[selinux-policy/f16] * Wed Mar 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-79 - Allow system_mail to send log msgs -
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Mar 7 09:03:25 UTC 2012
commit b3a28adc152fb93da9c146beee6fceda4842f6e9
Author: Miroslav <mgrepl at redhat.com>
Date: Wed Mar 7 09:57:05 2012 +0100
* Wed Mar 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-79
- Allow system_mail to send log msgs
- Add login_userdomain attribute
- Dontaudit logrotate to getattr home content
- Label httpd.event as httpd_exec_t, it is an apache daemon
- Iscsi log file context specification fix
- Allow sssd sys_resource capability
- vsftpd reads network state
- Add labeling for /var/spool/postfix/dev/log
- Allow deltacloud to read kernel sysctl
- Fix virt_use_execmem boolean
policy-F16.patch | 438 +++++++++++++++++++++++++++++----------------------
selinux-policy.spec | 14 ++-
2 files changed, 263 insertions(+), 189 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 7bcb0ec..da8f6b8 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1312,7 +1312,7 @@ index 4f7bd3c..a29af21 100644
- unconfined_domain(kudzu_t)
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..b8152bc 100644
+index 7090dae..1c6d379 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t)
@@ -1351,7 +1351,15 @@ index 7090dae..b8152bc 100644
selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t)
-@@ -102,6 +105,7 @@ files_read_var_lib_files(logrotate_t)
+@@ -85,6 +88,7 @@ auth_use_nsswitch(logrotate_t)
+ # Run helper programs.
+ corecmd_exec_bin(logrotate_t)
+ corecmd_exec_shell(logrotate_t)
++corecmd_getattr_all_executables(logrotate_t)
+
+ domain_signal_all_domains(logrotate_t)
+ domain_use_interactive_fds(logrotate_t)
+@@ -102,6 +106,7 @@ files_read_var_lib_files(logrotate_t)
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
@@ -1359,7 +1367,7 @@ index 7090dae..b8152bc 100644
# cjp: why is this needed?
init_domtrans_script(logrotate_t)
-@@ -116,17 +120,16 @@ miscfiles_read_localization(logrotate_t)
+@@ -116,17 +121,17 @@ miscfiles_read_localization(logrotate_t)
seutil_dontaudit_read_config(logrotate_t)
@@ -1376,6 +1384,7 @@ index 7090dae..b8152bc 100644
-
-mta_send_mail(logrotate_t)
+userdom_dontaudit_list_admin_dir(logrotate_t)
++userdom_dontaudit_getattr_user_home_content(logrotate_t)
ifdef(`distro_debian', `
- allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
@@ -1383,7 +1392,7 @@ index 7090dae..b8152bc 100644
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
-@@ -138,7 +141,7 @@ ifdef(`distro_debian', `
+@@ -138,7 +143,7 @@ ifdef(`distro_debian', `
')
optional_policy(`
@@ -1392,7 +1401,7 @@ index 7090dae..b8152bc 100644
')
optional_policy(`
-@@ -154,6 +157,10 @@ optional_policy(`
+@@ -154,6 +159,10 @@ optional_policy(`
')
optional_policy(`
@@ -1403,7 +1412,7 @@ index 7090dae..b8152bc 100644
asterisk_domtrans(logrotate_t)
')
-@@ -162,10 +169,20 @@ optional_policy(`
+@@ -162,10 +171,20 @@ optional_policy(`
')
optional_policy(`
@@ -1424,7 +1433,7 @@ index 7090dae..b8152bc 100644
cups_domtrans(logrotate_t)
')
-@@ -178,6 +195,10 @@ optional_policy(`
+@@ -178,6 +197,10 @@ optional_policy(`
')
optional_policy(`
@@ -1435,7 +1444,7 @@ index 7090dae..b8152bc 100644
icecast_signal(logrotate_t)
')
-@@ -200,9 +221,12 @@ optional_policy(`
+@@ -200,9 +223,12 @@ optional_policy(`
')
optional_policy(`
@@ -1449,7 +1458,7 @@ index 7090dae..b8152bc 100644
optional_policy(`
samba_exec_log(logrotate_t)
-@@ -228,3 +252,14 @@ optional_policy(`
+@@ -228,3 +254,14 @@ optional_policy(`
optional_policy(`
varnishd_manage_log(logrotate_t)
')
@@ -10704,11 +10713,12 @@ index 0000000..809784d
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..a53f663
+index 0000000..cab7eab
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,489 @@
+@@ -0,0 +1,492 @@
+policy_module(sandbox,1.0.0)
++
+dbus_stub()
+attribute sandbox_domain;
+attribute sandbox_x_domain;
@@ -10750,7 +10760,9 @@ index 0000000..a53f663
+#
+# sandbox xserver policy
+#
-+allow sandbox_xserver_t self:process { execmem execstack };
++
++allow sandbox_xserver_t self:process { execmem execstack signal_perms };
++
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
@@ -25053,7 +25065,7 @@ index deca9d3..ae8c579 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..3f8a147 100644
+index 9e39aa5..5a10781 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,21 +1,30 @@
@@ -25088,7 +25100,7 @@ index 9e39aa5..3f8a147 100644
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -24,16 +33,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+@@ -24,16 +33,18 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -25109,11 +25121,12 @@ index 9e39aa5..3f8a147 100644
