[selinux-policy/f17] * Fri Jun 22 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10. - Dontaudit thumb to setattr on xdm_tmp
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jun 22 14:57:21 UTC 2012
commit 086c743628bcc8e4521d08eec662fda91c1f5787
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Jun 22 16:56:59 2012 +0200
* Fri Jun 22 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.
- Dontaudit thumb to setattr on xdm_tmp dirs
- Allow wicd to execute ldconfig
- Add /var/run/cherokee\.pid labeling
- Allow snort to create netlink_socket
- Allow setpcap for rpcd_t
- Firstboot should be just creating tmp_t dirs
- Transition xauth files within firstboot_tmp_t
- Fix labeling of /run/media to match /media
- Allow firstboot to create tmp_t files/directories
- Label tuned scripts located in /etc as bin_t
- Add port definition for mxi port
- Fix labeling for /var/log/lxdm.log.old
- Allow ddclient to read /etc/passwd
- change dovecot_deliver to manage mail_home_rw_t
- Remove razor/pyzor policy
- Allow local_login_t to execute tmux
- Allow mozilla_plugin_t to execute the dynamic linker/loader
policy-F16.patch | 527 ++++++++++++++++++++++++++++++--------------------
selinux-policy.spec | 21 ++-
2 files changed, 336 insertions(+), 212 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 0e84a90..978c58c 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -59289,31 +59289,20 @@ index 8fa451c..f3a67c9 100644
')
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
-index c4d8998..bd59f2e 100644
+index c4d8998..a7302e4 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
-@@ -19,6 +19,9 @@ role system_r types firstboot_t;
- type firstboot_etc_t;
- files_config_file(firstboot_etc_t)
-
-+type firstboot_tmp_t;
-+files_tmp_file(firstboot_tmp_t)
-+
- ########################################
- #
- # Local policy
-@@ -33,6 +36,10 @@ allow firstboot_t self:passwd rootok;
+@@ -33,6 +33,9 @@ allow firstboot_t self:passwd rootok;
allow firstboot_t firstboot_etc_t:file read_file_perms;
-+manage_dirs_pattern(firstboot_t, firstboot_tmp_t, firstboot_tmp_t)
-+manage_files_pattern(firstboot_t, firstboot_tmp_t, firstboot_tmp_t)
-+files_tmp_filetrans(firstboot_t, firstboot_tmp_t, { dir file })
++files_manage_generic_tmp_dirs(firstboot_t)
++files_manage_generic_tmp_files(firstboot_t)
+
kernel_read_system_state(firstboot_t)
kernel_read_kernel_sysctls(firstboot_t)
-@@ -62,6 +69,8 @@ files_read_usr_files(firstboot_t)
+@@ -62,6 +65,8 @@ files_read_usr_files(firstboot_t)
files_manage_var_dirs(firstboot_t)
files_manage_var_files(firstboot_t)
files_manage_var_symlinks(firstboot_t)
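Review bot: Replacing the private firstboot_tmp_t with `files_manage_generic_tmp_dirs(firstboot_t)` / `files_manage_generic_tmp_files(firstboot_t)` widens firstboot_t from its own tmp type to every tmp_t file and directory under /tmp and drops the file transition, so what firstboot creates there is plain tmp_t and is reachable by any other domain that manages generic tmp. That may be acceptable for a one-shot root setup tool, but the changelog entry "Transition xauth files within firstboot_tmp_t" now names a type this hunk deletes, so either that changelog line or this hunk is stale. If the generic rules are intended, a one-line comment above them stating why the private type was abandoned, e.g. `# firstboot must work on pre-existing tmp_t content, so no private tmp type`, would stop the next maintainer from re-adding it. The firstboot_t local policy continues outside this hunk.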
@@ -59322,7 +59311,7 @@ index c4d8998..bd59f2e 100644
init_domtrans_script(firstboot_t)
init_rw_utmp(firstboot_t)
-@@ -75,12 +84,9 @@ logging_send_syslog_msg(firstboot_t)
+@@ -75,12 +80,9 @@ logging_send_syslog_msg(firstboot_t)
miscfiles_read_localization(firstboot_t)
@@ -59337,7 +59326,7 @@ index c4d8998..bd59f2e 100644
# Add/remove user home directories
userdom_manage_user_home_content_dirs(firstboot_t)
userdom_manage_user_home_content_files(firstboot_t)
-@@ -91,10 +97,6 @@ userdom_home_filetrans_user_home_dir(firstboot_t)
+@@ -91,10 +93,6 @@ userdom_home_filetrans_user_home_dir(firstboot_t)
userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
@@ -59348,7 +59337,7 @@ index c4d8998..bd59f2e 100644
dbus_system_bus_client(firstboot_t)
optional_policy(`
-@@ -103,8 +105,18 @@ optional_policy(`
+@@ -103,8 +101,18 @@ optional_policy(`
')
optional_policy(`
@@ -59367,7 +59356,7 @@ index c4d8998..bd59f2e 100644
optional_policy(`
samba_rw_config(firstboot_t)
-@@ -113,7 +125,7 @@ optional_policy(`
+@@ -113,7 +121,7 @@ optional_policy(`
optional_policy(`
unconfined_domtrans(firstboot_t)
# The big hammer
@@ -59376,7 +59365,7 @@ index c4d8998..bd59f2e 100644
')
optional_policy(`
-@@ -125,6 +137,7 @@ optional_policy(`
+@@ -125,6 +133,7 @@ optional_policy(`
')
optional_policy(`
@@ -59384,7 +59373,7 @@ index c4d8998..bd59f2e 100644
gnome_manage_config(firstboot_t)
')
-@@ -132,4 +145,5 @@ optional_policy(`
+@@ -132,4 +141,5 @@ optional_policy(`
xserver_domtrans(firstboot_t)
xserver_rw_shm(firstboot_t)
xserver_unconfined(firstboot_t)
@@ -67178,7 +67167,7 @@ index fbb5c5a..ce9aee0 100644
')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..ceef6bd 100644
+index 2e9318b..e143bab 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -12,6 +12,13 @@ policy_module(mozilla, 2.3.3)
@@ -67248,7 +67237,7 @@ index 2e9318b..ceef6bd 100644
+auth_use_nsswitch(mozilla_t)
+
-+libs_exec_lib_files(mozilla_plugin_t)
++
+
logging_send_syslog_msg(mozilla_t)
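Review bot: The removed `libs_exec_lib_files(mozilla_plugin_t)` is replaced here by an empty added line (`++`), which leaves two consecutive blank lines in the inner patch ahead of `logging_send_syslog_msg(mozilla_t)`; it looks as if the blank was kept only to preserve the inner hunk's line count. Dropping the line and adjusting the inner `@@` count is cleaner than carrying an empty addition. Removing the rule from the mozilla_t section is itself correct, since it names mozilla_plugin_t and is re-added in that domain's section later in this commit.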
@@ -67306,7 +67295,7 @@ index 2e9318b..ceef6bd 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -296,25 +311,34 @@ optional_policy(`
+@@ -296,25 +311,35 @@ optional_policy(`
# mozilla_plugin local policy
#
@@ -67338,18 +67327,19 @@ index 2e9318b..ceef6bd 100644
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
++manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
-files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
-userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
-+xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
++xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -322,6 +346,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -322,6 +347,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
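Review bot: `manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, ...)` is added and `lnk_file` joins the class list of `xserver_xdm_tmp_filetrans`, but the two transitions on the lines just above, `files_tmp_filetrans(...)` and `userdom_user_tmp_filetrans(...)`, still list only `{ dir file fifo_file sock_file }`. A symlink the plugin creates directly in /tmp or in a user tmp dir therefore does not become mozilla_plugin_tmp_t, and unless a rule outside this hunk grants lnk_file create on the generic tmp types the create is denied, whereas the same symlink under xdm_tmp_t now works. If symlink creation is the case being fixed, extend both: `files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })` and the same class list for `userdom_user_tmp_filetrans`. Whether the denial was seen under /tmp or only under xdm_tmp_t is not visible from the hunk.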
@@ -67360,7 +67350,7 @@ index 2e9318b..ceef6bd 100644
can_exec(mozilla_plugin_t, mozilla_exec_t)
kernel_read_kernel_sysctls(mozilla_plugin_t)
-@@ -331,22 +359,32 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -331,22 +360,32 @@ kernel_request_load_module(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
@@ -67399,7 +67389,7 @@ index 2e9318b..ceef6bd 100644
dev_read_video_dev(mozilla_plugin_t)
dev_write_video_dev(mozilla_plugin_t)
dev_read_sysfs(mozilla_plugin_t)
-@@ -355,6 +393,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -355,6 +394,7 @@ dev_write_sound(mozilla_plugin_t)
# for nvidia driver
dev_rw_xserver_misc(mozilla_plugin_t)
dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -67407,7 +67397,7 @@ index 2e9318b..ceef6bd 100644
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,11 +401,14 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,15 +402,21 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
@@ -67422,7 +67412,14 @@ index 2e9318b..ceef6bd 100644
application_dontaudit_signull(mozilla_plugin_t)
auth_use_nsswitch(mozilla_plugin_t)
-@@ -383,35 +425,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+
++libs_exec_ld_so(mozilla_plugin_t)
++libs_exec_lib_files(mozilla_plugin_t)
++
+ logging_send_syslog_msg(mozilla_plugin_t)
+
+ miscfiles_read_localization(mozilla_plugin_t)
+@@ -383,35 +429,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
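Review bot: `libs_exec_ld_so(mozilla_plugin_t)` lets the plugin domain run the dynamic loader directly, and invoking ld.so on a path loads that file as the program regardless of whether the file's type is executable for mozilla_plugin_t; for a domain whose job is to contain untrusted browser plugins this effectively turns read access on an ELF into execute access. Together with `libs_exec_lib_files(mozilla_plugin_t)` and the existing `can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)`, the domain's rules no longer bound what code it can run, only what files it can read. If a specific plugin helper needs this, a comment above the two lines naming that helper and the trade-off, e.g. `# the plugin wrapper invokes ld.so directly; this also lets the domain run any readable ELF`, makes the decision reviewable, and labeling that helper with an entrypoint and transitioning is the narrower alternative. The mozilla_plugin_t policy continues before and after this hunk.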
@@ -67470,7 +67467,7 @@ index 2e9318b..ceef6bd 100644
optional_policy(`
alsa_read_rw_config(mozilla_plugin_t)
-@@ -421,24 +455,32 @@ optional_policy(`
+@@ -421,24 +459,32 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(mozilla_plugin_t)
dbus_session_bus_client(mozilla_plugin_t)
@@ -67507,18 +67504,18 @@ index 2e9318b..ceef6bd 100644
')
optional_policy(`
-@@ -446,10 +488,102 @@ optional_policy(`
+@@ -446,10 +492,102 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
+ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
- ')
-
- optional_policy(`
-+ pcscd_stream_connect(mozilla_plugin_t)
+')
+
+optional_policy(`
++ pcscd_stream_connect(mozilla_plugin_t)
+ ')
+
+ optional_policy(`
+ rtkit_scheduled(mozilla_plugin_t)
+')
+
@@ -67536,7 +67533,7 @@ index 2e9318b..ceef6bd 100644
+ xserver_read_user_iceauth(mozilla_plugin_t)
+ xserver_read_user_xauth(mozilla_plugin_t)
+ xserver_append_xdm_home_files(mozilla_plugin_t);
- ')
++')
+
+########################################
+#
@@ -67604,7 +67601,7 @@ index 2e9318b..ceef6bd 100644
+ typealias mozilla_home_t alias nsplugin_home_t;
+ typealias mozilla_plugin_config_t alias nsplugin_config_t;
+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
-+')
+ ')
+
+tunable_policy(`mozilla_plugin_enable_homedirs',`
+ userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
@@ -71377,10 +71374,10 @@ index 0000000..9127cec
+')
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..386f9a1
+index 0000000..9cc870f
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,109 @@
+@@ -0,0 +1,110 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -71475,6 +71472,7 @@ index 0000000..386f9a1
+xserver_read_xdm_home_files(thumb_t)
+xserver_append_xdm_home_files(thumb_t)
+xserver_dontaudit_read_xdm_pid(thumb_t)
++xserver_dontaudit_xdm_tmp_dirs(thumb_t)
+xserver_stream_connect(thumb_t)
+
+optional_policy(`
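Review bot: `xserver_dontaudit_xdm_tmp_dirs(thumb_t)` silences the denial but does not make the operation succeed, so whatever the thumbnailer attempts on xdm_tmp_t directories (the changelog says a setattr) still fails, now without an AVC to point at it. The interface body is not in this view, so confirm it dontaudits only the permissions actually hit rather than a broad directory permission set, and confirm losing the operation is harmless. A comment above the line such as `# thumbnailer setattr on the xdm tmp dir is not needed; hide the noise` records that judgement; if the thumbnailer genuinely needs to write there, the fix is an allow on a private tmp type, not a dontaudit.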
@@ -72207,7 +72205,7 @@ index 223ad43..d95e720 100644
rsync_exec(yam_t)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..0ebbc4f 100644
+index 3fae11a..ee313ec 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -72258,7 +72256,16 @@ index 3fae11a..0ebbc4f 100644
/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
-@@ -130,18 +138,14 @@ ifdef(`distro_debian',`
+@@ -110,6 +118,8 @@ ifdef(`distro_redhat',`
+ /etc/sysconfig/network-scripts/net.* gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/network-scripts/init.* gen_context(system_u:object_r:bin_t,s0)
+
++/etc/tuned/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
+@@ -130,18 +140,14 @@ ifdef(`distro_debian',`
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -72279,7 +72286,7 @@ index 3fae11a..0ebbc4f 100644
/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -152,7 +156,7 @@ ifdef(`distro_gentoo',`
+@@ -152,7 +158,7 @@ ifdef(`distro_gentoo',`
#
# /sbin
#
@@ -72288,7 +72295,7 @@ index 3fae11a..0ebbc4f 100644
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +172,7 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +174,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -72296,7 +72303,7 @@ index 3fae11a..0ebbc4f 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -179,67 +184,93 @@ ifdef(`distro_gentoo',`
+@@ -179,67 +186,93 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -72435,7 +72442,7 @@ index 3fae11a..0ebbc4f 100644
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -247,11 +278,18 @@ ifdef(`distro_gentoo',`
+@@ -247,11 +280,18 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -72455,7 +72462,7 @@ index 3fae11a..0ebbc4f 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -267,6 +305,10 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +307,10 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -72466,7 +72473,7 @@ index 3fae11a..0ebbc4f 100644
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,15 +328,19 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +330,19 @@ ifdef(`distro_gentoo',`
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
@@ -72487,7 +72494,7 @@ index 3fae11a..0ebbc4f 100644
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +352,12 @@ ifdef(`distro_redhat', `
+@@ -306,10 +354,12 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -72502,7 +72509,7 @@ index 3fae11a..0ebbc4f 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +367,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +369,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -72514,7 +72521,7 @@ index 3fae11a..0ebbc4f 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,20 +413,21 @@ ifdef(`distro_redhat', `
+@@ -363,20 +415,21 @@ ifdef(`distro_redhat', `
ifdef(`distro_suse', `
/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -72540,7 +72547,7 @@ index 3fae11a..0ebbc4f 100644
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +436,13 @@ ifdef(`distro_suse', `
+@@ -385,3 +438,13 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -74130,7 +74137,7 @@ index 8e0f9cd..da3b374 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..8cec913 100644
+index 99b71cb..5f4353e 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,15 @@ attribute netif_type;
@@ -74278,7 +74285,7 @@ index 99b71cb..8cec913 100644
network_port(ipmi, udp,623,s0, udp,664,s0)
network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +178,32 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,84 +178,118 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -74314,7 +74321,10 @@ index 99b71cb..8cec913 100644
network_port(mpd, tcp,6600,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,61 +213,82 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+ network_port(munin, tcp,4949,s0, udp,4949,s0)
++network_port(mxi, tcp,8005, s0, udp, 8005,s0)
+ network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
+ network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
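Review bot: The new line `network_port(mxi, tcp,8005, s0, udp, 8005,s0)` uses spacing that matches none of its neighbours; write it as `network_port(mxi, tcp,8005,s0, udp,8005,s0)` so it reads like the rest of the table. More importantly, giving 8005 its own type takes it out of the generic unreserved port type it presumably had before, so any domain that bound or connected to 8005 through a generic or all-ports rule rather than a named one loses that access once this ships, and 8005 is a commonly reused local control port (the Tomcat shutdown convention, for instance), so a collision is plausible. Worth checking which domains are expected to reach mxi_port_t and that the matching corenet interfaces exist in this commit; neither is visible here.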
@@ -74405,7 +74415,7 @@ index 99b71cb..8cec913 100644
network_port(traceroute, udp,64000-64010,s0)
network_port(transproxy, tcp,8081,s0)
network_port(ups, tcp,3493,s0)
-@@ -215,9 +297,12 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +298,12 @@ network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -74419,7 +74429,7 @@ index 99b71cb..8cec913 100644
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -229,6 +314,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +315,7 @@ network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -74427,7 +74437,7 @@ index 99b71cb..8cec913 100644
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -238,6 +324,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +325,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -74440,7 +74450,7 @@ index 99b71cb..8cec913 100644
########################################
#
-@@ -282,9 +374,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +375,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -76735,7 +76745,7 @@ index fae1ab1..0a5271f 100644
+
+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c19518a..7ace2f2 100644
+index c19518a..57d0131 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -76789,7 +76799,16 @@ index c19518a..7ace2f2 100644
#
# /lost+found
-@@ -146,7 +155,7 @@ HOME_ROOT/lost\+found/.* <<none>>
+@@ -122,6 +131,8 @@ HOME_ROOT/lost\+found/.* <<none>>
+ /media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
+ /media/[^/]*/.* <<none>>
+ /media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)
++/var/run/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
++/var/run/media/.* <<none>>
+
+ #
+ # /misc
+@@ -146,7 +157,7 @@ HOME_ROOT/lost\+found/.* <<none>>
/opt -d gen_context(system_u:object_r:usr_t,s0)
/opt/.* gen_context(system_u:object_r:usr_t,s0)
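Review bot: `/var/run/media(/[^/]*)? -d` mirrors the /media entry, but /run/media is commonly laid out one level deeper (a per-user directory with the mount points under it); if that is the layout in use, this pattern labels only /run/media and /run/media/<user> as mnt_t, while the actual mount point directories fall under `/var/run/media/.* <<none>>` and are left alone by restorecon. That is probably harmless when the mounting daemon creates them with the right context, but it is not the same as "match /media". If the mount points are meant to be covered, add `/var/run/media/[^/]*/[^/]* -d gen_context(system_u:object_r:mnt_t,s0)` and narrow the none entry to `/var/run/media/[^/]*/[^/]*/.* <<none>>` so the two do not overlap, as the /media pair does; either way a comment above the two lines stating which layout is assumed would help, since the hunk gives no hint.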
@@ -76798,7 +76817,7 @@ index c19518a..7ace2f2 100644
#
# /proc
-@@ -154,6 +163,12 @@ HOME_ROOT/lost\+found/.* <<none>>
+@@ -154,6 +165,12 @@ HOME_ROOT/lost\+found/.* <<none>>
/proc -d <<none>>
/proc/.* <<none>>
@@ -76811,7 +76830,7 @@ index c19518a..7ace2f2 100644
#
# /run
#
-@@ -190,6 +205,7 @@ HOME_ROOT/lost\+found/.* <<none>>
+@@ -190,6 +207,7 @@ HOME_ROOT/lost\+found/.* <<none>>
/usr -d gen_context(system_u:object_r:usr_t,s0)
/usr/.* gen_context(system_u:object_r:usr_t,s0)
/usr/\.journal <<none>>
@@ -76819,7 +76838,7 @@ index c19518a..7ace2f2 100644
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-@@ -206,6 +222,7 @@ HOME_ROOT/lost\+found/.* <<none>>
+@@ -206,6 +224,7 @@ HOME_ROOT/lost\+found/.* <<none>>
/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/lost\+found/.* <<none>>
@@ -76827,7 +76846,7 @@ index c19518a..7ace2f2 100644
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
-@@ -214,7 +231,6 @@ HOME_ROOT/lost\+found/.* <<none>>
+@@ -214,7 +233,6 @@ HOME_ROOT/lost\+found/.* <<none>>
ifndef(`distro_redhat',`
/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
@@ -76835,7 +76854,7 @@ index c19518a..7ace2f2 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -230,17 +246,20 @@ ifndef(`distro_redhat',`
+@@ -230,17 +248,20 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -76857,7 +76876,7 @@ index c19518a..7ace2f2 100644
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
-@@ -257,3 +276,5 @@ ifndef(`distro_redhat',`
+@@ -257,3 +278,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
@@ -83571,10 +83590,10 @@ index 0000000..bac0dc0
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..07b26fb
+index 0000000..16e91da
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,392 @@
+@@ -0,0 +1,376 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -83899,18 +83918,10 @@ index 0000000..07b26fb
+')
+
+optional_policy(`
-+ ncftool_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
-+ prelink_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
+ portmap_run_helper(unconfined_t, unconfined_r)
+')
+
@@ -83941,18 +83952,10 @@ index 0000000..07b26fb
+')
+
+optional_policy(`
-+ vbetool_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
+ virt_transition_svirt(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
-+ vpn_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
+ webalizer_run(unconfined_t, unconfined_r)
+')
+
@@ -85707,7 +85710,7 @@ index deca9d3..ac92fce 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..c1e18e1 100644
+index 9e39aa5..0bd78fc 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,39 +1,54 @@
@@ -85798,7 +85801,7 @@ index 9e39aa5..c1e18e1 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,39 +92,72 @@ ifdef(`distro_suse', `
+@@ -73,39 +92,73 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -85837,6 +85840,7 @@ index 9e39aa5..c1e18e1 100644
+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -88335,7 +88339,7 @@ index c804110..06a516f 100644
+ allow $1 arpwatch_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
-index 804135f..613f77f 100644
+index 804135f..0f7ec8d 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
@@ -88352,7 +88356,7 @@ index 804135f..613f77f 100644
allow arpwatch_t self:udp_socket create_socket_perms;
allow arpwatch_t self:packet_socket create_socket_perms;
allow arpwatch_t self:socket create_socket_perms;
-+allow arpwatch_t self:netlink_socket create_socket_perms;;
++allow arpwatch_t self:netlink_socket create_socket_perms;
manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
@@ -92636,10 +92640,10 @@ index 6077339..d10acd2 100644
dev_manage_generic_blk_files(clogd_t)
diff --git a/policy/modules/services/cloudform.fc b/policy/modules/services/cloudform.fc
new file mode 100644
-index 0000000..3fe384f
+index 0000000..0362135
--- /dev/null
+++ b/policy/modules/services/cloudform.fc
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,23 @@
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+
@@ -92660,6 +92664,7 @@ index 0000000..3fe384f
+
+/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
++/var/run/aeolus-configserv(/.*)? gen_context(system_u:object_r:thin_var_run_t,s0)
+/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0)
+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if
@@ -92710,10 +92715,10 @@ index 0000000..7f55959
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
-index 0000000..787b40a
+index 0000000..01f88c9
--- /dev/null
+++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,237 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -92929,7 +92934,8 @@ index 0000000..787b40a
+logging_log_filetrans(thin_t, thin_log_t, { file dir })
+
+manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
-+files_pid_filetrans(thin_t, thin_var_run_t, { file })
++manage_dirs_pattern(thin_t, thin_var_run_t, thin_var_run_t)
++files_pid_filetrans(thin_t, thin_var_run_t, { file dir })
+
+corecmd_exec_bin(thin_t)
+
@@ -98505,7 +98511,7 @@ index 0a1a61b..64742c6 100644
domain_system_change_exemption($1)
role_transition $2 ddclient_initrc_exec_t system_r;
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
-index 24ba98a..b8d064a 100644
+index 24ba98a..2b5df96 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
@@ -98554,10 +98560,12 @@ index 24ba98a..b8d064a 100644
corenet_tcp_connect_all_ports(ddclient_t)
corenet_sendrecv_all_client_packets(ddclient_t)
-@@ -89,6 +100,8 @@ files_read_usr_files(ddclient_t)
+@@ -89,6 +100,10 @@ files_read_usr_files(ddclient_t)
fs_getattr_all_fs(ddclient_t)
fs_search_auto_mountpoints(ddclient_t)
++auth_read_passwd(ddclient_t)
++
+mta_send_mail(ddclient_t)
+
logging_send_syslog_msg(ddclient_t)
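Review bot: `auth_read_passwd(ddclient_t)` grants read on the passwd file only; if the denial came from a getpwnam()/getpwuid() lookup, which is what a daemon typically does when it resolves a configured user or drops privileges, `auth_use_nsswitch(ddclient_t)` is the conventional interface because it should also cover the nss backends the same call can hit, and if ddclient_t already has it elsewhere in its policy (outside this hunk) the new line is redundant. Either way a short reason above the line, e.g. `# presumably resolves its run-as user; confirm`, would explain why a dynamic-DNS client needs the user database. The ddclient_t policy continues outside this hunk.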
@@ -100861,7 +100869,7 @@ index e1d7dc5..13e4800 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..0e55b6d 100644
+index acf6d4f..828fb40 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,4 +1,4 @@
@@ -100959,17 +100967,15 @@ index acf6d4f..0e55b6d 100644
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
userdom_manage_user_home_content_dirs(dovecot_t)
userdom_manage_user_home_content_files(dovecot_t)
-@@ -152,18 +162,34 @@ userdom_manage_user_home_content_symlinks(dovecot_t)
- userdom_manage_user_home_content_pipes(dovecot_t)
+@@ -153,6 +163,7 @@ userdom_manage_user_home_content_pipes(dovecot_t)
userdom_manage_user_home_content_sockets(dovecot_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
-+mta_manage_home_rw(dovecot_t)
++mta_manage_home_rw(dovecot_t)
mta_manage_spool(dovecot_t)
-+mta_read_home_rw(dovecot_t)
optional_policy(`
- kerberos_keytab_template(dovecot, dovecot_t)
+@@ -160,10 +171,24 @@ optional_policy(`
')
optional_policy(`
@@ -100994,7 +101000,7 @@ index acf6d4f..0e55b6d 100644
seutil_sigchld_newrole(dovecot_t)
')
-@@ -180,8 +206,8 @@ optional_policy(`
+@@ -180,8 +205,8 @@ optional_policy(`
# dovecot auth local policy
#
@@ -101005,7 +101011,7 @@ index acf6d4f..0e55b6d 100644
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +216,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -190,6 +215,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
@@ -101015,7 +101021,7 @@ index acf6d4f..0e55b6d 100644
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,9 +230,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -201,9 +229,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
@@ -101028,7 +101034,7 @@ index acf6d4f..0e55b6d 100644
dev_read_urand(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -216,7 +248,8 @@ files_read_usr_files(dovecot_auth_t)
+@@ -216,7 +247,8 @@ files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
@@ -101038,7 +101044,7 @@ index acf6d4f..0e55b6d 100644
init_rw_utmp(dovecot_auth_t)
-@@ -236,6 +269,8 @@ optional_policy(`
+@@ -236,6 +268,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
@@ -101047,7 +101053,7 @@ index acf6d4f..0e55b6d 100644
')
optional_policy(`
-@@ -243,6 +278,8 @@ optional_policy(`
+@@ -243,6 +277,8 @@ optional_policy(`
')
optional_policy(`
@@ -101056,7 +101062,7 @@ index acf6d4f..0e55b6d 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -250,23 +287,42 @@ optional_policy(`
+@@ -250,23 +286,42 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -101101,7 +101107,7 @@ index acf6d4f..0e55b6d 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -283,24 +339,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +338,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
@@ -101129,7 +101135,7 @@ index acf6d4f..0e55b6d 100644
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
+ mta_read_queue(dovecot_deliver_t)
-+ mta_read_home_rw(dovecot_deliver_t)
++ mta_manage_home_rw(dovecot_deliver_t)
+')
+
+optional_policy(`
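Review bot: Swapping `mta_read_home_rw` for `mta_manage_home_rw` widens dovecot_deliver_t from reading to creating, writing and deleting mail_home_rw_t content in every user's home directory, and the line carries no comment saying why the full manage set is required. For a local delivery agent that has to create and rename files under the per-user mail directory (presumably the Maildir layout the mta.if change in this commit transitions) this is expected, but a reader of the policy cannot tell that from the rule alone. A comment such as `# delivery creates and renames files inside the user's Maildir, so manage rather than write` above the call would record the reason. The enclosing optional_policy block begins before this hunk.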
@@ -110931,7 +110937,7 @@ index 256166a..a8fe27a 100644
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..d5a1725 100644
+index 343cee3..68e2429 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -37,6 +37,7 @@ interface(`mta_stub',`
@@ -111347,7 +111353,7 @@ index 343cee3..d5a1725 100644
## Read sendmail binary.
## </summary>
## <param name="domain">
-@@ -899,3 +983,169 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +983,170 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -111440,6 +111446,7 @@ index 343cee3..d5a1725 100644
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
++ read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+
+ ifdef(`distro_redhat',`
@@ -113441,7 +113448,7 @@ index 2324d9e..da61d01 100644
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..103f6f8 100644
+index 0619395..ff617f1 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -113539,7 +113546,14 @@ index 0619395..103f6f8 100644
files_read_usr_files(NetworkManager_t)
files_read_usr_src_files(NetworkManager_t)
-@@ -133,30 +165,37 @@ logging_send_syslog_msg(NetworkManager_t)
+@@ -128,35 +160,44 @@ init_domtrans_script(NetworkManager_t)
+
+ auth_use_nsswitch(NetworkManager_t)
+
++libs_exec_ldconfig(NetworkManager_t)
++
+ logging_send_syslog_msg(NetworkManager_t)
+
miscfiles_read_localization(NetworkManager_t)
miscfiles_read_generic_certs(NetworkManager_t)
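Review bot: `libs_exec_ldconfig(NetworkManager_t)` runs ldconfig inside NetworkManager_t instead of transitioning to ldconfig_t, so if that ldconfig ever tries to rewrite the shared-library cache the write will still be denied and audited in NetworkManager_t's name; if wicd, which the changelog names and which apparently shares this domain, only performs a read-only lookup such as `ldconfig -p`, the non-transitioning form is the right one, otherwise `libs_domtrans_ldconfig` would be. Whichever case applies, a comment above the call, e.g. `# wicd invokes ldconfig at start-up (read-only cache lookup, no transition needed)`, would make the choice reviewable. The NetworkManager_t rules continue outside this hunk.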
@@ -113579,7 +113593,7 @@ index 0619395..103f6f8 100644
')
optional_policy(`
-@@ -176,10 +215,17 @@ optional_policy(`
+@@ -176,10 +217,17 @@ optional_policy(`
')
optional_policy(`
@@ -113597,7 +113611,7 @@ index 0619395..103f6f8 100644
')
')
-@@ -191,6 +237,7 @@ optional_policy(`
+@@ -191,6 +239,7 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -113605,7 +113619,7 @@ index 0619395..103f6f8 100644
')
optional_policy(`
-@@ -202,23 +249,45 @@ optional_policy(`
+@@ -202,23 +251,45 @@ optional_policy(`
')
optional_policy(`
@@ -113640,18 +113654,18 @@ index 0619395..103f6f8 100644
# Dispatcher starting and stoping ntp
ntp_initrc_domtrans(NetworkManager_t)
+ ntp_systemctl(NetworkManager_t)
-+')
-+
-+optional_policy(`
-+ modutils_domtrans_insmod(NetworkManager_t)
')
optional_policy(`
++ modutils_domtrans_insmod(NetworkManager_t)
++')
++
++optional_policy(`
+ openvpn_read_config(NetworkManager_t)
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -234,6 +303,10 @@ optional_policy(`
+@@ -234,6 +305,10 @@ optional_policy(`
')
optional_policy(`
@@ -113662,7 +113676,7 @@ index 0619395..103f6f8 100644
ppp_initrc_domtrans(NetworkManager_t)
ppp_domtrans(NetworkManager_t)
ppp_manage_pid_files(NetworkManager_t)
-@@ -241,6 +314,7 @@ optional_policy(`
+@@ -241,6 +316,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -113670,7 +113684,7 @@ index 0619395..103f6f8 100644
')
optional_policy(`
-@@ -254,6 +328,10 @@ optional_policy(`
+@@ -254,6 +330,10 @@ optional_policy(`
')
optional_policy(`
@@ -113681,7 +113695,7 @@ index 0619395..103f6f8 100644
udev_exec(NetworkManager_t)
udev_read_db(NetworkManager_t)
')
-@@ -263,6 +341,7 @@ optional_policy(`
+@@ -263,6 +343,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -116813,10 +116827,10 @@ index e9cf8a4..9a7e5dc 100644
diff --git a/policy/modules/services/piranha.fc b/policy/modules/services/piranha.fc
new file mode 100644
-index 0000000..2c7e06f
+index 0000000..20ea9f5
--- /dev/null
+++ b/policy/modules/services/piranha.fc
-@@ -0,0 +1,26 @@
+@@ -0,0 +1,24 @@
+
+/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
+
@@ -116825,8 +116839,6 @@ index 0000000..2c7e06f
+
+/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
+
-+/usr/bin/paster -- gen_context(system_u:object_r:piranha_web_exec_t,s0)
-+
+/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0)
+/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
+/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0)
@@ -119172,7 +119184,7 @@ index 46bee12..99499ef 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..aa63a83 100644
+index a32c4b3..57dde1e 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,15 @@ policy_module(postfix, 1.12.1)
@@ -119588,7 +119600,7 @@ index a32c4b3..aa63a83 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +733,75 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +733,76 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -119610,6 +119622,7 @@ index a32c4b3..aa63a83 100644
+allow postfix_domain self:unix_stream_socket connectto;
+allow postfix_domain self:fifo_file rw_fifo_file_perms;
+
++allow postfix_master_t postfix_domain:fifo_file { read write };
+allow postfix_master_t postfix_domain:process signal;
+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
+allow postfix_domain postfix_master_t:file read;
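Review bot: `allow postfix_master_t postfix_domain:fifo_file { read write };` spells out a bare permission list for what are, given the domain-typed object, the unnamed pipes of the postfix child processes, while elsewhere in this same patch the project uses `rw_inherited_fifo_file_perms` for that purpose (see the authlogin.if change in this commit); whether the macro's wider set is wanted here should be checked, but the rule should at least say what it is for. The neighbouring rule cites a bug number and this one does not, so a line such as `# master exchanges data with its children over pipes they create` above it would keep the block consistent. The postfix_domain rules continue outside this hunk.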
@@ -125548,7 +125561,7 @@ index cda37bb..b3469d6 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..f30c62e 100644
+index b1468ed..b23ea37 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -125596,7 +125609,12 @@ index b1468ed..f30c62e 100644
type nfsd_rw_t;
files_type(nfsd_rw_t)
-@@ -62,9 +68,10 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
+@@ -58,13 +64,14 @@ files_mountpoint(var_lib_nfs_t)
+ # RPC local policy
+ #
+
+-allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
++allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
allow rpcd_t self:process { getcap setcap };
allow rpcd_t self:fifo_file rw_fifo_file_perms;
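Review bot: Adding `setpcap` to rpcd_t's capability set comes with no comment on which of the rpc daemons needs it; next to the existing `allow rpcd_t self:process { getcap setcap };` it looks like one of them now drops capabilities after start-up, which is the benign direction, but since the same rule also carries sys_admin and setuid it is worth confirming that the capability is only used to shrink the set. A short `# rpc daemons drop capabilities after initialisation (setpcap + setcap)` above the allow line would record that. The "RPC local policy" section continues past the end of this hunk.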
@@ -125698,16 +125716,17 @@ index b1468ed..f30c62e 100644
storage_dontaudit_read_fixed_disk(nfsd_t)
storage_raw_read_removable_device(nfsd_t)
-@@ -148,6 +184,8 @@ storage_raw_read_removable_device(nfsd_t)
+@@ -148,6 +184,9 @@ storage_raw_read_removable_device(nfsd_t)
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
+userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
++userdom_list_user_tmp(nfsd_t)
+
# Write access to public_content_t and public_content_rw_t
tunable_policy(`allow_nfsd_anon_write',`
miscfiles_manage_public_files(nfsd_t)
-@@ -158,7 +196,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -158,7 +197,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
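Review bot: `userdom_list_user_tmp(nfsd_t)` is added as an unconditional rule, whereas the surrounding access to non-export content in this hunk is gated by the `allow_nfsd_anon_write`, `nfs_export_all_rw` and `nfs_export_all_ro` tunables; listing user temporary directories is presumably only needed when such directories fall under an export, so the call seems to belong inside the `nfs_export_all_ro` block, or it should carry a comment explaining why it must be unconditional. Something like `# exported trees may contain user tmp directories; listing only` above the line would do if it stays where it is. The nfsd_t rules continue outside this hunk.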
@@ -125715,7 +125734,7 @@ index b1468ed..f30c62e 100644
')
tunable_policy(`nfs_export_all_ro',`
-@@ -170,8 +207,11 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -170,8 +208,11 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@@ -125729,7 +125748,7 @@ index b1468ed..f30c62e 100644
')
########################################
-@@ -181,7 +221,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -181,7 +222,7 @@ tunable_policy(`nfs_export_all_ro',`
allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
allow gssd_t self:process { getsched setsched };
@@ -125738,7 +125757,7 @@ index b1468ed..f30c62e 100644
manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +239,7 @@ corecmd_exec_bin(gssd_t)
+@@ -199,6 +240,7 @@ corecmd_exec_bin(gssd_t)
fs_list_rpc(gssd_t)
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
@@ -125746,7 +125765,7 @@ index b1468ed..f30c62e 100644
fs_list_inotifyfs(gssd_t)
files_list_tmp(gssd_t)
-@@ -210,14 +251,14 @@ auth_manage_cache(gssd_t)
+@@ -210,14 +252,14 @@ auth_manage_cache(gssd_t)
miscfiles_read_generic_certs(gssd_t)
@@ -125763,7 +125782,7 @@ index b1468ed..f30c62e 100644
')
optional_policy(`
-@@ -226,6 +267,11 @@ optional_policy(`
+@@ -226,6 +268,11 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(gssd, gssd_t)
@@ -128716,15 +128735,16 @@ index c117e8b..e428bb9 100644
+ files_list_pids($1)
')
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
-index 179bc1b..735c400 100644
+index 179bc1b..ad84161 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
-@@ -32,17 +32,17 @@ files_pid_file(snort_var_run_t)
+@@ -32,17 +32,18 @@ files_pid_file(snort_var_run_t)
allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
dontaudit snort_t self:capability sys_tty_config;
allow snort_t self:process signal_perms;
-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow snort_t self:netlink_route_socket create_netlink_socket_perms;
++allow snort_t self:netlink_socket create_socket_perms;
allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
allow snort_t self:packet_socket create_socket_perms;
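Review bot: The new `allow snort_t self:netlink_socket create_socket_perms;` uses the generic netlink_socket class, which stands for every netlink family that has no dedicated class of its own, so the rule is broader than the single family snort actually opens and a comment naming that family would let it be narrowed if a dedicated class is introduced later. Inline (NFQUEUE) operation over nfnetlink seems the likely reason, but that is inferred and should be replaced by whatever the audit log showed. Suggested comment above the line: `# <family seen in AVC> has no dedicated class and maps to the generic netlink_socket`. The snort_t rules continue past this hunk.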
@@ -128764,13 +128784,17 @@ index 93fe7bf..1b07ed4 100644
init_labeled_script_domtrans($1, soundd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
-index 6b3abf9..21f3e07 100644
+index 6b3abf9..710a033 100644
--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
-@@ -1,15 +1,38 @@
+@@ -1,15 +1,50 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
++HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++/root/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++/root/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+
+/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
@@ -128802,12 +128826,20 @@ index 6b3abf9..21f3e07 100644
+/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+
++/etc/pyzor(/.*)? gen_context(system_u:object_r:spamd_etc_t, s0)
+/etc/razor(/.*)? gen_context(system_u:object_r:spamd_etc_t,s0)
++/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:spamdd_initrc_exec_t,s0)
+
+/usr/bin/razor.* -- gen_context(system_u:object_r:spamc_exec_t,s0)
+
++/var/lib/pyzord(/.*)? gen_context(system_u:object_r:spamc_var_lib_t,s0)
+/var/lib/razor(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
++
++/var/log/pyzord\.log -- gen_context(system_u:object_r:spamd_log_t,s0)
+/var/log/razor-agent\.log -- gen_context(system_u:object_r:spamd_log_t,s0)
++
++/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0)
++/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0)
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index c954f31..82fc7f6 100644
--- a/policy/modules/services/spamassassin.if
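Review bot: `/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:spamdd_initrc_exec_t,s0)` names a type that does not exist — the spamd init script entry earlier in this file uses `spamd_initrc_exec_t` — and an unknown type in a file context should fail file-context validation when the module is built or loaded. In the same hunk `/var/lib/pyzord(/.*)?` is labelled `spamc_var_lib_t`, while the razor entry directly beneath it and the `typealias spamd_var_lib_t alias pyzor_var_lib_t;` added to spamassassin.te in this commit both use `spamd_var_lib_t`; a daemon's state directory carrying the daemon type is what the alias expects, so this looks like a second typo. Lastly the `/etc/pyzor(/.*)?` line has a stray space before `s0` in its gen_context call that no other entry has, and the two `/usr/bin/pyzor*` entries are placed after the /var/log lines rather than with the other /usr/bin entries.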
@@ -129025,10 +129057,10 @@ index c954f31..82fc7f6 100644
+ admin_pattern($1, spamd_var_run_t)
')
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..9d10f0b 100644
+index ec1eb1e..171aea4 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
-@@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0)
+@@ -6,56 +6,123 @@ policy_module(spamassassin, 2.4.0)
#
## <desc>
@@ -129109,6 +129141,28 @@ index ec1eb1e..9d10f0b 100644
+
+ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
++ typealias spamc_t alias pyzor_t;
++ typealias spamc_exec_t alias pyzor_exec_t;
++ typealias spamd_t alias pyzord_t;
++ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
++ typealias spamd_exec_t alias pyzord_exec_t;
++ typealias spamc_tmp_t alias pyzor_tmp_t;
++ typealias spamd_log_t alias pyzor_log_t;
++ typealias spamd_log_t alias pyzord_log_t;
++ typealias spamd_var_lib_t alias pyzor_var_lib_t;
++ typealias spamd_etc_t alias pyzor_etc_t;
++ typealias spamc_home_t alias pyzor_home_t;
++ typealias spamc_home_t alias user_pyzor_home_t;
++ typealias spamc_t alias razor_t;
++ typealias spamc_exec_t alias razor_exec_t;
++ typealias spamd_log_t alias razor_log_t;
++ typealias spamd_var_lib_t alias razor_var_lib_t;
++ typealias spamd_etc_t alias razor_etc_t;
++ typealias spamc_home_t alias razor_home_t;
++ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
++ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
++ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
++ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+',`
+ type spamassassin_t;
+ type spamassassin_exec_t;
@@ -129167,7 +129221,7 @@ index ec1eb1e..9d10f0b 100644
type spamd_tmp_t;
files_tmp_file(spamd_tmp_t)
-@@ -102,12 +147,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+@@ -102,12 +169,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
@@ -129182,7 +129236,7 @@ index ec1eb1e..9d10f0b 100644
# this should probably be removed
corecmd_list_bin(spamassassin_t)
-@@ -148,6 +195,9 @@ tunable_policy(`spamassassin_can_network',`
+@@ -148,6 +217,9 @@ tunable_policy(`spamassassin_can_network',`
corenet_udp_sendrecv_all_ports(spamassassin_t)
corenet_tcp_connect_all_ports(spamassassin_t)
corenet_sendrecv_all_client_packets(spamassassin_t)
@@ -129192,7 +129246,7 @@ index ec1eb1e..9d10f0b 100644
sysnet_read_config(spamassassin_t)
')
-@@ -158,18 +208,6 @@ tunable_policy(`spamd_enable_home_dirs',`
+@@ -158,18 +230,6 @@ tunable_policy(`spamd_enable_home_dirs',`
userdom_manage_user_home_content_symlinks(spamd_t)
')
@@ -129211,7 +129265,7 @@ index ec1eb1e..9d10f0b 100644
optional_policy(`
# Write pid file and socket in ~/.evolution/cache/tmp
evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
-@@ -184,6 +222,8 @@ optional_policy(`
+@@ -184,6 +244,8 @@ optional_policy(`
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
@@ -129220,7 +129274,7 @@ index ec1eb1e..9d10f0b 100644
')
########################################
-@@ -206,15 +246,32 @@ allow spamc_t self:unix_stream_socket connectto;
+@@ -206,15 +268,32 @@ allow spamc_t self:unix_stream_socket connectto;
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
@@ -129253,7 +129307,7 @@ index ec1eb1e..9d10f0b 100644
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
-@@ -226,6 +283,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
+@@ -226,6 +305,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
corenet_udp_sendrecv_all_ports(spamc_t)
corenet_tcp_connect_all_ports(spamc_t)
corenet_sendrecv_all_client_packets(spamc_t)
@@ -129261,7 +129315,7 @@ index ec1eb1e..9d10f0b 100644
fs_search_auto_mountpoints(spamc_t)
-@@ -244,9 +302,14 @@ files_read_usr_files(spamc_t)
+@@ -244,9 +324,14 @@ files_read_usr_files(spamc_t)
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
@@ -129276,7 +129330,7 @@ index ec1eb1e..9d10f0b 100644
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
-@@ -254,27 +317,35 @@ seutil_read_config(spamc_t)
+@@ -254,27 +339,35 @@ seutil_read_config(spamc_t)
sysnet_read_config(spamc_t)
@@ -129318,7 +129372,7 @@ index ec1eb1e..9d10f0b 100644
')
########################################
-@@ -286,7 +357,7 @@ optional_policy(`
+@@ -286,7 +379,7 @@ optional_policy(`
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -129327,7 +129381,7 @@ index ec1eb1e..9d10f0b 100644
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -302,10 +373,17 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -302,10 +395,17 @@ allow spamd_t self:unix_dgram_socket sendto;
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -129346,7 +129400,7 @@ index ec1eb1e..9d10f0b 100644
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -314,11 +392,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -314,11 +414,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -129364,7 +129418,7 @@ index ec1eb1e..9d10f0b 100644
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
-@@ -367,23 +449,23 @@ files_read_var_lib_files(spamd_t)
+@@ -367,23 +471,23 @@ files_read_var_lib_files(spamd_t)
init_dontaudit_rw_utmp(spamd_t)
@@ -129396,7 +129450,7 @@ index ec1eb1e..9d10f0b 100644
')
optional_policy(`
-@@ -399,7 +481,9 @@ optional_policy(`
+@@ -399,7 +503,9 @@ optional_policy(`
')
optional_policy(`
@@ -129406,7 +129460,7 @@ index ec1eb1e..9d10f0b 100644
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -408,25 +492,17 @@ optional_policy(`
+@@ -408,25 +514,17 @@ optional_policy(`
')
optional_policy(`
@@ -129434,7 +129488,7 @@ index ec1eb1e..9d10f0b 100644
postgresql_stream_connect(spamd_t)
')
-@@ -437,6 +513,10 @@ optional_policy(`
+@@ -437,6 +535,10 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
@@ -129445,7 +129499,7 @@ index ec1eb1e..9d10f0b 100644
')
optional_policy(`
-@@ -444,6 +524,7 @@ optional_policy(`
+@@ -444,6 +546,7 @@ optional_policy(`
')
optional_policy(`
@@ -129453,7 +129507,7 @@ index ec1eb1e..9d10f0b 100644
sendmail_stub(spamd_t)
mta_read_config(spamd_t)
')
-@@ -451,3 +532,51 @@ optional_policy(`
+@@ -451,3 +554,51 @@ optional_policy(`
optional_policy(`
udev_read_db(spamd_t)
')
@@ -130252,7 +130306,7 @@ index 22adaca..7f010a4 100644
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..6dbec51 100644
+index 2dad3c8..1715973 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,37 @@ policy_module(ssh, 2.2.0)
@@ -130595,6 +130649,10 @@ index 2dad3c8..6dbec51 100644
-
- optional_policy(`
- domain_trans(sshd_t, xauth_exec_t, userdomain)
+- ')
+-',`
+- optional_policy(`
+- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
+ tunable_policy(`ssh_sysadm_login',`
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
@@ -130615,10 +130673,6 @@ index 2dad3c8..6dbec51 100644
+ # some versions of sshd on the new SE Linux require setattr
+ allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
')
--',`
-- optional_policy(`
-- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
-- ')
- # Relabel and access ptys created by sshd
- # ioctl is necessary for logout() processing for utmp entry and for w to
- # display the tty.
@@ -130670,7 +130724,7 @@ index 2dad3c8..6dbec51 100644
')
optional_policy(`
-@@ -363,3 +419,76 @@ optional_policy(`
+@@ -363,3 +419,83 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -130704,11 +130758,18 @@ index 2dad3c8..6dbec51 100644
+#
+# chroot_user_t local policy
+#
++allow chroot_user_t self:unix_dgram_socket create_socket_perms;
++
++corecmd_exec_shell(chroot_user_t)
++
++term_search_ptys(chroot_user_t)
++term_use_ptmx(chroot_user_t)
+
+userdom_read_user_home_content_files(chroot_user_t)
+userdom_read_inherited_user_home_content_files(chroot_user_t)
+userdom_read_user_home_content_symlinks(chroot_user_t)
+userdom_exec_user_home_content_files(chroot_user_t)
++userdom_use_inherited_user_ptys(chroot_user_t)
+
+tunable_policy(`ssh_chroot_rw_homedirs',`
+ files_list_home(chroot_user_t)
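Review bot: `corecmd_exec_shell(chroot_user_t)` together with the new pty and dgram-socket rules turns chroot_user_t — which from its `ssh_chroot_rw_homedirs` tunable appears to be the domain for ChrootDirectory sessions — from a file-access domain into one that can run an interactive shell, and none of the changelog entries for this release mentions it. If a shell is only wanted in some deployments, placing these five lines behind a boolean like the existing `ssh_chroot_rw_homedirs` keeps the default sandbox tighter; if they are meant unconditionally, a comment such as `# chrooted sessions may be given a shell rather than internal-sftp only` should say so. The chroot_user_t local policy block continues past the end of this hunk.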
@@ -134951,7 +135012,7 @@ index aa6e5a8..42a0efb 100644
########################################
## <summary>
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 4966c94..b53c4fa 100644
+index 4966c94..a4235ab 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -135076,7 +135137,7 @@ index 4966c94..b53c4fa 100644
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
@@ -138604,10 +138665,38 @@ index f9a06d2..3d407c6 100644
files_read_etc_files(zos_remote_t)
diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
-index 1b6619e..3aed6ad 100644
+index 1b6619e..232be41 100644
--- a/policy/modules/system/application.if
+++ b/policy/modules/system/application.if
-@@ -189,6 +189,24 @@ interface(`application_dontaudit_signal',`
+@@ -43,6 +43,27 @@ interface(`application_executable_file',`
+ corecmd_executable_file($1)
+ ')
+
++#######################################
++## <summary>
++## Make the specified type usable for files
++## that are exectuables, such as binary programs.
++## This does not include shared libraries.
++## </summary>
++## <param name="type">
++## <summary>
++## Type to be used for files.
++## </summary>
++## </param>
++#
++interface(`application_executable_ioctl',`
++ gen_require(`
++ attribute application_exec_type;
++ ')
++
++ allow $1 application_exec_type:file ioctl;
++
++')
++
+ ########################################
+ ## <summary>
+ ## Execute application executables in the caller domain.
+@@ -189,6 +210,24 @@ interface(`application_dontaudit_signal',`
########################################
## <summary>
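Review bot: The summary on the new `application_executable_ioctl` interface is copied from `application_executable_file` above it ("Make the specified type usable for files that are exectuables…") and describes the wrong thing: this interface allows `$1` to ioctl application_exec_type files, and its parameter is a domain, not a file type. Replace the summary with `## Allow the specified domain to ioctl application executable files.` and the parameter block with name="domain" and `## Domain allowed access.`, the wording used by the other interfaces in this patch, which also removes the "exectuables" typo. As a point of style, the header rule is one `#` shorter than the neighbouring interfaces' and the blank line before `')` is not used elsewhere in the file.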
@@ -138632,7 +138721,7 @@ index 1b6619e..3aed6ad 100644
## Do not audit attempts to send kill signals
## to all application domains.
## </summary>
-@@ -205,3 +223,21 @@ interface(`application_dontaudit_sigkill',`
+@@ -205,3 +244,21 @@ interface(`application_dontaudit_sigkill',`
dontaudit $1 application_domain_type:process sigkill;
')
@@ -138762,7 +138851,7 @@ index 28ad538..82def3d 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..a0bd29b 100644
+index 73554ec..c71cf8e 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -138885,7 +138974,7 @@ index 73554ec..a0bd29b 100644
auth_use_pam($1)
init_rw_utmp($1)
-@@ -155,9 +196,83 @@ interface(`auth_login_pgm_domain',`
+@@ -155,13 +196,92 @@ interface(`auth_login_pgm_domain',`
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -138928,13 +139017,18 @@ index 73554ec..a0bd29b 100644
+ ')
+
+ optional_policy(`
-+ ssh_agent_exec($1)
-+ ssh_read_user_home_files($1)
++ # allow execute tmux
++ screen_exec($1)
+ ')
-+')
+
-+########################################
-+## <summary>
++ optional_policy(`
++ ssh_agent_exec($1)
++ ssh_read_user_home_files($1)
+ ')
+ ')
+
+ ########################################
+ ## <summary>
+## Read authlogin state files.
+## </summary>
+## <param name="domain">
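Review bot: `screen_exec($1)` lands inside what the hunk context shows as `auth_login_pgm_domain`, so every domain that calls that template (sshd, the display managers and so on, not only local_login_t as the changelog entry says) gains the permission; if tmux is only needed for local logins the call belongs in the local_login_t policy, and if it is deliberately global the comment should state that. The comment itself, `# allow execute tmux`, also hides the labelling assumption; `# tmux is presumably labelled screen_exec_t; login programs may exec it` is clearer. The interface starts before this hunk.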
@@ -138965,13 +139059,17 @@ index 73554ec..a0bd29b 100644
+interface(`authlogin_rw_pipes',`
+ gen_require(`
+ attribute polydomain;
- ')
++ ')
+
+ allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
-@@ -368,13 +483,15 @@ interface(`auth_domtrans_chk_passwd',`
++')
++
++########################################
++## <summary>
+ ## Use the login program as an entry point program.
+ ## </summary>
+ ## <param name="domain">
+@@ -368,13 +488,15 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
@@ -138988,7 +139086,7 @@ index 73554ec..a0bd29b 100644
')
########################################
-@@ -421,6 +538,25 @@ interface(`auth_run_chk_passwd',`
+@@ -421,6 +543,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -139014,7 +139112,7 @@ index 73554ec..a0bd29b 100644
')
########################################
-@@ -440,7 +576,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -440,7 +581,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -139022,7 +139120,7 @@ index 73554ec..a0bd29b 100644
')
########################################
-@@ -637,6 +772,10 @@ interface(`auth_manage_shadow',`
+@@ -637,6 +777,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -139033,7 +139131,7 @@ index 73554ec..a0bd29b 100644
')
#######################################
-@@ -736,7 +875,50 @@ interface(`auth_rw_faillog',`
+@@ -736,7 +880,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -139085,7 +139183,7 @@ index 73554ec..a0bd29b 100644
')
#######################################
-@@ -932,9 +1114,30 @@ interface(`auth_manage_var_auth',`
+@@ -932,9 +1119,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -139119,7 +139217,7 @@ index 73554ec..a0bd29b 100644
')
########################################
-@@ -1013,6 +1216,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1013,6 +1221,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -139130,7 +139228,7 @@ index 73554ec..a0bd29b 100644
')
########################################
-@@ -1130,6 +1337,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1130,6 +1342,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -139138,7 +139236,7 @@ index 73554ec..a0bd29b 100644
')
#######################################
-@@ -1387,6 +1595,25 @@ interface(`auth_setattr_login_records',`
+@@ -1387,6 +1600,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@@ -139164,7 +139262,7 @@ index 73554ec..a0bd29b 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
-@@ -1537,37 +1764,49 @@ interface(`auth_manage_login_records',`
+@@ -1537,37 +1769,49 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -139224,7 +139322,7 @@ index 73554ec..a0bd29b 100644
## </p>
## </desc>
## <param name="domain">
-@@ -1575,87 +1814,206 @@ interface(`auth_relabel_login_records',`
+@@ -1575,87 +1819,206 @@ interface(`auth_relabel_login_records',`
## Domain allowed access.
## </summary>
## </param>
@@ -142443,7 +142541,7 @@ index 0d4c8d3..9d66bf7 100644
########################################
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 55a6cd8..02378d2 100644
+index 55a6cd8..8cbbbf3 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -73,13 +73,15 @@ role system_r types setkey_t;
@@ -142500,7 +142598,13 @@ index 55a6cd8..02378d2 100644
term_use_console(ipsec_t)
term_dontaudit_use_all_ttys(ipsec_t)
-@@ -169,6 +175,8 @@ logging_send_syslog_msg(ipsec_t)
+@@ -164,11 +170,14 @@ auth_use_nsswitch(ipsec_t)
+ init_use_fds(ipsec_t)
+ init_use_script_ptys(ipsec_t)
+
++logging_read_all_logs(ipsec_mgmt_t)
+ logging_send_syslog_msg(ipsec_t)
+
miscfiles_read_localization(ipsec_t)
sysnet_domtrans_ifconfig(ipsec_t)
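Review bot: `logging_read_all_logs(ipsec_mgmt_t)` is inserted between `init_use_script_ptys(ipsec_t)` and `logging_send_syslog_msg(ipsec_t)`, i.e. in the middle of the ipsec_t rules, while the "ipsec_mgmt Local policy" section that the following hunk shows is where a reader would look for it. More importantly the interface grants read access to every log type in the system; if the management scripts only need the ordinary syslog files, `logging_read_generic_logs(ipsec_mgmt_t)` with a comment naming the file that is read would be the narrower choice. Either way the call should move down into the ipsec_mgmt_t block.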
@@ -142509,7 +142613,7 @@ index 55a6cd8..02378d2 100644
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -186,9 +194,9 @@ optional_policy(`
+@@ -186,9 +195,9 @@ optional_policy(`
# ipsec_mgmt Local policy
#
@@ -142522,7 +142626,7 @@ index 55a6cd8..02378d2 100644
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -245,6 +253,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -245,6 +254,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -142539,7 +142643,7 @@ index 55a6cd8..02378d2 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -254,6 +272,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -254,6 +273,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@@ -142548,7 +142652,7 @@ index 55a6cd8..02378d2 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
-@@ -277,9 +297,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -277,9 +298,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -142560,7 +142664,7 @@ index 55a6cd8..02378d2 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -297,7 +318,12 @@ sysnet_manage_config(ipsec_mgmt_t)
+@@ -297,7 +319,12 @@ sysnet_manage_config(ipsec_mgmt_t)
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
sysnet_etc_filetrans_config(ipsec_mgmt_t)
@@ -142574,7 +142678,7 @@ index 55a6cd8..02378d2 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -324,10 +350,6 @@ optional_policy(`
+@@ -324,10 +351,6 @@ optional_policy(`
modutils_domtrans_insmod(ipsec_mgmt_t)
')
@@ -142585,7 +142689,7 @@ index 55a6cd8..02378d2 100644
ifdef(`TODO',`
# ideally it would not need this. It wants to write to /root/.rnd
file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
-@@ -377,12 +399,12 @@ corecmd_exec_shell(racoon_t)
+@@ -377,12 +400,12 @@ corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
corenet_all_recvfrom_unlabeled(racoon_t)
@@ -142604,7 +142708,7 @@ index 55a6cd8..02378d2 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -411,6 +433,8 @@ miscfiles_read_localization(racoon_t)
+@@ -411,6 +434,8 @@ miscfiles_read_localization(racoon_t)
sysnet_exec_ifconfig(racoon_t)
@@ -142613,7 +142717,7 @@ index 55a6cd8..02378d2 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -448,5 +472,6 @@ miscfiles_read_localization(setkey_t)
+@@ -448,5 +473,6 @@ miscfiles_read_localization(setkey_t)
seutil_read_config(setkey_t)
@@ -147946,10 +148050,10 @@ index 0000000..161f271
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..0898030
+index 0000000..1f323e4
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,696 @@
+@@ -0,0 +1,697 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -148419,6 +148523,7 @@ index 0000000..0898030
+ type systemd_passwd_var_run_t;
+ ')
+
++ init_search_pid_dirs($1)
+ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+
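Review bot: The added `init_search_pid_dirs($1)` has no comment saying why a caller that manages systemd_passwd_var_run_t files and sock files also needs search on init's pid directory; presumably the ask-password objects live below a directory labeled init_var_run_t, so without it callers hit a search denial on the parent before reaching the objects this interface grants — that placement should be confirmed against the file contexts. A one-line comment above the call, such as `# objects live under an init_var_run_t directory; callers need search on it`, would make the dependency explicit for the next person who copies this interface. The enclosing interface, including its summary that would document the widened scope, begins outside this hunk, so whether the summary mentions the added access cannot be checked here.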
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1d93f96..8dabc5e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 132%{?dist}
+Release: 133%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,25 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Jun 22 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-133
+- Dontaudit thumb to setattr on xdm_tmp dirs
+- Allow wicd to execute ldconfig
+- Add /var/run/cherokee\.pid labeling
+- Allow snort to create netlink_socket
+- Allow setpcap for rpcd_t
+- Firstboot should be just creating tmp_t dirs
+- Transition xauth files within firstboot_tmp_t
+- Fix labeling of /run/media to match /media
+- Allow firstboot to create tmp_t files/directories
+- Label tuned scripts located in /etc as bin_t
+- Add port definition for mxi port
+- Fix labeling for /var/log/lxdm.log.old
+- Allow ddclient to read /etc/passwd
+- change dovecot_deliver to manage mail_home_rw_t
+- Remove razor/pyzor policy
+- Allow local_login_t to execute tmux
+- Allow mozilla_plugin_t to execute the dynamic link/loader
+
* Mon Jun 18 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-132
- apcupsd needs to read /etc/passwd
- Sanlock allso sends sigkill