[selinux-policy] - Change ssh_use_pts to use macro and only inherited sshd_devpts_t - Allow confined users to read sy

Miroslav Grepl mgrepl at fedoraproject.org
Mon Jan 28 19:12:17 UTC 2013


commit aab1932f467c98a163cef4a916400727251f27b1
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Jan 28 20:11:03 2013 +0100

    - Change ssh_use_pts to use macro and only inherited sshd_devpts_t
    - Allow confined users to read systemd_logind seat information
    - libmpg ships badly created libraries
    - Add support for strongswan.service
    - Add labeling for strongswan
    - Allow l2tpd_t to read network manager content in /run directory
    - Allow rsync to getattr any file in rsync_data_t
    - Add labeling and filename transition for .grl-podcasts

 policy-rawhide-base.patch    |  276 ++++++++++++++++++++++++++---------------
 policy-rawhide-contrib.patch |   30 +++--
 selinux-policy.spec          |   12 ++-
 3 files changed, 206 insertions(+), 112 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 5cb6337..3ca93a0 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -26309,7 +26309,7 @@ index 0000000..310ea6d
 \ No newline at end of file
 diff --git a/man/man8/condor_collector_selinux.8 b/man/man8/condor_collector_selinux.8
 new file mode 100644
-index 0000000..b0807ef
+index 0000000..b0807efa
 --- /dev/null
 +++ b/man/man8/condor_collector_selinux.8
 @@ -0,0 +1,261 @@
@@ -228517,8 +228517,43 @@ index dd3be8d..aab0c5a 100644
 +     allow daemon direct_run_init:process sigchld;
 +     allow direct_run_init direct_init_entry:file { getattr open read execute };
 +')
+diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
+index 662e79b..a452892 100644
+--- a/policy/modules/system/ipsec.fc
++++ b/policy/modules/system/ipsec.fc
+@@ -1,6 +1,8 @@
+ /etc/rc\.d/init\.d/ipsec	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/racoon	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+ 
++/usr/lib/systemd/system/strongswan.*         --  gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
++
+ /etc/ipsec\.secrets		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
+ /etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+ /etc/racoon/psk\.txt		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
+@@ -8,6 +10,8 @@
+ /etc/racoon(/.*)?			gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+ /etc/racoon/certs(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
+ 
++/etc/strongswan(/.*)?		gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++
+ /etc/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
+ 
+ /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
+@@ -26,10 +30,12 @@
+ /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+ /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+ /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
++/usr/libexec/strongswan		--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+ 
+ /usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+ /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
+ /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
++/usr/sbin/strongswan	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+ 
+ /var/lock/subsys/ipsec		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
+ 
 diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..9d66bf7 100644
+index 0d4c8d3..ac0a652 100644
 --- a/policy/modules/system/ipsec.if
 +++ b/policy/modules/system/ipsec.if
 @@ -120,7 +120,6 @@ interface(`ipsec_exec_mgmt',`
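Review bot: `/usr/libexec/strongswan` on the new ipsec.fc line carries the `--` (regular-file) qualifier, but in strongSwan's usual packaging that path is a directory holding the IKE daemon and helper programs rather than a single file; if that is the case here, neither the directory nor anything under it receives a label from this entry. Worth confirming what the package actually installs there and, if it is a directory, labeling its contents explicitly (e.g. `/usr/libexec/strongswan(/.*)?`) with the type those helpers should really run under — a daemon binary arguably belongs with ipsec_exec_t rather than the management type ipsec_mgmt_exec_t, which is what `/usr/sbin/strongswan` correctly gets. The `/usr/lib/systemd/system/strongswan.*` entry also aligns its columns with spaces where the rest of the file uses tabs; `/usr/lib/systemd/system/strongswan.*<tab>--<tab>gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)` would match the surrounding style.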
@@ -228553,11 +228588,48 @@ index 0d4c8d3..9d66bf7 100644
  ')
  
  ########################################
+@@ -369,3 +367,26 @@ interface(`ipsec_run_setkey',`
+ 	ipsec_domtrans_setkey($1)
+ 	role $2 types setkey_t;
+ ')
++
++#######################################
++## <summary>
++##  Execute strongswan in the ipsec_mgmt domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`ipsec_mgmt_systemctl',`
++    gen_require(`
++        type ipsec_mgmt_unit_file_t;
++        type ipsec_mgmt_t;
++    ')
++
++    systemd_exec_systemctl($1)
++    allow $1 ipsec_mgmt_unit_file_t:file read_file_perms;
++    allow $1 ipsec_mgmt_unit_file_t:service manage_service_perms;
++
++    ps_process_pattern($1, ipsec_mgmt_t)
++')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..ed744d2 100644
+index 9e54bf9..35992c7 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
-@@ -73,13 +73,15 @@ role system_r types setkey_t;
+@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
+ corecmd_shell_entry_type(ipsec_mgmt_t)
+ role system_r types ipsec_mgmt_t;
+ 
++type ipsec_mgmt_unit_file_t;
++systemd_unit_file(ipsec_mgmt_unit_file_t)
++
+ type ipsec_mgmt_lock_t;
+ files_lock_file(ipsec_mgmt_lock_t)
+ 
+@@ -73,13 +76,15 @@ role system_r types setkey_t;
  #
  
  allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
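Review bot: The doc block on the new `ipsec_mgmt_systemctl` interface does not describe what it grants: the summary reads "Execute strongswan in the ipsec_mgmt domain" and the parameter is "Domain allowed to transition", yet the body performs no domain transition — it lets `$1` run systemctl, read the unit file, hold manage_service_perms on it, and ps ipsec_mgmt_t processes. Suggest `##  Execute systemctl against the ipsec_mgmt (strongswan) unit file and view ipsec_mgmt_t processes.` for the summary and `##  Domain allowed access.` for the parameter, so a caller understands it is granting service control rather than a transition. The body is indented with spaces while the neighbouring interfaces in ipsec.if (see `ipsec_run_setkey` directly above) use tabs. The ipsec.te hunk in the same unit declares `ipsec_mgmt_unit_file_t`, so the `gen_require` resolves; `systemd_exec_systemctl` and `ps_process_pattern` are presumed to be provided by the base policy, which is not visible here.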
@@ -228574,7 +228646,7 @@ index 9e54bf9..ed744d2 100644
  
  allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
  
-@@ -128,20 +130,21 @@ corecmd_exec_shell(ipsec_t)
+@@ -128,20 +133,21 @@ corecmd_exec_shell(ipsec_t)
  corecmd_exec_bin(ipsec_t)
  
  # Pluto needs network access
@@ -228603,7 +228675,7 @@ index 9e54bf9..ed744d2 100644
  
  dev_read_sysfs(ipsec_t)
  dev_read_rand(ipsec_t)
-@@ -157,6 +160,8 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,6 +163,8 @@ files_dontaudit_search_home(ipsec_t)
  fs_getattr_all_fs(ipsec_t)
  fs_search_auto_mountpoints(ipsec_t)
  
@@ -228612,7 +228684,7 @@ index 9e54bf9..ed744d2 100644
  term_use_console(ipsec_t)
  term_dontaudit_use_all_ttys(ipsec_t)
  
-@@ -165,11 +170,13 @@ auth_use_nsswitch(ipsec_t)
+@@ -165,11 +173,13 @@ auth_use_nsswitch(ipsec_t)
  init_use_fds(ipsec_t)
  init_use_script_ptys(ipsec_t)
  
@@ -228627,7 +228699,7 @@ index 9e54bf9..ed744d2 100644
  
  userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
  userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -187,9 +194,9 @@ optional_policy(`
+@@ -187,9 +197,9 @@ optional_policy(`
  # ipsec_mgmt Local policy
  #
  
@@ -228640,7 +228712,7 @@ index 9e54bf9..ed744d2 100644
  allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -246,6 +253,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +256,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -228657,7 +228729,7 @@ index 9e54bf9..ed744d2 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -255,6 +272,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +275,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
  corecmd_exec_bin(ipsec_mgmt_t)
  corecmd_exec_shell(ipsec_mgmt_t)
  
@@ -228666,7 +228738,7 @@ index 9e54bf9..ed744d2 100644
  dev_read_rand(ipsec_mgmt_t)
  dev_read_urand(ipsec_mgmt_t)
  
-@@ -278,9 +297,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +300,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -228678,7 +228750,7 @@ index 9e54bf9..ed744d2 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -290,15 +310,16 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -290,15 +313,16 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
  
  logging_send_syslog_msg(ipsec_mgmt_t)
  
@@ -228700,7 +228772,7 @@ index 9e54bf9..ed744d2 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -370,13 +391,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +394,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
@@ -228720,7 +228792,7 @@ index 9e54bf9..ed744d2 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -401,10 +421,11 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +424,11 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -228733,7 +228805,7 @@ index 9e54bf9..ed744d2 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +459,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +462,9 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
@@ -228935,7 +229007,7 @@ index 5dfa44b..938e2ec 100644
  
  optional_policy(`
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..bd25d6e 100644
+index 73bb3c0..e96fdf3 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -1,3 +1,4 @@
@@ -229048,11 +229120,12 @@ index 73bb3c0..bd25d6e 100644
  /usr/lib/libfglrx_gamma\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/nppdf\.so 	-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/libvlcplugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -241,13 +254,10 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
+@@ -241,13 +254,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
  
  # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
  /usr/lib.*/libmpg123\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
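Review bot: The added `/usr/lib/libmpg123\.so(\.[^/]*)*` entry is already matched by the existing `/usr/lib.*/libmpg123\.so(\.[^/]*)*` two lines above (`/usr/lib.*` matches a bare `/usr/lib`), so it changes no labeling; if the intent was to cover a different install path the pattern should name that path instead. While here, the pre-existing neighbouring `/usr/libmpg123\.so(\.[^/]*)*` line looks like a stray edit of the removed `/usr/local(/.*)?/libmpg123...` entry — it would only ever match a file directly under /usr, which is not where a shared library is shipped. All of these assign textrel_shlib_t, which relaxes the execmod restriction for the matched objects, so keeping the patterns tight and non-overlapping is worth the extra care.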
@@ -229063,7 +229136,7 @@ index 73bb3c0..bd25d6e 100644
  
  # Jai, Sun Microsystems (Jpackage SPRM)
  /usr/lib/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -269,20 +279,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -269,20 +280,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  
  # Java, Sun Microsystems (JPackage SRPM)
  /usr/(.*/)?jre.*/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -229094,7 +229167,7 @@ index 73bb3c0..bd25d6e 100644
  
  /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -299,17 +308,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -299,17 +309,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -237659,7 +237732,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..0bb7b4d 100644
+index 3c5dba7..f2fe86e 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -237675,7 +237748,7 @@ index 3c5dba7..0bb7b4d 100644
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
  	domain_user_exemption_target($1_t)
-@@ -44,79 +46,131 @@ template(`userdom_base_user_template',`
+@@ -44,79 +46,132 @@ template(`userdom_base_user_template',`
  	term_user_pty($1_t, user_devpts_t)
  
  	term_user_tty($1_t, user_tty_device_t)
@@ -237831,6 +237904,7 @@ index 3c5dba7..0bb7b4d 100644
 +	systemd_read_logind_sessions_files($1_usertype)
 +	systemd_write_inhibit_pipes($1_usertype)
 +	systemd_write_inherited_logind_sessions_pipes($1_usertype)
++	systemd_login_read_pid_files($1_usertype)
 +
 +	tunable_policy(`deny_execmem',`', `
  		# Allow loading DSOs that require executable stack.
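Review bot: `systemd_login_read_pid_files($1_usertype)` is added without a comment tying it to its purpose; the commit message says it is for confined users reading systemd-logind seat information, but nothing in the template records that, so a one-liner such as `# read systemd-logind seat/session state under /run` above it would help the next maintainer judge whether the grant is still needed. The interface is presumed to be defined in the base patch's systemd.if, which is not visible in this hunk, and like the three `systemd_*` calls above it, it is called unconditionally rather than inside `optional_policy`, which is consistent with how this block treats systemd. The enclosing `userdom_base_user_template` starts and ends outside the hunk.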
@@ -237859,7 +237933,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  #######################################
-@@ -150,6 +204,8 @@ interface(`userdom_ro_home_role',`
+@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',`
  		type user_home_t, user_home_dir_t;
  	')
  
@@ -237868,7 +237942,7 @@ index 3c5dba7..0bb7b4d 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -167,27 +223,6 @@ interface(`userdom_ro_home_role',`
+@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',`
  	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
  	files_list_home($2)
  
@@ -237896,7 +237970,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  #######################################
-@@ -219,8 +254,11 @@ interface(`userdom_ro_home_role',`
+@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',`
  interface(`userdom_manage_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -237908,7 +237982,7 @@ index 3c5dba7..0bb7b4d 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -229,43 +267,47 @@ interface(`userdom_manage_home_role',`
+@@ -229,43 +268,47 @@ interface(`userdom_manage_home_role',`
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
  
  	# full control of the home directory
@@ -237972,7 +238046,7 @@ index 3c5dba7..0bb7b4d 100644
  	')
  ')
  
-@@ -273,6 +315,25 @@ interface(`userdom_manage_home_role',`
+@@ -273,6 +316,25 @@ interface(`userdom_manage_home_role',`
  ## <summary>
  ##	Manage user temporary files
  ## </summary>
@@ -237998,7 +238072,7 @@ index 3c5dba7..0bb7b4d 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -287,17 +348,64 @@ interface(`userdom_manage_home_role',`
+@@ -287,17 +349,64 @@ interface(`userdom_manage_home_role',`
  #
  interface(`userdom_manage_tmp_role',`
  	gen_require(`
@@ -238068,7 +238142,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  #######################################
-@@ -317,11 +425,31 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -317,11 +426,31 @@ interface(`userdom_exec_user_tmp_files',`
  	')
  
  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -238100,7 +238174,7 @@ index 3c5dba7..0bb7b4d 100644
  ##	Role access for the user tmpfs type
  ##	that the user has full access.
  ## </summary>
-@@ -348,59 +476,60 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -348,59 +477,60 @@ interface(`userdom_exec_user_tmp_files',`
  #
  interface(`userdom_manage_tmpfs_role',`
  	gen_require(`
@@ -238191,7 +238265,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  #######################################
-@@ -431,6 +560,7 @@ template(`userdom_xwindows_client_template',`
+@@ -431,6 +561,7 @@ template(`userdom_xwindows_client_template',`
  	dev_dontaudit_rw_dri($1_t)
  	# GNOME checks for usb and other devices:
  	dev_rw_usbfs($1_t)
@@ -238199,7 +238273,7 @@ index 3c5dba7..0bb7b4d 100644
  
  	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
  	xserver_xsession_entry_type($1_t)
-@@ -463,8 +593,8 @@ template(`userdom_change_password_template',`
+@@ -463,8 +594,8 @@ template(`userdom_change_password_template',`
  	')
  
  	optional_policy(`
@@ -238210,7 +238284,7 @@ index 3c5dba7..0bb7b4d 100644
  	')
  ')
  
-@@ -491,7 +621,8 @@ template(`userdom_common_user_template',`
+@@ -491,7 +622,8 @@ template(`userdom_common_user_template',`
  		attribute unpriv_userdomain;
  	')
  
@@ -238220,7 +238294,7 @@ index 3c5dba7..0bb7b4d 100644
  
  	##############################
  	#
-@@ -501,41 +632,51 @@ template(`userdom_common_user_template',`
+@@ -501,41 +633,51 @@ template(`userdom_common_user_template',`
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -238295,7 +238369,7 @@ index 3c5dba7..0bb7b4d 100644
  
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
-@@ -546,93 +687,121 @@ template(`userdom_common_user_template',`
+@@ -546,93 +688,121 @@ template(`userdom_common_user_template',`
  	selinux_compute_user_contexts($1_t)
  
  	# for eject
@@ -238455,7 +238529,7 @@ index 3c5dba7..0bb7b4d 100644
  	')
  
  	optional_policy(`
-@@ -646,19 +815,17 @@ template(`userdom_common_user_template',`
+@@ -646,19 +816,17 @@ template(`userdom_common_user_template',`
  
  	# for running depmod as part of the kernel packaging process
  	optional_policy(`
@@ -238480,7 +238554,7 @@ index 3c5dba7..0bb7b4d 100644
  			mysql_stream_connect($1_t)
  		')
  	')
-@@ -671,7 +838,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +839,7 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -238489,7 +238563,7 @@ index 3c5dba7..0bb7b4d 100644
  	')
  
  	optional_policy(`
-@@ -680,9 +847,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +848,9 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -238502,7 +238576,7 @@ index 3c5dba7..0bb7b4d 100644
  		')
  	')
  
-@@ -693,32 +860,36 @@ template(`userdom_common_user_template',`
+@@ -693,32 +861,36 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -238550,7 +238624,7 @@ index 3c5dba7..0bb7b4d 100644
  	')
  ')
  
-@@ -743,17 +914,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +915,33 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -238589,7 +238663,7 @@ index 3c5dba7..0bb7b4d 100644
  
  	userdom_change_password_template($1)
  
-@@ -761,82 +948,100 @@ template(`userdom_login_user_template', `
+@@ -761,82 +949,100 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -238726,7 +238800,7 @@ index 3c5dba7..0bb7b4d 100644
  	')
  ')
  
-@@ -868,6 +1073,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1074,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -238739,7 +238813,7 @@ index 3c5dba7..0bb7b4d 100644
  	##############################
  	#
  	# Local policy
-@@ -908,41 +1119,91 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -908,41 +1120,91 @@ template(`userdom_restricted_xwindows_user_template',`
  	# Local policy
  	#
  
@@ -238844,7 +238918,7 @@ index 3c5dba7..0bb7b4d 100644
  		')
  
  		optional_policy(`
-@@ -951,12 +1212,26 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,12 +1213,26 @@ template(`userdom_restricted_xwindows_user_template',`
  	')
  
  	optional_policy(`
@@ -238872,7 +238946,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  #######################################
-@@ -990,27 +1265,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1266,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -238910,7 +238984,7 @@ index 3c5dba7..0bb7b4d 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1021,23 +1302,57 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1303,57 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -238978,7 +239052,7 @@ index 3c5dba7..0bb7b4d 100644
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1046,7 +1361,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1362,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -238989,7 +239063,7 @@ index 3c5dba7..0bb7b4d 100644
  	')
  ')
  
-@@ -1082,7 +1399,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1400,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -238998,7 +239072,7 @@ index 3c5dba7..0bb7b4d 100644
  	')
  
  	##############################
-@@ -1109,6 +1426,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1427,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -239006,7 +239080,7 @@ index 3c5dba7..0bb7b4d 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1117,6 +1435,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1436,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -239016,7 +239090,7 @@ index 3c5dba7..0bb7b4d 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1131,6 +1452,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1453,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -239024,7 +239098,7 @@ index 3c5dba7..0bb7b4d 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1148,10 +1470,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1471,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -239039,7 +239113,7 @@ index 3c5dba7..0bb7b4d 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1162,29 +1488,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1489,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -239082,7 +239156,7 @@ index 3c5dba7..0bb7b4d 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1529,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1530,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -239091,7 +239165,7 @@ index 3c5dba7..0bb7b4d 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1538,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1539,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -239110,7 +239184,7 @@ index 3c5dba7..0bb7b4d 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1253,6 +1594,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1595,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -239119,7 +239193,7 @@ index 3c5dba7..0bb7b4d 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1265,8 +1608,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1609,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -239131,7 +239205,7 @@ index 3c5dba7..0bb7b4d 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1277,35 +1622,37 @@ template(`userdom_security_admin_template',`
+@@ -1277,35 +1623,37 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -239182,7 +239256,7 @@ index 3c5dba7..0bb7b4d 100644
  
  ########################################
  ## <summary>
-@@ -1360,14 +1707,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1708,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -239201,7 +239275,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -1408,6 +1758,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1759,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -239253,7 +239327,7 @@ index 3c5dba7..0bb7b4d 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1512,11 +1907,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1908,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -239285,7 +239359,7 @@ index 3c5dba7..0bb7b4d 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1558,6 +1973,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1974,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -239300,7 +239374,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -1573,9 +1996,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +1997,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -239312,7 +239386,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -1632,6 +2057,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2058,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -239355,7 +239429,7 @@ index 3c5dba7..0bb7b4d 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1711,6 +2172,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2173,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -239364,7 +239438,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -1744,10 +2207,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2208,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -239379,7 +239453,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -1772,7 +2237,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2238,7 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -239388,7 +239462,7 @@ index 3c5dba7..0bb7b4d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1780,19 +2245,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1780,19 +2246,17 @@ interface(`userdom_manage_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -239412,7 +239486,7 @@ index 3c5dba7..0bb7b4d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1800,31 +2263,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1800,31 +2264,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -239452,7 +239526,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -1848,6 +2311,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2312,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -239478,7 +239552,7 @@ index 3c5dba7..0bb7b4d 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1878,14 +2360,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2361,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -239516,7 +239590,7 @@ index 3c5dba7..0bb7b4d 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1896,11 +2400,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2401,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -239534,7 +239608,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -1941,7 +2448,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2449,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -239561,7 +239635,7 @@ index 3c5dba7..0bb7b4d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1951,17 +2476,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2477,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  #
  interface(`userdom_delete_all_user_home_content_files',`
  	gen_require(`
@@ -239582,7 +239656,7 @@ index 3c5dba7..0bb7b4d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1969,12 +2492,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2493,48 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -239633,7 +239707,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -2010,8 +2569,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2570,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -239643,7 +239717,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -2027,20 +2585,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2586,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -239668,7 +239742,7 @@ index 3c5dba7..0bb7b4d 100644
  
  ########################################
  ## <summary>
-@@ -2123,7 +2675,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2676,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -239677,7 +239751,7 @@ index 3c5dba7..0bb7b4d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2131,19 +2683,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2684,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -239701,7 +239775,7 @@ index 3c5dba7..0bb7b4d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2151,12 +2701,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2702,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -239717,7 +239791,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -2393,11 +2943,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2944,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -239732,7 +239806,7 @@ index 3c5dba7..0bb7b4d 100644
  	files_search_tmp($1)
  ')
  
-@@ -2417,7 +2967,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +2968,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -239741,7 +239815,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -2664,6 +3214,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3215,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -239767,7 +239841,7 @@ index 3c5dba7..0bb7b4d 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2680,13 +3249,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3250,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -239783,7 +239857,7 @@ index 3c5dba7..0bb7b4d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2707,7 +3277,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3278,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -239792,7 +239866,7 @@ index 3c5dba7..0bb7b4d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2715,19 +3285,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,19 +3286,17 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -239815,7 +239889,7 @@ index 3c5dba7..0bb7b4d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2735,35 +3303,53 @@ interface(`userdom_manage_user_tmpfs_files',`
+@@ -2735,35 +3304,53 @@ interface(`userdom_manage_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -239877,7 +239951,7 @@ index 3c5dba7..0bb7b4d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2817,6 +3403,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3404,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -239902,7 +239976,7 @@ index 3c5dba7..0bb7b4d 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2835,22 +3439,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3440,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -239945,7 +240019,7 @@ index 3c5dba7..0bb7b4d 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,14 +3475,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3476,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -239983,7 +240057,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -2885,8 +3520,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3521,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -240013,7 +240087,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -2958,69 +3612,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3613,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -240114,7 +240188,7 @@ index 3c5dba7..0bb7b4d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3028,12 +3681,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3682,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -240129,7 +240203,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -3097,7 +3750,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3751,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -240138,7 +240212,7 @@ index 3c5dba7..0bb7b4d 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3113,29 +3766,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3767,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -240172,7 +240246,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -3217,7 +3854,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3855,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -240181,7 +240255,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -3272,7 +3909,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3910,64 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -240247,7 +240321,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -3290,7 +3984,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +3985,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -240256,7 +240330,7 @@ index 3c5dba7..0bb7b4d 100644
  ')
  
  ########################################
-@@ -3309,6 +4003,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4004,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -240264,7 +240338,7 @@ index 3c5dba7..0bb7b4d 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3385,6 +4080,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4081,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -240307,7 +240381,7 @@ index 3c5dba7..0bb7b4d 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4136,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4137,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -240332,7 +240406,7 @@ index 3c5dba7..0bb7b4d 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3439,3 +4188,1365 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3439,3 +4189,1365 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 99f1306..972f2b9 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -31146,10 +31146,10 @@ index 73e2803..562d25b 100644
  	files_search_pids($1)
  	admin_pattern($1, l2tpd_var_run_t)
 diff --git a/l2tp.te b/l2tp.te
-index 19f2b97..134b150 100644
+index 19f2b97..17f1883 100644
 --- a/l2tp.te
 +++ b/l2tp.te
-@@ -75,16 +75,12 @@ corecmd_exec_bin(l2tpd_t)
+@@ -75,19 +75,19 @@ corecmd_exec_bin(l2tpd_t)
  
  dev_read_urand(l2tpd_t)
  
@@ -31166,6 +31166,13 @@ index 19f2b97..134b150 100644
  sysnet_dns_name_resolve(l2tpd_t)
  
  optional_policy(`
++	networkmanager_read_pid_files(l2tpd_t)
++')
++
++optional_policy(`
+ 	ppp_domtrans(l2tpd_t)
+ 	ppp_signal(l2tpd_t)
+ 	ppp_kill(l2tpd_t)
 diff --git a/ldap.fc b/ldap.fc
 index bc25c95..dcdbe9b 100644
 --- a/ldap.fc
@@ -35097,10 +35104,10 @@ index 4462c0e..84944d1 100644
  
  userdom_dontaudit_use_unpriv_user_fds(monopd_t)
 diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..4cecf11 100644
+index 6ffaba2..ce28024 100644
 --- a/mozilla.fc
 +++ b/mozilla.fc
-@@ -1,38 +1,59 @@
+@@ -1,38 +1,60 @@
 -HOME_DIR/\.galeon(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla/plugins(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -35129,7 +35136,8 @@ index 6ffaba2..4cecf11 100644
 +HOME_DIR/\.adobe(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.macromedia(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.gnash(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.gcjwebplugin(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.gcjwebplugin(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.grl-podcasts(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.icedteaplugin(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.lyx(/.*)?                   gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.quakelive(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
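Review bot: The new `HOME_DIR/\.grl-podcasts(/.*)?` entry reuses mozilla_home_t for what is presumably the Grilo podcasts plugin's per-user directory, and nothing in the hunk says why that directory belongs to the Mozilla home type rather than a type of its own; every domain that already manages mozilla_home_t gains the same access to this directory. A one-line comment above the entry, `# ~/.grl-podcasts: <reason it shares mozilla_home_t>`, would make the choice reviewable, since the commit message only says "Add labeling". Separately, the `.gcjwebplugin` line is changed from two tabs to one and the new entry also uses one tab while its neighbours use two; .fc files are whitespace-insensitive so this is harmless, but it enlarges the diff beyond the one-line addition. The matching filetrans is added in the mozilla.if hunk further down.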
@@ -35195,7 +35203,7 @@ index 6ffaba2..4cecf11 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index 6194b80..84438b1 100644
+index 6194b80..60bb004 100644
 --- a/mozilla.if
 +++ b/mozilla.if
 @@ -1,146 +1,75 @@
@@ -35816,7 +35824,7 @@ index 6194b80..84438b1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -530,45 +430,46 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +430,47 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -35878,6 +35886,7 @@ index 6194b80..84438b1 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
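Review bot: The added `userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts")` is inserted between `.gnash` and `.gcjwebplugin`, whereas the mozilla.fc entry for the same directory is placed after `.gcjwebplugin`; keeping the two lists in the same order makes it easy to check that every labeled directory also has a transition and vice versa. The interface this transition belongs to starts outside the hunk, so whether its summary mentions the new directory cannot be checked here.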
@@ -67032,7 +67041,7 @@ index f1140ef..6bde558 100644
 -	rsync_run($1, $2)
 -')
 diff --git a/rsync.te b/rsync.te
-index e3e7c96..f3932af 100644
+index e3e7c96..ad3e416 100644
 --- a/rsync.te
 +++ b/rsync.te
 @@ -1,4 +1,4 @@
@@ -67136,7 +67145,7 @@ index e3e7c96..f3932af 100644
  files_type(rsync_data_t)
  
  type rsync_log_t;
-@@ -86,15 +79,22 @@ files_pid_file(rsync_var_run_t)
+@@ -86,15 +79,23 @@ files_pid_file(rsync_var_run_t)
  allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
  allow rsync_t self:process signal_perms;
  allow rsync_t self:fifo_file rw_fifo_file_perms;
@@ -67158,13 +67167,14 @@ index e3e7c96..f3932af 100644
 -allow rsync_t rsync_data_t:lnk_file read_lnk_file_perms;
 +read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
 +read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
++allow rsync_t rsync_data_t:dir_file_class_set getattr;
  
 -allow rsync_t rsync_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 +manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
  logging_log_filetrans(rsync_t, rsync_log_t, file)
  
  manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
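Review bot: `allow rsync_t rsync_data_t:dir_file_class_set getattr;` largely overlaps the two pattern lines just above it: read_files_pattern and read_lnk_files_pattern already grant getattr on file, lnk_file and dir in rsync_data_t, so — assuming dir_file_class_set is the refpolicy set covering dir plus file, lnk_file, sock_file, fifo_file, chr_file and blk_file — the only permission the new rule actually adds is getattr on sockets, FIFOs and device nodes. That matches the changelog's "getattr any file", but a reader of the rule cannot see that intent, and a later maintainer may be tempted to widen the raw rule to read. A comment such as `# stat() of special files (sock/fifo/dev nodes) while walking rsync_data_t trees` would record why the raw allow sits among the pattern macros.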
-@@ -108,91 +108,76 @@ kernel_read_kernel_sysctls(rsync_t)
+@@ -108,91 +109,76 @@ kernel_read_kernel_sysctls(rsync_t)
  kernel_read_system_state(rsync_t)
  kernel_read_network_state(rsync_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e73d261..6a0ecae 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,16 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Jan 28 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-8
+- Change ssh_use_pts to use macro and only inherited sshd_devpts_t
+- Allow confined users to read systemd_logind seat information
+- libmpg ships badly created libraries
+- Add support for strongswan.service
+- Add labeling for strongswan
+- Allow l2tpd_t to read network manager content in /run directory
+- Allow rsync to getattr any file in rsync_data_t
+- Add labeling and filename transition for .grl-podcasts
+
 * Fri Jan 25 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-7
 - mount.glusterfs executes glusterfsd binary
 - Allow systemd_hostnamed_t to stream connect to systemd

