[selinux-policy/f16] * Mon Jul 2 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-90 - Allow systemd-tmpfiles to delete boo
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Jul 2 08:04:31 UTC 2012
commit b89174f302383121467881cdb17a3bd837a3d2d4
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Jul 2 10:04:06 2012 +0200
* Mon Jul 2 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-90
- Allow systemd-tmpfiles to delete boot flags
- Add support for lightdm
- Allow certmonger to talk directly to Dogtag servers
- Change labeling for /var/lib/cobbler/webui_sessions to httpd_cobbler_rw_content_t
- rhsmcertd reads the rpm database
- Allow systemd-logind to kill all process with different MCS
- Allow apmd to create /var/run/pm-utils with the correct label
- Allow asterisk to read "unix"
- Allow sudodomain to read usr files
- Allow policykit_auth_t to read sysfs
- Dontaudit dhcpc to r/w networkmanger tmp files
- Add /var/run/cherokee\.pid labeling
- Allow postfix-master to r/w pipes other postfix domains
- Allow apps which search /tmp also to read tmp_t lnk_file
- Allow smbd to stream connect to nmbd
- Allow apm to request kernel module
- Fixes for cloudform services
- Allow polipo to work as web caching
policy-F16.patch | 328 +++++++++++++++++++++++++++++----------------------
selinux-policy.spec | 22 ++++-
2 files changed, 206 insertions(+), 144 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 5c712f7..7bfc69d 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -3984,7 +3984,7 @@ index 975af1a..f681195 100644
+ can_exec($1, sudo_exec_t)
+')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index 2731fa1..71bf5e8 100644
+index 2731fa1..29558ff 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -7,3 +7,112 @@ attribute sudodomain;
@@ -4039,7 +4039,7 @@ index 2731fa1..71bf5e8 100644
+files_read_etc_files(sudodomain)
+files_read_var_files(sudodomain)
+files_read_usr_symlinks(sudodomain)
-+files_getattr_usr_files(sudodomain)
++files_read_usr_files(sudodomain)
+# for some PAM modules and for cwd
+files_dontaudit_search_home(sudodomain)
+files_list_tmp(sudodomain)
@@ -17246,7 +17246,7 @@ index c19518a..12e8e9c 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..8e785c1 100644
+index ff006ea..c0f363c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -17685,7 +17685,7 @@ index ff006ea..8e785c1 100644
')
########################################
-@@ -3900,82 +4115,223 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,82 +4115,224 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -17947,6 +17947,7 @@ index ff006ea..8e785c1 100644
+ type tmp_t;
+ ')
+
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir search_dir_perms;
+')
+
@@ -17954,7 +17955,7 @@ index ff006ea..8e785c1 100644
## <summary>
## Do not audit attempts to search the tmp directory (/tmp).
## </summary>
-@@ -4017,7 +4373,7 @@ interface(`files_list_tmp',`
+@@ -4017,7 +4374,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -17963,7 +17964,7 @@ index ff006ea..8e785c1 100644
## </summary>
## </param>
#
-@@ -4029,6 +4385,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4386,24 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -17988,7 +17989,7 @@ index ff006ea..8e785c1 100644
