[selinux-policy/f17] - Allow gpsd_t to setattr on usbtty_device - Allow mail_munin_plugins domain to run postconf - Donta

Miroslav Grepl mgrepl at fedoraproject.org
Thu Jan 3 12:15:48 UTC 2013


commit 29d9635c859884d34b63332f4338559ef1d2f40d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Jan 3 13:14:27 2013 +0100

    - Allow gpsd_t to setattr on usbtty_device
    - Allow mail_munin_plugins domain to run postconf
    - Dontaudit reading of domain states for mozilla-plugin-config
    - Backport corenetwork.te.in fixes related to http and keystone p
    - Backport cloudform policy from F18
    - Allow logrotate sys_ptrace capability
    - Allow mscan to read /etc/MailScanner/conf.d directory
    - Add support for HOME_DIR/.lyx
    - Add support for rt4
    - Backport rhsmcertd policy from F18
    - zoneminder needs to connect to httpd ports where remote cameras
    - Add ntp_exec() interface
    - Dontaudit setattr on user tmp files for mozilla plugins
    - Allow colord-sane to read proc/sys/kernel/osrelease
    - Allow setroubleshoot_fixit to execute rpm
    - Allow logwatch to getattr on all dirs
    - Allow chrome and mozilla_plugin to create msgq and semaphores
    - systemd_logind_t is looking at all files under /run/user/apache
    - Allow confine users to ptrace screen

 policy-F16.patch    |  267 +++++++++++++++++++++++++++++++++++---------------
 selinux-policy.spec |   23 ++++-
 2 files changed, 209 insertions(+), 81 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 9c512c7..d46167e 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -64435,7 +64435,7 @@ index 4f7bd3c..9143343 100644
 -	unconfined_domain(kudzu_t)
  ')
 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..dc342a7 100644
+index 7090dae..159414a 100644
 --- a/policy/modules/admin/logrotate.te
 +++ b/policy/modules/admin/logrotate.te
 @@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t)
@@ -64445,7 +64445,7 @@ index 7090dae..dc342a7 100644
 -allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
 -# for mailx
 -dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
-+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
++allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
  
  allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  
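Review bot: The new `+allow logrotate_t self:capability { ... sys_ptrace }` line turns CAP_SYS_PTRACE from a dontaudit into an unconditional grant, while the screen change in this same commit gates the equivalent permission on the `deny_ptrace` tunable. CAP_SYS_PTRACE lets logrotate read the /proc/<pid> state of processes it does not own, and although `process ptrace` is still excluded by the `~{ ptrace ... }` rule below, the capability is the half of a ptrace attach that a confined domain should not get silently. If the denial came from a postrotate script that only inspects another process, consider `tunable_policy(`deny_ptrace`,`',` allow logrotate_t self:capability sys_ptrace; ')` or keeping the dontaudit, and add a why-comment naming the script that triggered it.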
@@ -64632,7 +64632,7 @@ index 3c7b1e8..1e155f5 100644
 +
 +/var/run/epylog\.pid		gen_context(system_u:object_r:logwatch_var_run_t,s0)
 diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
-index 75ce30f..ee65fb8 100644
+index 75ce30f..5c04f2d 100644
 --- a/policy/modules/admin/logwatch.te
 +++ b/policy/modules/admin/logwatch.te
 @@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0)
@@ -64683,7 +64683,11 @@ index 75ce30f..ee65fb8 100644
  files_read_usr_files(logwatch_t)
  files_search_spool(logwatch_t)
  files_search_mnt(logwatch_t)
-@@ -70,6 +81,10 @@ fs_getattr_all_fs(logwatch_t)
+@@ -67,9 +78,14 @@ files_dontaudit_search_boot(logwatch_t)
+ files_dontaudit_search_all_dirs(logwatch_t)
+ 
+ fs_getattr_all_fs(logwatch_t)
++fs_getattr_all_dirs(logwatch_t)
  fs_dontaudit_list_auto_mountpoints(logwatch_t)
  fs_list_inotifyfs(logwatch_t)
  
@@ -64694,7 +64698,7 @@ index 75ce30f..ee65fb8 100644
  term_dontaudit_getattr_pty_dirs(logwatch_t)
  term_dontaudit_list_ptys(logwatch_t)
  
-@@ -92,11 +107,14 @@ sysnet_dns_name_resolve(logwatch_t)
+@@ -92,11 +108,14 @@ sysnet_dns_name_resolve(logwatch_t)
  sysnet_exec_ifconfig(logwatch_t)
  
  userdom_dontaudit_search_user_home_dirs(logwatch_t)
@@ -64710,7 +64714,7 @@ index 75ce30f..ee65fb8 100644
  	files_getattr_all_file_type_fs(logwatch_t)
  ')
  
-@@ -145,3 +163,24 @@ optional_policy(`
+@@ -145,3 +164,24 @@ optional_policy(`
  	samba_read_log(logwatch_t)
  	samba_read_share_files(logwatch_t)
  ')
@@ -68321,10 +68325,10 @@ index 0000000..efebae7
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..995ec10
+index 0000000..a0f7ed7
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,188 @@
+@@ -0,0 +1,190 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -68362,6 +68366,8 @@ index 0000000..995ec10
 +allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
 +allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
 +allow chrome_sandbox_t self:shm create_shm_perms;
++allow chrome_sandbox_t self:sem create_sem_perms;
++allow chrome_sandbox_t self:msgq create_msgq_perms;
 +allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
 +dontaudit chrome_sandbox_t self:memprotect mmap_zero;
 +
@@ -72030,10 +72036,10 @@ index dff0f12..ecab36d 100644
  init_dbus_chat_script(mono_t)
  
 diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
-index 93ac529..82f8e65 100644
+index 93ac529..64d260e 100644
 --- a/policy/modules/apps/mozilla.fc
 +++ b/policy/modules/apps/mozilla.fc
-@@ -1,8 +1,17 @@
+@@ -1,8 +1,18 @@
  HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
  HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
  HOME_DIR/\.mozilla(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -72045,13 +72051,14 @@ index 93ac529..82f8e65 100644
 +HOME_DIR/\.gnash(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.gcjwebplugin(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.icedteaplugin(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.lyx(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.spicec(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.ICAClient(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/zimbrauserdata(/.*)?          gen_context(system_u:object_r:mozilla_home_t,s0)
  
  #
  # /bin
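Review bot: `HOME_DIR/\.lyx(/.*)?` puts LyX's per-user configuration under mozilla_home_t, a type that mozilla_plugin_t and mozilla_plugin_config_t manage (dirs, files, lnk and fifo files) elsewhere in this patch. A compromised browser plugin could therefore rewrite everything LyX keeps in ~/.lyx, which presumably includes its preferences and converter definitions; if the need is only that a plugin creates or reads that directory, a dedicated home type with read-only access from the plugin domain, or a boolean, would be tighter. A comment naming which plugin touches ~/.lyx would at least record why an unrelated application's data shares the browser-plugin label.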
-@@ -14,16 +23,28 @@ HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+@@ -14,16 +24,28 @@ HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
  /usr/bin/epiphany		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
  /usr/bin/mozilla-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
  /usr/bin/mozilla-bin-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
@@ -72090,7 +72097,7 @@ index 93ac529..82f8e65 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..67c1168 100644
+index fbb5c5a..0202c5e 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -72233,7 +72240,7 @@ index fbb5c5a..67c1168 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -279,28 +361,118 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +361,119 @@ interface(`mozilla_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -72357,10 +72364,11 @@ index fbb5c5a..67c1168 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
 +')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..7208c08 100644
+index 2e9318b..836ce1c 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -7,11 +7,25 @@ policy_module(mozilla, 2.3.3)
@@ -72505,7 +72513,7 @@ index 2e9318b..7208c08 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -296,25 +318,35 @@ optional_policy(`
+@@ -296,25 +318,37 @@ optional_policy(`
  # mozilla_plugin local policy
  #
  
@@ -72524,6 +72532,7 @@ index 2e9318b..7208c08 100644
 +
  allow mozilla_plugin_t self:sem create_sem_perms;
  allow mozilla_plugin_t self:shm create_shm_perms;
++allow mozilla_plugin_t self:msgq create_msgq_perms;
 +allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
 +allow mozilla_plugin_t self:unix_dgram_socket sendto;
 +allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -72533,6 +72542,7 @@ index 2e9318b..7208c08 100644
 +manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 +manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 +manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
++manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 +mozilla_filetrans_home_content(mozilla_plugin_t)
  
  manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
@@ -72549,7 +72559,7 @@ index 2e9318b..7208c08 100644
  
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -322,39 +354,61 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -322,39 +356,61 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
  manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
  
@@ -72618,7 +72628,7 @@ index 2e9318b..7208c08 100644
  
  domain_use_interactive_fds(mozilla_plugin_t)
  domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,15 +416,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,15 +418,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
  files_read_config_files(mozilla_plugin_t)
  files_read_usr_files(mozilla_plugin_t)
  files_list_mnt(mozilla_plugin_t)
@@ -72642,12 +72652,13 @@ index 2e9318b..7208c08 100644
  logging_send_syslog_msg(mozilla_plugin_t)
  
  miscfiles_read_localization(mozilla_plugin_t)
-@@ -383,34 +445,30 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,34 +447,31 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
  
  term_getattr_all_ttys(mozilla_plugin_t)
  term_getattr_all_ptys(mozilla_plugin_t)
 +term_getattr_ptmx(mozilla_plugin_t)
  
++userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)
  userdom_rw_user_tmpfs_files(mozilla_plugin_t)
 +userdom_delete_user_tmpfs_files(mozilla_plugin_t)
  userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
@@ -72691,7 +72702,7 @@ index 2e9318b..7208c08 100644
  ')
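Review bot: The commit message describes this change as a dontaudit of setattr on user tmp files, but `userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)` targets user tmpfs files (consistent with the `userdom_rw_user_tmpfs_files` rule next to it); one of the two should be corrected so the changelog matches the rule. The interface itself is not visible here, so confirm it is defined in this patch's userdomain.if before building.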
  
  optional_policy(`
-@@ -421,24 +479,35 @@ optional_policy(`
+@@ -421,24 +482,35 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(mozilla_plugin_t)
  	dbus_session_bus_client(mozilla_plugin_t)
@@ -72731,7 +72742,7 @@ index 2e9318b..7208c08 100644
  ')
  
  optional_policy(`
-@@ -446,10 +515,106 @@ optional_policy(`
+@@ -446,10 +518,108 @@ optional_policy(`
  	pulseaudio_stream_connect(mozilla_plugin_t)
  	pulseaudio_setattr_home_dir(mozilla_plugin_t)
  	pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -72790,6 +72801,7 @@ index 2e9318b..7208c08 100644
 +manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
 +manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
 +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
++manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
 +
 +corecmd_exec_bin(mozilla_plugin_config_t)
 +corecmd_exec_shell(mozilla_plugin_config_t)
@@ -72798,6 +72810,7 @@ index 2e9318b..7208c08 100644
 +kernel_request_load_module(mozilla_plugin_config_t)
 +
 +domain_use_interactive_fds(mozilla_plugin_config_t)
++domain_dontaudit_read_all_domains_state(mozilla_plugin_config_t)
 +
 +files_read_etc_files(mozilla_plugin_config_t)
 +files_read_usr_files(mozilla_plugin_config_t)
@@ -75686,7 +75699,7 @@ index c8254dd..340a2d7 100644
  /var/run/screen(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 +/var/run/tmux(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
-index a57e81e..534470f 100644
+index a57e81e..871f8b2 100644
 --- a/policy/modules/apps/screen.if
 +++ b/policy/modules/apps/screen.if
 @@ -25,6 +25,7 @@ template(`screen_role_template',`
@@ -75697,7 +75710,7 @@ index a57e81e..534470f 100644
  	')
  
  	########################################
-@@ -32,51 +33,20 @@ template(`screen_role_template',`
+@@ -32,51 +33,24 @@ template(`screen_role_template',`
  	# Declarations
  	#
  
@@ -75722,7 +75735,10 @@ index a57e81e..534470f 100644
 -	allow $1_screen_t self:fd use;
 -	allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto };
 -	allow $1_screen_t self:unix_dgram_socket create_socket_perms;
--
++	tunable_policy(`deny_ptrace',`',`
++		allow $3 $1_screen_t:process ptrace;
++   ')
+ 
 -	manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
 -	manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
 -	manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
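Review bot: The closing `   ')` of the new `tunable_policy(`deny_ptrace`, ...)` block is indented with three spaces while the rest of the template uses tabs; it should be a tab-indented `')`. Gating the user domain's ptrace of `$1_screen_t` on `deny_ptrace` matches how that tunable is used elsewhere, and a short comment such as `# let users attach to their own screen session unless deny_ptrace is set` would explain the one cross-domain ptrace in the template. The body of screen_role_template starts and ends outside this hunk.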
@@ -75753,7 +75769,7 @@ index a57e81e..534470f 100644
  
  	manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
  	manage_dirs_pattern($3, screen_home_t, screen_home_t)
-@@ -87,77 +57,41 @@ template(`screen_role_template',`
+@@ -87,77 +61,41 @@ template(`screen_role_template',`
  	relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
  
  	manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
@@ -79501,7 +79517,7 @@ index 8e0f9cd..da3b374 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..08688bf 100644
+index 99b71cb..ec36f29 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,15 @@ attribute netif_type;
@@ -79635,9 +79651,10 @@ index 99b71cb..08688bf 100644
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
 -network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
-+network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
- network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
+-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
 -network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
++network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
++network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port
 +network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
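Review bot: Adding `tcp,81,s0` and `tcp,9000, s0` to `network_port(http, ...)` widens http_port_t for every domain that uses corenet_tcp_connect_http_port or corenet_tcp_bind_http_port, including rhsmcertd_t and deltacloudd_t later in this same commit; 9000 is a common default for unrelated services, so check that no other network_port line in corenetwork.te.in already declares tcp 9000, because a duplicate portcon is rejected at policy build time. The commit message only mentions zoneminder needing httpd ports for remote cameras, so a trailing comment like `# 81 and 9000 for zoneminder remote cameras` would document the reason. `tcp,9000, s0` should also follow the `tcp,9000,s0` spacing used by the rest of the line.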
@@ -79665,7 +79682,7 @@ index 99b71cb..08688bf 100644
 +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
 +network_port(kerberos_admin, tcp,749,s0)
 +network_port(kerberos_password, tcp,464,s0, udp,464,s0)
-+network_port(keystone, tcp,5000,s0, udp,5000,s0)
++network_port(keystone, tcp,5000,s0, udp,5000,s0, tcp, 35357,s0, udp, 35357,s0)
 +network_port(rtsclient, tcp,2501,s0)
  network_port(kprop, tcp,754,s0)
  network_port(ktalkd, udp,517,s0, udp,518,s0)
@@ -91765,7 +91782,7 @@ index deca9d3..1aa76b0 100644
  	spamassassin_exec_client(amavis_t)
  	spamassassin_read_lib_files(amavis_t)
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..5c1f951 100644
+index 9e39aa5..5a21117 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
 @@ -1,41 +1,59 @@
@@ -91861,7 +91878,12 @@ index 9e39aa5..5c1f951 100644
  
  /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,39 +95,87 @@ ifdef(`distro_suse', `
+@@ -69,43 +91,91 @@ ifdef(`distro_suse', `
+ /var/cache/php-.*			gen_context(system_u:object_r:httpd_cache_t,s0)
+ /var/cache/php-eaccelerator(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
+ /var/cache/php-mmcache(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/rt3(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/rt(3|4)(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -91901,7 +91923,7 @@ index 9e39aa5..5c1f951 100644
  ')
  
 +/var/lib/pootle/po(/.*)? 		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/rt(3|4)/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +
  /var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/cherokee\.pid		--	gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -99023,10 +99045,10 @@ index 0000000..7f55959
 +')
 diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
 new file mode 100644
-index 0000000..aeb4bc6
+index 0000000..7643855
 --- /dev/null
 +++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,202 @@
+@@ -0,0 +1,204 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -99087,6 +99109,7 @@ index 0000000..aeb4bc6
 +
 +dev_read_rand(cloudform_domain)
 +dev_read_urand(cloudform_domain)
++dev_read_sysfs(cloudform_domain)
 +
 +files_read_etc_files(cloudform_domain)
 +
@@ -99096,7 +99119,6 @@ index 0000000..aeb4bc6
 +miscfiles_read_localization(cloudform_domain)
 +
 +########################################
-+#
 +# deltacloudd local policy
 +#
 +
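Review bot: Removing the `+#` line leaves the deltacloudd section header as the hash rule followed directly by `# deltacloudd local policy`, breaking the `#` / `# name` / `#` three-line header form that the other sections of this new file use. Unless a second `#` line sits above the hash rule outside this hunk, the line should be restored between `########################################` and `# deltacloudd local policy`.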
@@ -99131,6 +99153,8 @@ index 0000000..aeb4bc6
 +
 +corenet_tcp_bind_generic_node(deltacloudd_t)
 +corenet_tcp_bind_generic_port(deltacloudd_t)
++corenet_tcp_connect_http_port(deltacloudd_t)
++corenet_tcp_connect_keystone_port(deltacloudd_t)
 +
 +auth_use_nsswitch(deltacloudd_t)
 +
@@ -100138,7 +100162,7 @@ index 733e4e6..fa2c3cb 100644
 +	ps_process_pattern($1, colord_t)
 +')
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..dbd4f7f 100644
+index 74505cc..0b4939f 100644
 --- a/policy/modules/services/colord.te
 +++ b/policy/modules/services/colord.te
 @@ -8,6 +8,7 @@ policy_module(colord, 1.0.0)
@@ -100170,7 +100194,7 @@ index 74505cc..dbd4f7f 100644
  allow colord_t self:udp_socket create_socket_perms;
  allow colord_t self:unix_dgram_socket create_socket_perms;
  
-@@ -41,8 +48,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+@@ -41,8 +48,16 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
  
@@ -100179,14 +100203,16 @@ index 74505cc..dbd4f7f 100644
 +kernel_read_system_state(colord_t)
  kernel_read_device_sysctls(colord_t)
 +kernel_request_load_module(colord_t)
++kernel_read_kernel_sysctls(colord_t)
 +
++#
 +# reads *.ini files
 +corecmd_exec_bin(colord_t)
 +corecmd_exec_shell(colord_t)
  
  corenet_all_recvfrom_unlabeled(colord_t)
  corenet_all_recvfrom_netlabel(colord_t)
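Review bot: The added bare `+#` before `# reads *.ini files` is a stray empty comment line and should be dropped. `kernel_read_kernel_sysctls(colord_t)` grants read access to all of /proc/sys/kernel, broader than the single osrelease file the changelog cites; it is read-only and low risk, but a why-comment such as `# colord reads /proc/sys/kernel/osrelease` next to the rule would record the actual need.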
-@@ -50,6 +63,8 @@ corenet_udp_bind_generic_node(colord_t)
+@@ -50,6 +65,8 @@ corenet_udp_bind_generic_node(colord_t)
  corenet_udp_bind_ipp_port(colord_t)
  corenet_tcp_connect_ipp_port(colord_t)
  
@@ -100195,7 +100221,7 @@ index 74505cc..dbd4f7f 100644
  dev_read_video_dev(colord_t)
  dev_write_video_dev(colord_t)
  dev_rw_printer(colord_t)
-@@ -65,19 +80,35 @@ files_list_mnt(colord_t)
+@@ -65,19 +82,35 @@ files_list_mnt(colord_t)
  files_read_etc_files(colord_t)
  files_read_usr_files(colord_t)
  
@@ -100232,7 +100258,7 @@ index 74505cc..dbd4f7f 100644
  	fs_read_cifs_files(colord_t)
  ')
  
-@@ -89,6 +120,12 @@ optional_policy(`
+@@ -89,6 +122,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -100245,7 +100271,7 @@ index 74505cc..dbd4f7f 100644
  	policykit_dbus_chat(colord_t)
  	policykit_domtrans_auth(colord_t)
  	policykit_read_lib(colord_t)
-@@ -96,5 +133,20 @@ optional_policy(`
+@@ -96,5 +135,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -111183,7 +111209,7 @@ index a627b34..c4cfc6d 100644
  optional_policy(`
  	seutil_sigchld_newrole(gpm_t)
 diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
-index 03742d8..3f7065f 100644
+index 03742d8..aef43e4 100644
 --- a/policy/modules/services/gpsd.te
 +++ b/policy/modules/services/gpsd.te
 @@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t)
@@ -111198,7 +111224,7 @@ index 03742d8..3f7065f 100644
  allow gpsd_t self:shm create_shm_perms;
  allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow gpsd_t self:tcp_socket create_stream_socket_perms;
-@@ -38,16 +39,25 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+@@ -38,16 +39,26 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
  manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
  files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
  
@@ -111222,10 +111248,11 @@ index 03742d8..3f7065f 100644
  term_use_unallocated_ttys(gpsd_t)
  term_setattr_unallocated_ttys(gpsd_t)
 +term_use_usb_ttys(gpsd_t)
++term_setattr_usb_ttys(gpsd_t)
  
  auth_use_nsswitch(gpsd_t)
  
-@@ -56,6 +66,12 @@ logging_send_syslog_msg(gpsd_t)
+@@ -56,6 +67,12 @@ logging_send_syslog_msg(gpsd_t)
  miscfiles_read_localization(gpsd_t)
  
  optional_policy(`
@@ -115718,10 +115745,10 @@ index 0000000..bd1d48e
 +')
 diff --git a/policy/modules/services/mailscanner.te b/policy/modules/services/mailscanner.te
 new file mode 100644
-index 0000000..82e5f09
+index 0000000..43eaa63
 --- /dev/null
 +++ b/policy/modules/services/mailscanner.te
-@@ -0,0 +1,87 @@
+@@ -0,0 +1,88 @@
 +policy_module(mailscanner, 1.0.0)
 +
 +########################################
@@ -115755,6 +115782,7 @@ index 0000000..82e5f09
 +allow mscan_t self:fifo_file rw_fifo_file_perms;
 +
 +read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
++list_dirs_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
 +
 +manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t)
 +files_pid_filetrans(mscan_t, mscan_var_run_t, file)
@@ -118591,7 +118619,7 @@ index 64268e4..58ec9a6 100644
 +	uucp_manage_spool(user_mail_domain)
 +')
 diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
-index fd71d69..5987e1c 100644
+index fd71d69..d51cb65 100644
 --- a/policy/modules/services/munin.fc
 +++ b/policy/modules/services/munin.fc
 @@ -41,6 +41,9 @@
@@ -118612,7 +118640,7 @@ index fd71d69..5987e1c 100644
  /usr/share/munin/plugins/netstat --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/nfs.*	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/open_files --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-@@ -58,11 +62,13 @@
+@@ -58,12 +62,15 @@
  /usr/share/munin/plugins/processes --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/swap	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/threads --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
@@ -118626,6 +118654,8 @@ index fd71d69..5987e1c 100644
  /var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
  /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
  /var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
+ /var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
++/var/www/html/cgi/munin.*		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
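Review bot: `/var/www/html/cgi/munin.*` is anchored only at its start, so any path beginning with `munin` under /var/www/html/cgi, not just the munin CGI scripts, becomes httpd_munin_script_exec_t and therefore an entrypoint into the httpd_munin_script_t domain. If the targets are munin-cgi-graph and munin-cgi-html, `/var/www/html/cgi/munin-cgi-.*	--	gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)` limits the label to those regular files, matching the `--` used by the plugin entries above.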
 diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
 index c358d8f..7c097ec 100644
 --- a/policy/modules/services/munin.if
@@ -118723,7 +118753,7 @@ index c358d8f..7c097ec 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
-index f17583b..c5ef1a3 100644
+index f17583b..ec75d02 100644
 --- a/policy/modules/services/munin.te
 +++ b/policy/modules/services/munin.te
 @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -118786,7 +118816,19 @@ index f17583b..c5ef1a3 100644
  
  sysnet_exec_ifconfig(munin_t)
  
-@@ -145,6 +152,7 @@ optional_policy(`
+@@ -128,6 +135,11 @@ optional_policy(`
+ 	manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+ 	manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+ 	apache_search_sys_content(munin_t)
++
++	read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
++	read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
++
++	files_search_var_lib(httpd_munin_script_t)
+ ')
+ 
+ optional_policy(`
+@@ -145,6 +157,7 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(munin_t)
  	mta_send_mail(munin_t)
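Review bot: `read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)` gives the web-facing CGI domain read access to the entire munin configuration type; if plugin-conf.d files under that type carry plugin credentials (database passwords are commonly configured there), they become readable from the httpd script domain. If the CGI only needs munin.conf, a separate type for plugin-conf.d would be tighter; otherwise a comment next to the rule noting the exposure, e.g. `# CGI can read all of munin_etc_t, including plugin-conf.d`, would keep it visible. These lines are inside the apache optional_policy block, whose start is outside the hunk.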
@@ -118794,7 +118836,7 @@ index f17583b..c5ef1a3 100644
  	mta_read_queue(munin_t)
  ')
  
-@@ -155,10 +163,13 @@ optional_policy(`
+@@ -155,10 +168,13 @@ optional_policy(`
  
  optional_policy(`
  	netutils_domtrans_ping(munin_t)
@@ -118808,7 +118850,7 @@ index f17583b..c5ef1a3 100644
  ')
  
  optional_policy(`
-@@ -182,6 +193,7 @@ optional_policy(`
+@@ -182,6 +198,7 @@ optional_policy(`
  # local policy for disk plugins
  #
  
@@ -118816,7 +118858,7 @@ index f17583b..c5ef1a3 100644
  allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  
  rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -192,13 +204,16 @@ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
+@@ -192,13 +209,16 @@ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
  
  files_read_etc_files(disk_munin_plugin_t)
  files_read_etc_runtime_files(disk_munin_plugin_t)
@@ -118836,7 +118878,14 @@ index f17583b..c5ef1a3 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -221,30 +236,48 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -217,34 +237,57 @@ optional_policy(`
+ 
+ allow mail_munin_plugin_t self:capability dac_override;
+ 
++allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms;
++allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
++
+ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
  dev_read_urand(mail_munin_plugin_t)
  
@@ -118844,21 +118893,23 @@ index f17583b..c5ef1a3 100644
 +logging_read_generic_logs(mail_munin_plugin_t)
  
 -fs_getattr_all_fs(mail_munin_plugin_t)
++sysnet_read_config(mail_munin_plugin_t)
+ 
+-logging_read_generic_logs(mail_munin_plugin_t)
 +optional_policy(`
 +	exim_read_log(mail_munin_plugin_t)
 +')
  
--logging_read_generic_logs(mail_munin_plugin_t)
+-mta_read_config(mail_munin_plugin_t)
+-mta_send_mail(mail_munin_plugin_t)
+-mta_read_queue(mail_munin_plugin_t)
 +optional_policy(`
 +	mta_read_config(mail_munin_plugin_t)
 +	mta_send_mail(mail_munin_plugin_t)
 +	mta_list_queue(mail_munin_plugin_t)
 +	mta_read_queue(mail_munin_plugin_t)
 +')
- 
--mta_read_config(mail_munin_plugin_t)
--mta_send_mail(mail_munin_plugin_t)
--mta_read_queue(mail_munin_plugin_t)
++
 +optional_policy(`
 +	nscd_socket_use(mail_munin_plugin_t)
 +')
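Review bot: `sysnet_read_config(mail_munin_plugin_t)` together with the `tcp_socket` and `netlink_route_socket` self rules added in the preceding hunk look like the pieces of a name-service lookup; the idiomatic way to express that is `auth_use_nsswitch(mail_munin_plugin_t)`, which covers resolv.conf, nscd and sssd access in one interface and would make the separate `nscd_socket_use` optional block unnecessary. If the sockets are instead needed by postconf itself, a comment on the tcp_socket rule saying so would help the next reader.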
@@ -118891,7 +118942,7 @@ index f17583b..c5ef1a3 100644
  allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  allow services_munin_plugin_t self:udp_socket create_socket_perms;
  allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -255,13 +288,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -255,13 +298,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
  dev_read_urand(services_munin_plugin_t)
  dev_read_rand(services_munin_plugin_t)
  
@@ -118906,7 +118957,7 @@ index f17583b..c5ef1a3 100644
  	cups_stream_connect(services_munin_plugin_t)
  ')
  
-@@ -279,6 +309,10 @@ optional_policy(`
+@@ -279,6 +319,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -118917,7 +118968,7 @@ index f17583b..c5ef1a3 100644
  	postgresql_stream_connect(services_munin_plugin_t)
  ')
  
-@@ -286,6 +320,10 @@ optional_policy(`
+@@ -286,6 +330,10 @@ optional_policy(`
  	snmp_read_snmp_var_lib_files(services_munin_plugin_t)
  ')
  
@@ -118928,7 +118979,7 @@ index f17583b..c5ef1a3 100644
  ##################################
  #
  # local policy for system plugins
-@@ -295,13 +333,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+@@ -295,13 +343,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
  
  rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -118945,7 +118996,7 @@ index f17583b..c5ef1a3 100644
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
  
-@@ -313,3 +350,43 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +360,43 @@ init_read_utmp(system_munin_plugin_t)
  sysnet_exec_ifconfig(system_munin_plugin_t)
  
  term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -121646,10 +121697,36 @@ index e79dccc..2a3c6af 100644
  /var/log/ntp.*			--	gen_context(system_u:object_r:ntpd_log_t,s0)
  /var/log/ntpstats(/.*)?			gen_context(system_u:object_r:ntpd_log_t,s0)
 diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..0044e73 100644
+index e80f8c0..16e7cb0 100644
 --- a/policy/modules/services/ntp.if
 +++ b/policy/modules/services/ntp.if
-@@ -98,6 +98,48 @@ interface(`ntp_initrc_domtrans',`
+@@ -37,6 +37,25 @@ interface(`ntp_domtrans',`
+ 
+ ########################################
+ ## <summary>
++##	Execute ntp server in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`ntp_exec',`
++	gen_require(`
++		type ntpd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	can_exec($1, ntpd_exec_t)
++')
++
++########################################
++## <summary>
+ ##	Execute ntp in the ntp domain, and
+ ##	allow the specified role the ntp domain.
+ ## </summary>
+@@ -98,6 +117,48 @@ interface(`ntp_initrc_domtrans',`
  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
  ')
  
@@ -121698,7 +121775,7 @@ index e80f8c0..0044e73 100644
  ########################################
  ## <summary>
  ##	Read and write ntpd shared memory.
-@@ -122,6 +164,25 @@ interface(`ntp_rw_shm',`
+@@ -122,6 +183,25 @@ interface(`ntp_rw_shm',`
  
  ########################################
  ## <summary>
@@ -121724,7 +121801,7 @@ index e80f8c0..0044e73 100644
  ##	All of the rules required to administrate
  ##	an ntp environment
  ## </summary>
-@@ -140,12 +201,15 @@ interface(`ntp_rw_shm',`
+@@ -140,12 +220,15 @@ interface(`ntp_rw_shm',`
  interface(`ntp_admin',`
  	gen_require(`
  		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
@@ -121743,7 +121820,7 @@ index e80f8c0..0044e73 100644
  
  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -162,4 +226,8 @@ interface(`ntp_admin',`
+@@ -162,4 +245,8 @@ interface(`ntp_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, ntpd_var_run_t)
@@ -133182,10 +133259,10 @@ index 0000000..6572600
 +')
 diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
 new file mode 100644
-index 0000000..2c3926d
+index 0000000..db40d8b
 --- /dev/null
 +++ b/policy/modules/services/rhsmcertd.te
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,87 @@
 +policy_module(rhsmcertd, 1.0.0)
 +
 +########################################
@@ -133239,12 +133316,17 @@ index 0000000..2c3926d
 +kernel_read_network_state(rhsmcertd_t)
 +kernel_read_system_state(rhsmcertd_t)
 +
++corenet_tcp_connect_http_port(rhsmcertd_t)
++
 +files_list_tmp(rhsmcertd_t)
 +
 +corecmd_exec_bin(rhsmcertd_t)
++corecmd_exec_shell(rhsmcertd_t)
 +
++dev_read_rand(rhsmcertd_t)
 +dev_read_urand(rhsmcertd_t)
 +dev_read_sysfs(rhsmcertd_t)
++dev_read_raw_memory(rhsmcertd_t)
 +
 +files_read_etc_files(rhsmcertd_t)
 +files_read_usr_files(rhsmcertd_t)
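Review bot: `dev_read_raw_memory(rhsmcertd_t)` grants read access to the raw physical-memory devices to a certificate-refresh daemon that otherwise only needs network, DNS, certs and the rpm database — that is a large widening of the domain, and combined with the new `corecmd_exec_shell` it means any shell reached from rhsmcertd_t can read the same. If the denial behind this is hardware-fact collection via dmidecode, the narrower fix is `optional_policy(` / `	dmidecode_domtrans(rhsmcertd_t)` / `')` so the raw-memory read stays confined to dmidecode_t; if the access is incidental rather than needed, a dontaudit is preferable to an allow. Either way the rule deserves a one-line comment naming the program that triggers it, since nothing in the module explains why this daemon touches /dev/mem. The rhsmcertd.te body continues outside this hunk.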
@@ -133256,9 +133338,9 @@ index 0000000..2c3926d
 +
 +miscfiles_read_localization(rhsmcertd_t)
 +miscfiles_read_certs(rhsmcertd_t)
-+
++ 
 +sysnet_dns_name_resolve(rhsmcertd_t)
-+
++ 
 +rpm_read_db(rhsmcertd_t)
 +
 +optional_policy(`
@@ -136562,7 +136644,7 @@ index bcdd16c..039b0c8 100644
  	files_list_var_lib($1)
  	admin_pattern($1, setroubleshoot_var_lib_t)
 diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
-index 086cd5f..50880aa 100644
+index 086cd5f..8ba245d 100644
 --- a/policy/modules/services/setroubleshoot.te
 +++ b/policy/modules/services/setroubleshoot.te
 @@ -13,6 +13,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -136688,7 +136770,7 @@ index 086cd5f..50880aa 100644
  
  files_read_usr_files(setroubleshoot_fixit_t)
  files_read_etc_files(setroubleshoot_fixit_t)
-@@ -164,6 +193,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+@@ -164,7 +193,15 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
  
  miscfiles_read_localization(setroubleshoot_fixit_t)
  
@@ -136700,8 +136782,10 @@ index 086cd5f..50880aa 100644
 +')
 +
  optional_policy(`
++	rpm_exec(setroubleshoot_fixit_t)
  	rpm_signull(setroubleshoot_fixit_t)
  	rpm_read_db(setroubleshoot_fixit_t)
+ 	rpm_dontaudit_manage_db(setroubleshoot_fixit_t)
 diff --git a/policy/modules/services/sge.fc b/policy/modules/services/sge.fc
 new file mode 100644
 index 0000000..160ddc2
@@ -148485,10 +148569,10 @@ index 0000000..b34b8b4
 +
 diff --git a/policy/modules/services/zoneminder.te b/policy/modules/services/zoneminder.te
 new file mode 100644
-index 0000000..9562539
+index 0000000..a694e43
 --- /dev/null
 +++ b/policy/modules/services/zoneminder.te
-@@ -0,0 +1,124 @@
+@@ -0,0 +1,125 @@
 +policy_module(zoneminder, 1.0.0)
 +
 +########################################
@@ -148566,6 +148650,7 @@ index 0000000..9562539
 +
 +corenet_tcp_bind_http_cache_port(zoneminder_t)
 +corenet_tcp_bind_transproxy_port(zoneminder_t)
++corenet_tcp_connect_http_port(zoneminder_t)
 +
 +dev_read_sysfs(zoneminder_t)
 +dev_read_rand(zoneminder_t)
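Review bot: The new `corenet_tcp_connect_http_port(zoneminder_t)` has no comment, so the only explanation for why a video recorder opens outbound connections to http ports is in the commit message; a line such as `# remote IP cameras are polled over HTTP` above it would keep that rationale with the rule. Because deployments with only locally attached cameras do not need this egress, consider gating it behind a boolean in a `tunable_policy` block so those hosts can leave it disabled rather than granting it unconditionally. The zoneminder.te body continues outside this hunk.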
@@ -159165,10 +159250,10 @@ index 0000000..1f323e4
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..414e491
+index 0000000..7fe5746
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,420 @@
+@@ -0,0 +1,424 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -159311,6 +159396,10 @@ index 0000000..414e491
 +userdom_manage_user_tmp_sockets(systemd_logind_t)
 +
 +optional_policy(`
++	apache_read_tmp_files(systemd_logind_t)
++')
++
++optional_policy(`
 +	cron_dbus_chat_crond(systemd_logind_t)
 +	cron_read_state_crond(systemd_logind_t)
 +')
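Review bot: `apache_read_tmp_files(systemd_logind_t)` grants read on every httpd_tmp_t file on the system, while the commit message only says logind is "looking at" files under /run/user/apache — if that is session-teardown housekeeping (getattr/search on the directory tree), a getattr- or list-level interface, or a dontaudit, is the narrower choice than handing the login manager the contents of web-server temporary files. Worth confirming from the actual AVC which permission was denied before settling on read. A comment such as `# logind walks /run/user/apache during session cleanup` would also record why the two services are coupled here. The systemd.te body continues outside this hunk.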
@@ -160883,7 +160972,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..9feac30 100644
+index 4b2878a..d28441e 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -163440,7 +163529,7 @@ index 4b2878a..9feac30 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +4077,1285 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +4077,1303 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -164401,6 +164490,24 @@ index 4b2878a..9feac30 100644
 +	allow $1 user_tmp_t:file read_inherited_file_perms;
 +')
 +
++#######################################
++## <summary>
++##      Dontaudit attempt to set attributes on  user temporary file system files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to not audit.
++##      </summary>
++## </param>
++#
++interface(`userdom_dontaudit_setattr_user_tmpfs',`
++	gen_require(`
++		type user_tmpfs_t;
++	')
++
++	dontaudit $1 user_tmpfs_t:file setattr;
++')
++
 +########################################
 +## <summary>
 +##	Read/write all inherited users files in /tmp
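Review bot: The new `userdom_dontaudit_setattr_user_tmpfs` interface is formatted differently from its neighbours: the summary and param lines are indented with spaces (`##      Domain to not audit.`) where the rest of userdomain.if uses a tab after `##`, the banner line has 39 `#` characters instead of the 40 used by the interface immediately below, and the summary contains a doubled space (`on  user`). Suggested header lines: `########################################` and `##	Dontaudit attempts to set attributes on user temporary filesystem files.`, with the param lines re-indented to match the `##	Domain to not audit.` convention used elsewhere in this file. The userdomain.if content continues outside this hunk.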
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bfcae13..1162a91 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 165%{?dist}
+Release: 166%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,27 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Dec 3 2013 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-166
+- Allow gpsd_t to setattr on usbtty_device
+- Allow mail_munin_plugins domain to run postconf
+- Dontaudit reading of domain states for mozilla-plugin-config
+- Backport corenetwork.te.in fixes related to http and keystone ports
+- Backport cloudform policy from F18
+- ALlow logrotate sys_ptrace capability
+- Allow mscan to read /etc/MailScanner/conf.d directory
+- Add support for HOME_DIR/.lyx
+- Add support for rt4
+- Back rhsmcertd policy from F18
+- zoneminder needs to connect to httpd ports where remote cameras are listening
+- Add ntp_exec() interface
+- Dontaudit settatr on user tmp files for mozilla plugins
+- Allow colord-sane to read proc/sys/kernel/osrelease
+- Allow setroubleshoot_fixit to execute rpm
+- Allow logwatch to getattr on all dirs
+- Allow chrome and mozilla_plugin to create msgq and semaphores
+- systemd_logind_t is looking at all files under /run/user/apache
+- Allow confine users to ptrace screen
+
 * Mon Dec 17 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-165
 - Add php-fpm support
 - Allow munin disk plugins to get attributes of all directories

