[selinux-policy/f17] * Tue Jun 26 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-134 - Allow mozilla_plugin execmod on mo
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Jun 26 19:37:21 UTC 2012
commit c26f2f6b5d9232b35bd77c2f25bef8e0448111fc
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Jun 26 21:36:53 2012 +0200
* Tue Jun 26 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-134
- Allow mozilla_plugin execmod on mozilla home files if allow_execmod
- Allow dovecot_deliver_t to read dovecot_var_run_t
- Add tomcat policy from F18
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Add kdumpctl policy
- Move thin policy out from cloudform.pp and add a new thin policy files
- pacemaker needs to communicate with corosync streams
- abrt is now started on demand by dbus
- Allow certmonger to talk directly to Dogtag servers
- Change labeling for /var/lib/cobbler/webui_sessions to httpd_cobbler_rw_content_t
- Allow mozila_plugin to execute gstreamer home files
- Allow useradd to delete all file types stored in the users homedir
- rhsmcertd reads the rpm database
- Add support for lightdm
modules-targeted.conf | 14 +
permissivedomains.pp | Bin 94994 -> 100478 bytes
policy-F16.patch | 1165 +++++++++++++++++++++++++++++++++++++++++--------
selinux-policy.spec | 18 +-
4 files changed, 1016 insertions(+), 181 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 78530d4..5c535cf 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2542,3 +2542,17 @@ svnserve = module
# policy for man2html apps
#
man2html = module
+
+# Layer: services
+# Module: tomcat
+#
+# policy for tomcat apps
+#
+tomcat = module
+
+# Layer: services
+# Module: thinh
+#
+# policy for thin apps
+#
+thin = module
diff --git a/permissivedomains.pp b/permissivedomains.pp
index 6f9e1d2..8a7892e 100644
Binary files a/permissivedomains.pp and b/permissivedomains.pp differ
diff --git a/policy-F16.patch b/policy-F16.patch
index 6a53864..6d0be41 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -59380,21 +59380,23 @@ index c4d8998..a7302e4 100644
+ xserver_stream_connect(firstboot_t)
')
diff --git a/policy/modules/admin/kdump.fc b/policy/modules/admin/kdump.fc
-index c66934f..9f05409 100644
+index c66934f..dd91210 100644
--- a/policy/modules/admin/kdump.fc
+++ b/policy/modules/admin/kdump.fc
-@@ -3,3 +3,9 @@
+@@ -3,3 +3,11 @@
/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+
-+/usr/lib/systemd/system/kdump.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
++/usr/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdumpctl_unit_file_t,s0)
++
++/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+
diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if
-index 4198ff5..9bf4898 100644
+index 4198ff5..d1ab262 100644
--- a/policy/modules/admin/kdump.if
+++ b/policy/modules/admin/kdump.if
@@ -37,6 +37,30 @@ interface(`kdump_initrc_domtrans',`
@@ -59453,7 +59455,35 @@ index 4198ff5..9bf4898 100644
####################################
## <summary>
## Manage kdump configuration file.
-@@ -96,10 +138,14 @@ interface(`kdump_admin',`
+@@ -75,6 +117,27 @@ interface(`kdump_manage_config',`
+ allow $1 kdump_etc_t:file manage_file_perms;
+ ')
+
++###################################
++## <summary>
++## Manage kdump /var/tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kdump_manage_kdumpctl_tmp_files',`
++ gen_require(`
++ type kdumpctl_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
++ manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
++ manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
++')
++
+ ######################################
+ ## <summary>
+ ## All of the rules required to administrate
+@@ -96,10 +159,14 @@ interface(`kdump_admin',`
gen_require(`
type kdump_t, kdump_etc_t;
type kdump_initrc_exec_t;
@@ -59469,7 +59499,7 @@ index 4198ff5..9bf4898 100644
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -108,4 +154,8 @@ interface(`kdump_admin',`
+@@ -108,4 +175,8 @@ interface(`kdump_admin',`
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
@@ -59479,20 +59509,30 @@ index 4198ff5..9bf4898 100644
+ allow $1 kdump_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/admin/kdump.te b/policy/modules/admin/kdump.te
-index b29d8e2..ed79499 100644
+index b29d8e2..1889d88 100644
--- a/policy/modules/admin/kdump.te
+++ b/policy/modules/admin/kdump.te
-@@ -15,6 +15,9 @@ files_config_file(kdump_etc_t)
+@@ -15,6 +15,19 @@ files_config_file(kdump_etc_t)
type kdump_initrc_exec_t;
init_script_file(kdump_initrc_exec_t)
+type kdump_unit_file_t;
+systemd_unit_file(kdump_unit_file_t)
+
++type kdumpctl_t;
++type kdumpctl_exec_t;
++init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
++
++type kdumpctl_unit_file_t;
++systemd_unit_file(kdumpctl_unit_file_t)
++
++type kdumpctl_tmp_t;
++files_tmp_file(kdumpctl_tmp_t)
++
#####################################
#
# kdump local policy
-@@ -24,6 +27,7 @@ allow kdump_t self:capability { sys_boot dac_override };
+@@ -24,6 +37,7 @@ allow kdump_t self:capability { sys_boot dac_override };
read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
@@ -59500,6 +59540,91 @@ index b29d8e2..ed79499 100644
files_read_etc_runtime_files(kdump_t)
files_read_kernel_img(kdump_t)
+@@ -36,3 +50,84 @@ dev_read_framebuffer(kdump_t)
+ dev_read_sysfs(kdump_t)
+
