[selinux-policy/f17] * Wed Mar 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-107 - Add numad policy and numad man pag
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Mar 28 11:53:34 UTC 2012
commit f015714438b84fd33b8172ce6f8abb0e178de43c
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Mar 28 13:53:09 2012 +0200
* Wed Mar 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-107
- Add numad policy and numad man page
- Add fixes for interface bugs discovered by SEWatch
- Add /tmp support for squid
- Add fix for #799102
* change default labeling for /var/run/slapd.* sockets
- Make thumb_t as userdom_home_reader
- label /var/lib/sss/mc same as pubconf, so getpw domains can read it
- Allow smbspool running as cups_t to stream connect to nmbd
- accounts needs to be able to execute passwd on behalf of users
- Allow systemd_tmpfiles_t to delete boot flags
- Allow dnssec_trigger to connect to apache ports
- Allow gnome keyring to create sock_files in ~/.cache
- google_authenticator is using .google_authenticator
- sandbox running from within firefox is exposing more leaks
- Dontaudit thumb to read/write /dev/card0
- Dontaudit getattr on init_exec_t for gnomeclock_t
- Allow certmonger to do a transition to certmonger_unconfined_t
- Allow dhcpc setsched which is caused by nmcli
- Add rpm_exec_t for /usr/sbin/bcfg2
- system cronjobs are sending dbus messages to systemd_logind
- Thumnailers read /dev/urand
modules-targeted.conf | 7 +
policy-F16.patch | 659 ++++++++++++++++++++++++++++++++++++++-----------
selinux-policy.spec | 25 ++-
3 files changed, 541 insertions(+), 150 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 76e373d..900d323 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2508,3 +2508,10 @@ sge = module
# policy for jockey-backend
#
jockey = module
+
+# Layer: services
+# Module: numad
+#
+# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology
+#
+numad = module
diff --git a/policy-F16.patch b/policy-F16.patch
index 5f9ad72..b48f2e1 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -31873,6 +31873,113 @@ index 0000000..515419d
+
+.SH "SEE ALSO"
+selinux(8), ntpd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/numad_selinux.8 b/man/man8/numad_selinux.8
+new file mode 100644
+index 0000000..7a63255
+--- /dev/null
++++ b/man/man8/numad_selinux.8
+@@ -0,0 +1,101 @@
++.TH "numad_selinux" "8" "numad" "dwalsh at redhat.com" "numad SELinux Policy documentation"
++.SH "NAME"
++numad_selinux \- Security Enhanced Linux Policy for the numad processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B numad
++(policy for numad)
++processes via flexible mandatory access
++control.
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux numad policy is very flexible allowing users to setup their numad processes in as secure a method as possible.
++.PP
++The following file types are defined for numad:
++
++
++.EX
++.PP
++.B numad_exec_t
++.EE
++
++- Set files with the numad_exec_t type, if you want to transition an executable to the numad_t domain.
++
++
++.EX
++.PP
++.B numad_unit_file_t
++.EE
++
++- Set files with the numad_unit_file_t type, if you want to treat the files as numad unit content.
++
++
++.EX
++.PP
++.B numad_var_log_t
++.EE
++
++- Set files with the numad_var_log_t type, if you want to treat the data as numad var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B numad_var_run_t
++.EE
++
++- Set files with the numad_var_run_t type, if you want to store the numad files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux numad policy is very flexible allowing users to setup their numad processes in as secure a method as possible.
++.PP
++The following process types are defined for numad:
++
++.EX
++.B numad_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), numad(8), semanage(8), restorecon(8), chcon(1)
diff --git a/man/man8/nut_selinux.8 b/man/man8/nut_selinux.8
new file mode 100644
index 0000000..fe354e5
@@ -60651,7 +60758,7 @@ index b4ac57e..ef944a4 100644
logging_send_syslog_msg(readahead_t)
logging_set_audit_parameters(readahead_t)
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index b206bf6..2ba67e7 100644
+index b206bf6..0bc863c 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@@ -6,7 +6,9 @@
@@ -60664,10 +60771,11 @@ index b206bf6..2ba67e7 100644
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -19,14 +21,20 @@
+@@ -19,14 +21,21 @@
/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
ifdef(`distro_redhat', `
++/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/package-cleanup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -60685,7 +60793,7 @@ index b206bf6..2ba67e7 100644
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-@@ -36,6 +44,8 @@ ifdef(`distro_redhat', `
+@@ -36,6 +45,8 @@ ifdef(`distro_redhat', `
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
@@ -63537,10 +63645,10 @@ index 00a19e3..3681873 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..0932ebe 100644
+index f5afe78..3850fd9 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,880 @@
+@@ -1,44 +1,899 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
@@ -63970,6 +64078,25 @@ index f5afe78..0932ebe 100644
+
+########################################
+## <summary>
++## Manage a sock_file in the generic cache home files (.cache)
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_manage_generic_cache_sockets',`
++ gen_require(`
++ type cache_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_sock_files_pattern($1, cache_home_t, cache_home_t)