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-@@ -43,8 +53,9 @@ ifdef(`distro_suse', `
+@@ -43,8 +54,9 @@ ifdef(`distro_suse', `
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
@@ -25125,7 +25138,7 @@ index 9e39aa5..3f8a147 100644
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -54,9 +65,11 @@ ifdef(`distro_suse', `
+@@ -54,9 +66,11 @@ ifdef(`distro_suse', `
/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -25137,7 +25150,7 @@ index 9e39aa5..3f8a147 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,20 +86,26 @@ ifdef(`distro_suse', `
+@@ -73,20 +87,26 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -25166,7 +25179,7 @@ index 9e39aa5..3f8a147 100644
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -105,7 +124,27 @@ ifdef(`distro_debian', `
+@@ -105,7 +125,27 @@ ifdef(`distro_debian', `
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -30285,10 +30298,10 @@ index 0000000..6451167
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
-index 0000000..54d3487
+index 0000000..e22a32e
--- /dev/null
+++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,227 @@
+@@ -0,0 +1,228 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -30385,6 +30398,7 @@ index 0000000..54d3487
+manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
+
++kernel_read_kernel_sysctls(deltacloudd_t)
+kernel_read_system_state(deltacloudd_t)
+
+corecmd_exec_bin(deltacloudd_t)
@@ -38465,7 +38479,7 @@ index 9d3201b..7da7267 100644
+ ftp_systemctl($1)
')
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..cd27af1 100644
+index 8a74a83..94c1fed 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -40,6 +40,20 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -38566,6 +38580,15 @@ index 8a74a83..cd27af1 100644
# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+@@ -177,7 +206,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+
+ kernel_read_kernel_sysctls(ftpd_t)
+ kernel_read_system_state(ftpd_t)
+-kernel_search_network_state(ftpd_t)
++kernel_read_network_state(ftpd_t)
+
+ dev_read_sysfs(ftpd_t)
+ dev_read_urand(ftpd_t)
@@ -196,9 +225,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
@@ -45384,7 +45407,7 @@ index 343cee3..4099451 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..7ede790 100644
+index 64268e4..705498f 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@@ -45438,7 +45461,7 @@ index 64268e4..7ede790 100644
dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
-@@ -79,9 +71,16 @@ selinux_getattr_fs(system_mail_t)
+@@ -79,9 +71,18 @@ selinux_getattr_fs(system_mail_t)
term_dontaudit_use_unallocated_ttys(system_mail_t)
init_use_script_ptys(system_mail_t)
@@ -45453,10 +45476,12 @@ index 64268e4..7ede790 100644
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
+
+logging_append_all_logs(system_mail_t)
++
++logging_send_syslog_msg(system_mail_t)
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
-@@ -92,14 +91,21 @@ optional_policy(`
+@@ -92,14 +93,21 @@ optional_policy(`
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -45481,7 +45506,7 @@ index 64268e4..7ede790 100644
')
optional_policy(`
-@@ -108,9 +114,15 @@ optional_policy(`
+@@ -108,9 +116,15 @@ optional_policy(`
')
optional_policy(`
@@ -45497,7 +45522,7 @@ index 64268e4..7ede790 100644
')
optional_policy(`
-@@ -124,12 +136,9 @@ optional_policy(`
+@@ -124,12 +138,9 @@ optional_policy(`
')
optional_policy(`
@@ -45512,7 +45537,7 @@ index 64268e4..7ede790 100644
')
optional_policy(`
-@@ -146,6 +155,10 @@ optional_policy(`
+@@ -146,6 +157,10 @@ optional_policy(`
')
optional_policy(`
@@ -45523,7 +45548,7 @@ index 64268e4..7ede790 100644
nagios_read_tmp_files(system_mail_t)
')
-@@ -158,22 +171,13 @@ optional_policy(`
+@@ -158,22 +173,13 @@ optional_policy(`
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
@@ -45549,7 +45574,7 @@ index 64268e4..7ede790 100644
')
optional_policy(`
-@@ -189,6 +193,10 @@ optional_policy(`
+@@ -189,6 +195,10 @@ optional_policy(`
')
optional_policy(`
@@ -45560,7 +45585,7 @@ index 64268e4..7ede790 100644
smartmon_read_tmp_files(system_mail_t)
')
-@@ -199,15 +207,16 @@ optional_policy(`
+@@ -199,15 +209,16 @@ optional_policy(`
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
@@ -45581,7 +45606,7 @@ index 64268e4..7ede790 100644
########################################
#
# Mailserver delivery local policy
-@@ -220,7 +229,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,7 +231,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -45591,7 +45616,7 @@ index 64268e4..7ede790 100644
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -242,6 +252,10 @@ optional_policy(`
+@@ -242,6 +254,10 @@ optional_policy(`
')
optional_policy(`
@@ -45602,7 +45627,7 @@ index 64268e4..7ede790 100644