+ term_use_console(kdump_t)
++
++#######################################
++#
++# kdumpctl local policy
++#
++
++#cjp:almost all rules are needed by dracut
++
++kdump_domtrans(kdumpctl_t)
++
++allow kdumpctl_t self:capability dac_override;
++allow kdumpctl_t self:process setfscreate;
++
++allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
++allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
++manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
++manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
++files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file })
++
++read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t)
++
++kernel_read_system_state(kdumpctl_t)
++
++corecmd_exec_bin(kdumpctl_t)
++corecmd_exec_shell(kdumpctl_t)
++
++dev_read_sysfs(kdumpctl_t)
++# dracut
++dev_manage_all_dev_nodes(kdumpctl_t)
++
++domain_use_interactive_fds(kdumpctl_t)
++
++files_create_kernel_img(kdumpctl_t)
++files_read_etc_files(kdumpctl_t)
++files_read_etc_runtime_files(kdumpctl_t)
++files_read_usr_files(kdumpctl_t)
++files_read_kernel_modules(kdumpctl_t)
++files_getattr_all_dirs(kdumpctl_t)
++
++fs_getattr_all_fs(kdumpctl_t)
++
++application_executable_ioctl(kdumpctl_t)
++
++auth_read_passwd(kdumpctl_t)
++
++init_exec(kdumpctl_t)
++systemd_exec_systemctl(kdumpctl_t)
++
++libs_exec_ld_so(kdumpctl_t)
++
++logging_send_syslog_msg(kdumpctl_t)
++
++miscfiles_read_localization(kdumpctl_t)
++
++optional_policy(`
++ gpg_exec(kdumpctl_t)
++')
++
++optional_policy(`
++ lvm_read_config(kdumpctl_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(kdumpctl_t)
++ modutils_list_module_config(kdumpctl_t)
++ modutils_read_module_config(kdumpctl_t)
++')
++
++optional_policy(`
++ plymouthd_domtrans_plymouth(kdumpctl_t)
++')
++
++optional_policy(`
++ ssh_exec(kdumpctl_t)
++')
++
++optional_policy(`
++ unconfined_domain(kdumpctl_t)
++')
diff --git a/policy/modules/admin/kismet.if b/policy/modules/admin/kismet.if
index c18c920..582f7f3 100644
--- a/policy/modules/admin/kismet.if
@@ -62674,7 +62799,7 @@ index 81fb26f..66cf96c 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..f1654c5 100644
+index 441cf22..032ccdd 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -62931,7 +63056,7 @@ index 441cf22..f1654c5 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -495,24 +521,19 @@ seutil_read_file_contexts(useradd_t)
+@@ -495,24 +521,20 @@ seutil_read_file_contexts(useradd_t)
seutil_read_default_contexts(useradd_t)
seutil_domtrans_semanage(useradd_t)
seutil_domtrans_setfiles(useradd_t)
@@ -62950,6 +63075,7 @@ index 441cf22..f1654c5 100644
-userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
+userdom_manage_home_role(system_r, useradd_t)
++userdom_delete_all_user_home_content(useradd_t)
mta_manage_spool(useradd_t)
@@ -67167,7 +67293,7 @@ index fbb5c5a..ce9aee0 100644
')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..e143bab 100644
+index 2e9318b..71b15ca 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -12,6 +12,13 @@ policy_module(mozilla, 2.3.3)
@@ -67467,7 +67593,7 @@ index 2e9318b..e143bab 100644
optional_policy(`
alsa_read_rw_config(mozilla_plugin_t)
-@@ -421,24 +459,32 @@ optional_policy(`
+@@ -421,24 +459,33 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(mozilla_plugin_t)
dbus_session_bus_client(mozilla_plugin_t)
@@ -67484,6 +67610,7 @@ index 2e9318b..e143bab 100644
gnome_manage_config(mozilla_plugin_t)
+ gnome_read_usr_config(mozilla_plugin_t)
+ gnome_filetrans_home_content(mozilla_plugin_t)
++ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
')
optional_policy(`
@@ -67504,18 +67631,18 @@ index 2e9318b..e143bab 100644
')
optional_policy(`
-@@ -446,10 +492,102 @@ optional_policy(`
+@@ -446,10 +493,105 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
+ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
-+ pcscd_stream_connect(mozilla_plugin_t)
')
optional_policy(`
++ pcscd_stream_connect(mozilla_plugin_t)
++')
++
++optional_policy(`
+ rtkit_scheduled(mozilla_plugin_t)
+')
+
@@ -67601,12 +67728,15 @@ index 2e9318b..e143bab 100644
+ typealias mozilla_home_t alias nsplugin_home_t;
+ typealias mozilla_plugin_config_t alias nsplugin_config_t;
+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
- ')
++')
+
+tunable_policy(`mozilla_plugin_enable_homedirs',`
+ userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
+')
+
++tunable_policy(`allow_execmod',`
++ userdom_execmod_user_home_files(mozilla_plugin_t)
+ ')
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index d8ea41d..8bdc526 100644
--- a/policy/modules/apps/mplayer.if
@@ -84344,10 +84474,10 @@ index e88b95f..9b6536a 100644
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
-index 1bd5812..196cfc9 100644
+index 1bd5812..b5fe639 100644
--- a/policy/modules/services/abrt.fc
+++ b/policy/modules/services/abrt.fc
-@@ -1,13 +1,16 @@
+@@ -1,12 +1,16 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
@@ -84361,13 +84491,13 @@ index 1bd5812..196cfc9 100644
+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
-
-+/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
++/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+
++/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
+
/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-
-@@ -15,6 +18,19 @@
+@@ -15,6 +19,19 @@