########################################
## <summary>
## Remove entries from the tmp directory.
-@@ -4085,6 +4459,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4085,6 +4460,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -18021,7 +18022,7 @@ index ff006ea..8e785c1 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4139,6 +4539,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4139,6 +4540,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -18064,7 +18065,7 @@ index ff006ea..8e785c1 100644
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
-@@ -4202,7 +4638,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4202,7 +4639,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -18073,7 +18074,7 @@ index ff006ea..8e785c1 100644
## </summary>
## </param>
#
-@@ -4262,7 +4698,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4699,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -18082,7 +18083,7 @@ index ff006ea..8e785c1 100644
## </summary>
## </param>
#
-@@ -4318,7 +4754,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4755,7 @@ interface(`files_tmp_filetrans',`
type tmp_t;
')
@@ -18091,7 +18092,7 @@ index ff006ea..8e785c1 100644
')
########################################
-@@ -4342,6 +4778,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4779,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -18108,7 +18109,7 @@ index ff006ea..8e785c1 100644
')
########################################
-@@ -4681,7 +5127,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5128,7 @@ interface(`files_usr_filetrans',`
type usr_t;
')
@@ -18117,7 +18118,7 @@ index ff006ea..8e785c1 100644
')
########################################
-@@ -5084,7 +5530,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5531,7 @@ interface(`files_var_filetrans',`
type var_t;
')
@@ -18126,7 +18127,7 @@ index ff006ea..8e785c1 100644
')
########################################
-@@ -5219,7 +5665,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5666,7 @@ interface(`files_var_lib_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -18135,7 +18136,7 @@ index ff006ea..8e785c1 100644
')
########################################
-@@ -5259,6 +5705,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5259,6 +5706,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -18161,7 +18162,7 @@ index ff006ea..8e785c1 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5304,6 +5769,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5770,25 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -18187,7 +18188,7 @@ index ff006ea..8e785c1 100644
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
-@@ -5317,6 +5801,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5802,8 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -18196,7 +18197,7 @@ index ff006ea..8e785c1 100644
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5336,12 +5822,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5823,14 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
@@ -18212,7 +18213,7 @@ index ff006ea..8e785c1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5349,12 +5837,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5838,30 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -18245,7 +18246,7 @@ index ff006ea..8e785c1 100644
')
########################################
-@@ -5373,6 +5879,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5880,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -18253,7 +18254,7 @@ index ff006ea..8e785c1 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5385,7 +5892,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5893,6 @@ interface(`files_rw_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -18261,7 +18262,7 @@ index ff006ea..8e785c1 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5412,7 +5918,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5919,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -18270,7 +18271,7 @@ index ff006ea..8e785c1 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5428,12 +5934,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5935,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -18287,7 +18288,7 @@ index ff006ea..8e785c1 100644
')
########################################
-@@ -5452,7 +5958,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5959,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -18296,7 +18297,7 @@ index ff006ea..8e785c1 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5493,7 +5999,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +6000,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -18305,7 +18306,7 @@ index ff006ea..8e785c1 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +6021,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +6022,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -18314,7 +18315,7 @@ index ff006ea..8e785c1 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +6053,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +6054,8 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -18325,7 +18326,7 @@ index ff006ea..8e785c1 100644
')
########################################
-@@ -5608,6 +6114,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +6115,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -18369,7 +18370,7 @@ index ff006ea..8e785c1 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5629,16 +6172,35 @@ interface(`files_dontaudit_search_pids',`
+@@ -5629,12 +6173,31 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -18382,10 +18383,9 @@ index ff006ea..8e785c1 100644
## <summary>
-## Domain allowed access.
+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_list_pids',`
++## </summary>
++## </param>
++#
+interface(`files_dontaudit_search_all_pids',`
+ gen_require(`
+ attribute pidfile;
@@ -18402,14 +18402,10 @@ index ff006ea..8e785c1 100644
+## <param name="domain">
+## <summary>
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_list_pids',`
- gen_require(`
- type var_t, var_run_t;
- ')
-@@ -5736,7 +6298,7 @@ interface(`files_pid_filetrans',`
+ ## </summary>
+ ## </param>
+ #
+@@ -5736,7 +6299,7 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -18418,7 +18414,7 @@ index ff006ea..8e785c1 100644
')
########################################
-@@ -5815,6 +6377,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,6 +6378,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -18535,7 +18531,7 @@ index ff006ea..8e785c1 100644
## Read all process ID files.
## </summary>
## <param name="domain">
-@@ -5832,6 +6504,62 @@ interface(`files_read_all_pids',`
+@@ -5832,6 +6505,62 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -18598,7 +18594,7 @@ index ff006ea..8e785c1 100644
')
########################################
-@@ -5900,6 +6628,90 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5900,6 +6629,90 @@ interface(`files_delete_all_pid_dirs',`
########################################
## <summary>
@@ -18689,7 +18685,7 @@ index ff006ea..8e785c1 100644
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
-@@ -6042,7 +6854,7 @@ interface(`files_spool_filetrans',`
+@@ -6042,7 +6855,7 @@ interface(`files_spool_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -18698,7 +18694,7 @@ index ff006ea..8e785c1 100644
')
########################################
-@@ -6117,3 +6929,302 @@ interface(`files_unconfined',`
+@@ -6117,3 +6930,302 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -25465,7 +25461,7 @@ index deca9d3..ac92fce 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..9067769 100644
+index 9e39aa5..51593ea 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,21 +1,30 @@
@@ -25550,7 +25546,7 @@ index 9e39aa5..9067769 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,20 +87,27 @@ ifdef(`distro_suse', `
+@@ -73,26 +87,34 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -25580,7 +25576,14 @@ index 9e39aa5..9067769 100644
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -105,7 +126,30 @@ ifdef(`distro_debian', `
+ ')
+
+ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+@@ -105,7 +127,30 @@ ifdef(`distro_debian', `
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -27520,7 +27523,7 @@ index 1ea99b2..9427dd5 100644
+ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
')
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..7408dd1 100644
+index 1c8c27e..bd28312 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -27548,7 +27551,12 @@ index 1c8c27e..7408dd1 100644
allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -81,6 +83,8 @@ kernel_rw_all_sysctls(apmd_t)
+@@ -77,10 +79,13 @@ manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
+ files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
+
+ kernel_read_kernel_sysctls(apmd_t)
++kernel_request_load_module(apmd_t)
+ kernel_rw_all_sysctls(apmd_t)
kernel_read_system_state(apmd_t)
kernel_write_proc_files(apmd_t)
@@ -27557,7 +27565,7 @@ index 1c8c27e..7408dd1 100644
dev_read_realtime_clock(apmd_t)
dev_read_urand(apmd_t)
dev_rw_apm_bios(apmd_t)
-@@ -109,11 +113,14 @@ domain_dontaudit_list_all_domains_state(apmd_t) # Excessive?
