[selinux-policy] * Wed Jan 30 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-9 - boinc_cliean wants also execmem as b

Miroslav Grepl mgrepl at fedoraproject.org
Wed Jan 30 11:42:46 UTC 2013


commit f125066d3cea127878da28756076e8bd9f5a9a19
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Jan 30 12:41:36 2013 +0100

    * Wed Jan 30 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-9
    - boinc_client also wants execmem, as boinc projects have
    - Allow sa-update to search admin home for /root/.spamassassin
    - Allow sa-update to search admin home for /root/.spamassassin
    - Allow antivirus domain to read net sysctl
    - Dontaudit attempts from thumb_t to connect to ssd
    - Dontaudit attempts by readahead to read sock_files
    - Dontaudit attempts by readahead to read sock_files
    - Create tmpfs file while running as wine as user_tmpfs_t
    - Dontaudit attempts by readahead to read sock_files
    - libmpg ships badly created librarie

 policy-rawhide-base.patch    |  341 ++++++++++++++++++++++-------------------
 policy-rawhide-contrib.patch |  129 ++++++++++++----
 selinux-policy.spec          |   14 ++-
 3 files changed, 296 insertions(+), 188 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 3ca93a0..a8ed505 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -210991,7 +210991,7 @@ index c2c6e05..d0e6d1c 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..6e07122 100644
+index 64ff4d7..cb04ef9 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -211184,7 +211184,33 @@ index 64ff4d7..6e07122 100644
  ##	Get the attributes of all named sockets.
  ## </summary>
  ## <param name="domain">
-@@ -1073,10 +1220,8 @@ interface(`files_relabel_all_files',`
+@@ -991,6 +1138,25 @@ interface(`files_dontaudit_getattr_all_sockets',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to read
++##	of all named sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_read_all_sockets',`
++	gen_require(`
++		attribute file_type;
++	')
++
++	dontaudit $1 file_type:sock_file read;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to get the attributes
+ ##	of non security named sockets.
+ ## </summary>
+@@ -1073,10 +1239,8 @@ interface(`files_relabel_all_files',`
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
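Review bot: `dontaudit $1 file_type:sock_file read;` in the new `files_dontaudit_read_all_sockets` interface (L59-L65) silences read denials on every socket label in the policy, including labels carrying `security_file_type`, so the caller (presumably readahead, going by the description) also stops producing audit evidence for security-relevant sockets. The getattr pair the hunk sits next to already distinguishes an all-sockets form from the `non security` form at L69-L70; if readahead only needs the latter, a parallel `files_dontaudit_read_non_security_sockets` keyed on `non_security_file_type` would hide less. The summary at L50-L51 also reads awkwardly; I would write it as one line, `##	Do not audit attempts to read all named sockets.`.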
@@ -211197,7 +211223,7 @@ index 64ff4d7..6e07122 100644
  
  	# satisfy the assertions:
  	seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1327,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1346,6 @@ interface(`files_list_all',`
  
  ########################################
  ## <summary>
@@ -211222,7 +211248,7 @@ index 64ff4d7..6e07122 100644
  ##	Do not audit attempts to search the
  ##	contents of any directories on extended
  ##	attribute filesystems.
-@@ -1443,9 +1570,6 @@ interface(`files_relabel_non_auth_files',`
+@@ -1443,9 +1589,6 @@ interface(`files_relabel_non_auth_files',`
  	# device nodes with file types.
  	relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
  	relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
@@ -211232,7 +211258,7 @@ index 64ff4d7..6e07122 100644
  ')
  
  #############################################
-@@ -1673,6 +1797,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1673,6 +1816,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -211257,7 +211283,7 @@ index 64ff4d7..6e07122 100644
  ##	Do not audit attempts to write to mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1691,6 +1833,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1691,6 +1852,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -211282,7 +211308,7 @@ index 64ff4d7..6e07122 100644
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1874,25 +2034,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1874,25 +2053,25 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -211314,7 +211340,7 @@ index 64ff4d7..6e07122 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1905,7 +2065,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2084,7 @@ interface(`files_relabel_rootfs',`
  		type root_t;
  	')
  
@@ -211323,7 +211349,7 @@ index 64ff4d7..6e07122 100644
  ')
  
  ########################################
-@@ -1928,6 +2088,24 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2107,24 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -211348,7 +211374,7 @@ index 64ff4d7..6e07122 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2627,6 +2805,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +2824,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -211373,7 +211399,7 @@ index 64ff4d7..6e07122 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2698,6 +2894,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +2913,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -211381,7 +211407,7 @@ index 64ff4d7..6e07122 100644
  ')
  
  ########################################
-@@ -2706,7 +2903,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +2922,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -211390,7 +211416,7 @@ index 64ff4d7..6e07122 100644
  ##	</summary>
  ## </param>
  #
-@@ -2762,6 +2959,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +2978,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -211416,7 +211442,7 @@ index 64ff4d7..6e07122 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2780,6 +2996,24 @@ interface(`files_delete_etc_files',`
+@@ -2780,6 +3015,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -211441,7 +211467,7 @@ index 64ff4d7..6e07122 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2945,24 +3179,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,26 +3198,8 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -211463,10 +211489,14 @@ index 64ff4d7..6e07122 100644
 -
 -########################################
 -## <summary>
- ##	Read files in /etc that are dynamically
- ##	created on boot, such as mtab.
+-##	Read files in /etc that are dynamically
+-##	created on boot, such as mtab.
++##	Read files in /etc that are dynamically
++##	created on boot, such as mtab.
  ## </summary>
-@@ -3003,9 +3219,7 @@ interface(`files_read_etc_runtime_files',`
+ ## <desc>
+ ##	<p>
+@@ -3003,9 +3238,7 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -211477,7 +211507,7 @@ index 64ff4d7..6e07122 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3013,18 +3227,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3246,17 @@ interface(`files_read_etc_runtime_files',`
  ##	</summary>
  ## </param>
  #
@@ -211499,11 +211529,10 @@ index 64ff4d7..6e07122 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3042,7 +3255,27 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3274,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
  
  ########################################
  ## <summary>
--##	Read and write files in /etc that are dynamically
 +##	Do not audit attempts to read files
 +##	in /etc that are dynamically
 +##	created on boot, such as mtab.
@@ -211524,11 +211553,10 @@ index 64ff4d7..6e07122 100644
 +
 +########################################
 +## <summary>
-+##	Read and write files in /etc that are dynamically
+ ##	Read and write files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
- ## <param name="domain">
-@@ -3059,6 +3292,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3311,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -211536,7 +211564,7 @@ index 64ff4d7..6e07122 100644
  ')
  
  ########################################
-@@ -3080,6 +3314,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3333,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -211544,7 +211572,7 @@ index 64ff4d7..6e07122 100644
  ')
  
  ########################################
-@@ -3132,6 +3367,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3386,25 @@ interface(`files_getattr_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -211570,7 +211598,7 @@ index 64ff4d7..6e07122 100644
  ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -3208,6 +3462,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3208,6 +3481,25 @@ interface(`files_delete_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -211596,7 +211624,7 @@ index 64ff4d7..6e07122 100644
  ##	Create, read, write, and delete directories
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3455,6 +3728,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +3747,25 @@ interface(`files_rw_isid_type_blk_files',`
  
  ########################################
  ## <summary>
@@ -211622,7 +211650,7 @@ index 64ff4d7..6e07122 100644
  ##	Create, read, write, and delete block device nodes
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3796,20 +4088,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4107,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -211666,7 +211694,7 @@ index 64ff4d7..6e07122 100644
  ')
  
  ########################################
-@@ -4199,6 +4509,133 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,6 +4528,133 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -211800,7 +211828,7 @@ index 64ff4d7..6e07122 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -4221,6 +4658,26 @@ interface(`files_associate_tmp',`
+@@ -4221,6 +4677,26 @@ interface(`files_associate_tmp',`
  
  ########################################
  ## <summary>
@@ -211827,7 +211855,7 @@ index 64ff4d7..6e07122 100644
  ##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4234,17 +4691,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4234,17 +4710,37 @@ interface(`files_getattr_tmp_dirs',`
  		type tmp_t;
  	')
  
@@ -211866,7 +211894,7 @@ index 64ff4d7..6e07122 100644
  ##	</summary>
  ## </param>
  #
-@@ -4271,6 +4748,7 @@ interface(`files_search_tmp',`
+@@ -4271,6 +4767,7 @@ interface(`files_search_tmp',`
  		type tmp_t;
  	')
  
@@ -211874,7 +211902,7 @@ index 64ff4d7..6e07122 100644
  	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4307,6 +4785,7 @@ interface(`files_list_tmp',`
+@@ -4307,6 +4804,7 @@ interface(`files_list_tmp',`
  		type tmp_t;
  	')
  
@@ -211882,7 +211910,7 @@ index 64ff4d7..6e07122 100644
  	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4316,7 +4795,7 @@ interface(`files_list_tmp',`
+@@ -4316,7 +4814,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -211891,7 +211919,7 @@ index 64ff4d7..6e07122 100644
  ##	</summary>
  ## </param>
  #
-@@ -4328,6 +4807,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4328,6 +4826,25 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -211917,7 +211945,7 @@ index 64ff4d7..6e07122 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4343,6 +4841,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4343,6 +4860,7 @@ interface(`files_delete_tmp_dir_entry',`
  		type tmp_t;
  	')
  
@@ -211925,7 +211953,7 @@ index 64ff4d7..6e07122 100644
  	allow $1 tmp_t:dir del_entry_dir_perms;
  ')
  
-@@ -4384,6 +4883,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4384,6 +4902,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -211958,7 +211986,7 @@ index 64ff4d7..6e07122 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4438,7 +4963,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4438,7 +4982,7 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -211967,7 +211995,7 @@ index 64ff4d7..6e07122 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4446,17 +4971,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4446,17 +4990,17 @@ interface(`files_rw_generic_tmp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -211989,7 +212017,7 @@ index 64ff4d7..6e07122 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4464,59 +4989,53 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4464,59 +5008,53 @@ interface(`files_setattr_all_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -212060,7 +212088,7 @@ index 64ff4d7..6e07122 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4524,54 +5043,132 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4524,18 +5062,96 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -212079,50 +212107,39 @@ index 64ff4d7..6e07122 100644
 -##	Relabel to and from all temporary
 -##	file types.
 +##	List all tmp directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_relabel_all_tmp_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_list_all_tmp',`
- 	gen_require(`
- 		attribute tmpfile;
--		type var_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	relabel_files_pattern($1, tmpfile, tmpfile)
++	gen_require(`
++		attribute tmpfile;
++	')
++
 +	allow $1 tmpfile:dir list_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to get the attributes
--##	of all tmp sock_file.
++')
++
++########################################
++## <summary>
 +##	Relabel to and from all temporary
 +##	directory types.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain not to audit.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
++##	</summary>
++## </param>
 +## <rolecap/>
- #
--interface(`files_dontaudit_getattr_all_tmp_sockets',`
++#
 +interface(`files_relabel_all_tmp_dirs',`
- 	gen_require(`
- 		attribute tmpfile;
++	gen_require(`
++		attribute tmpfile;
 +		type var_t;
- 	')
- 
--	dontaudit $1 tmpfile:sock_file getattr;
--')
++	')
++
 +	allow $1 var_t:dir search_dir_perms;
 +	relabel_dirs_pattern($1, tmpfile, tmpfile)
 +')
@@ -212169,46 +212186,19 @@ index 64ff4d7..6e07122 100644
 +## <summary>
 +##	Relabel to and from all temporary
 +##	file types.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`files_relabel_all_tmp_files',`
-+	gen_require(`
-+		attribute tmpfile;
-+		type var_t;
-+	')
-+
-+	allow $1 var_t:dir search_dir_perms;
-+	relabel_files_pattern($1, tmpfile, tmpfile)
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to get the attributes
-+##	of all tmp sock_file.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4561,7 +5177,7 @@ interface(`files_relabel_all_tmp_files',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_getattr_all_tmp_sockets',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	dontaudit $1 tmpfile:sock_file getattr;
-+')
- 
- ########################################
- ## <summary>
-@@ -4646,6 +5243,16 @@ interface(`files_purge_tmp',`
+ ##	</summary>
+ ## </param>
+ #
+@@ -4646,6 +5262,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
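Review bot: The only content change left in this hunk is the wording swap at L521-L522, `Domain not to audit.` to `Domain to not audit.`, in the interface that follows `files_relabel_all_tmp_files`; the rest, together with the hunk ending at L484, is the embedded patch no longer deleting and re-adding `files_relabel_all_tmp_files` and `files_dontaudit_getattr_all_tmp_sockets` unchanged, which is a welcome reduction of patch size. The new phrasing matches what the rest of the patch uses (L55, for instance), but a pure wording fix is better sent upstream than carried as a one-line hunk in the distribution patch, where it will have to be rebased forever.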
@@ -212225,7 +212215,7 @@ index 64ff4d7..6e07122 100644
  ')
  
  ########################################
-@@ -5223,6 +5830,24 @@ interface(`files_list_var',`
+@@ -5223,6 +5849,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -212250,7 +212240,7 @@ index 64ff4d7..6e07122 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5578,6 +6203,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5578,6 +6222,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -212276,7 +212266,7 @@ index 64ff4d7..6e07122 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5623,7 +6267,7 @@ interface(`files_manage_mounttab',`
+@@ -5623,7 +6286,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -212285,7 +212275,7 @@ index 64ff4d7..6e07122 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5631,12 +6275,13 @@ interface(`files_manage_mounttab',`
+@@ -5631,12 +6294,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -212301,7 +212291,7 @@ index 64ff4d7..6e07122 100644
  ')
  
  ########################################
-@@ -5654,6 +6299,7 @@ interface(`files_search_locks',`
+@@ -5654,6 +6318,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -212309,7 +212299,7 @@ index 64ff4d7..6e07122 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5680,7 +6326,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5680,7 +6345,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -212337,7 +212327,7 @@ index 64ff4d7..6e07122 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5688,13 +6353,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,13 +6372,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -212354,7 +212344,7 @@ index 64ff4d7..6e07122 100644
  ')
  
  ########################################
-@@ -5713,7 +6377,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5713,7 +6396,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -212363,7 +212353,7 @@ index 64ff4d7..6e07122 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5746,7 +6410,6 @@ interface(`files_create_lock_dirs',`
+@@ -5746,7 +6429,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -212371,7 +212361,7 @@ index 64ff4d7..6e07122 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5774,8 +6437,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5774,8 +6456,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -212381,7 +212371,7 @@ index 64ff4d7..6e07122 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5791,13 +6453,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6472,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -212399,7 +212389,7 @@ index 64ff4d7..6e07122 100644
  ')
  
  ########################################
-@@ -5816,9 +6477,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +6496,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -212410,7 +212400,7 @@ index 64ff4d7..6e07122 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5860,8 +6519,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +6538,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -212420,7 +212410,7 @@ index 64ff4d7..6e07122 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6541,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +6560,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -212430,7 +212420,7 @@ index 64ff4d7..6e07122 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +6578,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +6597,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -212440,7 +212430,7 @@ index 64ff4d7..6e07122 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5985,6 +6641,43 @@ interface(`files_search_pids',`
+@@ -5985,6 +6660,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -212484,7 +212474,7 @@ index 64ff4d7..6e07122 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -6007,6 +6700,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6007,6 +6719,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -212510,7 +212500,7 @@ index 64ff4d7..6e07122 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -6122,7 +6834,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +6853,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -212518,7 +212508,7 @@ index 64ff4d7..6e07122 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6231,55 +6942,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6231,55 +6961,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -212581,7 +212571,7 @@ index 64ff4d7..6e07122 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6287,42 +6986,35 @@ interface(`files_delete_all_pids',`
+@@ -6287,42 +7005,35 @@ interface(`files_delete_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -212631,7 +212621,7 @@ index 64ff4d7..6e07122 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6330,18 +7022,18 @@ interface(`files_manage_all_pids',`
+@@ -6330,18 +7041,18 @@ interface(`files_manage_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -212655,7 +212645,7 @@ index 64ff4d7..6e07122 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6349,37 +7041,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6349,37 +7060,40 @@ interface(`files_mounton_all_poly_members',`
  ##	</summary>
  ## </param>
  #
@@ -212707,7 +212697,7 @@ index 64ff4d7..6e07122 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6387,18 +7082,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6387,18 +7101,17 @@ interface(`files_dontaudit_search_spool',`
  ##	</summary>
  ## </param>
  #
@@ -212730,7 +212720,7 @@ index 64ff4d7..6e07122 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6406,18 +7100,284 @@ interface(`files_list_spool',`
+@@ -6406,18 +7119,18 @@ interface(`files_list_spool',`
  ##	</summary>
  ## </param>
  #
@@ -212751,13 +212741,14 @@ index 64ff4d7..6e07122 100644
 -##	Read generic spool files.
 +##	manage all pidfiles 
 +##	in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6425,7 +7138,273 @@ interface(`files_manage_generic_spool_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_spool',`
 +interface(`files_manage_all_pids',`
 +	gen_require(`
 +		attribute pidfile;
@@ -213017,10 +213008,18 @@ index 64ff4d7..6e07122 100644
 +########################################
 +## <summary>
 +##	Read generic spool files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6562,3 +7522,459 @@ interface(`files_unconfined',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_generic_spool',`
+ 	gen_require(`
+ 		type var_t, var_spool_t;
+ 	')
+@@ -6562,3 +7541,459 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -220309,7 +220308,7 @@ index 76d9f66..c61ed66 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..2b21421 100644
+index fe0c682..da12170 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -220938,7 +220937,7 @@ index fe0c682..2b21421 100644
 +		type sshd_devpts_t;
 +	')
 +
-+	allow $1 sshd_devpts_t:chr_file { getattr open read write ioctl };
++	allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
 index 5fc0391..f0a738c 100644
@@ -224328,10 +224327,10 @@ index 1b6619e..be02b96 100644
 +    allow $1 application_domain_type:socket_class_set getattr;
 +')
 diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
-index c6fdab7..fc63d59 100644
+index c6fdab7..cd80b96 100644
 --- a/policy/modules/system/application.te
 +++ b/policy/modules/system/application.te
-@@ -6,7 +6,27 @@ attribute application_domain_type;
+@@ -6,12 +6,33 @@ attribute application_domain_type;
  # Executables to be run by user
  attribute application_exec_type;
  
@@ -224346,6 +224345,8 @@ index c6fdab7..fc63d59 100644
 +
 +files_dontaudit_search_non_security_dirs(application_domain_type)
 +
++auth_login_pgm_sigchld(application_domain_type)
++
 +optional_policy(`
 +	afs_rw_udp_sockets(application_domain_type)
 +')
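Review bot: `auth_login_pgm_sigchld(application_domain_type)` at L840 is added unconditionally, while the `ssh_sigchld` call it replaces (L850, in the hunk ending at L853) lived inside an `optional_policy` block, and the grant now covers every domain carrying `login_pgm` rather than sshd alone. For a sigchld-only rule that widening is probably harmless, but neither the new call nor the removal appears in the changelog entries of the commit description, so it deserves its own line there (constructed example: `- Allow application domains to send sigchld to login programs`). Whether `ssh_sigchld` keeps any callers after this cannot be seen from the hunk; worth checking in ssh.if.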
@@ -224359,6 +224360,11 @@ index c6fdab7..fc63d59 100644
  	cron_sigchld(application_domain_type)
  ')
  
+ optional_policy(`
+-	ssh_sigchld(application_domain_type)
+ 	ssh_rw_stream_sockets(application_domain_type)
+ ')
+ 
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
 index 28ad538..ebe81bf 100644
 --- a/policy/modules/system/authlogin.fc
@@ -224451,7 +224457,7 @@ index 28ad538..ebe81bf 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..de75e59 100644
+index 3efd5b6..792df83 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -224969,7 +224975,7 @@ index 3efd5b6..de75e59 100644
  ')
  
  ########################################
-@@ -1805,3 +1975,200 @@ interface(`auth_unconfined',`
+@@ -1805,3 +1975,219 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -225170,6 +225176,25 @@ index 3efd5b6..de75e59 100644
 +	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
 +	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
 +')
++
++########################################
++## <summary>
++##	Send a SIGCHLD signal to login programs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`auth_login_pgm_sigchld',`
++	gen_require(`
++		attribute login_pgm;
++	')
++
++	allow $1 login_pgm:process sigchld;
++')
++
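Review bot: The appended `auth_login_pgm_sigchld` interface (L890-L896) is followed by an extra blank line at L897, the last added line before the next file header, so authlogin.if gains a trailing empty line; drop it. Otherwise the interface follows the file's existing shape, a `gen_require` on the `login_pgm` attribute and a single `allow $1 login_pgm:process sigchld;`, and the summary `Send a SIGCHLD signal to login programs.` says exactly what it grants.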
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
 index 104037e..d10bb17 100644
 --- a/policy/modules/system/authlogin.te
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 972f2b9..fe2816c 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2432,10 +2432,10 @@ index 0000000..3929b7e
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..fa4edf1
+index 0000000..bd752cd
 --- /dev/null
 +++ b/antivirus.te
-@@ -0,0 +1,243 @@
+@@ -0,0 +1,244 @@
 +policy_module(antivirus, 1.0.0)
 +
 +########################################
@@ -2531,6 +2531,7 @@ index 0000000..fa4edf1
 +
 +can_exec(antivirus_domain, antivirus_exec_t)
 +
++kernel_read_net_sysctls(antivirus_t)
 +kernel_read_kernel_sysctls(antivirus_domain)
 +kernel_read_sysctl(antivirus_domain)
 +kernel_read_system_state(antivirus_t)
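Review bot: `kernel_read_net_sysctls(antivirus_t)` at L922 targets `antivirus_t` only, while the changelog line `Allow antivirus domain to read net sysctl` and the neighbouring `kernel_read_kernel_sysctls(antivirus_domain)` at L923 both use the attribute; pick the scope deliberately, and if the other members of `antivirus_domain` need it too write `kernel_read_net_sysctls(antivirus_domain)`. Also keep the `kernel_*` calls sorted as the surrounding lines are: the new line belongs after `kernel_read_kernel_sysctls(antivirus_domain)`, not before it.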
@@ -8600,7 +8601,7 @@ index 02fefaa..fbcef10 100644
 +	')
  ')
 diff --git a/boinc.te b/boinc.te
-index 7c92aa1..69f0a40 100644
+index 7c92aa1..1dc00c7 100644
 --- a/boinc.te
 +++ b/boinc.te
 @@ -1,11 +1,13 @@
@@ -8619,7 +8620,7 @@ index 7c92aa1..69f0a40 100644
  type boinc_exec_t;
  init_daemon_domain(boinc_t, boinc_exec_t)
  
-@@ -21,31 +23,64 @@ files_tmpfs_file(boinc_tmpfs_t)
+@@ -21,31 +23,65 @@ files_tmpfs_file(boinc_tmpfs_t)
  type boinc_var_lib_t;
  files_type(boinc_var_lib_t)
  
@@ -8650,6 +8651,7 @@ index 7c92aa1..69f0a40 100644
 +
 +allow boinc_domain self:fifo_file rw_fifo_file_perms;
 +allow boinc_domain self:sem create_sem_perms;
++allow boinc_domain self:process execmem;
 +
 +manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
 +manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
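Review bot: `allow boinc_domain self:process execmem;` at L948 grants writable-and-executable anonymous memory to every domain carrying `boinc_domain`, with no tunable, whereas the hunk ending at L978 removes that same permission from `boinc_project_t` alone — so the net effect is that the client daemon now gets execmem unconditionally. execmem is one of the memory-protection checks this policy normally keeps off daemons; if the client genuinely needs it (the description says the client wants it because the projects have it), consider gating the rule in a `tunable_policy` block behind a boolean so administrators who do not run such projects keep the check, and add a comment above the rule naming what in the client needs it.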
@@ -8693,7 +8695,7 @@ index 7c92aa1..69f0a40 100644
  
  manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
  manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-@@ -54,74 +89,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+@@ -54,74 +90,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
  manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
  fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
  
@@ -8787,7 +8789,7 @@ index 7c92aa1..69f0a40 100644
  
  term_getattr_all_ptys(boinc_t)
  term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +136,61 @@ init_read_utmp(boinc_t)
+@@ -130,55 +137,61 @@ init_read_utmp(boinc_t)
  
  logging_send_syslog_msg(boinc_t)
  
@@ -8816,7 +8818,7 @@ index 7c92aa1..69f0a40 100644
 +allow boinc_t boinc_project_t:process noatsecure;
 +
 +allow boinc_project_t self:process { ptrace setcap getcap setpgid setsched signal signull sigkill sigstop };
-+allow boinc_project_t self:process { execmem execstack };
++allow boinc_project_t self:process { execstack };
  
  manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
  manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
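Review bot: `allow boinc_project_t self:process { execstack };` at L975 keeps the set braces around a single permission after execmem was moved out; the same hunk series writes a lone permission bare (L948), so this should be `allow boinc_project_t self:process execstack;`. The preceding `allow boinc_project_t self:process { ptrace setcap ... }` at L973 is unchanged context.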
@@ -27273,7 +27275,7 @@ index 1a5ed62..9762e4a 100644
  optional_policy(`
  	unconfined_domain(inetd_child_t)
 diff --git a/inn.if b/inn.if
-index eb87f23..8e11e4b 100644
+index eb87f23..d3d32c3 100644
 --- a/inn.if
 +++ b/inn.if
 @@ -124,6 +124,7 @@ interface(`inn_read_config',`
@@ -27284,7 +27286,7 @@ index eb87f23..8e11e4b 100644
  	allow $1 innd_etc_t:dir list_dir_perms;
  	allow $1 innd_etc_t:file read_file_perms;
  	allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
-@@ -144,6 +145,7 @@ interface(`inn_read_news_lib',`
+@@ -144,12 +145,31 @@ interface(`inn_read_news_lib',`
  		type innd_var_lib_t;
  	')
  
@@ -27292,7 +27294,31 @@ index eb87f23..8e11e4b 100644
  	allow $1 innd_var_lib_t:dir list_dir_perms;
  	allow $1 innd_var_lib_t:file read_file_perms;
  ')
-@@ -163,6 +165,7 @@ interface(`inn_read_news_spool',`
+ 
+ ########################################
+ ## <summary>
++##	Write innd inherited news library content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`inn_write_inherited_news_lib',`
++	gen_require(`
++		type innd_var_lib_t;
++	')
++
++	allow $1 innd_var_lib_t:file write_inherited_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Read innd news spool content.
+ ## </summary>
+ ## <param name="domain">
+@@ -163,6 +183,7 @@ interface(`inn_read_news_spool',`
  		type news_spool_t;
  	')
  
@@ -27300,7 +27326,7 @@ index eb87f23..8e11e4b 100644
  	allow $1 news_spool_t:dir list_dir_perms;
  	allow $1 news_spool_t:file read_file_perms;
  	allow $1 news_spool_t:lnk_file read_lnk_file_perms;
-@@ -226,8 +229,15 @@ interface(`inn_domtrans',`
+@@ -226,8 +247,15 @@ interface(`inn_domtrans',`
  interface(`inn_admin',`
  	gen_require(`
  		type innd_t, innd_etc_t, innd_log_t;
@@ -61608,7 +61634,7 @@ index 661bb88..06f69c4 100644
 +')
 +
 diff --git a/readahead.te b/readahead.te
-index f1512d6..ba3b9b2 100644
+index f1512d6..93f1ee6 100644
 --- a/readahead.te
 +++ b/readahead.te
 @@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
@@ -61638,7 +61664,7 @@ index f1512d6..ba3b9b2 100644
  dev_getattr_generic_chr_files(readahead_t)
  dev_getattr_generic_blk_files(readahead_t)
  dev_getattr_all_chr_files(readahead_t)
-@@ -51,12 +56,21 @@ domain_use_interactive_fds(readahead_t)
+@@ -51,12 +56,22 @@ domain_use_interactive_fds(readahead_t)
  domain_read_all_domains_state(readahead_t)
  
  files_create_boot_flag(readahead_t)
@@ -61651,6 +61677,7 @@ index f1512d6..ba3b9b2 100644
  files_dontaudit_getattr_non_security_blk_files(readahead_t)
 +files_dontaudit_all_access_check(readahead_t)
 +files_dontaudit_read_security_files(readahead_t)
++files_dontaudit_read_all_sockets(readahead_t)
 +
 +ifdef(`hide_broken_symptoms', `
 +      files_dontaudit_write_all_files(readahead_t)
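Review bot: `files_dontaudit_read_all_sockets(readahead_t)` calls an interface that does not appear to exist in upstream files.if; from the context in this commit it looks like it is being added to files.if by policy-rawhide-base.patch in this same release, which means the contrib patch only builds against the matching base patch — worth a short comment or a note in the spec. Because dontaudit suppresses the record rather than granting access, this is the right shape for readahead, which has no business reading sockets, but it also means any future read attempt on a sock_file will be invisible in the audit log. The changelog for this change is repeated three times in the spec hunk; one entry is enough. The readahead.te section continues outside this hunk.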
@@ -61660,7 +61687,7 @@ index f1512d6..ba3b9b2 100644
  
  fs_getattr_all_fs(readahead_t)
  fs_search_auto_mountpoints(readahead_t)
-@@ -66,13 +80,12 @@ fs_read_cgroup_files(readahead_t)
+@@ -66,13 +81,12 @@ fs_read_cgroup_files(readahead_t)
  fs_read_tmpfs_files(readahead_t)
  fs_read_tmpfs_symlinks(readahead_t)
  fs_list_inotifyfs(readahead_t)
@@ -61675,7 +61702,7 @@ index f1512d6..ba3b9b2 100644
  mls_file_read_all_levels(readahead_t)
  
  storage_raw_read_fixed_disk(readahead_t)
-@@ -84,13 +97,13 @@ auth_dontaudit_read_shadow(readahead_t)
+@@ -84,13 +98,13 @@ auth_dontaudit_read_shadow(readahead_t)
  init_use_fds(readahead_t)
  init_use_script_ptys(readahead_t)
  init_getattr_initctl(readahead_t)
@@ -71923,7 +71950,7 @@ index 88e753f..ca74cd9 100644
 +	admin_pattern($1, mail_spool_t)
  ')
 diff --git a/sendmail.te b/sendmail.te
-index 5f35d78..7bffa0b 100644
+index 5f35d78..d4003d0 100644
 --- a/sendmail.te
 +++ b/sendmail.te
 @@ -1,18 +1,10 @@
@@ -72090,7 +72117,18 @@ index 5f35d78..7bffa0b 100644
  ')
  
  optional_policy(`
-@@ -166,6 +159,11 @@ optional_policy(`
+@@ -158,6 +151,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	inn_write_inherited_news_lib(sendmail_t)
++')
++
++optional_policy(`
+ 	milter_stream_connect_all(sendmail_t)
+ ')
+ 
+@@ -166,6 +163,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -72102,7 +72140,7 @@ index 5f35d78..7bffa0b 100644
  	postfix_domtrans_postdrop(sendmail_t)
  	postfix_domtrans_master(sendmail_t)
  	postfix_domtrans_postqueue(sendmail_t)
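Review bot: `inn_write_inherited_news_lib(sendmail_t)` hands sendmail_t write access to inherited innd_var_lib_t files, yet nothing in the changelog hunk of selinux-policy.spec mentions inn or sendmail, so the reason for the grant is not recorded anywhere. Add a changelog line or a comment above the new optional_policy block, e.g. `# sendmail spawned by innd inherits open news lib files — confirm`, since the triggering scenario is not visible here. The interface itself is defined in the inn.if hunk at `@@ -27292,7 +27294,31 @@` earlier in this patch file, so the two hunks must be applied together. The optional_policy sequence in sendmail.te continues outside the hunk.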
-@@ -187,21 +185,13 @@ optional_policy(`
+@@ -187,21 +189,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74691,7 +74729,7 @@ index 1499b0b..82fc7f6 100644
 -	spamassassin_role($2, $1)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..258b449 100644
+index 4faa7e0..9e4d192 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -1,4 +1,4 @@
@@ -75394,7 +75432,7 @@ index 4faa7e0..258b449 100644
  ')
  
  optional_policy(`
-@@ -474,32 +552,29 @@ optional_policy(`
+@@ -474,32 +552,30 @@ optional_policy(`
  
  ########################################
  #
@@ -75418,6 +75456,7 @@ index 4faa7e0..258b449 100644
  manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
  
 -kernel_read_system_state(spamd_update_t)
++allow spamd_update_t spamc_home_t:dir search_dir_perms;
 +allow spamd_update_t spamd_tmp_t:file read_file_perms;
  
 -corenet_all_recvfrom_unlabeled(spamd_update_t)
@@ -75434,7 +75473,7 @@ index 4faa7e0..258b449 100644
  
  corecmd_exec_bin(spamd_update_t)
  corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +583,20 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +584,21 @@ dev_read_urand(spamd_update_t)
  
  domain_use_interactive_fds(spamd_update_t)
  
@@ -75447,6 +75486,7 @@ index 4faa7e0..258b449 100644
 +mta_read_config(spamd_update_t)
  
 -userdom_use_user_terminals(spamd_update_t)
++userdom_search_admin_dir(spamd_update_t)
 +userdom_use_inherited_user_ptys(spamd_update_t)
  
  optional_policy(`
@@ -75723,7 +75763,7 @@ index dbb005a..45291bb 100644
 -/var/run/sssd\.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 +/var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 diff --git a/sssd.if b/sssd.if
-index a240455..54c45f6 100644
+index a240455..6c2da43 100644
 --- a/sssd.if
 +++ b/sssd.if
 @@ -1,21 +1,21 @@
@@ -75978,18 +76018,36 @@ index a240455..54c45f6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -317,8 +352,8 @@ interface(`sssd_stream_connect',`
+@@ -317,8 +352,26 @@ interface(`sssd_stream_connect',`
  
  ########################################
  ## <summary>
 -##	All of the rules required to
 -##	administrate an sssd environment.
++##	Dontaudit attempts to connect to sssd over a unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sssd_dontaudit_stream_connect',`
++	gen_require(`
++		type sssd_t;
++	')
++
++	dontaudit $1 sssd_t:unix_stream_socket connectto;
++')
++
++########################################
++## <summary>
 +##	All of the rules required to administrate
 +##	an sssd environment
  ## </summary>
  ## <param name="domain">
  ##	<summary>
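Review bot: The parameter summary of the new `sssd_dontaudit_stream_connect` reads `Domain allowed access.`, but the interface grants nothing — it only suppresses the audit record — so the refpolicy wording for dontaudit interfaces, `##	Domain to not audit.`, is the accurate one. The interface is used by thumb.te in the hunk at `@@ -78957,6 +79016,10 @@`, whose changelog entry says "ssd" where sssd is meant. The remainder of sssd.if is outside this hunk.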
-@@ -327,7 +362,7 @@ interface(`sssd_stream_connect',`
+@@ -327,7 +380,7 @@ interface(`sssd_stream_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -75998,7 +76056,7 @@ index a240455..54c45f6 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -335,27 +370,29 @@ interface(`sssd_stream_connect',`
+@@ -335,27 +388,29 @@ interface(`sssd_stream_connect',`
  interface(`sssd_admin',`
  	gen_require(`
  		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@@ -78828,10 +78886,10 @@ index 0000000..72c42ad
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..4f8e329
+index 0000000..aaf768a
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,132 @@
+@@ -0,0 +1,137 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -78949,6 +79007,7 @@ index 0000000..4f8e329
 +	gnome_dontaudit_search_config(thumb_t)
 +	gnome_append_generic_cache_files(thumb_t)
 +	gnome_read_generic_data_home_files(thumb_t)
++	gnome_dontaudit_rw_generic_cache_files(thumb_t)
 +	gnome_manage_gstreamer_home_files(thumb_t)
 +	gnome_manage_gstreamer_home_dirs(thumb_t)
 +	gnome_exec_gstreamer_home_files(thumb_t)
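Review bot: `gnome_dontaudit_rw_generic_cache_files(thumb_t)` is placed directly under `gnome_append_generic_cache_files(thumb_t)`, which already allows append on what I take, from the interface names, to be the same cache files; once read/write denials are silenced the audit log will no longer show whether thumbnailers try to go beyond append, so a later genuine need will not surface. A one-line comment naming the thumbnailer behaviour that produced the noise, e.g. `# thumbnailers probe the gnome cache rw; append is all they need — suppress the rest`, would preserve the rationale. The enclosing optional_policy block in thumb.te starts and ends outside this hunk.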
@@ -78957,6 +79016,10 @@ index 0000000..4f8e329
 +')
 +
 +optional_policy(`
++	sssd_dontaudit_stream_connect(thumb_t)
++')
++
++optional_policy(`
 +	nscd_dontaudit_write_sock_file(thumb_t)
 +')
 +
@@ -85603,10 +85666,18 @@ index fd2b6cc..4b83bb0 100644
  
  ########################################
 diff --git a/wine.te b/wine.te
-index b51923c..22e9047 100644
+index b51923c..bdbac3a 100644
 --- a/wine.te
 +++ b/wine.te
-@@ -48,7 +48,7 @@ domain_mmap_low(wine_t)
+@@ -39,6 +39,7 @@ allow wine_t self:fifo_file manage_fifo_file_perms;
+ can_exec(wine_t, wine_exec_t)
+ 
+ userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
++userdom_tmpfs_filetrans(wine_t, file)
+ 
+ manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+ manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+@@ -48,7 +49,7 @@ domain_mmap_low(wine_t)
  
  files_execmod_all_files(wine_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d24a3c2..00cba9a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,18 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Jan 30 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-9
+- boinc_cliean wants also execmem as boinc projecs have
+- Allow sa-update to search admin home for /root/.spamassassin
+- Allow sa-update to search admin home for /root/.spamassassin
+- Allow antivirus domain to read net sysctl
+- Dontaudit attempts from thumb_t to connect to ssd
+- Dontaudit attempts by readahead to read sock_files
+- Dontaudit attempts by readahead to read sock_files
+- Create tmpfs file while running as wine as user_tmpfs_t
+- Dontaudit attempts by readahead to read sock_files
+- libmpg ships badly created librarie
+
 * Mon Jan 28 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-8
 - Change ssh_use_pts to use macro and only inherited sshd_devpts_t
 - Allow confined users to read systemd_logind seat information