++')
++
++########################################
++## <summary>
+## Dontaudit read/write to generic cache home files (.cache)
+## </summary>
+## <param name="domain">
@@ -64439,7 +64566,7 @@ index f5afe78..0932ebe 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -46,37 +882,92 @@ interface(`gnome_role',`
+@@ -46,37 +901,92 @@ interface(`gnome_role',`
## </summary>
## </param>
#
@@ -64543,7 +64670,7 @@ index f5afe78..0932ebe 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +975,53 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +994,53 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
@@ -64608,7 +64735,7 @@ index f5afe78..0932ebe 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -122,17 +1029,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1048,17 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
@@ -64630,7 +64757,7 @@ index f5afe78..0932ebe 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +1047,301 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1066,301 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
@@ -64949,7 +65076,7 @@ index f5afe78..0932ebe 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
+')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..70bc435 100644
+index 2505654..0bc94b0 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -6,11 +6,31 @@ policy_module(gnome, 2.1.0)
@@ -65020,7 +65147,7 @@ index 2505654..70bc435 100644
##############################
#
# Local Policy
-@@ -75,3 +116,152 @@ optional_policy(`
+@@ -75,3 +116,153 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -65164,6 +65291,7 @@ index 2505654..70bc435 100644
+ gnome_read_home_config(gkeyringd_domain)
+ gnome_read_generic_cache_files(gkeyringd_domain)
+ gnome_write_generic_cache_files(gkeyringd_domain)
++ gnome_manage_generic_cache_sockets(gkeyringd_domain)
+')
+
+optional_policy(`
@@ -68897,10 +69025,10 @@ index 0000000..809784d
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..4e9f4a1
+index 0000000..3203ede
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,503 @@
+@@ -0,0 +1,509 @@
+policy_module(sandbox,1.0.0)
+
+dbus_stub()
@@ -69012,6 +69140,7 @@ index 0000000..4e9f4a1
+
+userdom_use_inherited_user_terminals(sandbox_xserver_t)
+userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
++userdom_dontaudit_rw_user_tmp_pipes(sandbox_xserver_t)
+
+xserver_entry_type(sandbox_xserver_t)
+
@@ -69210,6 +69339,7 @@ index 0000000..4e9f4a1
+userdom_dontaudit_use_user_terminals(sandbox_x_domain)
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
+userdom_search_user_home_content(sandbox_x_domain)
++userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain)
+
+fs_search_auto_mountpoints(sandbox_x_domain)
+
@@ -69256,6 +69386,10 @@ index 0000000..4e9f4a1
+auth_use_nsswitch(sandbox_x_client_t)
+
+optional_policy(`
++ colord_dbus_chat(sandbox_x_client_t)
++')
++
++optional_policy(`
+ hal_dbus_chat(sandbox_x_client_t)
+')
+
@@ -69747,10 +69881,10 @@ index 1dc7a85..a01511f 100644
+ corecmd_shell_domtrans($1_seunshare_t, $1_t)
')
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..f40af5b 100644
+index 7590165..59539e8 100644
--- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0)
+@@ -5,40 +5,63 @@ policy_module(seunshare, 1.1.0)
# Declarations
#
@@ -69784,6 +69918,7 @@ index 7590165..f40af5b 100644
-files_read_etc_files(seunshare_t)
-files_mounton_all_poly_members(seunshare_t)
+dev_read_urand(seunshare_domain)
++dev_dontaudit_rw_dri(seunshare_domain)
-auth_use_nsswitch(seunshare_t)
+files_search_all(seunshare_domain)
@@ -69804,6 +69939,7 @@ index 7590165..f40af5b 100644
-userdom_use_user_terminals(seunshare_t)
+miscfiles_read_localization(seunshare_domain)
++userdom_dontaudit_rw_user_tmp_pipes(seunshare_domain)
+userdom_use_inherited_user_terminals(seunshare_domain)
+userdom_list_user_home_content(seunshare_domain)
ifdef(`hide_broken_symptoms', `
@@ -70402,10 +70538,10 @@ index 0000000..79515db
+')
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..4d84806
+index 0000000..95befd6
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,93 @@
+@@ -0,0 +1,96 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -70461,6 +70597,8 @@ index 0000000..4d84806
+corecmd_exec_shell(thumb_t)
+
+dev_read_sysfs(thumb_t)
++dev_read_urand(thumb_t)
++dev_dontaudit_rw_dri(thumb_t)
+
+domain_use_interactive_fds(thumb_t)
+
@@ -70480,6 +70618,7 @@ index 0000000..4d84806
+userdom_read_user_home_content_files(thumb_t)
+userdom_write_user_tmp_files(thumb_t)
+userdom_read_home_audio_files(thumb_t)
++userdom_home_reader(thumb_t)
+
+userdom_use_inherited_user_ptys(thumb_t)
+
@@ -89550,7 +89689,7 @@ index 7a6e5ba..e238dfd 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index c3e3f79..bbed82f 100644
+index c3e3f79..7d6e85e 100644
--- a/policy/modules/services/certmonger.te
+++ b/policy/modules/services/certmonger.te
@@ -18,12 +18,16 @@ files_pid_file(certmonger_var_run_t)
@@ -89606,7 +89745,7 @@ index c3e3f79..bbed82f 100644
logging_send_syslog_msg(certmonger_t)
miscfiles_read_localization(certmonger_t)
-@@ -58,15 +72,54 @@ miscfiles_manage_generic_cert_files(certmonger_t)
+@@ -58,15 +72,57 @@ miscfiles_manage_generic_cert_files(certmonger_t)
sysnet_dns_name_resolve(certmonger_t)
@@ -89655,9 +89794,12 @@ index c3e3f79..bbed82f 100644
+ domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
+ role system_r types certmonger_unconfined_t;
+
++ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
++
+ unconfined_domain(certmonger_unconfined_t)
+
+ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
++ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
+
+ unconfined_domain(certmonger_unconfined_t)
+')
@@ -93564,7 +93706,7 @@ index 35241ed..2f6f038 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..8946846 100644
+index f7583ab..86c5a58 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@@ -94004,10 +94146,14 @@ index f7583ab..8946846 100644
')
optional_policy(`
-@@ -502,7 +611,13 @@ optional_policy(`
+@@ -502,7 +611,17 @@ optional_policy(`
')
optional_policy(`
++ systemd_dbus_chat_logind(system_cronjob_t)
++')
++
++optional_policy(`
+ unconfined_domain(crond_t)
unconfined_domain(system_cronjob_t)
+')
@@ -94018,7 +94164,7 @@ index f7583ab..8946846 100644
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -595,9 +710,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +714,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -94650,7 +94796,7 @@ index 305ddf4..4d70951 100644
+ filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
')
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..f9eb73f 100644
+index 0f28095..c50598f 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -94783,7 +94929,16 @@ index 0f28095..f9eb73f 100644
mta_send_mail(cupsd_t)
')
-@@ -371,8 +390,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -322,6 +341,8 @@ optional_policy(`
+ # cups execs smbtool which reads samba_etc_t files
+ samba_read_config(cupsd_t)
+ samba_rw_var_files(cupsd_t)
++ # needed by smbspool
++ samba_stream_connect_nmbd(cupsd_t)
+ ')
+
+ optional_policy(`
+@@ -371,8 +392,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -94794,7 +94949,7 @@ index 0f28095..f9eb73f 100644
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-@@ -393,6 +413,10 @@ dev_read_sysfs(cupsd_config_t)
+@@ -393,6 +415,10 @@ dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
@@ -94805,7 +94960,7 @@ index 0f28095..f9eb73f 100644
files_search_all_mountpoints(cupsd_config_t)
-@@ -425,11 +449,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +451,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -94819,7 +94974,7 @@ index 0f28095..f9eb73f 100644
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
-@@ -453,6 +477,10 @@ optional_policy(`
+@@ -453,6 +479,10 @@ optional_policy(`
')
optional_policy(`
@@ -94830,7 +94985,7 @@ index 0f28095..f9eb73f 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +495,10 @@ optional_policy(`
+@@ -467,6 +497,10 @@ optional_policy(`
')
optional_policy(`
@@ -94841,7 +94996,7 @@ index 0f28095..f9eb73f 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -537,6 +569,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,6 +571,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
corenet_tcp_bind_generic_node(cupsd_lpd_t)
corenet_udp_bind_generic_node(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -94849,7 +95004,7 @@ index 0f28095..f9eb73f 100644
dev_read_urand(cupsd_lpd_t)
dev_read_rand(cupsd_lpd_t)
-@@ -587,23 +620,22 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,23 +622,22 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -94882,7 +95037,7 @@ index 0f28095..f9eb73f 100644
')
########################################
-@@ -639,7 +671,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +673,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -94891,7 +95046,7 @@ index 0f28095..f9eb73f 100644
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +717,9 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +719,9 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -94901,7 +95056,7 @@ index 0f28095..f9eb73f 100644
logging_send_syslog_msg(hplip_t)
-@@ -696,8 +731,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +733,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -97072,10 +97227,10 @@ index 0000000..c2ac646
+
diff --git a/policy/modules/services/dirsrv.fc b/policy/modules/services/dirsrv.fc
new file mode 100644
-index 0000000..3aae725
+index 0000000..6fc4865
--- /dev/null
+++ b/policy/modules/services/dirsrv.fc
-@@ -0,0 +1,20 @@
+@@ -0,0 +1,23 @@
+/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)
+
+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
@@ -97089,6 +97244,9 @@ index 0000000..3aae725
+/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
+
++# BZ:
++/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
++
+/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
+
+/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
@@ -97931,10 +98089,10 @@ index 0000000..a9dbcf2
+')
diff --git a/policy/modules/services/dnssec.te b/policy/modules/services/dnssec.te
new file mode 100755
-index 0000000..8aa75f3
+index 0000000..98ba6e1
--- /dev/null
+++ b/policy/modules/services/dnssec.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,61 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
@@ -97972,6 +98130,7 @@ index 0000000..8aa75f3
+corenet_tcp_bind_generic_node(dnssec_trigger_t)
+corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
+corenet_tcp_connect_rndc_port(dnssec_trigger_t)
++corenet_tcp_connect_http_port(dnssec_trigger_t)
+
+dev_read_urand(dnssec_trigger_t)
+
@@ -98409,10 +98568,10 @@ index 0000000..60c19b9
+
diff --git a/policy/modules/services/drbd.if b/policy/modules/services/drbd.if
new file mode 100644
-index 0000000..f92ef50
+index 0000000..659d051
--- /dev/null
+++ b/policy/modules/services/drbd.if
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,127 @@
+
+## <summary>policy for drbd</summary>
+
@@ -98522,12 +98681,6 @@ index 0000000..f92ef50
+## Domain allowed access.
