[selinux-policy/f17] * Tue May 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-123 - Fix zarafa labeling - Allow guest_t

Miroslav Grepl mgrepl at fedoraproject.org
Tue May 8 21:25:59 UTC 2012


commit 55cd4f36d234263984f2b3b0f900898c46368dd1
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue May 8 23:25:35 2012 +0200

    * Tue May 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-123
    - Fix zarafa labeling
    - Allow guest_t to fix labeling
    - corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
    - add lxc_contexts
    - Allow accountsd to read /proc
    - Allow restorecond to getattr on all file systems
    - tmpwatch now calls getpw
    - Allow apache daemon to transition to pwauth domain
    - Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
    - The obex socket seems to be a stream socket
    - Add label for /var/run/nologin

 policy-F16.patch    |  496 +++++++++++++++++++++++++++++++++------------------
 selinux-policy.spec |   15 ++-
 2 files changed, 338 insertions(+), 173 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index c5becb8..192720f 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1,5 +1,5 @@
 diff --git a/Makefile b/Makefile
-index b8486a0..eadfda5 100644
+index b8486a0..7edc9f0 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
@@ -15,7 +15,7 @@ index b8486a0..eadfda5 100644
  user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
  user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
 -appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
-+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts) $(contextpath)/files/media $(user_default_contexts_names)
  net_contexts := $(builddir)net_contexts
  
  all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
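Review bot: Adding `lxc_contexts` to `appfiles` makes the install target expect `config/appconfig-$(TYPE)/lxc_contexts` for every TYPE the policy is built with, and nothing in the visible part of this commit adds such a file; if it is absent for any appconfig variant, that variant fails at install time rather than at policy compile time. Worth confirming the file exists in each `config/appconfig-*` directory before this lands.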
@@ -62323,7 +62323,7 @@ index d5aaf0e..6b16aef 100644
  optional_policy(`
  	mta_send_mail(sxid_t)
 diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..c687f14 100644
+index 6a5004b..5f12852 100644
 --- a/policy/modules/admin/tmpreaper.te
 +++ b/policy/modules/admin/tmpreaper.te
 @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -62334,7 +62334,7 @@ index 6a5004b..c687f14 100644
  application_domain(tmpreaper_t, tmpreaper_exec_t)
  role system_r types tmpreaper_t;
  
-@@ -18,18 +19,25 @@ role system_r types tmpreaper_t;
+@@ -18,33 +19,46 @@ role system_r types tmpreaper_t;
  allow tmpreaper_t self:process { fork sigchld };
  allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
  
@@ -62360,7 +62360,10 @@ index 6a5004b..c687f14 100644
  mls_file_read_all_levels(tmpreaper_t)
  mls_file_write_all_levels(tmpreaper_t)
  
-@@ -38,13 +46,17 @@ logging_send_syslog_msg(tmpreaper_t)
++auth_use_nsswitch(tmpreaper_t)
++
+ logging_send_syslog_msg(tmpreaper_t)
+ 
  miscfiles_read_localization(tmpreaper_t)
  miscfiles_delete_man_pages(tmpreaper_t)
  
@@ -62382,7 +62385,7 @@ index 6a5004b..c687f14 100644
  ')
  
  optional_policy(`
-@@ -52,7 +64,9 @@ optional_policy(`
+@@ -52,7 +66,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62392,7 +62395,7 @@ index 6a5004b..c687f14 100644
  	apache_delete_cache_files(tmpreaper_t)
  	apache_setattr_cache_dirs(tmpreaper_t)
  ')
-@@ -66,9 +80,13 @@ optional_policy(`
+@@ -66,9 +82,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63783,10 +63786,10 @@ index 4a2e63b..e964f12 100644
 +	mta_send_mail(gitosis_t)
 +')
 diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
-index 00a19e3..4adbd9f 100644
+index 00a19e3..e4f0683 100644
 --- a/policy/modules/apps/gnome.fc
 +++ b/policy/modules/apps/gnome.fc
-@@ -1,9 +1,51 @@
+@@ -1,9 +1,52 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
 +HOME_DIR/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
@@ -63808,6 +63811,7 @@ index 00a19e3..4adbd9f 100644
 +HOME_DIR/\.xine(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
 +
 +/var/run/user/[^/]*/dconf(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
++/var/run/user/[^/]*/keyring.*	gen_context(system_u:object_r:gkeyringd_tmp_t,s0)
 +
 +/root/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
 +/root/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
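Review bot: The new entry `/var/run/user/[^/]*/keyring.*` is written in a different shape from the neighbouring `dconf(/.*)?` entry: `.*` here also spans `/`, so it covers the directory and its whole subtree, which is what the changelog's `keyring*` suggests, but the intent is clearer in the form the rest of the file uses. `/var/run/user/[^/]*/keyring[^/]*(/.*)?	gen_context(system_u:object_r:gkeyringd_tmp_t,s0)` matches the same set of paths and reads consistently with the other entries.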
@@ -65299,7 +65303,7 @@ index f5afe78..3bc7250 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 +')
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..8090e6a 100644
+index 2505654..6e75a73 100644
 --- a/policy/modules/apps/gnome.te
 +++ b/policy/modules/apps/gnome.te
 @@ -6,11 +6,31 @@ policy_module(gnome, 2.1.0)
@@ -65475,8 +65479,6 @@ index 2505654..8090e6a 100644
 +
 +dontaudit gkeyringd_domain config_home_t:file write;
 +
-+userdom_user_home_dir_filetrans(gkeyringd_domain, gnome_home_t, dir)
-+
 +manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
 +manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
 +filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir)
@@ -65509,6 +65511,8 @@ index 2505654..8090e6a 100644
 +
 +miscfiles_read_localization(gkeyringd_domain)
 +
++userdom_user_home_dir_filetrans(gkeyringd_domain, gnome_home_t, dir)
++
 +optional_policy(`
 +	xserver_append_xdm_home_files(gkeyringd_domain)
 +	xserver_read_xdm_home_files(gkeyringd_domain)
@@ -68650,6 +68654,143 @@ index d1eace5..add9f38 100644
 +optional_policy(`
 +	virt_manage_tmpfs_files(pulseaudio_t)
 +')
+diff --git a/policy/modules/apps/pwauth.fc b/policy/modules/apps/pwauth.fc
+new file mode 100644
+index 0000000..e2f8687
+--- /dev/null
++++ b/policy/modules/apps/pwauth.fc
+@@ -0,0 +1,3 @@
++/usr/bin/pwauth		--	gen_context(system_u:object_r:pwauth_exec_t,s0)
++
++/var/run/pwauth.lock	--	gen_context(system_u:object_r:pwauth_var_run_t,s0)
+diff --git a/policy/modules/apps/pwauth.if b/policy/modules/apps/pwauth.if
+new file mode 100644
+index 0000000..86d25ea
+--- /dev/null
++++ b/policy/modules/apps/pwauth.if
+@@ -0,0 +1,74 @@
++
++## <summary>policy for pwauth</summary>
++
++########################################
++## <summary>
++##	Transition to pwauth.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`pwauth_domtrans',`
++	gen_require(`
++		type pwauth_t, pwauth_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, pwauth_exec_t, pwauth_t)
++')
++
++########################################
++## <summary>
++##	Execute pwauth in the pwauth domain, and
++##	allow the specified role the pwauth domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the pwauth domain.
++##	</summary>
++## </param>
++#
++interface(`pwauth_run',`
++	gen_require(`
++		type pwauth_t;
++	')
++
++	pwauth_domtrans($1)
++	role $2 types pwauth_t;
++')
++
++########################################
++## <summary>
++##	Role access for pwauth
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	User domain for the role
++##	</summary>
++## </param>
++#
++interface(`pwauth_role',`
++	gen_require(`
++		type pwauth_t;
++	')
++
++	role $1 types pwauth_t;
++
++	pwauth_domtrans($2)
++
++	ps_process_pattern($2, pwauth_t)
++	allow $2 pwauth_t:process signal;
++')
+diff --git a/policy/modules/apps/pwauth.te b/policy/modules/apps/pwauth.te
+new file mode 100644
+index 0000000..11bb8e1
+--- /dev/null
++++ b/policy/modules/apps/pwauth.te
+@@ -0,0 +1,42 @@
++policy_module(pwauth, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type pwauth_t;
++type pwauth_exec_t;
++application_domain(pwauth_t, pwauth_exec_t)
++role system_r types pwauth_t;
++
++type pwauth_var_run_t;
++files_pid_file(pwauth_var_run_t)
++
++########################################
++#
++# pwauth local policy
++#
++allow pwauth_t self:capability setuid;
++allow pwauth_t self:process setrlimit;
++
++allow pwauth_t self:fifo_file manage_fifo_file_perms;
++allow pwauth_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
++files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
++
++domain_use_interactive_fds(pwauth_t)
++
++files_read_etc_files(pwauth_t)
++
++auth_domtrans_chkpwd(pwauth_t)
++auth_use_nsswitch(pwauth_t)
++auth_read_shadow(pwauth_t)
++
++init_read_utmp(pwauth_t)
++
++logging_send_syslog_msg(pwauth_t)
++logging_send_audit_msgs(pwauth_t)
++
++miscfiles_read_localization(pwauth_t)
 diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
 index 268d691..da3a26d 100644
 --- a/policy/modules/apps/qemu.if
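Review bot: In pwauth.te, pwauth_t gets both `auth_domtrans_chkpwd(pwauth_t)` and `auth_read_shadow(pwauth_t)`, and because the apache hunk later in this commit lets httpd_t transition into this domain, the direct shadow read is the grant that matters: if Fedora's pwauth authenticates through PAM, the chkpwd transition already covers it and `auth_read_shadow` can be dropped; if it reads /etc/shadow itself, the chkpwd transition is the unneeded one. A one-line comment above those calls stating which path the binary uses would settle it for the next reader. Separately, the pwauth.fc entry `/var/run/pwauth.lock` leaves the dot unescaped, unlike the other fc entries in this patch; write `/var/run/pwauth\.lock	--	gen_context(system_u:object_r:pwauth_var_run_t,s0)`.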
@@ -84446,7 +84587,7 @@ index c0f858d..10a0cd6 100644
 +	allow $1 accountsd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
-index 1632f10..15b7925 100644
+index 1632f10..67cd103 100644
 --- a/policy/modules/services/accountsd.te
 +++ b/policy/modules/services/accountsd.te
 @@ -1,5 +1,9 @@
@@ -84459,7 +84600,7 @@ index 1632f10..15b7925 100644
  ########################################
  #
  # Declarations
-@@ -8,17 +12,24 @@ policy_module(accountsd, 1.0.0)
+@@ -8,34 +12,46 @@ policy_module(accountsd, 1.0.0)
  type accountsd_t;
  type accountsd_exec_t;
  dbus_system_domain(accountsd_t, accountsd_exec_t)
@@ -84485,7 +84626,10 @@ index 1632f10..15b7925 100644
  
  manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
  manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
-@@ -28,14 +39,18 @@ kernel_read_kernel_sysctls(accountsd_t)
+ files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir })
+ 
++kernel_read_system_state(accountsd_t)
+ kernel_read_kernel_sysctls(accountsd_t)
  
  corecmd_exec_bin(accountsd_t)
  
@@ -84504,7 +84648,7 @@ index 1632f10..15b7925 100644
  
  miscfiles_read_localization(accountsd_t)
  
-@@ -50,8 +65,15 @@ usermanage_domtrans_passwd(accountsd_t)
+@@ -50,8 +66,15 @@ usermanage_domtrans_passwd(accountsd_t)
  
  optional_policy(`
  	consolekit_read_log(accountsd_t)
@@ -85892,7 +86036,7 @@ index 6480167..d0bf548 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..37601ea 100644
+index 3136c6a..044e417 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,136 +18,268 @@ policy_module(apache, 2.2.1)
@@ -86698,10 +86842,14 @@ index 3136c6a..37601ea 100644
  ')
  
  optional_policy(`
-@@ -577,6 +911,29 @@ optional_policy(`
+@@ -577,6 +911,33 @@ optional_policy(`
  ')
  
  optional_policy(`
++	pwauth_domtrans(httpd_t)
++')
++
++optional_policy(`
 +	tunable_policy(`httpd_run_stickshift', `
 +		allow httpd_t self:capability sys_resource;
 +		allow httpd_t self:capability { fowner fsetid };
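Review bot: The new `pwauth_domtrans(httpd_t)` block is unconditional, unlike the neighbouring httpd features that sit behind `tunable_policy` booleans (the `httpd_run_stickshift` block right below it), so every httpd_t instance on a system with the pwauth module loaded gains a transition into a setuid domain that this same commit lets read shadow data, whether or not the web server uses pwauth at all. Consider wrapping the call in a boolean like the adjacent block does (a new `httpd_*` tunable; name to be chosen) so the transition is opt-in. The httpd_t local policy section this sits in continues outside the hunk.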
@@ -86728,7 +86876,7 @@ index 3136c6a..37601ea 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +948,11 @@ optional_policy(`
+@@ -591,6 +952,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86740,7 +86888,7 @@ index 3136c6a..37601ea 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +965,12 @@ optional_policy(`
+@@ -603,6 +969,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -86753,7 +86901,7 @@ index 3136c6a..37601ea 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +984,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +988,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -86766,7 +86914,7 @@ index 3136c6a..37601ea 100644
  
  ########################################
  #
-@@ -654,28 +1026,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1030,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -86810,7 +86958,7 @@ index 3136c6a..37601ea 100644
  ')
  
  ########################################
-@@ -685,6 +1059,8 @@ optional_policy(`
+@@ -685,6 +1063,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -86819,7 +86967,7 @@ index 3136c6a..37601ea 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1075,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1079,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -86845,7 +86993,7 @@ index 3136c6a..37601ea 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1121,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1125,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -86878,7 +87026,7 @@ index 3136c6a..37601ea 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1168,25 @@ optional_policy(`
+@@ -769,6 +1172,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -86904,7 +87052,7 @@ index 3136c6a..37601ea 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1207,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1211,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -86922,7 +87070,7 @@ index 3136c6a..37601ea 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1226,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1230,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -86979,7 +87127,7 @@ index 3136c6a..37601ea 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1277,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1281,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -87020,7 +87168,7 @@ index 3136c6a..37601ea 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1322,20 @@ optional_policy(`
+@@ -842,10 +1326,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -87041,7 +87189,7 @@ index 3136c6a..37601ea 100644
  ')
  
  ########################################
-@@ -891,11 +1381,142 @@ optional_policy(`
+@@ -891,11 +1385,142 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -108172,15 +108320,15 @@ index 0000000..5b84980
 +')
 diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc
 new file mode 100644
-index 0000000..cf95c97
+index 0000000..22adc4a
 --- /dev/null
 +++ b/policy/modules/services/matahari.fc
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,44 @@
 +/etc/rc\.d/init\.d/matahari-host		--	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/matahari-net			--	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/matahari-service		--	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/matahari-sysconfig		--	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
-+/etc/init.d/matahari-sysconfig-console  	--	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++/etc/rc\.d/init.d/matahari-sysconfig-console  	--	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
 +
 +/lib/systemd/system/matahari-host\.service	--	gen_context(system_u:object_r:matahari_hostd_unit_file_t,s0)
 +/lib/systemd/system/matahari-network\.service	--	gen_context(system_u:object_r:matahari_netd_unit_file_t,s0)
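Review bot: The rewritten entry `/etc/rc\.d/init.d/matahari-sysconfig-console` escapes the dot in `rc\.d` but not in `init.d`, unlike the four sibling entries above it, which all use `init\.d`; it still matches (an unescaped dot matches any character) but reads as an oversight. Write `/etc/rc\.d/init\.d/matahari-sysconfig-console	--	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)`, and ideally use tabs as separators as the other lines do.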
@@ -108202,6 +108350,7 @@ index 0000000..cf95c97
 +/usr/sbin/matahari-qmf-hostd		--	gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
 +
 +/usr/sbin/matahari-qmf-sysconfigd	--	gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0)
++/usr/sbin/matahari-dbus-sysconfigd	--	gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0)
 +/usr/sbin/matahari-qmf-sysconfig-consoled   --  gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0)
 +
 +/usr/sbin/matahari-netd			--	gen_context(system_u:object_r:matahari_netd_exec_t,s0)
@@ -114317,7 +114466,7 @@ index 0000000..d3b9544
 +')
 diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
 new file mode 100644
-index 0000000..016a6cc
+index 0000000..5285bef
 --- /dev/null
 +++ b/policy/modules/services/obex.te
 @@ -0,0 +1,28 @@
@@ -114339,7 +114488,7 @@ index 0000000..016a6cc
 +#
 +
 +allow obex_t self:fifo_file rw_fifo_file_perms;
-+allow obex_t self:socket create_socket_perms;
++allow obex_t self:socket create_stream_socket_perms;
 +
 +dev_read_urand(obex_t)
 +
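Review bot: The rule `allow obex_t self:socket create_stream_socket_perms;` grants listen/accept on the generic `socket` class, which is unusual enough that the reason belongs in the policy rather than only in the changelog; presumably obexd's Bluetooth sockets land in the generic class because the kernel has no dedicated class for that family, so a comment such as `# bluetooth sockets are mapped to the generic socket class` above the rule would help the next reader. If the socket is in fact a unix or tcp stream socket, the rule should name that specific class instead.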
@@ -129030,7 +129179,7 @@ index 22adaca..60103b5 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..1cbfcad 100644
+index 2dad3c8..5ad9960 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,37 @@ policy_module(ssh, 2.2.0)
@@ -129172,14 +129321,14 @@ index 2dad3c8..1cbfcad 100644
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
 +corenet_tcp_bind_generic_node(ssh_t)
-+corenet_tcp_bind_all_unreserved_ports(ssh_t)
++#corenet_tcp_bind_all_unreserved_ports(ssh_t)
 +corenet_rw_tun_tap_dev(ssh_t)
  
 +dev_read_rand(ssh_t)
  dev_read_urand(ssh_t)
  
  fs_getattr_all_fs(ssh_t)
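Review bot: Commenting out `corenet_tcp_bind_all_unreserved_ports(ssh_t)` leaves dead text in ssh.te; since the later hunk in this file moves the call under the `user_tcp_server` tunable block, the line should simply be deleted here. Note also that `corenet_tcp_bind_generic_node(ssh_t)` stays unconditional just above it while the same call already appears inside the `user_tcp_server` block, so one of the two is redundant.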
-@@ -162,31 +179,25 @@ logging_read_generic_logs(ssh_t)
+@@ -162,37 +179,36 @@ logging_read_generic_logs(ssh_t)
  auth_use_nsswitch(ssh_t)
  
  miscfiles_read_localization(ssh_t)
@@ -129221,15 +129370,18 @@ index 2dad3c8..1cbfcad 100644
  ')
  
  # for port forwarding
-@@ -196,10 +207,15 @@ tunable_policy(`user_tcp_server',`
- ')
- 
- optional_policy(`
-+	gnome_stream_connect_gkeyringd(ssh_t)
+ tunable_policy(`user_tcp_server',`
+ 	corenet_tcp_bind_ssh_port(ssh_t)
+ 	corenet_tcp_bind_generic_node(ssh_t)
++	corenet_tcp_bind_all_unreserved_ports(ssh_t)
 +')
 +
 +optional_policy(`
- 	xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
++	gnome_stream_connect_gkeyringd(ssh_t)
+ ')
+ 
+ optional_policy(`
+@@ -200,6 +216,7 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -129237,7 +129389,7 @@ index 2dad3c8..1cbfcad 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,19 +225,14 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,19 +226,14 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -129259,7 +129411,7 @@ index 2dad3c8..1cbfcad 100644
  #################################
  #
  # sshd local policy
-@@ -232,33 +243,45 @@ optional_policy(`
+@@ -232,33 +244,45 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -129314,7 +129466,7 @@ index 2dad3c8..1cbfcad 100644
  ')
  
  optional_policy(`
-@@ -266,11 +289,24 @@ optional_policy(`
+@@ -266,11 +290,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129340,7 +129492,7 @@ index 2dad3c8..1cbfcad 100644
  ')
  
  optional_policy(`
-@@ -284,6 +320,15 @@ optional_policy(`
+@@ -284,6 +321,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129356,7 +129508,7 @@ index 2dad3c8..1cbfcad 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +337,26 @@ optional_policy(`
+@@ -292,26 +338,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -129402,7 +129554,7 @@ index 2dad3c8..1cbfcad 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,19 +367,26 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +368,26 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -129430,7 +129582,7 @@ index 2dad3c8..1cbfcad 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,9 +403,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,9 +404,11 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -129444,7 +129596,7 @@ index 2dad3c8..1cbfcad 100644
  ')
  
  optional_policy(`
-@@ -363,3 +417,76 @@ optional_policy(`
+@@ -363,3 +418,76 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -136297,10 +136449,10 @@ index 7f88f5f..67a111c 100644
  zabbix_tcp_connect(zabbix_agent_t)
 +
 diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
-index 3defaa1..963b70c 100644
+index 3defaa1..7436a1c 100644
 --- a/policy/modules/services/zarafa.fc
 +++ b/policy/modules/services/zarafa.fc
-@@ -8,7 +8,8 @@
+@@ -8,8 +8,10 @@
  /usr/bin/zarafa-server		--	gen_context(system_u:object_r:zarafa_server_exec_t,s0)
  /usr/bin/zarafa-spooler		--	gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
  
@@ -136308,14 +136460,20 @@ index 3defaa1..963b70c 100644
 +/var/lib/zarafa(/.*)?			gen_context(system_u:object_r:zarafa_var_lib_t,s0)
 +/var/lib/zarafa-webaccess(/.*)?	gen_context(system_u:object_r:zarafa_var_lib_t,s0)
  
++/var/log/zarafa/dagent\.log     --  gen_context(system_u:object_r:zarafa_deliver_log_t,s0)
  /var/log/zarafa/gateway\.log	--	gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
  /var/log/zarafa/ical\.log	--	gen_context(system_u:object_r:zarafa_ical_log_t,s0)
-@@ -20,7 +21,7 @@
+ /var/log/zarafa/indexer\.log	--	gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
+@@ -18,9 +20,11 @@
+ /var/log/zarafa/spooler\.log	--	gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
+ 
  /var/run/zarafa			-s	gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
++/var/run/zarafa-dagent\.pid     --  gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0)
  /var/run/zarafa-gateway\.pid	--	gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
  /var/run/zarafa-ical\.pid	--	gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
 -/var/run/zarafa-indexer		--	gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
 +/var/run/zarafa-indexer		-s	gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
++/var/run/zarafa-indexer\.pid	--	gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
  /var/run/zarafa-monitor\.pid	--	gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
  /var/run/zarafa-server\.pid	--	gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
  /var/run/zarafa-spooler\.pid	--	gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
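Review bot: The new `dagent` entries reference `zarafa_deliver_log_t` and `zarafa_deliver_var_run_t`, which nothing in the visible part of this commit declares; unless zarafa.te already defines a deliver domain through the same template that provides `zarafa_gateway_log_t`, the fc file will not compile. The three added lines also use runs of spaces where the surrounding entries separate path, file type and context with tabs.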
@@ -145048,7 +145206,7 @@ index 170e2c7..6c56785 100644
 +	auth_relabelto_shadow($1)
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..623ae72 100644
+index 7ed9819..c0109fd 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -11,6 +11,7 @@ gen_require(`
@@ -145222,7 +145380,7 @@ index 7ed9819..623ae72 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(newrole_t)
-@@ -312,6 +339,10 @@ kernel_use_fds(restorecond_t)
+@@ -312,9 +339,13 @@ kernel_use_fds(restorecond_t)
  kernel_rw_pipes(restorecond_t)
  kernel_read_system_state(restorecond_t)
  
@@ -145232,7 +145390,11 @@ index 7ed9819..623ae72 100644
 +
  fs_relabelfrom_noxattr_fs(restorecond_t)
  fs_dontaudit_list_nfs(restorecond_t)
- fs_getattr_xattr_fs(restorecond_t)
+-fs_getattr_xattr_fs(restorecond_t)
++fs_getattr_all_fs(restorecond_t)
+ fs_list_inotifyfs(restorecond_t)
+ 
+ selinux_validate_context(restorecond_t)
 @@ -323,8 +354,8 @@ selinux_compute_create_context(restorecond_t)
  selinux_compute_relabel_context(restorecond_t)
  selinux_compute_user_contexts(restorecond_t)
@@ -146336,10 +146498,10 @@ index 34d0ec5..92fa1e9 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..0d3e625
+index 0000000..638351c
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,28 @@
+@@ -0,0 +1,29 @@
 +/bin/systemd-notify				--		gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 +/bin/systemctl					--	gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
 +/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
@@ -146360,8 +146522,9 @@ index 0000000..0d3e625
 +/usr/lib/systemd/system(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
 +/usr/lib/systemd/systemd-logind	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
 +/usr/lib/systemd/systemd-logger	--	gen_context(system_u:object_r:systemd_logger_exec_t,s0)
-+/usr/lib/systemd/systemd-tmpfiles				--		gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
++/usr/lib/systemd/systemd-tmpfiles --	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 +
++/var/run/nologin		gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 +/var/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 +/var/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
 +/var/run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
@@ -146370,10 +146533,10 @@ index 0000000..0d3e625
 +/var/run/initramfs(/.*)?	<<none>>
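Review bot: The new `/var/run/nologin` entry has no file-type qualifier, unlike the single-file entries elsewhere in this fc file, so it would also apply to a directory or symlink of that name; the named filetrans this commit adds in systemd.if is limited to `file`, so the fc entry can be too. Write `/var/run/nologin	--	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)`.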
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..3b0ab09
+index 0000000..0898030
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,694 @@
+@@ -0,0 +1,696 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -146990,8 +147153,10 @@ index 0000000..3b0ab09
 +interface(`systemd_filetrans_named_content',`
 +	gen_require(`
 +		type systemd_passwd_var_run_t;
++		type systemd_logind_var_run_t;
 +	')
 +
++	files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
 +	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
 +	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
 +')
@@ -148777,7 +148942,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..cc989a4 100644
+index 4b2878a..917240b 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -149781,17 +149946,20 @@ index 4b2878a..cc989a4 100644
  	')
  ')
  
-@@ -833,6 +1025,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1025,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
 +	allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
 +	dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
 +
++    seutil_read_file_contexts($1_t)
++    seutil_read_default_contexts($1_t)
++
  	##############################
  	#
  	# Local policy
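Review bot: The two new calls `seutil_read_file_contexts($1_t)` and `seutil_read_default_contexts($1_t)` are indented with four spaces while every other line in `userdom_restricted_user_template` uses a tab; re-indent them with a tab so the template stays uniform. The template body continues outside the hunk.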
-@@ -874,45 +1069,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1072,118 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  
  	auth_role($1_r, $1_t)
@@ -149864,41 +150032,41 @@ index 4b2878a..cc989a4 100644
 +		dbus_role_template($1, $1_r, $1_usertype)
 +		dbus_system_bus_client($1_usertype)
 +		allow $1_usertype $1_usertype:dbus send_msg;
- 
- 		optional_policy(`
--			consolekit_dbus_chat($1_t)
++
++		optional_policy(`
 +			abrt_dbus_chat($1_usertype)
 +			abrt_run_helper($1_usertype, $1_r)
- 		')
- 
- 		optional_policy(`
--			cups_dbus_chat($1_t)
++		')
++
++		optional_policy(`
 +			consolekit_dontaudit_read_log($1_usertype)
 +			consolekit_dbus_chat($1_usertype)
- 		')
++		')
 +
 +		optional_policy(`
 +			cups_dbus_chat($1_usertype)
 +			cups_dbus_chat_config($1_usertype)
 +		')
-+
-+		optional_policy(`
+ 
+ 		optional_policy(`
+-			consolekit_dbus_chat($1_t)
 +			devicekit_dbus_chat($1_usertype)
 +			devicekit_dbus_chat_disk($1_usertype)
 +			devicekit_dbus_chat_power($1_usertype)
-+		')
-+
-+		optional_policy(`
+ 		')
+ 
+ 		optional_policy(`
+-			cups_dbus_chat($1_t)
 +			fprintd_dbus_chat($1_t)
-+		')
-+	')
-+
-+	optional_policy(`
-+		policykit_role($1_r, $1_usertype)
+ 		')
  	')
  
  	optional_policy(`
 -		java_role($1_r, $1_t)
++		policykit_role($1_r, $1_usertype)
++	')
++
++	optional_policy(`
 +		pulseaudio_role($1_r, $1_usertype)
 +		pulseaudio_filetrans_admin_home_content($1_usertype)
 +		pulseaudio_filetrans_home_content($1_usertype)
@@ -149921,7 +150089,7 @@ index 4b2878a..cc989a4 100644
  	')
  ')
  
-@@ -947,7 +1215,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1218,7 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -149930,7 +150098,7 @@ index 4b2878a..cc989a4 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,12 +1224,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1227,15 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -149948,7 +150116,7 @@ index 4b2878a..cc989a4 100644
  	files_read_kernel_symbol_table($1_t)
  
  	ifndef(`enable_mls',`
-@@ -978,23 +1249,60 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1252,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -149979,9 +150147,11 @@ index 4b2878a..cc989a4 100644
 +
 +	optional_policy(`
 +		cdrecord_role($1_r, $1_t)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		netutils_run_ping_cond($1_t, $1_r)
+-		netutils_run_traceroute_cond($1_t, $1_r)
 +		cron_role($1_r, $1_t)
 +	')
 +
@@ -150008,17 +150178,15 @@ index 4b2878a..cc989a4 100644
 +
 +	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
- 	')
- 
- 	optional_policy(`
--		netutils_run_ping_cond($1_t, $1_r)
--		netutils_run_traceroute_cond($1_t, $1_r)
++	')
++
++	optional_policy(`
 +		postfix_run_postdrop($1_t, $1_r)
 +		postfix_search_spool($1_t)
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1003,7 +1311,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1314,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -150029,7 +150197,7 @@ index 4b2878a..cc989a4 100644
  	')
  ')
  
-@@ -1039,7 +1349,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1352,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -150038,7 +150206,7 @@ index 4b2878a..cc989a4 100644
  	')
  
  	##############################
-@@ -1066,6 +1376,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1379,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -150046,7 +150214,7 @@ index 4b2878a..cc989a4 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1074,6 +1385,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1388,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -150056,7 +150224,7 @@ index 4b2878a..cc989a4 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1402,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1405,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -150064,7 +150232,7 @@ index 4b2878a..cc989a4 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1105,10 +1420,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1423,13 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -150078,7 +150246,7 @@ index 4b2878a..cc989a4 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1119,29 +1437,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1440,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -150121,7 +150289,7 @@ index 4b2878a..cc989a4 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1478,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1481,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -150130,7 +150298,7 @@ index 4b2878a..cc989a4 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1539,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1542,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -150139,7 +150307,7 @@ index 4b2878a..cc989a4 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,8 +1553,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1556,9 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -150150,7 +150318,7 @@ index 4b2878a..cc989a4 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1234,13 +1566,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1569,24 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -150179,7 +150347,7 @@ index 4b2878a..cc989a4 100644
  	')
  
  	optional_policy(`
-@@ -1251,12 +1594,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1597,12 @@ template(`userdom_security_admin_template',`
  		dmesg_exec($1)
  	')
  
@@ -150195,7 +150363,7 @@ index 4b2878a..cc989a4 100644
  	')
  
  	optional_policy(`
-@@ -1279,11 +1622,60 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1625,60 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -150256,7 +150424,7 @@ index 4b2878a..cc989a4 100644
  	ubac_constrained($1)
  ')
  
-@@ -1395,12 +1787,32 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,11 +1790,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -150266,7 +150434,6 @@ index 4b2878a..cc989a4 100644
  
  ########################################
  ## <summary>
--##	Do not audit attempts to search user home directories.
 +##	Search user tmp directories.
 +## </summary>
 +## <param name="domain">
@@ -150286,11 +150453,10 @@ index 4b2878a..cc989a4 100644
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to search user home directories.
+ ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
- ##	<p>
-@@ -1441,6 +1853,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1856,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -150305,7 +150471,7 @@ index 4b2878a..cc989a4 100644
  ')
  
  ########################################
-@@ -1456,9 +1876,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1879,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -150317,7 +150483,7 @@ index 4b2878a..cc989a4 100644
  ')
  
  ########################################
-@@ -1515,6 +1937,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1940,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -150360,7 +150526,7 @@ index 4b2878a..cc989a4 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1589,6 +2047,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2050,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -150369,7 +150535,7 @@ index 4b2878a..cc989a4 100644
  ')
  
  ########################################
-@@ -1603,10 +2063,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2066,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -150384,7 +150550,7 @@ index 4b2878a..cc989a4 100644
  ')
  
  ########################################
-@@ -1649,6 +2111,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2114,43 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -150428,7 +150594,7 @@ index 4b2878a..cc989a4 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1668,6 +2167,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2170,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -150454,7 +150620,7 @@ index 4b2878a..cc989a4 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1698,14 +2216,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1698,14 +2219,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -150492,7 +150658,7 @@ index 4b2878a..cc989a4 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2256,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2259,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -150510,7 +150676,7 @@ index 4b2878a..cc989a4 100644
  ')
  
  ########################################
-@@ -1779,6 +2322,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2325,60 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -150571,7 +150737,7 @@ index 4b2878a..cc989a4 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1810,8 +2407,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2410,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -150581,7 +150747,7 @@ index 4b2878a..cc989a4 100644
  ')
  
  ########################################
-@@ -1827,20 +2423,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2426,15 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -150595,18 +150761,19 @@ index 4b2878a..cc989a4 100644
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
--	')
--
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
  	')
--')
  
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
+-	')
+-')
+-
  ########################################
  ## <summary>
-@@ -1941,6 +2531,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+ ##	Do not audit attempts to execute user home files.
+@@ -1941,6 +2534,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -150631,7 +150798,7 @@ index 4b2878a..cc989a4 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2008,7 +2616,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2619,7 @@ interface(`userdom_user_home_dir_filetrans',`
  		type user_home_dir_t;
  	')
  
@@ -150640,7 +150807,7 @@ index 4b2878a..cc989a4 100644
  	files_search_home($1)
  ')
  
-@@ -2039,7 +2647,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2650,7 @@ interface(`userdom_user_home_content_filetrans',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -150649,7 +150816,7 @@ index 4b2878a..cc989a4 100644
  	allow $1 user_home_dir_t:dir search_dir_perms;
  	files_search_home($1)
  ')
-@@ -2158,11 +2766,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2158,11 +2769,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -150664,7 +150831,7 @@ index 4b2878a..cc989a4 100644
  	files_search_tmp($1)
  ')
  
-@@ -2182,7 +2790,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2793,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -150673,7 +150840,7 @@ index 4b2878a..cc989a4 100644
  ')
  
  ########################################
-@@ -2390,7 +2998,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +3001,7 @@ interface(`userdom_user_tmp_filetrans',`
  		type user_tmp_t;
  	')
  
@@ -150682,7 +150849,7 @@ index 4b2878a..cc989a4 100644
  	files_search_tmp($1)
  ')
  
-@@ -2419,6 +3027,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +3030,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2)
  ')
  
@@ -150708,7 +150875,7 @@ index 4b2878a..cc989a4 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2435,13 +3062,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3065,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -150724,7 +150891,7 @@ index 4b2878a..cc989a4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,7 +3090,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3093,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -150733,7 +150900,7 @@ index 4b2878a..cc989a4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2470,14 +3098,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,14 +3101,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -150768,7 +150935,7 @@ index 4b2878a..cc989a4 100644
  ')
  
  ########################################
-@@ -2572,7 +3216,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3219,7 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -150777,7 +150944,7 @@ index 4b2878a..cc989a4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2580,83 +3224,151 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,75 +3227,143 @@ interface(`userdom_use_user_ttys',`
  ##	</summary>
  ## </param>
  #
@@ -150862,14 +151029,7 @@ index 4b2878a..cc989a4 100644
 -##	is an explicit transition, requiring the
 -##	caller to use setexeccon().
 +##	Read and write a inherited user TTYs and PTYs.
- ## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed to transition.
--##	</summary>
--## </param>
--#
--interface(`userdom_spec_domtrans_all_users',`
++## </summary>
 +## <desc>
 +##	<p>
 +##	Allow the specified domain to read and write inherited user
@@ -150959,18 +151119,10 @@ index 4b2878a..cc989a4 100644
 +##	Execute a shell in all user domains.  This
 +##	is an explicit transition, requiring the
 +##	caller to use setexeccon().
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_spec_domtrans_all_users',`
- 	gen_require(`
- 		attribute userdomain;
- 	')
-@@ -2713,69 +3425,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2713,69 +3428,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -151071,7 +151223,7 @@ index 4b2878a..cc989a4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2783,12 +3494,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2783,12 +3497,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -151086,7 +151238,7 @@ index 4b2878a..cc989a4 100644
  ')
  
  ########################################
-@@ -2852,7 +3563,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3566,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -151095,7 +151247,7 @@ index 4b2878a..cc989a4 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2868,29 +3579,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3582,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -151129,7 +151281,7 @@ index 4b2878a..cc989a4 100644
  ')
  
  ########################################
-@@ -2972,7 +3667,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3670,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -151138,7 +151290,7 @@ index 4b2878a..cc989a4 100644
  ')
  
  ########################################
-@@ -3027,7 +3722,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3725,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -151185,7 +151337,7 @@ index 4b2878a..cc989a4 100644
  ')
  
  ########################################
-@@ -3045,7 +3778,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3781,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -151194,7 +151346,7 @@ index 4b2878a..cc989a4 100644
  ')
  
  ########################################
-@@ -3064,6 +3797,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3800,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -151202,7 +151354,7 @@ index 4b2878a..cc989a4 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3140,6 +3874,42 @@ interface(`userdom_signal_all_users',`
+@@ -3140,6 +3877,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -151245,7 +151397,7 @@ index 4b2878a..cc989a4 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3160,6 +3930,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3933,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -151270,7 +151422,7 @@ index 4b2878a..cc989a4 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3982,1292 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3985,1292 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 86dc660..3609121 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 122%{?dist}
+Release: 123%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,19 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue May 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-123
+- Fix zarafa labeling
+- Allow guest_t to fix labeling
+- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
+- add lxc_contexts
+- Allow accountsd to read /proc
+- Allow restorecond to getattr on all file sytems
+- tmpwatch now calls getpw
+- Allow apache daemon to transition to pwauth domain
+- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
+- The obex socket seems to be a stream socket
+- dd label for /var/run/nologin
+
 * Mon May 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-122
 - Allow jetty running as httpd_t to read hugetlbfs files
 - Allow sys_nice and setsched for rhsmcertd