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -91386,7 +91516,7 @@ index 7a6e5ba..e238dfd 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index c3e3f79..3bf8b0c 100644
+index c3e3f79..c94fbcb 100644
--- a/policy/modules/services/certmonger.te
+++ b/policy/modules/services/certmonger.te
@@ -18,12 +18,16 @@ files_pid_file(certmonger_var_run_t)
@@ -91407,7 +91537,7 @@ index c3e3f79..3bf8b0c 100644
allow certmonger_t self:process { getsched setsched sigkill };
allow certmonger_t self:fifo_file rw_file_perms;
allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
-@@ -32,16 +36,23 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -32,16 +36,24 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
@@ -91429,10 +91559,11 @@ index c3e3f79..3bf8b0c 100644
corenet_tcp_sendrecv_all_ports(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t)
+corenet_tcp_connect_http_port(certmonger_t)
++corenet_tcp_connect_pki_ca_port(certmonger_t)
dev_read_urand(certmonger_t)
-@@ -51,6 +62,11 @@ files_read_etc_files(certmonger_t)
+@@ -51,6 +63,11 @@ files_read_etc_files(certmonger_t)
files_read_usr_files(certmonger_t)
files_list_tmp(certmonger_t)
@@ -91444,7 +91575,7 @@ index c3e3f79..3bf8b0c 100644
logging_send_syslog_msg(certmonger_t)
miscfiles_read_localization(certmonger_t)
-@@ -58,15 +74,60 @@ miscfiles_manage_generic_cert_files(certmonger_t)
+@@ -58,15 +75,60 @@ miscfiles_manage_generic_cert_files(certmonger_t)
sysnet_dns_name_resolve(certmonger_t)
@@ -92640,17 +92771,16 @@ index 6077339..d10acd2 100644
dev_manage_generic_blk_files(clogd_t)
diff --git a/policy/modules/services/cloudform.fc b/policy/modules/services/cloudform.fc
new file mode 100644
-index 0000000..0362135
+index 0000000..7182054
--- /dev/null
+++ b/policy/modules/services/cloudform.fc
-@@ -0,0 +1,23 @@
+@@ -0,0 +1,19 @@
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+
+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
-+/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0)
+
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
@@ -92660,12 +92790,9 @@ index 0000000..0362135
+/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
+/var/log/iwhd\.log -- gen_context(system_u:object_r:iwhd_log_t,s0)
+/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
-+/var/log/thin\.log -- gen_context(system_u:object_r:thin_log_t,s0)
+
+/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
-+/var/run/aeolus-configserv(/.*)? gen_context(system_u:object_r:thin_var_run_t,s0)
-+/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0)
+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if
new file mode 100644
@@ -92715,10 +92842,10 @@ index 0000000..7f55959
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
-index 0000000..01f88c9
+index 0000000..579dff8
--- /dev/null
+++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,237 @@
+@@ -0,0 +1,192 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -92730,10 +92857,6 @@ index 0000000..01f88c9
+cloudform_domain_template(deltacloudd)
+cloudform_domain_template(iwhd)
+cloudform_domain_template(mongod)
-+cloudform_domain_template(thin)
-+
-+type thin_log_t;
-+logging_log_file(thin_log_t)
+
+type deltacloudd_log_t;
+logging_log_file(deltacloudd_log_t)
@@ -92768,9 +92891,6 @@ index 0000000..01f88c9
+type mongod_var_run_t;
+files_pid_file(mongod_var_run_t)
+
-+type thin_var_run_t;
-+files_pid_file(thin_var_run_t)
-+
+type iwhd_log_t;
+logging_log_file(iwhd_log_t)
+
@@ -92918,44 +93038,6 @@ index 0000000..01f88c9
+ sysnet_dns_name_resolve(mongod_t)
+')
+
-+########################################
-+#
-+# thin local policy
-+#
-+
-+allow thin_t self:capability { setuid kill setgid dac_override };
-+
-+allow thin_t self:netlink_route_socket r_netlink_socket_perms;
-+allow thin_t self:udp_socket create_socket_perms;
-+allow thin_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(thin_t, thin_log_t, thin_log_t)
-+manage_dirs_pattern(thin_t, thin_log_t, thin_log_t)
-+logging_log_filetrans(thin_t, thin_log_t, { file dir })
-+
-+manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
-+manage_dirs_pattern(thin_t, thin_var_run_t, thin_var_run_t)
-+files_pid_filetrans(thin_t, thin_var_run_t, { file dir })
-+
-+corecmd_exec_bin(thin_t)
-+
-+corenet_tcp_bind_generic_node(thin_t)
-+corenet_tcp_bind_ntop_port(thin_t)
-+corenet_tcp_connect_postgresql_port(thin_t)
-+corenet_tcp_connect_all_ports(iwhd_t)
-+
-+files_read_usr_files(thin_t)
-+
-+fs_search_auto_mountpoints(thin_t)
-+
-+init_read_utmp(thin_t)
-+
-+kernel_read_kernel_sysctls(thin_t)
-+
-+optional_policy(`
-+ sysnet_read_config(thin_t)
-+')
-+
diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc
index 049e2b6..dcc7de8 100644
--- a/policy/modules/services/cmirrord.fc
@@ -93001,10 +93083,10 @@ index f8463c0..126b293 100644
domain_system_change_exemption($1)
role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
-index 1cf6c4e..0858f92 100644
+index 1cf6c4e..b64cef9 100644
--- a/policy/modules/services/cobbler.fc
+++ b/policy/modules/services/cobbler.fc
-@@ -1,7 +1,35 @@
+@@ -1,7 +1,37 @@
-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
@@ -93019,6 +93101,8 @@ index 1cf6c4e..0858f92 100644
+
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
++/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_cobbler_rw_content_t,s0)