+@@ -109,11 +114,14 @@ domain_dontaudit_list_all_domains_state(apmd_t) # Excessive?
files_exec_etc_files(apmd_t)
files_read_etc_runtime_files(apmd_t)
@@ -27572,7 +27580,7 @@ index 1c8c27e..7408dd1 100644
init_domtrans_script(apmd_t)
init_rw_utmp(apmd_t)
init_telinit(apmd_t)
-@@ -127,10 +134,8 @@ logging_send_audit_msgs(apmd_t)
+@@ -127,10 +135,8 @@ logging_send_audit_msgs(apmd_t)
miscfiles_read_localization(apmd_t)
miscfiles_read_hwdata(apmd_t)
@@ -27584,7 +27592,7 @@ index 1c8c27e..7408dd1 100644
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
userdom_dontaudit_search_user_home_dirs(apmd_t)
-@@ -142,9 +147,8 @@ ifdef(`distro_redhat',`
+@@ -142,9 +148,8 @@ ifdef(`distro_redhat',`
can_exec(apmd_t, apmd_var_run_t)
@@ -27595,7 +27603,7 @@ index 1c8c27e..7408dd1 100644
')
optional_policy(`
-@@ -155,6 +159,15 @@ ifdef(`distro_redhat',`
+@@ -155,6 +160,15 @@ ifdef(`distro_redhat',`
netutils_domtrans(apmd_t)
')
@@ -27611,7 +27619,7 @@ index 1c8c27e..7408dd1 100644
',`
# for ifconfig which is run all the time
kernel_dontaudit_search_sysctl(apmd_t)
-@@ -181,6 +194,12 @@ optional_policy(`
+@@ -181,6 +195,12 @@ optional_policy(`
')
optional_policy(`
@@ -27624,7 +27632,7 @@ index 1c8c27e..7408dd1 100644
dbus_system_bus_client(apmd_t)
optional_policy(`
-@@ -201,7 +220,8 @@ optional_policy(`
+@@ -201,7 +221,8 @@ optional_policy(`
')
optional_policy(`
@@ -27634,7 +27642,7 @@ index 1c8c27e..7408dd1 100644
')
optional_policy(`
-@@ -209,8 +229,9 @@ optional_policy(`
+@@ -209,8 +230,9 @@ optional_policy(`
pcmcia_domtrans_cardctl(apmd_t)
')
@@ -27645,7 +27653,7 @@ index 1c8c27e..7408dd1 100644
')
optional_policy(`
-@@ -219,10 +240,6 @@ optional_policy(`
+@@ -219,10 +241,6 @@ optional_policy(`
')
optional_policy(`
@@ -27698,7 +27706,7 @@ index 8b8143e..c1a2b96 100644
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
-index b3b0176..8e66610 100644
+index b3b0176..31e5976 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -19,10 +19,11 @@ type asterisk_log_t;
@@ -27725,7 +27733,7 @@ index b3b0176..8e66610 100644
allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
allow asterisk_t self:fifo_file rw_fifo_file_perms;
allow asterisk_t self:sem create_sem_perms;
-@@ -76,10 +77,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
+@@ -76,11 +77,13 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
@@ -27736,9 +27744,11 @@ index b3b0176..8e66610 100644
-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file })
++kernel_read_network_state(asterisk_t)
kernel_read_system_state(asterisk_t)
kernel_read_kernel_sysctls(asterisk_t)
-@@ -108,14 +110,19 @@ corenet_tcp_bind_generic_port(asterisk_t)
+ kernel_request_load_module(asterisk_t)
+@@ -108,14 +111,19 @@ corenet_tcp_bind_generic_port(asterisk_t)
corenet_udp_bind_generic_port(asterisk_t)
corenet_dontaudit_udp_bind_all_ports(asterisk_t)
corenet_sendrecv_generic_server_packets(asterisk_t)
@@ -27758,7 +27768,7 @@ index b3b0176..8e66610 100644
dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
-@@ -125,6 +132,7 @@ files_search_spool(asterisk_t)
+@@ -125,6 +133,7 @@ files_search_spool(asterisk_t)
# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
# are labeled usr_t
files_read_usr_files(asterisk_t)
@@ -27766,7 +27776,7 @@ index b3b0176..8e66610 100644
fs_getattr_all_fs(asterisk_t)
fs_list_inotifyfs(asterisk_t)
-@@ -141,6 +149,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+@@ -141,6 +150,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
optional_policy(`
@@ -29744,7 +29754,7 @@ index 7a6e5ba..d664be8 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index c3e3f79..3e78d4e 100644
+index c3e3f79..b37a5a2 100644
--- a/policy/modules/services/certmonger.te
+++ b/policy/modules/services/certmonger.te
@@ -23,7 +23,8 @@ files_type(certmonger_var_lib_t)