# so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib(mailserver_delivery)
-@@ -249,16 +263,25 @@ optional_policy(`
+@@ -249,16 +265,25 @@ optional_policy(`
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -45630,7 +45655,7 @@ index 64268e4..7ede790 100644
# Create dead.letter in user home directories.
userdom_manage_user_home_content_files(user_mail_t)
userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -277,14 +300,14 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
+@@ -277,14 +302,14 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
# files in an appropriate place for mta_user_agent
userdom_read_user_tmp_files(mta_user_agent)
@@ -45647,7 +45672,7 @@ index 64268e4..7ede790 100644
# Read user temporary files.
# postfix seems to need write access if the file handle is opened read/write
userdom_rw_user_tmp_files(user_mail_t)
-@@ -292,3 +315,114 @@ optional_policy(`
+@@ -292,3 +317,114 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -51970,7 +51995,7 @@ index 09aeffa..f8a0d88 100644
postgresql_tcp_connect($1)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 4a5387a..acf8ed1 100644
+index 4a5387a..b75ab1c 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,16 +19,16 @@ gen_require(`
@@ -51996,6 +52021,15 @@ index 4a5387a..acf8ed1 100644
## </desc>
gen_tunable(sepgsql_unconfined_dbadm, true)
+@@ -205,7 +205,7 @@ allow postgresql_t self:shm create_shm_perms;
+ allow postgresql_t self:tcp_socket create_stream_socket_perms;
+ allow postgresql_t self:udp_socket create_stream_socket_perms;
+ allow postgresql_t self:unix_dgram_socket create_socket_perms;
+-allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
++allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow postgresql_t self:netlink_selinux_socket create_socket_perms;
+
+ allow postgresql_t sepgsql_database_type:db_database *;
@@ -241,7 +241,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
@@ -61310,7 +61344,7 @@ index 941380a..ce8c972 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..b231b96 100644
+index 8ffa257..d0c7e39 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -17,6 +17,7 @@ files_pid_file(sssd_public_t)
@@ -61327,7 +61361,7 @@ index 8ffa257..b231b96 100644
#
-allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+
-+allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin };
++allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
-allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:fifo_file rw_fifo_file_perms;
@@ -63424,7 +63458,7 @@ index 7c5d8d8..45bac8e 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..a1bc102 100644
+index 3eca020..2cd5679 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,81 @@ policy_module(virt, 1.4.0)
@@ -63990,7 +64024,7 @@ index 3eca020..a1bc102 100644
miscfiles_read_localization(virt_domain)
+tunable_policy(`virt_use_execmem',`
-+ allow virtd_t virt_domain:process { execmem execstack };
++ allow virt_domain virt_domain:process { execmem execstack };
+')
+
optional_policy(`
@@ -67177,7 +67211,7 @@ index c9981d1..d0931f9 100644
corenet_sendrecv_zabbix_agent_client_packets($1)
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
-index 7f88f5f..7d8a06e 100644
+index 7f88f5f..67a111c 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -5,6 +5,13 @@ policy_module(zabbix, 1.3.1)
@@ -67235,7 +67269,7 @@ index 7f88f5f..7d8a06e 100644
# shared memory
rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
-@@ -58,25 +75,55 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+@@ -58,25 +75,54 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
@@ -67266,8 +67300,7 @@ index 7f88f5f..7d8a06e 100644
zabbix_agent_tcp_connect(zabbix_t)
+tunable_policy(`zabbix_can_network',`
-+ corenet_tcp_connect_all_unreserved_ports(zabbix_t)
-+ corenet_tcp_connect_all_ephemeral_ports(zabbix_t)
++ corenet_tcp_connect_all_ports(zabbix_t)
+')
+
optional_policy(`
@@ -67293,7 +67326,7 @@ index 7f88f5f..7d8a06e 100644
########################################
#
# zabbix agent local policy
-@@ -134,3 +181,4 @@ sysnet_dns_name_resolve(zabbix_agent_t)
+@@ -134,3 +180,4 @@ sysnet_dns_name_resolve(zabbix_agent_t)
# Network access to zabbix server
zabbix_tcp_connect(zabbix_agent_t)
@@ -70695,7 +70728,7 @@ index 0d4c8d3..9d66bf7 100644
########################################
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 55a6cd8..2af2952 100644
+index 55a6cd8..46835a9 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -80,6 +80,8 @@ allow ipsec_t self:udp_socket create_socket_perms;
@@ -70707,7 +70740,7 @@ index 55a6cd8..2af2952 100644
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
-@@ -128,13 +130,13 @@ corecmd_exec_bin(ipsec_t)