++
+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
@@ -94855,7 +94939,7 @@ index 3a6d7eb..bb32bf0 100644
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
-index 5220c9d..11e5dc4 100644
+index 5220c9d..25babd6 100644
--- a/policy/modules/services/corosync.if
+++ b/policy/modules/services/corosync.if
@@ -18,6 +18,25 @@ interface(`corosync_domtrans',`
@@ -94884,7 +94968,15 @@ index 5220c9d..11e5dc4 100644
#######################################
## <summary>
## Allow the specified domain to read corosync's log files.
-@@ -58,6 +77,29 @@ interface(`corosync_stream_connect',`
+@@ -52,12 +71,37 @@ interface(`corosync_read_log',`
+ interface(`corosync_stream_connect',`
+ gen_require(`
+ type corosync_t, corosync_var_run_t;
++ type corosync_var_lib_t;
+ ')
+
+ files_search_pids($1)
++ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
')
@@ -94914,7 +95006,7 @@ index 5220c9d..11e5dc4 100644
######################################
## <summary>
## All of the rules required to administrate
-@@ -80,11 +122,16 @@ interface(`corosyncd_admin',`
+@@ -80,11 +124,16 @@ interface(`corosyncd_admin',`
type corosync_t, corosync_var_lib_t, corosync_var_log_t;
type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
type corosync_initrc_exec_t;
@@ -94932,7 +95024,7 @@ index 5220c9d..11e5dc4 100644
init_labeled_script_domtrans($1, corosync_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 corosync_initrc_exec_t system_r;
-@@ -103,4 +150,8 @@ interface(`corosyncd_admin',`
+@@ -103,4 +152,8 @@ interface(`corosyncd_admin',`
files_list_pids($1)
admin_pattern($1, corosync_var_run_t)
@@ -100869,7 +100961,7 @@ index e1d7dc5..13e4800 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..828fb40 100644
+index acf6d4f..b2ed37a 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,4 +1,4 @@
@@ -101062,7 +101154,7 @@ index acf6d4f..828fb40 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -250,23 +286,42 @@ optional_policy(`
+@@ -250,23 +286,43 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -101086,6 +101178,7 @@ index acf6d4f..828fb40 100644
+files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
+
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
++read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_stream_connect(dovecot_deliver_t)
+
@@ -101107,7 +101200,7 @@ index acf6d4f..828fb40 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -283,24 +338,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +339,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
@@ -116407,10 +116500,10 @@ index 0000000..e05c78f
+')
diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te
new file mode 100644
-index 0000000..99ab306
+index 0000000..35a450f
--- /dev/null
+++ b/policy/modules/services/pacemaker.te
-@@ -0,0 +1,49 @@
+@@ -0,0 +1,54 @@
+policy_module(pacemaker, 1.0.0)
+
+########################################
@@ -116460,6 +116553,11 @@ index 0000000..99ab306
+logging_send_syslog_msg(pacemaker_t)
+
+miscfiles_read_localization(pacemaker_t)
++
++optional_policy(`
++ corosync_stream_connect(pacemaker_t)
++')
++
diff --git a/policy/modules/services/pads.fc b/policy/modules/services/pads.fc
index 0870c56..6d5fb1d 100644
--- a/policy/modules/services/pads.fc
@@ -124704,10 +124802,10 @@ index 0000000..6572600
+')
diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
new file mode 100644
-index 0000000..cff25a9
+index 0000000..fd0cbc3
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.te
-@@ -0,0 +1,69 @@
+@@ -0,0 +1,71 @@
+policy_module(rhsmcertd, 1.0.0)
+
+########################################
@@ -124777,6 +124875,8 @@ index 0000000..cff25a9
+miscfiles_read_certs(rhsmcertd_t)
+
+sysnet_dns_name_resolve(rhsmcertd_t)
++
++rpm_read_db(rhsmcertd_t)
diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc
index 5b08327..ed5dc05 100644
--- a/policy/modules/services/ricci.fc
@@ -126603,7 +126703,7 @@ index 82cb169..9642fe3 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..110ed47 100644
+index e30bb63..a874aa4 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -1,4 +1,4 @@
@@ -126991,16 +127091,17 @@ index e30bb63..110ed47 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -783,7 +842,7 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -783,7 +842,8 @@ allow winbind_t self:udp_socket create_socket_perms;
allow winbind_t nmbd_t:process { signal signull };
-allow winbind_t nmbd_var_run_t:file read_file_perms;
+read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)
++samba_stream_connect_nmbd(winbind_t)
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -806,15 +865,19 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +866,19 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -127025,7 +127126,7 @@ index e30bb63..110ed47 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +896,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +897,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -127033,7 +127134,7 @@ index e30bb63..110ed47 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -850,10 +914,14 @@ domain_use_interactive_fds(winbind_t)
+@@ -850,10 +915,14 @@ domain_use_interactive_fds(winbind_t)
files_read_etc_files(winbind_t)
files_read_usr_symlinks(winbind_t)
@@ -127048,7 +127149,7 @@ index e30bb63..110ed47 100644
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
-@@ -864,6 +932,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
+@@ -864,6 +933,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
@@ -127060,7 +127161,7 @@ index e30bb63..110ed47 100644
kerberos_use(winbind_t)
')
-@@ -904,7 +977,8 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +978,8 @@ logging_send_syslog_msg(winbind_helper_t)
miscfiles_read_localization(winbind_helper_t)
@@ -127070,7 +127171,7 @@ index e30bb63..110ed47 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -922,19 +996,34 @@ optional_policy(`
+@@ -922,19 +997,34 @@ optional_policy(`
#
optional_policy(`
@@ -131813,6 +131914,671 @@ index 665bf7c..55c5868 100644
+optional_policy(`
+ iscsi_manage_semaphores(tgtd_t)
+')
+diff --git a/policy/modules/services/thin.fc b/policy/modules/services/thin.fc
+new file mode 100644
+index 0000000..62d2c77
+--- /dev/null
++++ b/policy/modules/services/thin.fc
+@@ -0,0 +1,10 @@
++/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0)
++/usr/bin/thinStarter -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0)
++
++/var/lib/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_lib_t,s0)
++
++/var/log/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_log_t,s0)
++/var/log/thin\.log -- gen_context(system_u:object_r:thin_log_t,s0)
++
++/var/run/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_var_run_t,s0)
++/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0)
+diff --git a/policy/modules/services/thin.if b/policy/modules/services/thin.if
+new file mode 100644
+index 0000000..6de86e5
+--- /dev/null
++++ b/policy/modules/services/thin.if
+@@ -0,0 +1,42 @@
++## <summary>thin policy</summary>
++
++#######################################
++## <summary>
++## Creates types and rules for a basic
++## thin daemon domain.
++## </summary>
++## <param name="prefix">
++## <summary>
++## Prefix for the domain.