@@ -29757,7 +29767,7 @@ index c3e3f79..3e78d4e 100644
allow certmonger_t self:process { getsched setsched sigkill };
allow certmonger_t self:fifo_file rw_file_perms;
allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
-@@ -32,16 +33,19 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -32,16 +33,20 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
@@ -29775,10 +29785,11 @@ index c3e3f79..3e78d4e 100644
corenet_tcp_sendrecv_all_ports(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t)
+corenet_tcp_connect_http_port(certmonger_t)
++corenet_tcp_connect_pki_ca_port(certmonger_t)
dev_read_urand(certmonger_t)
-@@ -51,6 +55,8 @@ files_read_etc_files(certmonger_t)
+@@ -51,6 +56,8 @@ files_read_etc_files(certmonger_t)
files_read_usr_files(certmonger_t)
files_list_tmp(certmonger_t)
@@ -29787,7 +29798,7 @@ index c3e3f79..3e78d4e 100644
logging_send_syslog_msg(certmonger_t)
miscfiles_read_localization(certmonger_t)
-@@ -58,15 +64,32 @@ miscfiles_manage_generic_cert_files(certmonger_t)
+@@ -58,15 +65,32 @@ miscfiles_manage_generic_cert_files(certmonger_t)
sysnet_dns_name_resolve(certmonger_t)
@@ -30793,10 +30804,10 @@ index 6077339..d10acd2 100644
dev_manage_generic_blk_files(clogd_t)
diff --git a/policy/modules/services/cloudform.fc b/policy/modules/services/cloudform.fc
new file mode 100644
-index 0000000..f2968f8
+index 0000000..3fe384f
--- /dev/null
+++ b/policy/modules/services/cloudform.fc
-@@ -0,0 +1,23 @@
+@@ -0,0 +1,22 @@
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+
@@ -30813,8 +30824,7 @@ index 0000000..f2968f8
+/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
+/var/log/iwhd\.log -- gen_context(system_u:object_r:iwhd_log_t,s0)
+/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
-+
-+
++/var/log/thin\.log -- gen_context(system_u:object_r:thin_log_t,s0)
+
+/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
@@ -30868,10 +30878,10 @@ index 0000000..6451167
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
-index 0000000..e22a32e
+index 0000000..a861db8
--- /dev/null
+++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,228 @@
+@@ -0,0 +1,238 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -30885,6 +30895,9 @@ index 0000000..e22a32e
+cloudform_domain_template(mongod)
+cloudform_domain_template(thin)
+
++type thin_log_t;
++logging_log_file(thin_log_t)
++
+type deltacloudd_log_t;
+logging_log_file(deltacloudd_log_t)
+
@@ -30932,6 +30945,9 @@ index 0000000..e22a32e
+allow cloudform_domain self:fifo_file rw_fifo_file_perms;
+allow cloudform_domain self:tcp_socket create_stream_socket_perms;
+
++kernel_read_system_state(cloudform_domain)
++
++dev_read_rand(cloudform_domain)
+dev_read_urand(cloudform_domain)
+
+files_read_etc_files(cloudform_domain)
@@ -31078,6 +31094,10 @@ index 0000000..e22a32e
+allow thin_t self:udp_socket create_socket_perms;
+allow thin_t self:unix_stream_socket create_stream_socket_perms;
+
++manage_files_pattern(thin_t, thin_log_t, thin_log_t)
++manage_dirs_pattern(thin_t, thin_log_t, thin_log_t)
++logging_log_filetrans(thin_t, thin_log_t, { file dir })
++
+manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
+files_pid_filetrans(thin_t, thin_var_run_t, { file })
+
@@ -31130,10 +31150,10 @@ index f8463c0..bed51fb 100644
fs_search_tmpfs($1)
')
diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
-index 1cf6c4e..e4bac67 100644
+index 1cf6c4e..c4656c6 100644
--- a/policy/modules/services/cobbler.fc
+++ b/policy/modules/services/cobbler.fc
-@@ -1,7 +1,33 @@
+@@ -1,7 +1,35 @@
-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
@@ -31146,6 +31166,8 @@ index 1cf6c4e..e4bac67 100644
+
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
++/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_cobbler_rw_content_t,s0)