+@@ -128,19 +130,21 @@ corecmd_exec_bin(ipsec_t)
# Pluto needs network access
corenet_all_recvfrom_unlabeled(ipsec_t)
@@ -70727,7 +70760,15 @@ index 55a6cd8..2af2952 100644
corenet_tcp_bind_reserved_port(ipsec_t)
corenet_tcp_bind_isakmp_port(ipsec_t)
corenet_udp_bind_isakmp_port(ipsec_t)
-@@ -156,6 +158,8 @@ files_dontaudit_search_home(ipsec_t)
+ corenet_udp_bind_ipsecnat_port(ipsec_t)
+ corenet_sendrecv_generic_server_packets(ipsec_t)
+ corenet_sendrecv_isakmp_server_packets(ipsec_t)
++corenet_tcp_connect_http_port(ipsec_t)
++corenet_tcp_connect_ldap_port(ipsec_t)
+
+ dev_read_sysfs(ipsec_t)
+ dev_read_rand(ipsec_t)
+@@ -156,6 +160,8 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
@@ -70736,7 +70777,7 @@ index 55a6cd8..2af2952 100644
term_use_console(ipsec_t)
term_dontaudit_use_all_ttys(ipsec_t)
-@@ -169,6 +173,8 @@ logging_send_syslog_msg(ipsec_t)
+@@ -169,6 +175,8 @@ logging_send_syslog_msg(ipsec_t)
miscfiles_read_localization(ipsec_t)
sysnet_domtrans_ifconfig(ipsec_t)
@@ -70745,7 +70786,7 @@ index 55a6cd8..2af2952 100644
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -245,6 +251,19 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -245,6 +253,19 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -70765,7 +70806,7 @@ index 55a6cd8..2af2952 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -277,9 +296,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -277,9 +298,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -70777,7 +70818,7 @@ index 55a6cd8..2af2952 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -297,7 +317,7 @@ sysnet_manage_config(ipsec_mgmt_t)
+@@ -297,7 +319,7 @@ sysnet_manage_config(ipsec_mgmt_t)
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
sysnet_etc_filetrans_config(ipsec_mgmt_t)
@@ -70786,7 +70827,7 @@ index 55a6cd8..2af2952 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -324,10 +344,6 @@ optional_policy(`
+@@ -324,10 +346,6 @@ optional_policy(`
modutils_domtrans_insmod(ipsec_mgmt_t)
')
@@ -70797,7 +70838,7 @@ index 55a6cd8..2af2952 100644
ifdef(`TODO',`
# ideally it would not need this. It wants to write to /root/.rnd
file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
-@@ -377,12 +393,12 @@ corecmd_exec_shell(racoon_t)
+@@ -377,12 +395,12 @@ corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
corenet_all_recvfrom_unlabeled(racoon_t)
@@ -70816,7 +70857,7 @@ index 55a6cd8..2af2952 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -411,6 +427,8 @@ miscfiles_read_localization(racoon_t)
+@@ -411,6 +429,8 @@ miscfiles_read_localization(racoon_t)
sysnet_exec_ifconfig(racoon_t)
@@ -70825,7 +70866,7 @@ index 55a6cd8..2af2952 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -448,5 +466,6 @@ miscfiles_read_localization(setkey_t)
+@@ -448,5 +468,6 @@ miscfiles_read_localization(setkey_t)
seutil_read_config(setkey_t)
@@ -71013,7 +71054,7 @@ index f3e1b57..d7fd7fb 100644
')
diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc
-index 14d9670..56960ca 100644
+index 14d9670..57d9b88 100644
--- a/policy/modules/system/iscsi.fc
+++ b/policy/modules/system/iscsi.fc
@@ -1,7 +1,12 @@
@@ -71026,7 +71067,7 @@ index 14d9670..56960ca 100644
/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
+
/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
-+/var/log/iscsiuio\.log.* gen_context(system_u:object_r:iscsi_log_t,s0)
++/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
+
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
@@ -71928,7 +71969,7 @@ index a0b379d..bf90918 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..cd16709 100644
+index 02f4c97..7470a2e 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,6 +17,13 @@
@@ -71954,7 +71995,16 @@ index 02f4c97..cd16709 100644
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-@@ -73,4 +80,8 @@ ifdef(`distro_redhat',`
+@@ -54,6 +61,8 @@ ifndef(`distro_gentoo',`
+ ifdef(`distro_redhat',`
+ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
+ /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
++/var/spool/postfix/dev -d gen_context(system_u:object_r:var_log_t,s0)
++/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
+ ')
+
+ /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
+@@ -73,4 +82,8 @@ ifdef(`distro_redhat',`
/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -77681,7 +77731,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..e03d9fb 100644
+index 4b2878a..88476fe 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -78515,15 +78565,22 @@ index 4b2878a..e03d9fb 100644
')
')
-@@ -712,13 +875,26 @@ template(`userdom_login_user_template', `
+@@ -708,17 +871,33 @@ template(`userdom_common_user_template',`
+ template(`userdom_login_user_template', `
+ gen_require(`