++## </summary>
++## </param>
++#
++template(`thin_domain_template',`
++ gen_require(`
++ attribute thin_domain;
++ ')
++
++ type $1_t, thin_domain;
++ type $1_exec_t;
++ init_daemon_domain($1_t, $1_exec_t)
++
++ can_exec($1_t, $1_exec_t)
++')
++
++######################################
++## <summary>
++## Execute mongod in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`thin_exec',`
++ gen_require(`
++ type thin_exec_t;
++ ')
++
++ can_exec($1, thin_exec_t)
++')
+diff --git a/policy/modules/services/thin.te b/policy/modules/services/thin.te
+new file mode 100644
+index 0000000..d1903e6
+--- /dev/null
++++ b/policy/modules/services/thin.te
+@@ -0,0 +1,105 @@
++policy_module(thin, 1.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute thin_domain;
++
++thin_domain_template(thin)
++
++type thin_log_t;
++logging_log_file(thin_log_t)
++
++type thin_var_run_t;
++files_pid_file(thin_var_run_t)
++
++thin_domain_template(thin_aeolus_configserver)
++
++type thin_aeolus_configserver_lib_t;
++files_type(thin_aeolus_configserver_lib_t)
++
++type thin_aeolus_configserver_log_t;
++logging_log_file(thin_aeolus_configserver_log_t)
++
++type thin_aeolus_configserver_var_run_t;
++files_pid_file(thin_aeolus_configserver_var_run_t)
++
++########################################
++#
++# thin_domain local policy
++#
++
++allow thin_domain self:fifo_file rw_fifo_file_perms;
++allow thin_domain self:tcp_socket create_stream_socket_perms;
++
++# we want to stay in a new thin domain if we call thin binary from a script
++# # initrc_t at thin_test_exec_t->thin_test_t at thin_exec_t->thin_test_t
++can_exec(thin_domain, thin_exec_t)
++
++kernel_read_system_state(thin_domain)
++
++corecmd_exec_bin(thin_domain)
++
++dev_read_rand(thin_domain)
++dev_read_urand(thin_domain)
++
++files_read_etc_files(thin_domain)
++
++auth_read_passwd(thin_domain)
++
++miscfiles_read_certs(thin_domain)
++miscfiles_read_localization(thin_domain)
++
++files_read_usr_files(thin_domain)
++
++fs_search_auto_mountpoints(thin_domain)
++
++init_read_utmp(thin_domain)
++
++kernel_read_kernel_sysctls(thin_domain)
++
++optional_policy(`
++ sysnet_read_config(thin_domain)
++')
++
++########################################
++#
++# thin local policy
++#
++
++allow thin_t self:capability { setuid kill setgid dac_override };
++
++allow thin_t self:netlink_route_socket r_netlink_socket_perms;
++allow thin_t self:udp_socket create_socket_perms;
++allow thin_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(thin_t, thin_log_t, thin_log_t)
++manage_dirs_pattern(thin_t, thin_log_t, thin_log_t)
++logging_log_filetrans(thin_t, thin_log_t, { file dir })
++
++manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
++files_pid_filetrans(thin_t, thin_var_run_t, { file })
++
++corenet_tcp_bind_generic_node(thin_t)
++corenet_tcp_bind_ntop_port(thin_t)
++corenet_tcp_connect_postgresql_port(thin_t)
++
++
++#######################################
++#
++# thin aeolus configserver local policy
++#
++
++manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
++manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
++files_var_lib_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, { file dir })
++
++manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t)
++manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t)
++logging_log_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, { file dir })
++
++manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t)
++manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t)
++files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })
+diff --git a/policy/modules/services/tomcat.fc b/policy/modules/services/tomcat.fc
+new file mode 100644
+index 0000000..1647b92
+--- /dev/null
++++ b/policy/modules/services/tomcat.fc
+@@ -0,0 +1,11 @@
++/usr/lib/systemd/system/tomcat.service -- gen_context(system_u:object_r:tomcat_unit_file_t,s0)
++
++/usr/sbin/tomcat -- gen_context(system_u:object_r:tomcat_exec_t,s0)
++
++/var/cache/tomcat(/.*)? gen_context(system_u:object_r:tomcat_cache_t,s0)
++
++/var/lib/tomcat(/.*)? gen_context(system_u:object_r:tomcat_var_lib_t,s0)
++
++/var/log/tomcat(/.*)? gen_context(system_u:object_r:tomcat_log_t,s0)
++
++/var/run/tomcat.pid -- gen_context(system_u:object_r:tomcat_var_run_t,s0)
+diff --git a/policy/modules/services/tomcat.if b/policy/modules/services/tomcat.if
+new file mode 100644
+index 0000000..23251b7
+--- /dev/null
++++ b/policy/modules/services/tomcat.if
+@@ -0,0 +1,353 @@
++
++## <summary>policy for tomcat</summary>
++
++######################################
++## <summary>
++## Creates types and rules for a basic
++## tomcat daemon domain.
++## </summary>
++## <param name="prefix">
++## <summary>
++## Prefix for the domain.
