[selinux-policy/f17] * Mon Oct 5 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-159 - More fixes for passwd/group labelin
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Nov 5 22:36:28 UTC 2012
commit 1117be22d43e7f631823cec41c38ad7e066fc259
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Nov 5 23:34:12 2012 +0100
* Mon Oct 5 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-159
- More fixes for passwd/group labeling
- New ypbind pkg wants to search /var/run which is caused by sd_notify
- dbus needs to be able to read/write inherited fixed disk device_t passed through
- Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans
- Add interface to make sure rpcbind.sock is created with the correct label
- Add support for OpenShift sbin labeling
policy-F16.patch | 552 ++++++++++++++++++++++++++++++---------------------
selinux-policy.spec | 10 +-
2 files changed, 338 insertions(+), 224 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 5e210c5..b5957fb 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -81631,7 +81631,7 @@ index 6a1e4d1..82432bb 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..0a5271f 100644
+index fae1ab1..9934739 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -81656,7 +81656,7 @@ index fae1ab1..0a5271f 100644
## <desc>
## <p>
-@@ -86,23 +101,39 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +101,40 @@ neverallow ~{ domain unlabeled_t } *:process *;
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
@@ -81687,6 +81687,7 @@ index fae1ab1..0a5271f 100644
+# allow all domains to search through default_t directory, since users sometimes
+# place labels within these directories. (samba_share_t) for example.
+files_search_default(domain)
++files_read_inherited_tmp_files(domain)
+
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
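Review bot: The new `files_read_inherited_tmp_files(domain)` call grants every domain `append` as well as the read-inherited permissions on every `tmpfile`-attributed file (the interface body is in the files.if hunk later in this patch), so the grant is wider than the "read inherited" name and the passwd/group motivation in the message suggest: any confined domain handed an inherited tmp file descriptor can now append to it. If only reading inherited descriptors is needed, the interface rule should be `allow $1 tmpfile:file read_inherited_file_perms;`; if append is intentional, a comment above the call should say so, e.g. `# all domains may read/append tmp files they inherit as open fds`. The surrounding domain.te rule block continues outside this hunk.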
@@ -81697,7 +81698,7 @@ index fae1ab1..0a5271f 100644
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
-@@ -113,8 +144,13 @@ tunable_policy(`global_ssp',`
+@@ -113,8 +145,13 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@@ -81711,7 +81712,7 @@ index fae1ab1..0a5271f 100644
')
optional_policy(`
-@@ -125,6 +161,8 @@ optional_policy(`
+@@ -125,6 +162,8 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -81720,7 +81721,7 @@ index fae1ab1..0a5271f 100644
')
########################################
-@@ -143,8 +181,13 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+@@ -143,8 +182,13 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
@@ -81735,7 +81736,7 @@ index fae1ab1..0a5271f 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -158,5 +201,263 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +202,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -81848,6 +81849,10 @@ index fae1ab1..0a5271f 100644
+')
+
+optional_policy(`
++ rpcbind_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ sysnet_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -82145,7 +82150,7 @@ index c19518a..145c899 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..beea868 100644
+index ff006ea..5e933f1 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -83008,7 +83013,32 @@ index ff006ea..beea868 100644
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
-@@ -4202,7 +4737,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4155,6 +4690,24 @@ interface(`files_setattr_all_tmp_dirs',`
+ allow $1 tmpfile:dir { search_dir_perms setattr };
+ ')
+
++#######################################
++## <summary>
++## List all tmp directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_read_inherited_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file { append read_inherited_file_perms };
++')
++
+ ########################################
+ ## <summary>
+ ## List all tmp directories.
+@@ -4202,7 +4755,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
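Review bot: The summary of the new `files_read_inherited_tmp_files` interface reads "List all tmp directories.", which is the summary of the following `files_list_all_tmp` block copied verbatim and does not describe the rule; it should read `## Read and append to inherited tmp files.` so that the generated interface documentation matches the `{ append read_inherited_file_perms }` grant. As a minor style point, the separator line above the new interface is one `#` shorter than the 40-character rule used by the neighbouring interfaces.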
@@ -83017,7 +83047,7 @@ index ff006ea..beea868 100644
## </summary>
## </param>
#
-@@ -4262,7 +4797,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4815,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -83026,7 +83056,7 @@ index ff006ea..beea868 100644
## </summary>
## </param>
#
-@@ -4318,7 +4853,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4871,7 @@ interface(`files_tmp_filetrans',`
type tmp_t;
')
@@ -83035,7 +83065,7 @@ index ff006ea..beea868 100644
')
########################################
-@@ -4342,6 +4877,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4895,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -83052,7 +83082,7 @@ index ff006ea..beea868 100644
')
########################################
-@@ -4681,7 +5226,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5244,7 @@ interface(`files_usr_filetrans',`
type usr_t;
')
@@ -83061,7 +83091,7 @@ index ff006ea..beea868 100644
')
########################################
-@@ -4914,6 +5459,24 @@ interface(`files_list_var',`
+@@ -4914,6 +5477,24 @@ interface(`files_list_var',`
########################################
## <summary>
@@ -83086,7 +83116,7 @@ index ff006ea..beea868 100644
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
-@@ -5084,7 +5647,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5665,7 @@ interface(`files_var_filetrans',`
type var_t;
')
@@ -83095,7 +83125,7 @@ index ff006ea..beea868 100644
')
########################################
-@@ -5219,7 +5782,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5800,7 @@ interface(`files_var_lib_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -83104,7 +83134,7 @@ index ff006ea..beea868 100644
')
########################################
-@@ -5259,6 +5822,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5259,6 +5840,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -83130,7 +83160,7 @@ index ff006ea..beea868 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5304,6 +5886,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5904,25 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -83156,7 +83186,7 @@ index ff006ea..beea868 100644
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
-@@ -5317,6 +5918,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5936,8 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -83165,7 +83195,7 @@ index ff006ea..beea868 100644
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5336,12 +5939,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5957,14 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
@@ -83181,7 +83211,7 @@ index ff006ea..beea868 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5349,12 +5954,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5972,30 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -83214,7 +83244,7 @@ index ff006ea..beea868 100644
')
########################################
-@@ -5373,6 +5996,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +6014,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -83222,7 +83252,7 @@ index ff006ea..beea868 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5385,7 +6009,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +6027,6 @@ interface(`files_rw_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -83230,7 +83260,7 @@ index ff006ea..beea868 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5412,7 +6035,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +6053,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -83239,7 +83269,7 @@ index ff006ea..beea868 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5428,12 +6051,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +6069,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -83256,7 +83286,7 @@ index ff006ea..beea868 100644
')
########################################
-@@ -5452,7 +6075,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +6093,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -83265,7 +83295,7 @@ index ff006ea..beea868 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5493,7 +6116,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +6134,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -83274,7 +83304,7 @@ index ff006ea..beea868 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +6138,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +6156,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -83283,7 +83313,7 @@ index ff006ea..beea868 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +6170,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +6188,8 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -83294,7 +83324,7 @@ index ff006ea..beea868 100644
')
########################################
-@@ -5608,6 +6231,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +6249,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -83338,7 +83368,7 @@ index ff006ea..beea868 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5629,27 +6289,46 @@ interface(`files_dontaudit_search_pids',`
+@@ -5629,8 +6307,27 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -83346,54 +83376,29 @@ index ff006ea..beea868 100644
-## ID directories (/var/run).
+## Do not audit attempts to search
+## the all /var/run directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_list_pids',`
-+interface(`files_dontaudit_search_all_pids',`
- gen_require(`
-- type var_t, var_run_t;
-+ attribute pidfile;
- ')
-
-- list_dirs_pattern($1, var_t, var_run_t)
-+ dontaudit $1 pidfile:dir search_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Read generic process ID files.
--## </summary>
-+## List the contents of the runtime process
-+## ID directories (/var/run).
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`files_list_pids',`
++interface(`files_dontaudit_search_all_pids',`
+ gen_require(`
-+ type var_t, var_run_t;
++ attribute pidfile;
+ ')
+
-+ list_dirs_pattern($1, var_t, var_run_t)
++ dontaudit $1 pidfile:dir search_dir_perms;
+')
+
+########################################
+## <summary>
-+## Read generic process ID files.
-+## </summary>
++## List the contents of the runtime process
++## ID directories (/var/run).
+ ## </summary>
## <param name="domain">
## <summary>
- ## Domain allowed access.
-@@ -5736,7 +6415,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6433,7 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -83402,7 +83407,7 @@ index ff006ea..beea868 100644
')
########################################
-@@ -5815,6 +6494,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,6 +6512,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -83519,7 +83524,7 @@ index ff006ea..beea868 100644
## Read all process ID files.
## </summary>
## <param name="domain">
-@@ -5832,6 +6621,62 @@ interface(`files_read_all_pids',`
+@@ -5832,6 +6639,62 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -83582,7 +83587,7 @@ index ff006ea..beea868 100644
')
########################################
-@@ -5900,6 +6745,90 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5900,6 +6763,90 @@ interface(`files_delete_all_pid_dirs',`
########################################
## <summary>
@@ -83673,7 +83678,7 @@ index ff006ea..beea868 100644
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
-@@ -6042,7 +6971,7 @@ interface(`files_spool_filetrans',`
+@@ -6042,7 +6989,7 @@ interface(`files_spool_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -83682,7 +83687,7 @@ index ff006ea..beea868 100644
')
########################################
-@@ -6117,3 +7046,344 @@ interface(`files_unconfined',`
+@@ -6117,3 +7064,344 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -86336,7 +86341,7 @@ index 57c4a6a..d323c74 100644
+/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..9282b84 100644
+index 1700ef2..b2bea9d 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
@@ -86348,7 +86353,37 @@ index 1700ef2..9282b84 100644
typeattribute $1 fixed_disk_raw_read;
')
-@@ -205,6 +207,7 @@ interface(`storage_create_fixed_disk_dev',`
+@@ -188,6 +190,29 @@ interface(`storage_raw_rw_fixed_disk',`
+ storage_raw_write_fixed_disk($1)
+ ')
+
++#######################################
++## <summary>
++## Allow the caller to read/write inherited fixed disk
++## device nodes.
++## </summary>
++## <param name="domain">
++## <summary>
++## The domain allowed access.
++## </summary>
++## </param>
++#
++interface(`storage_rw_inherited_fixed_disk_dev',`
++ gen_require(`
++ type fixed_disk_device_t;
++ attribute fixed_disk_raw_write;
++ attribute fixed_disk_raw_read;
++ ')
++
++ allow $1 fixed_disk_device_t:chr_file { read write };
++ typeattribute $1 fixed_disk_raw_write;
++ typeattribute $1 fixed_disk_raw_read;
++')
++
+ ########################################
+ ## <summary>
+ ## Allow the caller to create fixed disk device nodes.
+@@ -205,6 +230,7 @@ interface(`storage_create_fixed_disk_dev',`
allow $1 self:capability mknod;
allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
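Review bot: The new `storage_rw_inherited_fixed_disk_dev` interface does more than its summary states: besides `{ read write }` on fixed-disk character nodes (no `open`, so it is indeed limited to inherited descriptors) it also adds the caller to the `fixed_disk_raw_read` and `fixed_disk_raw_write` attributes, which is presumably needed to satisfy the raw fixed-disk neverallow rules in storage.te but also enrolls the caller in whatever other rules key off those attributes. The summary should record both effects, e.g. `## Allow the caller to read/write inherited fixed disk device nodes. The caller is also added to the fixed_disk_raw_read and fixed_disk_raw_write attributes.`, so callers understand they are receiving raw-disk write access rather than a narrow fd-passing exception.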
@@ -86356,7 +86391,7 @@ index 1700ef2..9282b84 100644
dev_add_entry_generic_dirs($1)
')
-@@ -269,6 +272,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
+@@ -269,6 +295,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
dev_filetrans($1, fixed_disk_device_t, blk_file)
')
@@ -86405,7 +86440,7 @@ index 1700ef2..9282b84 100644
########################################
## <summary>
## Create block devices in on a tmpfs filesystem with the
-@@ -808,3 +853,369 @@ interface(`storage_unconfined',`
+@@ -808,3 +876,369 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type;
')
@@ -92467,10 +92502,10 @@ index 6480167..f9d3c63 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..745b9be 100644
+index 3136c6a..2a489c4 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
-@@ -18,136 +18,268 @@ policy_module(apache, 2.2.1)
+@@ -18,136 +18,275 @@ policy_module(apache, 2.2.1)
# Declarations
#
@@ -92674,7 +92709,6 @@ index 3136c6a..745b9be 100644
## <desc>
-## <p>
-## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
--## </p>
+## <p>
+## Allow httpd to read user content
+## </p>
@@ -92689,10 +92723,17 @@ index 3136c6a..745b9be 100644
+gen_tunable(httpd_run_stickshift, false)
+
+## <desc>
++## <p>
++## Allow Apache to query NS records
+ ## </p>
+ ## </desc>
++gen_tunable(httpd_verify_dns, false)
++
++## <desc>
+## <p>
+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+## </p>
- ## </desc>
++## </desc>
gen_tunable(httpd_ssi_exec, false)
## <desc>
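Review bot: The description of the new `httpd_verify_dns` boolean, "Allow Apache to query NS records", does not say what the boolean actually grants; the matching `tunable_policy` block added in the later apache.te hunk enables `corenet_udp_bind_all_ephemeral_ports(httpd_t)`, i.e. binding UDP sockets on any ephemeral port, which is broader than DNS. The `<p>` text should describe the permission so administrators can weigh it, e.g. `## Allow httpd to bind UDP sockets to ephemeral ports, as needed to perform DNS lookups.`.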
@@ -92795,7 +92836,7 @@ index 3136c6a..745b9be 100644
attribute httpd_script_exec_type;
attribute httpd_user_script_exec_type;
-@@ -166,7 +298,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +305,7 @@ files_type(httpd_cache_t)
# httpd_config_t is the type given to the configuration files
type httpd_config_t;
@@ -92804,7 +92845,7 @@ index 3136c6a..745b9be 100644
type httpd_helper_t;
type httpd_helper_exec_t;
-@@ -177,6 +309,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +316,9 @@ role system_r types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
@@ -92814,7 +92855,7 @@ index 3136c6a..745b9be 100644
type httpd_lock_t;
files_lock_file(httpd_lock_t)
-@@ -216,7 +351,21 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +358,21 @@ files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
@@ -92837,7 +92878,7 @@ index 3136c6a..745b9be 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -226,6 +375,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +382,10 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -92848,7 +92889,7 @@ index 3136c6a..745b9be 100644
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +386,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +393,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -92856,7 +92897,7 @@ index 3136c6a..745b9be 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +408,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +415,23 @@ files_type(httpd_var_lib_t)
type httpd_var_run_t;
files_pid_file(httpd_var_run_t)
@@ -92880,7 +92921,7 @@ index 3136c6a..745b9be 100644
########################################
#
# Apache server local policy
-@@ -281,11 +444,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +451,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
@@ -92894,7 +92935,7 @@ index 3136c6a..745b9be 100644
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +494,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +501,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -92906,7 +92947,7 @@ index 3136c6a..745b9be 100644
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -339,8 +506,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -339,8 +513,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -92917,7 +92958,7 @@ index 3136c6a..745b9be 100644
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -355,6 +523,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +530,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -92927,7 +92968,7 @@ index 3136c6a..745b9be 100644
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +536,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +543,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -92948,7 +92989,7 @@ index 3136c6a..745b9be 100644
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -378,12 +557,13 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +564,13 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -92965,7 +93006,7 @@ index 3136c6a..745b9be 100644
domain_use_interactive_fds(httpd_t)
-@@ -391,6 +571,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +578,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -92973,7 +93014,7 @@ index 3136c6a..745b9be 100644
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
-@@ -402,48 +583,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +590,101 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -93077,7 +93118,7 @@ index 3136c6a..745b9be 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -454,27 +688,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -454,27 +695,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -93141,7 +93182,7 @@ index 3136c6a..745b9be 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +752,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +759,22 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -93164,7 +93205,7 @@ index 3136c6a..745b9be 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +782,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +789,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -93185,7 +93226,7 @@ index 3136c6a..745b9be 100644
')
optional_policy(`
-@@ -513,7 +806,13 @@ optional_policy(`
+@@ -513,7 +813,13 @@ optional_policy(`
')
optional_policy(`
@@ -93200,7 +93241,7 @@ index 3136c6a..745b9be 100644
')
optional_policy(`
-@@ -528,7 +827,25 @@ optional_policy(`
+@@ -528,7 +834,25 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -93227,7 +93268,7 @@ index 3136c6a..745b9be 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,13 +854,24 @@ optional_policy(`
+@@ -537,13 +861,24 @@ optional_policy(`
')
optional_policy(`
@@ -93253,7 +93294,7 @@ index 3136c6a..745b9be 100644
')
optional_policy(`
-@@ -556,7 +884,21 @@ optional_policy(`
+@@ -556,7 +891,21 @@ optional_policy(`
')
optional_policy(`
@@ -93275,7 +93316,7 @@ index 3136c6a..745b9be 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +909,7 @@ optional_policy(`
+@@ -567,6 +916,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -93283,13 +93324,17 @@ index 3136c6a..745b9be 100644
')
optional_policy(`
-@@ -577,6 +920,51 @@ optional_policy(`
+@@ -577,6 +927,55 @@ optional_policy(`
')
optional_policy(`
+ pwauth_domtrans(httpd_t)
+')
+
++tunable_policy(`httpd_verify_dns',`
++ corenet_udp_bind_all_ephemeral_ports(httpd_t)
++')
++
+optional_policy(`
+ tunable_policy(`httpd_run_stickshift', `
+ allow httpd_t self:capability { fowner fsetid sys_resource };
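Review bot: The new `tunable_policy(`httpd_verify_dns',...)` block is inserted between two `optional_policy` blocks, whereas the rest of this file groups `tunable_policy` blocks together ahead of the `optional_policy` section; moving it next to the other httpd tunables would keep the file's layout consistent and make the boolean easier to find. The enclosing sequence of optional_policy blocks continues outside this hunk.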
@@ -93335,7 +93380,7 @@ index 3136c6a..745b9be 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +979,11 @@ optional_policy(`
+@@ -591,6 +990,11 @@ optional_policy(`
')
optional_policy(`
@@ -93347,7 +93392,7 @@ index 3136c6a..745b9be 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +996,12 @@ optional_policy(`
+@@ -603,6 +1007,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -93360,7 +93405,7 @@ index 3136c6a..745b9be 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +1015,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +1026,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -93373,7 +93418,7 @@ index 3136c6a..745b9be 100644
########################################
#
-@@ -654,28 +1057,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1068,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -93417,7 +93462,7 @@ index 3136c6a..745b9be 100644
')
########################################
-@@ -685,6 +1090,8 @@ optional_policy(`
+@@ -685,6 +1101,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -93426,7 +93471,7 @@ index 3136c6a..745b9be 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1106,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1117,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -93452,7 +93497,7 @@ index 3136c6a..745b9be 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1152,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1163,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -93485,7 +93530,7 @@ index 3136c6a..745b9be 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1199,25 @@ optional_policy(`
+@@ -769,6 +1210,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -93511,7 +93556,7 @@ index 3136c6a..745b9be 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1238,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1249,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -93529,7 +93574,7 @@ index 3136c6a..745b9be 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1257,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1268,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -93586,7 +93631,7 @@ index 3136c6a..745b9be 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1308,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1319,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -93627,7 +93672,7 @@ index 3136c6a..745b9be 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1353,20 @@ optional_policy(`
+@@ -842,10 +1364,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -93648,7 +93693,7 @@ index 3136c6a..745b9be 100644
')
########################################
-@@ -891,11 +1412,146 @@ optional_policy(`
+@@ -891,11 +1423,146 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -93666,7 +93711,7 @@ index 3136c6a..745b9be 100644
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
-+')
+ ')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_t)
@@ -93775,7 +93820,7 @@ index 3136c6a..745b9be 100644
+
+optional_policy(`
+ nscd_socket_use(httpd_script_type)
- ')
++')
+
+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+
@@ -94969,7 +95014,7 @@ index 59aa54f..b01072c 100644
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
-index 44a1e3d..9b50c13 100644
+index 44a1e3d..bc50fd6 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
@@ -95002,7 +95047,15 @@ index 44a1e3d..9b50c13 100644
## Execute ndc in the ndc domain.
## </summary>
## <param name="domain">
-@@ -186,7 +209,7 @@ interface(`bind_write_config',`
+@@ -167,6 +190,7 @@ interface(`bind_read_config',`
+ type named_conf_t;
+ ')
+
++ allow $1 named_conf_t:dir list_dir_perms;
+ read_files_pattern($1, named_conf_t, named_conf_t)
+ ')
+
+@@ -186,7 +210,7 @@ interface(`bind_write_config',`
')
write_files_pattern($1, named_conf_t, named_conf_t)
@@ -95011,7 +95064,7 @@ index 44a1e3d..9b50c13 100644
')
########################################
-@@ -210,6 +233,25 @@ interface(`bind_manage_config_dirs',`
+@@ -210,6 +234,25 @@ interface(`bind_manage_config_dirs',`
########################################
## <summary>
@@ -95037,7 +95090,7 @@ index 44a1e3d..9b50c13 100644
## Search the BIND cache directory.
## </summary>
## <param name="domain">
-@@ -266,7 +308,7 @@ interface(`bind_setattr_pid_dirs',`
+@@ -266,7 +309,7 @@ interface(`bind_setattr_pid_dirs',`
type named_var_run_t;
')
@@ -95046,7 +95099,7 @@ index 44a1e3d..9b50c13 100644
')
########################################
-@@ -284,7 +326,7 @@ interface(`bind_setattr_zone_dirs',`
+@@ -284,7 +327,7 @@ interface(`bind_setattr_zone_dirs',`
type named_zone_t;
')
@@ -95055,7 +95108,7 @@ index 44a1e3d..9b50c13 100644
')
########################################
-@@ -308,6 +350,27 @@ interface(`bind_read_zone',`
+@@ -308,6 +351,27 @@ interface(`bind_read_zone',`
########################################
## <summary>
@@ -95083,7 +95136,7 @@ index 44a1e3d..9b50c13 100644
## Manage BIND zone files.
## </summary>
## <param name="domain">
-@@ -359,18 +422,26 @@ interface(`bind_udp_chat_named',`
+@@ -359,18 +423,26 @@ interface(`bind_udp_chat_named',`
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
@@ -95116,7 +95169,7 @@ index 44a1e3d..9b50c13 100644
bind_run_ndc($1, $2)
init_labeled_script_domtrans($1, named_initrc_exec_t)
-@@ -391,9 +462,12 @@ interface(`bind_admin',`
+@@ -391,9 +463,12 @@ interface(`bind_admin',`
admin_pattern($1, named_zone_t)
admin_pattern($1, dnssec_t)
@@ -104196,7 +104249,7 @@ index 1a1becd..115133d 100644
+ dontaudit $1 session_bus_type:dbus send_msg;
')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..37c9ef1 100644
+index 1bff6ee..f8993c2 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -104267,7 +104320,12 @@ index 1bff6ee..37c9ef1 100644
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-@@ -136,11 +145,31 @@ seutil_sigchld_newrole(system_dbusd_t)
+@@ -133,14 +142,36 @@ seutil_read_config(system_dbusd_t)
+ seutil_read_default_contexts(system_dbusd_t)
+ seutil_sigchld_newrole(system_dbusd_t)
+
++storage_rw_inherited_fixed_disk_dev(system_dbusd_t)
++
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
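Review bot: The new `storage_rw_inherited_fixed_disk_dev(system_dbusd_t)` line grants the system bus daemon read and write on file descriptors open on fixed-disk devices, and the only rationale is the changelog entry. Presumably the need comes from such an fd being passed over the bus (a received fd is checked against the device's open mode rather than dbus opening the device itself), but that is not visible here and is exactly what the next maintainer will wonder about. I would add `# fds open on fixed_disk_device_t are passed through the bus; receiving one requires rw on the device` above the call, and confirm that no narrower rule (for example `fd use` alone) satisfies the denial that prompted it.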
@@ -104299,7 +104357,7 @@ index 1bff6ee..37c9ef1 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -151,12 +180,162 @@ optional_policy(`
+@@ -151,12 +182,162 @@ optional_policy(`
')
optional_policy(`
@@ -104320,7 +104378,7 @@ index 1bff6ee..37c9ef1 100644
#
-# Unconfined access to this module
+# system_bus_type rules
- #
++#
+role system_r types system_bus_type;
+
+fs_search_all(system_bus_type)
@@ -104341,7 +104399,7 @@ index 1bff6ee..37c9ef1 100644
+optional_policy(`
+ abrt_stream_connect(system_bus_type)
+')
-
++
+optional_policy(`
+ rpm_script_dbus_chat(system_bus_type)
+')
@@ -104355,7 +104413,7 @@ index 1bff6ee..37c9ef1 100644
+')
+
+########################################
-+#
+ #
+# session_bus_type rules
+#
+dontaudit session_bus_type self:capability sys_resource;
@@ -104434,7 +104492,7 @@ index 1bff6ee..37c9ef1 100644
+userdom_manage_user_home_content_dirs(session_bus_type)
+userdom_manage_user_home_content_files(session_bus_type)
+userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
-+
+
+optional_policy(`
+ gnome_read_gconf_home_files(session_bus_type)
+')
@@ -119647,7 +119705,7 @@ index 2324d9e..da61d01 100644
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..7c2d938 100644
+index 0619395..9a5791f 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -119747,7 +119805,7 @@ index 0619395..7c2d938 100644
files_read_usr_files(NetworkManager_t)
files_read_usr_src_files(NetworkManager_t)
-@@ -128,35 +162,44 @@ init_domtrans_script(NetworkManager_t)
+@@ -128,35 +162,52 @@ init_domtrans_script(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
@@ -119784,6 +119842,14 @@ index 0619395..7c2d938 100644
+userdom_read_home_certs(NetworkManager_t)
userdom_read_user_home_content_files(NetworkManager_t)
+userdom_dgram_send(NetworkManager_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_read_nfs_files(NetworkManager_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(NetworkManager_t)
++')
optional_policy(`
avahi_domtrans(NetworkManager_t)
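Review bot: The two new `tunable_policy` blocks give NetworkManager_t read access to every file on NFS and CIFS mounts, not just certificates, and carry no comment saying why. Since `fs_read_nfs_files`/`fs_read_cifs_files` cover all of nfs_t/cifs_t and NetworkManager runs privileged, the intent should be recorded in the policy, e.g. `# certificates may live in NFS- or CIFS-mounted home directories (see use_nfs_home_dirs / use_samba_home_dirs)` above the first block, hedged to what the changelog states. It is also worth checking whether a certificate-specific interface, like the `userdom_read_home_certs` call just above, could be extended to the network-mounted case instead of a blanket read.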
@@ -119794,7 +119860,7 @@ index 0619395..7c2d938 100644
')
optional_policy(`
-@@ -176,10 +219,17 @@ optional_policy(`
+@@ -176,10 +227,17 @@ optional_policy(`
')
optional_policy(`
@@ -119812,7 +119878,7 @@ index 0619395..7c2d938 100644
')
')
-@@ -191,6 +241,7 @@ optional_policy(`
+@@ -191,6 +249,7 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -119820,7 +119886,7 @@ index 0619395..7c2d938 100644
')
optional_policy(`
-@@ -202,23 +253,45 @@ optional_policy(`
+@@ -202,23 +261,45 @@ optional_policy(`
')
optional_policy(`
@@ -119866,7 +119932,7 @@ index 0619395..7c2d938 100644
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -234,6 +307,10 @@ optional_policy(`
+@@ -234,6 +315,10 @@ optional_policy(`
')
optional_policy(`
@@ -119877,7 +119943,7 @@ index 0619395..7c2d938 100644
ppp_initrc_domtrans(NetworkManager_t)
ppp_domtrans(NetworkManager_t)
ppp_manage_pid_files(NetworkManager_t)
-@@ -241,6 +318,7 @@ optional_policy(`
+@@ -241,6 +326,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -119885,7 +119951,7 @@ index 0619395..7c2d938 100644
')
optional_policy(`
-@@ -254,6 +332,10 @@ optional_policy(`
+@@ -254,6 +340,10 @@ optional_policy(`
')
optional_policy(`
@@ -119896,7 +119962,7 @@ index 0619395..7c2d938 100644
udev_exec(NetworkManager_t)
udev_read_db(NetworkManager_t)
')
-@@ -263,6 +345,7 @@ optional_policy(`
+@@ -263,6 +353,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -120117,7 +120183,7 @@ index abe3f7f..8ba3aef 100644
+ allow $1 nis_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
-index 4876cae..9f3b09b 100644
+index 4876cae..702f372 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -18,12 +18,12 @@ init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -120176,7 +120242,16 @@ index 4876cae..9f3b09b 100644
manage_files_pattern(ypbind_t, ypbind_var_run_t, ypbind_var_run_t)
files_pid_filetrans(ypbind_t, ypbind_var_run_t, file)
-@@ -142,8 +139,8 @@ optional_policy(`
+@@ -108,6 +105,8 @@ domain_use_interactive_fds(ypbind_t)
+ files_read_etc_files(ypbind_t)
+ files_list_var(ypbind_t)
+
++init_search_pid_dirs(ypbind_t)
++
+ logging_send_syslog_msg(ypbind_t)
+
+ miscfiles_read_localization(ypbind_t)
+@@ -142,8 +141,8 @@ optional_policy(`
allow yppasswdd_t self:capability dac_override;
dontaudit yppasswdd_t self:capability sys_tty_config;
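Review bot: The added `init_search_pid_dirs(ypbind_t)` has no comment, while the changelog attributes it to `sd_notify`; that reason belongs in the policy so nobody later wonders why ypbind walks /var/run. I would write `# sd_notify() has to reach the init notify socket under /run` above it, with the exact path confirmed against the ypbind package. If ypbind must also send on that socket, a search rule alone will not be enough and the corresponding init send/connect interface should be added in the same place.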
@@ -120186,7 +120261,7 @@ index 4876cae..9f3b09b 100644
allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -156,6 +153,8 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
+@@ -156,6 +155,8 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
@@ -120195,7 +120270,7 @@ index 4876cae..9f3b09b 100644
kernel_list_proc(yppasswdd_t)
kernel_read_proc_symlinks(yppasswdd_t)
kernel_getattr_proc_files(yppasswdd_t)
-@@ -186,6 +185,7 @@ selinux_get_fs_mount(yppasswdd_t)
+@@ -186,6 +187,7 @@ selinux_get_fs_mount(yppasswdd_t)
auth_manage_shadow(yppasswdd_t)
auth_relabel_shadow(yppasswdd_t)
@@ -120203,7 +120278,7 @@ index 4876cae..9f3b09b 100644
auth_etc_filetrans_shadow(yppasswdd_t)
corecmd_exec_bin(yppasswdd_t)
-@@ -211,6 +211,10 @@ optional_policy(`
+@@ -211,6 +213,10 @@ optional_policy(`
')
optional_policy(`
@@ -120214,7 +120289,7 @@ index 4876cae..9f3b09b 100644
seutil_sigchld_newrole(yppasswdd_t)
')
-@@ -224,8 +228,8 @@ optional_policy(`
+@@ -224,8 +230,8 @@ optional_policy(`
#
dontaudit ypserv_t self:capability sys_tty_config;
@@ -120224,7 +120299,7 @@ index 4876cae..9f3b09b 100644
allow ypserv_t self:unix_dgram_socket create_socket_perms;
allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -236,10 +240,6 @@ manage_files_pattern(ypserv_t, var_yp_t, var_yp_t)
+@@ -236,10 +242,6 @@ manage_files_pattern(ypserv_t, var_yp_t, var_yp_t)
allow ypserv_t ypserv_conf_t:file read_file_perms;
@@ -122263,7 +122338,7 @@ index 0000000..a437f80
+files_read_config_files(openshift_domain)
diff --git a/policy/modules/services/openshift.fc b/policy/modules/services/openshift.fc
new file mode 100644
-index 0000000..fbadaba
+index 0000000..c9a5f74
--- /dev/null
+++ b/policy/modules/services/openshift.fc
@@ -0,0 +1,24 @@
@@ -122282,12 +122357,12 @@ index 0000000..fbadaba
+
+/var/log/mcollective\.log -- gen_context(system_u:object_r:openshift_log_t,s0)
+
-+/usr/bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
++/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
+
-+/usr/bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
-+/usr/bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)
-+/usr/bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
-+/usr/sbin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)
++/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
+/var/run/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
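Review bot: In the relabeled `(oo|rhc)-restorer-wrapper.sh` entry the dot is unescaped, so the regex also matches names such as `restorer-wrapperXsh`; the same hunk escapes it in `mcollective\.log`, so write `/usr/s?bin/(oo|rhc)-restorer-wrapper\.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)`. That entry is also the only one in the hunk seeded with `unconfined_u` rather than `system_u`; if that is intentional a one-line comment above it would stop it being "fixed" later, otherwise `system_u` keeps it consistent with the neighbouring entries.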
@@ -133306,7 +133381,7 @@ index f5c47d6..482b584 100644
/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if
-index a96249c..a345080 100644
+index a96249c..46c8335 100644
--- a/policy/modules/services/rpcbind.if
+++ b/policy/modules/services/rpcbind.if
@@ -5,9 +5,9 @@
@@ -133340,7 +133415,32 @@ index a96249c..a345080 100644
')
########################################
-@@ -117,6 +116,24 @@ interface(`rpcbind_manage_lib_files',`
+@@ -57,6 +56,24 @@ interface(`rpcbind_read_pid_files',`
+ allow $1 rpcbind_var_run_t:file read_file_perms;
+ ')
+
++#######################################
++## <summary>
++## Transition to rpcbind named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rpcbind_filetrans_named_content',`
++ gen_require(`
++ type rpcbind_var_run_t;
++ ')
++
++ files_pid_filetrans($1, rpcbind_var_run_t, sock_file, "rpcbind.sock")
++')
++
+ ########################################
+ ## <summary>
+ ## Search rpcbind lib directories.
+@@ -117,6 +134,24 @@ interface(`rpcbind_manage_lib_files',`
########################################
## <summary>
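Review bot: The summary of the new `rpcbind_filetrans_named_content` interface does not say what is transitioned; since the body covers exactly one name, `## Create rpcbind.sock under /var/run with the rpcbind_var_run_t label` is more useful to callers than "Transition to rpcbind named content". The interface is presumably intended for init_t, which the init.te hunk further down calls it from; if rpcbind has other sockets or pid files that need the label when created by init, add them here rather than in each caller.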
@@ -133365,7 +133465,7 @@ index a96249c..a345080 100644
## All of the rules required to administrate
## an rpcbind environment
## </summary>
-@@ -138,11 +155,20 @@ interface(`rpcbind_admin',`
+@@ -138,11 +173,20 @@ interface(`rpcbind_admin',`
type rpcbind_initrc_exec_t;
')
@@ -147713,7 +147813,7 @@ index 28ad538..9c82aad 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..3740647 100644
+index 73554ec..2088101 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -148003,18 +148103,17 @@ index 73554ec..3740647 100644
')
########################################
-@@ -637,6 +800,10 @@ interface(`auth_manage_shadow',`
+@@ -637,6 +800,9 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
+ files_var_filetrans($1, shadow_t, file, "shadow")
+ files_var_filetrans($1, shadow_t, file, "shadow-")
-+ files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
+ files_etc_filetrans($1, shadow_t, file, "gshadow")
')
#######################################
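Review bot: After this change `auth_manage_shadow` no longer transitions `.pwd.lock` to any type, so a domain that has only this interface, and not the passwd interface where the lock file now gets passwd_file_t, will create `/etc/.pwd.lock` with the default etc_t label. If every shadow writer is also a passwd writer that is harmless, but it would be safer to keep `files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock")` here as well (passwd_file_t would then need to be in the interface's gen_require, which lies outside the hunk). The unchanged `files_var_filetrans($1, shadow_t, file, "shadow")` lines are also surprising — a file named `shadow` created under a var_t directory becomes shadow_t — and deserve a comment naming the case they serve. The `auth_manage_shadow` interface begins before this hunk.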
-@@ -736,7 +903,50 @@ interface(`auth_rw_faillog',`
+@@ -736,7 +902,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -148066,7 +148165,7 @@ index 73554ec..3740647 100644
')
#######################################
-@@ -932,9 +1142,30 @@ interface(`auth_manage_var_auth',`
+@@ -932,9 +1141,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -148100,7 +148199,7 @@ index 73554ec..3740647 100644
')
########################################
-@@ -1013,6 +1244,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1013,6 +1243,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -148111,7 +148210,7 @@ index 73554ec..3740647 100644
')
########################################
-@@ -1130,6 +1365,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1130,6 +1364,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -148119,7 +148218,7 @@ index 73554ec..3740647 100644
')
#######################################
-@@ -1387,6 +1623,25 @@ interface(`auth_setattr_login_records',`
+@@ -1387,6 +1622,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@@ -148145,7 +148244,7 @@ index 73554ec..3740647 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
-@@ -1537,37 +1792,49 @@ interface(`auth_manage_login_records',`
+@@ -1537,37 +1791,49 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -148205,7 +148304,7 @@ index 73554ec..3740647 100644
## </p>
## </desc>
## <param name="domain">
-@@ -1575,87 +1842,206 @@ interface(`auth_relabel_login_records',`
+@@ -1575,87 +1841,209 @@ interface(`auth_relabel_login_records',`
## Domain allowed access.
## </summary>
## </param>
@@ -148260,12 +148359,12 @@ index 73554ec..3740647 100644
+ #files_etc_filetrans($1, passwd_file_t, file, "passwd+")
+ files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD")
+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
-+ files_etc_filetrans($1, shadow_t, file, "group.lock")
-+ files_etc_filetrans($1, shadow_t, file, "passwd.lock")
-+ files_etc_filetrans($1, shadow_t, file, "passwd.adjunct")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd.lock")
++ files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock")
++ files_etc_filetrans($1, passwd_file_t, file, "group.lock")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd.adjunct")
+ files_etc_filetrans($1, shadow_t, file, "shadow")
+ files_etc_filetrans($1, shadow_t, file, "shadow-")
-+ files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
+ files_etc_filetrans($1, shadow_t, file, "gshadow")
+ logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
+ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
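Review bot: The lock files `passwd.lock`, `.pwd.lock`, `group.lock` and `passwd.adjunct` move from shadow_t to passwd_file_t, a weaker label than before: any domain allowed to create or write passwd_file_t in /etc can now take the lock the shadow tools use, and `passwd.adjunct` may hold password hashes on systems that use it. The changelog only says "more fixes for passwd/group labeling", so the reason the lock files must be passwd_file_t (presumably that passwd/group writers, not only shadow writers, create them) should be stated. A comment above those four lines such as `# lock files are shared by passwd and shadow updates; passwd_file_t so passwd/group writers can create them` would capture that, and `passwd.adjunct` should be called out separately if it is meant to stay readable only by shadow readers. The enclosing interface starts before this hunk.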
@@ -148402,6 +148501,9 @@ index 73554ec..3740647 100644
+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
+ files_etc_filetrans($1, passwd_file_t, file, "group")
+ files_etc_filetrans($1, passwd_file_t, file, "group-")
++ files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd.lock")
++ files_etc_filetrans($1, passwd_file_t, file, "group.lock")
+')
+
+########################################
@@ -150244,7 +150346,7 @@ index 94fd8dd..09f0ac4 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..369a9cf 100644
+index 29a9565..5e6570b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -150464,18 +150566,17 @@ index 29a9565..369a9cf 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,16 +267,146 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +267,142 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
+storage_raw_rw_fixed_disk(init_t)
+
- optional_policy(`
-- auth_rw_login_records(init_t)
++optional_policy(`
+ modutils_domtrans_insmod(init_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ postfix_exec(init_t)
+ postfix_list_spool(init_t)
+ mta_read_aliases(init_t)
@@ -150580,15 +150681,12 @@ index 29a9565..369a9cf 100644
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
+
-+optional_policy(`
-+ systemd_filetrans_named_content(init_t)
-+')
-+
-+optional_policy(`
+ optional_policy(`
+- auth_rw_login_records(init_t)
+ lvm_rw_pipes(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ consolekit_manage_log(init_t)
+')
+
@@ -150613,10 +150711,18 @@ index 29a9565..369a9cf 100644
')
optional_policy(`
-@@ -203,6 +414,17 @@ optional_policy(`
+@@ -203,6 +410,25 @@ optional_policy(`
')
optional_policy(`
++ rpcbind_filetrans_named_content(init_t)
++')
++
++optional_policy(`
++ systemd_filetrans_named_content(init_t)
++')
++
++optional_policy(`
+ udev_read_db(init_t)
+ udev_relabelto_db(init_t)
+ udev_create_kobject_uevent_socket(init_t)
@@ -150631,7 +150737,7 @@ index 29a9565..369a9cf 100644
unconfined_domain(init_t)
')
-@@ -212,8 +434,8 @@ optional_policy(`
+@@ -212,8 +438,8 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -150642,7 +150748,7 @@ index 29a9565..369a9cf 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +463,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +467,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -150658,7 +150764,7 @@ index 29a9565..369a9cf 100644
init_write_initctl(initrc_t)
-@@ -258,20 +483,34 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +487,34 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -150697,7 +150803,7 @@ index 29a9565..369a9cf 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +518,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +522,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -150705,7 +150811,7 @@ index 29a9565..369a9cf 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -289,8 +529,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +533,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -150716,7 +150822,7 @@ index 29a9565..369a9cf 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,17 +540,16 @@ dev_manage_generic_files(initrc_t)
+@@ -298,17 +544,16 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -150736,7 +150842,7 @@ index 29a9565..369a9cf 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -316,6 +557,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +561,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -150744,7 +150850,7 @@ index 29a9565..369a9cf 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -323,8 +565,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +569,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -150756,7 +150862,7 @@ index 29a9565..369a9cf 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +584,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +588,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -150770,7 +150876,7 @@ index 29a9565..369a9cf 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,9 +599,12 @@ fs_mount_all_fs(initrc_t)
+@@ -351,9 +603,12 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -150784,7 +150890,7 @@ index 29a9565..369a9cf 100644
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
-@@ -363,6 +614,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +618,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -150792,7 +150898,7 @@ index 29a9565..369a9cf 100644
selinux_get_enforce_mode(initrc_t)
-@@ -370,10 +622,13 @@ storage_getattr_fixed_disk_dev(initrc_t)
+@@ -370,10 +626,13 @@ storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
storage_setattr_removable_dev(initrc_t)
@@ -150806,7 +150912,7 @@ index 29a9565..369a9cf 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,18 +649,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +653,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -150828,7 +150934,7 @@ index 29a9565..369a9cf 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +712,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +716,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -150839,7 +150945,7 @@ index 29a9565..369a9cf 100644
alsa_read_lib(initrc_t)
')
-@@ -478,7 +736,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +740,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -150848,7 +150954,7 @@ index 29a9565..369a9cf 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -493,6 +751,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +755,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -150856,7 +150962,7 @@ index 29a9565..369a9cf 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -513,6 +772,7 @@ ifdef(`distro_redhat',`
+@@ -513,6 +776,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -150864,7 +150970,7 @@ index 29a9565..369a9cf 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -522,8 +782,35 @@ ifdef(`distro_redhat',`
+@@ -522,8 +786,35 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -150900,7 +151006,7 @@ index 29a9565..369a9cf 100644
')
optional_policy(`
-@@ -531,14 +818,27 @@ ifdef(`distro_redhat',`
+@@ -531,14 +822,27 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -150928,7 +151034,7 @@ index 29a9565..369a9cf 100644
')
')
-@@ -549,6 +849,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +853,39 @@ ifdef(`distro_suse',`
')
')
@@ -150968,7 +151074,7 @@ index 29a9565..369a9cf 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +894,8 @@ optional_policy(`
+@@ -561,6 +898,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -150977,7 +151083,7 @@ index 29a9565..369a9cf 100644
')
optional_policy(`
-@@ -577,6 +912,7 @@ optional_policy(`
+@@ -577,6 +916,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -150985,7 +151091,7 @@ index 29a9565..369a9cf 100644
')
optional_policy(`
-@@ -589,6 +925,17 @@ optional_policy(`
+@@ -589,6 +929,17 @@ optional_policy(`
')
optional_policy(`
@@ -151003,7 +151109,7 @@ index 29a9565..369a9cf 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +952,13 @@ optional_policy(`
+@@ -605,9 +956,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -151017,7 +151123,7 @@ index 29a9565..369a9cf 100644
')
optional_policy(`
-@@ -632,6 +983,10 @@ optional_policy(`
+@@ -632,6 +987,10 @@ optional_policy(`
')
optional_policy(`
@@ -151028,7 +151134,7 @@ index 29a9565..369a9cf 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -649,6 +1004,15 @@ optional_policy(`
+@@ -649,6 +1008,15 @@ optional_policy(`
')
optional_policy(`
@@ -151044,7 +151150,7 @@ index 29a9565..369a9cf 100644
inn_exec_config(initrc_t)
')
-@@ -689,6 +1053,7 @@ optional_policy(`
+@@ -689,6 +1057,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -151052,7 +151158,7 @@ index 29a9565..369a9cf 100644
')
optional_policy(`
-@@ -706,7 +1071,13 @@ optional_policy(`
+@@ -706,7 +1075,13 @@ optional_policy(`
')
optional_policy(`
@@ -151066,7 +151172,7 @@ index 29a9565..369a9cf 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1100,10 @@ optional_policy(`
+@@ -729,6 +1104,10 @@ optional_policy(`
')
optional_policy(`
@@ -151077,7 +151183,7 @@ index 29a9565..369a9cf 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1113,20 @@ optional_policy(`
+@@ -738,10 +1117,20 @@ optional_policy(`
')
optional_policy(`
@@ -151098,7 +151204,7 @@ index 29a9565..369a9cf 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1135,10 @@ optional_policy(`
+@@ -750,6 +1139,10 @@ optional_policy(`
')
optional_policy(`
@@ -151109,7 +151215,7 @@ index 29a9565..369a9cf 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1160,6 @@ optional_policy(`
+@@ -771,8 +1164,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -151118,7 +151224,7 @@ index 29a9565..369a9cf 100644
')
optional_policy(`
-@@ -781,6 +1168,10 @@ optional_policy(`
+@@ -781,6 +1172,10 @@ optional_policy(`
')
optional_policy(`
@@ -151129,7 +151235,7 @@ index 29a9565..369a9cf 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -790,10 +1181,12 @@ optional_policy(`
+@@ -790,10 +1185,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -151142,7 +151248,7 @@ index 29a9565..369a9cf 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1198,6 @@ optional_policy(`
+@@ -805,7 +1202,6 @@ optional_policy(`
')
optional_policy(`
@@ -151150,7 +151256,7 @@ index 29a9565..369a9cf 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -815,11 +1207,30 @@ optional_policy(`
+@@ -815,11 +1211,30 @@ optional_policy(`
')
optional_policy(`
@@ -151182,7 +151288,7 @@ index 29a9565..369a9cf 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1240,18 @@ optional_policy(`
+@@ -829,6 +1244,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -151201,7 +151307,7 @@ index 29a9565..369a9cf 100644
')
optional_policy(`
-@@ -844,6 +1267,10 @@ optional_policy(`
+@@ -844,6 +1271,10 @@ optional_policy(`
')
optional_policy(`
@@ -151212,7 +151318,7 @@ index 29a9565..369a9cf 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1281,165 @@ optional_policy(`
+@@ -854,3 +1285,165 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7324d5e..cf58a08 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 158%{?dist}
+Release: 159%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Oct 5 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-159
+- More fixes for passwd/group labeling
+- New ypbind pkg wants to search /var/run which is caused by sd_notify
+- dbus needs to be able to read/write inherited fixed disk device_t passed through it
+- Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans
+- Add interface to make sure rpcbind.sock is created with the correct label
+- Add support for OpenShift sbin labeling
+
* Tue Oct 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-158
- Fix labeling for passwd*