+ class context contains;
++ attribute login_userdomain;
+ ')
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
-+ userdom_manage_home_role($1_r, $1_usertype)
++ typeattribute $1_t login_userdomain;
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
++ userdom_manage_home_role($1_r, $1_usertype)
++
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
+
@@ -78547,7 +78604,7 @@ index 4b2878a..e03d9fb 100644
userdom_change_password_template($1)
-@@ -736,72 +912,80 @@ template(`userdom_login_user_template', `
+@@ -736,72 +915,80 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -78661,7 +78718,7 @@ index 4b2878a..e03d9fb 100644
')
')
-@@ -833,6 +1017,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1020,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -78671,7 +78728,7 @@ index 4b2878a..e03d9fb 100644
##############################
#
# Local policy
-@@ -874,45 +1061,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1064,118 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -78740,37 +78797,36 @@ index 4b2878a..e03d9fb 100644
+ dbus_role_template($1, $1_r, $1_usertype)
+ dbus_system_bus_client($1_usertype)
+ allow $1_usertype $1_usertype:dbus send_msg;
-+
-+ optional_policy(`
+
+ optional_policy(`
+- consolekit_dbus_chat($1_t)
+ abrt_dbus_chat($1_usertype)
+ abrt_run_helper($1_usertype, $1_r)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- cups_dbus_chat($1_t)
+ consolekit_dontaudit_read_log($1_usertype)
+ consolekit_dbus_chat($1_usertype)
-+ ')
+ ')
+
+ optional_policy(`
+ cups_dbus_chat($1_usertype)
+ cups_dbus_chat_config($1_usertype)
+ ')
-
- optional_policy(`
-- consolekit_dbus_chat($1_t)
++
++ optional_policy(`
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
- ')
-
- optional_policy(`
-- cups_dbus_chat($1_t)
++ ')
++
++ optional_policy(`
+ fprintd_dbus_chat($1_t)
- ')
- ')
-
- optional_policy(`
-- java_role($1_r, $1_t)
++ ')
++ ')
++
++ optional_policy(`
+ openoffice_role_template($1, $1_r, $1_usertype)
+ ')
+
@@ -78782,9 +78838,10 @@ index 4b2878a..e03d9fb 100644
+ pulseaudio_role($1_r, $1_usertype)
+ pulseaudio_filetrans_admin_home_content($1_usertype)
+ pulseaudio_filetrans_home_content($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- java_role($1_r, $1_t)
+ rtkit_scheduled($1_usertype)
')
@@ -78801,7 +78858,7 @@ index 4b2878a..e03d9fb 100644
')
')
-@@ -947,7 +1207,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1210,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -78810,7 +78867,7 @@ index 4b2878a..e03d9fb 100644
userdom_common_user_template($1)
##############################
-@@ -956,12 +1216,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1219,15 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -78828,7 +78885,7 @@ index 4b2878a..e03d9fb 100644
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
-@@ -978,23 +1241,72 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1244,72 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -78879,11 +78936,9 @@ index 4b2878a..e03d9fb 100644
+
+ optional_policy(`
+ gpm_stream_connect($1_usertype)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ execmem_role_template($1, $1_r, $1_t)
+ ')
+
@@ -78902,15 +78957,17 @@ index 4b2878a..e03d9fb 100644
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
-@@ -1003,7 +1315,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1318,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -78921,7 +78978,7 @@ index 4b2878a..e03d9fb 100644
')
')
-@@ -1039,7 +1353,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1356,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -78930,7 +78987,7 @@ index 4b2878a..e03d9fb 100644
')
##############################
-@@ -1066,6 +1380,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1383,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -78938,7 +78995,7 @@ index 4b2878a..e03d9fb 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1389,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1392,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -78948,7 +79005,7 @@ index 4b2878a..e03d9fb 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1406,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1409,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -78956,7 +79013,7 @@ index 4b2878a..e03d9fb 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1424,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1427,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -78970,7 +79027,7 @@ index 4b2878a..e03d9fb 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,29 +1441,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1444,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -79013,7 +79070,7 @@ index 4b2878a..e03d9fb 