++## </summary>
++## </param>
++#
++template(`tomcat_domain_template',`
++ gen_require(`
++ attribute tomcat_domain;
++ ')
++
++ type $1_t, tomcat_domain;
++ type $1_exec_t;
++ init_daemon_domain($1_t, $1_exec_t)
++
++ can_exec($1_t, $1_exec_t)
++
++')
++
++########################################
++## <summary>
++## Transition to tomcat.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`tomcat_domtrans',`
++ gen_require(`
++ type tomcat_t, tomcat_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, tomcat_exec_t, tomcat_t)
++')
++
++########################################
++## <summary>
++## Search tomcat cache directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`tomcat_search_cache',`
++ gen_require(`
++ type tomcat_cache_t;
++ ')
++
++ allow $1 tomcat_cache_t:dir search_dir_perms;
++ files_search_var($1)
++')
++
++########################################
++## <summary>
++## Read tomcat cache files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`tomcat_read_cache_files',`
++ gen_require(`
++ type tomcat_cache_t;
++ ')
++
++ files_search_var($1)
++ read_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete
++## tomcat cache files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`tomcat_manage_cache_files',`
++ gen_require(`
++ type tomcat_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
++')
++
++########################################
++## <summary>
++## Manage tomcat cache dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`tomcat_manage_cache_dirs',`
++ gen_require(`
++ type tomcat_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, tomcat_cache_t, tomcat_cache_t)
++')
++
++########################################
++## <summary>
++## Read tomcat's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`tomcat_read_log',`
++ gen_require(`
++ type tomcat_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, tomcat_log_t, tomcat_log_t)
++')
++
++########################################
++## <summary>
++## Append to tomcat log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`tomcat_append_log',`
++ gen_require(`
++ type tomcat_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, tomcat_log_t, tomcat_log_t)
++')
++
++########################################
++## <summary>
++## Manage tomcat log files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`tomcat_manage_log',`
++ gen_require(`
++ type tomcat_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, tomcat_log_t, tomcat_log_t)
++ manage_files_pattern($1, tomcat_log_t, tomcat_log_t)
++ manage_lnk_files_pattern($1, tomcat_log_t, tomcat_log_t)
++')
++
++########################################
++## <summary>
++## Search tomcat lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`tomcat_search_lib',`
++ gen_require(`
++ type tomcat_var_lib_t;
++ ')
++
++ allow $1 tomcat_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++## Read tomcat lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`tomcat_read_lib_files',`
++ gen_require(`
++ type tomcat_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage tomcat lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`tomcat_manage_lib_files',`
++ gen_require(`
++ type tomcat_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage tomcat lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`tomcat_manage_lib_dirs',`
++ gen_require(`
++ type tomcat_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
++')
++
++########################################
++## <summary>
++## Read tomcat PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`tomcat_read_pid_files',`
++ gen_require(`
++ type tomcat_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 tomcat_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++## Execute tomcat server in the tomcat domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`tomcat_systemctl',`
++ gen_require(`
++ type tomcat_t;
++ type tomcat_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 tomcat_unit_file_t:file read_file_perms;
++ allow $1 tomcat_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, tomcat_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an tomcat environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`tomcat_admin',`
++ gen_require(`
++ type tomcat_t;
++ type tomcat_cache_t;
++ type tomcat_log_t;
++ type tomcat_var_lib_t;
++ type tomcat_var_run_t;
++ type tomcat_unit_file_t;
++ ')
++
++ allow $1 tomcat_t:process { ptrace signal_perms };
++ ps_process_pattern($1, tomcat_t)
++
++ files_search_var($1)
++ admin_pattern($1, tomcat_cache_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, tomcat_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, tomcat_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, tomcat_var_run_t)
++
++ tomcat_systemctl($1)
++ admin_pattern($1, tomcat_unit_file_t)
++ allow $1 tomcat_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/policy/modules/services/tomcat.te b/policy/modules/services/tomcat.te
+new file mode 100644
+index 0000000..a986de8
+--- /dev/null
++++ b/policy/modules/services/tomcat.te
+@@ -0,0 +1,108 @@
++policy_module(tomcat, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute tomcat_domain;
++
++tomcat_domain_template(tomcat)
++
++type tomcat_cache_t;
++files_type(tomcat_cache_t)
++
++type tomcat_log_t;
++logging_log_file(tomcat_log_t)
++
++type tomcat_var_lib_t;
++files_type(tomcat_var_lib_t)
++
++type tomcat_var_run_t;
++files_pid_file(tomcat_var_run_t)
++
++type tomcat_tmp_t;
++files_tmp_file(tomcat_tmp_t)
++
++type tomcat_unit_file_t;
++systemd_unit_file(tomcat_unit_file_t)
++
++#######################################
++#
++# tomcat local policy
++#
++
++optional_policy(`
++ unconfined_domain(tomcat_t)
++')
++
++########################################
++#
++# tomcat domain local policy
++#
++
++allow tomcat_t self:process execmem;
++allow tomcat_t self:process { signal signull };
++
++allow tomcat_t self:tcp_socket { accept listen };
++allow tomcat_domain self:fifo_file rw_fifo_file_perms;
++allow tomcat_domain self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(tomcat_domain, tomcat_cache_t, tomcat_cache_t)
++manage_files_pattern(tomcat_domain, tomcat_cache_t, tomcat_cache_t)
++manage_lnk_files_pattern(tomcat_domain, tomcat_cache_t, tomcat_cache_t)
++files_var_filetrans(tomcat_domain, tomcat_cache_t, { dir file })
++
++manage_dirs_pattern(tomcat_domain, tomcat_log_t, tomcat_log_t)
++manage_files_pattern(tomcat_domain, tomcat_log_t, tomcat_log_t)
++logging_log_filetrans(tomcat_domain, tomcat_log_t, { dir file })
++
