[selinux-policy] +- Add realmd and stapserver policies +- Allow useradd to manage stap-server lib files +- Tighten up

Miroslav Grepl mgrepl at fedoraproject.org
Sun Jul 15 22:03:36 UTC 2012


commit 3da13de0318a6d6addffc12537776768c89050d5
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Jul 16 00:03:02 2012 +0200

    +- Add realmd and stapserver policies
    +- Allow useradd to manage stap-server lib files
    +- Tighten up capabilities for confined users
    +- Label /etc/security/opasswd as shadow_t
    +- Add label for /dev/ecryptfs
    +- Allow condor_startd_t to start sshd with the ranged
    +- Allow lpstat.cups to read fips_enabled file
    +- Allow pyzor running as spamc_t to create /root/.pyzor directory
    +- Add labeling for amavisd-snmp init script
    +- Add support for amavisd-snmp
    +- Allow fprintd sigkill self
    +- Allow xend (w/o libvirt) to start virtual machines
    +- Allow aiccu to read /etc/passwd
    +- Allow condor_startd to make specified domain MCS trusted for setting any category set fo
    +- Add condor_startd_ranged_domtrans_to() interface
    +- Add ssd_conf_t for /etc/sssd
    +- accountsd needs to fchown some files/directories
    +- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content
    +- SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works
    +- Allow xend_t to read the /etc/passwd file
     Please enter the commit message for your changes. Lines starting
     with '#' will be ignored, and an empty message aborts the commit.
     On branch master
     Changes to be committed:
       (use "git reset HEAD <file>..." to unstage)
    
    	modified:   policy-rawhide.patch
    	modified:   policy_contrib-rawhide.patch
    	modified:   selinux-policy.spec

 policy-rawhide.patch         |  444 ++++++++++++++-----------
 policy_contrib-rawhide.patch |  761 ++++++++++++++++++++++++++++++++++++++----
 selinux-policy.spec          |   24 ++-
 3 files changed, 962 insertions(+), 267 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 7f547f8..0f15e94 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -59605,7 +59605,7 @@ index 98b8b2d..da75471 100644
  
  ########################################
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 81b6608..527c7bb 100644
+index 81b6608..c8252ac 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -5,18 +5,18 @@ policy_module(usermanage, 1.17.3)
@@ -60000,10 +60000,10 @@ index 81b6608..527c7bb 100644
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
 -userdom_manage_user_home_dirs(useradd_t)
- userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_home_filetrans_user_home_dir(useradd_t)
 -userdom_manage_user_home_content_dirs(useradd_t)
 -userdom_manage_user_home_content_files(useradd_t)
--userdom_home_filetrans_user_home_dir(useradd_t)
+ userdom_home_filetrans_user_home_dir(useradd_t)
 -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
 +userdom_manage_home_role(system_r, useradd_t)
 +userdom_delete_all_user_home_content(useradd_t)
@@ -60043,6 +60043,14 @@ index 81b6608..527c7bb 100644
  	tunable_policy(`samba_domain_controller',`
  		samba_append_log(useradd_t)
  	')
+@@ -559,3 +610,7 @@ optional_policy(`
+ 	rpm_use_fds(useradd_t)
+ 	rpm_rw_pipes(useradd_t)
+ ')
++
++optional_policy(`
++	stapserver_manage_lib(useradd_t)
++')
 diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
 index 1dc7a85..a01511f 100644
 --- a/policy/modules/apps/seunshare.if
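Review bot: the new `stapserver_manage_lib(useradd_t)` block appended to usermanage.te calls an interface from the stapserver module that this commit adds in policy_contrib-rawhide.patch, which is not part of this excerpt; the `optional_policy` wrapper keeps the build from failing when that module is missing, but the rule is then silently dropped, so the usermanage change only does anything if the contrib module ships in the same build. Manage rights (create, write, delete over dirs and files) are the widest of the usual interface families; if the contrib module offers a narrower interface for what useradd has to touch under the stap-server lib directory, prefer that here.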
@@ -62392,10 +62400,10 @@ index 3f6e168..51ad69a 100644
  ')
  
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 02b7ac1..67183c5 100644
+index 02b7ac1..82666ab 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
-@@ -15,12 +15,14 @@
+@@ -15,14 +15,17 @@
  /dev/atibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/autofs.*		-c	gen_context(system_u:object_r:autofs_device_t,s0)
@@ -62410,8 +62418,11 @@ index 02b7ac1..67183c5 100644
 +/dev/dmfm.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
++/dev/ecryptfs		-c	gen_context(system_u:object_r:ecryptfs_device_t,mls_systemhigh)
  /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
-@@ -57,8 +59,10 @@
+ /dev/elographics/e2201	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/em8300.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+@@ -57,8 +60,10 @@
  /dev/lirc[0-9]+		-c	gen_context(system_u:object_r:lirc_device_t,s0)
  /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
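Review bot: the new `/dev/ecryptfs` entry in devices.fc is labelled at `mls_systemhigh`, the same level this file gives `/dev/mem` and `/dev/mergemem`, so on an MLS policy only domains running at system high can open the node. The only consumer this patch adds is the `dev_rw_ecryptfs` interface further down in devices.if, and nothing in this diff calls it, so the intended caller and its MLS range should be checked before the label ships.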
@@ -62422,7 +62433,7 @@ index 02b7ac1..67183c5 100644
  /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/mergemem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/mga_vid.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -126,12 +130,14 @@ ifdef(`distro_suse', `
+@@ -126,12 +131,14 @@ ifdef(`distro_suse', `
  /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/watchdog		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -62437,7 +62448,7 @@ index 02b7ac1..67183c5 100644
  /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
  
-@@ -195,12 +201,22 @@ ifdef(`distro_debian',`
+@@ -195,12 +202,22 @@ ifdef(`distro_debian',`
  /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
  
@@ -62463,7 +62474,7 @@ index 02b7ac1..67183c5 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index d820975..e236661 100644
+index d820975..21a21e4 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -62777,7 +62788,32 @@ index d820975..e236661 100644
  ##	Get the attributes of the CPU
  ##	microcode and id interfaces.
  ## </summary>
-@@ -2383,7 +2549,97 @@ interface(`dev_filetrans_lirc',`
+@@ -1772,6 +1938,24 @@ interface(`dev_rw_crypto',`
+ 	rw_chr_files_pattern($1, device_t, crypt_device_t)
+ ')
+ 
++########################################
++## <summary>
++##	Read and write the the ecrypt filesystem device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_ecryptfs',`
++	gen_require(`
++		type device_t, ecryptfs_device_t;
++	')
++
++	rw_chr_files_pattern($1, device_t, ecryptfs_device_t)
++')
++
+ #######################################
+ ## <summary>
+ ##	Set the attributes of the dlm control devices.
+@@ -2383,7 +2567,97 @@ interface(`dev_filetrans_lirc',`
  
  ########################################
  ## <summary>
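Review bot: the summary of the new `dev_rw_ecryptfs` interface reads `Read and write the the ecrypt filesystem device.`; drop the duplicated `the` and name the node (`/dev/ecryptfs`) the way the neighbouring summaries in this file do. The interface only covers read/write; if a caller merely needs to see that the node exists, a `dev_getattr_ecryptfs` counterpart would follow the getattr/rw pairing the surrounding device interfaces use.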
@@ -62876,7 +62912,7 @@ index d820975..e236661 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2706,7 +2962,7 @@ interface(`dev_write_misc',`
+@@ -2706,7 +2980,7 @@ interface(`dev_write_misc',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -62885,7 +62921,7 @@ index d820975..e236661 100644
  ##	</summary>
  ## </param>
  #
-@@ -2956,8 +3212,8 @@ interface(`dev_dontaudit_write_mtrr',`
+@@ -2956,8 +3230,8 @@ interface(`dev_dontaudit_write_mtrr',`
  		type mtrr_device_t;
  	')
  
@@ -62896,7 +62932,7 @@ index d820975..e236661 100644
  ')
  
  ########################################
-@@ -3235,7 +3491,7 @@ interface(`dev_rw_printer',`
+@@ -3235,7 +3509,7 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
@@ -62905,7 +62941,7 @@ index d820975..e236661 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3243,12 +3499,31 @@ interface(`dev_rw_printer',`
+@@ -3243,12 +3517,31 @@ interface(`dev_rw_printer',`
  ##	</summary>
  ## </param>
  #
@@ -62940,7 +62976,7 @@ index d820975..e236661 100644
  ')
  
  ########################################
-@@ -3836,6 +4111,42 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3836,6 +4129,42 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -62983,7 +63019,7 @@ index d820975..e236661 100644
  ##	Search the sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3885,6 +4196,7 @@ interface(`dev_list_sysfs',`
+@@ -3885,6 +4214,7 @@ interface(`dev_list_sysfs',`
  		type sysfs_t;
  	')
  
@@ -62991,7 +63027,7 @@ index d820975..e236661 100644
  	list_dirs_pattern($1, sysfs_t, sysfs_t)
  ')
  
-@@ -3927,23 +4239,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3927,23 +4257,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -63045,7 +63081,7 @@ index d820975..e236661 100644
  ########################################
  ## <summary>
  ##	Read hardware state information.
-@@ -3997,6 +4335,62 @@ interface(`dev_rw_sysfs',`
+@@ -3997,6 +4353,62 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -63108,7 +63144,7 @@ index d820975..e236661 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -4094,6 +4488,25 @@ interface(`dev_write_urand',`
+@@ -4094,6 +4506,25 @@ interface(`dev_write_urand',`
  
  ########################################
  ## <summary>
@@ -63134,7 +63170,7 @@ index d820975..e236661 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4128,6 +4541,24 @@ interface(`dev_setattr_generic_usb_dev',`
+@@ -4128,6 +4559,24 @@ interface(`dev_setattr_generic_usb_dev',`
  	setattr_chr_files_pattern($1, device_t, usb_device_t)
  ')
  
@@ -63159,7 +63195,7 @@ index d820975..e236661 100644
  ########################################
  ## <summary>
  ##	Read generic the USB devices.
-@@ -4520,6 +4951,24 @@ interface(`dev_rw_vhost',`
+@@ -4520,6 +4969,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -63184,7 +63220,7 @@ index d820975..e236661 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4725,6 +5174,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4725,6 +5192,26 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -63211,7 +63247,7 @@ index d820975..e236661 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4814,3 +5283,861 @@ interface(`dev_unconfined',`
+@@ -4814,3 +5301,863 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -63348,6 +63384,7 @@ index d820975..e236661 100644
 +	type zero_device_t;
 +	type smartcard_device_t;
 +	type mtrr_device_t;
++	type ecryptfs_device_t;
 +')
 +
 +	dev_filetrans_printer_named_dev($1)
@@ -63413,6 +63450,7 @@ index d820975..e236661 100644
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio7")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio8")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio9")
++	filetrans_pattern($1, device_t, ecryptfs_device_t, chr_file, "ecryptfs")
 +	filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs0")
 +	filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs1")
 +	filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs2")
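Review bot: the added `filetrans_pattern($1, device_t, ecryptfs_device_t, chr_file, "ecryptfs")` keeps the named transition in step with the devices.fc entry, but a type transition only sets the type: on an MLS policy a node created through it gets the creating domain's level, not the `mls_systemhigh` that devices.fc assigns, so the context matches the file context only after a relabel. Worth a comment for anyone testing the device under MLS.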
@@ -64074,7 +64112,7 @@ index d820975..e236661 100644
 +	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +')
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 74894d7..b570097 100644
+index 74894d7..94d5f10 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
 @@ -20,6 +20,7 @@ files_mountpoint(device_t)
@@ -64085,7 +64123,17 @@ index 74894d7..b570097 100644
  
  #
  # Type for /dev/agpgart
-@@ -108,6 +109,7 @@ dev_node(ksm_device_t)
+@@ -62,6 +63,9 @@ dev_node(cpu_device_t)
+ type crash_device_t;
+ dev_node(crash_device_t)
+ 
++type ecryptfs_device_t;
++dev_node(ecryptfs_device_t)
++
+ # for the IBM zSeries z90crypt hardware ssl accelorator
+ type crypt_device_t;
+ dev_node(crypt_device_t)
+@@ -108,6 +112,7 @@ dev_node(ksm_device_t)
  #
  type kvm_device_t;
  dev_node(kvm_device_t)
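Review bot: the new `type ecryptfs_device_t;` / `dev_node(ecryptfs_device_t)` pair in devices.te has no header comment, while the neighbouring declarations say which node they cover (for example the `# for the IBM zSeries z90crypt ...` note above `crypt_device_t`); add a `# Type for /dev/ecryptfs` line to match. It is also inserted between `crash_device_t` and `crypt_device_t`, which breaks the alphabetical order the file otherwise keeps; it belongs after `crypt_device_t`.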
@@ -64093,7 +64141,7 @@ index 74894d7..b570097 100644
  
  #
  # Type for /dev/lirc
-@@ -118,6 +120,12 @@ dev_node(lirc_device_t)
+@@ -118,6 +123,12 @@ dev_node(lirc_device_t)
  #
  # Type for /dev/mapper/control
  #
@@ -64106,7 +64154,7 @@ index 74894d7..b570097 100644
  type lvm_control_t;
  dev_node(lvm_control_t)
  
-@@ -218,6 +226,10 @@ files_mountpoint(sysfs_t)
+@@ -218,6 +229,10 @@ files_mountpoint(sysfs_t)
  fs_type(sysfs_t)
  genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
  
@@ -64117,7 +64165,7 @@ index 74894d7..b570097 100644
  #
  # Type for /dev/tpm
  #
-@@ -265,6 +277,7 @@ dev_node(v4l_device_t)
+@@ -265,6 +280,7 @@ dev_node(v4l_device_t)
  #
  type vhost_device_t;
  dev_node(vhost_device_t)
@@ -64125,7 +64173,7 @@ index 74894d7..b570097 100644
  
  # Type for vmware devices.
  type vmware_device_t;
-@@ -310,5 +323,5 @@ files_associate_tmp(device_node)
+@@ -310,5 +326,5 @@ files_associate_tmp(device_node)
  #
  
  allow devices_unconfined_type self:capability sys_rawio;
@@ -72859,7 +72907,7 @@ index fe0c682..93ec53f 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index b17e27a..9dbbafe 100644
+index b17e27a..89d7bf8 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0)
@@ -73008,7 +73056,7 @@ index b17e27a..9dbbafe 100644
  dev_read_urand(ssh_t)
  
  fs_getattr_all_fs(ssh_t)
-@@ -157,37 +176,36 @@ logging_read_generic_logs(ssh_t)
+@@ -157,37 +176,42 @@ logging_read_generic_logs(ssh_t)
  auth_use_nsswitch(ssh_t)
  
  miscfiles_read_localization(ssh_t)
@@ -73058,12 +73106,18 @@ index b17e27a..9dbbafe 100644
 +	corenet_tcp_bind_all_unreserved_ports(ssh_t)
 +')
 +
++ifdef(`enable_mcs',`
++    optional_policy(`
++        condor_startd_ranged_domtrans_to(sshd_t, sshd_exec_t, mcs_systemlow - mcs_systemhigh)
++    ')
++')
++
 +optional_policy(`
 +	gnome_stream_connect_gkeyringd(ssh_t)
  ')
  
  optional_policy(`
-@@ -195,28 +213,24 @@ optional_policy(`
+@@ -195,28 +219,24 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -73096,7 +73150,7 @@ index b17e27a..9dbbafe 100644
  #################################
  #
  # sshd local policy
-@@ -227,33 +241,46 @@ optional_policy(`
+@@ -227,33 +247,46 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -73152,7 +73206,7 @@ index b17e27a..9dbbafe 100644
  ')
  
  optional_policy(`
-@@ -261,11 +288,24 @@ optional_policy(`
+@@ -261,11 +294,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73178,7 +73232,7 @@ index b17e27a..9dbbafe 100644
  ')
  
  optional_policy(`
-@@ -283,6 +323,15 @@ optional_policy(`
+@@ -283,6 +329,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73194,7 +73248,7 @@ index b17e27a..9dbbafe 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -290,6 +339,29 @@ optional_policy(`
+@@ -290,6 +345,29 @@ optional_policy(`
  	xserver_domtrans_xauth(sshd_t)
  ')
  
@@ -73224,7 +73278,7 @@ index b17e27a..9dbbafe 100644
  ########################################
  #
  # ssh_keygen local policy
-@@ -298,19 +370,26 @@ optional_policy(`
+@@ -298,19 +376,26 @@ optional_policy(`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -73252,7 +73306,7 @@ index b17e27a..9dbbafe 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -327,9 +406,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -327,9 +412,11 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -73266,7 +73320,7 @@ index b17e27a..9dbbafe 100644
  ')
  
  optional_policy(`
-@@ -339,3 +420,83 @@ optional_policy(`
+@@ -339,3 +426,83 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -75978,7 +76032,7 @@ index c4f7c35..06c447c 100644
 +	unconfined_domain(xdm_unconfined_t)
 +')
 diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
-index 1b6619e..232be41 100644
+index 1b6619e..219acba 100644
 --- a/policy/modules/system/application.if
 +++ b/policy/modules/system/application.if
 @@ -43,6 +43,27 @@ interface(`application_executable_file',`
@@ -76009,7 +76063,15 @@ index 1b6619e..232be41 100644
  ########################################
  ## <summary>
  ## Execute application executables in the caller domain.
-@@ -189,6 +210,24 @@ interface(`application_dontaudit_signal',`
+@@ -76,7 +97,6 @@ interface(`application_exec_all',`
+ 	corecmd_dontaudit_exec_all_executables($1)
+ 	corecmd_exec_bin($1)
+ 	corecmd_exec_shell($1)
+-	corecmd_exec_chroot($1)
+ 
+ 	application_exec($1)
+ ')
+@@ -189,6 +209,24 @@ interface(`application_dontaudit_signal',`
  
  ########################################
  ## <summary>
@@ -76034,7 +76096,7 @@ index 1b6619e..232be41 100644
  ##	Do not audit attempts to send kill signals
  ##	to all application domains.
  ## </summary>
-@@ -205,3 +244,21 @@ interface(`application_dontaudit_sigkill',`
+@@ -205,3 +243,21 @@ interface(`application_dontaudit_sigkill',`
  
  	dontaudit $1 application_domain_type:process sigkill;
  ')
@@ -76090,7 +76152,7 @@ index c6fdab7..32f45fa 100644
  	cron_sigchld(application_domain_type)
  ')
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..82def3d 100644
+index 28ad538..47fdb65 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
 @@ -1,3 +1,7 @@
@@ -76101,12 +76163,14 @@ index 28ad538..82def3d 100644
  
  /bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)
  
-@@ -5,7 +9,12 @@
+@@ -5,7 +9,14 @@
  /etc/group\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/gshadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
 +/etc/passwd\.adjunct.*	--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
++/etc/security/opasswd	--	gen_context(system_u:object_r:shadow_t,s0)
++/etc/security/opasswd\.old	--	gen_context(system_u:object_r:shadow_t,s0)
 +/etc/passwd[-\+]?	--	gen_context(system_u:object_r:passwd_file_t,s0)
 +/etc/passwd\.OLD	--	gen_context(system_u:object_r:passwd_file_t,s0)
 +/etc/ptmptmp		--	gen_context(system_u:object_r:passwd_file_t,s0)
@@ -76114,7 +76178,7 @@ index 28ad538..82def3d 100644
  
  /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
  /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
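Review bot: the two new authlogin.fc entries `/etc/security/opasswd` and `/etc/security/opasswd\.old` could be a single pattern, `/etc/security/opasswd(\.old)?`, in the style of the `/etc/shadow.*` and `/etc/gshadow.*` lines just above. The choice of shadow_t is right: opasswd is where pam_unix/pam_pwhistory keep old password hashes for reuse checks, so it needs the same protection as /etc/shadow rather than whatever generic type the /etc/security directory would otherwise give it.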
-@@ -16,13 +25,22 @@ ifdef(`distro_suse', `
+@@ -16,13 +27,22 @@ ifdef(`distro_suse', `
  /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
  ')
  
@@ -76139,7 +76203,7 @@ index 28ad538..82def3d 100644
  
  /var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
  
-@@ -30,6 +48,8 @@ ifdef(`distro_gentoo', `
+@@ -30,6 +50,8 @@ ifdef(`distro_gentoo', `
  
  /var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
@@ -76148,7 +76212,7 @@ index 28ad538..82def3d 100644
  
  /var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
  /var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
-@@ -39,11 +59,13 @@ ifdef(`distro_gentoo', `
+@@ -39,11 +61,13 @@ ifdef(`distro_gentoo', `
  /var/log/tallylog	--	gen_context(system_u:object_r:faillog_t,s0)
  /var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
  
@@ -87635,7 +87699,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..18fff60 100644
+index e720dcd..bb468a3 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -87651,7 +87715,7 @@ index e720dcd..18fff60 100644
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
  	domain_user_exemption_target($1_t)
-@@ -44,79 +46,134 @@ template(`userdom_base_user_template',`
+@@ -44,79 +46,132 @@ template(`userdom_base_user_template',`
  	term_user_pty($1_t, user_devpts_t)
  
  	term_user_tty($1_t, user_tty_device_t)
@@ -87794,8 +87858,6 @@ index e720dcd..18fff60 100644
  
 -	libs_exec_ld_so($1_t)
 +	libs_exec_ld_so($1_usertype)
-+
-+	logging_send_audit_msgs($1_t)
  
  	miscfiles_read_localization($1_t)
  	miscfiles_read_generic_certs($1_t)
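Review bot: this hunk drops the `logging_send_audit_msgs($1_t)` call that the previous revision added to `userdom_base_user_template`, taking audit_write and the audit netlink socket away from every domain built on the base template; the same call is also removed from the common-user and restricted-xwindows templates further down in this patch. That is the right direction for confined users, since audit_write lets a process write its own records into the audit trail, but this excerpt shows no place where privileged user domains get it back; confirm that sysadm-style roles still obtain it from their own policy, otherwise tools that log through the audit socket will start failing with AVC denials.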
@@ -87837,7 +87899,7 @@ index e720dcd..18fff60 100644
  ')
  
  #######################################
-@@ -150,6 +207,8 @@ interface(`userdom_ro_home_role',`
+@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',`
  		type user_home_t, user_home_dir_t;
  	')
  
@@ -87846,7 +87908,7 @@ index e720dcd..18fff60 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -167,27 +226,6 @@ interface(`userdom_ro_home_role',`
+@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',`
  	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
  	files_list_home($2)
  
@@ -87874,7 +87936,7 @@ index e720dcd..18fff60 100644
  ')
  
  #######################################
-@@ -219,8 +257,11 @@ interface(`userdom_ro_home_role',`
+@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',`
  interface(`userdom_manage_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -87886,7 +87948,7 @@ index e720dcd..18fff60 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -229,43 +270,47 @@ interface(`userdom_manage_home_role',`
+@@ -229,43 +268,47 @@ interface(`userdom_manage_home_role',`
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
  
  	# full control of the home directory
@@ -87950,7 +88012,7 @@ index e720dcd..18fff60 100644
  	')
  ')
  
-@@ -273,6 +318,25 @@ interface(`userdom_manage_home_role',`
+@@ -273,6 +316,25 @@ interface(`userdom_manage_home_role',`
  ## <summary>
  ##	Manage user temporary files
  ## </summary>
@@ -87976,7 +88038,7 @@ index e720dcd..18fff60 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -287,17 +351,64 @@ interface(`userdom_manage_home_role',`
+@@ -287,17 +349,64 @@ interface(`userdom_manage_home_role',`
  #
  interface(`userdom_manage_tmp_role',`
  	gen_require(`
@@ -88046,7 +88108,7 @@ index e720dcd..18fff60 100644
  ')
  
  #######################################
-@@ -317,6 +428,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -317,6 +426,7 @@ interface(`userdom_exec_user_tmp_files',`
  	')
  
  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -88054,7 +88116,7 @@ index e720dcd..18fff60 100644
  	files_search_tmp($1)
  ')
  
-@@ -348,59 +460,62 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -348,59 +458,62 @@ interface(`userdom_exec_user_tmp_files',`
  #
  interface(`userdom_manage_tmpfs_role',`
  	gen_require(`
@@ -88149,7 +88211,7 @@ index e720dcd..18fff60 100644
  ')
  
  #######################################
-@@ -431,6 +546,7 @@ template(`userdom_xwindows_client_template',`
+@@ -431,6 +544,7 @@ template(`userdom_xwindows_client_template',`
  	dev_dontaudit_rw_dri($1_t)
  	# GNOME checks for usb and other devices:
  	dev_rw_usbfs($1_t)
@@ -88157,7 +88219,7 @@ index e720dcd..18fff60 100644
  
  	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
  	xserver_xsession_entry_type($1_t)
-@@ -463,8 +579,8 @@ template(`userdom_change_password_template',`
+@@ -463,8 +577,8 @@ template(`userdom_change_password_template',`
  	')
  
  	optional_policy(`
@@ -88168,7 +88230,7 @@ index e720dcd..18fff60 100644
  	')
  ')
  
-@@ -491,7 +607,7 @@ template(`userdom_common_user_template',`
+@@ -491,7 +605,7 @@ template(`userdom_common_user_template',`
  		attribute unpriv_userdomain;
  	')
  
@@ -88177,7 +88239,7 @@ index e720dcd..18fff60 100644
  
  	##############################
  	#
-@@ -501,73 +617,83 @@ template(`userdom_common_user_template',`
+@@ -501,73 +615,83 @@ template(`userdom_common_user_template',`
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -88248,7 +88310,7 @@ index e720dcd..18fff60 100644
  
 -	fs_rw_cgroup_files($1_t)
 +	logging_send_syslog_msg($1_usertype)
-+	logging_send_audit_msgs($1_usertype)
++
 +	selinux_get_enforce_mode($1_usertype)
  
  	# cjp: some of this probably can be removed
@@ -88303,7 +88365,7 @@ index e720dcd..18fff60 100644
  	')
  
  	tunable_policy(`user_ttyfile_stat',`
-@@ -575,71 +701,117 @@ template(`userdom_common_user_template',`
+@@ -575,71 +699,117 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -88318,19 +88380,19 @@ index e720dcd..18fff60 100644
 -		# Allow graphical boot to check battery lifespan
 -		apm_stream_connect($1_t)
 +		canna_stream_connect($1_usertype)
++	')
++
++	optional_policy(`
++		chrome_role($1_r, $1_usertype)
  	')
  
  	optional_policy(`
 -		canna_stream_connect($1_t)
-+		chrome_role($1_r, $1_usertype)
++		colord_read_lib_files($1_usertype)
  	')
  
  	optional_policy(`
 -		dbus_system_bus_client($1_t)
-+		colord_read_lib_files($1_usertype)
-+	')
-+
-+	optional_policy(`
 +		dbus_system_bus_client($1_usertype)
 +
 +		allow $1_usertype $1_usertype:dbus  send_msg;
@@ -88404,23 +88466,23 @@ index e720dcd..18fff60 100644
 +	optional_policy(`
 +		inetd_use_fds($1_usertype)
 +		inetd_rw_tcp_sockets($1_usertype)
++	')
++
++	optional_policy(`
++		inn_read_config($1_usertype)
++		inn_read_news_lib($1_usertype)
++		inn_read_news_spool($1_usertype)
  	')
  
  	optional_policy(`
 -		inn_read_config($1_t)
 -		inn_read_news_lib($1_t)
 -		inn_read_news_spool($1_t)
-+		inn_read_config($1_usertype)
-+		inn_read_news_lib($1_usertype)
-+		inn_read_news_spool($1_usertype)
++		lircd_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		locate_read_lib_files($1_t)
-+		lircd_stream_connect($1_usertype)
-+	')
-+
-+	optional_policy(`
 +		locate_read_lib_files($1_usertype)
  	')
  
@@ -88443,7 +88505,7 @@ index e720dcd..18fff60 100644
  			mysql_stream_connect($1_t)
  		')
  	')
-@@ -651,40 +823,52 @@ template(`userdom_common_user_template',`
+@@ -651,40 +821,52 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -88480,35 +88542,35 @@ index e720dcd..18fff60 100644
 +
 +	optional_policy(`
 +		rpcbind_stream_connect($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_t)
 -		rpc_manage_nfs_rw_content($1_t)
-+		sandbox_transition($1_usertype, $1_r)
++		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		seunshare_role_template($1, $1_r, $1_t)
++		sandbox_transition($1_usertype, $1_r)
  	')
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		slrnpull_search_spool($1_usertype)
++		seunshare_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		usernetctl_run($1_t, $1_r)
++		slrnpull_search_spool($1_usertype)
++	')
++
++	optional_policy(`
 +		thumb_role($1_r, $1_usertype)
  	')
  ')
  
-@@ -709,17 +893,33 @@ template(`userdom_common_user_template',`
+@@ -709,17 +891,33 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -88519,11 +88581,11 @@ index e720dcd..18fff60 100644
  
 -	userdom_manage_home_role($1_r, $1_t)
 +	typeattribute $1_t login_userdomain;
++
++	userdom_manage_home_role($1_r, $1_usertype)
  
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
-+	userdom_manage_home_role($1_r, $1_usertype)
-+
 +	userdom_manage_tmp_role($1_r, $1_usertype)
 +	userdom_manage_tmpfs_role($1_r, $1_usertype)
 +
@@ -88547,20 +88609,19 @@ index e720dcd..18fff60 100644
  
  	userdom_change_password_template($1)
  
-@@ -728,81 +928,98 @@ template(`userdom_login_user_template', `
+@@ -727,82 +925,95 @@ template(`userdom_login_user_template', `
+ 	#
  	# User domain Local policy
  	#
- 
+-
 -	allow $1_t self:capability { setgid chown fowner };
-+	allow $1_t self:capability { setgid setuid chown fowner };
-+	allow $1_t self:process setcurrent;
-+	domain_dyntrans_type($1_t)
  	dontaudit $1_t self:capability { sys_nice fsetid };
- 
+-
 -	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
 +	allow $1_t self:process ~{ ptrace setrlimit execmem execstack execheap };
  	dontaudit $1_t self:process setrlimit;
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
++	domain_dyntrans_type($1_t)
  
  	allow $1_t self:context contains;
  
@@ -88632,56 +88693,56 @@ index e720dcd..18fff60 100644
 -	miscfiles_exec_tetex_data($1_t)
 +	miscfiles_read_tetex_data($1_usertype)
 +	miscfiles_exec_tetex_data($1_usertype)
- 
--	seutil_read_config($1_t)
++
 +	seutil_read_config($1_usertype)
 +	seutil_read_file_contexts($1_usertype)
 +	seutil_read_default_contexts($1_usertype)
 +	seutil_exec_setfiles($1_usertype)
++
++	optional_policy(`
++		cups_read_config($1_usertype)
++		cups_stream_connect($1_usertype)
++		cups_stream_connect_ptal($1_usertype)
++	')
+ 
+-	seutil_read_config($1_t)
++	optional_policy(`
++		kerberos_use($1_usertype)
++		kerberos_filetrans_home_content($1_usertype)
++	')
  
  	optional_policy(`
 -		cups_read_config($1_t)
 -		cups_stream_connect($1_t)
 -		cups_stream_connect_ptal($1_t)
-+		cups_read_config($1_usertype)
-+		cups_stream_connect($1_usertype)
-+		cups_stream_connect_ptal($1_usertype)
++		mysql_filetrans_named_content($1_usertype)
  	')
  
  	optional_policy(`
 -		kerberos_use($1_t)
-+		kerberos_use($1_usertype)
-+		kerberos_filetrans_home_content($1_usertype)
++		mta_dontaudit_read_spool_symlinks($1_usertype)
  	')
  
  	optional_policy(`
 -		mta_dontaudit_read_spool_symlinks($1_t)
-+		mysql_filetrans_named_content($1_usertype)
++		quota_dontaudit_getattr_db($1_usertype)
  	')
  
  	optional_policy(`
 -		quota_dontaudit_getattr_db($1_t)
-+		mta_dontaudit_read_spool_symlinks($1_usertype)
++		rpm_read_db($1_usertype)
++		rpm_dontaudit_manage_db($1_usertype)
++		rpm_read_cache($1_usertype)
  	')
  
  	optional_policy(`
 -		rpm_read_db($1_t)
 -		rpm_dontaudit_manage_db($1_t)
-+		quota_dontaudit_getattr_db($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		rpm_read_db($1_usertype)
-+		rpm_dontaudit_manage_db($1_usertype)
-+		rpm_read_cache($1_usertype)
-+	')
-+
-+	optional_policy(`
 +		oddjob_run_mkhomedir($1_t, $1_r)
  	')
  ')
  
-@@ -834,6 +1051,12 @@ template(`userdom_restricted_user_template',`
+@@ -834,6 +1045,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
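Review bot: nearly every changed line in this hunk is a re-pairing of optional_policy blocks that already existed in the previous revision of the patch (cups, kerberos, mysql, mta, quota and rpm are each dropped from one position and re-added a few lines earlier), so the real delta to userdom_common_user_template cannot be read off the diff; regenerating the inner patch so the blocks keep their original order, or splitting the reorder from the substantive change, would make it reviewable. The following inner header also moves from `+1051,12` to `+1045,12`, i.e. six fewer lines end up in the patched template than before, and the commit log does not say what was dropped. Note as well that `seutil_exec_setfiles($1_usertype)` and `seutil_read_file_contexts($1_usertype)` now apply to every type carrying the user's usertype attribute rather than to `$1_t` alone, while `oddjob_run_mkhomedir($1_t, $1_r)` stays on `$1_t`; that widening deserves a line in the log.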
@@ -88694,7 +88755,7 @@ index e720dcd..18fff60 100644
  	##############################
  	#
  	# Local policy
-@@ -874,46 +1097,115 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,46 +1091,114 @@ template(`userdom_restricted_xwindows_user_template',`
  	# Local policy
  	#
  
@@ -88734,7 +88795,7 @@ index e720dcd..18fff60 100644
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
- 	logging_send_audit_msgs($1_t)
+-	logging_send_audit_msgs($1_t)
  	selinux_get_enforce_mode($1_t)
 +	seutil_exec_restorecond($1_t)
 +	seutil_read_file_contexts($1_t)
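Review bot: `logging_send_audit_msgs($1_t)` is removed from userdom_restricted_xwindows_user_template, but the comment that justified it ("Need to to this just so screensaver will work. Should be moved to screensaver domain") is kept and now describes nothing; drop the comment in the same hunk or replace it with a note on why the screensaver no longer needs audit messages from the user domain. Taking audit-message sending away from a restricted desktop user fits the "Tighten up capabilities for confined users" log entry, but the practical effect is that a remaining attempt is covered only by the `logging_dontaudit_send_audit_msgs($1_t)` line above, so it is silently denied rather than logged; if the screensaver still tries, that is the denial nobody will see.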
@@ -88823,7 +88884,7 @@ index e720dcd..18fff60 100644
  	')
  ')
  
-@@ -948,7 +1240,7 @@ template(`userdom_unpriv_user_template', `
+@@ -948,21 +1233,27 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -88832,8 +88893,12 @@ index e720dcd..18fff60 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -957,12 +1249,15 @@ template(`userdom_unpriv_user_template', `
  	#
+ 	# Local policy
+ 	#
++	allow $1_t self:capability { setgid chown fowner };
++
++	corecmd_exec_chroot($1_t)
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
 -	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
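Review bot: `allow $1_t self:capability { setgid chown fowner };` and `corecmd_exec_chroot($1_t)` are added to userdom_unpriv_user_template without a comment, and they widen rather than tighten every unprivileged user domain (staff_t, user_t and the other consumers of the template), which sits oddly next to the "Tighten up capabilities for confined users" entry in the log. For a process that already holds them under DAC (a root shell in one of these domains), fowner bypasses the owner check on operations such as chmod and utime for any file the domain can reach, chown lets it reassign ownership, and chroot is now executable in the user domain itself; each grant should carry a one-line justification naming the program that triggered the denial so a later audit can decide whether it is still needed, and the capability set is a candidate for a tunable or for the domain of the tool that actually needs it.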
@@ -88850,7 +88915,7 @@ index e720dcd..18fff60 100644
  	files_read_kernel_symbol_table($1_t)
  
  	ifndef(`enable_mls',`
-@@ -979,23 +1274,60 @@ template(`userdom_unpriv_user_template', `
+@@ -979,23 +1270,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -88920,7 +88985,7 @@ index e720dcd..18fff60 100644
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1004,7 +1336,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1004,7 +1332,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -88931,7 +88996,7 @@ index e720dcd..18fff60 100644
  	')
  ')
  
-@@ -1040,7 +1374,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1040,7 +1370,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -88940,7 +89005,7 @@ index e720dcd..18fff60 100644
  	')
  
  	##############################
-@@ -1067,6 +1401,7 @@ template(`userdom_admin_user_template',`
+@@ -1067,6 +1397,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -88948,7 +89013,7 @@ index e720dcd..18fff60 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1075,6 +1410,9 @@ template(`userdom_admin_user_template',`
+@@ -1075,6 +1406,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -88958,7 +89023,7 @@ index e720dcd..18fff60 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1089,6 +1427,7 @@ template(`userdom_admin_user_template',`
+@@ -1089,6 +1423,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -88966,7 +89031,7 @@ index e720dcd..18fff60 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1106,10 +1445,13 @@ template(`userdom_admin_user_template',`
+@@ -1106,10 +1441,13 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -88980,7 +89045,7 @@ index e720dcd..18fff60 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1120,29 +1462,38 @@ template(`userdom_admin_user_template',`
+@@ -1120,29 +1458,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -89023,7 +89088,7 @@ index e720dcd..18fff60 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1152,6 +1503,8 @@ template(`userdom_admin_user_template',`
+@@ -1152,6 +1499,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -89032,7 +89097,7 @@ index e720dcd..18fff60 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1166,6 +1519,10 @@ template(`userdom_admin_user_template',`
+@@ -1166,6 +1515,10 @@ template(`userdom_admin_user_template',`
  		fs_read_noxattr_fs_files($1_t)
  	')
  
@@ -89043,7 +89108,7 @@ index e720dcd..18fff60 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1211,6 +1568,8 @@ template(`userdom_security_admin_template',`
+@@ -1211,6 +1564,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -89052,7 +89117,7 @@ index e720dcd..18fff60 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1223,8 +1582,10 @@ template(`userdom_security_admin_template',`
+@@ -1223,8 +1578,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -89064,7 +89129,7 @@ index e720dcd..18fff60 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1235,13 +1596,18 @@ template(`userdom_security_admin_template',`
+@@ -1235,13 +1592,18 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -89087,7 +89152,7 @@ index e720dcd..18fff60 100644
  	')
  
  	optional_policy(`
-@@ -1252,12 +1618,12 @@ template(`userdom_security_admin_template',`
+@@ -1252,12 +1614,12 @@ template(`userdom_security_admin_template',`
  		dmesg_exec($1)
  	')
  
@@ -89103,7 +89168,7 @@ index e720dcd..18fff60 100644
  	')
  
  	optional_policy(`
-@@ -1317,12 +1683,15 @@ interface(`userdom_user_application_domain',`
+@@ -1317,12 +1679,15 @@ interface(`userdom_user_application_domain',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -89120,7 +89185,7 @@ index e720dcd..18fff60 100644
  ')
  
  ########################################
-@@ -1363,18 +1732,63 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1363,9 +1728,54 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -89130,17 +89195,14 @@ index e720dcd..18fff60 100644
 -##	Domain allowed access.
 +##	Type to be used as a file in the
 +##	generic temporary directory.
- ##	</summary>
- ## </param>
- #
--interface(`userdom_attach_admin_tun_iface',`
++##	</summary>
++## </param>
++#
 +interface(`userdom_user_tmp_content',`
- 	gen_require(`
--		attribute admindomain;
++	gen_require(`
 +		attribute user_tmp_type;
- 	')
- 
--	allow $1 admindomain:tun_socket relabelfrom;
++	')
++
 +	typeattribute $1 user_tmp_type;
 +
 +	files_tmp_file($1)
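Review bot: the new userdom_user_tmp_content interface is spliced into the middle of the doc comment of userdom_attach_admin_tun_iface: the unchanged `## <summary>` / "Allow domain to attach to TUN devices created by administrative users." lines above the hunk are now followed by the `<param>` text "Type to be used as a file in the generic temporary directory.", and the original "Domain allowed access." parameter is re-emitted after the new interface body in the next hunk. The patched userdomain.if is only correct if the elided added lines re-create a `<summary>` block for userdom_attach_admin_tun_iface; run the policy's interface-documentation generation over the patched file to confirm the summary/param pairs still line up, and consider regenerating the inner patch so the new interface is inserted as a whole block in front of a `########################################` separator rather than inside a neighbouring comment.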
@@ -89177,19 +89239,10 @@ index e720dcd..18fff60 100644
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_attach_admin_tun_iface',`
-+	gen_require(`
-+		attribute admindomain;
-+	')
-+
-+	allow $1 admindomain:tun_socket relabelfrom;
- 	allow $1 self:tun_socket relabelto;
- ')
- 
-@@ -1467,11 +1881,31 @@ interface(`userdom_search_user_home_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+@@ -1467,11 +1877,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -89221,7 +89274,7 @@ index e720dcd..18fff60 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1513,6 +1947,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1513,6 +1943,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -89236,7 +89289,7 @@ index e720dcd..18fff60 100644
  ')
  
  ########################################
-@@ -1528,9 +1970,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1528,9 +1966,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -89248,7 +89301,7 @@ index e720dcd..18fff60 100644
  ')
  
  ########################################
-@@ -1587,6 +2031,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1587,6 +2027,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -89291,7 +89344,7 @@ index e720dcd..18fff60 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1666,6 +2146,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1666,6 +2142,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -89300,7 +89353,7 @@ index e720dcd..18fff60 100644
  ')
  
  ########################################
-@@ -1680,10 +2162,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1680,10 +2158,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -89315,7 +89368,7 @@ index e720dcd..18fff60 100644
  ')
  
  ########################################
-@@ -1726,6 +2210,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1726,6 +2206,43 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -89359,7 +89412,7 @@ index e720dcd..18fff60 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1745,6 +2266,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1745,6 +2262,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -89385,7 +89438,7 @@ index e720dcd..18fff60 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1775,14 +2315,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1775,14 +2311,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -89423,7 +89476,7 @@ index e720dcd..18fff60 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1793,11 +2355,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1793,11 +2351,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -89441,7 +89494,7 @@ index e720dcd..18fff60 100644
  ')
  
  ########################################
-@@ -1856,6 +2421,78 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1856,6 +2417,78 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -89520,7 +89573,7 @@ index e720dcd..18fff60 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1887,8 +2524,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1887,8 +2520,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -89530,7 +89583,7 @@ index e720dcd..18fff60 100644
  ')
  
  ########################################
-@@ -1904,20 +2540,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1904,20 +2536,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -89555,7 +89608,7 @@ index e720dcd..18fff60 100644
  
  ########################################
  ## <summary>
-@@ -2018,6 +2648,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -2018,6 +2644,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -89580,7 +89633,7 @@ index e720dcd..18fff60 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2250,11 +2898,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2250,11 +2894,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -89595,7 +89648,7 @@ index e720dcd..18fff60 100644
  	files_search_tmp($1)
  ')
  
-@@ -2274,7 +2922,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2274,7 +2918,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -89604,7 +89657,7 @@ index e720dcd..18fff60 100644
  ')
  
  ########################################
-@@ -2521,6 +3169,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2521,6 +3165,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -89630,7 +89683,7 @@ index e720dcd..18fff60 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2537,13 +3204,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2537,13 +3200,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -89646,7 +89699,7 @@ index e720dcd..18fff60 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2564,7 +3232,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2564,7 +3228,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -89655,7 +89708,7 @@ index e720dcd..18fff60 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2572,19 +3240,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2572,19 +3236,17 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -89678,13 +89731,14 @@ index e720dcd..18fff60 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2592,7 +3258,25 @@ interface(`userdom_manage_user_tmpfs_files',`
+@@ -2592,9 +3254,27 @@ interface(`userdom_manage_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`userdom_getattr_user_ttys',`
 +interface(`userdom_execute_user_tmpfs_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type user_tty_device_t;
 +		type user_tmpfs_t;
 +	')
 +
@@ -89702,10 +89756,12 @@ index e720dcd..18fff60 100644
 +## </param>
 +#
 +interface(`userdom_getattr_user_ttys',`
- 	gen_require(`
- 		type user_tty_device_t;
++	gen_require(`
++		type user_tty_device_t;
  	')
-@@ -2674,6 +3358,24 @@ interface(`userdom_use_user_ttys',`
+ 
+ 	allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
+@@ -2674,6 +3354,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -89730,7 +89786,7 @@ index e720dcd..18fff60 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2692,22 +3394,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2692,22 +3390,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -89773,7 +89829,7 @@ index e720dcd..18fff60 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2716,14 +3430,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2716,14 +3426,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -89811,7 +89867,7 @@ index e720dcd..18fff60 100644
  ')
  
  ########################################
-@@ -2742,8 +3475,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2742,8 +3471,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -89841,7 +89897,7 @@ index e720dcd..18fff60 100644
  ')
  
  ########################################
-@@ -2815,69 +3567,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2815,69 +3563,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -89942,7 +89998,7 @@ index e720dcd..18fff60 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2885,12 +3636,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2885,12 +3632,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -89957,7 +90013,7 @@ index e720dcd..18fff60 100644
  ')
  
  ########################################
-@@ -2954,7 +3705,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2954,7 +3701,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -89966,7 +90022,7 @@ index e720dcd..18fff60 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2970,29 +3721,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2970,29 +3717,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -90000,7 +90056,7 @@ index e720dcd..18fff60 100644
  ')
  
  ########################################
-@@ -3074,7 +3809,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3074,7 +3805,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -90009,7 +90065,7 @@ index e720dcd..18fff60 100644
  ')
  
  ########################################
-@@ -3129,7 +3864,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3129,7 +3860,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -90056,7 +90112,7 @@ index e720dcd..18fff60 100644
  ')
  
  ########################################
-@@ -3147,7 +3920,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3147,7 +3916,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -90065,7 +90121,7 @@ index e720dcd..18fff60 100644
  ')
  
  ########################################
-@@ -3166,6 +3939,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3166,6 +3935,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -90073,7 +90129,7 @@ index e720dcd..18fff60 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3242,6 +4016,42 @@ interface(`userdom_signal_all_users',`
+@@ -3242,6 +4012,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -90116,7 +90172,7 @@ index e720dcd..18fff60 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3262,6 +4072,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3262,6 +4068,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -90141,7 +90197,7 @@ index e720dcd..18fff60 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3296,3 +4124,1282 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4120,1282 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 9b32038..e906a1b 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -833,7 +833,7 @@ index c0f858d..d75aae9 100644
 +	allow $1 accountsd_unit_file_t:service all_service_perms;
  ')
 diff --git a/accountsd.te b/accountsd.te
-index 1632f10..67cd103 100644
+index 1632f10..1cb95bc 100644
 --- a/accountsd.te
 +++ b/accountsd.te
 @@ -1,5 +1,9 @@
@@ -865,7 +865,7 @@ index 1632f10..67cd103 100644
  #
  
 -allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
-+allow accountsd_t self:capability { dac_override setuid setgid };
++allow accountsd_t self:capability { chown dac_override setuid setgid };
 +allow accountsd_t self:process signal;
  allow accountsd_t self:fifo_file rw_fifo_file_perms;
 +allow accountsd_t self:passwd { rootok passwd chfn chsh };
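Review bot: `chown` joins `dac_override setuid setgid` in accountsd_t's self:capability set; combined with dac_override this lets the daemon change the owner of any file it can name, not only the home-directory content the log entry ("accountsd needs to fchown some files/directories") refers to. A comment next to the rule naming the operation (fchown on the directories accountsd creates) would let a later review confirm the grant is still needed, and the commit message should quote the denial that prompted it so the scope can be checked against what accountsd actually touches.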
@@ -988,10 +988,18 @@ index 8559cdc..641044e 100644
  	# Allow afs_admin to restart the afs service
  	afs_initrc_domtrans($1)
 diff --git a/afs.te b/afs.te
-index a496fde..847609a 100644
+index a496fde..859f4cf 100644
 --- a/afs.te
 +++ b/afs.te
-@@ -107,6 +107,10 @@ miscfiles_read_localization(afs_t)
+@@ -71,6 +71,7 @@ role system_r types afs_vlserver_t;
+ #
+ 
+ allow afs_t self:capability { sys_admin sys_nice sys_tty_config };
++dontaudit afs_t self:capability dac_override;
+ allow afs_t self:process { setsched signal };
+ allow afs_t self:udp_socket create_socket_perms;
+ allow afs_t self:fifo_file rw_file_perms;
+@@ -107,6 +108,10 @@ miscfiles_read_localization(afs_t)
  
  sysnet_dns_name_resolve(afs_t)
  
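Review bot: `dontaudit afs_t self:capability dac_override;` is the right response when, as the log says, everything works without the permission (the /etc/mtab read), but the reason belongs in a comment beside the rule and not only in the commit message: once the denial is silenced nobody will see it again, including a future case where afs_t genuinely needs dac_override for something other than /etc/mtab. A one-line comment such as "afs probes /etc/mtab as root; denial is harmless" preserves that context, and it is worth checking whether the mtab access can be satisfied by an existing files_ interface instead, which would remove the denial rather than hide it.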
@@ -1022,7 +1030,7 @@ index 184c9a8..8f77bf5 100644
  	domain_system_change_exemption($1)
  	role_transition $2 aiccu_initrc_exec_t system_r;
 diff --git a/aiccu.te b/aiccu.te
-index 6d685ba..4114d9b 100644
+index 6d685ba..b6f9ba3 100644
 --- a/aiccu.te
 +++ b/aiccu.te
 @@ -45,9 +45,11 @@ corecmd_exec_shell(aiccu_t)
@@ -1037,6 +1045,15 @@ index 6d685ba..4114d9b 100644
  corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
  corenet_tcp_bind_generic_node(aiccu_t)
  corenet_tcp_connect_sixxsconfig_port(aiccu_t)
+@@ -62,6 +64,8 @@ dev_read_urand(aiccu_t)
+ 
+ files_read_etc_files(aiccu_t)
+ 
++auth_read_passwd(aiccu_t)
++
+ logging_send_syslog_msg(aiccu_t)
+ 
+ miscfiles_read_localization(aiccu_t)
 diff --git a/aide.if b/aide.if
 index 838d25b..33981e0 100644
 --- a/aide.if
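Review bot: `auth_read_passwd(aiccu_t)` is the narrow interface for a daemon that needs /etc/passwd (it does not pull in shadow access) and it is placed correctly between the files_ and logging_ blocks. If the denial came from a getpwnam()/getpwuid() lookup rather than a direct open of /etc/passwd, `auth_use_nsswitch(aiccu_t)` would cover the same need while also working on hosts where accounts come from sssd or NIS; worth checking against the original AVC before this goes in.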
@@ -1472,6 +1489,18 @@ index bec220e..1d26add 100644
 +	fstools_domtrans(amanda_t)
 +	fstools_signal(amanda_t)
 +')
+diff --git a/amavis.fc b/amavis.fc
+index 446ee16..25423bf 100644
+--- a/amavis.fc
++++ b/amavis.fc
+@@ -2,6 +2,7 @@
+ /etc/amavis(d)?\.conf		--	gen_context(system_u:object_r:amavis_etc_t,s0)
+ /etc/amavisd(/.*)?			gen_context(system_u:object_r:amavis_etc_t,s0)
+ /etc/rc\.d/init\.d/amavis	--	gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/amavisd-snmp   --  gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
+ 
+ /usr/sbin/amavisd.*		--	gen_context(system_u:object_r:amavis_exec_t,s0)
+ /usr/lib/AntiVir/antivir	--	gen_context(system_u:object_r:amavis_exec_t,s0)
 diff --git a/amavis.if b/amavis.if
 index e31d92a..1aa0718 100644
 --- a/amavis.if
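Review bot: the added line `/etc/rc\.d/init\.d/amavisd-snmp   --  gen_context(system_u:object_r:amavis_initrc_exec_t,s0)` aligns its columns with runs of spaces whereas every neighbouring entry in amavis.fc uses tabs; please retab it to match (the fc parser splits on whitespace so it works, but the mixed style survives into the shipped policy source). Labelling the amavisd-snmp init script as amavis_initrc_exec_t is consistent with the amavis init script on the line above it.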
@@ -1500,7 +1529,7 @@ index e31d92a..1aa0718 100644
   	domain_system_change_exemption($1)
   	role_transition $2 amavis_initrc_exec_t system_r;
 diff --git a/amavis.te b/amavis.te
-index 5a9b451..c4b2eec 100644
+index 5a9b451..189c0a8 100644
 --- a/amavis.te
 +++ b/amavis.te
 @@ -38,7 +38,7 @@ type amavis_quarantine_t;
@@ -1534,7 +1563,11 @@ index 5a9b451..c4b2eec 100644
  
  # var/lib files for amavis
  manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
-@@ -128,17 +130,19 @@ corenet_tcp_connect_razor_port(amavis_t)
+@@ -125,20 +127,23 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t)
+ corenet_udp_bind_generic_port(amavis_t)
+ corenet_dontaudit_udp_bind_all_ports(amavis_t)
+ corenet_tcp_connect_razor_port(amavis_t)
++corenet_tcp_connect_agentx_port(amavis_t)
  
  dev_read_rand(amavis_t)
  dev_read_urand(amavis_t)
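Review bot: `corenet_tcp_connect_agentx_port(amavis_t)` is added unconditionally while the snmp rules in the next hunk are wrapped in optional_policy; that is fine (port interfaces live in the base corenet module), but since this is the rule that lets amavisd-snmp reach the master agent, a short comment tying it to amavisd-snmp would help, and the new line breaks the alphabetical order of the surrounding `corenet_tcp_connect_*` calls.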
@@ -1555,7 +1588,7 @@ index 5a9b451..c4b2eec 100644
  # uses uptime which reads utmp - redhat bug 561383
  init_read_utmp(amavis_t)
  init_stream_connect_script(amavis_t)
-@@ -148,29 +152,32 @@ logging_send_syslog_msg(amavis_t)
+@@ -148,34 +153,38 @@ logging_send_syslog_msg(amavis_t)
  miscfiles_read_generic_certs(amavis_t)
  miscfiles_read_localization(amavis_t)
  
@@ -1596,6 +1629,23 @@ index 5a9b451..c4b2eec 100644
  	nslcd_stream_connect(amavis_t)
  ')
  
+ optional_policy(`
+ 	postfix_read_config(amavis_t)
++	postfix_list_spool(amavis_t)
+ ')
+ 
+ optional_policy(`
+@@ -188,6 +197,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	snmp_manage_var_lib_files(amavis_t)
++')
++
++optional_policy(`
+ 	spamassassin_exec(amavis_t)
+ 	spamassassin_exec_client(amavis_t)
+ 	spamassassin_read_lib_files(amavis_t)
 diff --git a/amtu.te b/amtu.te
 index 057abb0..c75e9e9 100644
 --- a/amtu.te
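Review bot: `snmp_manage_var_lib_files(amavis_t)` grants create, write and delete on everything labelled as snmp's var lib content, which is more than an AgentX subagent normally needs (it talks to the master agent over the AgentX socket or the agentx port granted in the previous hunk and keeps no state of its own there); if the snmp module offers a narrower interface for the socket or for reading its lib files, prefer it, and otherwise add a comment with the path amavisd-snmp actually writes so the manage grant can be revisited. `postfix_list_spool(amavis_t)` is a harmless directory-listing grant and fits the existing postfix block.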
@@ -10035,10 +10085,10 @@ index 0000000..b3a5b51
 +/var/run/condor(/.*)?		gen_context(system_u:object_r:condor_var_run_t,s0)
 diff --git a/condor.if b/condor.if
 new file mode 100644
-index 0000000..168f664
+index 0000000..e4ef32f
 --- /dev/null
 +++ b/condor.if
-@@ -0,0 +1,327 @@
+@@ -0,0 +1,387 @@
 +
 +## <summary>policy for condor</summary>
 +
@@ -10091,6 +10141,66 @@ index 0000000..168f664
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, condor_exec_t, condor_t)
 +')
++
++#######################################
++## <summary>
++##  Allows to start userland processes
++##  by transitioning to the specified domain,
++##  with a range transition.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  The process type entered by condor_startd.
++##  </summary>
++## </param>
++## <param name="entrypoint">
++##  <summary>
++##  The executable type for the entrypoint.
++##  </summary>
++## </param>
++## <param name="range">
++##  <summary>
++##  Range for the domain.
++##  </summary>
++## </param>
++#
++interface(`condor_startd_ranged_domtrans_to',`
++    gen_require(`
++        type sshd_t;
++    ')
++    condor_startd_domtrans_to($1, $2)
++
++
++    ifdef(`enable_mcs',`
++        range_transition condor_startd_t $2:process $3;
++    ')
++
++')
++
++#######################################
++## <summary>
++##  Allows to start userlandprocesses
++##  by transitioning to the specified domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  The process type entered by condor_startd.
++##  </summary>
++## </param>
++## <param name="entrypoint">
++##  <summary>
++##  The executable type for the entrypoint.
++##  </summary>
++## </param>
++#
++interface(`condor_startd_domtrans_to',`
++    gen_require(`
++        type condor_startd_t;
++    ')
++
++    domtrans_pattern(condor_startd_t, $2, $1)
++')
++
 +########################################
 +## <summary>
 +##	Read condor's log files.
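Review bot: `condor_startd_ranged_domtrans_to` declares `gen_require(` `type sshd_t;` `')` but never uses sshd_t; the type it actually references is condor_startd_t (through the `range_transition condor_startd_t $2:process $3;` line), so the require should name condor_startd_t, otherwise every caller drags in a dependency on the ssh module and the interface fails to link when ssh is absent. In the same block the range_transition is guarded by `ifdef(`enable_mcs'` only, although a range transition is equally meaningful under enable_mls, and the summary of the second interface reads "userlandprocesses" (missing space). Style: both new interfaces indent with four spaces and contain stray double blank lines, while the rest of condor.if uses tabs, and the `#######################################` separators are one character shorter than the ones used elsewhere in the file.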
@@ -10368,10 +10478,10 @@ index 0000000..168f664
 +')
 diff --git a/condor.te b/condor.te
 new file mode 100644
-index 0000000..40f65d5
+index 0000000..d39573f
 --- /dev/null
 +++ b/condor.te
-@@ -0,0 +1,239 @@
+@@ -0,0 +1,241 @@
 +policy_module(condor, 1.0.0)
 +
 +########################################
@@ -10587,6 +10697,8 @@ index 0000000..40f65d5
 +
 +domain_read_all_domains_state(condor_startd_t)
 +
++mcs_process_set_categories(condor_startd_t)
++
 +auth_use_nsswitch(condor_startd_t)
 +
 +init_domtrans_script(condor_startd_t)
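Review bot: `mcs_process_set_categories(condor_startd_t)` makes condor_startd trusted to set any MCS category on the processes it spawns, which is what the ranged domain transition added in condor.if relies on, but it also means a compromised condor_startd can launch jobs outside the category set of the submitting user. A comment beside the rule stating that this is intentional (jobs are started with the range passed to condor_startd_ranged_domtrans_to) would record the trust decision, and the log entry should say plainly that condor_startd is now MCS-trusted rather than only that a category set can be specified.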
@@ -19318,7 +19430,7 @@ index ebad8c4..640293e 100644
  ')
 -
 diff --git a/fprintd.te b/fprintd.te
-index 7df52c7..5b9e374 100644
+index 7df52c7..1eb75fd 100644
 --- a/fprintd.te
 +++ b/fprintd.te
 @@ -8,6 +8,7 @@ policy_module(fprintd, 1.1.0)
@@ -19338,7 +19450,7 @@ index 7df52c7..5b9e374 100644
 +
  allow fprintd_t self:fifo_file rw_fifo_file_perms;
 -allow fprintd_t self:process { getsched signal };
-+allow fprintd_t self:process { getsched setsched signal };
++allow fprintd_t self:process { getsched setsched signal sigkill };
  
  manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
  manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
@@ -28415,7 +28527,7 @@ index a4f32f5..628b63c 100644
  ##	in the caller domain.
  ## </summary>
 diff --git a/lpd.te b/lpd.te
-index a03b63a..bee4750 100644
+index a03b63a..ce66d05 100644
 --- a/lpd.te
 +++ b/lpd.te
 @@ -45,14 +45,14 @@ userdom_user_tmp_file(lpr_tmp_t)
@@ -28481,7 +28593,15 @@ index a03b63a..bee4750 100644
  
  logging_send_syslog_msg(lpd_t)
  
-@@ -256,7 +255,6 @@ domain_use_interactive_fds(lpr_t)
+@@ -236,6 +235,7 @@ can_exec(lpr_t, lpr_exec_t)
+ # Allow lpd to read, rename, and unlink spool files.
+ allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
+ 
++kernel_read_system_state(lpr_t)
+ kernel_read_kernel_sysctls(lpr_t)
+ 
+ corenet_all_recvfrom_unlabeled(lpr_t)
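Review bot: `kernel_read_system_state(lpr_t)` grants read access to the generic /proc content to satisfy what the log describes as lpstat.cups reading the fips_enabled file; /proc/sys/crypto/fips_enabled is a sysctl, so if kernel.if in this tree provides a crypto-sysctl read interface (kernel_read_crypto_sysctls, if present) that is the narrower match, and otherwise a comment naming fips_enabled should sit next to the rule so the broad grant can be revisited once a narrower one exists.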
+@@ -256,7 +256,6 @@ domain_use_interactive_fds(lpr_t)
  
  files_search_spool(lpr_t)
  # for lpd config files (should have a new type)
@@ -28489,7 +28609,7 @@ index a03b63a..bee4750 100644
  # for test print
  files_read_usr_files(lpr_t)
  #Added to cover read_content macro
-@@ -275,19 +273,21 @@ miscfiles_read_localization(lpr_t)
+@@ -275,19 +274,21 @@ miscfiles_read_localization(lpr_t)
  
  userdom_read_user_tmp_symlinks(lpr_t)
  # Write to the user domain tty.
@@ -28516,7 +28636,7 @@ index a03b63a..bee4750 100644
  	# Send SIGHUP to lpd.
  	allow lpr_t lpd_t:process signal;
  
-@@ -305,17 +305,7 @@ tunable_policy(`use_lpd_server',`
+@@ -305,17 +306,7 @@ tunable_policy(`use_lpd_server',`
  	read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
  ')
  
@@ -28535,7 +28655,7 @@ index a03b63a..bee4750 100644
  
  optional_policy(`
  	cups_read_config(lpr_t)
-@@ -324,5 +314,13 @@ optional_policy(`
+@@ -324,5 +315,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30671,7 +30791,7 @@ index 3a73e74..60e7237 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index b397fde..30bfefb 100644
+index b397fde..25a03ce 100644
 --- a/mozilla.if
 +++ b/mozilla.if
 @@ -18,10 +18,11 @@
@@ -30819,7 +30939,7 @@ index b397fde..30bfefb 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -275,28 +359,98 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -275,28 +359,100 @@ interface(`mozilla_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -30923,6 +31043,8 @@ index b397fde..30bfefb 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
 +')
 +
 diff --git a/mozilla.te b/mozilla.te
@@ -34811,10 +34933,17 @@ index 632a565..cd0e015 100644
 +/usr/lib/systemd/system/yppasswdd.*	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
 +/usr/lib/systemd/system/ypxfrd.*	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
 diff --git a/nis.if b/nis.if
-index abe3f7f..8c0b6f9 100644
+index abe3f7f..026e1e6 100644
 --- a/nis.if
 +++ b/nis.if
-@@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
+@@ -27,14 +27,11 @@ interface(`nis_use_ypbind_uncond',`
+ 	gen_require(`
+ 		type var_yp_t;
+ 	')
+-
+-	allow $1 self:capability net_bind_service;
+-
+ 	allow $1 self:tcp_socket create_stream_socket_perms;
  	allow $1 self:udp_socket create_socket_perms;
  
  	allow $1 var_yp_t:dir list_dir_perms;
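Review bot: removing `allow $1 self:capability net_bind_service;` from nis_use_ypbind_uncond changes every caller at once (nis_use_ypbind and nis_authenticate both expand to it, see the hunks below), and the interface still grants `corenet_tcp_bind_generic_port` and `corenet_udp_bind_generic_port`; NIS client code running as root traditionally binds a reserved source port through bindresvport(), which needs net_bind_service. Either confirm that the ypbind client path no longer binds a reserved port, or move the capability into the callers that run as root instead of dropping it for all. The removal matches the "Tighten up capabilities for confined users" log entry, but the log should say which callers were checked.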
@@ -34823,7 +34952,7 @@ index abe3f7f..8c0b6f9 100644
  	allow $1 var_yp_t:file read_file_perms;
  
  	corenet_all_recvfrom_unlabeled($1)
-@@ -49,14 +49,13 @@ interface(`nis_use_ypbind_uncond',`
+@@ -49,14 +46,13 @@ interface(`nis_use_ypbind_uncond',`
  	corenet_udp_bind_generic_node($1)
  	corenet_tcp_bind_generic_port($1)
  	corenet_udp_bind_generic_port($1)
@@ -34841,7 +34970,7 @@ index abe3f7f..8c0b6f9 100644
  	corenet_sendrecv_portmap_client_packets($1)
  	corenet_sendrecv_generic_client_packets($1)
  	corenet_sendrecv_generic_server_packets($1)
-@@ -88,7 +87,7 @@ interface(`nis_use_ypbind_uncond',`
+@@ -88,7 +84,7 @@ interface(`nis_use_ypbind_uncond',`
  ## <rolecap/>
  #
  interface(`nis_use_ypbind',`
@@ -34850,7 +34979,7 @@ index abe3f7f..8c0b6f9 100644
  		nis_use_ypbind_uncond($1)
  	')
  ')
-@@ -105,7 +104,7 @@ interface(`nis_use_ypbind',`
+@@ -105,7 +101,7 @@ interface(`nis_use_ypbind',`
  ## <rolecap/>
  #
  interface(`nis_authenticate',`
@@ -34859,7 +34988,7 @@ index abe3f7f..8c0b6f9 100644
  		nis_use_ypbind_uncond($1)
  		corenet_tcp_bind_all_rpc_ports($1)
  		corenet_udp_bind_all_rpc_ports($1)
-@@ -337,6 +336,55 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -337,6 +333,55 @@ interface(`nis_initrc_domtrans_ypbind',`
  
  ########################################
  ## <summary>
@@ -34915,7 +35044,7 @@ index abe3f7f..8c0b6f9 100644
  ##	All of the rules required to administrate
  ##	an nis environment
  ## </summary>
-@@ -354,22 +402,31 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -354,22 +399,31 @@ interface(`nis_initrc_domtrans_ypbind',`
  #
  interface(`nis_admin',`
  	gen_require(`
@@ -34954,7 +35083,7 @@ index abe3f7f..8c0b6f9 100644
  	ps_process_pattern($1, ypxfr_t)
  
  	nis_initrc_domtrans($1)
-@@ -379,18 +436,24 @@ interface(`nis_admin',`
+@@ -379,18 +433,24 @@ interface(`nis_admin',`
  	role_transition $2 ypbind_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -42952,6 +43081,35 @@ index d4000e0..f35afa4 100644
  	mta_send_mail(psad_t)
  	mta_read_queue(psad_t)
  ')
+diff --git a/ptchown.if b/ptchown.if
+index 96cc023..5919bbd 100644
+--- a/ptchown.if
++++ b/ptchown.if
+@@ -18,6 +18,24 @@ interface(`ptchown_domtrans',`
+ 	domtrans_pattern($1, ptchown_exec_t, ptchown_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Execute ptchown in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ptchown_exec',`
++    gen_require(`
++        type ptchown_exec_t;
++    ')
++
++    can_exec($1, ptchown_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Execute ptchown in the ptchown domain, and
 diff --git a/pulseaudio.fc b/pulseaudio.fc
 index 84f23dc..5be2738 100644
 --- a/pulseaudio.fc
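Review bot: the parameter summary in the new ptchown_exec interface says "Domain allowed to transition.", copied from ptchown_domtrans; can_exec() performs no transition, so it should read "Domain allowed access." like the other exec interfaces. The new block is also indented with spaces, while the rest of ptchown.if (see the domtrans_pattern line above) uses tabs.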
@@ -46351,6 +46509,87 @@ index b4ac57e..ef944a4 100644
  
  logging_send_syslog_msg(readahead_t)
  logging_set_audit_parameters(readahead_t)
+diff --git a/realmd.fc b/realmd.fc
+new file mode 100644
+index 0000000..3c24ce4
+--- /dev/null
++++ b/realmd.fc
+@@ -0,0 +1 @@
++/usr/lib/realmd/realmd		--	gen_context(system_u:object_r:realmd_exec_t,s0)
+diff --git a/realmd.if b/realmd.if
+new file mode 100644
+index 0000000..48ea717
+--- /dev/null
++++ b/realmd.if
+@@ -0,0 +1,21 @@
++
++## <summary>dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA</summary>
++
++########################################
++## <summary>
++##	Execute realmd in the realmd_t domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`realmd_domtrans',`
++	gen_require(`
++		type realmd_t, realmd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, realmd_exec_t, realmd_t)
++')
+diff --git a/realmd.te b/realmd.te
+new file mode 100644
+index 0000000..158fd63
+--- /dev/null
++++ b/realmd.te
+@@ -0,0 +1,41 @@
++policy_module(realmd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type realmd_t;
++type realmd_exec_t;
++dbus_system_domain(realmd_t, realmd_exec_t)
++
++
++########################################
++#
++# realmd local policy
++#
++
++allow realmd_t self:capability { kill };
++
++domain_use_interactive_fds(realmd_t)
++
++files_read_etc_files(realmd_t)
++
++logging_send_syslog_msg(realmd_t)
++
++miscfiles_read_localization(realmd_t)
++
++optional_policy(`
++	kerberos_use(realmd_t)
++')
++
++optional_policy(`
++	samba_domtrans_net(realmd_t)
++	samba_read_config(realmd_t)
++')
++
++optional_policy(`
++	sssd_read_config(realmd_t)
++	sssd_write_config(realmd_t)
++	sssd_create_config(realmd_t)
++')
 diff --git a/remotelogin.te b/remotelogin.te
 index 0a76027..a3bc03a 100644
 --- a/remotelogin.te
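Review bot: realmd_t is given sssd_write_config and sssd_create_config, but nothing lets it create the /etc/sssd directory itself: create_files_pattern only covers files inside an already existing sssd_conf_t directory, and files_read_etc_files gives no write access to etc_t. If realmd is expected to enrol a host where /etc/sssd does not yet exist, it needs a dir filetrans from etc_t to sssd_conf_t (files_etc_filetrans); otherwise the expected denial should be noted in the commit. Minor: the `kill` capability in realmd.te has no comment saying which process realmd signals, and there is a doubled blank line after dbus_system_domain().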
@@ -54183,7 +54422,7 @@ index c954f31..82fc7f6 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index 1bbf73b..2269290 100644
+index 1bbf73b..bf120b4 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -6,52 +6,41 @@ policy_module(spamassassin, 2.5.0)
@@ -54420,7 +54659,7 @@ index 1bbf73b..2269290 100644
  ')
  
  ########################################
-@@ -202,15 +268,32 @@ allow spamc_t self:unix_stream_socket connectto;
+@@ -202,15 +268,36 @@ allow spamc_t self:unix_stream_socket connectto;
  allow spamc_t self:tcp_socket create_stream_socket_perms;
  allow spamc_t self:udp_socket create_socket_perms;
  
@@ -54437,6 +54676,9 @@ index 1bbf73b..2269290 100644
 +manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 +userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
 +userdom_append_user_home_content_files(spamc_t)
++# for /root/.pyzor
++allow spamc_t self:capability dac_override;
++userdom_admin_home_dir_filetrans(spamc_t, spamc_home_t , dir, ".pyzor")
 +
 +list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 +read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
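Review bot: `allow spamc_t self:capability dac_override;` is much broader than the "/root/.pyzor" comment suggests; it bypasses DAC on every file spamc_t is otherwise allowed to touch, not just that directory. Given the note further down that spamd setuids to the user running spamc, please confirm the pyzor write really fails without the capability (a uid 0 process passes DAC already) and, if the access is only attempted rather than required, use a dontaudit instead. Style: stray space in `spamc_home_t , dir`.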
@@ -54445,6 +54687,7 @@ index 1bbf73b..2269290 100644
  allow spamc_t spamd_t:unix_stream_socket connectto;
  allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
 +spamd_stream_connect(spamc_t)
++allow spamc_t spamd_tmp_t:file read_inherited_file_perms;
  
  kernel_read_kernel_sysctls(spamc_t)
 +kernel_read_system_state(spamc_t)
@@ -54453,7 +54696,7 @@ index 1bbf73b..2269290 100644
  
  corenet_all_recvfrom_unlabeled(spamc_t)
  corenet_all_recvfrom_netlabel(spamc_t)
-@@ -222,6 +305,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
+@@ -222,6 +309,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
  corenet_udp_sendrecv_all_ports(spamc_t)
  corenet_tcp_connect_all_ports(spamc_t)
  corenet_sendrecv_all_client_packets(spamc_t)
@@ -54461,7 +54704,7 @@ index 1bbf73b..2269290 100644
  
  fs_search_auto_mountpoints(spamc_t)
  
-@@ -234,15 +318,19 @@ corecmd_read_bin_sockets(spamc_t)
+@@ -234,15 +322,19 @@ corecmd_read_bin_sockets(spamc_t)
  
  domain_use_interactive_fds(spamc_t)
  
@@ -54482,7 +54725,7 @@ index 1bbf73b..2269290 100644
  miscfiles_read_localization(spamc_t)
  
  # cjp: this should probably be removed:
-@@ -250,27 +338,35 @@ seutil_read_config(spamc_t)
+@@ -250,27 +342,35 @@ seutil_read_config(spamc_t)
  
  sysnet_read_config(spamc_t)
  
@@ -54524,7 +54767,7 @@ index 1bbf73b..2269290 100644
  ')
  
  ########################################
-@@ -282,7 +378,7 @@ optional_policy(`
+@@ -282,7 +382,7 @@ optional_policy(`
  # setuids to the user running spamc.  Comment this if you are not
  # using this ability.
  
@@ -54533,7 +54776,7 @@ index 1bbf73b..2269290 100644
  dontaudit spamd_t self:capability sys_tty_config;
  allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow spamd_t self:fd use;
-@@ -298,10 +394,17 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -298,10 +398,17 @@ allow spamd_t self:unix_dgram_socket sendto;
  allow spamd_t self:unix_stream_socket connectto;
  allow spamd_t self:tcp_socket create_stream_socket_perms;
  allow spamd_t self:udp_socket create_socket_perms;
@@ -54552,7 +54795,7 @@ index 1bbf73b..2269290 100644
  files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
  
  manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -310,11 +413,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -310,11 +417,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -54570,7 +54813,7 @@ index 1bbf73b..2269290 100644
  
  kernel_read_all_sysctls(spamd_t)
  kernel_read_system_state(spamd_t)
-@@ -356,30 +463,29 @@ corecmd_exec_bin(spamd_t)
+@@ -356,30 +467,29 @@ corecmd_exec_bin(spamd_t)
  domain_use_interactive_fds(spamd_t)
  
  files_read_usr_files(spamd_t)
@@ -54609,7 +54852,7 @@ index 1bbf73b..2269290 100644
  ')
  
  optional_policy(`
-@@ -395,7 +501,9 @@ optional_policy(`
+@@ -395,7 +505,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54619,7 +54862,7 @@ index 1bbf73b..2269290 100644
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
-@@ -404,25 +512,17 @@ optional_policy(`
+@@ -404,25 +516,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54647,7 +54890,7 @@ index 1bbf73b..2269290 100644
  	postgresql_stream_connect(spamd_t)
  ')
  
-@@ -433,6 +533,10 @@ optional_policy(`
+@@ -433,6 +537,10 @@ optional_policy(`
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -54658,7 +54901,7 @@ index 1bbf73b..2269290 100644
  ')
  
  optional_policy(`
-@@ -440,6 +544,7 @@ optional_policy(`
+@@ -440,6 +548,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54666,7 +54909,7 @@ index 1bbf73b..2269290 100644
  	sendmail_stub(spamd_t)
  	mta_read_config(spamd_t)
  ')
-@@ -447,3 +552,50 @@ optional_policy(`
+@@ -447,3 +556,50 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(spamd_t)
  ')
@@ -54839,10 +55082,15 @@ index d24bd07..624dd50 100644
 +	kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")
 +')
 diff --git a/sssd.fc b/sssd.fc
-index 4271815..4bc00ea 100644
+index 4271815..fb5520f 100644
 --- a/sssd.fc
 +++ b/sssd.fc
-@@ -4,6 +4,8 @@
+@@ -1,9 +1,13 @@
+ /etc/rc\.d/init\.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+ 
++/etc/sssd(/.*)?			gen_context(system_u:object_r:sssd_conf_t,s0)
++
+ /usr/sbin/sssd		--	gen_context(system_u:object_r:sssd_exec_t,s0)
  
  /var/lib/sss(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
  
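Review bot: giving /etc/sssd its own type is a good split, since sssd.conf can hold directory bind credentials that other readers of /etc have no need for. None of the visible sssd.if changes extend sssd_admin to the new type, however, so an admin role that manages sssd will be unable to edit its configuration; an admin_pattern on sssd_conf_t should go with this entry.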
@@ -54852,7 +55100,7 @@ index 4271815..4bc00ea 100644
  
  /var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_log_t,s0)
 diff --git a/sssd.if b/sssd.if
-index 941380a..e1095f0 100644
+index 941380a..ff89df6 100644
 --- a/sssd.if
 +++ b/sssd.if
 @@ -5,9 +5,9 @@
@@ -54867,7 +55115,71 @@ index 941380a..e1095f0 100644
  ## </param>
  #
  interface(`sssd_domtrans',`
-@@ -89,6 +89,7 @@ interface(`sssd_manage_pids',`
+@@ -36,6 +36,63 @@ interface(`sssd_initrc_domtrans',`
+ 	init_labeled_script_domtrans($1, sssd_initrc_exec_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Read sssd configuration.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`sssd_read_config',`
++    gen_require(`
++        type sssd_conf_t;
++    ')
++
++    files_search_etc($1)
++    read_files_pattern($1, sssd_conf_t, sssd_conf_t)
++')
++
++######################################
++## <summary>
++##  Write sssd configuration.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`sssd_write_config',`
++    gen_require(`
++        type sssd_conf_t;
++    ')
++
++    files_search_etc($1)
++    write_files_pattern($1, sssd_conf_t, sssd_conf_t)
++')
++
++#####################################
++## <summary>
++##  Write sssd configuration.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`sssd_create_config',`
++    gen_require(`
++        type sssd_conf_t;
++    ')
++
++    files_search_etc($1)
++    create_files_pattern($1, sssd_conf_t, sssd_conf_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Read sssd public files.
+@@ -89,6 +146,7 @@ interface(`sssd_manage_pids',`
  		type sssd_var_run_t;
  	')
  
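Review bot: the summary of sssd_create_config reads "Write sssd configuration.", a copy of sssd_write_config; it should say that it creates files in sssd configuration directories. The three new interfaces are indented with four spaces where the rest of sssd.if uses tabs (compare the init_labeled_script_domtrans line above), and their hash rules differ in length from the one used elsewhere in the file. Also, sssd_write_config grants write without create or unlink and sssd_create_config grants create without write; since realmd.te calls all three, one sssd_manage_config interface built on manage_files_pattern would be simpler to audit.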
@@ -54875,7 +55187,7 @@ index 941380a..e1095f0 100644
  	manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
  	manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
  ')
-@@ -128,7 +129,6 @@ interface(`sssd_dontaudit_search_lib',`
+@@ -128,7 +186,6 @@ interface(`sssd_dontaudit_search_lib',`
  	')
  
  	dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
@@ -54883,7 +55195,7 @@ index 941380a..e1095f0 100644
  ')
  
  ########################################
-@@ -148,6 +148,7 @@ interface(`sssd_read_lib_files',`
+@@ -148,6 +205,7 @@ interface(`sssd_read_lib_files',`
  
  	files_search_var_lib($1)
  	read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
@@ -54891,7 +55203,7 @@ index 941380a..e1095f0 100644
  ')
  
  ########################################
-@@ -168,6 +169,7 @@ interface(`sssd_manage_lib_files',`
+@@ -168,6 +226,7 @@ interface(`sssd_manage_lib_files',`
  
  	files_search_var_lib($1)
  	manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
@@ -54899,7 +55211,7 @@ index 941380a..e1095f0 100644
  ')
  
  ########################################
-@@ -193,7 +195,7 @@ interface(`sssd_dbus_chat',`
+@@ -193,7 +252,7 @@ interface(`sssd_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -54908,7 +55220,7 @@ index 941380a..e1095f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -225,21 +227,18 @@ interface(`sssd_stream_connect',`
+@@ -225,21 +284,18 @@ interface(`sssd_stream_connect',`
  ##	The role to be allowed to manage the sssd domain.
  ##	</summary>
  ## </param>
@@ -54937,10 +55249,18 @@ index 941380a..e1095f0 100644
  	# Allow sssd_t to restart the apache service
  	sssd_initrc_domtrans($1)
 diff --git a/sssd.te b/sssd.te
-index 8ffa257..20d8944 100644
+index 8ffa257..706c52b 100644
 --- a/sssd.te
 +++ b/sssd.te
-@@ -17,6 +17,7 @@ files_pid_file(sssd_public_t)
+@@ -12,11 +12,15 @@ init_daemon_domain(sssd_t, sssd_exec_t)
+ type sssd_initrc_exec_t;
+ init_script_file(sssd_initrc_exec_t)
+ 
++type sssd_conf_t;
++files_config_file(sssd_conf_t)
++
+ type sssd_public_t;
+ files_pid_file(sssd_public_t)
  
  type sssd_var_lib_t;
  files_type(sssd_var_lib_t)
@@ -54948,7 +55268,7 @@ index 8ffa257..20d8944 100644
  
  type sssd_var_log_t;
  logging_log_file(sssd_var_log_t)
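Review bot: files_config_file(sssd_conf_t) puts the type into the configfile attribute, so every domain that uses the generic read-all-config-files interfaces can read /etc/sssd, including whatever credentials sssd.conf carries. If the point of separating it from etc_t is to keep those secrets away from domains that only need ordinary /etc files, files_type(sssd_conf_t) with explicit sssd_read_config() calls achieves that; if the broader exposure is intended, a comment saying so would prevent the question coming up again.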
-@@ -28,9 +29,11 @@ files_pid_file(sssd_var_run_t)
+@@ -28,18 +32,23 @@ files_pid_file(sssd_var_run_t)
  #
  # sssd local policy
  #
@@ -54962,8 +55282,10 @@ index 8ffa257..20d8944 100644
 +allow sssd_t self:key manage_key_perms;
  allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
++read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
++
  manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
-@@ -38,8 +41,9 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
  
  manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
  manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
@@ -54974,7 +55296,7 @@ index 8ffa257..20d8944 100644
  
  manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
  logging_log_filetrans(sssd_t, sssd_var_log_t, file)
-@@ -48,18 +52,25 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+@@ -48,18 +57,25 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
  manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
  files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
  
@@ -55000,7 +55322,7 @@ index 8ffa257..20d8944 100644
  
  fs_list_inotifyfs(sssd_t)
  
-@@ -68,10 +79,14 @@ selinux_validate_context(sssd_t)
+@@ -68,10 +84,14 @@ selinux_validate_context(sssd_t)
  seutil_read_file_contexts(sssd_t)
  
  mls_file_read_to_clearance(sssd_t)
@@ -55016,7 +55338,7 @@ index 8ffa257..20d8944 100644
  
  init_read_utmp(sssd_t)
  
-@@ -79,6 +94,12 @@ logging_send_syslog_msg(sssd_t)
+@@ -79,6 +99,12 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_localization(sssd_t)
@@ -55029,7 +55351,7 @@ index 8ffa257..20d8944 100644
  
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
-@@ -87,4 +108,19 @@ optional_policy(`
+@@ -87,4 +113,19 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_manage_host_rcache(sssd_t)
@@ -55039,16 +55361,296 @@ index 8ffa257..20d8944 100644
 +
 +optional_policy(`
 +	dirsrv_stream_connect(sssd_t)
- ')
++')
 +
 +optional_policy(`
 +	ldap_stream_connect(sssd_t)
-+')
+ ')
 +
 +userdom_home_reader(sssd_t)
 +
 +
 +
+diff --git a/stapserver.fc b/stapserver.fc
+new file mode 100644
+index 0000000..0ccce59
+--- /dev/null
++++ b/stapserver.fc
+@@ -0,0 +1,7 @@
++/usr/bin/stap-server		--	gen_context(system_u:object_r:stapserver_exec_t,s0)
++
++/var/lib/stap-server(/.*)?		gen_context(system_u:object_r:stapserver_var_lib_t,s0)
++
++/var/log/stap-server(/.*)?		gen_context(system_u:object_r:stapserver_log_t,s0)
++
++/var/run/stap-server(/.*)?		gen_context(system_u:object_r:stapserver_var_run_t,s0)
+diff --git a/stapserver.if b/stapserver.if
+new file mode 100644
+index 0000000..89b20d3
+--- /dev/null
++++ b/stapserver.if
+@@ -0,0 +1,156 @@
++
++## <summary> Instrumentation System Server </summary>
++
++########################################
++## <summary>
++##	Execute stapserver in the stapserver domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`stapserver_domtrans',`
++	gen_require(`
++		type stapserver_t, stapserver_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, stapserver_exec_t, stapserver_t)
++')
++########################################
++## <summary>
++##	Read stapserver's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`stapserver_read_log',`
++	gen_require(`
++		type stapserver_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, stapserver_log_t, stapserver_log_t)
++')
++
++########################################
++## <summary>
++##	Append to stapserver log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`stapserver_append_log',`
++	gen_require(`
++		type stapserver_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, stapserver_log_t, stapserver_log_t)
++')
++
++########################################
++## <summary>
++##	Manage stapserver log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`stapserver_manage_log',`
++	gen_require(`
++		type stapserver_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, stapserver_log_t, stapserver_log_t)
++	manage_files_pattern($1, stapserver_log_t, stapserver_log_t)
++	manage_lnk_files_pattern($1, stapserver_log_t, stapserver_log_t)
++')
++########################################
++## <summary>
++##	Read stapserver PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`stapserver_read_pid_files',`
++	gen_require(`
++		type stapserver_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 stapserver_var_run_t:file read_file_perms;
++')
++
++#######################################
++## <summary>
++##      Manage stapserver lib files
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`stapserver_manage_lib',`
++        gen_require(`
++                type stapserver_var_lib_t;
++        ')
++
++        manage_dirs_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
++        manage_files_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an stapserver environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`stapserver_admin',`
++	gen_require(`
++		type stapserver_t;
++		type stapserver_log_t;
++		type stapserver_var_run_t;
++	')
++
++	allow $1 stapserver_t:process { ptrace signal_perms };
++	ps_process_pattern($1, stapserver_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, stapserver_log_t)
++
++	files_search_pids($1)
++	admin_pattern($1, stapserver_var_run_t)
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/stapserver.te b/stapserver.te
+new file mode 100644
+index 0000000..fa12095
+--- /dev/null
++++ b/stapserver.te
+@@ -0,0 +1,99 @@
++policy_module(stapserver, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type stapserver_t;
++type stapserver_exec_t;
++init_daemon_domain(stapserver_t, stapserver_exec_t)
++
++type stapserver_var_lib_t;
++files_type(stapserver_var_lib_t)
++
++type stapserver_log_t;
++logging_log_file(stapserver_log_t)
++
++type stapserver_var_run_t;
++files_pid_file(stapserver_var_run_t)
++
++########################################
++#
++# stapserver local policy
++#
++
++#runuser
++allow stapserver_t self:capability { setuid setgid };
++allow stapserver_t self:process setsched;
++
++allow stapserver_t self:capability { dac_override kill };
++allow stapserver_t self:process { setrlimit signal };
++
++allow stapserver_t self:fifo_file rw_fifo_file_perms;
++allow stapserver_t self:key write;
++allow stapserver_t self:unix_stream_socket create_stream_socket_perms;
++allow stapserver_t self:tcp_socket { accept listen };
++
++manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
++manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
++files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
++
++manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
++manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
++logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
++
++manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
++manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
++files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
++
++kernel_read_system_state(stapserver_t)
++kernel_read_kernel_sysctls(stapserver_t)
++
++corecmd_exec_bin(stapserver_t)
++corecmd_exec_shell(stapserver_t)
++
++domain_read_all_domains_state(stapserver_t)
++domain_use_interactive_fds(stapserver_t)
++
++dev_read_sysfs(stapserver_t)
++dev_read_rand(stapserver_t)
++dev_read_urand(stapserver_t)
++
++files_list_tmp(stapserver_t)
++files_read_usr_files(stapserver_t)
++files_search_kernel_modules(stapserver_t)
++
++auth_use_nsswitch(stapserver_t)
++
++init_read_utmp(stapserver_t)
++
++logging_send_audit_msgs(stapserver_t)
++logging_send_syslog_msg(stapserver_t)
++
++miscfiles_read_localization(stapserver_t)
++#lspci
++miscfiles_read_hwdata(stapserver_t)
++
++userdom_use_user_terminals(stapserver_t)
++
++optional_policy(`
++	consoletype_exec(stapserver_t)
++')
++
++optional_policy(`
++	dbus_system_bus_client(stapserver_t)
++')
++
++optional_policy(`
++	hostname_exec(stapserver_t)
++')
++
++optional_policy(`
++	plymouthd_exec_plymouth(stapserver_t)
++')
++
++optional_policy(`
++	rpm_exec(stapserver_t)
++')
++
 diff --git a/stunnel.te b/stunnel.te
 index f646c66..6fef759 100644
 --- a/stunnel.te
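Review bot: stapserver_manage_lib has no files_search_var_lib($1) call, so a caller that does not already hold search on var_lib_t (the useradd case in the changelog) cannot reach /var/lib/stap-server; compare sssd_manage_lib_files above, which does call it. In the same file stapserver_admin requires only stapserver_t, stapserver_log_t and stapserver_var_run_t and never touches stapserver_var_lib_t, so an admin role cannot manage the lib directory; add the type and an admin_pattern. In stapserver.te, `allow stapserver_t self:tcp_socket { accept listen };` carries no create/bind permissions and there is no corenet bind rule, so if stap-server opens its own listening socket rather than inheriting one this will be denied. Style: stapserver_manage_lib is indented with spaces, the two self:capability lines can be merged with the `#runuser` comment kept, and the trailing `+` empty lines at the end of sssd.te and stapserver.te add only whitespace.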
@@ -61234,7 +61836,7 @@ index 77d41b6..cc73c96 100644
  
  	files_search_pids($1)
 diff --git a/xen.te b/xen.te
-index d995c70..17e2d43 100644
+index d995c70..da9a6e1 100644
 --- a/xen.te
 +++ b/xen.te
 @@ -4,6 +4,7 @@ policy_module(xen, 1.11.1)
@@ -61316,12 +61918,23 @@ index d995c70..17e2d43 100644
  
  files_read_etc_files(xend_t)
  files_read_kernel_symbol_table(xend_t)
-@@ -320,13 +326,9 @@ locallogin_dontaudit_use_fds(xend_t)
+@@ -309,7 +315,9 @@ files_etc_filetrans_etc_runtime(xend_t, file)
+ files_read_usr_files(xend_t)
+ files_read_default_symlinks(xend_t)
+ 
++term_setattr_generic_ptys(xend_t)
+ term_getattr_all_ptys(xend_t)
++term_setattr_all_ptys(xend_t)
+ term_use_generic_ptys(xend_t)
+ term_use_ptmx(xend_t)
+ term_getattr_pty_fs(xend_t)
+@@ -320,13 +328,11 @@ locallogin_dontaudit_use_fds(xend_t)
  
  logging_send_syslog_msg(xend_t)
  
 -lvm_domtrans(xend_t)
--
++auth_read_passwd(xend_t)
+ 
  miscfiles_read_localization(xend_t)
  miscfiles_read_hwdata(xend_t)
  
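Review bot: term_setattr_all_ptys(xend_t) lets xend change attributes on every pty type in the policy, including user ptys, while term_setattr_generic_ptys on the line before already covers the generic devpts_t ptys xend allocates through ptmx (term_use_ptmx is granted just below). If the all-ptys rule was added for a specific denial, record the pty type in a comment; otherwise the generic rule alone is the tighter choice.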
@@ -61330,7 +61943,7 @@ index d995c70..17e2d43 100644
  sysnet_domtrans_dhcpc(xend_t)
  sysnet_signal_dhcpc(xend_t)
  sysnet_domtrans_ifconfig(xend_t)
-@@ -339,8 +341,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
+@@ -339,8 +345,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
  
  xen_stream_connect_xenstore(xend_t)
  
@@ -61339,7 +61952,7 @@ index d995c70..17e2d43 100644
  optional_policy(`
  	brctl_domtrans(xend_t)
  ')
-@@ -349,6 +349,23 @@ optional_policy(`
+@@ -349,6 +353,27 @@ optional_policy(`
  	consoletype_exec(xend_t)
  ')
  
@@ -61356,6 +61969,10 @@ index d995c70..17e2d43 100644
 +')
 +
 +optional_policy(`
++	ptchown_exec(xend_t)
++')
++
++optional_policy(`
 +	virt_search_images(xend_t)
 +	virt_read_config(xend_t)
 +')
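Review bot: ptchown_exec(xend_t) runs the pt_chown helper inside xend_t, which is what makes the setattr-on-ptys rules earlier in this file necessary. The ptchown.if in this same patch also provides ptchown_domtrans; transitioning into ptchown_t instead would keep the pty chown/chmod privilege confined to the helper's domain. If the exec-in-place form is required (for example because xend cannot cope with the domain transition), a comment saying so would help the next reader.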
@@ -61363,7 +61980,7 @@ index d995c70..17e2d43 100644
  ########################################
  #
  # Xen console local policy
-@@ -374,8 +391,6 @@ dev_rw_xen(xenconsoled_t)
+@@ -374,8 +399,6 @@ dev_rw_xen(xenconsoled_t)
  dev_filetrans_xen(xenconsoled_t)
  dev_rw_sysfs(xenconsoled_t)
  
@@ -61372,7 +61989,7 @@ index d995c70..17e2d43 100644
  files_read_etc_files(xenconsoled_t)
  files_read_usr_files(xenconsoled_t)
  
-@@ -413,9 +428,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -413,9 +436,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
  files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
  
  # pid file
@@ -61384,7 +62001,7 @@ index d995c70..17e2d43 100644
  
  # log files
  manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,9 +458,11 @@ files_read_etc_files(xenstored_t)
+@@ -442,9 +466,11 @@ files_read_etc_files(xenstored_t)
  
  files_read_usr_files(xenstored_t)
  
@@ -61396,7 +62013,7 @@ index d995c70..17e2d43 100644
  
  init_use_fds(xenstored_t)
  init_use_script_ptys(xenstored_t)
-@@ -457,96 +475,9 @@ xen_append_log(xenstored_t)
+@@ -457,96 +483,9 @@ xen_append_log(xenstored_t)
  
  ########################################
  #
@@ -61493,7 +62110,7 @@ index d995c70..17e2d43 100644
  	#Should have a boolean wrapping these
  	fs_list_auto_mountpoints(xend_t)
  	files_search_mnt(xend_t)
-@@ -559,8 +490,4 @@ optional_policy(`
+@@ -559,8 +498,4 @@ optional_policy(`
  		fs_manage_nfs_files(xend_t)
  		fs_read_nfs_symlinks(xend_t)
  	')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9689a36..16e2d0f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.0
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,28 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Jul 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-10
+- Add realmd and stapserver policies
+- Allow useradd to manage stap-server lib files
+- Tighten up capabilities for confined users
+- Label /etc/security/opasswd as shadow_t
+- Add label for /dev/ecryptfs
+- Allow condor_startd_t to start sshd with the ranged
+- Allow lpstat.cups to read fips_enabled file
+- Allow pyzor running as spamc_t to create /root/.pyzor directory
+- Add labelinf for amavisd-snmp init script
+- Add support for amavisd-snmp
+- Allow fprintd sigkill self
+- Allow xend (w/o libvirt) to start virtual machines
+- Allow aiccu to read /etc/passwd
+- Allow condor_startd to Make specified domain MCS trusted for setting any category set for the processes it executes
+- Add condor_startd_ranged_domtrans_to() interface
+- Add ssd_conf_t for /etc/sssd
+- accountsd needs to fchown some files/directories
+- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content
+- SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works, adding dontaudit
+- Allow xend_t to read the /etc/passwd file
+
 * Wed Jul 11 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-9
 - Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t
 - Add init_access_check() interface
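Review bot: several changelog entries carry typos or are cut off: "labelinf" (labeling), "ICACLient" / "zibrauserdata" (the interface hunk uses ".ICAClient" and "zimbrauserdata"), "ssd_conf_t" (the type added is sssd_conf_t), and "Allow condor_startd_t to start sshd with the ranged" ends mid-sentence. These are what users will read in rpm -q --changelog, so they are worth correcting before the build.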