+## </summary>
+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
+#
+interface(`drbd_admin',`
+ gen_require(`
@@ -99608,10 +99761,10 @@ index 0000000..83279fb
+/var/run/fcoemon\.pid -- gen_context(system_u:object_r:fcoemon_var_run_t,s0)
diff --git a/policy/modules/services/fcoemon.if b/policy/modules/services/fcoemon.if
new file mode 100644
-index 0000000..f25a1cb
+index 0000000..33508c1
--- /dev/null
+++ b/policy/modules/services/fcoemon.if
-@@ -0,0 +1,94 @@
+@@ -0,0 +1,88 @@
+
+## <summary>policy for fcoemon</summary>
+
@@ -99682,12 +99835,6 @@ index 0000000..f25a1cb
+## Domain allowed access.
+## </summary>
+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
+#
+interface(`fcoemon_admin',`
+ gen_require(`
@@ -101744,7 +101891,7 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..a250b06 100644
+index 4fde46b..a6022e7 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
@@ -14,19 +14,28 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
@@ -101780,7 +101927,7 @@ index 4fde46b..a250b06 100644
miscfiles_read_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-@@ -35,10 +44,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +44,34 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
@@ -101807,6 +101954,7 @@ index 4fde46b..a250b06 100644
+ ntp_domtrans_ntpdate(gnomeclock_t)
+ ntp_initrc_domtrans(gnomeclock_t)
+ init_dontaudit_getattr_all_script_files(gnomeclock_t)
++ init_dontaudit_getattr_exec(gnomeclock_t)
+ ntp_systemctl(gnomeclock_t)
+')
+
@@ -104602,7 +104750,7 @@ index 0000000..deb55ee
+ ppp_signal(l2tpd_t)
+')
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
-index c62f23e..63e3be1 100644
+index c62f23e..276a021 100644
--- a/policy/modules/services/ldap.fc
+++ b/policy/modules/services/ldap.fc
@@ -1,6 +1,12 @@
@@ -104623,7 +104771,7 @@ index c62f23e..63e3be1 100644
/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
-+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
++#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
index 3aa8fa7..27cb806 100644
--- a/policy/modules/services/ldap.if
@@ -111407,6 +111555,152 @@ index c61adc8..09bb140 100644
auth_use_nsswitch(ntpd_t)
+diff --git a/policy/modules/services/numad.fc b/policy/modules/services/numad.fc
+new file mode 100644
+index 0000000..d4aeefc
+--- /dev/null
++++ b/policy/modules/services/numad.fc
+@@ -0,0 +1,7 @@
++/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0)
++
++/usr/lib/systemd/system/numad\.service -- gen_context(system_u:object_r:numad_unit_file_t,s0)
++
++/var/log/numad\.log -- gen_context(system_u:object_r:numad_var_log_t,s0)
++
++/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0)
+diff --git a/policy/modules/services/numad.if b/policy/modules/services/numad.if
+new file mode 100644
+index 0000000..2f2fb49
+--- /dev/null
++++ b/policy/modules/services/numad.if
+@@ -0,0 +1,78 @@
++
++## <summary>policy for numad</summary>
++
++########################################
++## <summary>
++## Transition to numad.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`numad_domtrans',`
++ gen_require(`
++ type numad_t, numad_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, numad_exec_t, numad_t)
++')
++########################################
++## <summary>
++## Execute numad server in the numad domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`numad_systemctl',`
++ gen_require(`
++ type numad_t;
++ type numad_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 numad_unit_file_t:file read_file_perms;
++ allow $1 numad_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, numad_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an numad environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`numad_admin',`
++ gen_require(`
++ type numad_t;
++ type numad_unit_file_t;
++ ')
++
++ allow $1 numad_t:process { ptrace signal_perms };
++ ps_process_pattern($1, numad_t)
++
++ numad_systemctl($1)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/policy/modules/services/numad.te b/policy/modules/services/numad.te
+new file mode 100644
+index 0000000..e3ac955
+--- /dev/null
++++ b/policy/modules/services/numad.te
+@@ -0,0 +1,43 @@
++policy_module(numad, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type numad_t;
++type numad_exec_t;
++init_daemon_domain(numad_t, numad_exec_t)
++
++type numad_unit_file_t;
++systemd_unit_file(numad_unit_file_t)
++
++type numad_var_log_t;
++logging_log_file(numad_var_log_t)
++
++type numad_var_run_t;
++files_pid_file(numad_var_run_t)
++
++########################################
++#
++# numad local policy
++#
++
++allow numad_t self:process { fork };
++allow numad_t self:fifo_file rw_fifo_file_perms;
++allow numad_t self:msgq create_msgq_perms;
++allow numad_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t)
++logging_log_filetrans(numad_t, numad_var_log_t, { file })
++
++manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
++files_pid_filetrans(numad_t, numad_var_run_t, { file })
++
++kernel_read_system_state(numad_t)
++
++domain_use_interactive_fds(numad_t)
++
++files_read_etc_files(numad_t)
++
++miscfiles_read_localization(numad_t)
diff --git a/policy/modules/services/nut.fc b/policy/modules/services/nut.fc
index 0a929ef..371119d 100644
--- a/policy/modules/services/nut.fc
@@ -122099,10 +122393,36 @@ index 69a6074..a314e70 100644
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
-index 82cb169..219a8d8 100644
+index 82cb169..0ed7e14 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
-@@ -60,6 +60,29 @@ interface(`samba_initrc_domtrans',`
+@@ -42,6 +42,25 @@ interface(`samba_signal_nmbd',`
+
+ ########################################
+ ## <summary>
++## Connect to nmbd.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`samba_stream_connect_nmbd',`
++ gen_require(`
++ type nmbd_t, nmbd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
++')
++
++########################################
++## <summary>
+ ## Execute samba server in the samba domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -60,6 +79,29 @@ interface(`samba_initrc_domtrans',`