++manage_dirs_pattern(tomcat_domain, tomcat_var_lib_t, tomcat_var_lib_t)
++manage_files_pattern(tomcat_domain, tomcat_var_lib_t, tomcat_var_lib_t)
++files_var_lib_filetrans(tomcat_domain, tomcat_var_lib_t, { dir file })
++
++manage_dirs_pattern(tomcat_domain, tomcat_var_run_t, tomcat_var_run_t)
++manage_files_pattern(tomcat_domain, tomcat_var_run_t, tomcat_var_run_t)
++files_pid_filetrans(tomcat_domain, tomcat_var_run_t, { dir file })
++
++manage_dirs_pattern(tomcat_t, tomcat_tmp_t, tomcat_tmp_t)
++manage_files_pattern(tomcat_t, tomcat_tmp_t, tomcat_tmp_t)
++manage_fifo_files_pattern(tomcat_t, tomcat_tmp_t, tomcat_tmp_t)
++files_tmp_filetrans(tomcat_t, tomcat_tmp_t, { file fifo_file dir })
++
++# we want to stay in a new tomcat domain if we call tomcat binary from a script
++# initrc_t at tomcat_test_exec_t->tomcat_test_t at tomcat_exec_t->tomcat_test_t
++can_exec(tomcat_domain, tomcat_exec_t)
++
++kernel_read_system_state(tomcat_domain)
++kernel_read_network_state(tomcat_domain)
++
++corecmd_exec_bin(tomcat_domain)
++corecmd_exec_shell(tomcat_domain)
++
++corenet_tcp_bind_generic_node(tomcat_domain)
++corenet_udp_bind_generic_node(tomcat_domain)
++corenet_tcp_bind_http_port(tomcat_domain)
++corenet_tcp_bind_http_cache_port(tomcat_domain)
++corenet_tcp_bind_mxi_port(tomcat_domain)
++corenet_tcp_connect_http_port(tomcat_domain)
++corenet_tcp_connect_mxi_port(tomcat_domain)
++
++dev_read_rand(tomcat_domain)
++dev_read_urand(tomcat_domain)
++dev_read_sysfs(tomcat_domain)
++
++domain_use_interactive_fds(tomcat_domain)
++
++fs_getattr_all_fs(tomcat_domain)
++fs_read_hugetlbfs_files(tomcat_domain)
++
++files_read_etc_files(tomcat_domain)
++files_read_usr_files(tomcat_domain)
++
++auth_read_passwd(tomcat_domain)
++
++miscfiles_read_localization(tomcat_domain)
++
++sysnet_dns_name_resolve(tomcat_domain)
++
diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc
index e2e06b2..6752bc3 100644
--- a/policy/modules/services/tor.fc
@@ -135029,7 +135795,7 @@ index aa6e5a8..42a0efb 100644
########################################
## <summary>
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 4966c94..a4235ab 100644
+index 4966c94..c628935 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -135099,7 +135865,7 @@ index 4966c94..a4235ab 100644
#
# /opt
#
-@@ -48,28 +72,31 @@ ifdef(`distro_redhat',`
+@@ -48,28 +72,32 @@ ifdef(`distro_redhat',`
# /tmp
#
@@ -135121,6 +135887,7 @@ index 4966c94..a4235ab 100644
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/(s)?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
@@ -135138,22 +135905,25 @@ index 4966c94..a4235ab 100644
/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-@@ -90,17 +117,45 @@ ifdef(`distro_debian', `
+@@ -90,17 +118,49 @@ ifdef(`distro_debian', `
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
+
-+/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
@@ -135166,13 +135936,14 @@ index 4966c94..a4235ab 100644
+/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
@@ -143608,7 +144379,7 @@ index 808ba93..f94b80a 100644
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
+')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index e5836d3..648d152 100644
+index e5836d3..0150aea 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -59,9 +59,11 @@ optional_policy(`
@@ -143672,7 +144443,7 @@ index e5836d3..648d152 100644
optional_policy(`
unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
')
-@@ -131,6 +147,10 @@ optional_policy(`
+@@ -131,6 +147,14 @@ optional_policy(`
')
optional_policy(`
@@ -143680,10 +144451,14 @@ index e5836d3..648d152 100644
+')
+
+optional_policy(`
++ kdump_manage_kdumpctl_tmp_files(ldconfig_t)
++')
++
++optional_policy(`
puppet_rw_tmp(ldconfig_t)
')
-@@ -141,6 +161,3 @@ optional_policy(`
+@@ -141,6 +165,3 @@ optional_policy(`
rpm_manage_script_tmp_files(ldconfig_t)
')
@@ -145272,7 +146047,7 @@ index 9c0faab..91360ac 100644
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index a0eef20..ff9ad67 100644
+index a0eef20..3cd6b11 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,9 +1,5 @@
@@ -145435,7 +146210,7 @@ index a0eef20..ff9ad67 100644
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
-@@ -174,41 +191,38 @@ miscfiles_read_localization(insmod_t)
+@@ -174,41 +191,42 @@ miscfiles_read_localization(insmod_t)
seutil_read_file_contexts(insmod_t)
@@ -145482,11 +146257,15 @@ index a0eef20..ff9ad67 100644
optional_policy(`
- nscd_socket_use(insmod_t)
++ kdump_manage_kdumpctl_tmp_files(insmod_t)
++')
++
++optional_policy(`
+ mount_domtrans(insmod_t)
')
optional_policy(`
-@@ -228,6 +242,7 @@ optional_policy(`
+@@ -228,6 +246,7 @@ optional_policy(`
optional_policy(`
rpm_rw_pipes(insmod_t)
@@ -145494,7 +146273,7 @@ index a0eef20..ff9ad67 100644
')
optional_policy(`
-@@ -236,6 +251,10 @@ optional_policy(`
+@@ -236,6 +255,10 @@ optional_policy(`
')
optional_policy(`
@@ -145505,7 +146284,7 @@ index a0eef20..ff9ad67 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
-@@ -296,7 +315,7 @@ logging_send_syslog_msg(update_modules_t)
+@@ -296,7 +319,7 @@ logging_send_syslog_msg(update_modules_t)
miscfiles_read_localization(update_modules_t)
@@ -150487,7 +151266,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..6a544e3 100644
+index 4b2878a..c2d7c97 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -152299,7 +153078,7 @@ index 4b2878a..6a544e3 100644
')
########################################
-@@ -1779,6 +2331,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2331,78 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -152357,10 +153136,28 @@ index 4b2878a..6a544e3 100644
+
+########################################
+## <summary>
++## Delete all files in a user home subdirectory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_delete_all_user_home_content',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:dir_file_class_set delete_file_perms;
++')
++
++########################################
++## <summary>
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1810,8 +2416,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2434,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -152370,7 +153167,7 @@ index 4b2878a..6a544e3 100644
')
########################################
-@@ -1827,20 +2432,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2450,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -152384,18 +153181,19 @@ index 4b2878a..6a544e3 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
## <summary>
-@@ -1941,6 +2540,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+ ## Do not audit attempts to execute user home files.