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1482,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1485,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -79022,7 +79079,7 @@ index 4b2878a..e03d9fb 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1543,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1546,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -79031,7 +79088,7 @@ index 4b2878a..e03d9fb 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,8 +1557,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1560,9 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -79042,7 +79099,7 @@ index 4b2878a..e03d9fb 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1234,13 +1570,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1573,24 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -79071,7 +79128,7 @@ index 4b2878a..e03d9fb 100644
')
optional_policy(`
-@@ -1251,12 +1598,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1601,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
@@ -79087,7 +79144,7 @@ index 4b2878a..e03d9fb 100644
')
optional_policy(`
-@@ -1279,50 +1626,99 @@ template(`userdom_security_admin_template',`
+@@ -1279,49 +1629,98 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -79156,7 +79213,6 @@ index 4b2878a..e03d9fb 100644
')
- allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
--')
+ typeattribute $1 user_tmpfs_type;
+
+ files_tmpfs_file($1)
@@ -79198,11 +79254,10 @@ index 4b2878a..e03d9fb 100644
+ ')
+
+ allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
-+')
+ ')
########################################
- ## <summary>
-@@ -1395,6 +1791,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1794,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -79210,7 +79265,7 @@ index 4b2878a..e03d9fb 100644
files_search_home($1)
')
-@@ -1441,6 +1838,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1841,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -79225,7 +79280,7 @@ index 4b2878a..e03d9fb 100644
')
########################################
-@@ -1456,9 +1861,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1864,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -79237,7 +79292,7 @@ index 4b2878a..e03d9fb 100644
')
########################################
-@@ -1515,6 +1922,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1925,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -79280,7 +79335,7 @@ index 4b2878a..e03d9fb 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1589,6 +2032,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2035,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -79289,7 +79344,7 @@ index 4b2878a..e03d9fb 100644
')
########################################
-@@ -1603,10 +2048,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2051,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -79304,7 +79359,7 @@ index 4b2878a..e03d9fb 100644
')
########################################
-@@ -1649,6 +2096,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2099,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -79348,7 +79403,7 @@ index 4b2878a..e03d9fb 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1668,6 +2152,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2155,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -79374,7 +79429,7 @@ index 4b2878a..e03d9fb 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1698,14 +2201,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1698,14 +2204,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -79412,7 +79467,7 @@ index 4b2878a..e03d9fb 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2241,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2244,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -79430,7 +79485,7 @@ index 4b2878a..e03d9fb 100644
')
########################################
-@@ -1779,6 +2307,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2310,60 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -79491,7 +79546,7 @@ index 4b2878a..e03d9fb 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1810,8 +2392,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2395,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -79501,7 +79556,7 @@ index 4b2878a..e03d9fb 100644
')
########################################
-@@ -1827,21 +2408,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2411,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -79515,19 +79570,18 @@ index 4b2878a..e03d9fb 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
-
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-- ')
-')
--
+
########################################
## <summary>
- ## Do not audit attempts to execute user home files.