++
+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
@@ -35347,7 +35369,7 @@ index 418a5a0..c25fbdc 100644
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..7315b40 100644
+index f706b99..3c1627a 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
@@ -35496,7 +35518,7 @@ index f706b99..7315b40 100644
########################################
## <summary>
## Read devicekit PID files.
-@@ -139,22 +252,92 @@ interface(`devicekit_read_pid_files',`
+@@ -139,22 +252,93 @@ interface(`devicekit_read_pid_files',`
########################################
## <summary>
@@ -35539,6 +35561,7 @@ index f706b99..7315b40 100644
+ files_search_pids($1)
+ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
++ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
+')
+
+#######################################
@@ -35595,7 +35618,7 @@ index f706b99..7315b40 100644
## </summary>
## </param>
## <rolecap/>
-@@ -165,21 +348,41 @@ interface(`devicekit_admin',`
+@@ -165,21 +349,41 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
@@ -51136,7 +51159,7 @@ index 48ff1e8..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
-index 1e7169d..e3d4700 100644
+index 1e7169d..05cfcc0 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -5,47 +5,69 @@ policy_module(policykit, 1.1.0)
@@ -51221,7 +51244,7 @@ index 1e7169d..e3d4700 100644
rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
policykit_domtrans_resolve(policykit_t)
-@@ -56,56 +78,101 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+@@ -56,56 +78,102 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
@@ -51307,6 +51330,7 @@ index 1e7169d..e3d4700 100644
+kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
+
+dev_read_video_dev(policykit_auth_t)
++dev_read_sysfs(policykit_auth_t)
files_read_etc_files(policykit_auth_t)
files_read_usr_files(policykit_auth_t)
@@ -51335,7 +51359,7 @@ index 1e7169d..e3d4700 100644
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -118,14 +185,21 @@ optional_policy(`
+@@ -118,14 +186,21 @@ optional_policy(`
hal_read_state(policykit_auth_t)
')
@@ -51359,7 +51383,7 @@ index 1e7169d..e3d4700 100644
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -148,16 +222,15 @@ files_read_usr_files(policykit_grant_t)
+@@ -148,16 +223,15 @@ files_read_usr_files(policykit_grant_t)
auth_use_nsswitch(policykit_grant_t)
auth_domtrans_chk_passwd(policykit_grant_t)
@@ -51380,7 +51404,7 @@ index 1e7169d..e3d4700 100644
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -168,8 +241,7 @@ optional_policy(`
+@@ -168,8 +242,7 @@ optional_policy(`
#
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
@@ -51390,7 +51414,7 @@ index 1e7169d..e3d4700 100644
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
-@@ -189,10 +261,6 @@ mcs_ptrace_all(policykit_resolve_t)
+@@ -189,10 +262,6 @@ mcs_ptrace_all(policykit_resolve_t)
auth_use_nsswitch(policykit_resolve_t)
@@ -51401,7 +51425,7 @@ index 1e7169d..e3d4700 100644
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
-@@ -207,4 +275,3 @@ optional_policy(`
+@@ -207,4 +276,3 @@ optional_policy(`
kernel_search_proc(policykit_resolve_t)
hal_read_state(policykit_resolve_t)
')
@@ -51619,10 +51643,10 @@ index 0000000..b11f37a
+')
diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
new file mode 100644
-index 0000000..299b3ed
+index 0000000..4a1b887
--- /dev/null
+++ b/policy/modules/services/polipo.te
-@@ -0,0 +1,172 @@
+@@ -0,0 +1,173 @@
+policy_module(polipo, 1.0.0)
+
+########################################
@@ -51725,6 +51749,7 @@ index 0000000..299b3ed
+corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
+corenet_tcp_bind_http_cache_port(polipo_daemon)
+corenet_sendrecv_http_cache_server_packets(polipo_daemon)
++corenet_tcp_connect_http_port(polipo_daemon)
+
+files_read_usr_files(polipo_daemon)
+
@@ -52320,7 +52345,7 @@ index 46bee12..76b68b5 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..90db1ee 100644
+index a32c4b3..6550576 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -52606,12 +52631,13 @@ index a32c4b3..90db1ee 100644
')
optional_policy(`
-@@ -436,11 +498,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +498,18 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
+# Might be a leak, but I need a postfix expert to explain
+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
++allow postfix_postdrop_t postfix_master_t:fifo_file { read write };
+
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
@@ -52624,7 +52650,7 @@ index a32c4b3..90db1ee 100644
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-@@ -487,8 +555,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +556,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