+@@ -1941,6 +2558,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
@@ -152420,7 +153218,7 @@ index 4b2878a..6a544e3 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
-@@ -2008,7 +2625,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2643,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -152429,7 +153227,7 @@ index 4b2878a..6a544e3 100644
files_search_home($1)
')
-@@ -2039,7 +2656,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2674,7 @@ interface(`userdom_user_home_content_filetrans',`
type user_home_dir_t, user_home_t;
')
@@ -152438,7 +153236,7 @@ index 4b2878a..6a544e3 100644
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
-@@ -2158,11 +2775,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2158,11 +2793,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -152453,7 +153251,7 @@ index 4b2878a..6a544e3 100644
files_search_tmp($1)
')
-@@ -2182,7 +2799,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2817,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -152462,7 +153260,7 @@ index 4b2878a..6a544e3 100644
')
########################################
-@@ -2390,7 +3007,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +3025,7 @@ interface(`userdom_user_tmp_filetrans',`
type user_tmp_t;
')
@@ -152471,7 +153269,7 @@ index 4b2878a..6a544e3 100644
files_search_tmp($1)
')
-@@ -2419,6 +3036,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +3054,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2)
')
@@ -152497,7 +153295,7 @@ index 4b2878a..6a544e3 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2435,13 +3071,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3089,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -152513,7 +153311,7 @@ index 4b2878a..6a544e3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,7 +3099,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3117,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -152522,7 +153320,7 @@ index 4b2878a..6a544e3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2470,14 +3107,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,19 +3125,17 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -152536,11 +153334,32 @@ index 4b2878a..6a544e3 100644
- allow $1 user_tmpfs_t:dir list_dir_perms;
- fs_search_tmpfs($1)
+ allow $1 user_tmpfs_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Get the attributes of a user domain tty.
++## Execute user tmpfs files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -2490,9 +3143,27 @@ interface(`userdom_manage_user_tmpfs_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_getattr_user_ttys',`
++interface(`userdom_execute_user_tmpfs_files',`
+ gen_require(`
+- type user_tty_device_t;
++ type user_tmpfs_t;
++ ')
++
++ allow $1 user_tmpfs_t:file execute;
+')
+
+########################################
+## <summary>
-+## Execute user tmpfs files.
++## Get the attributes of a user domain tty.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -152548,29 +153367,24 @@ index 4b2878a..6a544e3 100644
+## </summary>
+## </param>
+#
-+interface(`userdom_execute_user_tmpfs_files',`
++interface(`userdom_getattr_user_ttys',`
+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ allow $1 user_tmpfs_t:file execute;
- ')
++ type user_tty_device_t;
+ ')
- ########################################
-@@ -2572,7 +3225,7 @@ interface(`userdom_use_user_ttys',`
+ allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
+@@ -2572,6 +3243,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
--## Read and write a user domain pty.
+## Read and write a inherited user domain tty.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -2580,7 +3233,25 @@ interface(`userdom_use_user_ttys',`
- ## </summary>
- ## </param>
- #
--interface(`userdom_use_user_ptys',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`userdom_use_inherited_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
@@ -152581,19 +153395,10 @@ index 4b2878a..6a544e3 100644
+
+########################################
+## <summary>
-+## Read and write a user domain pty.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_use_user_ptys',`
- gen_require(`
- type user_devpts_t;
- ')
-@@ -2590,22 +3261,34 @@ interface(`userdom_use_user_ptys',`
+ ## Read and write a user domain pty.
+ ## </summary>
+ ## <param name="domain">
+@@ -2590,22 +3279,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -152636,7 +153441,7 @@ index 4b2878a..6a544e3 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2614,14 +3297,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3315,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -152674,7 +153479,7 @@ index 4b2878a..6a544e3 100644
')
########################################
-@@ -2640,8 +3342,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2640,8 +3360,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -152704,7 +153509,7 @@ index 4b2878a..6a544e3 100644
')
########################################
-@@ -2713,69 +3434,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2713,69 +3452,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -152805,7 +153610,7 @@ index 4b2878a..6a544e3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2783,12 +3503,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2783,12 +3521,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -152820,7 +153625,7 @@ index 4b2878a..6a544e3 100644
')
########################################
-@@ -2852,7 +3572,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3590,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -152829,7 +153634,7 @@ index 4b2878a..6a544e3 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2868,29 +3588,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3606,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -152863,7 +153668,7 @@ index 4b2878a..6a544e3 100644
')
########################################
-@@ -2972,7 +3676,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3694,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -152872,7 +153677,7 @@ index 4b2878a..6a544e3 100644
')
########################################
-@@ -3027,7 +3731,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3749,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -152919,7 +153724,7 @@ index 4b2878a..6a544e3 100644
')
########################################
-@@ -3045,7 +3787,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3805,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -152928,7 +153733,7 @@ index 4b2878a..6a544e3 100644
')
########################################
-@@ -3064,6 +3806,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3824,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -152936,7 +153741,7 @@ index 4b2878a..6a544e3 100644
kernel_search_proc($1)
')
-@@ -3140,6 +3883,42 @@ interface(`userdom_signal_all_users',`
+@@ -3140,6 +3901,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -152979,7 +153784,7 @@ index 4b2878a..6a544e3 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3160,6 +3939,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3957,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -153004,7 +153809,7 @@ index 4b2878a..6a544e3 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3194,3 +3991,1282 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +4009,1282 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8dabc5e..f771c71 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 133%{?dist}
+Release: 134%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,22 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Jun 26 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-134
+- Allow mozilla_plugin execmod on mozilla home files if allow_execmod
+- Allow dovecot_deliver_t to read dovecot_var_run_t
+- Add tomcat policy from F18
+- Allow ldconfig and insmod to manage kdumpctl tmp files
+- Add kdumpctl policy
+- Move thin policy out from cloudform.pp and add a new thin policy files
+- pacemaker needs to communicate with corosync streams
+- abrt is now started on demand by dbus
+- Allow certmonger to talk directly to Dogtag servers
+- Change labeling for /var/lib/cobbler/webui_sessions to httpd_cobbler_rw_content_t
+- Allow mozila_plugin to execute gstreamer home files
+- Allow useradd to delete all file types stored in the users homedir
+- rhsmcertd reads the rpm database
+- Add support for lightdm
+
* Fri Jun 22 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-133
- Dontaudit thumb to setattr on xdm_tmp dirs
- Allow wicd to execute ldconfig
More information about the scm-commits
mailing list