-@@ -1941,6 +2516,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2519,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
@@ -79552,7 +79606,7 @@ index 4b2878a..e03d9fb 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
-@@ -2008,7 +2601,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2604,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -79561,7 +79615,7 @@ index 4b2878a..e03d9fb 100644
files_search_home($1)
')
-@@ -2039,7 +2632,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2635,7 @@ interface(`userdom_user_home_content_filetrans',`
type user_home_dir_t, user_home_t;
')
@@ -79570,7 +79624,7 @@ index 4b2878a..e03d9fb 100644
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
-@@ -2158,11 +2751,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2158,11 +2754,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -79585,7 +79639,7 @@ index 4b2878a..e03d9fb 100644
files_search_tmp($1)
')
-@@ -2182,7 +2775,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2778,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -79594,7 +79648,7 @@ index 4b2878a..e03d9fb 100644
')
########################################
-@@ -2390,7 +2983,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2986,7 @@ interface(`userdom_user_tmp_filetrans',`
type user_tmp_t;
')
@@ -79603,7 +79657,7 @@ index 4b2878a..e03d9fb 100644
files_search_tmp($1)
')
-@@ -2419,6 +3012,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +3015,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2)
')
@@ -79629,7 +79683,7 @@ index 4b2878a..e03d9fb 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2435,13 +3047,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3050,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -79645,7 +79699,7 @@ index 4b2878a..e03d9fb 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,7 +3075,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3078,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -79654,7 +79708,7 @@ index 4b2878a..e03d9fb 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2470,14 +3083,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,14 +3086,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -79689,7 +79743,7 @@ index 4b2878a..e03d9fb 100644
')
########################################
-@@ -2572,7 +3201,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3204,7 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -79698,7 +79752,7 @@ index 4b2878a..e03d9fb 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2580,33 +3209,63 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,48 +3212,97 @@ interface(`userdom_use_user_ttys',`
## </summary>
## </param>
#
@@ -79733,18 +79787,23 @@ index 4b2878a..e03d9fb 100644
-## not be allowed for non-interactive domains.
-## </p>
-## </desc>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <infoflow type="both" weight="10"/>
+ #
+-interface(`userdom_use_user_terminals',`
+interface(`userdom_use_user_ptys',`
-+ gen_require(`
+ gen_require(`
+- type user_tty_device_t, user_devpts_t;
+ type user_devpts_t;
-+ ')
-+
-+ allow $1 user_devpts_t:chr_file rw_term_perms;
+ ')
+
+- allow $1 user_tty_device_t:chr_file rw_term_perms;
+ allow $1 user_devpts_t:chr_file rw_term_perms;
+- term_list_ptys($1)
+')
+
+########################################
@@ -79778,22 +79837,18 @@ index 4b2878a..e03d9fb 100644
+## access.