########################################
## <summary>
@@ -122132,7 +122452,7 @@ index 82cb169..219a8d8 100644
## Execute samba net in the samba_net domain.
## </summary>
## <param name="domain">
-@@ -79,6 +102,25 @@ interface(`samba_domtrans_net',`
+@@ -79,6 +121,25 @@ interface(`samba_domtrans_net',`
########################################
## <summary>
@@ -122158,7 +122478,7 @@ index 82cb169..219a8d8 100644
## Execute samba net in the samba_net domain, and
## allow the specified role the samba_net domain.
## </summary>
-@@ -103,6 +145,51 @@ interface(`samba_run_net',`
+@@ -103,6 +164,51 @@ interface(`samba_run_net',`
role $2 types samba_net_t;
')
@@ -122210,7 +122530,7 @@ index 82cb169..219a8d8 100644
########################################
## <summary>
## Execute smbmount in the smbmount domain.
-@@ -327,7 +414,6 @@ interface(`samba_search_var',`
+@@ -327,7 +433,6 @@ interface(`samba_search_var',`
type samba_var_t;
')
@@ -122218,7 +122538,7 @@ index 82cb169..219a8d8 100644
files_search_var_lib($1)
allow $1 samba_var_t:dir search_dir_perms;
')
-@@ -348,7 +434,6 @@ interface(`samba_read_var_files',`
+@@ -348,7 +453,6 @@ interface(`samba_read_var_files',`
type samba_var_t;
')
@@ -122226,7 +122546,7 @@ index 82cb169..219a8d8 100644
files_search_var_lib($1)
read_files_pattern($1, samba_var_t, samba_var_t)
')
-@@ -388,7 +473,6 @@ interface(`samba_rw_var_files',`
+@@ -388,7 +492,6 @@ interface(`samba_rw_var_files',`
type samba_var_t;
')
@@ -122234,7 +122554,7 @@ index 82cb169..219a8d8 100644
files_search_var_lib($1)
rw_files_pattern($1, samba_var_t, samba_var_t)
')
-@@ -409,9 +493,9 @@ interface(`samba_manage_var_files',`
+@@ -409,9 +512,9 @@ interface(`samba_manage_var_files',`
type samba_var_t;
')
@@ -122245,7 +122565,7 @@ index 82cb169..219a8d8 100644
')
########################################
-@@ -419,15 +503,14 @@ interface(`samba_manage_var_files',`
+@@ -419,15 +522,14 @@ interface(`samba_manage_var_files',`
## Execute a domain transition to run smbcontrol.
## </summary>
## <param name="domain">
@@ -122264,7 +122584,7 @@ index 82cb169..219a8d8 100644
')
domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
-@@ -564,6 +647,7 @@ interface(`samba_domtrans_winbind_helper',`
+@@ -564,6 +666,7 @@ interface(`samba_domtrans_winbind_helper',`
')
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
@@ -122272,7 +122592,7 @@ index 82cb169..219a8d8 100644
')
########################################
-@@ -644,6 +728,37 @@ interface(`samba_stream_connect_winbind',`
+@@ -644,6 +747,37 @@ interface(`samba_stream_connect_winbind',`
########################################
## <summary>
@@ -122310,7 +122630,7 @@ index 82cb169..219a8d8 100644
## All of the rules required to administrate
## an samba environment
## </summary>
-@@ -661,33 +776,33 @@ interface(`samba_stream_connect_winbind',`
+@@ -661,33 +795,33 @@ interface(`samba_stream_connect_winbind',`
#
interface(`samba_admin',`
gen_require(`
@@ -122365,7 +122685,7 @@ index 82cb169..219a8d8 100644
init_labeled_script_domtrans($1, samba_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -709,9 +824,6 @@ interface(`samba_admin',`
+@@ -709,9 +843,6 @@ interface(`samba_admin',`
admin_pattern($1, samba_var_t)
files_list_var($1)
@@ -122375,7 +122695,7 @@ index 82cb169..219a8d8 100644
admin_pattern($1, smbd_var_run_t)
files_list_pids($1)
-@@ -727,4 +839,9 @@ interface(`samba_admin',`
+@@ -727,4 +858,9 @@ interface(`samba_admin',`
admin_pattern($1, winbind_tmp_t)
admin_pattern($1, winbind_var_run_t)
@@ -123229,10 +123549,10 @@ index 0000000..d5c3c3f
+/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0)
diff --git a/policy/modules/services/sblim.if b/policy/modules/services/sblim.if
new file mode 100644
-index 0000000..fe23f5a
+index 0000000..182057f
--- /dev/null
+++ b/policy/modules/services/sblim.if
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,76 @@
+
+## <summary> policy for SBLIM Gatherer </summary>
+
@@ -123286,12 +123606,6 @@ index 0000000..fe23f5a
+## Domain allowed access.