@@ -52635,7 +52661,7 @@ index a32c4b3..90db1ee 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +587,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +588,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -52648,7 +52674,7 @@ index a32c4b3..90db1ee 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +611,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +612,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -52659,7 +52685,7 @@ index a32c4b3..90db1ee 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +632,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +633,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -52668,7 +52694,7 @@ index a32c4b3..90db1ee 100644
files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
-@@ -565,6 +641,14 @@ optional_policy(`
+@@ -565,6 +642,14 @@ optional_policy(`
')
optional_policy(`
@@ -52683,7 +52709,7 @@ index a32c4b3..90db1ee 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -581,17 +665,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +666,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
# for prng_exch
@@ -52710,7 +52736,7 @@ index a32c4b3..90db1ee 100644
')
optional_policy(`
-@@ -599,6 +691,11 @@ optional_policy(`
+@@ -599,6 +692,11 @@ optional_policy(`
')
optional_policy(`
@@ -52722,7 +52748,7 @@ index a32c4b3..90db1ee 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +708,6 @@ optional_policy(`
+@@ -611,7 +709,6 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -52730,7 +52756,7 @@ index a32c4b3..90db1ee 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +726,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +727,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -57037,7 +57063,7 @@ index 0000000..811c52e
+
diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
new file mode 100644
-index 0000000..8d25cc5
+index 0000000..0a36c2b
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.te
@@ -0,0 +1,67 @@
@@ -57105,9 +57131,9 @@ index 0000000..8d25cc5
+miscfiles_read_localization(rhsmcertd_t)
+miscfiles_read_certs(rhsmcertd_t)
+
-+optional_policy(`
-+ sysnet_dns_name_resolve(rhsmcertd_t)
-+')
++sysnet_dns_name_resolve(rhsmcertd_t)
++
++rpm_read_db(rhsmcertd_t)
diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc
index 5b08327..ed5dc05 100644
--- a/policy/modules/services/ricci.fc
@@ -58743,7 +58769,7 @@ index 82cb169..f9c229f 100644
+ samba_systemctl($1)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..76f4f25 100644
+index e30bb63..fa11366 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
@@ -58791,7 +58817,15 @@ index e30bb63..76f4f25 100644
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
-@@ -263,7 +264,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -249,6 +250,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow smbd_t nmbd_t:process { signal signull };
+
+ allow smbd_t nmbd_var_run_t:file rw_file_perms;
++stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+
+ allow smbd_t samba_etc_t:file { rw_file_perms setattr };
+
+@@ -263,7 +265,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -58800,7 +58834,7 @@ index e30bb63..76f4f25 100644
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-@@ -279,7 +280,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+@@ -279,7 +281,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -58809,7 +58843,7 @@ index e30bb63..76f4f25 100644
allow smbd_t swat_t:process signal;
-@@ -323,15 +324,18 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -323,15 +325,18 @@ dev_getattr_all_blk_files(smbd_t)
dev_getattr_all_chr_files(smbd_t)
fs_getattr_all_fs(smbd_t)
@@ -58828,7 +58862,7 @@ index e30bb63..76f4f25 100644
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -343,6 +347,7 @@ files_read_usr_files(smbd_t)
+@@ -343,6 +348,7 @@ files_read_usr_files(smbd_t)
files_search_spool(smbd_t)
# smbd seems to getattr all mountpoints
files_dontaudit_getattr_all_dirs(smbd_t)
@@ -58836,7 +58870,7 @@ index e30bb63..76f4f25 100644
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
-@@ -385,12 +390,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -385,12 +391,7 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@@ -58850,7 +58884,7 @@ index e30bb63..76f4f25 100644
')
# Support Samba sharing of NFS mount points
-@@ -410,6 +410,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -410,6 +411,10 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
@@ -58861,7 +58895,7 @@ index e30bb63..76f4f25 100644
optional_policy(`
cups_read_rw_config(smbd_t)
-@@ -445,26 +449,25 @@ optional_policy(`
+@@ -445,26 +450,25 @@ optional_policy(`
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
@@ -58895,7 +58929,7 @@ index e30bb63..76f4f25 100644
########################################