+## </p>
+## </desc>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
-@@ -2614,14 +3273,33 @@ interface(`userdom_use_user_ptys',`
- ## </param>
- ## <infoflow type="both" weight="10"/>
- #
--interface(`userdom_use_user_terminals',`
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <infoflow type="both" weight="10"/>
++#
+interface(`userdom_use_inherited_user_terminals',`
- gen_require(`
- type user_tty_device_t, user_devpts_t;
- ')
-
-- allow $1 user_tty_device_t:chr_file rw_term_perms;
-- allow $1 user_devpts_t:chr_file rw_term_perms;
-- term_list_ptys($1)
++ gen_require(`
++ type user_tty_device_t, user_devpts_t;
++ ')
++
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
@@ -79819,7 +79874,7 @@ index 4b2878a..e03d9fb 100644
')
########################################
-@@ -2640,8 +3318,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2640,8 +3321,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -79849,7 +79904,7 @@ index 4b2878a..e03d9fb 100644
')
########################################
-@@ -2713,6 +3410,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2713,6 +3413,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -79874,7 +79929,7 @@ index 4b2878a..e03d9fb 100644
########################################
## <summary>
## Execute an Xserver session in all unprivileged user domains. This
-@@ -2736,24 +3451,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2736,24 +3454,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -79899,7 +79954,7 @@ index 4b2878a..e03d9fb 100644
########################################
## <summary>
## Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3469,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2772,25 +3472,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@@ -79925,7 +79980,7 @@ index 4b2878a..e03d9fb 100644
########################################
## <summary>
## Manage unpriviledged user SysV shared
-@@ -2852,7 +3530,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3533,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -79934,7 +79989,7 @@ index 4b2878a..e03d9fb 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2868,29 +3546,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3549,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -79968,7 +80023,7 @@ index 4b2878a..e03d9fb 100644
')
########################################
-@@ -2972,7 +3634,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3637,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -79977,7 +80032,7 @@ index 4b2878a..e03d9fb 100644
')
########################################
-@@ -3027,7 +3689,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3692,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -80024,7 +80079,7 @@ index 4b2878a..e03d9fb 100644
')
########################################
-@@ -3045,7 +3745,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3748,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -80033,7 +80088,7 @@ index 4b2878a..e03d9fb 100644
')
########################################
-@@ -3064,6 +3764,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3767,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -80041,7 +80096,7 @@ index 4b2878a..e03d9fb 100644
kernel_search_proc($1)
')
-@@ -3142,6 +3843,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3846,24 @@ interface(`userdom_signal_all_users',`
########################################
## <summary>
@@ -80066,7 +80121,7 @@ index 4b2878a..e03d9fb 100644
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
-@@ -3160,6 +3879,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3882,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -80091,7 +80146,7 @@ index 4b2878a..e03d9fb 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3194,3 +3931,1165 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3934,1165 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -81258,7 +81313,7 @@ index 4b2878a..e03d9fb 100644
+ #')
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..d6c3860 100644
+index 9b4a930..107f262 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@@ -81270,7 +81325,7 @@ index 9b4a930..d6c3860 100644
## </p>
## </desc>
gen_tunable(allow_user_mysql_connect, false)
-@@ -43,6 +43,20 @@ gen_tunable(user_rw_noexattrfile, false)
+@@ -43,12 +43,27 @@ gen_tunable(user_rw_noexattrfile, false)
## <desc>
## <p>
@@ -81291,7 +81346,14 @@ index 9b4a930..d6c3860 100644
## Allow w to display everyone
## </p>
## </desc>
-@@ -59,6 +73,19 @@ attribute unpriv_userdomain;
+ gen_tunable(user_ttyfile_stat, false)
+
+ attribute admindomain;
++attribute login_userdomain;
+
+ # all user domains
+ attribute userdomain;
+@@ -59,6 +74,19 @@ attribute unpriv_userdomain;
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;
@@ -81311,7 +81373,7 @@ index 9b4a930..d6c3860 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +98,77 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +99,77 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2479833..53d8324 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 78%{?dist}
+Release: 79%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,18 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Mar 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-79
+- Allow system_mail to send log msgs
+- Add login_userdomain attribute
+- Dontaudit logrotate to getattr home content
+- Label httpd.event as httpd_exec_t, it is an apache daemon
+- Iscsi log file context specification fix
+- Allow sssd sys_resource capability
+- vsftpd reads network state
+- Add labeling for /var/spool/postfix/dev/log
+- Allow deltacloud to read kernel sysctl
+- Fix virt_use_execmem boolean
+
* Wed Feb 29 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-78
- Allow memcache to create sock_file
More information about the scm-commits
mailing list