+## </summary>
+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
+#
+interface(`sblim_admin',`
+ gen_require(`
@@ -125284,7 +125598,7 @@ index d2496bd..c7614d7 100644
init_labeled_script_domtrans($1, squid_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
-index 4b2230e..7b3d2db 100644
+index 4b2230e..51dc8d8 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
@@ -125321,7 +125635,26 @@ index 4b2230e..7b3d2db 100644
type squid_initrc_exec_t;
init_script_file(squid_initrc_exec_t)
-@@ -90,6 +90,7 @@ files_pid_filetrans(squid_t, squid_var_run_t, file)
+@@ -40,6 +40,9 @@ logging_log_file(squid_log_t)
+ type squid_tmpfs_t;
+ files_tmpfs_file(squid_tmpfs_t)
+
++type squid_tmp_t;
++files_tmp_file(squid_tmp_t)
++
+ type squid_var_run_t;
+ files_pid_file(squid_var_run_t)
+
+@@ -85,11 +88,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
+ manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+ fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
+
++manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
++manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
++files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
++
+ manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
+ files_pid_filetrans(squid_t, squid_var_run_t, file)
kernel_read_kernel_sysctls(squid_t)
kernel_read_system_state(squid_t)
@@ -125329,7 +125662,7 @@ index 4b2230e..7b3d2db 100644
files_dontaudit_getattr_boot_dirs(squid_t)
-@@ -169,7 +170,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
+@@ -169,7 +177,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t)
corenet_tcp_bind_all_ports(squid_t)
@@ -125339,7 +125672,7 @@ index 4b2230e..7b3d2db 100644
')
tunable_policy(`squid_use_tproxy',`
-@@ -185,6 +187,7 @@ optional_policy(`
+@@ -185,6 +194,7 @@ optional_policy(`
corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
@@ -125347,7 +125680,7 @@ index 4b2230e..7b3d2db 100644
sysnet_dns_name_resolve(httpd_squid_script_t)
-@@ -206,3 +209,7 @@ optional_policy(`
+@@ -206,3 +216,7 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
@@ -127784,10 +128117,10 @@ index 0000000..2ba852c
+
diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if
new file mode 100644
-index 0000000..c6be180
+index 0000000..8c74340
--- /dev/null
+++ b/policy/modules/services/vdagent.if
-@@ -0,0 +1,128 @@
+@@ -0,0 +1,122 @@
+
+## <summary>policy for vdagent</summary>
+
@@ -127895,12 +128228,6 @@ index 0000000..c6be180
+## Domain allowed access.
+## </summary>
+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
+#
+interface(`vdagent_admin',`
+ gen_require(`
@@ -133653,16 +133980,18 @@ index c6fdab7..41198a4 100644
cron_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..29f3011 100644
+index 28ad538..bb13287 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
-@@ -1,3 +1,5 @@
+@@ -1,3 +1,7 @@
+HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
++HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-@@ -5,7 +7,12 @@
+@@ -5,7 +9,12 @@
/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
@@ -133675,7 +134004,7 @@ index 28ad538..29f3011 100644
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
-@@ -16,13 +23,22 @@ ifdef(`distro_suse', `
+@@ -16,13 +25,22 @@ ifdef(`distro_suse', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
@@ -133700,7 +134029,7 @@ index 28ad538..29f3011 100644
/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
-@@ -30,6 +46,8 @@ ifdef(`distro_gentoo', `
+@@ -30,6 +48,8 @@ ifdef(`distro_gentoo', `
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
@@ -133709,7 +134038,7 @@ index 28ad538..29f3011 100644
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
-@@ -39,11 +57,13 @@ ifdef(`distro_gentoo', `
+@@ -39,11 +59,13 @@ ifdef(`distro_gentoo', `
/var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0)
/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
@@ -133725,7 +134054,7 @@ index 28ad538..29f3011 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..02e667b 100644
+index 73554ec..dec450c 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -134172,7 +134501,7 @@ index 73554ec..02e667b 100644
## </p>
## </desc>
## <param name="domain">
-@@ -1575,87 +1808,200 @@ interface(`auth_relabel_login_records',`
+@@ -1575,87 +1808,202 @@ interface(`auth_relabel_login_records',`
## Domain allowed access.
## </summary>
## </param>
@@ -134384,6 +134713,7 @@ index 73554ec..02e667b 100644
')
+
+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
++ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
')
########################################
@@ -134422,6 +134752,7 @@ index 73554ec..02e667b 100644
- typeattribute $1 can_write_shadow_passwords;
- typeattribute $1 can_relabelto_shadow_passwords;
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
++ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index b7a5f00..a22fe6d 100644
@@ -135117,7 +135448,7 @@ index 354ce93..4738083 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..6248940 100644
+index 94fd8dd..6acffdb 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -135329,7 +135660,15 @@ index 94fd8dd..6248940 100644
