[selinux-policy/f18] - Add mei_device_t - Make sure gpg content in homedir created with correct label - Allow dmesg to w
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Oct 2 11:04:11 UTC 2012
commit 3e92875e421ccb7427c45b0b6430d48221a06c92
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Oct 2 13:03:35 2012 +0200
- Add mei_device_t
- Make sure gpg content in homedir created with correct label
- Allow dmesg to write to abrt cache files
- automount wants to search virtual memory sysctls
- Add support for hplip logs stored in /var/log/hp/tmp
- Add labeling for /etc/owncloud/config.php
- Allow setroubleshoot to send analysis to syslogd-journal
- Allow virsh_t to interact with new fenced daemon
- Allow gpg to write to /etc/mail/spamassassin directories
- Make dovecot_deliver_t a mail server delivery type
- Add label for /var/tmp/DNS_25
policy-rawhide.patch | 95 +++++++--
policy_contrib-rawhide.patch | 514 +++++++++++++++++++++++++-----------------
selinux-policy.spec | 15 ++-
3 files changed, 398 insertions(+), 226 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 99a9d9d..e5096be 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -99178,7 +99178,7 @@ index d6cc2d9..0685b19 100644
+
+/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index 72bc6d8..4db3a65 100644
+index 72bc6d8..4cceb40 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -19,6 +19,7 @@ dontaudit dmesg_t self:capability sys_tty_config;
@@ -99208,7 +99208,7 @@ index 72bc6d8..4db3a65 100644
+userdom_use_inherited_user_terminals(dmesg_t)
+
+optional_policy(`
-+ abrt_manage_pid_files(dmesg_t)
++ abrt_rw_inherited_cache(dmesg_t)
+')
optional_policy(`
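Review bot: `abrt_rw_inherited_cache(dmesg_t)` grants read as well as write on abrt cache files that dmesg inherits, although the commit message only asks for write access; the same patch already defines `abrt_append_cache` with `append_inherited_file_perms`, which would be the narrower grant if abrt opens the cache file with O_APPEND before handing the descriptor over. If abrt opens it without O_APPEND then `write` is genuinely required and the current call is the minimum that works, so confirm how abrt opens the fd before narrowing. Either way the rule deserves a why-comment, e.g. `# dmesg output is captured into an abrt cache file via an fd inherited from abrt; no open is granted`. The enclosing dmesg.te block continues outside the hunk.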
@@ -102948,7 +102948,7 @@ index 3f6e168..51ad69a 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 02b7ac1..29a7fc1 100644
+index 02b7ac1..b30f7b8 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,14 +15,17 @@
@@ -102970,7 +102970,7 @@ index 02b7ac1..29a7fc1 100644
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -57,8 +60,10 @@
+@@ -57,8 +60,11 @@
/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -102978,10 +102978,11 @@ index 02b7ac1..29a7fc1 100644
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+/dev/media.* -c gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0)
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -125,13 +130,15 @@ ifdef(`distro_suse', `
+@@ -125,13 +131,15 @@ ifdef(`distro_suse', `
/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
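Review bot: The new entry `/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0)` matches only the bare node name, so on a kernel that exposes numbered nodes the device would stay at the default device_t and none of the new mei interfaces would apply; if such nodes exist on the target kernels the pattern should be `/dev/mei[0-9]* -c gen_context(system_u:object_r:mei_device_t,s0)`. Neighbouring character devices in this section (`/dev/lirc[0-9]+`, `/dev/media.*`) already use patterns of that shape. I cannot tell from this page which node names the Fedora 18 kernel creates, so treat this as something to verify rather than a confirmed miss.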
@@ -102998,7 +102999,7 @@ index 02b7ac1..29a7fc1 100644
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -195,12 +202,22 @@ ifdef(`distro_debian',`
+@@ -195,12 +203,22 @@ ifdef(`distro_debian',`
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -103024,7 +103025,7 @@ index 02b7ac1..29a7fc1 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index d820975..21a21e4 100644
+index d820975..bc8ec03 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -103797,7 +103798,7 @@ index d820975..21a21e4 100644
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
-@@ -4814,3 +5301,863 @@ interface(`dev_unconfined',`
+@@ -4814,3 +5301,917 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -103823,6 +103824,60 @@ index d820975..21a21e4 100644
+
+########################################
+## <summary>
++## Get the attributes of the mei devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_getattr_mei',`
++ gen_require(`
++ type device_t, mei_device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, mei_device_t)
++')
++
++########################################
++## <summary>
++## Read the mei devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_read_mei',`
++ gen_require(`
++ type device_t, mei_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, mei_device_t)
++')
++
++########################################
++## <summary>
++## Read and write to mei devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rw_mei',`
++ gen_require(`
++ type device_t, mei_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, mei_device_t)
++')
++
++########################################
++## <summary>
+## Create all named devices with the correct label
+## </summary>
+## <param name="domain">
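Review bot: The summaries of `dev_getattr_mei`, `dev_read_mei` and `dev_rw_mei` say only "the mei devices", which does not tell a policy author what they are handing out; /dev/mei is the Intel Management Engine Interface, and write access lets a domain send commands to the ME firmware, so `dev_rw_mei` should be documented as a privileged grant. Suggest `## Read and write the Intel Management Engine Interface device (/dev/mei). Write access lets the domain issue commands to the ME firmware; grant it only to the dedicated management agent.` for `dev_rw_mei`, with the matching wording for the getattr and read variants. The interface bodies follow the existing `*_chr_files_pattern` shape and look correct.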
@@ -104662,7 +104717,7 @@ index d820975..21a21e4 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 06eda45..0018592 100644
+index 06eda45..ed26516 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@@ -104697,7 +104752,7 @@ index 06eda45..0018592 100644
#
# Type for /dev/lirc
-@@ -118,6 +123,12 @@ dev_node(lirc_device_t)
+@@ -118,9 +123,18 @@ dev_node(lirc_device_t)
#
# Type for /dev/mapper/control
#
@@ -104710,7 +104765,13 @@ index 06eda45..0018592 100644
type lvm_control_t;
dev_node(lvm_control_t)
-@@ -218,6 +229,10 @@ files_mountpoint(sysfs_t)
++type mei_device_t;
++dev_node(mei_device_t)
++
+ #
+ # memory_device_t is the type of /dev/kmem,
+ # /dev/mem and /dev/port.
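Review bot: The new `type mei_device_t;` / `dev_node(mei_device_t)` pair is the only declaration in this region without the `#` / `# Type for ...` / `#` header that its neighbours carry (`# Type for /dev/mapper/control`, `# memory_device_t is the type of /dev/kmem, ...`). Suggest inserting `#`, `# Type for /dev/mei (Intel Management Engine Interface)` and `#` above the declaration so the file stays greppable the same way throughout.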
+@@ -218,6 +232,10 @@ files_mountpoint(sysfs_t)
fs_type(sysfs_t)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
@@ -104721,7 +104782,7 @@ index 06eda45..0018592 100644
#
# Type for /dev/tpm
#
-@@ -265,6 +280,7 @@ dev_node(v4l_device_t)
+@@ -265,6 +283,7 @@ dev_node(v4l_device_t)
#
type vhost_device_t;
dev_node(vhost_device_t)
@@ -104729,7 +104790,7 @@ index 06eda45..0018592 100644
# Type for vmware devices.
type vmware_device_t;
-@@ -310,5 +326,5 @@ files_associate_tmp(device_node)
+@@ -310,5 +329,5 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
@@ -104877,7 +104938,7 @@ index 6a1e4d1..eee8419 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..26c940c 100644
+index cf04cb5..bfbf93f 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.11.0)
@@ -104994,7 +105055,7 @@ index cf04cb5..26c940c 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +218,252 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +218,256 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -105066,6 +105127,10 @@ index cf04cb5..26c940c 100644
+')
+
+optional_policy(`
++ gpg_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ irc_filetrans_home_content(unconfined_domain_type)
+')
+
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 3c37b22..b9ac6dd 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -43,7 +43,7 @@ index 1bd5812..b5fe639 100644
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/abrt.if b/abrt.if
-index 0b827c5..5ff3c88 100644
+index 0b827c5..cce58bb 100644
--- a/abrt.if
+++ b/abrt.if
@@ -2,6 +2,28 @@
@@ -90,7 +90,7 @@ index 0b827c5..5ff3c88 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -160,8 +183,45 @@ interface(`abrt_run_helper',`
+@@ -160,8 +183,26 @@ interface(`abrt_run_helper',`
########################################
## <summary>
@@ -116,6 +116,26 @@ index 0b827c5..5ff3c88 100644
+########################################
+## <summary>
+## Append abrt cache
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -169,12 +210,52 @@ interface(`abrt_run_helper',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`abrt_cache_manage',`
++interface(`abrt_append_cache',`
++ gen_require(`
++ type abrt_var_cache_t;
++ ')
++
++
++ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
++')
++
++########################################
++## <summary>
++## Read/Write inherited abrt cache
+## </summary>
+## <param name="domain">
+## <summary>
@@ -123,26 +143,25 @@ index 0b827c5..5ff3c88 100644
+## </summary>
+## </param>
+#
-+interface(`abrt_append_cache',`
++interface(`abrt_rw_inherited_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+
-+ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
++ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Manage abrt cache
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -169,12 +229,14 @@ interface(`abrt_run_helper',`
- ## </summary>
- ## </param>
- #
--interface(`abrt_cache_manage',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`abrt_manage_cache',`
gen_require(`
type abrt_var_cache_t;
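Review bot: The new `abrt_rw_inherited_cache` interface has two consecutive blank lines between `gen_require` and the `allow` rule (the two bare `+` lines after `')`), copying the same blemish from `abrt_append_cache` above it; one blank line is the convention elsewhere in the file. The summary `Read/Write inherited abrt cache` should also state the security property that justifies having this interface beside `abrt_manage_cache`: `## Read and write abrt cache files through an already-open descriptor inherited from abrt; no open permission is granted, so the caller cannot reach the cache on its own.`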
@@ -154,7 +173,7 @@ index 0b827c5..5ff3c88 100644
')
####################################
-@@ -253,6 +315,47 @@ interface(`abrt_manage_pid_files',`
+@@ -253,6 +334,47 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
@@ -202,7 +221,7 @@ index 0b827c5..5ff3c88 100644
#####################################
## <summary>
## All of the rules required to administrate
-@@ -276,28 +379,135 @@ interface(`abrt_admin',`
+@@ -276,28 +398,135 @@ interface(`abrt_admin',`
type abrt_var_cache_t, abrt_var_log_t;
type abrt_var_run_t, abrt_tmp_t;
type abrt_initrc_exec_t;
@@ -1968,10 +1987,10 @@ index e81bdbd..e3a396b 100644
- usermanage_domtrans_admin_passwd(anaconda_t)
-')
diff --git a/apache.fc b/apache.fc
-index fd9fa07..7263fd1 100644
+index fd9fa07..f53ba23 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,39 +1,56 @@
+@@ -1,39 +1,57 @@
HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
@@ -1982,6 +2001,7 @@ index fd9fa07..7263fd1 100644
-/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/owncloud/config\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
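Review bot: Labeling `/etc/owncloud/config\.php` as `httpd_sys_rw_content_t` makes ownCloud's configuration, which holds its database credentials, writable by httpd_t, so a file-write bug in any PHP served by the same httpd can rewrite it persistently; if ownCloud only writes this file during installation or upgrade, `httpd_sys_content_t` plus a documented one-off relabel (or enabling `httpd_unified` for the install) would be the least-privilege choice. I cannot tell from this page whether the application rewrites config.php at runtime, so confirm against the package before narrowing. Minor: the entry sits between `/etc/drupal.*` and `/etc/htdig`, breaking the alphabetical order of the surrounding block.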
@@ -2036,7 +2056,7 @@ index fd9fa07..7263fd1 100644
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-@@ -43,8 +60,9 @@ ifdef(`distro_suse', `
+@@ -43,8 +61,9 @@ ifdef(`distro_suse', `
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
@@ -2048,7 +2068,7 @@ index fd9fa07..7263fd1 100644
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -54,9 +72,12 @@ ifdef(`distro_suse', `
+@@ -54,9 +73,12 @@ ifdef(`distro_suse', `
/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -2061,7 +2081,7 @@ index fd9fa07..7263fd1 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,31 +94,45 @@ ifdef(`distro_suse', `
+@@ -73,31 +95,45 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -2111,7 +2131,7 @@ index fd9fa07..7263fd1 100644
/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-@@ -109,3 +144,25 @@ ifdef(`distro_debian', `
+@@ -109,3 +145,25 @@ ifdef(`distro_debian', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -4833,7 +4853,7 @@ index d80a16b..ef740ef 100644
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
-index 39799db..9c2d82f 100644
+index 39799db..07d242d 100644
--- a/automount.te
+++ b/automount.te
@@ -22,6 +22,9 @@ type automount_tmp_t;
@@ -4846,7 +4866,11 @@ index 39799db..9c2d82f 100644
########################################
#
# Local policy
-@@ -64,6 +67,7 @@ kernel_read_network_state(automount_t)
+@@ -61,9 +64,11 @@ kernel_read_fs_sysctls(automount_t)
+ kernel_read_proc_symlinks(automount_t)
+ kernel_read_system_state(automount_t)
+ kernel_read_network_state(automount_t)
++kernel_search_vm_sysctl(automount_t)
kernel_list_proc(automount_t)
kernel_dontaudit_search_xen_state(automount_t)
@@ -4854,7 +4878,7 @@ index 39799db..9c2d82f 100644
files_search_boot(automount_t)
# Automount is slowly adding all mount functionality internally
files_search_all(automount_t)
-@@ -79,7 +83,6 @@ fs_search_all(automount_t)
+@@ -79,7 +84,6 @@ fs_search_all(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
@@ -4862,7 +4886,7 @@ index 39799db..9c2d82f 100644
corenet_all_recvfrom_netlabel(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
-@@ -113,7 +116,6 @@ files_dontaudit_write_var_dirs(automount_t)
+@@ -113,7 +117,6 @@ files_dontaudit_write_var_dirs(automount_t)
files_getattr_all_dirs(automount_t)
files_list_mnt(automount_t)
files_getattr_home_dir(automount_t)
@@ -4870,7 +4894,7 @@ index 39799db..9c2d82f 100644
files_read_etc_runtime_files(automount_t)
# for if the mount point is not labelled
files_getattr_isid_type_dirs(automount_t)
-@@ -140,13 +142,8 @@ auth_use_nsswitch(automount_t)
+@@ -140,13 +143,8 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
@@ -4884,7 +4908,7 @@ index 39799db..9c2d82f 100644
userdom_dontaudit_use_unpriv_user_fds(automount_t)
userdom_dontaudit_search_user_home_dirs(automount_t)
-@@ -155,6 +152,13 @@ optional_policy(`
+@@ -155,6 +153,13 @@ optional_policy(`
')
optional_policy(`
@@ -5390,7 +5414,7 @@ index 44a1e3d..9b50c13 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 0968cb4..d81a285 100644
+index 0968cb4..70bebb1 100644
--- a/bind.te
+++ b/bind.te
@@ -6,6 +6,13 @@ policy_module(bind, 1.11.0)
@@ -5492,7 +5516,15 @@ index 0968cb4..d81a285 100644
init_dbus_chat_script(named_t)
sysnet_dbus_chat_dhcpc(named_t)
-@@ -199,6 +218,7 @@ optional_policy(`
+@@ -168,6 +187,7 @@ optional_policy(`
+
+ optional_policy(`
+ kerberos_keytab_template(named, named_t)
++ kerberos_tmp_filetrans_host_rcache(named_t, "DNS_25")
+ ')
+
+ optional_policy(`
+@@ -199,6 +219,7 @@ optional_policy(`
# cjp: why net_admin?!
allow ndc_t self:capability { dac_override net_admin };
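Review bot: `kerberos_tmp_filetrans_host_rcache(named_t, "DNS_25")` hard-codes the replay-cache file name, which is the service name plus the uid named runs as, so the label applies only while named keeps uid 25 and only to files named creates after this policy is loaded; an already-existing `/var/tmp/DNS_25` keeps its old label until it is removed or relabeled. The commit message says `/var/tmp/DNS25`, which does not match the name used here, so one of the two should be corrected. A short why-comment on the new line would save the next reader the lookup: `# krb5 replay cache for the DNS service principal; named runs as uid 25`. The enclosing optional_policy block continues outside the hunk.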
@@ -5500,7 +5532,7 @@ index 0968cb4..d81a285 100644
allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
-@@ -211,13 +231,13 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
+@@ -211,13 +232,13 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
allow ndc_t named_conf_t:file read_file_perms;
@@ -5516,7 +5548,7 @@ index 0968cb4..d81a285 100644
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -228,28 +248,26 @@ corenet_sendrecv_rndc_client_packets(ndc_t)
+@@ -228,28 +249,26 @@ corenet_sendrecv_rndc_client_packets(ndc_t)
domain_use_interactive_fds(ndc_t)
@@ -13798,7 +13830,7 @@ index 0000000..8b2fdba
+ sysnet_domtrans_ifconfig(ctdbd_t)
+')
diff --git a/cups.fc b/cups.fc
-index 848bb92..c584f5a 100644
+index 848bb92..e6ecaa5 100644
--- a/cups.fc
+++ b/cups.fc
@@ -19,7 +19,10 @@
@@ -13812,7 +13844,7 @@ index 848bb92..c584f5a 100644
/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -52,18 +55,28 @@
+@@ -52,18 +55,30 @@
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -13824,6 +13856,8 @@ index 848bb92..c584f5a 100644
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
++/var/log/hp(/.*)? gen_context(system_u:object_r:hplip_var_log_t,s0)
++
/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
@@ -13973,7 +14007,7 @@ index 305ddf4..c960be7 100644
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
')
diff --git a/cups.te b/cups.te
-index e5a8924..b9c34bf 100644
+index e5a8924..a600239 100644
--- a/cups.te
+++ b/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -13994,7 +14028,17 @@ index e5a8924..b9c34bf 100644
type hplip_t;
type hplip_exec_t;
init_daemon_domain(hplip_t, hplip_exec_t)
-@@ -104,6 +108,7 @@ ifdef(`enable_mls',`
+@@ -75,6 +79,9 @@ files_tmp_file(hplip_tmp_t)
+ type hplip_var_lib_t;
+ files_type(hplip_var_lib_t)
+
++type hplip_var_log_t;
++logging_log_file(hplip_var_log_t)
++
+ type hplip_var_run_t;
+ files_pid_file(hplip_var_run_t)
+
+@@ -104,6 +111,7 @@ ifdef(`enable_mls',`
# /usr/lib/cups/backend/serial needs sys_admin(?!)
allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
@@ -14002,7 +14046,7 @@ index e5a8924..b9c34bf 100644
allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
allow cupsd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -123,6 +128,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+@@ -123,6 +131,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
files_search_etc(cupsd_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
@@ -14010,7 +14054,7 @@ index e5a8924..b9c34bf 100644
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
-@@ -137,6 +143,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+@@ -137,6 +146,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
allow cupsd_t cupsd_lock_t:file manage_file_perms;
files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
@@ -14018,7 +14062,7 @@ index e5a8924..b9c34bf 100644
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
allow cupsd_t cupsd_log_t:dir setattr;
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
-@@ -146,11 +153,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+@@ -146,11 +156,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
@@ -14033,7 +14077,7 @@ index e5a8924..b9c34bf 100644
allow cupsd_t hplip_t:process { signal sigkill };
-@@ -159,14 +167,13 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+@@ -159,14 +170,13 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
@@ -14049,7 +14093,7 @@ index e5a8924..b9c34bf 100644
corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_generic_if(cupsd_t)
corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -211,6 +218,7 @@ mls_rangetrans_target(cupsd_t)
+@@ -211,6 +221,7 @@ mls_rangetrans_target(cupsd_t)
mls_socket_write_all_levels(cupsd_t)
mls_fd_use_all_levels(cupsd_t)
@@ -14057,7 +14101,7 @@ index e5a8924..b9c34bf 100644
term_use_unallocated_ttys(cupsd_t)
term_search_ptys(cupsd_t)
-@@ -220,11 +228,12 @@ corecmd_exec_bin(cupsd_t)
+@@ -220,11 +231,12 @@ corecmd_exec_bin(cupsd_t)
domain_use_interactive_fds(cupsd_t)
@@ -14071,7 +14115,7 @@ index e5a8924..b9c34bf 100644
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
files_list_world_readable(cupsd_t)
-@@ -258,7 +267,6 @@ libs_exec_lib_files(cupsd_t)
+@@ -258,7 +270,6 @@ libs_exec_lib_files(cupsd_t)
logging_send_audit_msgs(cupsd_t)
logging_send_syslog_msg(cupsd_t)
@@ -14079,7 +14123,7 @@ index e5a8924..b9c34bf 100644
# invoking ghostscript needs to read fonts
miscfiles_read_fonts(cupsd_t)
miscfiles_setattr_fonts_cache_dirs(cupsd_t)
-@@ -270,12 +278,6 @@ files_dontaudit_list_home(cupsd_t)
+@@ -270,12 +281,6 @@ files_dontaudit_list_home(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
@@ -14092,7 +14136,7 @@ index e5a8924..b9c34bf 100644
optional_policy(`
apm_domtrans_client(cupsd_t)
')
-@@ -287,6 +289,8 @@ optional_policy(`
+@@ -287,6 +292,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -14101,7 +14145,7 @@ index e5a8924..b9c34bf 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -297,8 +301,10 @@ optional_policy(`
+@@ -297,8 +304,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -14112,7 +14156,7 @@ index e5a8924..b9c34bf 100644
')
')
-@@ -311,10 +317,23 @@ optional_policy(`
+@@ -311,10 +320,23 @@ optional_policy(`
')
optional_policy(`
@@ -14136,7 +14180,7 @@ index e5a8924..b9c34bf 100644
mta_send_mail(cupsd_t)
')
-@@ -322,6 +341,8 @@ optional_policy(`
+@@ -322,6 +344,8 @@ optional_policy(`
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
@@ -14145,7 +14189,7 @@ index e5a8924..b9c34bf 100644
')
optional_policy(`
-@@ -371,8 +392,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +395,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -14156,7 +14200,7 @@ index e5a8924..b9c34bf 100644
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-@@ -381,7 +403,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+@@ -381,7 +406,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
kernel_read_system_state(cupsd_config_t)
kernel_read_all_sysctls(cupsd_config_t)
@@ -14164,7 +14208,7 @@ index e5a8924..b9c34bf 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -407,7 +428,6 @@ domain_use_interactive_fds(cupsd_config_t)
+@@ -407,7 +431,6 @@ domain_use_interactive_fds(cupsd_config_t)
domain_dontaudit_search_all_domains_state(cupsd_config_t)
files_read_usr_files(cupsd_config_t)
@@ -14172,7 +14216,7 @@ index e5a8924..b9c34bf 100644
files_read_etc_runtime_files(cupsd_config_t)
files_read_var_symlinks(cupsd_config_t)
-@@ -418,18 +438,15 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -418,18 +441,15 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -14193,7 +14237,7 @@ index e5a8924..b9c34bf 100644
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
-@@ -453,6 +470,10 @@ optional_policy(`
+@@ -453,6 +473,10 @@ optional_policy(`
')
optional_policy(`
@@ -14204,7 +14248,7 @@ index e5a8924..b9c34bf 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +488,10 @@ optional_policy(`
+@@ -467,6 +491,10 @@ optional_policy(`
')
optional_policy(`
@@ -14215,7 +14259,7 @@ index e5a8924..b9c34bf 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -526,7 +551,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
+@@ -526,7 +554,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
kernel_read_network_state(cupsd_lpd_t)
@@ -14223,7 +14267,7 @@ index e5a8924..b9c34bf 100644
corenet_all_recvfrom_netlabel(cupsd_lpd_t)
corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
corenet_udp_sendrecv_generic_if(cupsd_lpd_t)
-@@ -537,19 +561,18 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,19 +564,18 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
corenet_tcp_bind_generic_node(cupsd_lpd_t)
corenet_udp_bind_generic_node(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -14244,7 +14288,7 @@ index e5a8924..b9c34bf 100644
miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
cups_stream_connect(cupsd_lpd_t)
-@@ -577,7 +600,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
+@@ -577,7 +603,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -14252,7 +14296,7 @@ index e5a8924..b9c34bf 100644
files_read_usr_files(cups_pdf_t)
corecmd_exec_shell(cups_pdf_t)
-@@ -585,25 +607,23 @@ corecmd_exec_bin(cups_pdf_t)
+@@ -585,25 +610,23 @@ corecmd_exec_bin(cups_pdf_t)
auth_use_nsswitch(cups_pdf_t)
@@ -14287,7 +14331,19 @@ index e5a8924..b9c34bf 100644
')
########################################
-@@ -647,7 +667,6 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+@@ -638,6 +661,11 @@ files_search_etc(hplip_t)
+ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+ manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+
++manage_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
++manage_fifo_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
++manage_dirs_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
++logging_log_filetrans(hplip_t,hplip_var_log_t,{ dir fifo_file file })
++
+ manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
+ files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
+
+@@ -647,7 +675,6 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
@@ -14295,7 +14351,7 @@ index e5a8924..b9c34bf 100644
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_generic_if(hplip_t)
corenet_udp_sendrecv_generic_if(hplip_t)
-@@ -661,10 +680,10 @@ corenet_tcp_bind_generic_node(hplip_t)
+@@ -661,10 +688,10 @@ corenet_tcp_bind_generic_node(hplip_t)
corenet_udp_bind_generic_node(hplip_t)
corenet_tcp_bind_hplip_port(hplip_t)
corenet_tcp_connect_hplip_port(hplip_t)
@@ -14309,7 +14365,7 @@ index e5a8924..b9c34bf 100644
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
-@@ -685,19 +704,23 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,19 +712,23 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -14337,7 +14393,7 @@ index e5a8924..b9c34bf 100644
optional_policy(`
dbus_system_bus_client(hplip_t)
-@@ -743,7 +766,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -743,7 +774,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -14345,7 +14401,7 @@ index e5a8924..b9c34bf 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -760,13 +782,10 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -760,13 +790,10 @@ fs_search_auto_mountpoints(ptal_t)
domain_use_interactive_fds(ptal_t)
@@ -18100,7 +18156,7 @@ index e1d7dc5..66d42bb 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/dovecot.te b/dovecot.te
-index 2df7766..ac6dbc1 100644
+index 2df7766..0022b87 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -4,12 +4,12 @@ policy_module(dovecot, 1.14.0)
@@ -18277,14 +18333,14 @@ index 2df7766..ac6dbc1 100644
+ mta_manage_home_rw(dovecot_t)
+ mta_manage_spool(dovecot_t)
+')
-
- optional_policy(`
-- kerberos_keytab_template(dovecot, dovecot_t)
++
++optional_policy(`
+ kerberos_keytab_template(dovecot_t, dovecot_t)
+ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
+')
-+
-+optional_policy(`
+
+ optional_policy(`
+- kerberos_keytab_template(dovecot, dovecot_t)
+ gnome_manage_data(dovecot_t)
+')
+
@@ -18426,7 +18482,7 @@ index 2df7766..ac6dbc1 100644
dovecot_stream_connect_auth(dovecot_deliver_t)
-@@ -283,24 +322,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +322,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
@@ -18437,8 +18493,16 @@ index 2df7766..ac6dbc1 100644
- fs_manage_nfs_dirs(dovecot_t)
- fs_manage_nfs_files(dovecot_t)
- fs_manage_nfs_symlinks(dovecot_t)
--')
+userdom_home_manager(dovecot_deliver_t)
++
++optional_policy(`
++ gnome_manage_data(dovecot_deliver_t)
++')
++
++optional_policy(`
++ mta_mailserver_delivery(dovecot_deliver_t)
++ mta_read_queue(dovecot_deliver_t)
+ ')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(dovecot_deliver_t)
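Review bot: `mta_mailserver_delivery(dovecot_deliver_t)` attaches the mail-server-delivery attribute, which brings every rule written against that attribute in mta.te and elsewhere rather than just what the LDA needs for mailbox delivery; the hunk drops the narrower `mta_manage_home_rw(dovecot_deliver_t)` in its favour but records nothing about which accesses were missing. Suggest a why-comment above the call, `# dovecot-lda delivers into user mailboxes and spools; the delivery attribute supplies the spool/home mail access that mta_manage_home_rw lacked`, and confirm whether `mta_read_queue` is still needed once the attribute is present (mta.if is not visible from here). The enclosing dovecot_deliver_t block continues outside the hunk.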
@@ -18448,20 +18512,11 @@ index 2df7766..ac6dbc1 100644
- fs_manage_cifs_files(dovecot_t)
- fs_manage_cifs_symlinks(dovecot_t)
+optional_policy(`
-+ gnome_manage_data(dovecot_deliver_t)
++ postfix_use_fds_master(dovecot_deliver_t)
')
optional_policy(`
- mta_manage_spool(dovecot_deliver_t)
-+ mta_read_queue(dovecot_deliver_t)
-+ mta_manage_home_rw(dovecot_deliver_t)
-+')
-+
-+optional_policy(`
-+ postfix_use_fds_master(dovecot_deliver_t)
-+')
-+
-+optional_policy(`
+- mta_manage_spool(dovecot_deliver_t)
+ # Handle sieve scripts
+ sendmail_domtrans(dovecot_deliver_t)
')
@@ -24398,20 +24453,22 @@ index 4fde46b..74a2212 100644
policykit_domtrans_auth(gnomeclock_t)
policykit_read_lib(gnomeclock_t)
diff --git a/gpg.fc b/gpg.fc
-index 5207fc2..2dd4ff9 100644
+index 5207fc2..a7848a2 100644
--- a/gpg.fc
+++ b/gpg.fc
-@@ -1,6 +1,8 @@
+@@ -1,6 +1,10 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
++/etc/mail/spamassassin/sa-update-keys(/.*)? gen_context(system_u:object_r:gpg_secret_t,s0)
++
+/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
diff --git a/gpg.if b/gpg.if
-index 6d50300..46cc164 100644
+index 6d50300..2f0feca 100644
--- a/gpg.if
+++ b/gpg.if
@@ -54,15 +54,16 @@ interface(`gpg_role',`
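Review bot: Labelling `/etc/mail/spamassassin/sa-update-keys(/.*)?` with gpg_secret_t reuses a type this patch otherwise treats as home-directory content (the `HOME_DIR/\.gnupg` entries above it and the `.gnupg` name transition in gpg.te), so a system-wide keyring under /etc inherits every rule written for user keyrings. If gpg_secret_t is declared as user home content (its declaration is not in this chunk), any domain granted generic user-home-content access can also reach the sa-update keys; a dedicated type for this directory would keep the two audiences apart. If sharing the type is deliberate, a comment line above the entry, `# system keyring used by sa-update; shares gpg_secret_t so gpg_t can manage it — confirm gpg_secret_t is not user home content`, records the trade-off for the next reader.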
@@ -24498,8 +24555,30 @@ index 6d50300..46cc164 100644
########################################
## <summary>
## Send generic signals to user gpg processes.
+@@ -179,3 +218,21 @@ interface(`gpg_list_user_secrets',`
+ list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
+ userdom_search_user_home_dirs($1)
+ ')
++
++########################################
++## <summary>
++## Transition to gpg named home content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gpg_filetrans_home_content',`
++ gen_require(`
++ type gpg_secret_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
++')
diff --git a/gpg.te b/gpg.te
-index 72a113e..fd9ad06 100644
+index 72a113e..29063e5 100644
--- a/gpg.te
+++ b/gpg.te
@@ -4,6 +4,7 @@ policy_module(gpg, 2.6.0)
@@ -24602,15 +24681,18 @@ index 72a113e..fd9ad06 100644
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
-@@ -77,6 +100,7 @@ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+@@ -77,16 +100,16 @@ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
allow gpg_t gpg_secret_t:dir create_dir_perms;
+manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
- userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
-@@ -86,7 +110,6 @@ kernel_read_sysctl(gpg_t)
+-userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
++userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
+
+ kernel_read_sysctl(gpg_t)
+
corecmd_exec_shell(gpg_t)
corecmd_exec_bin(gpg_t)
@@ -24626,7 +24708,7 @@ index 72a113e..fd9ad06 100644
files_read_usr_files(gpg_t)
files_dontaudit_search_var(gpg_t)
-@@ -114,24 +136,26 @@ auth_use_nsswitch(gpg_t)
+@@ -114,24 +136,23 @@ auth_use_nsswitch(gpg_t)
logging_send_syslog_msg(gpg_t)
@@ -24643,27 +24725,26 @@ index 72a113e..fd9ad06 100644
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+userdom_stream_connect(gpg_t)
- mta_write_config(gpg_t)
+-mta_write_config(gpg_t)
++mta_manage_config(gpg_t)
++mta_read_spool(gpg_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gpg_t)
- fs_manage_nfs_files(gpg_t)
+-')
+userdom_home_manager(gpg_t)
-+
-+optional_policy(`
-+ gnome_read_config(gpg_t)
-+ gnome_stream_connect_gkeyringd(gpg_t)
- ')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gpg_t)
- fs_manage_cifs_files(gpg_t)
+optional_policy(`
-+ mta_read_spool(gpg_t)
++ gnome_read_config(gpg_t)
++ gnome_stream_connect_gkeyringd(gpg_t)
')
optional_policy(`
-@@ -140,15 +164,19 @@ optional_policy(`
+@@ -140,15 +161,19 @@ optional_policy(`
')
optional_policy(`
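Review bot: `mta_manage_config(gpg_t)` on the new side grants gpg_t create/write/delete on every file labelled etc_mail_t, not only the spamassassin directory the changelog names, and gpg_t is a user-role domain (the `gpg_role` interface in gpg.if above), so any user's gpg invocation could rewrite MTA configuration. The previous `mta_write_config` was narrower; since the gpg.fc hunk already gives `sa-update-keys` its own label, it is worth confirming whether sa-update really needs manage rights on the rest of /etc/mail or only on that directory. If the wider grant is intentional, a comment such as `# sa-update writes lock/key files under /etc/mail/spamassassin (etc_mail_t)` next to it would explain the scope. The enclosing gpg_t section continues outside the hunk.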
@@ -24687,7 +24768,7 @@ index 72a113e..fd9ad06 100644
########################################
#
# GPG helper local policy
-@@ -166,7 +194,6 @@ allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
+@@ -166,7 +191,6 @@ allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
dontaudit gpg_helper_t gpg_secret_t:file read;
@@ -24695,7 +24776,7 @@ index 72a113e..fd9ad06 100644
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
corenet_raw_sendrecv_generic_if(gpg_helper_t)
-@@ -180,11 +207,10 @@ corenet_tcp_bind_generic_node(gpg_helper_t)
+@@ -180,11 +204,10 @@ corenet_tcp_bind_generic_node(gpg_helper_t)
corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)
@@ -24708,7 +24789,7 @@ index 72a113e..fd9ad06 100644
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -198,15 +224,17 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -198,15 +221,17 @@ tunable_policy(`use_samba_home_dirs',`
#
# GPG agent local policy
#
@@ -24727,7 +24808,7 @@ index 72a113e..fd9ad06 100644
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
-@@ -223,43 +251,34 @@ corecmd_read_bin_symlinks(gpg_agent_t)
+@@ -223,43 +248,34 @@ corecmd_read_bin_symlinks(gpg_agent_t)
corecmd_search_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)
@@ -24776,7 +24857,7 @@ index 72a113e..fd9ad06 100644
optional_policy(`
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
-@@ -294,10 +313,10 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+@@ -294,10 +310,10 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)
@@ -24788,7 +24869,7 @@ index 72a113e..fd9ad06 100644
corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
corenet_tcp_bind_generic_node(gpg_pinentry_t)
corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
-@@ -310,7 +329,6 @@ dev_read_rand(gpg_pinentry_t)
+@@ -310,7 +326,6 @@ dev_read_rand(gpg_pinentry_t)
files_read_usr_files(gpg_pinentry_t)
# read /etc/X11/qtrc
@@ -24796,7 +24877,7 @@ index 72a113e..fd9ad06 100644
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
fs_getattr_tmpfs(gpg_pinentry_t)
-@@ -320,18 +338,19 @@ auth_use_nsswitch(gpg_pinentry_t)
+@@ -320,18 +335,19 @@ auth_use_nsswitch(gpg_pinentry_t)
logging_send_syslog_msg(gpg_pinentry_t)
miscfiles_read_fonts(gpg_pinentry_t)
@@ -24822,7 +24903,7 @@ index 72a113e..fd9ad06 100644
')
optional_policy(`
-@@ -340,6 +359,12 @@ optional_policy(`
+@@ -340,6 +356,12 @@ optional_policy(`
')
optional_policy(`
@@ -24835,7 +24916,7 @@ index 72a113e..fd9ad06 100644
pulseaudio_exec(gpg_pinentry_t)
pulseaudio_rw_home_files(gpg_pinentry_t)
pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -349,4 +374,27 @@ optional_policy(`
+@@ -349,4 +371,27 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -27848,7 +27929,7 @@ index 0c52f60..2b8ea1e 100644
optional_policy(`
diff --git a/kerberos.fc b/kerberos.fc
-index 3525d24..7a41958 100644
+index 3525d24..8c702c9 100644
--- a/kerberos.fc
+++ b/kerberos.fc
@@ -13,13 +13,14 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
@@ -27870,7 +27951,7 @@ index 3525d24..7a41958 100644
/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-@@ -27,7 +28,16 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+@@ -27,7 +28,17 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
@@ -27878,9 +27959,10 @@ index 3525d24..7a41958 100644
-/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
-+
-+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++
++/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
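Review bot: The new pattern `/var/tmp/DNS_25 --` follows the krb5 replay-cache naming the neighbouring entries use (`host_0`, `HTTP_48`), while the commit message and spec changelog spell it `DNS25`; the file-context line is what applies at relabel time, so the message is the one that should be corrected to match. A comment line above the entry, `# krb5 replay cache for the DNS service principal (uid 25, presumably named)`, would document which service the entry exists for, as the numeric suffix alone does not say.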
@@ -27890,7 +27972,7 @@ index 3525d24..7a41958 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
-index 604f67b..c0e0a8f 100644
+index 604f67b..55121d7 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -82,14 +82,11 @@ interface(`kerberos_use',`
@@ -28024,7 +28106,7 @@ index 604f67b..c0e0a8f 100644
ps_process_pattern($1, kpropd_t)
init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
-@@ -378,3 +378,115 @@ interface(`kerberos_admin',`
+@@ -378,3 +378,116 @@ interface(`kerberos_admin',`
admin_pattern($1, krb5kdc_var_run_t)
')
@@ -28131,6 +28213,7 @@ index 604f67b..c0e0a8f 100644
+ kerberos_etc_filetrans_keytab($1, "krb5.keytab")
+ kerberos_filetrans_admin_home_content($1)
+
++ kerberos_tmp_filetrans_host_rcache($1, "DNS_25")
+ kerberos_tmp_filetrans_host_rcache($1, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
@@ -33711,7 +33794,7 @@ index afa18c8..f6e2bb8 100644
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
-index 4e2a5ba..1185c88c 100644
+index 4e2a5ba..739553a 100644
--- a/mta.if
+++ b/mta.if
@@ -37,6 +37,7 @@ interface(`mta_stub',`
@@ -34000,7 +34083,33 @@ index 4e2a5ba..1185c88c 100644
## Read mail server configuration.
## </summary>
## <param name="domain">
-@@ -496,6 +536,7 @@ interface(`mta_read_aliases',`
+@@ -481,6 +521,25 @@ interface(`mta_write_config',`
+
+ ########################################
+ ## <summary>
++## Manage mail server configuration.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`mta_manage_config',`
++ gen_require(`
++ type etc_mail_t;
++ ')
++
++ manage_files_pattern($1, etc_mail_t, etc_mail_t)
++')
++
++########################################
++## <summary>
+ ## Read mail address aliases.
+ ## </summary>
+ ## <param name="domain">
+@@ -496,6 +555,7 @@ interface(`mta_read_aliases',`
files_search_etc($1)
allow $1 etc_aliases_t:file read_file_perms;
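Review bot: `mta_manage_config` grants `manage_files_pattern($1, etc_mail_t, etc_mail_t)` but, unlike the neighbouring `mta_read_aliases` whose body calls `files_search_etc($1)`, it does not give the caller search on /etc, so a domain relying on this interface alone cannot reach the files it is allowed to manage. Adding `files_search_etc($1)` before the pattern line, as the sibling interfaces do, keeps the interface self-contained. The `<rolecap/>` tag also advertises write access to all MTA configuration as a role capability; if that tag has its usual meaning here, dropping it unless a role is meant to receive this is the conservative choice.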
@@ -34008,7 +34117,7 @@ index 4e2a5ba..1185c88c 100644
')
########################################
-@@ -534,7 +575,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -534,7 +594,7 @@ interface(`mta_etc_filetrans_aliases',`
type etc_aliases_t;
')
@@ -34017,7 +34126,7 @@ index 4e2a5ba..1185c88c 100644
')
########################################
-@@ -554,7 +595,7 @@ interface(`mta_rw_aliases',`
+@@ -554,7 +614,7 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -34026,7 +34135,7 @@ index 4e2a5ba..1185c88c 100644
')
#######################################
-@@ -576,6 +617,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+@@ -576,6 +636,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
dontaudit $1 mailserver_delivery:tcp_socket { read write };
')
@@ -34052,7 +34161,7 @@ index 4e2a5ba..1185c88c 100644
#######################################
## <summary>
## Connect to all mail servers over TCP. (Deprecated)
-@@ -648,8 +708,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -648,8 +727,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -34063,7 +34172,7 @@ index 4e2a5ba..1185c88c 100644
')
#######################################
-@@ -679,7 +739,26 @@ interface(`mta_spool_filetrans',`
+@@ -679,7 +758,26 @@ interface(`mta_spool_filetrans',`
')
files_search_spool($1)
@@ -34091,7 +34200,7 @@ index 4e2a5ba..1185c88c 100644
')
########################################
-@@ -699,8 +778,8 @@ interface(`mta_rw_spool',`
+@@ -699,8 +797,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -34102,7 +34211,7 @@ index 4e2a5ba..1185c88c 100644
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -840,7 +919,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -840,7 +938,7 @@ interface(`mta_dontaudit_rw_queue',`
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -34111,7 +34220,7 @@ index 4e2a5ba..1185c88c 100644
')
########################################
-@@ -866,6 +945,36 @@ interface(`mta_manage_queue',`
+@@ -866,6 +964,36 @@ interface(`mta_manage_queue',`
#######################################
## <summary>
@@ -34148,7 +34257,7 @@ index 4e2a5ba..1185c88c 100644
## Read sendmail binary.
## </summary>
## <param name="domain">
-@@ -901,3 +1010,170 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -901,3 +1029,171 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -34239,6 +34348,7 @@ index 4e2a5ba..1185c88c 100644
+ ')
+
+ userdom_search_user_home_dirs($1)
++ userdom_search_admin_dir($1)
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
@@ -34276,7 +34386,7 @@ index 4e2a5ba..1185c88c 100644
+
+########################################
+## <summary>
-+## Transition to mta named content
++## Transition to mta named home content
+## </summary>
+## <param name="domain">
+## <summary>
@@ -34299,7 +34409,7 @@ index 4e2a5ba..1185c88c 100644
+
+########################################
+## <summary>
-+## Transition to apache named content
++## Transition to mta named content
+## </summary>
+## <param name="domain">
+## <summary>
@@ -43136,7 +43246,7 @@ index 9759ed8..17c097d 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/plymouthd.te b/plymouthd.te
-index 86700ed..3496938 100644
+index 86700ed..ac3821e 100644
--- a/plymouthd.te
+++ b/plymouthd.te
@@ -1,4 +1,4 @@
@@ -43208,7 +43318,7 @@ index 86700ed..3496938 100644
+term_use_unallocated_ttys(plymouthd_t)
+
+optional_policy(`
-+ gnome_dontaudit_search_config(plymouthd_t)
++ gnome_read_config(plymouthd_t)
+')
+
+optional_policy(`
@@ -51146,14 +51256,15 @@ index 3786c45..1ad9c12 100644
rpc_domtrans_nfsd(rgmanager_t)
rpc_domtrans_rpcd(rgmanager_t)
diff --git a/rhcs.fc b/rhcs.fc
-index c2ba53b..1f935bf 100644
+index c2ba53b..bd4e3c0 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,20 +1,25 @@
+@@ -1,22 +1,28 @@
/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
@@ -51173,57 +51284,16 @@ index c2ba53b..1f935bf 100644
/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
- /var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+-/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/fence.* gen_context(system_u:object_r:fenced_var_run_t,s0)
/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+ /var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+ /var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
diff --git a/rhcs.if b/rhcs.if
-index de37806..8ed6546 100644
+index de37806..3578975 100644
--- a/rhcs.if
+++ b/rhcs.if
-@@ -1,3 +1,43 @@
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
- ## <summary>RHCS - Red Hat Cluster Suite</summary>
-
- #######################################
-@@ -13,7 +53,7 @@
+@@ -13,7 +13,7 @@
#
template(`rhcs_domain_template',`
gen_require(`
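Review bot: `/var/run/fence.* gen_context(system_u:object_r:fenced_var_run_t,s0)` replaces the anchored `/var/run/fenced\.pid --` with a prefix match and no file-class field, so it labels directories, sockets and any future `/var/run/fence*` entry as fenced_var_run_t. If the goal is to cover fenced and the newly relabelled fence_virtd, an explicit pattern such as `/var/run/fence(d|_virtd)\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)` (constructed; confirm the actual pid file names) keeps the class restriction and avoids capturing unrelated files. The rest of this hunk only drops the run of blank `+` lines at the top of rhcs.if, which is fine.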
@@ -51232,7 +51302,7 @@ index de37806..8ed6546 100644
')
##############################
-@@ -25,13 +65,13 @@ template(`rhcs_domain_template',`
+@@ -25,13 +25,13 @@ template(`rhcs_domain_template',`
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
@@ -51248,20 +51318,20 @@ index de37806..8ed6546 100644
files_pid_file($1_var_run_t)
##############################
-@@ -50,8 +90,11 @@ template(`rhcs_domain_template',`
+@@ -50,8 +50,11 @@ template(`rhcs_domain_template',`
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
+ files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
-
-+ auth_use_nsswitch($1_t)
+
++ auth_use_nsswitch($1_t)
+
+ logging_send_syslog_msg($1_t)
')
######################################
-@@ -59,9 +102,9 @@ template(`rhcs_domain_template',`
+@@ -59,9 +62,9 @@ template(`rhcs_domain_template',`
## Execute a domain transition to run dlm_controld.
## </summary>
## <param name="domain">
@@ -51273,7 +51343,7 @@ index de37806..8ed6546 100644
## </param>
#
interface(`rhcs_domtrans_dlm_controld',`
-@@ -133,6 +176,24 @@ interface(`rhcs_domtrans_fenced',`
+@@ -133,6 +136,24 @@ interface(`rhcs_domtrans_fenced',`
domtrans_pattern($1, fenced_exec_t, fenced_t)
')
@@ -51298,16 +51368,35 @@ index de37806..8ed6546 100644
######################################
## <summary>
## Allow read and write access to fenced semaphores.
-@@ -156,7 +217,7 @@ interface(`rhcs_rw_fenced_semaphores',`
+@@ -156,7 +177,26 @@ interface(`rhcs_rw_fenced_semaphores',`
######################################
## <summary>
-## Connect to fenced over an unix domain stream socket.
++## Read fenced PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhcs_read_fenced_pid_files',`
++ gen_require(`
++ type fenced_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, fenced_var_run_t, fenced_var_run_t)
++')
++
++######################################
++## <summary>
+## Connect to fenced over a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
-@@ -169,9 +230,8 @@ interface(`rhcs_stream_connect_fenced',`
+@@ -169,9 +209,8 @@ interface(`rhcs_stream_connect_fenced',`
type fenced_var_run_t, fenced_t;
')
@@ -51318,7 +51407,7 @@ index de37806..8ed6546 100644
')
#####################################
-@@ -237,7 +297,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
+@@ -237,7 +276,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
#####################################
## <summary>
@@ -51327,7 +51416,7 @@ index de37806..8ed6546 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -335,6 +395,65 @@ interface(`rhcs_rw_groupd_shm',`
+@@ -335,6 +374,65 @@ interface(`rhcs_rw_groupd_shm',`
manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
')
@@ -51393,7 +51482,7 @@ index de37806..8ed6546 100644
######################################
## <summary>
## Execute a domain transition to run qdiskd.
-@@ -353,3 +472,80 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -353,3 +451,80 @@ interface(`rhcs_domtrans_qdiskd',`
corecmd_search_bin($1)
domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
')
@@ -51475,7 +51564,7 @@ index de37806..8ed6546 100644
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
diff --git a/rhcs.te b/rhcs.te
-index 93c896a..79f8185 100644
+index 93c896a..f8548d0 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -12,7 +12,16 @@ policy_module(rhcs, 1.1.0)
@@ -51547,7 +51636,7 @@ index 93c896a..79f8185 100644
can_exec(fenced_t, fenced_exec_t)
-@@ -82,13 +101,19 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -82,13 +101,21 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -51558,7 +51647,9 @@ index 93c896a..79f8185 100644
+corenet_udp_bind_ionixnetmon_port(fenced_t)
+corenet_tcp_bind_zented_port(fenced_t)
++corenet_udp_bind_zented_port(fenced_t)
corenet_tcp_connect_http_port(fenced_t)
++corenet_tcp_connect_zented_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
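Review bot: The new `corenet_udp_bind_zented_port(fenced_t)` and `corenet_tcp_connect_zented_port(fenced_t)` lines widen fenced_t's network footprint without saying which daemon needs them; the zented port in refpolicy's corenetwork is 1229, which is also fence_virt's default port, so this is presumably for fence_virtd, which this patch relabels to fenced_exec_t in rhcs.fc. A comment above the group, `# fence_virtd listens on and connects to the fence_virt port (labelled zented_port_t)`, ties the grant to its consumer so it can be moved if fence_virtd gets its own domain later. The surrounding fenced_t block continues outside the hunk.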
@@ -51567,7 +51658,7 @@ index 93c896a..79f8185 100644
files_read_usr_symlinks(fenced_t)
storage_raw_read_fixed_disk(fenced_t)
-@@ -97,16 +122,35 @@ storage_raw_read_removable_device(fenced_t)
+@@ -97,16 +124,35 @@ storage_raw_read_removable_device(fenced_t)
term_getattr_pty_fs(fenced_t)
term_use_ptmx(fenced_t)
@@ -51606,7 +51697,7 @@ index 93c896a..79f8185 100644
')
optional_policy(`
-@@ -114,13 +158,46 @@ optional_policy(`
+@@ -114,13 +160,46 @@ optional_policy(`
lvm_read_config(fenced_t)
')
@@ -51654,7 +51745,7 @@ index 93c896a..79f8185 100644
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -139,10 +216,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -139,10 +218,6 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
optional_policy(`
@@ -51665,7 +51756,7 @@ index 93c896a..79f8185 100644
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
-@@ -154,12 +227,12 @@ optional_policy(`
+@@ -154,12 +229,12 @@ optional_policy(`
allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
@@ -51680,7 +51771,7 @@ index 93c896a..79f8185 100644
init_rw_script_tmp_files(groupd_t)
-@@ -168,8 +241,7 @@ init_rw_script_tmp_files(groupd_t)
+@@ -168,8 +243,7 @@ init_rw_script_tmp_files(groupd_t)
# qdiskd local policy
#
@@ -51690,7 +51781,7 @@ index 93c896a..79f8185 100644
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
-@@ -182,7 +254,7 @@ kernel_read_system_state(qdiskd_t)
+@@ -182,7 +256,7 @@ kernel_read_system_state(qdiskd_t)
kernel_read_software_raid_state(qdiskd_t)
kernel_getattr_core_if(qdiskd_t)
@@ -51699,7 +51790,7 @@ index 93c896a..79f8185 100644
corecmd_exec_shell(qdiskd_t)
dev_read_sysfs(qdiskd_t)
-@@ -197,19 +269,14 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t)
+@@ -197,19 +271,14 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t)
files_dontaudit_getattr_all_sockets(qdiskd_t)
files_dontaudit_getattr_all_pipes(qdiskd_t)
@@ -51721,7 +51812,7 @@ index 93c896a..79f8185 100644
optional_policy(`
netutils_domtrans_ping(qdiskd_t)
')
-@@ -223,18 +290,24 @@ optional_policy(`
+@@ -223,18 +292,24 @@ optional_policy(`
# rhcs domains common policy
#
@@ -57939,7 +58030,7 @@ index bcdd16c..039b0c8 100644
files_list_var_lib($1)
admin_pattern($1, setroubleshoot_var_lib_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 086cd5f..4a59722 100644
+index 086cd5f..497c1b4 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -58017,7 +58108,7 @@ index 086cd5f..4a59722 100644
term_dontaudit_use_all_ptys(setroubleshootd_t)
term_dontaudit_use_all_ttys(setroubleshootd_t)
-@@ -104,7 +112,8 @@ auth_use_nsswitch(setroubleshootd_t)
+@@ -104,15 +112,15 @@ auth_use_nsswitch(setroubleshootd_t)
init_read_utmp(setroubleshootd_t)
init_dontaudit_write_utmp(setroubleshootd_t)
@@ -58027,16 +58118,16 @@ index 086cd5f..4a59722 100644
locallogin_dontaudit_use_fds(setroubleshootd_t)
-@@ -112,8 +121,6 @@ logging_send_audit_msgs(setroubleshootd_t)
+ logging_send_audit_msgs(setroubleshootd_t)
logging_send_syslog_msg(setroubleshootd_t)
logging_stream_connect_dispatcher(setroubleshootd_t)
-
--modutils_read_module_config(setroubleshootd_t)
-
+-modutils_read_module_config(setroubleshootd_t)
++logging_stream_connect_syslog(setroubleshootd_t)
+
seutil_read_config(setroubleshootd_t)
seutil_read_file_contexts(setroubleshootd_t)
- seutil_read_bin_policy(setroubleshootd_t)
-@@ -121,10 +128,23 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -121,10 +129,23 @@ seutil_read_bin_policy(setroubleshootd_t)
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
optional_policy(`
@@ -58060,7 +58151,7 @@ index 086cd5f..4a59722 100644
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
-@@ -151,10 +171,14 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+@@ -151,10 +172,14 @@ kernel_read_system_state(setroubleshoot_fixit_t)
corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
@@ -58076,7 +58167,7 @@ index 086cd5f..4a59722 100644
files_list_tmp(setroubleshoot_fixit_t)
auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -162,7 +186,16 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -162,7 +187,16 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t)
@@ -65158,7 +65249,7 @@ index 32a3c13..0cbca75 100644
optional_policy(`
diff --git a/virt.fc b/virt.fc
-index 2124b6a..e18ac1c 100644
+index 2124b6a..d85be92 100644
--- a/virt.fc
+++ b/virt.fc
@@ -1,6 +1,14 @@
@@ -65178,7 +65269,7 @@ index 2124b6a..e18ac1c 100644
/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +20,51 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +20,50 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
@@ -65190,7 +65281,6 @@ index 2124b6a..e18ac1c 100644
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
-+/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0)
-/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
@@ -65989,7 +66079,7 @@ index 6f0736b..d5b53ed 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..3db2296 100644
+index 947bbc6..bf78cc7 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,87 @@ policy_module(virt, 1.5.0)
@@ -66627,7 +66717,7 @@ index 947bbc6..3db2296 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -449,23 +667,480 @@ files_search_all(virt_domain)
+@@ -449,23 +667,484 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -66772,6 +66862,10 @@ index 947bbc6..3db2296 100644
+')
+
+optional_policy(`
++ rhcs_domtrans_fenced(virsh_t)
++')
++
++optional_policy(`
+ rpm_exec(virsh_t)
+')
+
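Review bot: `rhcs_domtrans_fenced(virsh_t)` lets virsh_t, the same domain virt-sandbox-service runs in per the virt.fc lines above, execute anything labelled fenced_exec_t and run it as fenced_t, which in rhcs.te holds `storage_raw_read_fixed_disk` and a set of cluster network permissions. With fence_virtd now labelled fenced_exec_t, this is presumably how virsh-driven tooling starts it, but the commit message ("interact with") does not say which caller needs an exec transition rather than the narrower `rhcs_read_fenced_pid_files` or `rhcs_stream_connect_fenced` also touched by this patch. A comment naming the caller, `# virsh/virt-sandbox-service launch fence_virtd (fenced_exec_t)`, and a check that a narrower interface does not suffice would justify the grant.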
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f032e78..0dea5c8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 28%{?dist}
+Release: 29%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,19 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Nov 2 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-29
+- Add mei_device_t
+- Make sure gpg content in homedir created with correct label
+- Allow dmesg to write to abrt cache files
+- automount wants to search virtual memory sysctls
+- Add support for hplip logs stored in /var/log/hp/tmp
+- Add labeling for /etc/owncloud/config.php
+- Allow setroubleshoot to send analysys to syslogd-journal
+- Allow virsh_t to interact with new fenced daemon
+- Allow gpg to write to /etc/mail/spamassassiin directories
+- Make dovecot_deliver_t a mail server delivery type
+- Add label for /var/tmp/DNS25
+
* Thu Sep 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-28
- Fixes for tomcat_domain template interface