#
# nmbd Local policy
-@@ -484,8 +487,10 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +488,10 @@ allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -58907,7 +58941,7 @@ index e30bb63..76f4f25 100644
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -555,18 +560,20 @@ optional_policy(`
+@@ -555,18 +561,20 @@ optional_policy(`
# smbcontrol local policy
#
@@ -58932,7 +58966,7 @@ index e30bb63..76f4f25 100644
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -574,11 +581,19 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -574,11 +582,19 @@ samba_read_winbind_pid(smbcontrol_t)
domain_use_interactive_fds(smbcontrol_t)
@@ -58953,7 +58987,7 @@ index e30bb63..76f4f25 100644
########################################
#
-@@ -644,19 +659,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +660,21 @@ auth_use_nsswitch(smbmount_t)
miscfiles_read_localization(smbmount_t)
@@ -58978,7 +59012,7 @@ index e30bb63..76f4f25 100644
########################################
#
# SWAT Local policy
-@@ -677,7 +694,8 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +695,8 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
@@ -58988,7 +59022,7 @@ index e30bb63..76f4f25 100644
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -692,12 +710,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +711,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -59003,7 +59037,7 @@ index e30bb63..76f4f25 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +730,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +731,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -59011,7 +59045,7 @@ index e30bb63..76f4f25 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -754,6 +775,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +776,8 @@ logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -59020,7 +59054,7 @@ index e30bb63..76f4f25 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -783,7 +806,7 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -783,7 +807,7 @@ allow winbind_t self:udp_socket create_socket_perms;
allow winbind_t nmbd_t:process { signal signull };
@@ -59029,7 +59063,7 @@ index e30bb63..76f4f25 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -806,15 +829,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +830,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -59051,7 +59085,7 @@ index e30bb63..76f4f25 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +857,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +858,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -59059,7 +59093,7 @@ index e30bb63..76f4f25 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -850,10 +875,14 @@ domain_use_interactive_fds(winbind_t)
+@@ -850,10 +876,14 @@ domain_use_interactive_fds(winbind_t)
files_read_etc_files(winbind_t)
files_read_usr_symlinks(winbind_t)
@@ -59074,7 +59108,7 @@ index e30bb63..76f4f25 100644
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
-@@ -863,6 +892,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
+@@ -863,6 +893,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
userdom_manage_user_home_content_sockets(winbind_t)
userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
@@ -59087,7 +59121,7 @@ index e30bb63..76f4f25 100644
optional_policy(`
kerberos_use(winbind_t)
')
-@@ -904,7 +939,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +940,7 @@ logging_send_syslog_msg(winbind_helper_t)
miscfiles_read_localization(winbind_helper_t)
@@ -59096,7 +59130,7 @@ index e30bb63..76f4f25 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -922,6 +957,18 @@ optional_policy(`
+@@ -922,6 +958,18 @@ optional_policy(`
#
optional_policy(`
@@ -59115,7 +59149,7 @@ index e30bb63..76f4f25 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +979,12 @@ optional_policy(`
+@@ -932,9 +980,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -65813,7 +65847,7 @@ index aa6e5a8..42a0efb 100644
########################################
## <summary>
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 4966c94..cb2e1a3 100644
+index 4966c94..b66ffd9 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,34 @@
@@ -65872,7 +65906,7 @@ index 4966c94..cb2e1a3 100644
#
# /opt
#
-@@ -48,28 +66,30 @@ ifdef(`distro_redhat',`
+@@ -48,28 +66,31 @@ ifdef(`distro_redhat',`
# /tmp
#
@@ -65890,6 +65924,7 @@ index 4966c94..cb2e1a3 100644
#
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/(s)?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -65909,7 +65944,7 @@ index 4966c94..cb2e1a3 100644
/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-@@ -90,17 +110,44 @@ ifdef(`distro_debian', `
+@@ -90,17 +111,47 @@ ifdef(`distro_debian', `
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
@@ -65920,11 +65955,13 @@ index 4966c94..cb2e1a3 100644
+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
+