########################################
## <summary>
## Execute init (/sbin/init) with a domain transition.
-@@ -451,6 +501,10 @@ interface(`init_exec',`
+@@ -442,7 +492,6 @@ interface(`init_domtrans',`
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`init_exec',`
+ gen_require(`
+@@ -451,6 +500,29 @@ interface(`init_exec',`
corecmd_search_bin($1)
can_exec($1, init_exec_t)
@@ -135337,10 +135676,29 @@ index 94fd8dd..6248940 100644
+ tunable_policy(`init_systemd',`
+ systemd_exec_systemctl($1)
+ ')
++')
++
++#######################################
++## <summary>
++## Dontaudit getattr on the init program.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`init_dontaudit_getattr_exec',`
++ gen_require(`
++ type init_exec_t;
++ ')
++
++ dontaudit $1 init_exec_t:file getattr;
')
########################################
-@@ -509,6 +563,24 @@ interface(`init_sigchld',`
+@@ -509,6 +581,24 @@ interface(`init_sigchld',`
########################################
## <summary>
@@ -135365,7 +135723,7 @@ index 94fd8dd..6248940 100644
## Connect to init with a unix socket.
## </summary>
## <param name="domain">
-@@ -519,10 +591,66 @@ interface(`init_sigchld',`
+@@ -519,10 +609,66 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@@ -135434,7 +135792,7 @@ index 94fd8dd..6248940 100644
')
########################################
-@@ -688,19 +816,25 @@ interface(`init_telinit',`
+@@ -688,19 +834,25 @@ interface(`init_telinit',`
type initctl_t;
')
@@ -135461,7 +135819,7 @@ index 94fd8dd..6248940 100644
')
')
-@@ -730,7 +864,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +882,7 @@ interface(`init_rw_initctl',`
## </summary>
## <param name="domain">
## <summary>
@@ -135470,7 +135828,7 @@ index 94fd8dd..6248940 100644
## </summary>
## </param>
#
-@@ -773,18 +907,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +925,19 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -135494,7 +135852,7 @@ index 94fd8dd..6248940 100644
')
')
-@@ -800,19 +935,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,23 +953,45 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -135517,11 +135875,11 @@ index 94fd8dd..6248940 100644
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+ ')
-+')
-+
-+########################################
-+## <summary>
+ ')
+ ')
+
+ ########################################
+ ## <summary>
+## Execute a file in a bin directory
+## in the initrc_t domain
+## </summary>
@@ -135534,13 +135892,17 @@ index 94fd8dd..6248940 100644
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
- ')
++ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
- ')
-
- ########################################
-@@ -868,9 +1025,14 @@ interface(`init_script_file_domtrans',`
++')
++
++########################################
++## <summary>
+ ## Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
+@@ -868,9 +1043,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -135555,7 +135917,7 @@ index 94fd8dd..6248940 100644
files_search_etc($1)
')
-@@ -961,7 +1123,9 @@ interface(`init_ptrace',`
+@@ -961,7 +1141,9 @@ interface(`init_ptrace',`
type init_t;
')
@@ -135566,7 +135928,7 @@ index 94fd8dd..6248940 100644
')
########################################
-@@ -1079,6 +1243,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1261,24 @@ interface(`init_read_all_script_files',`
#######################################
## <summary>
@@ -135591,7 +135953,7 @@ index 94fd8dd..6248940 100644
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
-@@ -1130,12 +1312,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1330,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -135605,7 +135967,7 @@ index 94fd8dd..6248940 100644
')
########################################
-@@ -1375,6 +1552,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1570,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@@ -135633,7 +135995,7 @@ index 94fd8dd..6248940 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1461,6 +1659,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1677,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@@ -135659,7 +136021,7 @@ index 94fd8dd..6248940 100644
## Do not audit attempts to read init script
## status files.
## </summary>
-@@ -1519,6 +1736,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1754,24 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
