[selinux-policy/f16] * Fri May 4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0- - Allow jockey to use its own fifo_file

Miroslav Grepl mgrepl at fedoraproject.org
Fri May 4 19:10:07 UTC 2012


commit 748e21ac5c97417185186f379c8083838e9ab69c
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri May 4 21:09:52 2012 +0200

    * Fri May 4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-
    - Allow jockey to use its own fifo_file
    - Allow collectd to read /dev/random
    - Allow collectd to send signal to itself
    - Allow chronyd to send signal to itself
    - Allow collectd to create packet socket
    - Allow colord to create shm
    - Fix description on httpd_graceful_shutdown
    - Add httpd_graceful_shutdown boolean to allow httpd to connect to port 80 for graceful shutdown
    - Add clamscan_can_scan_system boolean
    - Allow mysqld to read kernel network state
    - Dontaudit fail2ban looking at gnome content
    - Allow ldconfig to create /var/cache/ldconfig

 policy-F16.patch    |  357 +++++++++++++++++++++++++++++++++++---------------
 selinux-policy.spec |   16 ++-
 2 files changed, 265 insertions(+), 108 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 57fc850..5e3fd35 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -8168,7 +8168,7 @@ index 0000000..2a83f6e
 +')
 diff --git a/policy/modules/apps/jockey.te b/policy/modules/apps/jockey.te
 new file mode 100644
-index 0000000..a323883
+index 0000000..6de888a
 --- /dev/null
 +++ b/policy/modules/apps/jockey.te
 @@ -0,0 +1,37 @@
@@ -8193,7 +8193,7 @@ index 0000000..a323883
 +#
 +# jockey local policy
 +#
-+
++allow jockey_t self:fifo_file rw_fifo_file_perms;
 +
 +manage_dirs_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
 +manage_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
@@ -16790,7 +16790,7 @@ index 6a1e4d1..3ded83e 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..9b821b9 100644
+index fae1ab1..b062dce 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -16815,9 +16815,12 @@ index fae1ab1..9b821b9 100644
  
  ## <desc>
  ## <p>
-@@ -87,14 +102,20 @@ allow domain self:dir list_dir_perms;
+@@ -86,15 +101,23 @@ neverallow ~{ domain unlabeled_t } *:process *;
+ allow domain self:dir list_dir_perms;
  allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
  allow domain self:file rw_file_perms;
++allow domain self:fifo_file rw_fifo_file_perms;
++
  kernel_read_proc_symlinks(domain)
 +kernel_read_crypto_sysctls(domain)
 +
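Review bot: The added `allow domain self:fifo_file rw_fifo_file_perms;` grants every domain read/write on its own FIFOs, a base-policy-wide change that the changelog does not mention (it lists only jockey). If jockey_t carries the domain attribute, the jockey-specific rule added in the hunk at L42–L50 becomes redundant, so either drop one of the two or record the broader grant in the changelog, e.g. `- Allow all domains to rw their own fifo_file`. The rest of this domain.te hunk is outside the visible lines.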
@@ -16837,7 +16840,7 @@ index fae1ab1..9b821b9 100644
  
  # Use trusted objects in /dev
  dev_rw_null(domain)
-@@ -103,6 +124,16 @@ term_use_controlling_term(domain)
+@@ -103,6 +126,16 @@ term_use_controlling_term(domain)
  
  # list the root directory
  files_list_root(domain)
@@ -16854,7 +16857,7 @@ index fae1ab1..9b821b9 100644
  
  tunable_policy(`global_ssp',`
  	# enable reading of urandom for all domains:
-@@ -113,8 +144,13 @@ tunable_policy(`global_ssp',`
+@@ -113,8 +146,13 @@ tunable_policy(`global_ssp',`
  ')
  
  optional_policy(`
@@ -16868,7 +16871,7 @@ index fae1ab1..9b821b9 100644
  ')
  
  optional_policy(`
-@@ -125,6 +161,8 @@ optional_policy(`
+@@ -125,6 +163,8 @@ optional_policy(`
  optional_policy(`
  	xserver_dontaudit_use_xdm_fds(domain)
  	xserver_dontaudit_rw_xdm_pipes(domain)
@@ -16877,7 +16880,7 @@ index fae1ab1..9b821b9 100644
  ')
  
  ########################################
-@@ -143,6 +181,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+@@ -143,6 +183,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
  allow unconfined_domain_type domain:fd use;
  allow unconfined_domain_type domain:fifo_file rw_file_perms;
  
@@ -16886,7 +16889,7 @@ index fae1ab1..9b821b9 100644
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -158,5 +198,222 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +200,222 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -26183,10 +26186,10 @@ index 6480167..6ecc96d 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..e8e4fa6 100644
+index 3136c6a..fcccdde 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
-@@ -18,130 +18,232 @@ policy_module(apache, 2.2.1)
+@@ -18,130 +18,239 @@ policy_module(apache, 2.2.1)
  # Declarations
  #
  
@@ -26276,6 +26279,13 @@ index 3136c6a..e8e4fa6 100644
 +
 +## <desc>
 +##	<p>
++##	Allow HTTPD to connect to port 80 for graceful shutdown
++##	</p>
++## </desc>
++gen_tunable(httpd_graceful_shutdown, false)
++
++## <desc>
++##	<p>
 +##	Allow HTTPD scripts and modules to connect to databases over the network.
 +##	</p>
  ## </desc>
@@ -26475,7 +26485,7 @@ index 3136c6a..e8e4fa6 100644
  attribute httpdcontent;
  attribute httpd_user_content_type;
  
-@@ -166,7 +268,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +275,7 @@ files_type(httpd_cache_t)
  
  # httpd_config_t is the type given to the configuration files
  type httpd_config_t;
@@ -26484,7 +26494,7 @@ index 3136c6a..e8e4fa6 100644
  
  type httpd_helper_t;
  type httpd_helper_exec_t;
-@@ -177,6 +279,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +286,9 @@ role system_r types httpd_helper_t;
  type httpd_initrc_exec_t;
  init_script_file(httpd_initrc_exec_t)
  
@@ -26494,7 +26504,7 @@ index 3136c6a..e8e4fa6 100644
  type httpd_lock_t;
  files_lock_file(httpd_lock_t)
  
-@@ -216,7 +321,17 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +328,17 @@ files_tmp_file(httpd_suexec_tmp_t)
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
@@ -26513,7 +26523,7 @@ index 3136c6a..e8e4fa6 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -226,6 +341,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +348,10 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -26524,7 +26534,7 @@ index 3136c6a..e8e4fa6 100644
  userdom_user_home_content(httpd_user_content_t)
  userdom_user_home_content(httpd_user_htaccess_t)
  userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +352,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +359,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
  userdom_user_home_content(httpd_user_rw_content_t)
  typeattribute httpd_user_script_t httpd_script_domains;
  typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -26532,7 +26542,7 @@ index 3136c6a..e8e4fa6 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +374,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +381,23 @@ files_type(httpd_var_lib_t)
  type httpd_var_run_t;
  files_pid_file(httpd_var_run_t)
  
@@ -26556,7 +26566,7 @@ index 3136c6a..e8e4fa6 100644
  ########################################
  #
  # Apache server local policy
-@@ -281,11 +410,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +417,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
  allow httpd_t self:udp_socket create_socket_perms;
@@ -26570,7 +26580,7 @@ index 3136c6a..e8e4fa6 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +460,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +467,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -26581,7 +26591,7 @@ index 3136c6a..e8e4fa6 100644
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -339,8 +471,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -339,8 +478,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  
@@ -26592,7 +26602,7 @@ index 3136c6a..e8e4fa6 100644
  
  setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
  manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -355,6 +488,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +495,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -26602,7 +26612,7 @@ index 3136c6a..e8e4fa6 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +501,17 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +508,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -26617,11 +26627,13 @@ index 3136c6a..e8e4fa6 100644
 +corenet_tcp_bind_puppet_port(httpd_t)
  # Signal self for shutdown
 -corenet_tcp_connect_http_port(httpd_t)
-+#corenet_tcp_connect_http_port(httpd_t)
++tunable_policy(`httpd_graceful_shutdown',`
++	corenet_tcp_connect_http_port(httpd_t)
++')
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +520,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +529,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
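Review bot: The new `tunable_policy(`httpd_graceful_shutdown',` block enables only `corenet_tcp_connect_http_port(httpd_t)`, while elsewhere in this file a connect rule is paired with its client-packets interface (the smtp pair under `httpd_can_sendmail`); on a system with SECMARK packet labelling the graceful-shutdown connect would presumably still be refused. Consider adding `corenet_sendrecv_http_client_packets(httpd_t)` inside the same block. The context comment `# Signal self for shutdown` now sits above a conditional rule; `# Signal self for shutdown (only with httpd_graceful_shutdown)` keeps it accurate.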
@@ -26637,7 +26649,7 @@ index 3136c6a..e8e4fa6 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +533,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +542,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -26645,7 +26657,7 @@ index 3136c6a..e8e4fa6 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,48 +545,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +554,101 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -26749,7 +26761,7 @@ index 3136c6a..e8e4fa6 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -454,27 +650,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -454,27 +659,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -26813,7 +26825,7 @@ index 3136c6a..e8e4fa6 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +714,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +723,22 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -26836,7 +26848,7 @@ index 3136c6a..e8e4fa6 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +744,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +753,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -26857,7 +26869,7 @@ index 3136c6a..e8e4fa6 100644
  ')
  
  optional_policy(`
-@@ -513,7 +768,13 @@ optional_policy(`
+@@ -513,7 +777,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26872,7 +26884,7 @@ index 3136c6a..e8e4fa6 100644
  ')
  
  optional_policy(`
-@@ -528,7 +789,19 @@ optional_policy(`
+@@ -528,7 +798,19 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -26893,7 +26905,7 @@ index 3136c6a..e8e4fa6 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +810,13 @@ optional_policy(`
+@@ -537,8 +819,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26908,7 +26920,7 @@ index 3136c6a..e8e4fa6 100644
  	')
  ')
  
-@@ -556,7 +834,21 @@ optional_policy(`
+@@ -556,7 +843,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26930,7 +26942,7 @@ index 3136c6a..e8e4fa6 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +859,7 @@ optional_policy(`
+@@ -567,6 +868,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -26938,7 +26950,7 @@ index 3136c6a..e8e4fa6 100644
  ')
  
  optional_policy(`
-@@ -577,6 +870,20 @@ optional_policy(`
+@@ -577,6 +879,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26959,7 +26971,7 @@ index 3136c6a..e8e4fa6 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +898,11 @@ optional_policy(`
+@@ -591,6 +907,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26971,7 +26983,7 @@ index 3136c6a..e8e4fa6 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +915,12 @@ optional_policy(`
+@@ -603,6 +924,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -26984,7 +26996,7 @@ index 3136c6a..e8e4fa6 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +934,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +943,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -26997,7 +27009,7 @@ index 3136c6a..e8e4fa6 100644
  
  ########################################
  #
-@@ -654,28 +976,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +985,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -27041,7 +27053,7 @@ index 3136c6a..e8e4fa6 100644
  ')
  
  ########################################
-@@ -685,6 +1009,8 @@ optional_policy(`
+@@ -685,6 +1018,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -27050,7 +27062,7 @@ index 3136c6a..e8e4fa6 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1025,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1034,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -27076,7 +27088,7 @@ index 3136c6a..e8e4fa6 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1071,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1080,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -27109,7 +27121,7 @@ index 3136c6a..e8e4fa6 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1118,25 @@ optional_policy(`
+@@ -769,6 +1127,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -27135,7 +27147,7 @@ index 3136c6a..e8e4fa6 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1157,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1166,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -27153,7 +27165,7 @@ index 3136c6a..e8e4fa6 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1176,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1185,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -27210,7 +27222,7 @@ index 3136c6a..e8e4fa6 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1227,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1236,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -27251,7 +27263,7 @@ index 3136c6a..e8e4fa6 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1272,20 @@ optional_policy(`
+@@ -842,10 +1281,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -27272,7 +27284,7 @@ index 3136c6a..e8e4fa6 100644
  ')
  
  ########################################
-@@ -891,11 +1331,49 @@ optional_policy(`
+@@ -891,11 +1340,49 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -27290,13 +27302,13 @@ index 3136c6a..e8e4fa6 100644
 +	userdom_search_user_home_content(httpd_t)
 +	userdom_search_user_home_content(httpd_suexec_t)
 +	userdom_search_user_home_content(httpd_user_script_t)
-+')
+ ')
 +
 +tunable_policy(`httpd_read_user_content',`
 +	userdom_read_user_home_content_files(httpd_t)
 +	userdom_read_user_home_content_files(httpd_suexec_t)
 +	userdom_read_user_home_content_files(httpd_user_script_t)
- ')
++')
 +
 +########################################
 +#
@@ -30269,7 +30281,7 @@ index 9a0da94..714f905 100644
 +	chronyd_systemctl($1)
  ')
 diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
-index fa82327..1a486b0 100644
+index fa82327..6bf2b26 100644
 --- a/policy/modules/services/chronyd.te
 +++ b/policy/modules/services/chronyd.te
 @@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t)
@@ -30285,7 +30297,12 @@ index fa82327..1a486b0 100644
  type chronyd_var_lib_t;
  files_type(chronyd_var_lib_t)
  
-@@ -34,9 +40,14 @@ allow chronyd_t self:process { getcap setcap setrlimit };
+@@ -30,13 +36,18 @@ files_pid_file(chronyd_var_run_t)
+ #
+ 
+ allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+-allow chronyd_t self:process { getcap setcap setrlimit };
++allow chronyd_t self:process { getcap setcap setrlimit signal };
  allow chronyd_t self:shm create_shm_perms;
  allow chronyd_t self:udp_socket create_socket_perms;
  allow chronyd_t self:unix_dgram_socket create_socket_perms;
@@ -30406,10 +30423,10 @@ index 1f11572..9eb2461 100644
  	')
  
 diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..9f2a358 100644
+index f758323..c78e22d 100644
 --- a/policy/modules/services/clamav.te
 +++ b/policy/modules/services/clamav.te
-@@ -1,9 +1,16 @@
+@@ -1,9 +1,23 @@
  policy_module(clamav, 1.9.0)
  
  ## <desc>
@@ -30423,13 +30440,20 @@ index f758323..9f2a358 100644
 +gen_tunable(clamscan_read_user_content, false)
 +
 +## <desc>
++##  <p>
++##  Allow clamscan to non security files on a system
++##  </p>
++## </desc>
++gen_tunable(clamscan_can_scan_system, false)
++
++## <desc>
 +##	<p>
 +##	Allow clamd to use JIT compiler
 +##	</p>
  ## </desc>
  gen_tunable(clamd_use_jit, false)
  
-@@ -64,6 +71,8 @@ logging_log_file(freshclam_var_log_t)
+@@ -64,6 +78,8 @@ logging_log_file(freshclam_var_log_t)
  
  allow clamd_t self:capability { kill setgid setuid dac_override };
  dontaudit clamd_t self:capability sys_tty_config;
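Review bot: The description of the new `clamscan_can_scan_system` boolean is missing its verb: `##  Allow clamscan to non security files on a system`. The rule it guards later in this patch is `files_read_non_security_files(clamscan_t)`, a read grant, so `##	Allow clamscan to read non-security files on the system` states what the boolean does. The new `## <desc>` lines also indent with two spaces after `##` where the neighbouring descriptions in this file use a tab.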
@@ -30438,7 +30462,7 @@ index f758323..9f2a358 100644
  allow clamd_t self:fifo_file rw_fifo_file_perms;
  allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow clamd_t self:unix_dgram_socket create_socket_perms;
-@@ -80,6 +89,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
+@@ -80,6 +96,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
  files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
  
  # var/lib files for clamd
@@ -30446,7 +30470,7 @@ index f758323..9f2a358 100644
  manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
  manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
  
-@@ -89,9 +99,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+@@ -89,9 +106,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
  logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
  
  # pid file
@@ -30458,7 +30482,7 @@ index f758323..9f2a358 100644
  
  kernel_dontaudit_list_proc(clamd_t)
  kernel_read_sysctl(clamd_t)
-@@ -110,6 +121,7 @@ corenet_tcp_bind_generic_node(clamd_t)
+@@ -110,6 +128,7 @@ corenet_tcp_bind_generic_node(clamd_t)
  corenet_tcp_bind_clamd_port(clamd_t)
  corenet_tcp_bind_generic_port(clamd_t)
  corenet_tcp_connect_generic_port(clamd_t)
@@ -30466,7 +30490,7 @@ index f758323..9f2a358 100644
  corenet_sendrecv_clamd_server_packets(clamd_t)
  
  dev_read_rand(clamd_t)
-@@ -127,13 +139,6 @@ logging_send_syslog_msg(clamd_t)
+@@ -127,13 +146,6 @@ logging_send_syslog_msg(clamd_t)
  
  miscfiles_read_localization(clamd_t)
  
@@ -30480,7 +30504,7 @@ index f758323..9f2a358 100644
  optional_policy(`
  	amavis_read_lib_files(clamd_t)
  	amavis_read_spool_files(clamd_t)
-@@ -142,13 +147,31 @@ optional_policy(`
+@@ -142,13 +154,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30513,7 +30537,7 @@ index f758323..9f2a358 100644
  ')
  
  ########################################
-@@ -178,10 +201,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +208,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
  
  # log files (own logfiles only)
  manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -30532,7 +30556,7 @@ index f758323..9f2a358 100644
  corenet_all_recvfrom_unlabeled(freshclam_t)
  corenet_all_recvfrom_netlabel(freshclam_t)
  corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +218,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +225,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
@@ -30540,7 +30564,7 @@ index f758323..9f2a358 100644
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -207,16 +237,18 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +244,18 @@ miscfiles_read_localization(freshclam_t)
  
  clamav_stream_connect(freshclam_t)
  
@@ -30563,7 +30587,7 @@ index f758323..9f2a358 100644
  ########################################
  #
  # clamscam local policy
-@@ -242,15 +274,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +281,33 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
  manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
  allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
  
@@ -30588,12 +30612,16 @@ index f758323..9f2a358 100644
 +	userdom_dontaudit_read_user_home_content_files(clamscan_t)
 +')
 +
++tunable_policy(`clamscan_can_scan_system',`
++        files_read_non_security_files(clamscan_t)
++')
++
  kernel_read_kernel_sysctls(clamscan_t)
 +kernel_read_system_state(clamscan_t)
  
  files_read_etc_files(clamscan_t)
  files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +310,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +321,15 @@ miscfiles_read_public_files(clamscan_t)
  
  clamav_stream_connect(clamscan_t)
  
@@ -31652,10 +31680,10 @@ index 0000000..ed13d1e
 +
 diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
 new file mode 100644
-index 0000000..ab1d55b
+index 0000000..7bd44e8
 --- /dev/null
 +++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,85 @@
 +policy_module(collectd, 1.0.0)
 +
 +########################################
@@ -31688,10 +31716,12 @@ index 0000000..ab1d55b
 +#
 +# collectd local policy
 +#
++
 +allow collectd_t self:capability ipc_lock;
-+allow collectd_t self:process fork;
++allow collectd_t self:process { signal fork };
 +
 +allow collectd_t self:fifo_file rw_fifo_file_perms;
++allow collectd_t self:packet_socket create_socket_perms;
 +allow collectd_t self:unix_stream_socket create_stream_socket_perms;
 +
 +manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
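Review bot: `allow collectd_t self:packet_socket create_socket_perms;` on its own is probably not enough for collectd to open an AF_PACKET socket: the kernel checks CAP_NET_RAW on creation, and the only capability this hunk grants is `ipc_lock`. If the intent is live packet capture, expect a `capability net_raw` denial and extend the line to `allow collectd_t self:capability { ipc_lock net_raw };`; if that is not the intent, the packet_socket rule is wider than needed. The `signal` added to `self:process` matches the changelog entry.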
@@ -31709,6 +31739,8 @@ index 0000000..ab1d55b
 +kernel_read_system_state(collectd_t)
 +
 +dev_read_sysfs(collectd_t)
++dev_read_urand(collectd_t)
++dev_read_rand(collectd_t)
 +
 +files_getattr_all_dirs(collectd_t)
 +files_read_etc_files(collectd_t)
@@ -31738,7 +31770,7 @@ index 0000000..ab1d55b
 +')
 +
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..294727a 100644
+index 74505cc..de4b5c7 100644
 --- a/policy/modules/services/colord.te
 +++ b/policy/modules/services/colord.te
 @@ -5,9 +5,17 @@ policy_module(colord, 1.0.0)
@@ -31759,7 +31791,7 @@ index 74505cc..294727a 100644
  
  type colord_tmp_t;
  files_tmp_file(colord_tmp_t)
-@@ -23,9 +31,11 @@ files_type(colord_var_lib_t)
+@@ -23,9 +31,12 @@ files_type(colord_var_lib_t)
  # colord local policy
  #
  allow colord_t self:capability { dac_read_search dac_override };
@@ -31768,10 +31800,11 @@ index 74505cc..294727a 100644
  allow colord_t self:fifo_file rw_fifo_file_perms;
  allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow colord_t self:tcp_socket create_stream_socket_perms;
++allow colord_t self:shm create_shm_perms;
  allow colord_t self:udp_socket create_socket_perms;
  allow colord_t self:unix_dgram_socket create_socket_perms;
  
-@@ -41,8 +51,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+@@ -41,8 +52,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
  
@@ -31787,7 +31820,7 @@ index 74505cc..294727a 100644
  
  corenet_all_recvfrom_unlabeled(colord_t)
  corenet_all_recvfrom_netlabel(colord_t)
-@@ -50,6 +66,8 @@ corenet_udp_bind_generic_node(colord_t)
+@@ -50,6 +67,8 @@ corenet_udp_bind_generic_node(colord_t)
  corenet_udp_bind_ipp_port(colord_t)
  corenet_tcp_connect_ipp_port(colord_t)
  
@@ -31796,7 +31829,7 @@ index 74505cc..294727a 100644
  dev_read_video_dev(colord_t)
  dev_write_video_dev(colord_t)
  dev_rw_printer(colord_t)
-@@ -65,19 +83,35 @@ files_list_mnt(colord_t)
+@@ -65,19 +84,35 @@ files_list_mnt(colord_t)
  files_read_etc_files(colord_t)
  files_read_usr_files(colord_t)
  
@@ -31833,7 +31866,7 @@ index 74505cc..294727a 100644
  	fs_read_cifs_files(colord_t)
  ')
  
-@@ -89,6 +123,12 @@ optional_policy(`
+@@ -89,6 +124,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31846,7 +31879,7 @@ index 74505cc..294727a 100644
  	policykit_dbus_chat(colord_t)
  	policykit_domtrans_auth(colord_t)
  	policykit_read_lib(colord_t)
-@@ -96,5 +136,16 @@ optional_policy(`
+@@ -96,5 +137,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38292,7 +38325,7 @@ index f590a1f..338e5bf 100644
 +	admin_pattern($1, fail2ban_tmp_t)
  ')
 diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..2599f96 100644
+index 2a69e5e..2fd17d8 100644
 --- a/policy/modules/services/fail2ban.te
 +++ b/policy/modules/services/fail2ban.te
 @@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t)
@@ -38346,7 +38379,7 @@ index 2a69e5e..2599f96 100644
  
  files_read_etc_files(fail2ban_t)
  files_read_etc_runtime_files(fail2ban_t)
-@@ -94,5 +107,38 @@ optional_policy(`
+@@ -94,5 +107,43 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38385,6 +38418,11 @@ index 2a69e5e..2599f96 100644
 +files_search_pids(fail2ban_client_t)
 +
 +miscfiles_read_localization(fail2ban_client_t)
++
++optional_policy(`
++	gnome_dontaudit_search_config(fail2ban_client_t)
++')
++
 diff --git a/policy/modules/services/fcoemon.fc b/policy/modules/services/fcoemon.fc
 new file mode 100644
 index 0000000..83279fb
@@ -46975,7 +47013,7 @@ index e9c0982..b3b1d5a 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..c51cbf6 100644
+index 0a0d63c..e71dc4c 100644
 --- a/policy/modules/services/mysql.te
 +++ b/policy/modules/services/mysql.te
 @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -47018,7 +47056,7 @@ index 0a0d63c..c51cbf6 100644
  allow mysqld_t mysqld_etc_t:dir list_dir_perms;
  
  allow mysqld_t mysqld_log_t:file manage_file_perms;
-@@ -78,13 +85,20 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+@@ -78,13 +85,21 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
  manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
  files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
  
@@ -47032,6 +47070,7 @@ index 0a0d63c..c51cbf6 100644
 +read_files_pattern(mysqld_t, mysqld_home_t, mysqld_home_t)
  
  kernel_read_system_state(mysqld_t)
++kernel_read_network_state(mysqld_t)
  kernel_read_kernel_sysctls(mysqld_t)
  
 +corecmd_exec_bin(mysqld_t)
@@ -47040,7 +47079,7 @@ index 0a0d63c..c51cbf6 100644
  corenet_all_recvfrom_unlabeled(mysqld_t)
  corenet_all_recvfrom_netlabel(mysqld_t)
  corenet_tcp_sendrecv_generic_if(mysqld_t)
-@@ -122,13 +136,8 @@ miscfiles_read_localization(mysqld_t)
+@@ -122,13 +137,8 @@ miscfiles_read_localization(mysqld_t)
  
  sysnet_read_config(mysqld_t)
  
@@ -47055,7 +47094,7 @@ index 0a0d63c..c51cbf6 100644
  ')
  
  tunable_policy(`mysql_connect_any',`
-@@ -155,9 +164,11 @@ optional_policy(`
+@@ -155,9 +165,11 @@ optional_policy(`
  
  allow mysqld_safe_t self:capability { chown dac_override fowner kill };
  dontaudit mysqld_safe_t self:capability sys_ptrace;
@@ -47067,7 +47106,7 @@ index 0a0d63c..c51cbf6 100644
  
  domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
  
-@@ -170,26 +181,33 @@ kernel_read_system_state(mysqld_safe_t)
+@@ -170,26 +182,33 @@ kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
  
  corecmd_exec_bin(mysqld_safe_t)
@@ -53053,7 +53092,7 @@ index b524673..921a60f 100644
 +	ppp_systemctl($1)
  ')
 diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..f530c23 100644
+index 2af42e7..499a41b 100644
 --- a/policy/modules/services/ppp.te
 +++ b/policy/modules/services/ppp.te
 @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -53159,7 +53198,7 @@ index 2af42e7..f530c23 100644
  
  logging_send_syslog_msg(pppd_t)
  logging_send_audit_msgs(pppd_t)
-@@ -176,7 +184,7 @@ sysnet_exec_ifconfig(pppd_t)
+@@ -176,9 +184,10 @@ sysnet_exec_ifconfig(pppd_t)
  sysnet_manage_config(pppd_t)
  sysnet_etc_filetrans_config(pppd_t)
  
@@ -53167,8 +53206,11 @@ index 2af42e7..f530c23 100644
 +userdom_use_inherited_user_terminals(pppd_t)
  userdom_dontaudit_use_unpriv_user_fds(pppd_t)
  userdom_search_user_home_dirs(pppd_t)
++userdom_search_admin_dir(pppd_t)
  
-@@ -187,13 +195,21 @@ optional_policy(`
+ ppp_exec(pppd_t)
+ 
+@@ -187,13 +196,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53191,7 +53233,7 @@ index 2af42e7..f530c23 100644
  ')
  
  optional_policy(`
-@@ -243,14 +259,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +260,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
  allow pptp_t pptp_log_t:file manage_file_perms;
  logging_log_filetrans(pptp_t, pptp_log_t, file)
  
@@ -53211,7 +53253,7 @@ index 2af42e7..f530c23 100644
  
  dev_read_sysfs(pptp_t)
  
-@@ -265,9 +285,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
+@@ -265,9 +286,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
  corenet_raw_sendrecv_generic_node(pptp_t)
  corenet_tcp_sendrecv_all_ports(pptp_t)
  corenet_tcp_bind_generic_node(pptp_t)
@@ -56880,10 +56922,10 @@ index 0000000..811c52e
 +
 diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
 new file mode 100644
-index 0000000..4d1d0c7
+index 0000000..8d25cc5
 --- /dev/null
 +++ b/policy/modules/services/rhsmcertd.te
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,67 @@
 +policy_module(rhsmcertd, 1.0.0)
 +
 +########################################
@@ -56915,6 +56957,9 @@ index 0000000..4d1d0c7
 +# rhsmcertd local policy
 +#
 +
++allow rhsmcertd_t self:capability sys_nice;
++allow rhsmcertd_t self:process { signal signull getsched setsched };
++
 +allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
 +allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
 +
@@ -56929,8 +56974,10 @@ index 0000000..4d1d0c7
 +
 +manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
 +manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
++files_pid_filetrans(rhsmcertd_var_run_t, rhsmcertd_var_run_t, { file dir })
 +
 +kernel_read_system_state(rhsmcertd_t)
++kernel_read_network_state(rhsmcertd_t)
 +
 +corecmd_exec_bin(rhsmcertd_t)
 +
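Review bot: The first argument of the added `files_pid_filetrans` call is the file type `rhsmcertd_var_run_t` where the daemon domain is expected, so the name-based transition is attached to the wrong subject and never applies to rhsmcertd_t; pid files and directories the daemon creates under /var/run would keep the parent directory's label instead of rhsmcertd_var_run_t. The line should read `files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })`, matching the manage_*_pattern calls right above it. The rhsmcertd local policy block continues outside this hunk.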
@@ -56938,6 +56985,7 @@ index 0000000..4d1d0c7
 +
 +files_read_etc_files(rhsmcertd_t)
 +files_read_usr_files(rhsmcertd_t)
++files_list_tmp(rhsmcertd_t)
 +
 +miscfiles_read_localization(rhsmcertd_t)
 +miscfiles_read_certs(rhsmcertd_t)
@@ -62843,12 +62891,59 @@ index 665bf7c..a1ea37a 100644
 +optional_policy(`
 +	iscsi_manage_semaphores(tgtd_t)
 +')
+diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc
+index e2e06b2..e210bd0 100644
+--- a/policy/modules/services/tor.fc
++++ b/policy/modules/services/tor.fc
+@@ -4,6 +4,8 @@
+ /usr/bin/tor		--	gen_context(system_u:object_r:tor_exec_t,s0)
+ /usr/sbin/tor		--	gen_context(system_u:object_r:tor_exec_t,s0)
+ 
++/lib/systemd/system/tor\.service         --      gen_context(system_u:object_r:tor_unit_file_t,s0)
++
+ /var/lib/tor(/.*)?		gen_context(system_u:object_r:tor_var_lib_t,s0)
+ /var/lib/tor-data(/.*)?		gen_context(system_u:object_r:tor_var_lib_t,s0)
+ 
 diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
-index 904f13e..464347f 100644
+index 904f13e..cfc087a 100644
 --- a/policy/modules/services/tor.if
 +++ b/policy/modules/services/tor.if
-@@ -42,7 +42,7 @@ interface(`tor_admin',`
+@@ -18,6 +18,30 @@ interface(`tor_domtrans',`
+ 	domtrans_pattern($1, tor_exec_t, tor_t)
+ ')
+ 
++#######################################
++## <summary>
++##      Execute tor server in the tor domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed to transition.
++##      </summary>
++## </param>
++#
++interface(`tor_systemctl',`
++        gen_require(`
++                type tor_t;
++                type tor_unit_file_t;
++        ')
++
++        systemd_exec_systemctl($1)
++        systemd_read_fifo_file_password_run($1)
++        allow $1 tor_unit_file_t:file read_file_perms;
++        allow $1 tor_unit_file_t:service manage_service_perms;
++
++        ps_process_pattern($1, tor_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	All of the rules required to administrate 
+@@ -40,9 +64,10 @@ interface(`tor_admin',`
+ 		type tor_t, tor_var_log_t, tor_etc_t;
+ 		type tor_var_lib_t, tor_var_run_t;
  		type tor_initrc_exec_t;
++		type tor_unit_file_t;
  	')
  
 -	allow $1 tor_t:process { ptrace signal_perms getattr };
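Review bot: Two different interface names are used for what looks like the same systemd call: `systemd_read_fifo_file_password_run($1)` in tor_systemctl here, and `systemd_read_fifo_file_passwd_run($1)` in the tor_admin hunk that follows; only one of them can be defined in systemd.if, so the other call will fail to resolve when the module is built, and the two should be made identical. The `<summary>` of tor_systemctl, "Execute tor server in the tor domain.", is copied from tor_domtrans and does not describe what the interface grants; something like `##	Manage the tor unit file and service via systemctl.` fits the rules below it. The new interface is also indented with spaces while the surrounding file uses tabs (compare the tor_admin require block at the end of this hunk).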
@@ -62856,11 +62951,34 @@ index 904f13e..464347f 100644
  	ps_process_pattern($1, tor_t)
  
  	init_labeled_script_domtrans($1, tor_initrc_exec_t)
+@@ -61,4 +86,13 @@ interface(`tor_admin',`
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, tor_var_run_t)
++
++	tor_systemctl($1)
++	admin_pattern($1, tor_unit_file_t)
++	allow $1 tor_unit_file_t:service all_service_perms;
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
+ ')
 diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
-index c842cad..037dd90 100644
+index c842cad..799fac3 100644
 --- a/policy/modules/services/tor.te
 +++ b/policy/modules/services/tor.te
-@@ -42,6 +42,7 @@ files_pid_file(tor_var_run_t)
+@@ -36,12 +36,16 @@ logging_log_file(tor_var_log_t)
+ type tor_var_run_t;
+ files_pid_file(tor_var_run_t)
+ 
++type tor_unit_file_t;
++systemd_unit_file(tor_unit_file_t)
++
+ ########################################
+ #
+ # tor local policy
  #
  
  allow tor_t self:capability { setgid setuid sys_tty_config };
@@ -62868,7 +62986,7 @@ index c842cad..037dd90 100644
  allow tor_t self:fifo_file rw_fifo_file_perms;
  allow tor_t self:unix_stream_socket create_stream_socket_perms;
  allow tor_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -87,6 +88,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
+@@ -87,6 +91,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
  corenet_tcp_bind_generic_node(tor_t)
  corenet_udp_bind_generic_node(tor_t)
  corenet_tcp_bind_tor_port(tor_t)
@@ -62876,7 +62994,7 @@ index c842cad..037dd90 100644
  corenet_udp_bind_dns_port(tor_t)
  corenet_sendrecv_tor_server_packets(tor_t)
  corenet_sendrecv_dns_server_packets(tor_t)
-@@ -95,9 +97,11 @@ corenet_tcp_connect_all_ports(tor_t)
+@@ -95,9 +100,11 @@ corenet_tcp_connect_all_ports(tor_t)
  corenet_sendrecv_all_client_packets(tor_t)
  # ... especially including port 80 and other privileged ports
  corenet_tcp_connect_all_reserved_ports(tor_t)
@@ -72563,7 +72681,7 @@ index 560dc48..964d353 100644
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93..4ff705d 100644
+index 808ba93..792321c 100644
 --- a/policy/modules/system/libraries.if
 +++ b/policy/modules/system/libraries.if
 @@ -207,6 +207,23 @@ interface(`libs_search_lib',`
@@ -72646,7 +72764,7 @@ index 808ba93..4ff705d 100644
  ')
  
  ########################################
-@@ -534,3 +533,24 @@ interface(`lib_filetrans_shared_lib',`
+@@ -534,3 +533,26 @@ interface(`lib_filetrans_shared_lib',`
  interface(`files_lib_filetrans_shared_lib',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -72664,27 +72782,33 @@ index 808ba93..4ff705d 100644
 +interface(`libs_filetrans_named_content',`
 +	gen_require(`
 +		type ld_so_cache_t;
++		type ldconfig_cache_t;
 +	')
 +
++	files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig")
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index e5836d3..cc8dabb 100644
+index e5836d3..648d152 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
-@@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
+@@ -59,9 +59,11 @@ optional_policy(`
  
+ allow ldconfig_t self:capability { dac_override sys_chroot };
+ 
++manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
  manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
++files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir, "ldconfig")
  
 -allow ldconfig_t ld_so_cache_t:file manage_file_perms;
 +manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t)
  files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
  
  manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
-@@ -75,10 +75,14 @@ kernel_read_system_state(ldconfig_t)
+@@ -75,10 +77,14 @@ kernel_read_system_state(ldconfig_t)
  
  fs_getattr_xattr_fs(ldconfig_t)
  
@@ -72699,7 +72823,7 @@ index e5836d3..cc8dabb 100644
  files_search_var_lib(ldconfig_t)
  files_read_etc_files(ldconfig_t)
  files_read_usr_files(ldconfig_t)
-@@ -94,7 +98,8 @@ miscfiles_read_localization(ldconfig_t)
+@@ -94,7 +100,8 @@ miscfiles_read_localization(ldconfig_t)
  
  logging_send_syslog_msg(ldconfig_t)
  
@@ -72709,7 +72833,7 @@ index e5836d3..cc8dabb 100644
  userdom_use_all_users_fds(ldconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -103,6 +108,12 @@ ifdef(`distro_ubuntu',`
+@@ -103,6 +110,12 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -72722,7 +72846,7 @@ index e5836d3..cc8dabb 100644
  ifdef(`hide_broken_symptoms',`
  	ifdef(`distro_gentoo',`
  		# leaked fds from portage
-@@ -114,6 +125,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -114,6 +127,9 @@ ifdef(`hide_broken_symptoms',`
  		')
  	')
  
@@ -72732,7 +72856,7 @@ index e5836d3..cc8dabb 100644
  	optional_policy(`
  		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
  	')
-@@ -131,6 +145,10 @@ optional_policy(`
+@@ -131,6 +147,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -72743,7 +72867,7 @@ index e5836d3..cc8dabb 100644
  	puppet_rw_tmp(ldconfig_t)
  ')
  
-@@ -141,6 +159,3 @@ optional_policy(`
+@@ -141,6 +161,3 @@ optional_policy(`
  	rpm_manage_script_tmp_files(ldconfig_t)
  ')
  
@@ -76649,10 +76773,10 @@ index 0000000..db57bc7
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..1688a39
+index 0000000..d77929b
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,504 @@
+@@ -0,0 +1,523 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -76765,6 +76889,25 @@ index 0000000..1688a39
 +	allow $1 systemd_unit_file_type:dir list_dir_perms;
 +')
 +
++#####################################
++## <summary>
++##      Allow domain to getattr all systemd unit files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`systemd_getattr_unit_files',`
++        gen_require(`
++                attribute systemd_unit_file_type;
++        ')
++
++    files_search_var_lib($1)
++    allow $1 systemd_unit_file_type:file getattr_file_perms;
++')
++
 +######################################
 +## <summary>
 +##      Allow domain to read all systemd unit files.
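Review bot: `systemd_getattr_unit_files` grants `getattr_file_perms` on unit files but no search permission on the directories of `systemd_unit_file_type`, unlike the interface ending just above it, which grants `list_dir_perms` on those directories; a caller that cannot search the unit directory still cannot stat the unit, so `allow $1 systemd_unit_file_type:dir search_dir_perms;` appears to be missing. The `files_search_var_lib($1)` call presumably reaches a unit directory under /var/lib, but the unit file added by this commit (tor.service) is labeled under /lib/systemd/system, so confirm which path this call is meant to cover. The body also mixes 8-space and 4-space indentation while the rest of the file uses tabs (see the allow line at the top of the hunk).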
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 565a4fe..042c5d3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 87%{?dist}
+Release: 88%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,20 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri May 4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-88
+- Allow jockey to use its own fifo_file
+- Allow collectd to read /dev/random
+- Allow collectd to send signal to itself
+- Allow chronyd to send signal to itself
+- Allow collectd to create packet socke
+- Allow colord to create shm
+- Fix description on httpd_graceful_shutdown
+- Add httpd_graceful_shutdown boolean to allow httpd to connect to port 80
+- Add clamscan_can_scan_system boolean
+- Allow mysqld to read kernel network state
+- Dontaudit fail2ban looking at gnome content
+- Allow ldconfig to create /var/cache/ldconfig
+
 * Wed Apr 25 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-87
 - More fixes for l2tpd
  * Allow pppd to stream connet to l2tpd

