17521,7 @@ index ff006ea..b682bcf 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3945,7 +4217,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -3945,7 +4235,7 @@ interface(`files_getattr_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17492,7 +17530,7 @@ index ff006ea..b682bcf 100644
  ##	</summary>
  ## </param>
  #
-@@ -4017,7 +4289,7 @@ interface(`files_list_tmp',`
+@@ -4017,7 +4307,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17501,7 +17539,7 @@ index ff006ea..b682bcf 100644
  ##	</summary>
  ## </param>
  #
-@@ -4029,6 +4301,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4319,24 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -17526,12 +17564,13 @@ index ff006ea..b682bcf 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4085,6 +4375,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4085,17 +4393,43 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
+-##	Manage temporary files and directories in /tmp.
 +##	Allow shared library text relocations in tmp files.
-+## </summary>
+ ## </summary>
 +## <desc>
 +##	<p>
 +##	Allow shared library text relocations in tmp files.
@@ -17540,14 +17579,16 @@ index ff006ea..b682bcf 100644
 +##	This is added to support java policy.
 +##	</p>
 +## </desc>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_tmp_files',`
 +interface(`files_execmod_tmp',`
-+	gen_require(`
+ 	gen_require(`
+-		type tmp_t;
 +		attribute tmpfile;
 +	')
 +
@@ -17556,26 +17597,34 @@ index ff006ea..b682bcf 100644
 +
 +########################################
 +## <summary>
- ##	Manage temporary files and directories in /tmp.
- ## </summary>
- ## <param name="domain">
-@@ -4139,7 +4455,7 @@ interface(`files_rw_generic_tmp_sockets',`
++##	Manage temporary files and directories in /tmp.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_generic_tmp_files',`
++	gen_require(`
++		type tmp_t;
+ 	')
+ 
+ 	manage_files_pattern($1, tmp_t, tmp_t)
+@@ -4139,6 +4473,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
--##	Set the attributes of all tmp directories.
 +##	Relabel a dir from the type used in /tmp.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4147,9 +4463,45 @@ interface(`files_rw_generic_tmp_sockets',`
- ##	</summary>
- ## </param>
- #
--interface(`files_setattr_all_tmp_dirs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_relabelfrom_tmp_dirs',`
- 	gen_require(`
--		attribute tmpfile;
++	gen_require(`
 +		type tmp_t;
 +	')
 +
@@ -17602,21 +17651,10 @@ index ff006ea..b682bcf 100644
 +
 +########################################
 +## <summary>
-+##	Set the attributes of all tmp directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_setattr_all_tmp_dirs',`
-+	gen_require(`
-+		attribute tmpfile;
- 	')
- 
- 	allow $1 tmpfile:dir { search_dir_perms setattr };
-@@ -4202,7 +4554,7 @@ interface(`files_relabel_all_tmp_dirs',`
+ ##	Set the attributes of all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -4202,7 +4572,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17625,7 +17663,7 @@ index ff006ea..b682bcf 100644
  ##	</summary>
  ## </param>
  #
-@@ -4262,7 +4614,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4632,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17634,7 +17672,7 @@ index ff006ea..b682bcf 100644
  ##	</summary>
  ## </param>
  #
-@@ -4318,7 +4670,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4688,7 @@ interface(`files_tmp_filetrans',`
  		type tmp_t;
  	')
  
@@ -17643,7 +17681,7 @@ index ff006ea..b682bcf 100644
  ')
  
  ########################################
-@@ -4342,6 +4694,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4712,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -17660,7 +17698,7 @@ index ff006ea..b682bcf 100644
  ')
  
  ########################################
-@@ -4681,7 +5043,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5061,7 @@ interface(`files_usr_filetrans',`
  		type usr_t;
  	')
  
@@ -17669,7 +17707,7 @@ index ff006ea..b682bcf 100644
  ')
  
  ########################################
-@@ -5084,7 +5446,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5464,7 @@ interface(`files_var_filetrans',`
  		type var_t;
  	')
  
@@ -17678,7 +17716,7 @@ index ff006ea..b682bcf 100644
  ')
  
  ########################################
-@@ -5219,7 +5581,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5599,7 @@ interface(`files_var_lib_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -17687,7 +17725,7 @@ index ff006ea..b682bcf 100644
  ')
  
  ########################################
-@@ -5304,6 +5666,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5684,25 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -17713,7 +17751,7 @@ index ff006ea..b682bcf 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5317,6 +5698,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5716,8 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17722,7 +17760,7 @@ index ff006ea..b682bcf 100644
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5336,12 +5719,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5737,14 @@ interface(`files_dontaudit_search_locks',`
  		type var_lock_t;
  	')
  
@@ -17738,7 +17776,7 @@ index ff006ea..b682bcf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5349,12 +5734,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5752,30 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -17771,7 +17809,7 @@ index ff006ea..b682bcf 100644
  ')
  
  ########################################
-@@ -5373,6 +5776,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5794,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -17779,7 +17817,7 @@ index ff006ea..b682bcf 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5385,7 +5789,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5807,6 @@ interface(`files_rw_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -17787,7 +17825,7 @@ index ff006ea..b682bcf 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5412,7 +5815,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5833,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17796,7 +17834,7 @@ index ff006ea..b682bcf 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5428,12 +5831,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5849,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -17813,7 +17851,7 @@ index ff006ea..b682bcf 100644
  ')
  
  ########################################
-@@ -5452,7 +5855,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5873,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17822,7 +17860,7 @@ index ff006ea..b682bcf 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5493,7 +5896,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +5914,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17831,7 +17869,7 @@ index ff006ea..b682bcf 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +5918,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +5936,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17840,7 +17878,7 @@ index ff006ea..b682bcf 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +5950,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +5968,8 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -17851,7 +17889,7 @@ index ff006ea..b682bcf 100644
  ')
  
  ########################################
-@@ -5608,6 +6011,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +6029,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -17895,7 +17933,7 @@ index ff006ea..b682bcf 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5629,6 +6069,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5629,6 +6087,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -17921,7 +17959,7 @@ index ff006ea..b682bcf 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -5736,7 +6195,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6213,7 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -17930,7 +17968,7 @@ index ff006ea..b682bcf 100644
  ')
  
  ########################################
-@@ -5815,29 +6274,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,29 +6292,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -17964,7 +18002,7 @@ index ff006ea..b682bcf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5845,42 +6300,35 @@ interface(`files_read_all_pids',`
+@@ -5845,42 +6318,35 @@ interface(`files_read_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -18014,7 +18052,7 @@ index ff006ea..b682bcf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5888,20 +6336,17 @@ interface(`files_delete_all_pids',`
+@@ -5888,20 +6354,17 @@ interface(`files_delete_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -18038,7 +18076,7 @@ index ff006ea..b682bcf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5909,56 +6354,59 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5909,56 +6372,59 @@ interface(`files_delete_all_pid_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -18114,7 +18152,7 @@ index ff006ea..b682bcf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5966,18 +6414,17 @@ interface(`files_list_spool',`
+@@ -5966,18 +6432,17 @@ interface(`files_list_spool',`
  ##	</summary>
  ## </param>
  #
@@ -18137,7 +18175,7 @@ index ff006ea..b682bcf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5985,19 +6432,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -5985,19 +6450,18 @@ interface(`files_manage_generic_spool_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -18162,7 +18200,7 @@ index ff006ea..b682bcf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6005,50 +6451,61 @@ interface(`files_read_generic_spool',`
+@@ -6005,50 +6469,61 @@ interface(`files_read_generic_spool',`
  ##	</summary>
  ## </param>
  #
@@ -18243,7 +18281,7 @@ index ff006ea..b682bcf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6056,31 +6513,283 @@ interface(`files_spool_filetrans',`
+@@ -6056,16 +6531,268 @@ interface(`files_spool_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -18258,26 +18296,11 @@ index ff006ea..b682bcf 100644
  
 -	# Need to give access to /selinux/member
 -	selinux_compute_member($1)
--
--	# Need sys_admin capability for mounting
--	allow $1 self:capability { chown fsetid sys_admin fowner };
--
--	# Need to give access to the directories to be polyinstantiated
--	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
--	# Need to give access to the polyinstantiated subdirectories
--	allow $1 polymember:dir search_dir_perms;
--
--	# Need to give access to parent directories where original
--	# is remounted for polyinstantiation aware programs (like gdm)
--	allow $1 polyparent:dir { getattr mounton };
 +	allow $1 var_t:dir search_dir_perms;
 +	delete_dirs_pattern($1, pidfile, pidfile)
 +')
  
--	# Need to give permission to create directories where applicable
--	allow $1 self:process setfscreate;
--	allow $1 polymember: dir { create setattr relabelto };
+-	# Need sys_admin capability for mounting
 +########################################
 +## <summary>
 +##	Make the specified type a file
@@ -18530,25 +18553,10 @@ index ff006ea..b682bcf 100644
 +	selinux_compute_member($1)
 +
 +	# Need sys_admin capability for mounting
-+	allow $1 self:capability { chown fsetid sys_admin fowner };
-+
-+	# Need to give access to the directories to be polyinstantiated
-+	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+	# Need to give access to the polyinstantiated subdirectories
-+	allow $1 polymember:dir search_dir_perms;
-+
-+	# Need to give access to parent directories where original
-+	# is remounted for polyinstantiation aware programs (like gdm)
-+	allow $1 polyparent:dir { getattr mounton };
-+
-+	# Need to give permission to create directories where applicable
-+	allow $1 self:process setfscreate;
-+	allow $1 polymember: dir { create setattr relabelto };
- 	allow $1 polydir: dir { write add_name open };
- 	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+ 	allow $1 self:capability { chown fsetid sys_admin fowner };
  
-@@ -6117,3 +6826,284 @@ interface(`files_unconfined',`
+ 	# Need to give access to the directories to be polyinstantiated
+@@ -6117,3 +6844,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -18908,7 +18916,7 @@ index cda5588..e89e4bf 100644
 +/usr/lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
 +/usr/lib/udev/devices/shm/.*	<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..6342520 100644
+index 97fcdac..dc65c9c 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -19348,7 +19356,32 @@ index 97fcdac..6342520 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3958,6 +4197,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3258,6 +3497,24 @@ interface(`fs_getattr_nfsd_files',`
+ 	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+ ')
+ 
++#######################################
++## <summary>
++##  read files on an nfsd filesystem
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`fs_read_nfsd_files',`
++    gen_require(`
++        type nfsd_fs_t;
++    ')
++
++    read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Read and write NFS server files.
+@@ -3958,6 +4215,42 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
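Review bot: The new `fs_read_nfsd_files` interface is indented with spaces (`gen_require(` under four spaces, `type nfsd_fs_t;` under eight) and its XML comments use two-space indents (`##  Domain allowed access.`), whereas the neighbouring interfaces in filesystem.if use tabs, as the `getattr_files_pattern` context line just above shows; the separator line also appears one `#` shorter than the others. The summary should read `##	Read files on an nfsd filesystem.` to match the capitalised, full-stop style of the surrounding summaries. Style only: the body `read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)` is the expected shape.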
@@ -19391,7 +19424,7 @@ index 97fcdac..6342520 100644
  ##	Create, read, write, and delete
  ##	tmpfs directories
  ## </summary>
-@@ -4175,6 +4450,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4468,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -19416,7 +19449,7 @@ index 97fcdac..6342520 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4251,6 +4544,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4251,6 +4562,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -19442,7 +19475,7 @@ index 97fcdac..6342520 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4457,6 +4769,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4787,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -19451,7 +19484,7 @@ index 97fcdac..6342520 100644
  ')
  
  ########################################
-@@ -4503,7 +4817,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4835,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -19460,7 +19493,7 @@ index 97fcdac..6342520 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4866,3 +5180,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5198,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -28440,10 +28473,10 @@ index 0000000..9fe3f9e
 +')
 diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
 new file mode 100644
-index 0000000..788087e
+index 0000000..040aa2e
 --- /dev/null
 +++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,173 @@
+@@ -0,0 +1,171 @@
 +policy_module(boinc, 1.0.0)
 +
 +########################################
@@ -28453,7 +28486,7 @@ index 0000000..788087e
 +
 +attribute boinc_domain;
 +
-+type boinc_t;
++type boinc_t, boinc_domain;
 +type boinc_exec_t;
 +init_daemon_domain(boinc_t, boinc_exec_t)
 +
@@ -28496,6 +28529,7 @@ index 0000000..788087e
 +dev_read_rand(boinc_domain)
 +dev_read_urand(boinc_domain)
 +dev_read_sysfs(boinc_domain)
++dev_rw_xserver_misc(boinc_domain)
 +
 +domain_read_all_domains_state(boinc_domain)
 +
@@ -28515,7 +28549,6 @@ index 0000000..788087e
 +# boinc local policy
 +#
 +
-+allow boinc_t self:capability { kill };
 +allow boinc_t self:process { setsched sigkill };
 +
 +allow boinc_t self:unix_stream_socket create_stream_socket_perms;
@@ -28610,8 +28643,6 @@ index 0000000..788087e
 +
 +corenet_tcp_connect_boinc_port(boinc_project_t)
 +
-+dev_rw_xserver_misc(boinc_project_t)
-+
 +files_dontaudit_search_home(boinc_project_t)
 +
 +optional_policy(`
@@ -33940,7 +33971,7 @@ index 305ddf4..2746e6f 100644
  
  	admin_pattern($1, ptal_etc_t)
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..3bc4cfd 100644
+index 0f28095..0172ea8 100644
 --- a/policy/modules/services/cups.te
 +++ b/policy/modules/services/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -33999,7 +34030,15 @@ index 0f28095..3bc4cfd 100644
  term_use_unallocated_ttys(cupsd_t)
  term_search_ptys(cupsd_t)
  
-@@ -270,12 +275,6 @@ files_dontaudit_list_home(cupsd_t)
+@@ -220,6 +225,7 @@ corecmd_exec_bin(cupsd_t)
+ 
+ domain_use_interactive_fds(cupsd_t)
+ 
++files_getattr_boot_dirs(cupsd_t)
+ files_list_spool(cupsd_t)
+ files_read_etc_files(cupsd_t)
+ files_read_etc_runtime_files(cupsd_t)
+@@ -270,12 +276,6 @@ files_dontaudit_list_home(cupsd_t)
  userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
  userdom_dontaudit_search_user_home_content(cupsd_t)
  
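Review bot: `files_getattr_boot_dirs(cupsd_t)` is an allow rule for a daemon that has no evident need to inspect /boot; if this is silencing a stat walk rather than enabling real functionality, the `files_dontaudit_getattr_boot_dirs` interface would quiet the denial without widening cupsd's access. If the getattr is genuinely required, a one-line why-comment beside the rule, e.g. `# cupsd stats /boot while enumerating mount points`, would stop the next reviewer from asking the same question. The cupsd_t rule block continues outside this hunk.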
@@ -34012,7 +34051,7 @@ index 0f28095..3bc4cfd 100644
  optional_policy(`
  	apm_domtrans_client(cupsd_t)
  ')
-@@ -297,8 +296,10 @@ optional_policy(`
+@@ -297,8 +297,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -34023,7 +34062,7 @@ index 0f28095..3bc4cfd 100644
  	')
  ')
  
-@@ -311,10 +312,22 @@ optional_policy(`
+@@ -311,10 +313,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34046,7 +34085,7 @@ index 0f28095..3bc4cfd 100644
  	mta_send_mail(cupsd_t)
  ')
  
-@@ -371,8 +384,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +385,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
  
  allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
  
@@ -34057,7 +34096,7 @@ index 0f28095..3bc4cfd 100644
  
  domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
  
-@@ -393,6 +407,10 @@ dev_read_sysfs(cupsd_config_t)
+@@ -393,6 +408,10 @@ dev_read_sysfs(cupsd_config_t)
  dev_read_urand(cupsd_config_t)
  dev_read_rand(cupsd_config_t)
  dev_rw_generic_usb_dev(cupsd_config_t)
@@ -34068,7 +34107,7 @@ index 0f28095..3bc4cfd 100644
  
  files_search_all_mountpoints(cupsd_config_t)
  
-@@ -425,11 +443,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +444,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
  
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -34082,7 +34121,7 @@ index 0f28095..3bc4cfd 100644
  ifdef(`distro_redhat',`
  	optional_policy(`
  		rpm_read_db(cupsd_config_t)
-@@ -453,6 +471,10 @@ optional_policy(`
+@@ -453,6 +472,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34093,7 +34132,7 @@ index 0f28095..3bc4cfd 100644
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
  	hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +489,10 @@ optional_policy(`
+@@ -467,6 +490,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34104,7 +34143,7 @@ index 0f28095..3bc4cfd 100644
  	policykit_dbus_chat(cupsd_config_t)
  	userdom_read_all_users_state(cupsd_config_t)
  ')
-@@ -587,23 +613,22 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,23 +614,22 @@ auth_use_nsswitch(cups_pdf_t)
  
  miscfiles_read_localization(cups_pdf_t)
  miscfiles_read_fonts(cups_pdf_t)
@@ -34137,7 +34176,7 @@ index 0f28095..3bc4cfd 100644
  ')
  
  ########################################
-@@ -639,7 +664,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +665,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -34146,7 +34185,7 @@ index 0f28095..3bc4cfd 100644
  
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +710,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +711,7 @@ domain_use_interactive_fds(hplip_t)
  files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
@@ -34154,7 +34193,7 @@ index 0f28095..3bc4cfd 100644
  
  logging_send_syslog_msg(hplip_t)
  
-@@ -696,8 +722,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +723,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
@@ -45627,7 +45666,7 @@ index 256166a..71e7a36 100644
 +/var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..867dfac 100644
+index 343cee3..381f8c1 100644
 --- a/policy/modules/services/mta.if
 +++ b/policy/modules/services/mta.if
 @@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -45750,7 +45789,7 @@ index 343cee3..867dfac 100644
  	')
  
  	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-@@ -391,12 +416,17 @@ interface(`mta_send_mail',`
+@@ -391,12 +416,19 @@ interface(`mta_send_mail',`
  #
  interface(`mta_sendmail_domtrans',`
  	gen_require(`
@@ -45766,11 +45805,13 @@ index 343cee3..867dfac 100644
 +
 +	allow $2 mta_exec_type:file entrypoint;
 +	domtrans_pattern($1, mta_exec_type, $2)
++	allow mta_user_agent $1:fd use;
++	allow mta_user_agent $1:process sigchld;
 +	allow mta_user_agent $1:fifo_file { read write };
  ')
  
  ########################################
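Review bot: The two added rules grant `fd use` and `process sigchld` on `$1` to the entire `mta_user_agent` attribute rather than to `$2`, the domain that `domtrans_pattern($1, mta_exec_type, $2)` two lines above transitions into. If I read domtrans_pattern correctly it already gives the target domain fd use, fifo rw and sigchld on the source, so when `$2` is itself an mta_user_agent these lines are redundant, and when it is not they widen the grant to every user-agent domain. If the wider grant is intentional (the agent re-execs into another mta_user_agent domain, say), a comment above them — `# the agent may transition on to another mta_user_agent domain; let any of them inherit $1's fds and report exit` — would stop the next reader from narrowing it to `$2`. The interface body starts outside the hunk.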
-@@ -409,7 +439,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +441,6 @@ interface(`mta_sendmail_domtrans',`
  ##	</summary>
  ## </param>
  #
@@ -45778,7 +45819,7 @@ index 343cee3..867dfac 100644
  interface(`mta_signal_system_mail',`
  	gen_require(`
  		type system_mail_t;
-@@ -420,6 +449,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +451,24 @@ interface(`mta_signal_system_mail',`
  
  ########################################
  ## <summary>
@@ -45803,7 +45844,7 @@ index 343cee3..867dfac 100644
  ##	Execute sendmail in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -438,6 +485,26 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +487,26 @@ interface(`mta_sendmail_exec',`
  
  ########################################
  ## <summary>
@@ -45830,7 +45871,7 @@ index 343cee3..867dfac 100644
  ##	Read mail server configuration.
  ## </summary>
  ## <param name="domain">
-@@ -474,7 +541,8 @@ interface(`mta_write_config',`
+@@ -474,7 +543,8 @@ interface(`mta_write_config',`
  		type etc_mail_t;
  	')
  
@@ -45840,7 +45881,7 @@ index 343cee3..867dfac 100644
  ')
  
  ########################################
-@@ -494,6 +562,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +564,7 @@ interface(`mta_read_aliases',`
  
  	files_search_etc($1)
  	allow $1 etc_aliases_t:file read_file_perms;
@@ -45848,7 +45889,7 @@ index 343cee3..867dfac 100644
  ')
  
  ########################################
-@@ -532,7 +601,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -532,7 +603,7 @@ interface(`mta_etc_filetrans_aliases',`
  		type etc_aliases_t;
  	')
  
@@ -45857,7 +45898,7 @@ index 343cee3..867dfac 100644
  ')
  
  ########################################
-@@ -552,7 +621,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +623,7 @@ interface(`mta_rw_aliases',`
  	')
  
  	files_search_etc($1)
@@ -45866,7 +45907,7 @@ index 343cee3..867dfac 100644
  ')
  
  #######################################
-@@ -646,8 +715,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +717,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
  
  	files_dontaudit_search_spool($1)
  	dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -45877,7 +45918,7 @@ index 343cee3..867dfac 100644
  ')
  
  #######################################
-@@ -677,7 +746,26 @@ interface(`mta_spool_filetrans',`
+@@ -677,7 +748,26 @@ interface(`mta_spool_filetrans',`
  	')
  
  	files_search_spool($1)
@@ -45905,7 +45946,7 @@ index 343cee3..867dfac 100644
  ')
  
  ########################################
-@@ -697,8 +785,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +787,8 @@ interface(`mta_rw_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -45916,7 +45957,7 @@ index 343cee3..867dfac 100644
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -838,7 +926,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +928,7 @@ interface(`mta_dontaudit_rw_queue',`
  	')
  
  	dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -45925,7 +45966,7 @@ index 343cee3..867dfac 100644
  ')
  
  ########################################
-@@ -864,6 +952,36 @@ interface(`mta_manage_queue',`
+@@ -864,6 +954,36 @@ interface(`mta_manage_queue',`
  
  #######################################
  ## <summary>
@@ -45962,7 +46003,7 @@ index 343cee3..867dfac 100644
  ##	Read sendmail binary.
  ## </summary>
  ## <param name="domain">
-@@ -899,3 +1017,114 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +1019,114 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -47221,7 +47262,7 @@ index 8581040..039bfa0 100644
  	init_labeled_script_domtrans($1, nagios_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..1147e19 100644
+index bf64a4c..9ad9024 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
 @@ -25,7 +25,10 @@ type nagios_var_run_t;
@@ -47368,14 +47409,24 @@ index bf64a4c..1147e19 100644
  ')
  
  optional_policy(`
-@@ -363,7 +376,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -363,6 +376,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
  manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
  files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
  
--kernel_read_system_state(nagios_system_plugin_t)
++read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
++
+ kernel_read_system_state(nagios_system_plugin_t)
  kernel_read_kernel_sysctls(nagios_system_plugin_t)
  
- corecmd_exec_bin(nagios_system_plugin_t)
+@@ -376,6 +391,8 @@ domain_read_all_domains_state(nagios_system_plugin_t)
+ 
+ files_read_etc_files(nagios_system_plugin_t)
+ 
++fs_getattr_all_fs(nagios_system_plugin_t)
++
+ # needed by check_users plugin
+ optional_policy(`
+ 	init_read_utmp(nagios_system_plugin_t)
 diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc
 index 74da57f..b94bb3b 100644
 --- a/policy/modules/services/nessus.fc
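Review bot: Neither added rule records which plugin needs it, although the file already annotates rules that way (`# needed by check_users plugin` sits two lines below the second addition). Going by the commit message, `read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)` is presumably for check_nagios, which reads the nagios log, and `fs_getattr_all_fs(nagios_system_plugin_t)` for check_disk; a `# needed by check_nagios plugin` and a `# needed by check_disk plugin` line above each would make that traceable. The `fs_getattr_all_fs` grant is the broader of the two (statfs on every filesystem type), so the comment is also what justifies keeping it when someone later tightens this domain.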
@@ -53398,7 +53449,7 @@ index b64b02f..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
 +')
 diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..999b986 100644
+index 29b9295..df6c236 100644
 --- a/policy/modules/services/procmail.te
 +++ b/policy/modules/services/procmail.te
 @@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -53452,7 +53503,7 @@ index 29b9295..999b986 100644
  
  mta_manage_spool(procmail_t)
  mta_read_queue(procmail_t)
-@@ -97,17 +110,7 @@ ifdef(`hide_broken_symptoms',`
+@@ -97,21 +110,16 @@ ifdef(`hide_broken_symptoms',`
  	mta_dontaudit_rw_queue(procmail_t)
  ')
  
@@ -53471,18 +53522,16 @@ index 29b9295..999b986 100644
  
  optional_policy(`
  	clamav_domtrans_clamscan(procmail_t)
-@@ -115,6 +118,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	gnome_manage_data(procmail_t)
+ 	clamav_search_lib(procmail_t)
++	cyrus_stream_connect(procmail_t)
 +')
 +
 +optional_policy(`
- 	munin_dontaudit_search_lib(procmail_t)
++	gnome_manage_data(procmail_t)
  ')
  
-@@ -125,6 +132,11 @@ optional_policy(`
+ optional_policy(`
+@@ -125,6 +133,11 @@ optional_policy(`
  	postfix_read_spool_files(procmail_t)
  	postfix_read_local_state(procmail_t)
  	postfix_read_master_state(procmail_t)
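Review bot: `cyrus_stream_connect(procmail_t)` is added inside the `optional_policy` block that holds the clamav rules (`clamav_domtrans_clamscan` and `clamav_search_lib` above it, closed by the `')` right after it), so the whole block is dropped whenever either the clamav or the cyrus module is not loaded, and procmail silently loses the other module's permissions. Every other block in this file holds one module's interfaces, and the gnome block added just below follows that convention. Move the call into its own block placed after the clamav one: ``optional_policy(` `` / `	cyrus_stream_connect(procmail_t)` / `')`.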
@@ -53859,7 +53908,7 @@ index 2855a44..58bb459 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..39d23dc 100644
+index 64c5f95..d70e965 100644
 --- a/policy/modules/services/puppet.te
 +++ b/policy/modules/services/puppet.te
 @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
@@ -54163,14 +54212,16 @@ index 64c5f95..39d23dc 100644
  
  corecmd_exec_bin(puppetmaster_t)
  corecmd_exec_shell(puppetmaster_t)
-@@ -206,21 +368,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
+@@ -205,22 +367,48 @@ corenet_tcp_sendrecv_generic_node(puppetmaster_t)
+ corenet_tcp_bind_generic_node(puppetmaster_t)
  corenet_tcp_bind_puppet_port(puppetmaster_t)
  corenet_sendrecv_puppet_server_packets(puppetmaster_t)
- 
++corenet_tcp_connect_ntop_port(puppetmaster_t)
++
 +# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
 +corenet_udp_bind_generic_node(puppetmaster_t)
 +corenet_udp_bind_generic_port(puppetmaster_t)
-+
+ 
  dev_read_rand(puppetmaster_t)
  dev_read_urand(puppetmaster_t)
 +dev_search_sysfs(puppetmaster_t)
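Review bot: `corenet_tcp_connect_ntop_port(puppetmaster_t)` is added without saying what puppetmaster talks to on that port, and the commit message does not mention it either; the neighbouring udp bind rules carry a `# This needs investigation` note, and this outbound connect deserves the same. A one-line comment naming the component or the report behind it — `# puppetmaster connects out to the ntop port; TODO: record which service/bug needs this` — lets a later reviewer decide whether the rule can go.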
@@ -54213,7 +54264,7 @@ index 64c5f95..39d23dc 100644
  optional_policy(`
  	hostname_exec(puppetmaster_t)
  ')
-@@ -231,3 +418,9 @@ optional_policy(`
+@@ -231,3 +419,9 @@ optional_policy(`
  	rpm_exec(puppetmaster_t)
  	rpm_read_db(puppetmaster_t)
  ')
@@ -56988,10 +57039,10 @@ index 0000000..6572600
 +')
 diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
 new file mode 100644
-index 0000000..4d1d0c7
+index 0000000..c0952a3
 --- /dev/null
 +++ b/policy/modules/services/rhsmcertd.te
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,65 @@
 +policy_module(rhsmcertd, 1.0.0)
 +
 +########################################
@@ -57038,14 +57089,18 @@ index 0000000..4d1d0c7
 +manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
 +manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
 +
++kernel_read_network_state(rhsmcertd_t)
 +kernel_read_system_state(rhsmcertd_t)
 +
++files_list_tmp(rhsmcertd_t)
++
 +corecmd_exec_bin(rhsmcertd_t)
 +
 +dev_read_urand(rhsmcertd_t)
 +
 +files_read_etc_files(rhsmcertd_t)
 +files_read_usr_files(rhsmcertd_t)
++files_manage_generic_locks(rhsmcertd_t)
 +
 +miscfiles_read_localization(rhsmcertd_t)
 +miscfiles_read_certs(rhsmcertd_t)
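Review bot: `files_manage_generic_locks(rhsmcertd_t)` lets the daemon create, overwrite and delete every lock file carrying the generic lock type, not just its own, so a bug in rhsmcertd could remove or clobber another service's lock. The usual refpolicy shape for a daemon is a private lock type with a file transition, so that only its own lock file is writable; the type name below is constructed to match the file's other `rhsmcertd_*_t` types. If the generic grant is deliberate because the lock path is not under rhsmcertd's control, a comment saying so above the line is the minimum. `files_list_tmp` and `kernel_read_network_state` look proportionate.
```m4
# … in the Declarations section, next to the other rhsmcertd types …
type rhsmcertd_lock_t;
files_lock_file(rhsmcertd_lock_t)

# … unchanged: var_run, kernel, corecmd and dev rules …
manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
```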
@@ -57836,7 +57891,7 @@ index cda37bb..617e83f 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..1896e20 100644
+index b1468ed..32dd23d 100644
 --- a/policy/modules/services/rpc.te
 +++ b/policy/modules/services/rpc.te
 @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -57994,7 +58049,7 @@ index b1468ed..1896e20 100644
  fs_list_rpc(gssd_t)
  fs_rw_rpc_sockets(gssd_t)
  fs_read_rpc_files(gssd_t)
-+fs_search_nfsd_fs(gssd_t)
++fs_read_nfsd_files(gssd_t)
  
  fs_list_inotifyfs(gssd_t)
  files_list_tmp(gssd_t)
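Review bot: `fs_read_nfsd_files(gssd_t)` replaces a search-only grant with read access to everything in the nfsd filesystem, and nothing in the hunk says why; the commit message ties it to rpc.svcgssd reading supported_krb5_enctype, which is the detail that belongs next to the rule. A comment such as `# rpc.svcgssd reads supported_krb5_enctype from the nfsd fs` above the line would keep the widening explainable. Whether rpc.svcgssd runs as gssd_t is not visible here, so I am assuming it does.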
@@ -58749,7 +58804,7 @@ index 82cb169..48c023e 100644
 +	samba_systemctl($1)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..5d2dfe7 100644
+index e30bb63..895d6c0 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
@@ -58797,7 +58852,15 @@ index e30bb63..5d2dfe7 100644
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
-@@ -263,7 +264,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -249,6 +250,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow smbd_t nmbd_t:process { signal signull };
+ 
+ allow smbd_t nmbd_var_run_t:file rw_file_perms;
++stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+ 
+ allow smbd_t samba_etc_t:file { rw_file_perms setattr };
+ 
+@@ -263,7 +265,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
  manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -58806,7 +58869,7 @@ index e30bb63..5d2dfe7 100644
  
  manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-@@ -279,7 +280,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+@@ -279,7 +281,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
  manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -58815,7 +58878,7 @@ index e30bb63..5d2dfe7 100644
  
  allow smbd_t swat_t:process signal;
  
-@@ -323,15 +324,18 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -323,15 +325,18 @@ dev_getattr_all_blk_files(smbd_t)
  dev_getattr_all_chr_files(smbd_t)
  
  fs_getattr_all_fs(smbd_t)
@@ -58834,7 +58897,7 @@ index e30bb63..5d2dfe7 100644
  
  domain_use_interactive_fds(smbd_t)
  domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -343,6 +347,7 @@ files_read_usr_files(smbd_t)
+@@ -343,6 +348,7 @@ files_read_usr_files(smbd_t)
  files_search_spool(smbd_t)
  # smbd seems to getattr all mountpoints
  files_dontaudit_getattr_all_dirs(smbd_t)
@@ -58842,7 +58905,7 @@ index e30bb63..5d2dfe7 100644
  # Allow samba to list mnt_t for potential mounted dirs
  files_list_mnt(smbd_t)
  
-@@ -385,12 +390,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -385,12 +391,7 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -58856,7 +58919,7 @@ index e30bb63..5d2dfe7 100644
  ')
  
  # Support Samba sharing of NFS mount points
-@@ -410,6 +410,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -410,6 +411,10 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -58867,7 +58930,7 @@ index e30bb63..5d2dfe7 100644
  
  optional_policy(`
  	cups_read_rw_config(smbd_t)
-@@ -445,26 +449,25 @@ optional_policy(`
+@@ -445,26 +450,25 @@ optional_policy(`
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -58901,7 +58964,7 @@ index e30bb63..5d2dfe7 100644
  ########################################
  #
  # nmbd Local policy
-@@ -484,8 +487,10 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +488,10 @@ allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
@@ -58913,7 +58976,7 @@ index e30bb63..5d2dfe7 100644
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -555,18 +560,21 @@ optional_policy(`
+@@ -555,18 +561,21 @@ optional_policy(`
  # smbcontrol local policy
  #
  
@@ -58939,7 +59002,7 @@ index e30bb63..5d2dfe7 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -574,11 +582,19 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -574,11 +583,19 @@ samba_read_winbind_pid(smbcontrol_t)
  
  domain_use_interactive_fds(smbcontrol_t)
  
@@ -58960,7 +59023,7 @@ index e30bb63..5d2dfe7 100644
  
  ########################################
  #
-@@ -644,19 +660,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +661,21 @@ auth_use_nsswitch(smbmount_t)
  
  miscfiles_read_localization(smbmount_t)
  
@@ -58985,7 +59048,7 @@ index e30bb63..5d2dfe7 100644
  ########################################
  #
  # SWAT Local policy
-@@ -677,7 +695,8 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +696,8 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -58995,7 +59058,7 @@ index e30bb63..5d2dfe7 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -692,12 +711,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +712,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -59010,7 +59073,7 @@ index e30bb63..5d2dfe7 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +731,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +732,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -59018,7 +59081,7 @@ index e30bb63..5d2dfe7 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -754,6 +776,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +777,8 @@ logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
  
@@ -59027,7 +59090,7 @@ index e30bb63..5d2dfe7 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -783,7 +807,7 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -783,7 +808,7 @@ allow winbind_t self:udp_socket create_socket_perms;
  
  allow winbind_t nmbd_t:process { signal signull };
  
@@ -59036,7 +59099,7 @@ index e30bb63..5d2dfe7 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -806,15 +830,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +831,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -59058,7 +59121,7 @@ index e30bb63..5d2dfe7 100644
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
  
-@@ -833,6 +858,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +859,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -59066,7 +59129,7 @@ index e30bb63..5d2dfe7 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -850,10 +876,14 @@ domain_use_interactive_fds(winbind_t)
+@@ -850,10 +877,14 @@ domain_use_interactive_fds(winbind_t)
  
  files_read_etc_files(winbind_t)
  files_read_usr_symlinks(winbind_t)
@@ -59081,7 +59144,7 @@ index e30bb63..5d2dfe7 100644
  
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_manage_user_home_content_dirs(winbind_t)
-@@ -863,6 +893,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
+@@ -863,6 +894,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
  userdom_manage_user_home_content_sockets(winbind_t)
  userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
  
@@ -59094,7 +59157,7 @@ index e30bb63..5d2dfe7 100644
  optional_policy(`
  	kerberos_use(winbind_t)
  ')
-@@ -904,7 +940,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +941,7 @@ logging_send_syslog_msg(winbind_helper_t)
  
  miscfiles_read_localization(winbind_helper_t) 
  
@@ -59103,7 +59166,7 @@ index e30bb63..5d2dfe7 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -922,6 +958,18 @@ optional_policy(`
+@@ -922,6 +959,18 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -59122,7 +59185,7 @@ index e30bb63..5d2dfe7 100644
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -932,9 +980,12 @@ optional_policy(`
+@@ -932,9 +981,12 @@ optional_policy(`
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -60332,7 +60395,7 @@ index 275f9fb..f1343b7 100644
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..1d22eed 100644
+index 3d8d1b3..73fdfdc 100644
 --- a/policy/modules/services/snmp.te
 +++ b/policy/modules/services/snmp.te
 @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@@ -60360,7 +60423,7 @@ index 3d8d1b3..1d22eed 100644
  allow snmpd_t self:tcp_socket create_stream_socket_perms;
  allow snmpd_t self:udp_socket connected_stream_socket_perms;
  
-@@ -41,18 +44,18 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+@@ -41,18 +44,19 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
  manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
  files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
  files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
@@ -60376,14 +60439,15 @@ index 3d8d1b3..1d22eed 100644
  kernel_read_kernel_sysctls(snmpd_t)
  kernel_read_fs_sysctls(snmpd_t)
  kernel_read_net_sysctls(snmpd_t)
- kernel_read_proc_symlinks(snmpd_t)
+-kernel_read_proc_symlinks(snmpd_t)
 -kernel_read_system_state(snmpd_t)
--kernel_read_network_state(snmpd_t)
+ kernel_read_network_state(snmpd_t)
++kernel_read_proc_symlinks(snmpd_t)
 +kernel_read_all_proc(snmpd_t)
  
  corecmd_exec_bin(snmpd_t)
  corecmd_exec_shell(snmpd_t)
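Review bot: `kernel_read_proc_symlinks(snmpd_t)` is removed on one line and re-added three lines later only to change its position, which turns a one-line policy change into three and obscures what actually changed (keeping `kernel_read_network_state`). Leaving the existing line where it was and adding just `+kernel_read_all_proc(snmpd_t)` below it would be the minimal inner diff. If `kernel_read_network_state` is what covers dev_snmp6 per the commit message, a comment next to it — `# snmpd reads dev_snmp6 under /proc/net` — would record why it survives alongside `kernel_read_all_proc`.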
-@@ -94,15 +97,19 @@ files_search_home(snmpd_t)
+@@ -94,15 +98,19 @@ files_search_home(snmpd_t)
  fs_getattr_all_dirs(snmpd_t)
  fs_getattr_all_fs(snmpd_t)
  fs_search_auto_mountpoints(snmpd_t)
@@ -60404,7 +60468,7 @@ index 3d8d1b3..1d22eed 100644
  
  logging_send_syslog_msg(snmpd_t)
  
-@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t)
+@@ -115,7 +123,7 @@ sysnet_read_config(snmpd_t)
  userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
  userdom_dontaudit_search_user_home_dirs(snmpd_t)
  
@@ -68616,7 +68680,7 @@ index 21ae664..3e448dd 100644
 +    manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
 +')
 diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
-index 9fb4747..6e2c42a 100644
+index 9fb4747..92c156b 100644
 --- a/policy/modules/services/zarafa.te
 +++ b/policy/modules/services/zarafa.te
 @@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
@@ -68630,16 +68694,7 @@ index 9fb4747..6e2c42a 100644
  zarafa_domain_template(monitor)
  zarafa_domain_template(server)
  
-@@ -41,6 +45,8 @@ manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t
- manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
- files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
- 
-+dev_read_rand(zarafa_deliver_t)
-+
- ########################################
- #
- # zarafa_gateway local policy
-@@ -57,6 +63,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+@@ -57,6 +61,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
  corenet_tcp_bind_generic_node(zarafa_gateway_t)
  corenet_tcp_bind_pop_port(zarafa_gateway_t)
  
@@ -68660,7 +68715,7 @@ index 9fb4747..6e2c42a 100644
  #######################################
  #
  # zarafa-ical local policy
-@@ -107,7 +127,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
+@@ -107,7 +125,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
  
  files_read_usr_files(zarafa_server_t)
  
@@ -68668,22 +68723,16 @@ index 9fb4747..6e2c42a 100644
  logging_send_audit_msgs(zarafa_server_t)
  
  sysnet_dns_name_resolve(zarafa_server_t)
-@@ -136,6 +155,36 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
- corenet_tcp_sendrecv_all_ports(zarafa_spooler_t)
- corenet_tcp_connect_smtp_port(zarafa_spooler_t)
+@@ -138,6 +155,32 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t)
  
-+dev_read_rand(zarafa_spooler_t)
-+
-+########################################
-+#
+ ########################################
+ #
 +# zarafa_gateway local policy
 +#
 +
 +allow zarafa_gateway_t self:capability { chown kill };
 +allow zarafa_gateway_t self:process setrlimit;
 +
-+dev_read_rand(zarafa_gateway_t)
-+
 +corenet_tcp_bind_pop_port(zarafa_gateway_t)
 +
 +#######################################
@@ -68702,10 +68751,19 @@ index 9fb4747..6e2c42a 100644
 +
 +allow zarafa_monitor_t self:capability chown;
 +
- ########################################
- #
++########################################
++#
  # zarafa domains local policy
-@@ -156,6 +205,6 @@ kernel_read_system_state(zarafa_domain)
+ #
+ 
+@@ -152,10 +195,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
+ 
+ read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
+ 
++dev_read_rand(zarafa_domain)
++dev_read_urand(zarafa_domain)
++
+ kernel_read_system_state(zarafa_domain)
  
  files_read_etc_files(zarafa_domain)
  
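Review bot: The `########################################` / `#` pair the hunk now inserts before `# zarafa domains local policy` restores the header structure, but the section this hunk opens under `# zarafa_gateway local policy` duplicates a section of the same name that already exists in the file (the earlier hunk headed by `corenet_tcp_bind_pop_port(zarafa_gateway_t)`), and that same rule appears again below the new header. Duplicate allow rules are harmless to the compiled policy, but merging the two gateway sections, or retitling this one for the capability and setrlimit rules it holds, would leave one place to look. Moving `dev_read_rand`/`dev_read_urand` onto `zarafa_domain` is the right consolidation, assuming every type produced by `zarafa_domain_template` carries that attribute.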
@@ -68782,6 +68840,478 @@ index ade6c2c..2b78f0d 100644
  manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
  manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
  logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
+diff --git a/policy/modules/services/zoneminder.fc b/policy/modules/services/zoneminder.fc
+new file mode 100644
+index 0000000..b74fadf
+--- /dev/null
++++ b/policy/modules/services/zoneminder.fc
+@@ -0,0 +1,12 @@
++
++/etc/rc\.d/init\.d/zoneminder	--	gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
++
++/usr/bin/zmpkg.pl		--	gen_context(system_u:object_r:zoneminder_exec_t,s0)
++
++/usr/libexec/zoneminder/cgi-bin(/.*)? 	gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0)
++
++/var/lib/zoneminder(/.*)?		gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
++
++/var/log/zoneminder(/.*)?		gen_context(system_u:object_r:zoneminder_log_t,s0)
++
++/var/spool/zoneminder-upload(/.*)?	gen_context(system_u:object_r:zoneminder_spool_t,s0)
+diff --git a/policy/modules/services/zoneminder.if b/policy/modules/services/zoneminder.if
+new file mode 100644
+index 0000000..aadeef3
+--- /dev/null
++++ b/policy/modules/services/zoneminder.if
+@@ -0,0 +1,320 @@
++
++## <summary>policy for zoneminder</summary>
++
++
++########################################
++## <summary>
++##	Transition to zoneminder.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`zoneminder_domtrans',`
++	gen_require(`
++		type zoneminder_t, zoneminder_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, zoneminder_exec_t, zoneminder_t)
++')
++
++
++########################################
++## <summary>
++##	Execute zoneminder server in the zoneminder domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`zoneminder_initrc_domtrans',`
++	gen_require(`
++		type zoneminder_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, zoneminder_initrc_exec_t)
++')
++
++
++########################################
++## <summary>
++##	Read zoneminder's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`zoneminder_read_log',`
++	gen_require(`
++		type zoneminder_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
++')
++
++########################################
++## <summary>
++##	Append to zoneminder log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`zoneminder_append_log',`
++	gen_require(`
++		type zoneminder_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
++')
++
++########################################
++## <summary>
++##	Manage zoneminder log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`zoneminder_manage_log',`
++	gen_require(`
++		type zoneminder_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, zoneminder_log_t, zoneminder_log_t)
++	manage_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
++	manage_lnk_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
++')
++
++########################################
++## <summary>
++##	Search zoneminder lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`zoneminder_search_lib',`
++	gen_require(`
++		type zoneminder_var_lib_t;
++	')
++
++	allow $1 zoneminder_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read zoneminder lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`zoneminder_read_lib_files',`
++	gen_require(`
++		type zoneminder_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage zoneminder lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`zoneminder_manage_lib_files',`
++	gen_require(`
++		type zoneminder_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage zoneminder lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`zoneminder_manage_lib_dirs',`
++	gen_require(`
++		type zoneminder_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
++')
++
++
++########################################
++## <summary>
++##	Search zoneminder spool directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`zoneminder_search_spool',`
++	gen_require(`
++		type zoneminder_spool_t;
++	')
++
++	allow $1 zoneminder_spool_t:dir search_dir_perms;
++	files_search_spool($1)
++')
++
++########################################
++## <summary>
++##	Read zoneminder spool files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`zoneminder_read_spool_files',`
++	gen_require(`
++		type zoneminder_spool_t;
++	')
++
++	files_search_spool($1)
++	read_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
++')
++
++########################################
++## <summary>
++##	Manage zoneminder spool files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`zoneminder_manage_spool_files',`
++	gen_require(`
++		type zoneminder_spool_t;
++	')
++
++	files_search_spool($1)
++	manage_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
++')
++
++########################################
++## <summary>
++##	Manage zoneminder spool dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`zoneminder_manage_spool_dirs',`
++	gen_require(`
++		type zoneminder_spool_t;
++	')
++
++	files_search_spool($1)
++	manage_dirs_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
++')
++
++########################################
++## <summary>
++##	Connect to zoneminder over an unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`zoneminder_stream_connect',`
++	gen_require(`
++		type zoneminder_t, zoneminder_var_lib_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t, zoneminder_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an zoneminder environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`zoneminder_admin',`
++	gen_require(`
++		type zoneminder_t;
++	type zoneminder_initrc_exec_t;
++	type zoneminder_log_t;
++	type zoneminder_var_lib_t;
++	type zoneminder_spool_t;
++	')
++
++	allow $1 zoneminder_t:process { ptrace signal_perms };
++	ps_process_pattern($1, zoneminder_t)
++
++	zoneminder_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 zoneminder_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	logging_search_logs($1)
++	admin_pattern($1, zoneminder_log_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, zoneminder_var_lib_t)
++
++	files_search_spool($1)
++	admin_pattern($1, zoneminder_spool_t)
++
++')
++
+diff --git a/policy/modules/services/zoneminder.te b/policy/modules/services/zoneminder.te
+new file mode 100644
+index 0000000..bcbe09f
+--- /dev/null
++++ b/policy/modules/services/zoneminder.te
+@@ -0,0 +1,122 @@
++policy_module(zoneminder, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++## <desc>
++## <p>
++## Allow ZoneMinder to modify public files
++## used for public file transfer services.
++## </p>
++## </desc>
++gen_tunable(zoneminder_anon_write, false)
++
++type zoneminder_t;
++type zoneminder_exec_t;
++init_daemon_domain(zoneminder_t, zoneminder_exec_t)
++
++type zoneminder_initrc_exec_t;
++init_script_file(zoneminder_initrc_exec_t)
++
++type zoneminder_log_t;
++logging_log_file(zoneminder_log_t)
++
++type zoneminder_tmpfs_t;
++files_tmpfs_file(zoneminder_tmpfs_t)
++
++type zoneminder_spool_t;
++files_type(zoneminder_spool_t)
++
++type zoneminder_var_lib_t;
++files_type(zoneminder_var_lib_t)
++
++type zoneminder_var_run_t;
++files_pid_file(zoneminder_var_run_t)
++
++########################################
++#
++# zoneminder local policy
++#
++allow zoneminder_t self:capability { chown dac_override };
++allow zoneminder_t self:process { signal_perms setpgid };
++allow zoneminder_t self:shm create_shm_perms;
++allow zoneminder_t self:fifo_file rw_fifo_file_perms;
++allow zoneminder_t self:unix_stream_socket { create_stream_socket_perms connectto };
++
++manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
++manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
++logging_log_filetrans(zoneminder_t, zoneminder_log_t, { dir file })
++
++manage_dirs_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++manage_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++manage_lnk_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++fs_tmpfs_filetrans(zoneminder_t, zoneminder_tmpfs_t, { dir file lnk_file })
++
++manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file sock_file })
++
++manage_dirs_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
++manage_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
++files_pid_filetrans(zoneminder_t, zoneminder_var_run_t, { dir file })
++
++manage_dirs_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
++manage_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
++manage_lnk_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
++files_spool_filetrans(zoneminder_t, zoneminder_spool_t, { dir file })
++
++kernel_read_system_state(zoneminder_t)
++
++corecmd_exec_bin(zoneminder_t)
++corecmd_exec_shell(zoneminder_t)
++
++dev_read_sysfs(zoneminder_t)
++dev_read_rand(zoneminder_t)
++dev_read_urand(zoneminder_t)
++dev_read_video_dev(zoneminder_t)
++
++domain_use_interactive_fds(zoneminder_t)
++
++files_read_etc_files(zoneminder_t)
++files_read_usr_files(zoneminder_t)
++
++auth_use_nsswitch(zoneminder_t)
++
++logging_send_syslog_msg(zoneminder_t)
++
++miscfiles_read_localization(zoneminder_t)
++
++tunable_policy(`zoneminder_anon_write',`
++	miscfiles_manage_public_files(zoneminder_t)
++')
++
++optional_policy(`
++	mysql_stream_connect(zoneminder_t)
++')
++
++########################################
++#
++# zoneminder cgi local policy
++#
++
++optional_policy(`
++	apache_content_template(zoneminder)
++
++	# need more testing
++	#allow httpd_zoneminder_script_t self:shm create_shm_perms;
++
++	manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++	zoneminder_stream_connect(httpd_zoneminder_script_t)
++	
++	files_search_var_lib(httpd_zoneminder_script_t)
++
++	logging_send_syslog_msg(httpd_zoneminder_script_t)
++
++	optional_policy(`
++	    	mysql_stream_connect(httpd_zoneminder_script_t)
++	')
++
++')
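Review bot: The capability grant `allow zoneminder_t self:capability { chown dac_override };` gives the daemon a blanket bypass of DAC permission bits on every file its type can otherwise reach, which is considerably broader than the per-type manage patterns declared right below it suggest it needs. If the requirement comes from a known path (for instance spool or var_lib files created under a different owner by the httpd CGI domain declared at the end of the hunk), a comment such as `# dac_override: <reason> — revisit once file ownership is fixed` next to the rule would let a later maintainer check whether correcting ownership allows it to be dropped; otherwise the usual way to confirm it is actually needed is to run the module permissive and look for the specific denial in the audit log. Separately, the inner `mysql_stream_connect(httpd_zoneminder_script_t)` line mixes spaces and tabs and the blank line after `zoneminder_stream_connect(httpd_zoneminder_script_t)` carries trailing whitespace, unlike the rest of the new file, which indents with a single tab.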
 diff --git a/policy/modules/services/zosremote.fc b/policy/modules/services/zosremote.fc
 index d719d0b..7a7fc61 100644
 --- a/policy/modules/services/zosremote.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fdee870..1983e28 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -16,7 +16,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 71%{?dist}
+Release: 72%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,16 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Jan 4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-72
+- New fix for seunshare, requires seunshare_domains to be able to mounton /
+- Allow systemctl running as logrotate_t to connect to private systemd socket
+- Allow tmpwatch to read meminfo
+- Allow rpc.svcgssd to read supported_krb5_enctype
+- Allow zarafa domains to read /dev/random and /dev/urandom
+- Allow snmpd to read dev_snmp6
+- Allow procmail to talk with cyrus
+- Add fixes for check_disk and check_nagios plugins
+
 * Tue Dec 20 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-71
 - default trans rules for Rawhide policy
 -  Make sure sound_devices controlC* are labeled correctly on creation