@@ -135684,7 +136046,7 @@ index 94fd8dd..6248940 100644
## Create files in a init script
## temporary data directory.
## </summary>
-@@ -1586,6 +1821,24 @@ interface(`init_read_utmp',`
+@@ -1586,6 +1839,24 @@ interface(`init_read_utmp',`
########################################
## <summary>
@@ -135709,7 +136071,7 @@ index 94fd8dd..6248940 100644
## Do not audit attempts to write utmp.
## </summary>
## <param name="domain">
-@@ -1674,7 +1927,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1945,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -135718,7 +136080,7 @@ index 94fd8dd..6248940 100644
')
########################################
-@@ -1715,6 +1968,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1986,128 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file)
')
@@ -135847,7 +136209,7 @@ index 94fd8dd..6248940 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2124,266 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2142,266 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -142372,7 +142734,7 @@ index ff80d0a..22c9f0d 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..9291d3a 100644
+index 34d0ec5..40d2d20 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -142399,7 +142761,7 @@ index 34d0ec5..9291d3a 100644
type dhcpc_state_t;
files_type(dhcpc_state_t)
-@@ -34,18 +44,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
+@@ -34,17 +44,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
role system_r types ifconfig_t;
type net_conf_t alias resolv_conf_t;
@@ -142416,12 +142778,11 @@ index 34d0ec5..9291d3a 100644
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
--
-+allow dhcpc_t self:process { getsched getcap setcap setfscreate signal_perms };
++allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate signal_perms };
+
allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
- allow dhcpc_t self:udp_socket create_socket_perms;
-@@ -57,8 +66,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+@@ -57,8 +67,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
allow dhcpc_t dhcp_state_t:file read_file_perms;
@@ -142433,7 +142794,7 @@ index 34d0ec5..9291d3a 100644
# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-@@ -66,6 +78,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
+@@ -66,6 +79,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
@@ -142442,7 +142803,7 @@ index 34d0ec5..9291d3a 100644
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
-@@ -91,25 +105,28 @@ corecmd_exec_shell(dhcpc_t)
+@@ -91,25 +106,28 @@ corecmd_exec_shell(dhcpc_t)
corenet_all_recvfrom_unlabeled(dhcpc_t)
corenet_all_recvfrom_netlabel(dhcpc_t)
@@ -142479,7 +142840,7 @@ index 34d0ec5..9291d3a 100644
domain_use_interactive_fds(dhcpc_t)
domain_dontaudit_read_all_domains_state(dhcpc_t)
-@@ -129,14 +146,17 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+@@ -129,14 +147,17 @@ term_dontaudit_use_all_ptys(dhcpc_t)
term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
@@ -142499,7 +142860,7 @@ index 34d0ec5..9291d3a 100644
userdom_use_user_terminals(dhcpc_t)
userdom_dontaudit_search_user_home_dirs(dhcpc_t)
-@@ -151,7 +171,18 @@ ifdef(`distro_ubuntu',`
+@@ -151,7 +172,18 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -142519,7 +142880,7 @@ index 34d0ec5..9291d3a 100644
')
optional_policy(`
-@@ -171,6 +202,8 @@ optional_policy(`
+@@ -171,6 +203,8 @@ optional_policy(`
optional_policy(`
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@@ -142528,7 +142889,7 @@ index 34d0ec5..9291d3a 100644
')
optional_policy(`
-@@ -192,17 +225,31 @@ optional_policy(`
+@@ -192,17 +226,31 @@ optional_policy(`
')
optional_policy(`
@@ -142560,7 +142921,7 @@ index 34d0ec5..9291d3a 100644
')
optional_policy(`
-@@ -213,6 +260,11 @@ optional_policy(`
+@@ -213,6 +261,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -142572,7 +142933,7 @@ index 34d0ec5..9291d3a 100644
')
optional_policy(`
-@@ -255,6 +307,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -255,6 +308,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -142580,7 +142941,7 @@ index 34d0ec5..9291d3a 100644
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,8 +329,12 @@ dev_read_urand(ifconfig_t)
+@@ -276,8 +330,12 @@ dev_read_urand(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
@@ -142593,7 +142954,7 @@ index 34d0ec5..9291d3a 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -290,7 +347,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -290,7 +348,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -142602,7 +142963,7 @@ index 34d0ec5..9291d3a 100644
init_use_fds(ifconfig_t)
init_use_script_ptys(ifconfig_t)
-@@ -301,11 +358,11 @@ logging_send_syslog_msg(ifconfig_t)
+@@ -301,11 +359,11 @@ logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
@@ -142617,7 +142978,7 @@ index 34d0ec5..9291d3a 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -314,7 +371,18 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +372,18 @@ ifdef(`distro_ubuntu',`
')
')
@@ -142636,7 +142997,7 @@ index 34d0ec5..9291d3a 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -325,8 +393,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +394,14 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -142651,7 +143012,7 @@ index 34d0ec5..9291d3a 100644
')
optional_policy(`
-@@ -335,7 +409,15 @@ optional_policy(`
+@@ -335,7 +410,15 @@ optional_policy(`
')
optional_policy(`
@@ -142668,7 +143029,7 @@ index 34d0ec5..9291d3a 100644
')
optional_policy(`
-@@ -356,3 +438,9 @@ optional_policy(`
+@@ -356,3 +439,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7499c0a..d1f9902 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 106%{?dist}
+Release: 107%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -484,6 +484,29 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Mar 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-107
+- Add numad policy and numad man page
+- Add fixes for interface bugs discovered by SEWatch
+- Add /tmp support for squid
+- Add fix for #799102
+ * change default labeling for /var/run/slapd.* sockets
+- Make thumb_t as userdom_home_reader
+- label /var/lib/sss/mc same as pubconf, so getpw domains can read it
+- Allow smbspool running as cups_t to stream connect to nmbd
+- accounts needs to be able to execute passwd on behalf of users
+- Allow systemd_tmpfiles_t to delete boot flags
+- Allow dnssec_trigger to connect to apache ports
+- Allow gnome keyring to create sock_files in ~/.cache
+- google_authenticator is using .google_authenticator
+- sandbox running from within firefox is exposing more leaks
+- Dontaudit thumb to read/write /dev/card0
+- Dontaudit getattr on init_exec_t for gnomeclock_t
+- Allow certmonger to do a transition to certmonger_unconfined_t
+- Allow dhcpc setsched which is caused by nmcli
+- Add rpm_exec_t for /usr/sbin/bcfg2
+- system cronjobs are sending dbus messages to systemd_logind
+- Thumnailers read /dev/urand
+
* Thu Mar 22 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-106
- Allow auditctl getcap
- Allow vdagent to use libsystemd-login
More information about the scm-commits
mailing list