+/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/(l)?xdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
@@ -65938,6 +65975,7 @@ index 4966c94..cb2e1a3 100644
+/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -76565,7 +76603,7 @@ index ff80d0a..be800df 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..249c952 100644
+index 34d0ec5..32209aa 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -76712,7 +76750,7 @@ index 34d0ec5..249c952 100644
')
optional_policy(`
-@@ -192,17 +224,31 @@ optional_policy(`
+@@ -192,17 +224,32 @@ optional_policy(`
')
optional_policy(`
@@ -76723,6 +76761,7 @@ index 34d0ec5..249c952 100644
+ networkmanager_domtrans(dhcpc_t)
+ networkmanager_read_pid_files(dhcpc_t)
+ networkmanager_read_lib_files(dhcpc_t)
++ networkmanager_dontaudit_rw_tmp_files(dhcpc_t)
+')
+
+optional_policy(`
@@ -76744,7 +76783,7 @@ index 34d0ec5..249c952 100644
')
optional_policy(`
-@@ -213,6 +259,11 @@ optional_policy(`
+@@ -213,6 +260,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -76756,7 +76795,7 @@ index 34d0ec5..249c952 100644
')
optional_policy(`
-@@ -255,6 +306,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -255,6 +307,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -76764,7 +76803,7 @@ index 34d0ec5..249c952 100644
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,8 +328,11 @@ dev_read_urand(ifconfig_t)
+@@ -276,8 +329,11 @@ dev_read_urand(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
@@ -76776,7 +76815,7 @@ index 34d0ec5..249c952 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -301,11 +356,12 @@ logging_send_syslog_msg(ifconfig_t)
+@@ -301,11 +357,12 @@ logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
@@ -76791,7 +76830,7 @@ index 34d0ec5..249c952 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -314,7 +370,22 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +371,22 @@ ifdef(`distro_ubuntu',`
')
')
@@ -76814,7 +76853,7 @@ index 34d0ec5..249c952 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -325,8 +396,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +397,14 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -76829,7 +76868,7 @@ index 34d0ec5..249c952 100644
')
optional_policy(`
-@@ -335,6 +412,22 @@ optional_policy(`
+@@ -335,6 +413,22 @@ optional_policy(`
')
optional_policy(`
@@ -76852,7 +76891,7 @@ index 34d0ec5..249c952 100644
nis_use_ypbind(ifconfig_t)
')
-@@ -356,3 +449,9 @@ optional_policy(`
+@@ -356,3 +450,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -77418,10 +77457,10 @@ index 0000000..d77929b
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..af1e889
+index 0000000..aa4826d
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,394 @@
+@@ -0,0 +1,397 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -77518,6 +77557,8 @@ index 0000000..af1e889
+# write getattr open setattr
+fs_manage_cgroup_files(systemd_logind_t)
+
++mcs_killall(systemd_logind_t)
++
+storage_setattr_removable_dev(systemd_logind_t)
+storage_setattr_scsi_generic_dev(systemd_logind_t)
+
@@ -77655,6 +77696,7 @@ index 0000000..af1e889
+files_manage_all_locks(systemd_tmpfiles_t)
+files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
++files_delete_boot_flag(systemd_tmpfiles_t)
+files_delete_all_non_security_files(systemd_tmpfiles_t)
+files_delete_all_pid_sockets(systemd_tmpfiles_t)
+files_delete_all_pid_pipes(systemd_tmpfiles_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e0291d1..63e2ba6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 89%{?dist}
+Release: 90%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,26 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Jul 2 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-90
+- Allow systemd-tmpfiles to delete boot flags
+- Add support for lightdm
+- Allow certmonger to talk directly to Dogtag servers
+- Change labeling for /var/lib/cobbler/webui_sessions to httpd_cobbler_rw_content_t
+- rhsmcertd reads the rpm database
+- Allow systemd-logind to kill all process with different MCS
+- Allow apmd to create /var/run/pm-utils with the correct label
+- Allow asterisk to read "unix"
+- Allow sudodomain to read usr files
+- Allow policykit_auth_t to read sysfs
+- Dontaudit dhcpc to r/w networkmanger tmp files
+- Add /var/run/cherokee\.pid labeling
+- Allow postfix-master to r/w pipes other postfix domains
+- Allow apps which search /tmp also to read tmp_t lnk_file
+- Allow smbd to stream connect to nmbd
+- Allow apm to request kernel module
+- Fixes for cloudform services
+- Allow polipo to work as web caching
+
* Tue Jun 12 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-89
- Allow systemd to read tmp_t link files
- Backport ABRT policy from F17
More information about the scm-commits
mailing list