[selinux-policy/f18] - Dontaudit net_admin capability for sendmail - Logwatch does access check on mdadm binary - Add rai
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Jan 21 20:50:22 UTC 2013
commit 4d5373a93a83778568d9edf9c640c5a957dfccb0
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Jan 21 21:49:04 2013 +0100
- Dontaudit net_admin capability for sendmail
- Logwatch does access check on mdadm binary
- Add raid_access_check_mdadm() interface
- Allow gpg_t to manage all gnome files
- Add ~/.quakelive as mozilla_home_t content
- Dontaudit mdadm_t running ps command which is causing sys_ptrace avcs
- Allow virtd_t to create stream socket perms for svirt_socket_t, so that it can use guestmount.
- Need to allow virtd_t to write to /proc in order to open namespace sockets for write.
- Add a couple of dontaudit rules to silence the noise
- Allow zarafa_deliver_t to bind to lmtp port, also consolidate signal_perms and setrlimit and kill to use zarafa_doma
- Add mate-thumbnail-font as thumbnailer
- Add pcscd_read_pid_files() interface
- Lots of probing avc's caused by executing gpg from staff_t
- Looks like qpidd_t needs to read /dev/random
- firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm. Would like to clean
- Added systemd support for ksmtuned
- Added booleans
ksmtuned_use_nfs
ksmtuned_use_cifs
- Add definition for 2003 as an lmtp port
- Add filename transition for opasswd
policy-f18-base.patch | 35 +++-
policy-f18-contrib.patch | 495 +++++++++++++++++++++++++++++++++------------
selinux-policy.spec | 25 +++-
3 files changed, 416 insertions(+), 139 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index ab2beb7..4bf1f98 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -114387,7 +114387,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index fe2ee5e..fe01386 100644
+index fe2ee5e..d13e61a 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0)
@@ -114572,8 +114572,9 @@ index fe2ee5e..fe01386 100644
-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp, 7389,s0)
network_port(lirc, tcp,8765,s0)
+-network_port(lmtp, tcp,24,s0, udp,24,s0)
+network_port(luci, tcp,8084,s0)
- network_port(lmtp, tcp,24,s0, udp,24,s0)
++network_port(lmtp, tcp,24,s0, udp,24,s0, tcp,2003,s0)
network_port(lrrd) # no defined portcon
+network_port(l2tp, tcp,1701,s0, udp,1701,s0)
network_port(mail, tcp,2000,s0, tcp,3905,s0)
@@ -128367,7 +128368,7 @@ index fc86b7c..ea115aa 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..f14edb7 100644
+index 130ced9..939b9fe 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -129164,7 +129165,7 @@ index 130ced9..f14edb7 100644
')
########################################
-@@ -1243,10 +1577,559 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1577,580 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -129726,6 +129727,27 @@ index 130ced9..f14edb7 100644
+ filetrans_pattern($1, xdm_tmp_t, $2, $3, $4)
+ files_search_tmp($1)
+')
++
++#######################################
++## <summary>
++## Read xdm process state files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xserver_read_xdm_state',`
++ gen_require(`
++ type xdm_t;
++ ')
++
++ kernel_search_proc($1)
++ allow $1 xdm_t:dir list_dir_perms;
++ allow $1 xdm_t:file read_file_perms;
++ allow $1 xdm_t:lnk_file read_lnk_file_perms;
++')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index d40f750..9f53f97 100644
--- a/policy/modules/services/xserver.te
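Review bot: The new `xserver_read_xdm_state` interface spells out by hand the three rules (`dir list_dir_perms`, `file read_file_perms`, `lnk_file read_lnk_file_perms`) that the `ps_process_pattern` macro already bundles, and which this same commit uses elsewhere (`ps_process_pattern($1, ksmtuned_t)`). Replacing the three allow lines with `ps_process_pattern($1, xdm_t)` after `kernel_search_proc($1)` keeps it consistent with the rest of the policy and makes the grant's scope obvious to the next reader. The summary "Read xdm process state files" could also say that this is the whole /proc/<pid> tree of xdm_t (directory listing, file and symlink reads), since that is what the rules grant.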
@@ -131177,7 +131199,7 @@ index 28ad538..ebe81bf 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index f416ce9..4d4ec55 100644
+index f416ce9..424d494 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -131694,7 +131716,7 @@ index f416ce9..4d4ec55 100644
')
########################################
-@@ -1755,3 +1923,199 @@ interface(`auth_unconfined',`
+@@ -1755,3 +1923,200 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -131736,6 +131758,7 @@ index f416ce9..4d4ec55 100644
+ files_etc_filetrans($1, shadow_t, file, "shadow")
+ files_etc_filetrans($1, shadow_t, file, "shadow-")
+ files_etc_filetrans($1, shadow_t, file, "gshadow")
++ files_etc_filetrans($1, shadow_t, file, "opasswd")
+ logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
+ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
+ logging_log_named_filetrans($1, faillog_t, file, "faillog")
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 9adf141..2c2a4c5 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -3171,7 +3171,7 @@ index 6480167..7b2ad39 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 0833afb..833af5e 100644
+index 0833afb..f3460ea 100644
--- a/apache.te
+++ b/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
@@ -3939,7 +3939,7 @@ index 0833afb..833af5e 100644
+')
+
+optional_policy(`
-+ pcscd_read_pub_files(httpd_t)
++ pcscd_read_pid_files(httpd_t)
+')
+
+optional_policy(`
@@ -5839,10 +5839,10 @@ index cf8e59f..ad57d4a 100644
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
-index 59aa54f..1cb1b4f 100644
+index 59aa54f..b5dadee 100644
--- a/bind.fc
+++ b/bind.fc
-@@ -4,12 +4,18 @@
+@@ -4,12 +4,19 @@
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
@@ -5858,10 +5858,11 @@ index 59aa54f..1cb1b4f 100644
/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/unbound-chkconf -- gen_context(system_u:object_r:named_exec_t,s0)
/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
-@@ -40,6 +46,7 @@ ifdef(`distro_redhat',`
+@@ -40,6 +47,7 @@ ifdef(`distro_redhat',`
/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
@@ -8207,7 +8208,7 @@ index 7a6e5ba..7475aa5 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index c3e3f79..89db900 100644
+index c3e3f79..8dcec07 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,13 +18,19 @@ files_pid_file(certmonger_var_run_t)
@@ -8288,7 +8289,7 @@ index c3e3f79..89db900 100644
optional_policy(`
dbus_system_bus_client(certmonger_t)
-@@ -64,9 +97,46 @@ optional_policy(`
+@@ -64,9 +97,47 @@ optional_policy(`
')
optional_policy(`
@@ -8304,6 +8305,7 @@ index c3e3f79..89db900 100644
optional_policy(`
+ pcscd_read_pub_files(certmonger_t)
++ pcscd_read_pid_files(certmonger_t)
pcscd_stream_connect(certmonger_t)
')
+
@@ -11133,7 +11135,7 @@ index 733e4e6..fa2c3cb 100644
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
-index 74505cc..10d9a27 100644
+index 74505cc..69bf8c7 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.0)
@@ -11243,7 +11245,7 @@ index 74505cc..10d9a27 100644
policykit_dbus_chat(colord_t)
policykit_domtrans_auth(colord_t)
policykit_read_lib(colord_t)
-@@ -96,5 +130,19 @@ optional_policy(`
+@@ -96,5 +130,20 @@ optional_policy(`
')
optional_policy(`
@@ -11256,6 +11258,7 @@ index 74505cc..10d9a27 100644
+
+optional_policy(`
+ xserver_dbus_chat_xdm(colord_t)
++ xserver_read_xdm_state(colord_t)
+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+ xserver_read_inherited_xdm_lib_files(colord_t)
+')
@@ -15770,7 +15773,7 @@ index e6345ce..31f269b 100644
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/dbus.if b/dbus.if
-index fb4bf82..126d543 100644
+index fb4bf82..90299b3 100644
--- a/dbus.if
+++ b/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -15858,7 +15861,7 @@ index fb4bf82..126d543 100644
- corecmd_read_bin_files($1_dbusd_t)
- corecmd_read_bin_pipes($1_dbusd_t)
- corecmd_read_bin_sockets($1_dbusd_t)
-
+-
- corenet_all_recvfrom_unlabeled($1_dbusd_t)
- corenet_all_recvfrom_netlabel($1_dbusd_t)
- corenet_tcp_sendrecv_generic_if($1_dbusd_t)
@@ -15868,7 +15871,7 @@ index fb4bf82..126d543 100644
- corenet_tcp_bind_reserved_port($1_dbusd_t)
-
- dev_read_urand($1_dbusd_t)
--
+
- domain_use_interactive_fds($1_dbusd_t)
- domain_read_all_domains_state($1_dbusd_t)
-
@@ -16070,7 +16073,7 @@ index fb4bf82..126d543 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -493,10 +445,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -493,10 +445,72 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
## </summary>
## </param>
#
@@ -16124,6 +16127,27 @@ index fb4bf82..126d543 100644
+ ')
+
+ dontaudit $1 session_bus_type:dbus send_msg;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to send dbus
++## messages to system bus types.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dbus_dontaudit_chat_system_bus',`
++ gen_require(`
++ attribute system_bus_type;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 system_bus_type:dbus send_msg;
++ dontaudit system_bus_type $1:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
index 625cb32..4dee5a0 100644
@@ -20177,10 +20201,10 @@ index 0000000..a446210
+')
diff --git a/dspam.te b/dspam.te
new file mode 100644
-index 0000000..e6f0960
+index 0000000..0b4f332
--- /dev/null
+++ b/dspam.te
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,114 @@
+
+policy_module(dspam, 1.0.0)
+
@@ -20216,6 +20240,7 @@ index 0000000..e6f0960
+#
+
+allow dspam_t self:capability net_admin;
++allow dspam_t self:tcp_socket { listen accept };
+
+allow dspam_t self:process { signal };
+
@@ -21342,10 +21367,10 @@ index 0000000..c4c7510
+')
diff --git a/firewalld.te b/firewalld.te
new file mode 100644
-index 0000000..b462d7b
+index 0000000..b8b2a3c
--- /dev/null
+++ b/firewalld.te
-@@ -0,0 +1,97 @@
+@@ -0,0 +1,111 @@
+
+policy_module(firewalld,1.0.0)
+
@@ -21373,10 +21398,17 @@ index 0000000..b462d7b
+type firewalld_unit_file_t;
+systemd_unit_file(firewalld_unit_file_t)
+
++type firewalld_tmp_t;
++files_tmp_file(firewalld_tmp_t)
++
++type firewalld_tmpfs_t;
++files_tmpfs_file(firewalld_tmpfs_t)
++
+########################################
+#
+# firewalld local policy
+#
++allow firewalld_t self:capability dac_override;
+dontaudit firewalld_t self:capability sys_tty_config;
+allow firewalld_t self:fifo_file rw_fifo_file_perms;
+allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
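Review bot: `allow firewalld_t self:capability dac_override;` is added with no comment, while the neighbouring `sys_tty_config` line is a dontaudit; dac_override is the capability that bypasses every owner/mode check, so a reviewer later cannot tell which access made it necessary or whether a dontaudit would have done. A why-comment above the rule naming the file or directory access that produced the denial, e.g. `# dac_override: <access that triggered the avc — fill in from the audit log>`, would let it be narrowed or dropped later. If the denial was only probing (as the commit message says for several other rules here), `dontaudit firewalld_t self:capability dac_override;` would be the safer form; I can't tell which from the hunk.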
@@ -21390,7 +21422,14 @@ index 0000000..b462d7b
+setattr_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
+logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
+
-+# should be fixed to cooperate with systemd to create /var/run/firewalld directory
++manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
++files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
++allow firewalld_t firewalld_tmp_t:file execute;
++
++manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
++fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file)
++allow firewalld_t firewalld_tmpfs_t:file execute;
++
+manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
+files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
+can_exec(firewalld_t, firewalld_var_run_t)
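Review bot: The two new `allow firewalld_t firewalld_tmp_t:file execute;` / `allow firewalld_t firewalld_tmpfs_t:file execute;` rules sit next to `manage_files_pattern` on the same types, so firewalld may now write a file under /tmp or /dev/shm and then execute it, which removes the write-xor-execute separation the policy otherwise gives this daemon. The commit message says the author would like this cleaned up, but the hunk also drops the only comment that recorded a similar intent for the var_run case, so nothing in the file will remind anyone. Carrying the intent into the policy, e.g. `# firewalld mmaps files it creates in /tmp and /dev/shm as executable; drop these execute rules once firewalld no longer needs it`, keeps the loosening visible and reversible.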
@@ -25793,7 +25832,7 @@ index 6d50300..951b790 100644
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
-index 72a113e..29063e5 100644
+index 72a113e..4a17541 100644
--- a/gpg.te
+++ b/gpg.te
@@ -4,6 +4,7 @@ policy_module(gpg, 2.6.0)
@@ -25896,7 +25935,7 @@ index 72a113e..29063e5 100644
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
-@@ -77,16 +100,16 @@ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+@@ -77,16 +100,17 @@ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
allow gpg_t gpg_secret_t:dir create_dir_perms;
@@ -25907,6 +25946,7 @@ index 72a113e..29063e5 100644
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
kernel_read_sysctl(gpg_t)
++kernel_getattr_core_if(gpg_t)
corecmd_exec_shell(gpg_t)
corecmd_exec_bin(gpg_t)
@@ -25915,7 +25955,14 @@ index 72a113e..29063e5 100644
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
corenet_udp_sendrecv_generic_if(gpg_t)
-@@ -106,7 +129,6 @@ fs_list_inotifyfs(gpg_t)
+@@ -100,38 +124,43 @@ corenet_sendrecv_all_client_packets(gpg_t)
+ dev_read_rand(gpg_t)
+ dev_read_urand(gpg_t)
+ dev_read_generic_usb_dev(gpg_t)
++dev_dontaudit_getattr_all(gpg_t)
+
+ fs_getattr_xattr_fs(gpg_t)
+ fs_list_inotifyfs(gpg_t)
domain_use_interactive_fds(gpg_t)
@@ -25923,12 +25970,14 @@ index 72a113e..29063e5 100644
files_read_usr_files(gpg_t)
files_dontaudit_search_var(gpg_t)
-@@ -114,24 +136,23 @@ auth_use_nsswitch(gpg_t)
+ auth_use_nsswitch(gpg_t)
- logging_send_syslog_msg(gpg_t)
+-logging_send_syslog_msg(gpg_t)
++init_dontaudit_getattr_initctl(gpg_t)
-miscfiles_read_localization(gpg_t)
--
++logging_send_syslog_msg(gpg_t)
+
-userdom_use_user_terminals(gpg_t)
+userdom_use_inherited_user_terminals(gpg_t)
# sign/encrypt user files
@@ -25947,19 +25996,22 @@ index 72a113e..29063e5 100644
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gpg_t)
- fs_manage_nfs_files(gpg_t)
--')
+userdom_home_manager(gpg_t)
++
++optional_policy(`
++ gpm_dontaudit_getattr_gpmctl(gpg_t)
+ ')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gpg_t)
- fs_manage_cifs_files(gpg_t)
+optional_policy(`
-+ gnome_read_config(gpg_t)
++ gnome_manage_config(gpg_t)
+ gnome_stream_connect_gkeyringd(gpg_t)
')
optional_policy(`
-@@ -140,15 +161,19 @@ optional_policy(`
+@@ -140,15 +169,19 @@ optional_policy(`
')
optional_policy(`
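Review bot: `gnome_manage_config(gpg_t)` replaces `gnome_read_config(gpg_t)` with no comment, so the jump from read to full manage over the gnome config types is not explained in the policy itself (the commit message only says "manage all gnome files"). A one-line comment above the call naming what gpg actually writes there would let a later reviewer narrow it back to read plus a specific filetrans if that turns out to be enough. The enclosing optional_policy block is complete within the hunk.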
@@ -25983,7 +26035,7 @@ index 72a113e..29063e5 100644
########################################
#
# GPG helper local policy
-@@ -166,7 +191,6 @@ allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
+@@ -166,7 +199,6 @@ allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
dontaudit gpg_helper_t gpg_secret_t:file read;
@@ -25991,7 +26043,7 @@ index 72a113e..29063e5 100644
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
corenet_raw_sendrecv_generic_if(gpg_helper_t)
-@@ -180,11 +204,10 @@ corenet_tcp_bind_generic_node(gpg_helper_t)
+@@ -180,11 +212,10 @@ corenet_tcp_bind_generic_node(gpg_helper_t)
corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)
@@ -26004,7 +26056,7 @@ index 72a113e..29063e5 100644
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -198,15 +221,17 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -198,15 +229,17 @@ tunable_policy(`use_samba_home_dirs',`
#
# GPG agent local policy
#
@@ -26023,7 +26075,7 @@ index 72a113e..29063e5 100644
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
-@@ -223,43 +248,34 @@ corecmd_read_bin_symlinks(gpg_agent_t)
+@@ -223,43 +256,34 @@ corecmd_read_bin_symlinks(gpg_agent_t)
corecmd_search_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)
@@ -26072,7 +26124,7 @@ index 72a113e..29063e5 100644
optional_policy(`
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
-@@ -294,10 +310,10 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+@@ -294,10 +318,10 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)
@@ -26084,7 +26136,7 @@ index 72a113e..29063e5 100644
corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
corenet_tcp_bind_generic_node(gpg_pinentry_t)
corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
-@@ -310,7 +326,6 @@ dev_read_rand(gpg_pinentry_t)
+@@ -310,7 +334,6 @@ dev_read_rand(gpg_pinentry_t)
files_read_usr_files(gpg_pinentry_t)
# read /etc/X11/qtrc
@@ -26092,7 +26144,7 @@ index 72a113e..29063e5 100644
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
fs_getattr_tmpfs(gpg_pinentry_t)
-@@ -320,18 +335,19 @@ auth_use_nsswitch(gpg_pinentry_t)
+@@ -320,18 +343,19 @@ auth_use_nsswitch(gpg_pinentry_t)
logging_send_syslog_msg(gpg_pinentry_t)
miscfiles_read_fonts(gpg_pinentry_t)
@@ -26118,7 +26170,7 @@ index 72a113e..29063e5 100644
')
optional_policy(`
-@@ -340,6 +356,12 @@ optional_policy(`
+@@ -340,6 +364,12 @@ optional_policy(`
')
optional_policy(`
@@ -26131,7 +26183,7 @@ index 72a113e..29063e5 100644
pulseaudio_exec(gpg_pinentry_t)
pulseaudio_rw_home_files(gpg_pinentry_t)
pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -349,4 +371,27 @@ optional_policy(`
+@@ -349,4 +379,27 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -30283,53 +30335,125 @@ index 9dd6880..77c768b 100644
optional_policy(`
diff --git a/ksmtuned.fc b/ksmtuned.fc
-index 9c0c835..8360166 100644
+index 9c0c835..c950a6a 100644
--- a/ksmtuned.fc
+++ b/ksmtuned.fc
-@@ -3,3 +3,5 @@
- /usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
+@@ -1,5 +1,9 @@
+ /etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+
+-/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
++/usr/lib/systemd/system/ksmtuned.* -- gen_context(system_u:object_r:ksmtuned_unit_file_t,s0)
++
++/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
+
+/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
diff --git a/ksmtuned.if b/ksmtuned.if
-index 6fd0b4c..568f842 100644
+index 6fd0b4c..49ef16c 100644
--- a/ksmtuned.if
+++ b/ksmtuned.if
-@@ -55,12 +55,14 @@ interface(`ksmtuned_initrc_domtrans',`
+@@ -36,6 +36,29 @@ interface(`ksmtuned_initrc_domtrans',`
+ init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t)
+ ')
+
++#######################################
++## <summary>
++## Execute ksmtuned server in the ksmtunedd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ksmtuned_systemctl',`
++ gen_require(`
++ type ksmtuned_unit_file_t;
++ type ksmtuned_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 ksmtuned_unit_file_t:file read_file_perms;
++ allow $1 ksmtuned_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, ksmtuned_t)
++')
++
+ ########################################
+ ## <summary>
+ ## All of the rules required to administrate
+@@ -55,12 +78,15 @@ interface(`ksmtuned_initrc_domtrans',`
#
interface(`ksmtuned_admin',`
gen_require(`
- type ksmtuned_t, ksmtuned_var_run_t;
- type ksmtuned_initrc_exec_t;
-+ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t;
++ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t, ksmtuned_unit_file_t;
')
- allow $1 ksmtuned_t:process { ptrace signal_perms };
- ps_process_pattern(ksmtumed_t)
+ allow $1 ksmtuned_t:process signal_perms;
+ ps_process_pattern($1, ksmtuned_t)
++
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ksmtuned_t:process ptrace;
+ ')
files_list_pids($1)
admin_pattern($1, ksmtuned_var_run_t)
+@@ -71,4 +97,11 @@ interface(`ksmtuned_admin',`
+ role_transition $2 ksmtuned_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ logging_search_logs($1)
++ admin_pattern($1, ksmtuned_log_t)
++
++ ksmtuned_systemctl($1)
++ admin_pattern($1, ksmtuned_unit_file_t)
++ allow $1 ksmtuned_unit_file_t:service all_service_perms;
++
+ ')
diff --git a/ksmtuned.te b/ksmtuned.te
-index a73b7a1..d143b12 100644
+index a73b7a1..355e6f0 100644
--- a/ksmtuned.te
+++ b/ksmtuned.te
-@@ -9,6 +9,9 @@ type ksmtuned_t;
+@@ -5,13 +5,33 @@ policy_module(ksmtuned, 1.0.0)
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Allow ksmtuned to use nfs file systems
++## </p>
++## </desc>
++gen_tunable(ksmtuned_use_nfs, false)
++
++## <desc>
++## <p>
++## Allow ksmtuned to use cifs/Samba file systems
++## </p>
++## </desc>
++gen_tunable(ksmtuned_use_cifs, false)
++
+ type ksmtuned_t;
type ksmtuned_exec_t;
init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
-+type ksmtuned_log_t;
-+logging_log_file(ksmtuned_log_t)
++type ksmtuned_unit_file_t;
++systemd_unit_file(ksmtuned_unit_file_t)
+
type ksmtuned_initrc_exec_t;
init_script_file(ksmtuned_initrc_exec_t)
-@@ -20,9 +23,13 @@ files_pid_file(ksmtuned_var_run_t)
++type ksmtuned_log_t;
++logging_log_file(ksmtuned_log_t)
++
+ type ksmtuned_var_run_t;
+ files_pid_file(ksmtuned_var_run_t)
+
+@@ -20,9 +40,13 @@ files_pid_file(ksmtuned_var_run_t)
# ksmtuned local policy
#
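Review bot: The summary of the new `ksmtuned_systemctl` interface, "Execute ksmtuned server in the ksmtunedd domain.", describes a domain transition, but the body grants `systemd_exec_systemctl($1)`, read and `manage_service_perms` on `ksmtuned_unit_file_t`, and `ps_process_pattern($1, ksmtuned_t)`; the param summary "Domain allowed to transition." has the same problem. Suggested wording: `## Execute systemctl in the caller domain to manage the ksmtuned unit file.` and `## Domain allowed access.` In `ksmtuned_admin`, `allow $1 ksmtuned_unit_file_t:service all_service_perms;` follows the `manage_service_perms` already granted through `ksmtuned_systemctl($1)`; that matches the samba admin interface visible later on this page, so it is presumably the project convention rather than an oversight.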
@@ -30344,7 +30468,7 @@ index a73b7a1..d143b12 100644
manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
-@@ -31,9 +38,16 @@ kernel_read_system_state(ksmtuned_t)
+@@ -31,9 +55,25 @@ kernel_read_system_state(ksmtuned_t)
dev_rw_sysfs(ksmtuned_t)
domain_read_all_domains_state(ksmtuned_t)
@@ -30357,12 +30481,21 @@ index a73b7a1..d143b12 100644
+mls_file_read_to_clearance(ksmtuned_t)
+
+term_use_all_inherited_terms(ksmtuned_t)
++
++auth_use_nsswitch(ksmtuned_t)
++
++logging_send_syslog_msg(ksmtuned_t)
-files_read_etc_files(ksmtuned_t)
-+auth_use_nsswitch(ksmtuned_t)
++tunable_policy(`ksmtuned_use_nfs',`
++ fs_read_nfs_files(ksmtuned_t)
++')
-miscfiles_read_localization(ksmtuned_t)
-+logging_send_syslog_msg(ksmtuned_t)
++tunable_policy(`ksmtuned_use_cifs',`
++ fs_read_cifs_files(ksmtuned_t)
++ samba_read_share_files(ksmtuned_t)
++')
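Review bot: `samba_read_share_files(ksmtuned_t)` inside `tunable_policy(`ksmtuned_use_cifs', ...)` calls into the samba module without an `optional_policy` wrapper, unlike every other cross-module call added in this commit (for example the `raid_access_check_mdadm(logwatch_t)` block in logwatch.te). If the samba module is not loaded the build of ksmtuned fails on the unresolved interface; the usual shape is to nest the tunable inside an optional block. `fs_read_cifs_files(ksmtuned_t)` already covers CIFS mounts, so the samba call presumably targets locally labelled share files; the tunable description "use cifs/Samba file systems" could say so.
```m4
tunable_policy(`ksmtuned_use_cifs',`
	fs_read_cifs_files(ksmtuned_t)
')

optional_policy(`
	tunable_policy(`ksmtuned_use_cifs',`
		samba_read_share_files(ksmtuned_t)
	')
')
```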
diff --git a/ktalk.te b/ktalk.te
index ca5cfdf..a4457d0 100644
--- a/ktalk.te
@@ -31838,7 +31971,7 @@ index 3c7b1e8..1e155f5 100644
+
+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --git a/logwatch.te b/logwatch.te
-index 75ce30f..061b725 100644
+index 75ce30f..548e60c 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0)
@@ -31921,7 +32054,18 @@ index 75ce30f..061b725 100644
files_getattr_all_file_type_fs(logwatch_t)
')
-@@ -145,3 +160,24 @@ optional_policy(`
+@@ -138,6 +153,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ raid_access_check_mdadm(logwatch_t)
++')
++
++optional_policy(`
+ rpc_search_nfs_state_data(logwatch_t)
+ ')
+
+@@ -145,3 +164,24 @@ optional_policy(`
samba_read_log(logwatch_t)
samba_read_share_files(logwatch_t)
')
@@ -34426,10 +34570,10 @@ index 6647a35..f3b35e1 100644
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/mozilla.fc b/mozilla.fc
-index 3a73e74..0fa08be 100644
+index 3a73e74..4cecf11 100644
--- a/mozilla.fc
+++ b/mozilla.fc
-@@ -2,8 +2,18 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0
+@@ -2,8 +2,19 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -34442,13 +34586,14 @@ index 3a73e74..0fa08be 100644
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
#
# /bin
-@@ -16,6 +26,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+@@ -16,6 +27,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
@@ -34461,7 +34606,7 @@ index 3a73e74..0fa08be 100644
ifdef(`distro_debian',`
/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
')
-@@ -23,11 +39,20 @@ ifdef(`distro_debian',`
+@@ -23,11 +40,20 @@ ifdef(`distro_debian',`
#
# /lib
#
@@ -34489,7 +34634,7 @@ index 3a73e74..0fa08be 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index b397fde..cccec7e 100644
+index b397fde..eda9218 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -18,10 +18,11 @@
@@ -34639,7 +34784,7 @@ index b397fde..cccec7e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -275,28 +361,119 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -275,28 +361,120 @@ interface(`mozilla_rw_tcp_sockets',`
## </summary>
## </param>
#
@@ -34760,6 +34905,7 @@ index b397fde..cccec7e 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
@@ -43232,10 +43378,10 @@ index 0000000..6e20e72
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..d97b009
+index 0000000..fc83882
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,383 @@
+@@ -0,0 +1,384 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -43351,8 +43497,9 @@ index 0000000..d97b009
+allow openshift_domain self:shm create_shm_perms;
+allow openshift_domain self:sem create_sem_perms;
+dontaudit openshift_domain self:dir write;
-+
++dontaudit openshift_t self:unix_stream_socket recvfrom;
+dontaudit openshift_domain self:netlink_tcpdiag_socket create;
++dontaudit openshift_domain self:netlink_route_socket nlmsg_write;
+allow openshift_domain self:tcp_socket create_stream_socket_perms;
+allow openshift_domain self:fifo_file manage_fifo_file_perms;
+allow openshift_domain self:unix_stream_socket { create_stream_socket_perms connectto };
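Review bot: `dontaudit openshift_t self:unix_stream_socket recvfrom;` is the only new rule in this run that names the concrete `openshift_t` type; the line added right below it and every surrounding rule use the `openshift_domain` attribute. If the denial is hit by all openshift domains the line should read `dontaudit openshift_domain self:unix_stream_socket recvfrom;`; if it is deliberately limited to openshift_t, a short comment saying so would stop the next reader from "fixing" it. The rest of this new file is outside the hunk.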
@@ -44852,7 +44999,7 @@ index 87f17e8..63ee18a 100644
/var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
diff --git a/pcscd.if b/pcscd.if
-index 1c2a091..3ead3cc 100644
+index 1c2a091..2f1ff6a 100644
--- a/pcscd.if
+++ b/pcscd.if
@@ -34,7 +34,7 @@ interface(`pcscd_read_pub_files',`
@@ -44864,6 +45011,32 @@ index 1c2a091..3ead3cc 100644
')
########################################
+@@ -75,6 +75,25 @@ interface(`pcscd_manage_pub_pipes',`
+ manage_fifo_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
+ ')
+
++#######################################
++## <summary>
++## Read pcscd pid files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pcscd_read_pid_files',`
++ gen_require(`
++ type pcscd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Connect to pcscd over an unix stream socket.
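Review bot: The summary "Read pcscd pid files." understates what `pcscd_read_pid_files` grants: `read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)` covers every file of that type, and the pcscd.fc context visible just above this hunk labels `/var/run/pcscd\.pub` and `/var/run/pcscd\.events(/.*)?` with the same `pcscd_var_run_t`. Suggested summary: `## Read pcscd runtime files (pid, pub and event files under /var/run).` As a consequence the certmonger hunk earlier on this page now carries `pcscd_read_pub_files(certmonger_t)` next to the new `pcscd_read_pid_files(certmonger_t)`, where the apache and rpc hunks replace one with the other; the pub_files call there looks redundant, though harmless.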
diff --git a/pcscd.te b/pcscd.te
index ceafba6..47b690d 100644
--- a/pcscd.te
@@ -53027,7 +53200,7 @@ index 5a9630c..bedca3a 100644
+ manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)
')
diff --git a/qpid.te b/qpid.te
-index cb7ecb5..68f26ad 100644
+index cb7ecb5..23a33c5 100644
--- a/qpid.te
+++ b/qpid.te
@@ -12,12 +12,15 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
@@ -53048,7 +53221,7 @@ index cb7ecb5..68f26ad 100644
########################################
#
# qpidd local policy
-@@ -30,34 +33,41 @@ allow qpidd_t self:shm create_shm_perms;
+@@ -30,34 +33,42 @@ allow qpidd_t self:shm create_shm_perms;
allow qpidd_t self:tcp_socket create_stream_socket_perms;
allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
@@ -53084,6 +53257,7 @@ index cb7ecb5..68f26ad 100644
+dev_read_sysfs(qpidd_t)
dev_read_urand(qpidd_t)
++dev_read_rand(qpidd_t)
files_read_etc_files(qpidd_t)
+files_read_usr_files(qpidd_t)
@@ -54021,7 +54195,7 @@ index ed9c70d..c298507 100644
+
/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
diff --git a/raid.if b/raid.if
-index b1a85b5..db0d815 100644
+index b1a85b5..6d6ec1d 100644
--- a/raid.if
+++ b/raid.if
@@ -47,6 +47,24 @@ interface(`raid_run_mdadm',`
@@ -54049,8 +54223,31 @@ index b1a85b5..db0d815 100644
## Create, read, write, and delete the mdadm pid files.
## </summary>
## <desc>
+@@ -73,3 +91,22 @@ interface(`raid_manage_mdadm_pid',`
+ # mdadm policy
+ allow $1 mdadm_var_run_t:file manage_file_perms;
+ ')
++
++#######################################
++## <summary>
++## Check access to the mdadm executable.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`raid_access_check_mdadm',`
++ gen_require(`
++ type mdadm_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
++')
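Review bot: `raid_access_check_mdadm` grants `{ getattr_file_perms execute }` on `mdadm_exec_t`, and the summary "Check access to the mdadm executable." does not say that `execute` is needed here only for an access(2)/X_OK check and, on its own, does not let the caller actually run mdadm (no execute_no_trans or domain transition is granted). A sentence in the summary such as `## Check access (stat/access) to the mdadm executable without allowing it to be run; use raid_run_mdadm for that.` would keep callers like logwatch from being handed a broader interface later by mistake.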
diff --git a/raid.te b/raid.te
-index a8a12b7..a6cbba3 100644
+index a8a12b7..83609a4 100644
--- a/raid.te
+++ b/raid.te
@@ -10,11 +10,9 @@ type mdadm_exec_t;
@@ -54067,11 +54264,13 @@ index a8a12b7..a6cbba3 100644
########################################
#
-@@ -23,18 +21,20 @@ files_pid_file(mdadm_var_run_t)
+@@ -22,21 +20,24 @@ files_pid_file(mdadm_var_run_t)
+ #
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
- dontaudit mdadm_t self:capability sys_tty_config;
+-dontaudit mdadm_t self:capability sys_tty_config;
-allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
++dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace };
+allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
+allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -54093,8 +54292,11 @@ index a8a12b7..a6cbba3 100644
+kernel_request_load_module(mdadm_t)
kernel_rw_software_raid_state(mdadm_t)
kernel_getattr_core_if(mdadm_t)
++kernel_setsched(mdadm_t)
-@@ -52,15 +52,18 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
+ # Helper program access
+ corecmd_exec_bin(mdadm_t)
+@@ -52,15 +53,18 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
dev_read_realtime_clock(mdadm_t)
# unfortunately needed for DMI decoding:
dev_read_raw_memory(mdadm_t)
@@ -54116,7 +54318,7 @@ index a8a12b7..a6cbba3 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -69,16 +72,17 @@ mls_file_write_all_levels(mdadm_t)
+@@ -69,16 +73,17 @@ mls_file_write_all_levels(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_dev_filetrans_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
@@ -54136,7 +54338,7 @@ index a8a12b7..a6cbba3 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
userdom_dontaudit_use_user_terminals(mdadm_t)
-@@ -86,6 +90,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
+@@ -86,6 +91,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
mta_send_mail(mdadm_t)
optional_policy(`
@@ -57566,7 +57768,7 @@ index dddabcf..a61764b 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
-index 330d01f..fd96b3c 100644
+index 330d01f..b046d49 100644
--- a/rpc.te
+++ b/rpc.te
@@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0)
@@ -57789,7 +57991,7 @@ index 330d01f..fd96b3c 100644
')
optional_policy(`
-@@ -226,6 +271,11 @@ optional_policy(`
+@@ -226,10 +271,15 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(gssd, gssd_t)
@@ -57801,6 +58003,11 @@ index 330d01f..fd96b3c 100644
')
optional_policy(`
+- pcscd_read_pub_files(gssd_t)
++ pcscd_read_pid_files(gssd_t)
+ ')
+
+ optional_policy(`
diff --git a/rpcbind.fc b/rpcbind.fc
index f5c47d6..164ce1f 100644
--- a/rpcbind.fc
@@ -59332,7 +59539,7 @@ index 82cb169..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 905883f..7e70344 100644
+index 905883f..aa1849f 100644
--- a/samba.te
+++ b/samba.te
@@ -12,7 +12,7 @@ policy_module(samba, 1.15.0)
@@ -59401,7 +59608,7 @@ index 905883f..7e70344 100644
files_read_usr_symlinks(samba_net_t)
auth_use_nsswitch(samba_net_t)
-@@ -211,15 +219,16 @@ auth_manage_cache(samba_net_t)
+@@ -211,30 +219,33 @@ auth_manage_cache(samba_net_t)
logging_send_syslog_msg(samba_net_t)
@@ -59422,7 +59629,9 @@ index 905883f..7e70344 100644
')
optional_policy(`
-@@ -228,13 +237,15 @@ optional_policy(`
+- pcscd_read_pub_files(samba_net_t)
++ pcscd_read_pid_files(samba_net_t)
+ ')
optional_policy(`
kerberos_use(samba_net_t)
@@ -62105,7 +62314,7 @@ index 7e94c7c..ca74cd9 100644
+ admin_pattern($1, mail_spool_t)
+')
diff --git a/sendmail.te b/sendmail.te
-index 22dac1f..a536819 100644
+index 22dac1f..43db349 100644
--- a/sendmail.te
+++ b/sendmail.te
@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
@@ -62120,7 +62329,15 @@ index 22dac1f..a536819 100644
########################################
#
-@@ -52,7 +51,6 @@ kernel_read_kernel_sysctls(sendmail_t)
+@@ -29,6 +28,7 @@ role system_r types unconfined_sendmail_t;
+ #
+
+ allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
++dontaudit sendmail_t self:capability net_admin;
+ allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
+ allow sendmail_t self:fifo_file rw_fifo_file_perms;
+ allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
+@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(sendmail_t)
# for piping mail to a command
kernel_read_system_state(sendmail_t)
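Review bot: The added `dontaudit sendmail_t self:capability net_admin;` carries no comment saying what sendmail does that requests CAP_NET_ADMIN, which makes it hard to later judge whether the probe is still harmless. Silencing rather than allowing is the right call for a capability this strong, but the rationale should live next to the rule: `# sendmail probes CAP_NET_ADMIN (presumably a privileged socket option); not required, silence instead of allowing`. The sendmail_t block continues past this hunk.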
@@ -62128,7 +62345,7 @@ index 22dac1f..a536819 100644
corenet_all_recvfrom_netlabel(sendmail_t)
corenet_tcp_sendrecv_generic_if(sendmail_t)
corenet_tcp_sendrecv_generic_node(sendmail_t)
-@@ -79,17 +77,18 @@ corecmd_exec_bin(sendmail_t)
+@@ -79,17 +78,18 @@ corecmd_exec_bin(sendmail_t)
domain_use_interactive_fds(sendmail_t)
@@ -62148,7 +62365,7 @@ index 22dac1f..a536819 100644
auth_use_nsswitch(sendmail_t)
-@@ -100,10 +99,10 @@ logging_send_syslog_msg(sendmail_t)
+@@ -100,10 +100,10 @@ logging_send_syslog_msg(sendmail_t)
logging_dontaudit_write_generic_logs(sendmail_t)
miscfiles_read_generic_certs(sendmail_t)
@@ -62161,7 +62378,7 @@ index 22dac1f..a536819 100644
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
-@@ -115,6 +114,10 @@ mta_manage_spool(sendmail_t)
+@@ -115,6 +115,10 @@ mta_manage_spool(sendmail_t)
mta_sendmail_exec(sendmail_t)
optional_policy(`
@@ -62172,7 +62389,7 @@ index 22dac1f..a536819 100644
cron_read_pipes(sendmail_t)
')
-@@ -128,7 +131,14 @@ optional_policy(`
+@@ -128,7 +132,14 @@ optional_policy(`
')
optional_policy(`
@@ -62187,7 +62404,7 @@ index 22dac1f..a536819 100644
')
optional_policy(`
-@@ -149,7 +159,14 @@ optional_policy(`
+@@ -149,7 +160,14 @@ optional_policy(`
')
optional_policy(`
@@ -62202,7 +62419,7 @@ index 22dac1f..a536819 100644
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
')
-@@ -168,20 +185,13 @@ optional_policy(`
+@@ -168,20 +186,13 @@ optional_policy(`
')
optional_policy(`
@@ -67769,10 +67986,10 @@ index 0000000..2b878d8
+files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })
diff --git a/thumb.fc b/thumb.fc
new file mode 100644
-index 0000000..059e12c
+index 0000000..601aea3
--- /dev/null
+++ b/thumb.fc
-@@ -0,0 +1,16 @@
+@@ -0,0 +1,17 @@
+HOME_DIR/\.thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
+HOME_DIR/\.cache/thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
+HOME_DIR/missfont\.log.* gen_context(system_u:object_r:thumb_home_t,s0)
@@ -67787,6 +68004,7 @@ index 0000000..059e12c
+/usr/bin/whaaw-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/[^/]*thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/ffmpegthumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/mate-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0)
+
+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
diff --git a/thumb.if b/thumb.if
@@ -71327,7 +71545,7 @@ index 6f0736b..882e76b 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..75efecc 100644
+index 947bbc6..cd04086 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,97 @@ policy_module(virt, 1.5.0)
@@ -71715,7 +71933,7 @@ index 947bbc6..75efecc 100644
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -225,16 +326,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -225,16 +326,23 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -71731,6 +71949,7 @@ index 947bbc6..75efecc 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
+kernel_setsched(virtd_t)
++kernel_write_proc_files(virtd_t)
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
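Review bot: `kernel_write_proc_files(virtd_t)` is a broad grant (write on generic proc files) added for the narrower need the changelog describes, "write to /proc in order to open namespace sockets for write", and nothing in the hunk records that. A why-comment above the line, `# libvirt needs write access under /proc to open namespace entries for write (guestmount); broader than needed, revisit once the exact path/label is known`, lets a later reviewer tighten it to a dedicated interface. The virtd_t rules continue beyond this hunk.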
@@ -71739,7 +71958,7 @@ index 947bbc6..75efecc 100644
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
-@@ -247,22 +354,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -247,22 +355,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -71773,7 +71992,7 @@ index 947bbc6..75efecc 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +386,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -270,6 +387,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -71792,7 +72011,7 @@ index 947bbc6..75efecc 100644
mcs_process_set_categories(virtd_t)
-@@ -284,7 +412,8 @@ term_use_ptmx(virtd_t)
+@@ -284,7 +413,8 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -71802,7 +72021,7 @@ index 947bbc6..75efecc 100644
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
-@@ -293,17 +422,36 @@ modutils_read_module_config(virtd_t)
+@@ -293,17 +423,36 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -71839,7 +72058,7 @@ index 947bbc6..75efecc 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +470,10 @@ optional_policy(`
+@@ -322,6 +471,10 @@ optional_policy(`
')
optional_policy(`
@@ -71850,7 +72069,7 @@ index 947bbc6..75efecc 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -335,19 +487,34 @@ optional_policy(`
+@@ -335,19 +488,34 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@@ -71886,7 +72105,7 @@ index 947bbc6..75efecc 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -362,6 +529,12 @@ optional_policy(`
+@@ -362,6 +530,12 @@ optional_policy(`
')
optional_policy(`
@@ -71899,7 +72118,7 @@ index 947bbc6..75efecc 100644
policykit_dbus_chat(virtd_t)
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +542,11 @@ optional_policy(`
+@@ -369,11 +543,11 @@ optional_policy(`
')
optional_policy(`
@@ -71916,7 +72135,7 @@ index 947bbc6..75efecc 100644
')
optional_policy(`
-@@ -384,6 +557,7 @@ optional_policy(`
+@@ -384,6 +558,7 @@ optional_policy(`
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
@@ -71924,7 +72143,7 @@ index 947bbc6..75efecc 100644
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
xen_read_image_files(virtd_t)
-@@ -402,35 +576,86 @@ optional_policy(`
+@@ -402,35 +577,86 @@ optional_policy(`
#
# virtual domains common policy
#
@@ -72020,7 +72239,7 @@ index 947bbc6..75efecc 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -438,34 +663,625 @@ dev_write_sound(virt_domain)
+@@ -438,34 +664,625 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -72304,7 +72523,7 @@ index 947bbc6..75efecc 100644
+manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
+
+domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
-+allow virtd_t virtd_lxc_t:process { signal signull sigkill };
++allow virtd_t virtd_lxc_t:process { getattr signal signull sigkill };
+
+allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
+manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
@@ -72649,7 +72868,7 @@ index 947bbc6..75efecc 100644
+
+type svirt_socket_t;
+role system_r types svirt_socket_t;
-+allow svirt_t svirt_socket_t:unix_stream_socket connectto;
++allow svirt_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
diff --git a/vlock.te b/vlock.te
index 2511093..669dc13 100644
--- a/vlock.te
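Review bot: The rule grants `create_stream_socket_perms` to `svirt_t` on svirt_socket_t unix_stream_sockets, while the changelog describes the permission as being for virtd_t; one of the two looks wrong and should be reconciled. `create_stream_socket_perms` also adds create, bind, listen and accept on top of the previous `connectto`, considerably more than a guest domain needs to connect to a socket, so if virtd_t is the one creating these sockets the svirt_t rule should stay at `connectto` and the create permissions go on virtd_t. The svirt_socket_t definition may continue outside this hunk.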
@@ -74198,7 +74417,7 @@ index 11c1b12..fc5d128 100644
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
diff --git a/xguest.te b/xguest.te
-index e88b95f..e7427a2 100644
+index e88b95f..6df3c37 100644
--- a/xguest.te
+++ b/xguest.te
@@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true)
@@ -74266,7 +74485,7 @@ index e88b95f..e7427a2 100644
')
')
-@@ -76,23 +90,97 @@ optional_policy(`
+@@ -76,23 +90,105 @@ optional_policy(`
')
optional_policy(`
@@ -74277,24 +74496,32 @@ index e88b95f..e7427a2 100644
+
+
+optional_policy(`
++ colord_dbus_chat(xguest_t)
++')
++
++optional_policy(`
+ chrome_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
++ dbus_dontaudit_chat_system_bus(xguest_t)
++')
++
++optional_policy(`
hal_dbus_chat(xguest_t)
')
optional_policy(`
- java_role(xguest_r, xguest_t)
+ apache_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
-+ gnome_role(xguest_r, xguest_t)
')
optional_policy(`
- mozilla_role(xguest_r, xguest_t)
++ gnome_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
+ gnomeclock_dontaudit_dbus_chat(xguest_t)
+')
+
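Review bot: `dbus_dontaudit_chat_system_bus(xguest_t)` silences every system-bus send_msg denial for the guest role without a comment saying which chatter it targets, so denials that would reveal a genuinely needed (or unexpected) service call are hidden as well. A short why-comment, `# silence system bus probes from desktop apps under xguest; add an explicit *_dbus_chat rule when a service is really needed`, keeps it reviewable. As a point of style, the new `colord_dbus_chat` block is inserted before `chrome_role`, which deviates from the alphabetical ordering of optional_policy blocks refpolicy usually follows; the block list continues past this hunk.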
@@ -74303,7 +74530,7 @@ index e88b95f..e7427a2 100644
+')
+
+optional_policy(`
-+ pcscd_read_pub_files(xguest_t)
++ pcscd_read_pid_files(xguest_t)
+ pcscd_stream_connect(xguest_t)
+')
+
@@ -74314,7 +74541,7 @@ index e88b95f..e7427a2 100644
optional_policy(`
tunable_policy(`xguest_connect_network',`
networkmanager_dbus_chat(xguest_t)
-+ networkmanager_read_lib_files(xguest_t)
++ networkmanager_read_lib_files(xguest_t)
+ ')
+')
+
@@ -74722,7 +74949,7 @@ index 21ae664..3d08962 100644
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
+')
diff --git a/zarafa.te b/zarafa.te
-index 91267bc..0aa9870 100644
+index 91267bc..b261d41 100644
--- a/zarafa.te
+++ b/zarafa.te
@@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
@@ -74736,19 +74963,25 @@ index 91267bc..0aa9870 100644
zarafa_domain_template(monitor)
zarafa_domain_template(server)
-@@ -48,10 +52,9 @@ auth_use_nsswitch(zarafa_deliver_t)
+@@ -43,15 +47,12 @@ files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
+
+ auth_use_nsswitch(zarafa_deliver_t)
+
++corenet_tcp_bind_lmtp_port(zarafa_deliver_t)
++
+ ########################################
+ #
# zarafa_gateway local policy
#
-
+-
-allow zarafa_gateway_t self:capability { chown kill };
-+allow zarafa_gateway_t self:capability { kill };
- allow zarafa_gateway_t self:process setrlimit;
-
+-allow zarafa_gateway_t self:process setrlimit;
+-
-corenet_all_recvfrom_unlabeled(zarafa_gateway_t)
corenet_all_recvfrom_netlabel(zarafa_gateway_t)
corenet_tcp_sendrecv_generic_if(zarafa_gateway_t)
corenet_tcp_sendrecv_generic_node(zarafa_gateway_t)
-@@ -59,16 +62,28 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+@@ -59,16 +60,28 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
corenet_tcp_bind_generic_node(zarafa_gateway_t)
corenet_tcp_bind_pop_port(zarafa_gateway_t)
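Review bot: `corenet_tcp_bind_lmtp_port(zarafa_deliver_t)` is placed after `auth_use_nsswitch(zarafa_deliver_t)`, whereas the neighbouring zarafa_gateway and zarafa_ical blocks keep the refpolicy ordering of corenet_ calls before auth_ calls; move the new line above auth_use_nsswitch. Binding a port also needs node bind permission, and the earlier lines of the deliver block are outside this hunk, so confirm zarafa_deliver_t already has `corenet_tcp_bind_generic_node(zarafa_deliver_t)`; otherwise the bind still fails on the node class.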
@@ -74780,7 +75013,7 @@ index 91267bc..0aa9870 100644
corenet_all_recvfrom_netlabel(zarafa_ical_t)
corenet_tcp_sendrecv_generic_if(zarafa_ical_t)
corenet_tcp_sendrecv_generic_node(zarafa_ical_t)
-@@ -83,7 +98,6 @@ auth_use_nsswitch(zarafa_ical_t)
+@@ -83,7 +96,6 @@ auth_use_nsswitch(zarafa_ical_t)
# zarafa-monitor local policy
#
@@ -74788,16 +75021,17 @@ index 91267bc..0aa9870 100644
auth_use_nsswitch(zarafa_monitor_t)
-@@ -92,7 +106,7 @@ auth_use_nsswitch(zarafa_monitor_t)
+@@ -92,8 +104,7 @@ auth_use_nsswitch(zarafa_monitor_t)
# zarafa_server local policy
#
-allow zarafa_server_t self:capability { chown kill net_bind_service };
-+allow zarafa_server_t self:capability { kill net_bind_service };
- allow zarafa_server_t self:process setrlimit;
+-allow zarafa_server_t self:process setrlimit;
++allow zarafa_server_t self:capability net_bind_service;
manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
-@@ -101,11 +115,11 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
+ manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
+@@ -101,11 +112,11 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
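Review bot: Moving `kill` and `process setrlimit` off zarafa_server_t here (and off zarafa_spooler_t and zarafa_gateway_t in the next hunk) onto the zarafa_domain attribute in the `@@ -74857` hunk gives those permissions to every zarafa domain, including ones the visible removals never covered such as zarafa_ical_t, zarafa_monitor_t and zarafa_deliver_t. That widens the attribute beyond the consolidation the changelog describes; if those domains do not signal other processes or raise limits, keep `kill`/`setrlimit` as per-domain rules on gateway, server and spooler and consolidate only signal_perms. The zarafa_server_t block continues past this hunk.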
@@ -74811,29 +75045,24 @@ index 91267bc..0aa9870 100644
corenet_all_recvfrom_netlabel(zarafa_server_t)
corenet_tcp_sendrecv_generic_if(zarafa_server_t)
corenet_tcp_sendrecv_generic_node(zarafa_server_t)
-@@ -135,11 +149,10 @@ optional_policy(`
+@@ -135,11 +146,8 @@ optional_policy(`
# zarafa_spooler local policy
#
-allow zarafa_spooler_t self:capability { chown kill };
-+allow zarafa_spooler_t self:capability { kill };
-
+-
can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
-corenet_all_recvfrom_unlabeled(zarafa_spooler_t)
corenet_all_recvfrom_netlabel(zarafa_spooler_t)
corenet_tcp_sendrecv_generic_if(zarafa_spooler_t)
corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
-@@ -150,11 +163,35 @@ auth_use_nsswitch(zarafa_spooler_t)
+@@ -150,12 +158,32 @@ auth_use_nsswitch(zarafa_spooler_t)
########################################
#
+# zarafa_gateway local policy
+#
-+
-+allow zarafa_gateway_t self:capability { kill };
-+allow zarafa_gateway_t self:process setrlimit;
-+
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
+
+#######################################
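Review bot: After this hunk the second `# zarafa_gateway local policy` section near new line 158 shrinks to a lone `corenet_tcp_bind_pop_port(zarafa_gateway_t)`, and the main zarafa_gateway section earlier in the file already contains the same call, so the header and rule appear to be a duplicate. Drop this trailing section and keep the single gateway block; the spooler rules above it are unaffected.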
@@ -74857,11 +75086,13 @@ index 91267bc..0aa9870 100644
# bad permission on /etc/zarafa
-allow zarafa_domain self:capability { dac_override setgid setuid };
-+allow zarafa_domain self:capability { dac_override chown setgid setuid };
- allow zarafa_domain self:process signal;
+-allow zarafa_domain self:process signal;
++allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
++allow zarafa_domain self:process { signal_perms setrlimit };
allow zarafa_domain self:fifo_file rw_fifo_file_perms;
allow zarafa_domain self:tcp_socket create_stream_socket_perms;
-@@ -164,8 +201,8 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
+ allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
+@@ -164,8 +192,8 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 24e1eb6..3c23cc1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 71%{?dist}
+Release: 72%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,29 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Jan 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-72
+- Dontaudit net_admin capability for sendmail
+- Logwatch does access check on mdadm binary
+- Add raid_access_check_mdadm() iterface
+- Allow gpg_t to manage all gnome files
+- Add ~/.quakelive as mozilla_home_t content
+- Dontaudit mdadm_t running ps command which is causing sys_ptrace avcs
+- Allow virtd_t to create stream socket perms for svirt_socket_t, so that it can use guestmount.
+- Need to allow virtd_t to write to /proc in order to open namespace sockets for write.
+- Add a couple of dontaudit rules to silence the noice
+- Allow zarafa_deliver_t to bind to lmtp port, also consolodate signal_perms and setrlimit and kill to use zarafa_domain attribute
+- Add mate-thumbnail-font as thumnailer
+- Add pcscd_read_pid_files() interface
+- Lots of probing avc's caused by execugting gpg from staff_t
+- Looks like qpidd_t needs to read /dev/random
+- firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm. Would like to clean this up but for now we will allow
+- Added systemd support for ksmtuned
+- Added booleans
+ ksmtuned_use_nfs
+ ksmtuned_use_cifs
+- Add definition for 2003 as an lmtp port
+- Add filename transition for opasswd
+
* Tue Jan 15 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-71
- Allow udev to communicate with the logind daemon
- Add labeling for texlive bash scripts