[selinux-policy/f17] * Mon Mar 12 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-99 - Back port some of the access that w

Miroslav Grepl mgrepl at fedoraproject.org
Mon Mar 12 15:38:24 UTC 2012


commit af596d9df94b47d404c2a5ce39d296930a1f6687
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Mar 12 16:38:09 2012 +0100

    * Mon Mar 12 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-99
    - Back port some of the access that was allowed in nsplugin_t
    - Add definitions for couchdb ports
    - Allow nagios to use inherited users ttys
    - Add git support for mock
    - Allow inetd to use rdate port
    - Add own type for rdate port
    - Allow samba to act as a portmapper
    - Dontaudit chrome_sandbox attempts to getattr on chr_files in /dev
    - New fixes needed for samba4
    - Allow apps that use lib_t to read lib_t symlinks

 modules-targeted.conf |    7 -
 policy-F16.patch      | 1004 ++++++++++++++++++++++++++++++++++++-------------
 selinux-policy.spec   |   14 +-
 3 files changed, 750 insertions(+), 275 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 1cb3121..febad56 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -730,13 +730,6 @@ hddtemp = module
 # 
 passenger = module
 
-# Layer: admin
-# Module: permissivedomains 
-#
-# Contains all permissivedomains shipped by distribution
-# 
-permissivedomains = module
-
 # Layer: services
 # Module: policykit
 #
diff --git a/policy-F16.patch b/policy-F16.patch
index d765251..b812efe 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -57984,12 +57984,19 @@ index ec29391..28c9672 100644
  
  optional_policy(`
 diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
-index 407078f..b5a91f8 100644
+index 407078f..41c9b24 100644
 --- a/policy/modules/admin/netutils.fc
 +++ b/policy/modules/admin/netutils.fc
-@@ -6,9 +6,12 @@
+@@ -1,14 +1,18 @@
+ /bin/ping.* 		--	gen_context(system_u:object_r:ping_exec_t,s0)
+-/bin/tracepath.*		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
++/bin/tracepath.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+ 
+ /sbin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
  
  /usr/bin/lft		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
++/usr/bin/mtr		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
  /usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 +/usr/bin/ping.* 	--	gen_context(system_u:object_r:ping_exec_t,s0)
 +/usr/bin/tracepath.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
@@ -58235,114 +58242,6 @@ index 3470036..41f736e 100644
 +	puppet_search_log(passenger_t)
 +	puppet_search_pid(passenger_t)
 +')
-diff --git a/policy/modules/admin/permissivedomains.fc b/policy/modules/admin/permissivedomains.fc
-new file mode 100644
-index 0000000..6e6a8fc
---- /dev/null
-+++ b/policy/modules/admin/permissivedomains.fc
-@@ -0,0 +1 @@
-+# No file contexts 
-diff --git a/policy/modules/admin/permissivedomains.if b/policy/modules/admin/permissivedomains.if
-new file mode 100644
-index 0000000..bd83148
---- /dev/null
-+++ b/policy/modules/admin/permissivedomains.if
-@@ -0,0 +1 @@
-+## <summary>No Interfaces</summary>
-diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
-new file mode 100644
-index 0000000..ef49e10
---- /dev/null
-+++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,88 @@
-+policy_module(permissivedomains,17)
-+
-+
-+optional_policy(`
-+	gen_require(`
-+		type blueman_t;
-+	')
-+
-+	permissive blueman_t;
-+')
-+
-+optional_policy(`
-+	gen_require(`
-+		type httpd_zoneminder_script_t, zoneminder_t;
-+	')
-+
-+	permissive httpd_zoneminder_script_t;
-+	permissive zoneminder_t;
-+')
-+
-+optional_policy(`
-+    gen_require(`
-+        type selinux_munin_plugin_t;
-+    ')
-+
-+	permissive selinux_munin_plugin_t;
-+')
-+
-+optional_policy(`
-+    gen_require(`
-+        type dnssec_trigger_t;
-+    ')
-+
-+    permissive dnssec_trigger_t;
-+')
-+
-+
-+optional_policy(`
-+    gen_require(`
-+        type obex_t;
-+    ')
-+
-+    permissive obex_t;
-+')
-+
-+optional_policy(`
-+    gen_require(`
-+        type sge_shepherd_t;
-+		type sge_execd_t;
-+		type sge_job_t;
-+    ')
-+
-+	permissive sge_shepherd_t;
-+	permissive sge_execd_t;
-+	permissive sge_job_t;
-+
-+')
-+
-+optional_policy(`
-+    gen_require(`
-+		type matahari_rpcd_t;
-+	')
-+
-+	permissive matahari_rpcd_t;
-+
-+')
-+
-+optional_policy(`
-+    gen_require(`
-+		type keystone_t;
-+	')
-+
-+	permissive keystone_t;
-+')
-+
-+optional_policy(`
-+    gen_require(`
-+		type pacemaker_t;
-+	')
-+
-+	permissive pacemaker_t;
-+')
-+
-+optional_policy(`
-+	gen_require(`
-+		type nova_cert_t;
-+	')
-+')
 diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
 index db46387..b665b08 100644
 --- a/policy/modules/admin/portage.fc
@@ -60990,10 +60889,10 @@ index 0000000..5901e21
 +/usr/lib/chromium-browser/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
 diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
 new file mode 100644
-index 0000000..1553356
+index 0000000..efebae7
 --- /dev/null
 +++ b/policy/modules/apps/chrome.if
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,134 @@
 +
 +## <summary>policy for chrome</summary>
 +
@@ -61081,6 +60980,7 @@ index 0000000..1553356
 +	allow chrome_sandbox_t $2:unix_dgram_socket { read write };
 +	allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
 +	allow chrome_sandbox_t $2:unix_stream_socket { getattr read write };
++	dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
 +	allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write };
 +	allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
 +	allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
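Review bot: The added `dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;` carries no comment saying which denial it is meant to silence, and the same applies to `dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)` in the chrome.te hunk and to `dontaudit mozilla_plugin_t self:capability { sys_nice sys_tty_config };` in the mozilla.te hunk. A dontaudit removes the audit record for that access, so a later reviewer cannot tell from the policy whether the suppression is still needed or is now masking a real problem. A one-line comment above each rule naming the observed denial and, where one exists, the bug reference — for example `# dontaudit: <observed denial / bug reference placeholder>` — would keep that rationale with the rule.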
@@ -61129,10 +61029,10 @@ index 0000000..1553356
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..8e139c2
+index 0000000..6f05817
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,182 @@
+@@ -0,0 +1,183 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -61206,6 +61106,7 @@ index 0000000..8e139c2
 +dev_read_urand(chrome_sandbox_t)
 +dev_read_sysfs(chrome_sandbox_t)
 +dev_rwx_zero(chrome_sandbox_t)
++dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
 +
 +files_read_etc_files(chrome_sandbox_t)
 +files_read_usr_files(chrome_sandbox_t)
@@ -63154,7 +63055,7 @@ index f5afe78..0932ebe 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 +')
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..e018c27 100644
+index 2505654..70bc435 100644
 --- a/policy/modules/apps/gnome.te
 +++ b/policy/modules/apps/gnome.te
 @@ -6,11 +6,31 @@ policy_module(gnome, 2.1.0)
@@ -63225,7 +63126,7 @@ index 2505654..e018c27 100644
  ##############################
  #
  # Local Policy
-@@ -75,3 +116,153 @@ optional_policy(`
+@@ -75,3 +116,152 @@ optional_policy(`
  	xserver_use_xdm_fds(gconfd_t)
  	xserver_rw_xdm_pipes(gconfd_t)
  ')
@@ -63378,7 +63279,6 @@ index 2505654..e018c27 100644
 +domain_use_interactive_fds(gnomedomain)
 +
 +userdom_use_inherited_user_terminals(gnomedomain)
-+
 diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc
 index e9853d4..6864b58 100644
 --- a/policy/modules/apps/gpg.fc
@@ -64508,7 +64408,7 @@ index fbb5c5a..094d03b 100644
 +')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..859b089 100644
+index 2e9318b..ac078ba 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -64619,11 +64519,12 @@ index 2e9318b..859b089 100644
  #
  
 -dontaudit mozilla_plugin_t self:capability { sys_ptrace };
-+dontaudit mozilla_plugin_t self:capability sys_nice;
-+
- allow mozilla_plugin_t self:process { setsched signal_perms execmem };
+-allow mozilla_plugin_t self:process { setsched signal_perms execmem };
 -allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
 -allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
++dontaudit mozilla_plugin_t self:capability { sys_nice sys_tty_config };
++
++allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem };
 +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
  allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
  allow mozilla_plugin_t self:udp_socket create_socket_perms;
@@ -69164,10 +69065,10 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..6d61e8b 100644
+index 3fae11a..7f7c853 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
-@@ -1,7 +1,7 @@
+@@ -1,9 +1,10 @@
  #
  # /bin
  #
@@ -69175,8 +69076,11 @@ index 3fae11a..6d61e8b 100644
 +/bin					gen_context(system_u:object_r:bin_t,s0)
  /bin/.*					gen_context(system_u:object_r:bin_t,s0)
  /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
++/bin/esh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -71,6 +71,13 @@ ifdef(`distro_redhat',`
+ /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -71,6 +72,13 @@ ifdef(`distro_redhat',`
  /etc/kde/env(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
@@ -69190,7 +69094,7 @@ index 3fae11a..6d61e8b 100644
  /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
  /etc/mcelog/cache-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
  /etc/mcelog/triggers(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -97,8 +104,6 @@ ifdef(`distro_redhat',`
+@@ -97,8 +105,6 @@ ifdef(`distro_redhat',`
  
  /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
  
@@ -69199,7 +69103,7 @@ index 3fae11a..6d61e8b 100644
  /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -130,18 +135,14 @@ ifdef(`distro_debian',`
+@@ -130,18 +136,14 @@ ifdef(`distro_debian',`
  
  /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -69220,7 +69124,7 @@ index 3fae11a..6d61e8b 100644
  
  /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -152,7 +153,7 @@ ifdef(`distro_gentoo',`
+@@ -152,7 +154,7 @@ ifdef(`distro_gentoo',`
  #
  # /sbin
  #
@@ -69229,7 +69133,7 @@ index 3fae11a..6d61e8b 100644
  /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
  /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
  /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +169,7 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +170,7 @@ ifdef(`distro_gentoo',`
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -69237,7 +69141,7 @@ index 3fae11a..6d61e8b 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -179,67 +181,92 @@ ifdef(`distro_gentoo',`
+@@ -179,67 +182,93 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -69252,6 +69156,7 @@ index 3fae11a..6d61e8b 100644
 -/usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/.*					gen_context(system_u:object_r:bin_t,s0)
 +/usr/bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/esh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -69375,7 +69280,7 @@ index 3fae11a..6d61e8b 100644
  
  /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -247,11 +274,18 @@ ifdef(`distro_gentoo',`
+@@ -247,11 +276,18 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -69395,7 +69300,7 @@ index 3fae11a..6d61e8b 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -267,6 +301,10 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +303,10 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -69406,7 +69311,7 @@ index 3fae11a..6d61e8b 100644
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,15 +324,19 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +326,19 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -69427,7 +69332,7 @@ index 3fae11a..6d61e8b 100644
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +348,11 @@ ifdef(`distro_redhat', `
+@@ -306,10 +350,11 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -69441,7 +69346,7 @@ index 3fae11a..6d61e8b 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +362,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +364,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -69453,7 +69358,7 @@ index 3fae11a..6d61e8b 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,20 +408,21 @@ ifdef(`distro_redhat', `
+@@ -363,20 +410,21 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -69479,7 +69384,7 @@ index 3fae11a..6d61e8b 100644
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +431,12 @@ ifdef(`distro_suse', `
+@@ -385,3 +433,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -69493,10 +69398,26 @@ index 3fae11a..6d61e8b 100644
 +/usr/lib/virtualbox/VBoxManage		--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/yp/.+				--	gen_context(system_u:object_r:bin_t,s0)
 diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..650e796 100644
+index 9e9263a..b31e6da 100644
 --- a/policy/modules/kernel/corecommands.if
 +++ b/policy/modules/kernel/corecommands.if
-@@ -203,7 +203,7 @@ interface(`corecmd_getattr_bin_files',`
+@@ -122,6 +122,7 @@ interface(`corecmd_search_bin',`
+ 		type bin_t;
+ 	')
+ 
++	corecmd_read_bin_symlinks(bin_t)
+ 	search_dirs_pattern($1, bin_t, bin_t)
+ ')
+ 
+@@ -158,6 +159,7 @@ interface(`corecmd_list_bin',`
+ 		type bin_t;
+ 	')
+ 
++	corecmd_read_bin_symlinks(bin_t)
+ 	list_dirs_pattern($1, bin_t, bin_t)
+ ')
+ 
+@@ -203,7 +205,7 @@ interface(`corecmd_getattr_bin_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -69505,7 +69426,15 @@ index 9e9263a..650e796 100644
  ##	</summary>
  ## </param>
  #
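Review bot: `corecmd_read_bin_symlinks(bin_t)` on the two added lines in corecmd_search_bin and corecmd_list_bin passes the file type bin_t where the interface takes the calling domain (its own doc block in the next hunk names the parameter `domain`), so the generated rule has bin_t as its source and the caller still receives no lnk_file access on bin_t. The same argument is repeated in the two following corecommands.if hunks for corecmd_read_bin_files, corecmd_read_bin_pipes, corecmd_read_bin_sockets, corecmd_manage_bin_files and corecmd_mmap_bin_files. Each call should use `$1`, and since this module owns bin_t the usual refpolicy form is the pattern itself, `read_lnk_files_pattern($1, bin_t, bin_t)`, rather than a call to a sibling interface. Once corrected, every caller of corecmd_search_bin and the other listed interfaces also gains symlink reads in bin directories, which appears to be the intent of the changelog entry about lib_t symlinks but widens a very widely used interface, so that should be a deliberate choice.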
-@@ -254,6 +254,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
+@@ -231,6 +233,7 @@ interface(`corecmd_read_bin_files',`
+ 		type bin_t;
+ 	')
+ 
++	corecmd_read_bin_symlinks(bin_t)
+ 	read_files_pattern($1, bin_t, bin_t)
+ ')
+ 
+@@ -254,6 +257,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
  
  ########################################
  ## <summary>
@@ -69530,7 +69459,39 @@ index 9e9263a..650e796 100644
  ##	Read symbolic links in bin directories.
  ## </summary>
  ## <param name="domain">
-@@ -954,6 +972,24 @@ interface(`corecmd_exec_chroot',`
+@@ -285,6 +306,7 @@ interface(`corecmd_read_bin_pipes',`
+ 		type bin_t;
+ 	')
+ 
++	corecmd_read_bin_symlinks(bin_t)
+ 	read_fifo_files_pattern($1, bin_t, bin_t)
+ ')
+ 
+@@ -303,6 +325,7 @@ interface(`corecmd_read_bin_sockets',`
+ 		type bin_t;
+ 	')
+ 
++	corecmd_read_bin_symlinks(bin_t)
+ 	read_sock_files_pattern($1, bin_t, bin_t)
+ ')
+ 
+@@ -362,6 +385,7 @@ interface(`corecmd_manage_bin_files',`
+ 		type bin_t;
+ 	')
+ 
++	corecmd_read_bin_symlinks(bin_t)
+ 	manage_files_pattern($1, bin_t, bin_t)
+ ')
+ 
+@@ -398,6 +422,7 @@ interface(`corecmd_mmap_bin_files',`
+ 		type bin_t;
+ 	')
+ 
++	corecmd_read_bin_symlinks(bin_t)
+ 	mmap_files_pattern($1, bin_t, bin_t)
+ ')
+ 
+@@ -954,6 +979,24 @@ interface(`corecmd_exec_chroot',`
  
  ########################################
  ## <summary>
@@ -69555,7 +69516,7 @@ index 9e9263a..650e796 100644
  ##	Get the attributes of all executable files.
  ## </summary>
  ## <param name="domain">
-@@ -1049,6 +1085,7 @@ interface(`corecmd_manage_all_executables',`
+@@ -1049,6 +1092,7 @@ interface(`corecmd_manage_all_executables',`
  		type bin_t;
  	')
  
@@ -70955,7 +70916,7 @@ index 4f3b542..1552f90 100644
 +	dev_filetrans($1, ppp_device_t, chr_file, "ppp")
 +')
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..9456824 100644
+index 99b71cb..5ae71f9 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,15 @@ attribute netif_type;
@@ -71019,7 +70980,7 @@ index 99b71cb..9456824 100644
  # reserved_port_t is the type of INET port numbers below 1024.
  #
  type reserved_port_t, port_type, reserved_port_type;
-@@ -65,30 +93,37 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+@@ -65,30 +93,38 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
  type server_packet_t, packet_type, server_packet_type;
  
  network_port(afs_bos, udp,7007,s0)
@@ -71054,11 +71015,12 @@ index 99b71cb..9456824 100644
  network_port(cobbler, tcp,25151,s0)
 +network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0)
  network_port(comsat, udp,512,s0)
++network_port(couchdb, tcp,5984,s0, udp,5984,s0)
 +network_port(ctdb, tcp,4379,s0, udp,4379,s0)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
  network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -99,14 +134,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -99,14 +135,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
@@ -71082,7 +71044,7 @@ index 99b71cb..9456824 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -115,11 +159,13 @@ network_port(hddtemp, tcp,7634,s0)
+@@ -115,11 +160,13 @@ network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -71091,14 +71053,14 @@ index 99b71cb..9456824 100644
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
 -network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
++network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
  network_port(innd, tcp,119,s0)
 +network_port(interwise, tcp,7778,s0, udp,7778,s0)
 +network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
  network_port(ipmi, udp,623,s0, udp,664,s0)
  network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
  network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
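Review bot: Dropping `tcp,37,s0, udp,37,s0` from the inetd_child line moves port 37 from the inetd_child port type to the new rdate type declared in the later corenetwork hunk (`network_port(rdate, tcp,37,s0, udp,37,s0)`), so any domain that reached the time service only through an inetd_child port interface loses that access. The changelog says inetd is allowed to use the rdate port, but no inetd policy change is visible in this chunk, so that rule should be confirmed to be part of the same commit. A short comment next to the rdate declaration, `# port 37 split out of inetd_child so rdate gets its own type`, would record why the two lines are coupled.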
-@@ -129,20 +175,27 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +176,27 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -71129,7 +71091,7 @@ index 99b71cb..9456824 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +205,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,21 +206,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netport, tcp,3129,s0, udp,3129,s0)
  network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -71162,10 +71124,11 @@ index 99b71cb..9456824 100644
  network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
-@@ -179,34 +242,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -179,34 +243,41 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
  network_port(radius, udp,1645,s0, udp,1812,s0)
  network_port(radsec, tcp,2083,s0)
  network_port(razor, tcp,2703,s0)
++network_port(rdate, tcp,37,s0, udp,37,s0)
 +network_port(repository, tcp, 6363, s0)
  network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
@@ -71209,12 +71172,12 @@ index 99b71cb..9456824 100644
  network_port(traceroute, udp,64000-64010,s0)
  network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
-@@ -215,9 +284,12 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +286,12 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
 -network_port(vnc, tcp,5900,s0)
-+network_port(vnc, tcp,5900-5999,s0)
++network_port(vnc, tcp,5900-5983,s0, tcp,5985-5999,s0)
  network_port(wccp, udp,2048,s0)
 +network_port(websm, tcp,9090,s0, udp,9090,s0)
  network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
@@ -71223,7 +71186,7 @@ index 99b71cb..9456824 100644
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -229,6 +301,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +303,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -71231,7 +71194,7 @@ index 99b71cb..9456824 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +311,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +313,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
  portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -71244,7 +71207,7 @@ index 99b71cb..9456824 100644
  
  ########################################
  #
-@@ -282,9 +361,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +363,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -73107,7 +73070,7 @@ index 6a1e4d1..3ded83e 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..2be8074 100644
+index fae1ab1..b221c52 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -73208,7 +73171,7 @@ index fae1ab1..2be8074 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -158,5 +199,232 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +199,236 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -73230,6 +73193,18 @@ index fae1ab1..2be8074 100644
 +')
 +
 +optional_policy(`
++	libs_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	logging_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	miscfiles_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
 +	alsa_filetrans_named_content(unconfined_domain_type)
 +')
 +
@@ -73262,14 +73237,6 @@ index fae1ab1..2be8074 100644
 +')
 +
 +optional_policy(`
-+	libs_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+	miscfiles_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
 +	mta_filetrans_named_content(unconfined_domain_type)
 +')
 +
@@ -78858,10 +78825,10 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..aed3d37 100644
+index e14b961..5bacc97 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,60 @@ policy_module(sysadm, 2.2.1)
+@@ -5,39 +5,62 @@ policy_module(sysadm, 2.2.1)
  # Declarations
  #
  
@@ -78913,6 +78880,8 @@ index e14b961..aed3d37 100644
 +init_dbus_chat(sysadm_t)
 +init_script_role_transition(sysadm_r)
 +
++logging_filetrans_named_content(sysadm_t)
++
 +miscfiles_filetrans_named_content(sysadm_t)
 +miscfiles_read_hwdata(sysadm_t)
 +
@@ -78933,7 +78902,7 @@ index e14b961..aed3d37 100644
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -51,13 +72,8 @@ ifdef(`direct_sysadm_daemon',`
+@@ -51,13 +74,8 @@ ifdef(`direct_sysadm_daemon',`
  	')
  ')
  
@@ -78948,7 +78917,7 @@ index e14b961..aed3d37 100644
  	domain_ptrace_all_domains(sysadm_t)
  ')
  
-@@ -67,9 +83,9 @@ optional_policy(`
+@@ -67,9 +85,9 @@ optional_policy(`
  
  optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
@@ -78959,7 +78928,7 @@ index e14b961..aed3d37 100644
  ')
  
  optional_policy(`
-@@ -98,6 +114,10 @@ optional_policy(`
+@@ -98,6 +116,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78970,7 +78939,7 @@ index e14b961..aed3d37 100644
  	certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -110,11 +130,20 @@ optional_policy(`
+@@ -110,11 +132,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78981,19 +78950,19 @@ index e14b961..aed3d37 100644
 +
 +optional_policy(`
 +	consoletype_exec(sysadm_t)
++')
++
++optional_policy(`
++    daemonstools_run_start(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
 -	cvs_exec(sysadm_t)
-+    daemonstools_run_start(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
 +	dbus_role_template(sysadm, sysadm_r, sysadm_t)
  ')
  
  optional_policy(`
-@@ -128,6 +157,10 @@ optional_policy(`
+@@ -128,6 +159,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79004,7 +78973,7 @@ index e14b961..aed3d37 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -163,6 +196,13 @@ optional_policy(`
+@@ -163,6 +198,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -79018,7 +78987,7 @@ index e14b961..aed3d37 100644
  ')
  
  optional_policy(`
-@@ -170,15 +210,20 @@ optional_policy(`
+@@ -170,15 +212,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79042,7 +79011,7 @@ index e14b961..aed3d37 100644
  ')
  
  optional_policy(`
-@@ -198,22 +243,20 @@ optional_policy(`
+@@ -198,22 +245,20 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -79071,7 +79040,7 @@ index e14b961..aed3d37 100644
  ')
  
  optional_policy(`
-@@ -225,25 +268,47 @@ optional_policy(`
+@@ -225,25 +270,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79119,7 +79088,7 @@ index e14b961..aed3d37 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
  ')
-@@ -253,31 +318,32 @@ optional_policy(`
+@@ -253,31 +320,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79159,7 +79128,7 @@ index e14b961..aed3d37 100644
  ')
  
  optional_policy(`
-@@ -302,12 +368,18 @@ optional_policy(`
+@@ -302,12 +370,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79179,7 +79148,7 @@ index e14b961..aed3d37 100644
  ')
  
  optional_policy(`
-@@ -332,7 +404,10 @@ optional_policy(`
+@@ -332,7 +406,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79191,7 +79160,7 @@ index e14b961..aed3d37 100644
  ')
  
  optional_policy(`
-@@ -343,19 +418,15 @@ optional_policy(`
+@@ -343,19 +420,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79213,7 +79182,7 @@ index e14b961..aed3d37 100644
  ')
  
  optional_policy(`
-@@ -367,45 +438,45 @@ optional_policy(`
+@@ -367,45 +440,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79270,7 +79239,7 @@ index e14b961..aed3d37 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -418,10 +489,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +491,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -79281,7 +79250,7 @@ index e14b961..aed3d37 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  	')
  
-@@ -439,6 +506,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +508,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -79289,7 +79258,7 @@ index e14b961..aed3d37 100644
  	')
  
  	optional_policy(`
-@@ -446,11 +514,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +516,66 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -79300,8 +79269,9 @@ index e14b961..aed3d37 100644
  	optional_policy(`
 -		java_role(sysadm_r, sysadm_t)
 +		lockdev_role(sysadm_r, sysadm_t)
-+	')
-+
+ 	')
+-')
+ 
 +	optional_policy(`
 +		mock_admin(sysadm_t)
 +	')
@@ -79340,9 +79310,8 @@ index e14b961..aed3d37 100644
 +
 +	optional_policy(`
 +		uml_role(sysadm_r, sysadm_t)
- 	')
--')
- 
++	')
++
 +	optional_policy(`
 +		userhelper_role_template(sysadm, sysadm_r, sysadm_t)
 +	')
@@ -89487,6 +89456,356 @@ index 04969e5..a603e70 100644
  	rgmanager_manage_tmpfs_files(corosync_t)
  ')
 +
+diff --git a/policy/modules/services/couchdb.fc b/policy/modules/services/couchdb.fc
+new file mode 100644
+index 0000000..3f0d629
+--- /dev/null
++++ b/policy/modules/services/couchdb.fc
+@@ -0,0 +1,9 @@
++/usr/bin/couchdb		--	gen_context(system_u:object_r:couchdb_exec_t,s0)
++
++/usr/lib/systemd/system/couchdb.service		--	gen_context(system_u:object_r:couchdb_unit_file_t,s0)
++
++/var/lib/couchdb(/.*)?		gen_context(system_u:object_r:couchdb_var_lib_t,s0)
++
++/var/log/couchdb(/.*)?		gen_context(system_u:object_r:couchdb_log_t,s0)
++
++/var/run/couchdb(/.*)?		gen_context(system_u:object_r:couchdb_var_run_t,s0)
+diff --git a/policy/modules/services/couchdb.if b/policy/modules/services/couchdb.if
+new file mode 100644
+index 0000000..9efb8c6
+--- /dev/null
++++ b/policy/modules/services/couchdb.if
+@@ -0,0 +1,245 @@
++
++## <summary>policy for couchdb</summary>
++
++########################################
++## <summary>
++##	Transition to couchdb.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`couchdb_domtrans',`
++	gen_require(`
++		type couchdb_t, couchdb_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, couchdb_exec_t, couchdb_t)
++')
++########################################
++## <summary>
++##	Read couchdb's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`couchdb_read_log',`
++	gen_require(`
++		type couchdb_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, couchdb_log_t, couchdb_log_t)
++')
++
++########################################
++## <summary>
++##	Append to couchdb log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`couchdb_append_log',`
++	gen_require(`
++		type couchdb_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, couchdb_log_t, couchdb_log_t)
++')
++
++########################################
++## <summary>
++##	Manage couchdb log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`couchdb_manage_log',`
++	gen_require(`
++		type couchdb_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, couchdb_log_t, couchdb_log_t)
++	manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
++	manage_lnk_files_pattern($1, couchdb_log_t, couchdb_log_t)
++')
++
++########################################
++## <summary>
++##	Search couchdb lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`couchdb_search_lib',`
++	gen_require(`
++		type couchdb_var_lib_t;
++	')
++
++	allow $1 couchdb_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read couchdb lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`couchdb_read_lib_files',`
++	gen_require(`
++		type couchdb_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage couchdb lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`couchdb_manage_lib_files',`
++	gen_require(`
++		type couchdb_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage couchdb lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`couchdb_manage_lib_dirs',`
++	gen_require(`
++		type couchdb_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Read couchdb PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`couchdb_read_pid_files',`
++	gen_require(`
++		type couchdb_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 couchdb_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Execute couchdb server in the couchdb domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`couchdb_systemctl',`
++	gen_require(`
++		type couchdb_t;
++		type couchdb_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_password_run($1)
++	allow $1 couchdb_unit_file_t:file read_file_perms;
++	allow $1 couchdb_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, couchdb_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an couchdb environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`couchdb_admin',`
++	gen_require(`
++		type couchdb_t;
++		type couchdb_log_t;
++		type couchdb_var_lib_t;
++		type couchdb_var_run_t;
++		type couchdb_unit_file_t;
++	')
++
++	allow $1 couchdb_t:process { ptrace signal_perms };
++	ps_process_pattern($1, couchdb_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, couchdb_log_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, couchdb_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, couchdb_var_run_t)
++
++	couchdb_systemctl($1)
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/policy/modules/services/couchdb.te b/policy/modules/services/couchdb.te
+new file mode 100644
+index 0000000..153c2ad
+--- /dev/null
++++ b/policy/modules/services/couchdb.te
+@@ -0,0 +1,78 @@
++policy_module(couchdb, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type couchdb_t;
++type couchdb_exec_t;
++init_daemon_domain(couchdb_t, couchdb_exec_t)
++
++type couchdb_tmp_t;
++files_tmp_file(couchdb_tmp_t)
++
++type couchdb_log_t;
++logging_log_file(couchdb_log_t)
++
++type couchdb_var_lib_t;
++files_type(couchdb_var_lib_t)
++
++type couchdb_var_run_t;
++files_pid_file(couchdb_var_run_t)
++
++type couchdb_unit_file_t;
++systemd_unit_file(couchdb_unit_file_t)
++
++########################################
++#
++# couchdb local policy
++#
++allow couchdb_t self:fifo_file rw_fifo_file_perms;
++allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
++allow couchdb_t self:tcp_socket create_stream_socket_perms;
++allow couchdb_t self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
++manage_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
++logging_log_filetrans(couchdb_t, couchdb_log_t, { dir file })
++
++manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
++manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
++files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })
++
++manage_dirs_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
++manage_files_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
++files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, { dir file })
++
++manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
++manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
++files_pid_filetrans(couchdb_t, couchdb_var_run_t, { dir file })
++
++can_exec(couchdb_t, couchdb_exec_t)
++
++kernel_read_system_state(couchdb_t)
++
++corecmd_exec_bin(couchdb_t)
++corecmd_exec_shell(couchdb_t)
++
++corenet_tcp_bind_generic_node(couchdb_t)
++corenet_udp_bind_generic_node(couchdb_t)
++corenet_tcp_bind_couchdb_port(couchdb_t)
++
++dev_list_sysfs(couchdb_t)
++dev_read_sysfs(couchdb_t)
++dev_read_urand(couchdb_t)
++
++domain_use_interactive_fds(couchdb_t)
++
++files_read_etc_files(couchdb_t)
++
++fs_getattr_tmpfs(couchdb_t)
++
++auth_use_nsswitch(couchdb_t)
++
++libs_exec_lib_files(couchdb_t)
++
++miscfiles_read_localization(couchdb_t)
++
 diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc
 index 01d31f1..8e2754b 100644
 --- a/policy/modules/services/courier.fc
@@ -99253,19 +99572,21 @@ index df48e5e..878d9df 100644
  		type inetd_t;
  	')
 diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
-index c51a7b2..75a08f9 100644
+index c51a7b2..5b0226e 100644
 --- a/policy/modules/services/inetd.te
 +++ b/policy/modules/services/inetd.te
-@@ -89,6 +89,8 @@ corenet_tcp_bind_ftp_port(inetd_t)
+@@ -89,6 +89,10 @@ corenet_tcp_bind_ftp_port(inetd_t)
  corenet_udp_bind_ftp_port(inetd_t)
  corenet_tcp_bind_inetd_child_port(inetd_t)
  corenet_udp_bind_inetd_child_port(inetd_t)
 +corenet_tcp_bind_echo_port(inetd_t)
 +corenet_udp_bind_echo_port(inetd_t)
++corenet_tcp_bind_rdate_port(inetd_t)
++corenet_udp_bind_rdate_port(inetd_t)
  corenet_tcp_bind_ircd_port(inetd_t)
  corenet_udp_bind_ktalkd_port(inetd_t)
  corenet_tcp_bind_printer_port(inetd_t)
-@@ -149,7 +151,10 @@ miscfiles_read_localization(inetd_t)
+@@ -149,7 +153,10 @@ miscfiles_read_localization(inetd_t)
  mls_fd_share_all_levels(inetd_t)
  mls_socket_read_to_clearance(inetd_t)
  mls_socket_write_to_clearance(inetd_t)
@@ -103390,10 +103711,10 @@ index 0000000..1d76fb8
 +')
 diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
 new file mode 100644
-index 0000000..4389219
+index 0000000..621fc5a
 --- /dev/null
 +++ b/policy/modules/services/mock.te
-@@ -0,0 +1,251 @@
+@@ -0,0 +1,253 @@
 +policy_module(mock,1.0.0)
 +
 +## <desc>
@@ -103456,7 +103777,8 @@ index 0000000..4389219
 +
 +manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
 +manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
-+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file })
++manage_lnk_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
++files_tmp_filetrans(mock_t, mock_tmp_t, { dir file lnk_file })
 +
 +manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
 +manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
@@ -103481,6 +103803,7 @@ index 0000000..4389219
 +corecmd_exec_shell(mock_t)
 +corecmd_dontaudit_exec_all_executables(mock_t)
 +
++corenet_tcp_connect_git_port(mock_t)
 +corenet_tcp_connect_http_port(mock_t)
 +corenet_tcp_connect_ftp_port(mock_t)
 +corenet_tcp_connect_all_ephemeral_ports(mock_t)
@@ -103739,10 +104062,10 @@ index 657a9fc..0b9bf04 100644
  	admin_pattern($1, httpd_mojomojo_script_t)
  	admin_pattern($1, httpd_mojomojo_content_t)
 diff --git a/policy/modules/services/mojomojo.te b/policy/modules/services/mojomojo.te
-index 83f002c..ed69996 100644
+index 83f002c..fa8a3d5 100644
 --- a/policy/modules/services/mojomojo.te
 +++ b/policy/modules/services/mojomojo.te
-@@ -7,6 +7,9 @@ policy_module(mojomojo, 1.0.0)
+@@ -7,12 +7,17 @@ policy_module(mojomojo, 1.0.0)
  
  apache_content_template(mojomojo)
  
@@ -103752,17 +104075,15 @@ index 83f002c..ed69996 100644
  ########################################
  #
  # mojomojo local policy
-@@ -14,6 +17,10 @@ apache_content_template(mojomojo)
- 
- allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+ #
  
+-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
 +manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
 +manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
 +files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
-+
+ 
  corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
  corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
- corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
 diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if
 index d72276f..cb8c563 100644
 --- a/policy/modules/services/mpd.if
@@ -105777,7 +106098,7 @@ index 8581040..7d8e93b 100644
  	init_labeled_script_domtrans($1, nagios_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..08386a8 100644
+index bf64a4c..5d6fe80 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
 @@ -5,6 +5,8 @@ policy_module(nagios, 1.10.0)
@@ -105962,7 +106283,7 @@ index bf64a4c..08386a8 100644
  # needed by check_users plugin
  optional_policy(`
  	init_read_utmp(nagios_system_plugin_t)
-@@ -389,3 +412,48 @@ optional_policy(`
+@@ -389,3 +412,49 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(nagios_unconfined_plugin_t)
  ')
@@ -106011,6 +106332,7 @@ index bf64a4c..08386a8 100644
 +miscfiles_read_localization(nagios_plugin_domain)
 +
 +userdom_use_inherited_user_ptys(nagios_plugin_domain)
++userdom_use_inherited_user_ttys(nagios_plugin_domain)
 diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc
 index 74da57f..b94bb3b 100644
 --- a/policy/modules/services/nessus.fc
@@ -118048,7 +118370,7 @@ index a07b2f4..36b4903 100644
 +
 +userdom_getattr_user_terminals(rwho_t)
 diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
-index 69a6074..8ed95f2 100644
+index 69a6074..a314e70 100644
 --- a/policy/modules/services/samba.fc
 +++ b/policy/modules/services/samba.fc
 @@ -11,9 +11,13 @@
@@ -118065,16 +118387,17 @@ index 69a6074..8ed95f2 100644
  /usr/bin/net			--	gen_context(system_u:object_r:samba_net_exec_t,s0)
  /usr/bin/ntlm_auth		--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
  /usr/bin/smbcontrol		--	gen_context(system_u:object_r:smbcontrol_exec_t,s0)
-@@ -36,6 +40,8 @@
+@@ -36,6 +40,9 @@
  
  /var/log/samba(/.*)?			gen_context(system_u:object_r:samba_log_t,s0)
  
-+/var/run/nmbd(/.*)?				gen_context(system_u:object_r:nmbd_var_run_t,s0)
++/var/run/nmbd(/.*)?			gen_context(system_u:object_r:nmbd_var_run_t,s0)
 +
++/var/run/samba(/.*)?			gen_context(system_u:object_r:smbd_var_run_t,s0)
  /var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
  /var/run/samba/connections\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
  /var/run/samba/gencache\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-@@ -51,3 +57,7 @@
+@@ -51,3 +58,7 @@
  /var/run/winbindd(/.*)?			gen_context(system_u:object_r:winbind_var_run_t,s0)
  
  /var/spool/samba(/.*)?			gen_context(system_u:object_r:samba_var_t,s0)
@@ -118367,10 +118690,25 @@ index 82cb169..6cdb535 100644
 +	samba_systemctl($1)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..895d6c0 100644
+index e30bb63..bba1598 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
-@@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
+@@ -32,6 +32,14 @@ gen_tunable(samba_domain_controller, false)
+ 
+ ## <desc>
+ ## <p>
++## Allow samba to act as a portmapper
++## 
++## </p>
++## </desc>
++gen_tunable(samba_portmapper, false)
++
++## <desc>
++## <p>
+ ## Allow samba to share users home directories.
+ ## </p>
+ ## </desc>
+@@ -85,6 +93,9 @@ files_config_file(samba_etc_t)
  type samba_initrc_exec_t;
  init_script_file(samba_initrc_exec_t)
  
@@ -118380,7 +118718,7 @@ index e30bb63..895d6c0 100644
  type samba_log_t;
  logging_log_file(samba_log_t)
  
-@@ -152,9 +155,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
+@@ -152,9 +163,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
  type winbind_log_t;
  logging_log_file(winbind_log_t)
  
@@ -118390,7 +118728,15 @@ index e30bb63..895d6c0 100644
  type winbind_var_run_t;
  files_pid_file(winbind_var_run_t)
  
-@@ -215,7 +215,7 @@ miscfiles_read_localization(samba_net_t)
+@@ -181,7 +189,6 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
+ manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
+ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+-
+ kernel_read_proc_symlinks(samba_net_t)
+ kernel_read_system_state(samba_net_t)
+ 
+@@ -215,7 +222,7 @@ miscfiles_read_localization(samba_net_t)
  
  samba_read_var_files(samba_net_t)
  
@@ -118399,7 +118745,7 @@ index e30bb63..895d6c0 100644
  userdom_list_user_home_dirs(samba_net_t)
  
  optional_policy(`
-@@ -224,13 +224,14 @@ optional_policy(`
+@@ -224,13 +231,14 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_use(samba_net_t)
@@ -118415,15 +118761,17 @@ index e30bb63..895d6c0 100644
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
-@@ -249,6 +250,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -248,7 +256,9 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ 
  allow smbd_t nmbd_t:process { signal signull };
  
++allow winbind_t smbd_var_run_t:dir search_dir_perms;
  allow smbd_t nmbd_var_run_t:file rw_file_perms;
 +stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
  
  allow smbd_t samba_etc_t:file { rw_file_perms setattr };
  
-@@ -263,7 +265,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -263,12 +273,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
  manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -118432,7 +118780,13 @@ index e30bb63..895d6c0 100644
  
  manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-@@ -279,7 +281,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+ manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
++files_var_filetrans(smbd_t, samba_var_t, dir)
+ 
+ allow smbd_t smbcontrol_t:process { signal signull };
+ 
+@@ -279,7 +290,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
  manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -118441,7 +118795,15 @@ index e30bb63..895d6c0 100644
  
  allow smbd_t swat_t:process signal;
  
-@@ -323,15 +325,18 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -316,6 +327,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
+ 
+ dev_read_sysfs(smbd_t)
+ dev_read_urand(smbd_t)
++dev_dontaudit_write_urand(smbd_t)
+ dev_getattr_mtrr_dev(smbd_t)
+ dev_dontaudit_getattr_usbfs_dirs(smbd_t)
+ # For redhat bug 566984
+@@ -323,15 +335,18 @@ dev_getattr_all_blk_files(smbd_t)
  dev_getattr_all_chr_files(smbd_t)
  
  fs_getattr_all_fs(smbd_t)
@@ -118460,7 +118822,7 @@ index e30bb63..895d6c0 100644
  
  domain_use_interactive_fds(smbd_t)
  domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -343,6 +348,7 @@ files_read_usr_files(smbd_t)
+@@ -343,6 +358,7 @@ files_read_usr_files(smbd_t)
  files_search_spool(smbd_t)
  # smbd seems to getattr all mountpoints
  files_dontaudit_getattr_all_dirs(smbd_t)
@@ -118468,7 +118830,19 @@ index e30bb63..895d6c0 100644
  # Allow samba to list mnt_t for potential mounted dirs
  files_list_mnt(smbd_t)
  
-@@ -385,12 +391,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -372,6 +388,11 @@ tunable_policy(`allow_smbd_anon_write',`
+ 	miscfiles_manage_public_files(smbd_t)
+ ') 
+ 
++tunable_policy(`samba_portmapper',`
++	corenet_tcp_bind_epmap_port(smbd_t)
++	corenet_tcp_bind_all_unreserved_ports(smbd_t)
++')
++
+ tunable_policy(`samba_domain_controller',`
+ 	gen_require(`
+ 		class passwd passwd;
+@@ -385,12 +406,7 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -118482,7 +118856,7 @@ index e30bb63..895d6c0 100644
  ')
  
  # Support Samba sharing of NFS mount points
-@@ -410,6 +411,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -410,6 +426,10 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
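Review bot: The `samba_portmapper` branch grants `corenet_tcp_bind_all_unreserved_ports(smbd_t)` next to the epmap port, which lets smbd name_bind any unreserved TCP port rather than only the endpoint-mapper port the tunable is named for; presumably this is for the dynamic ports that mapped RPC services listen on, but nothing on the line says so. If that range cannot be narrowed to a named port type, a why-comment such as `# RPC services registered with the endpoint mapper listen on dynamic ports` would keep the next reader from treating it as an accident. The tunable defaults to false, so the broad grant stays opt-in.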
  
@@ -118493,7 +118867,18 @@ index e30bb63..895d6c0 100644
  
  optional_policy(`
  	cups_read_rw_config(smbd_t)
-@@ -445,26 +450,25 @@ optional_policy(`
+@@ -422,6 +442,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	ldap_stream_connect(smbd_t)
++')
++
++optional_policy(`
+ 	lpd_exec_lpr(smbd_t)
+ ')
+ 
+@@ -445,26 +469,25 @@ optional_policy(`
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -118527,7 +118912,7 @@ index e30bb63..895d6c0 100644
  ########################################
  #
  # nmbd Local policy
-@@ -484,8 +488,10 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +507,10 @@ allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
@@ -118539,7 +118924,7 @@ index e30bb63..895d6c0 100644
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -555,18 +561,21 @@ optional_policy(`
+@@ -555,18 +580,21 @@ optional_policy(`
  # smbcontrol local policy
  #
  
@@ -118565,7 +118950,7 @@ index e30bb63..895d6c0 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -574,11 +583,19 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -574,11 +602,19 @@ samba_read_winbind_pid(smbcontrol_t)
  
  domain_use_interactive_fds(smbcontrol_t)
  
@@ -118586,7 +118971,7 @@ index e30bb63..895d6c0 100644
  
  ########################################
  #
-@@ -644,19 +661,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +680,21 @@ auth_use_nsswitch(smbmount_t)
  
  miscfiles_read_localization(smbmount_t)
  
@@ -118611,7 +118996,7 @@ index e30bb63..895d6c0 100644
  ########################################
  #
  # SWAT Local policy
-@@ -677,7 +696,8 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +715,8 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -118621,7 +119006,7 @@ index e30bb63..895d6c0 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -692,12 +712,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +731,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -118636,7 +119021,7 @@ index e30bb63..895d6c0 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +732,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +751,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -118644,7 +119029,7 @@ index e30bb63..895d6c0 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -754,6 +777,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +796,8 @@ logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
  
@@ -118653,16 +119038,17 @@ index e30bb63..895d6c0 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -783,7 +808,7 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -783,7 +827,8 @@ allow winbind_t self:udp_socket create_socket_perms;
  
  allow winbind_t nmbd_t:process { signal signull };
  
 -allow winbind_t nmbd_var_run_t:file read_file_perms;
++allow winbind_t smbd_var_run_t:dir search_dir_perms;
 +read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -806,15 +831,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +851,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -118684,7 +119070,7 @@ index e30bb63..895d6c0 100644
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
  
-@@ -833,6 +859,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +879,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -118692,7 +119078,7 @@ index e30bb63..895d6c0 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -850,10 +877,14 @@ domain_use_interactive_fds(winbind_t)
+@@ -850,10 +897,14 @@ domain_use_interactive_fds(winbind_t)
  
  files_read_etc_files(winbind_t)
  files_read_usr_symlinks(winbind_t)
@@ -118707,7 +119093,7 @@ index e30bb63..895d6c0 100644
  
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_manage_user_home_content_dirs(winbind_t)
-@@ -863,6 +894,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
+@@ -863,6 +914,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
  userdom_manage_user_home_content_sockets(winbind_t)
  userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
  
@@ -118720,7 +119106,7 @@ index e30bb63..895d6c0 100644
  optional_policy(`
  	kerberos_use(winbind_t)
  ')
-@@ -904,7 +941,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +961,7 @@ logging_send_syslog_msg(winbind_helper_t)
  
  miscfiles_read_localization(winbind_helper_t) 
  
@@ -118729,10 +119115,16 @@ index e30bb63..895d6c0 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -922,6 +959,18 @@ optional_policy(`
+@@ -922,19 +979,34 @@ optional_policy(`
  #
  
  optional_policy(`
+-	type samba_unconfined_script_t;
+-	type samba_unconfined_script_exec_t;
+-	domain_type(samba_unconfined_script_t)
+-	domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
+-	corecmd_shell_entry_type(samba_unconfined_script_t)
+-	role system_r types samba_unconfined_script_t;
 +	type samba_unconfined_net_t;
 +	domain_type(samba_unconfined_net_t)
 +	domain_entry_file(samba_unconfined_net_t, samba_net_exec_t)
@@ -118745,18 +119137,24 @@ index e30bb63..895d6c0 100644
 +	userdom_use_inherited_user_terminals(samba_unconfined_net_t)
 +')
 +
- 	type samba_unconfined_script_t;
- 	type samba_unconfined_script_exec_t;
- 	domain_type(samba_unconfined_script_t)
-@@ -932,9 +981,12 @@ optional_policy(`
- 	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
- 	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
++type samba_unconfined_script_t;
++type samba_unconfined_script_exec_t;
++domain_type(samba_unconfined_script_t)
++domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
++corecmd_shell_entry_type(samba_unconfined_script_t)
++role system_r types samba_unconfined_script_t;
+ 
+-	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+-	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
++allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
++allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
 +optional_policy(`
  	unconfined_domain(samba_unconfined_script_t)
 +')
  
- 	tunable_policy(`samba_run_unconfined',`
+-	tunable_policy(`samba_run_unconfined',`
++tunable_policy(`samba_run_unconfined',`
  		domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
 -	')
 +',`
@@ -121845,7 +122243,7 @@ index 22adaca..6ec295a 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..4a63fae 100644
+index 2dad3c8..9a5c6a6 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,37 @@ policy_module(ssh, 2.2.0)
@@ -121994,7 +122392,7 @@ index 2dad3c8..4a63fae 100644
  dev_read_urand(ssh_t)
  
  fs_getattr_all_fs(ssh_t)
-@@ -162,31 +179,24 @@ logging_read_generic_logs(ssh_t)
+@@ -162,31 +179,25 @@ logging_read_generic_logs(ssh_t)
  auth_use_nsswitch(ssh_t)
  
  miscfiles_read_localization(ssh_t)
@@ -122013,6 +122411,7 @@ index 2dad3c8..4a63fae 100644
  userdom_read_user_tmp_files(ssh_t)
 +userdom_write_user_tmp_files(ssh_t)
 +userdom_read_user_home_content_symlinks(ssh_t)
++userdom_rw_inherited_user_home_content_files(ssh_t)
 +userdom_read_home_certs(ssh_t)
 +userdom_home_manager(ssh_t)
  
@@ -122035,7 +122434,7 @@ index 2dad3c8..4a63fae 100644
  ')
  
  # for port forwarding
-@@ -196,10 +206,15 @@ tunable_policy(`user_tcp_server',`
+@@ -196,10 +207,15 @@ tunable_policy(`user_tcp_server',`
  ')
  
  optional_policy(`
@@ -122051,7 +122450,7 @@ index 2dad3c8..4a63fae 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,19 +224,14 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,19 +225,14 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -122073,7 +122472,7 @@ index 2dad3c8..4a63fae 100644
  #################################
  #
  # sshd local policy
-@@ -232,33 +242,39 @@ optional_policy(`
+@@ -232,33 +243,39 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -122122,7 +122521,7 @@ index 2dad3c8..4a63fae 100644
  ')
  
  optional_policy(`
-@@ -266,11 +282,24 @@ optional_policy(`
+@@ -266,11 +283,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -122148,7 +122547,7 @@ index 2dad3c8..4a63fae 100644
  ')
  
  optional_policy(`
-@@ -284,6 +313,15 @@ optional_policy(`
+@@ -284,6 +314,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -122164,7 +122563,7 @@ index 2dad3c8..4a63fae 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +330,26 @@ optional_policy(`
+@@ -292,26 +331,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -122210,7 +122609,7 @@ index 2dad3c8..4a63fae 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,19 +360,26 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +361,26 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -122238,7 +122637,7 @@ index 2dad3c8..4a63fae 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,9 +396,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,9 +397,11 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -122252,7 +122651,7 @@ index 2dad3c8..4a63fae 100644
  ')
  
  optional_policy(`
-@@ -363,3 +410,77 @@ optional_policy(`
+@@ -363,3 +411,77 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -133960,11 +134359,22 @@ index 560dc48..75a2fbd 100644
 +
 +/usr/sbin/ldconfig		--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93..4ff705d 100644
+index 808ba93..296a2e2 100644
 --- a/policy/modules/system/libraries.if
 +++ b/policy/modules/system/libraries.if
-@@ -207,6 +207,23 @@ interface(`libs_search_lib',`
+@@ -147,6 +147,7 @@ interface(`libs_manage_ld_so',`
+ 		type lib_t, ld_so_t;
+ 	')
  
++	read_lnk_files_pattern($1, lib_t, lib_t)
+ 	manage_files_pattern($1, lib_t, ld_so_t)
+ ')
+ 
+@@ -205,8 +206,26 @@ interface(`libs_search_lib',`
+ 		type lib_t;
+ 	')
+ 
++	read_lnk_files_pattern($1, lib_t, lib_t)
  	allow $1 lib_t:dir search_dir_perms;
  ')
 +########################################
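Review bot: The `read_lnk_files_pattern($1, lib_t, lib_t)` line added to libs_search_lib widens an interface whose name and `## <summary>` promise only directory search, so every existing caller of the search interface silently gains read on lib_t symlinks without the documentation saying so. Each touched interface (libs_manage_ld_so here, and libs_manage_lib_dirs, libs_manage_lib_files and libs_manage_shared_libs in the next two hunks) should have its summary extended, e.g. `##	Also read symbolic links labeled lib_t.`, so policy writers auditing what a domain is granted can see it from the interface header. In libs_manage_shared_libs the new line covers symlinks only in lib_t directories while the manage pattern spans `{ textrel_shlib_t lib_t }` directories; if symlinks under textrel_shlib_t directories are meant to stay unreadable, a short comment on that line would make the asymmetry look deliberate.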
@@ -133987,7 +134397,13 @@ index 808ba93..4ff705d 100644
  
  ########################################
  ## <summary>
-@@ -253,24 +270,6 @@ interface(`libs_manage_lib_dirs',`
+@@ -248,29 +267,12 @@ interface(`libs_manage_lib_dirs',`
+ 		type lib_t;
+ 	')
+ 
++	read_lnk_files_pattern($1, lib_t, lib_t)
+ 	allow $1 lib_t:dir manage_dir_perms;
+ ')
  
  ########################################
  ## <summary>
@@ -134012,16 +134428,25 @@ index 808ba93..4ff705d 100644
  ##	Read files in the library directories, such
  ##	as static libraries.
  ## </summary>
-@@ -421,7 +420,7 @@ interface(`libs_manage_shared_libs',`
+@@ -345,6 +347,7 @@ interface(`libs_manage_lib_files',`
+ 		type lib_t;
+ 	')
+ 
++	read_lnk_files_pattern($1, lib_t, lib_t)
+ 	manage_files_pattern($1, lib_t, lib_t)
+ ')
+ 
+@@ -421,7 +424,8 @@ interface(`libs_manage_shared_libs',`
  		type lib_t, textrel_shlib_t;
  	')
  
 -	manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
++	read_lnk_files_pattern($1, lib_t, lib_t)
 +	manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
  ')
  
  ########################################
-@@ -440,9 +439,9 @@ interface(`libs_use_shared_libs',`
+@@ -440,9 +444,9 @@ interface(`libs_use_shared_libs',`
  	')
  
  	files_search_usr($1)
@@ -134034,7 +134459,7 @@ index 808ba93..4ff705d 100644
  	allow $1 textrel_shlib_t:file execmod;
  ')
  
-@@ -483,7 +482,7 @@ interface(`libs_relabel_shared_libs',`
+@@ -483,7 +487,7 @@ interface(`libs_relabel_shared_libs',`
  		type lib_t, textrel_shlib_t;
  	')
  
@@ -134043,7 +134468,7 @@ index 808ba93..4ff705d 100644
  ')
  
  ########################################
-@@ -534,3 +533,24 @@ interface(`lib_filetrans_shared_lib',`
+@@ -534,3 +538,24 @@ interface(`lib_filetrans_shared_lib',`
  interface(`files_lib_filetrans_shared_lib',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -134462,7 +134887,7 @@ index 02f4c97..7bd737a 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 831b909..118f708 100644
+index 831b909..62b1c59 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -134716,6 +135141,32 @@ index 831b909..118f708 100644
  
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
+@@ -1043,3 +1206,25 @@ interface(`logging_admin',`
+ 	logging_admin_audit($1, $2)
+ 	logging_admin_syslog($1, $2)
+ ')
++
++########################################
++## <summary>
++##	Transition to logging named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`logging_filetrans_named_content',`
++	gen_require(`
++		type var_log_t;
++		type audit_spool_t;
++	')
++
++	files_var_filetrans($1, var_log_t, dir, "webmin")
++	files_spool_filetrans($1, var_log_t, dir, "rsyslog")
++	files_spool_filetrans($1, var_log_t, dir, "log")
++	files_spool_filetrans($1, audit_spool_t, dir, "audit")
++')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
 index b6ec597..b365df9 100644
 --- a/policy/modules/system/logging.te
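Review bot: The `<summary>` of the new logging_filetrans_named_content reads only "Transition to logging named content" and does not tell the caller which labels the four transitions produce; since this interface decides that a domain creating `webmin` under /var, or `rsyslog`/`log` under the spool directory, gets var_log_t, and `audit` gets audit_spool_t, the summary should list exactly that so a reviewer can see the labeling granted without reading the body. The parameter summary line `##      Domain allowed access.` is indented with spaces while the surrounding lines use tabs; it should use the tab style of the rest of the file.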
@@ -140648,7 +141099,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..ead2cbb 100644
+index 4b2878a..12759f5 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -143082,7 +143533,7 @@ index 4b2878a..ead2cbb 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3927,1254 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3927,1273 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -143652,6 +144103,25 @@ index 4b2878a..ead2cbb 100644
 +
 +########################################
 +## <summary>
++##	Read/Write files inherited
++##	in a user home subdirectory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_rw_inherited_user_home_content_files',`
++	gen_require(`
++		attribute user_home_type;
++	')
++
++	allow $1 user_home_type:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
 +##	Append files inherited
 +##	in a user home subdirectory.
 +## </summary>
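Review bot: The summary of userdom_rw_inherited_user_home_content_files should say what "inherited" means here, because refpolicy's `rw_inherited_file_perms` set, as far as I recall, grants read/write/append on an already-open descriptor but not `open`, so the domain cannot open user home files itself; a reader of the interface header cannot tell that from "Read/Write files inherited". A line such as `##	(via inherited file descriptors; no open permission)` would make the limited scope explicit and is the main reason this interface is safer than the non-inherited rw variant. The enclosing hunk adds far more than this interface and continues outside the visible range.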
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e4588ed..81cb451 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 98%{?dist}
+Release: 99%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -483,6 +483,18 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Mar 12 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-99
+- Back port some of the access that was allowed in nsplugin_t
+- Add definitiona for couchdb ports
+- Allow nagios to use inherited users ttys
+- Add git support for mock
+- Allow inetd to use rdate port
+- Add own type for rdate port
+- Allow samba to act as a portmapper
+- Dontaudit chrome_sandbox attempts to getattr on chr_files in /dev
+- New fixes needed for samba4
+- Allow apps that use lib_t to read lib_t symlinks
+
 * Fri Mar 9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-98
 - Add policy for nove-cert
 - Add labeling for nova-openstack  systemd unit files

