[selinux-policy/f18] - Add basic rules for pegasus_openlmi_domain - Add pegasus_openlmi_domain_template() interface for o
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Feb 11 18:49:49 UTC 2013
commit fec766630e433a28156657df08ec1e314421bdfc
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Feb 11 19:48:42 2013 +0100
- Add basic rules for pegasus_openlmi_domain
- Add pegasus_openlmi_domain_template() interface for openlmi-*
- Allow pppd to send signull
- Allow tuned to execute ldconfig
- Fix use_ecryptfs_home_dirs boolean for chrome_sandbox_t
- Add additional fixes for ecrypts
- Allow keystone getsched and setsched
- ALlow nova-cert to connect to postgresql
- Allow keystone to connect to postgresql
- Allow glance domain to stream connect to databases
- Allow all cups domains to getattr on filesystems
- Fix pacemaker_use_execmem boolean
- Allow gpg to read fips_enabled
- FIXME: Add realmd_tmp_t until we get /var/cache/realmd
- Add support for /var/cache/realmd
- Add labeling for fenced_sanlock and allow sanlock transition to fen
- Allow glance domain to send a signal itself
- Allow xend_t to request that the kernel load a kernel module
- Add additional interface for ecryptfs
policy-f18-base.patch | 81 ++++++----
policy-f18-contrib.patch | 396 ++++++++++++++++++++++++++++++++++-----------
selinux-policy.spec | 23 +++-
3 files changed, 370 insertions(+), 130 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index d1cefd3..7615496 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -120369,7 +120369,7 @@ index cda5588..91d1e25 100644
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 7c6b791..12947fe 100644
+index 7c6b791..c6ddff0 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -120677,7 +120677,7 @@ index 7c6b791..12947fe 100644
## Search dosfs filesystem.
## </summary>
## <param name="domain">
-@@ -1793,6 +1973,188 @@ interface(`fs_read_eventpollfs',`
+@@ -1793,6 +1973,205 @@ interface(`fs_read_eventpollfs',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -120801,6 +120801,23 @@ index 7c6b791..12947fe 100644
+ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
+')
+
++#######################################
++## <summary>
++## Dontaudit append files on ecrypt filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_append_ecryptfs_files',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++ dontaudit $1 ecryptfs_t:file append;
++')
++
+########################################
+## <summary>
+## Manage symbolic links on a FUSEFS filesystem.
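Review bot: Style: the new `fs_dontaudit_append_ecryptfs_files` interface opens with a 39-character `#` banner while the neighbouring interface (the FUSEFS symlink one directly below) uses 40, and there is no blank line between the closing `')` of `gen_require` and the `dontaudit $1 ecryptfs_t:file append;` rule; match the file's layout so the interface does not stand out visually. The rule itself silences append denials on every ecryptfs_t file for the caller, which is what a dontaudit interface should do, but because it hides denials rather than granting access, callers are expected to document which access they expect to be denied when they use it.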
@@ -120866,7 +120883,7 @@ index 7c6b791..12947fe 100644
########################################
## <summary>
## Mount a FUSE filesystem.
-@@ -2025,6 +2387,87 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -2025,6 +2404,87 @@ interface(`fs_read_fusefs_symlinks',`
########################################
## <summary>
@@ -120954,7 +120971,7 @@ index 7c6b791..12947fe 100644
## Get the attributes of an hugetlbfs
## filesystem.
## </summary>
-@@ -2080,6 +2523,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2080,6 +2540,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
########################################
## <summary>
@@ -120979,7 +120996,7 @@ index 7c6b791..12947fe 100644
## Read and write hugetlbfs files.
## </summary>
## <param name="domain">
-@@ -2148,11 +2609,12 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,11 +2626,12 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -120993,7 +121010,7 @@ index 7c6b791..12947fe 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2485,6 +2947,7 @@ interface(`fs_read_nfs_files',`
+@@ -2485,6 +2964,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -121001,7 +121018,7 @@ index 7c6b791..12947fe 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2523,6 +2986,7 @@ interface(`fs_write_nfs_files',`
+@@ -2523,6 +3003,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@@ -121009,7 +121026,7 @@ index 7c6b791..12947fe 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2549,42 +3013,97 @@ interface(`fs_exec_nfs_files',`
+@@ -2549,42 +3030,97 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@@ -121118,7 +121135,7 @@ index 7c6b791..12947fe 100644
')
########################################
-@@ -2603,7 +3122,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3139,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -121127,7 +121144,7 @@ index 7c6b791..12947fe 100644
')
########################################
-@@ -2627,7 +3146,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3163,7 @@ interface(`fs_read_nfs_symlinks',`
########################################
## <summary>
@@ -121136,7 +121153,7 @@ index 7c6b791..12947fe 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2741,7 +3260,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +3277,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
@@ -121145,7 +121162,7 @@ index 7c6b791..12947fe 100644
## </summary>
## </param>
#
-@@ -2777,7 +3296,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3313,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -121154,7 +121171,7 @@ index 7c6b791..12947fe 100644
## </summary>
## </param>
#
-@@ -2970,6 +3489,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +3506,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -121162,7 +121179,7 @@ index 7c6b791..12947fe 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3010,6 +3530,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +3547,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -121170,7 +121187,7 @@ index 7c6b791..12947fe 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3050,6 +3571,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +3588,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -121178,7 +121195,7 @@ index 7c6b791..12947fe 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3263,6 +3785,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,6 +3802,24 @@ interface(`fs_getattr_nfsd_files',`
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
@@ -121203,7 +121220,7 @@ index 7c6b791..12947fe 100644
########################################
## <summary>
## Read and write NFS server files.
-@@ -3283,6 +3823,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3283,6 +3840,24 @@ interface(`fs_rw_nfsd_fs',`
########################################
## <summary>
@@ -121228,7 +121245,7 @@ index 7c6b791..12947fe 100644
## Allow the type to associate to ramfs filesystems.
## </summary>
## <param name="type">
-@@ -3392,7 +3950,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +3967,7 @@ interface(`fs_search_ramfs',`
########################################
## <summary>
@@ -121237,7 +121254,7 @@ index 7c6b791..12947fe 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3429,7 +3987,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4004,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
## <summary>
@@ -121246,7 +121263,7 @@ index 7c6b791..12947fe 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3447,7 +4005,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4022,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
## <summary>
@@ -121255,7 +121272,7 @@ index 7c6b791..12947fe 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3815,6 +4373,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4390,24 @@ interface(`fs_unmount_tmpfs',`
########################################
## <summary>
@@ -121280,7 +121297,7 @@ index 7c6b791..12947fe 100644
## Get the attributes of a tmpfs
## filesystem.
## </summary>
-@@ -3963,6 +4539,60 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3963,6 +4556,60 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
## <summary>
@@ -121341,7 +121358,7 @@ index 7c6b791..12947fe 100644
## Create, read, write, and delete
## tmpfs directories
## </summary>
-@@ -4069,7 +4699,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4069,7 +4716,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t;
')
@@ -121350,7 +121367,7 @@ index 7c6b791..12947fe 100644
')
########################################
-@@ -4129,6 +4759,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4129,6 +4776,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
## <summary>
@@ -121375,7 +121392,7 @@ index 7c6b791..12947fe 100644
## Read tmpfs link files.
## </summary>
## <param name="domain">
-@@ -4166,7 +4814,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4166,7 +4831,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
## <summary>
@@ -121384,7 +121401,7 @@ index 7c6b791..12947fe 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4185,6 +4833,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4185,6 +4850,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -121445,7 +121462,7 @@ index 7c6b791..12947fe 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4242,6 +4944,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4242,6 +4961,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
## <summary>
@@ -121490,7 +121507,7 @@ index 7c6b791..12947fe 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
## </summary>
-@@ -4261,6 +5001,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4261,6 +5018,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
@@ -121516,7 +121533,7 @@ index 7c6b791..12947fe 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
-@@ -4467,6 +5226,8 @@ interface(`fs_mount_all_fs',`
+@@ -4467,6 +5243,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -121525,7 +121542,7 @@ index 7c6b791..12947fe 100644
')
########################################
-@@ -4513,7 +5274,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4513,7 +5291,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -121534,7 +121551,7 @@ index 7c6b791..12947fe 100644
## Example attributes:
## </p>
## <ul>
-@@ -4560,6 +5321,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4560,6 +5338,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
## <summary>
@@ -121561,7 +121578,7 @@ index 7c6b791..12947fe 100644
## Get the quotas of all filesystems.
## </summary>
## <param name="domain">
-@@ -4876,3 +5657,43 @@ interface(`fs_unconfined',`
+@@ -4876,3 +5674,43 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 5959f6a..7f70a27 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -8961,10 +8961,10 @@ index 0000000..efebae7
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..22ef64d
+index 0000000..351cd63
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,196 @@
+@@ -0,0 +1,202 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -9105,6 +9105,12 @@ index 0000000..22ef64d
+ fs_read_fusefs_symlinks(chrome_sandbox_t)
+')
+
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_read_ecryptfs_files(chrome_sandbox_t)
++ fs_dontaudit_append_ecryptfs_files(chrome_sandbox_t)
++ fs_read_ecryptfs_symlinks(chrome_sandbox_t)
++')
++
+optional_policy(`
+ sandbox_use_ptys(chrome_sandbox_t)
+')
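Review bot: Inside the new `use_ecryptfs_home_dirs` block, `fs_dontaudit_append_ecryptfs_files(chrome_sandbox_t)` will hide every append denial on ecryptfs home files, including ones a user would want to see when a write into the encrypted home fails. A one-line comment naming the expected source of the noise would make the trade-off reviewable, e.g. `# append denials come from inherited fds; the sandbox itself does not write home files` — confirm the wording against the AVC that motivated the change before adopting it. The read-files/read-symlinks pair mirrors the FUSEFS tunable block directly above it, so only the dontaudit line needs the justification.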
@@ -12258,7 +12264,7 @@ index 3a6d7eb..1bb208a 100644
/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
diff --git a/corosync.if b/corosync.if
-index 5220c9d..33df583 100644
+index 5220c9d..af2d3bc 100644
--- a/corosync.if
+++ b/corosync.if
@@ -20,6 +20,43 @@ interface(`corosync_domtrans',`
@@ -12305,7 +12311,33 @@ index 5220c9d..33df583 100644
## Allow the specified domain to read corosync's log files.
## </summary>
## <param name="domain">
-@@ -52,14 +89,58 @@ interface(`corosync_read_log',`
+@@ -38,6 +75,25 @@ interface(`corosync_read_log',`
+ read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+ ')
+
++#######################################
++## <summary>
++## Setattr corosync log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`corosync_setattr_log',`
++ gen_require(`
++ type corosync_var_log_t;
++ ')
++
++ setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
++')
++
++
+ #####################################
+ ## <summary>
+ ## Connect to corosync over a unix domain
+@@ -52,14 +108,58 @@ interface(`corosync_read_log',`
interface(`corosync_stream_connect',`
gen_require(`
type corosync_t, corosync_var_run_t;
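Review bot: Style: the new `corosync_setattr_log` interface is followed by two consecutive empty lines before the `#####` banner of `corosync_stream_connect`, and its own banner is 39 `#` wide where the sibling banners in this file are 40; drop one blank line and pad the banner. The body is fine as written: `setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t)` grants setattr on the log files plus search on their directory, matching its use by `pacemaker_t` in the later pacemaker.te hunk of this same commit.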
@@ -12364,7 +12396,7 @@ index 5220c9d..33df583 100644
## All of the rules required to administrate
## an corosync environment
## </summary>
-@@ -80,11 +161,16 @@ interface(`corosyncd_admin',`
+@@ -80,11 +180,16 @@ interface(`corosyncd_admin',`
type corosync_t, corosync_var_lib_t, corosync_var_log_t;
type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
type corosync_initrc_exec_t;
@@ -12382,7 +12414,7 @@ index 5220c9d..33df583 100644
init_labeled_script_domtrans($1, corosync_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 corosync_initrc_exec_t system_r;
-@@ -103,4 +189,8 @@ interface(`corosyncd_admin',`
+@@ -103,4 +208,8 @@ interface(`corosyncd_admin',`
files_list_pids($1)
admin_pattern($1, corosync_var_run_t)
@@ -14986,7 +15018,7 @@ index 305ddf4..a682e21 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index e5a8924..e12c890 100644
+index e5a8924..ac29949 100644
--- a/cups.te
+++ b/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -15286,15 +15318,17 @@ index e5a8924..e12c890 100644
miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
cups_stream_connect(cupsd_lpd_t)
-@@ -577,7 +608,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
+@@ -577,33 +608,32 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
-files_read_etc_files(cups_pdf_t)
files_read_usr_files(cups_pdf_t)
++fs_getattr_xattr_fs(cups_pdf_t)
++
corecmd_exec_shell(cups_pdf_t)
-@@ -585,25 +615,23 @@ corecmd_exec_bin(cups_pdf_t)
+ corecmd_exec_bin(cups_pdf_t)
auth_use_nsswitch(cups_pdf_t)
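Review bot: The changelog entry reads "Allow all cups domains to getattr on filesystems", but this hunk only adds `fs_getattr_xattr_fs(cups_pdf_t)`; either the other cups domains are handled in hunks not shown on this page or the entry overstates the change, and the two should be reconciled so the changelog can be trusted when auditing what each domain gained. The new call lands between `files_read_usr_files` and `corecmd_exec_shell`, which does not follow the usual kernel/corecmd/corenet/dev/files/fs ordering, but the surrounding block already deviates from it, so that is pre-existing rather than introduced here.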
@@ -15329,7 +15363,7 @@ index e5a8924..e12c890 100644
')
########################################
-@@ -635,9 +663,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+@@ -635,9 +665,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@@ -15346,7 +15380,7 @@ index e5a8924..e12c890 100644
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
-@@ -647,7 +682,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+@@ -647,7 +684,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
@@ -15357,7 +15391,7 @@ index e5a8924..e12c890 100644
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_generic_if(hplip_t)
corenet_udp_sendrecv_generic_if(hplip_t)
-@@ -661,10 +698,10 @@ corenet_tcp_bind_generic_node(hplip_t)
+@@ -661,10 +700,10 @@ corenet_tcp_bind_generic_node(hplip_t)
corenet_udp_bind_generic_node(hplip_t)
corenet_tcp_bind_hplip_port(hplip_t)
corenet_tcp_connect_hplip_port(hplip_t)
@@ -15371,7 +15405,7 @@ index e5a8924..e12c890 100644
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
-@@ -673,31 +710,34 @@ dev_read_rand(hplip_t)
+@@ -673,31 +712,34 @@ dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
dev_rw_usbfs(hplip_t)
@@ -15417,7 +15451,7 @@ index e5a8924..e12c890 100644
optional_policy(`
dbus_system_bus_client(hplip_t)
-@@ -743,7 +783,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -743,7 +785,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -15425,7 +15459,7 @@ index e5a8924..e12c890 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -760,13 +799,10 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -760,13 +801,10 @@ fs_search_auto_mountpoints(ptal_t)
domain_use_interactive_fds(ptal_t)
@@ -23327,7 +23361,7 @@ index 7ff9d6d..b1c97f2 100644
allow $1 glance_api_t:process signal_perms;
ps_process_pattern($1, glance_api_t)
diff --git a/glance.te b/glance.te
-index 4afb81f..efff577 100644
+index 4afb81f..8dca97a 100644
--- a/glance.te
+++ b/glance.te
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.0)
@@ -23353,7 +23387,15 @@ index 4afb81f..efff577 100644
init_daemon_domain(glance_api_t, glance_api_exec_t)
type glance_api_initrc_exec_t;
-@@ -54,16 +55,18 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -41,6 +42,7 @@ files_pid_file(glance_var_run_t)
+ # glance general domain local policy
+ #
+
++allow glance_domain self:process signal_perms;
+ allow glance_domain self:fifo_file rw_fifo_file_perms;
+ allow glance_domain self:unix_stream_socket create_stream_socket_perms;
+ allow glance_domain self:tcp_socket create_stream_socket_perms;
+@@ -54,16 +56,25 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
@@ -23372,10 +23414,17 @@ index 4afb81f..efff577 100644
+
+libs_exec_ldconfig(glance_domain)
+
++optional_policy(`
++ mysql_stream_connect(glance_domain)
++')
++
++optional_policy(`
++ postgresql_stream_connect(glance_domain)
++')
optional_policy(`
sysnet_dns_name_resolve(glance_domain)
-@@ -78,8 +81,20 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+@@ -78,8 +89,17 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
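Review bot: Style: the new `optional_policy(` block for `postgresql_stream_connect(glance_domain)` closes with `')` and the pre-existing `optional_policy(` block for `sysnet_dns_name_resolve` follows on the very next line, without the blank separator used between every other pair of blocks in this file; add an empty line after the postgresql block. Moving the database connect rules onto the `glance_domain` attribute is consistent with the removal of the per-domain `mysql_stream_connect` rules from `glance_registry_t` and `glance_api_t` in the later hunks of this file, so no domain loses access it had before.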
@@ -23390,13 +23439,10 @@ index 4afb81f..efff577 100644
+
+logging_send_syslog_msg(glance_registry_t)
+
-+optional_policy(`
-+ mysql_stream_connect(glance_registry_t)
-+')
########################################
#
-@@ -94,11 +109,15 @@ can_exec(glance_api_t, glance_tmp_t)
+@@ -94,11 +114,11 @@ can_exec(glance_api_t, glance_tmp_t)
corecmd_exec_shell(glance_api_t)
corenet_tcp_bind_generic_node(glance_api_t)
@@ -23408,11 +23454,8 @@ index 4afb81f..efff577 100644
dev_read_urand(glance_api_t)
fs_getattr_xattr_fs(glance_api_t)
-
+-
-libs_exec_ldconfig(glance_api_t)
-+optional_policy(`
-+ mysql_stream_connect(glance_api_t)
-+')
diff --git a/glusterd.fc b/glusterd.fc
new file mode 100644
index 0000000..6418e39
@@ -25950,7 +25993,7 @@ index 6d50300..951b790 100644
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
-index 72a113e..4a17541 100644
+index 72a113e..9711129 100644
--- a/gpg.te
+++ b/gpg.te
@@ -4,6 +4,7 @@ policy_module(gpg, 2.6.0)
@@ -26053,7 +26096,7 @@ index 72a113e..4a17541 100644
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
-@@ -77,16 +100,17 @@ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+@@ -77,16 +100,18 @@ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
allow gpg_t gpg_secret_t:dir create_dir_perms;
@@ -26064,6 +26107,7 @@ index 72a113e..4a17541 100644
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
kernel_read_sysctl(gpg_t)
++kernel_read_system_state(gpg_t)
+kernel_getattr_core_if(gpg_t)
corecmd_exec_shell(gpg_t)
@@ -26073,7 +26117,7 @@ index 72a113e..4a17541 100644
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
corenet_udp_sendrecv_generic_if(gpg_t)
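Review bot: `kernel_read_system_state(gpg_t)` is added so gpg can read fips_enabled (per the changelog), but that interface grants read on all of proc_t, which is far broader than one sysctl. If this policy tree labels /proc/sys/crypto with its own type and provides a matching read interface, that would be the least-privilege choice; I cannot tell from this hunk which label fips_enabled carries on the target system, so treat the narrower interface as something to check rather than a given. Either way the added line should say why it is there, e.g. `# gpg reads /proc/sys/crypto/fips_enabled`, since nothing in the hunk connects it to FIPS.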
-@@ -100,38 +124,43 @@ corenet_sendrecv_all_client_packets(gpg_t)
+@@ -100,38 +125,43 @@ corenet_sendrecv_all_client_packets(gpg_t)
dev_read_rand(gpg_t)
dev_read_urand(gpg_t)
dev_read_generic_usb_dev(gpg_t)
@@ -26129,7 +26173,7 @@ index 72a113e..4a17541 100644
')
optional_policy(`
-@@ -140,15 +169,19 @@ optional_policy(`
+@@ -140,15 +170,19 @@ optional_policy(`
')
optional_policy(`
@@ -26153,7 +26197,7 @@ index 72a113e..4a17541 100644
########################################
#
# GPG helper local policy
-@@ -166,7 +199,6 @@ allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
+@@ -166,7 +200,6 @@ allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
dontaudit gpg_helper_t gpg_secret_t:file read;
@@ -26161,7 +26205,7 @@ index 72a113e..4a17541 100644
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
corenet_raw_sendrecv_generic_if(gpg_helper_t)
-@@ -180,11 +212,10 @@ corenet_tcp_bind_generic_node(gpg_helper_t)
+@@ -180,11 +213,10 @@ corenet_tcp_bind_generic_node(gpg_helper_t)
corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)
@@ -26174,7 +26218,7 @@ index 72a113e..4a17541 100644
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -198,15 +229,17 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -198,15 +230,17 @@ tunable_policy(`use_samba_home_dirs',`
#
# GPG agent local policy
#
@@ -26193,7 +26237,7 @@ index 72a113e..4a17541 100644
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
-@@ -223,43 +256,34 @@ corecmd_read_bin_symlinks(gpg_agent_t)
+@@ -223,43 +257,34 @@ corecmd_read_bin_symlinks(gpg_agent_t)
corecmd_search_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)
@@ -26242,7 +26286,7 @@ index 72a113e..4a17541 100644
optional_policy(`
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
-@@ -294,10 +318,10 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+@@ -294,10 +319,10 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)
@@ -26254,7 +26298,7 @@ index 72a113e..4a17541 100644
corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
corenet_tcp_bind_generic_node(gpg_pinentry_t)
corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
-@@ -310,7 +334,6 @@ dev_read_rand(gpg_pinentry_t)
+@@ -310,7 +335,6 @@ dev_read_rand(gpg_pinentry_t)
files_read_usr_files(gpg_pinentry_t)
# read /etc/X11/qtrc
@@ -26262,7 +26306,7 @@ index 72a113e..4a17541 100644
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
fs_getattr_tmpfs(gpg_pinentry_t)
-@@ -320,18 +343,19 @@ auth_use_nsswitch(gpg_pinentry_t)
+@@ -320,18 +344,19 @@ auth_use_nsswitch(gpg_pinentry_t)
logging_send_syslog_msg(gpg_pinentry_t)
miscfiles_read_fonts(gpg_pinentry_t)
@@ -26288,7 +26332,7 @@ index 72a113e..4a17541 100644
')
optional_policy(`
-@@ -340,6 +364,12 @@ optional_policy(`
+@@ -340,6 +365,12 @@ optional_policy(`
')
optional_policy(`
@@ -26301,7 +26345,7 @@ index 72a113e..4a17541 100644
pulseaudio_exec(gpg_pinentry_t)
pulseaudio_rw_home_files(gpg_pinentry_t)
pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -349,4 +379,27 @@ optional_policy(`
+@@ -349,4 +380,27 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -30359,10 +30403,10 @@ index 0000000..f20248c
+')
diff --git a/keystone.te b/keystone.te
new file mode 100644
-index 0000000..a6606f3
+index 0000000..ff9f684
--- /dev/null
+++ b/keystone.te
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,73 @@
+policy_module(keystone, 1.0.0)
+
+########################################
@@ -30390,6 +30434,8 @@ index 0000000..a6606f3
+#
+# keystone local policy
+#
++allow keystone_t self:process { getsched setsched };
++
+allow keystone_t self:fifo_file rw_fifo_file_perms;
+allow keystone_t self:unix_stream_socket create_stream_socket_perms;
+allow keystone_t self:tcp_socket create_stream_socket_perms;
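Review bot: Style: the new `allow keystone_t self:process { getsched setsched };` sits directly under the `# keystone local policy` banner with no blank line, whereas the other .te files touched by this diff (glance, pacemaker) separate the banner from the first rule with an empty line; move the blank line so it sits above the new rule rather than below it. The permission itself applies only to the domain's own process and is unremarkable.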
@@ -30427,10 +30473,13 @@ index 0000000..a6606f3
+
+libs_exec_ldconfig(keystone_t)
+
-+
+optional_policy(`
+ mysql_stream_connect(keystone_t)
+')
++
++optional_policy(`
++ postgresql_stream_connect(keystone_t)
++')
diff --git a/kismet.if b/kismet.if
index c18c920..582f7f3 100644
--- a/kismet.if
@@ -35070,7 +35119,7 @@ index b397fde..eda9218 100644
+')
+
diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..212475e 100644
+index d4fcb75..50d47bb 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -35415,7 +35464,8 @@ index d4fcb75..212475e 100644
-tunable_policy(`allow_execmem',`
- allow mozilla_plugin_t self:process { execmem execstack };
-')
--
++userdom_home_manager(mozilla_plugin_t)
+
-tunable_policy(`allow_execstack',`
- allow mozilla_plugin_t self:process { execstack };
-')
@@ -35425,8 +35475,7 @@ index d4fcb75..212475e 100644
- fs_manage_nfs_files(mozilla_plugin_t)
- fs_manage_nfs_symlinks(mozilla_plugin_t)
-')
-+userdom_home_manager(mozilla_plugin_t)
-
+-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_plugin_t)
- fs_manage_cifs_files(mozilla_plugin_t)
@@ -35480,7 +35529,7 @@ index d4fcb75..212475e 100644
')
optional_policy(`
-@@ -447,10 +526,117 @@ optional_policy(`
+@@ -447,10 +526,121 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -35493,13 +35542,13 @@ index d4fcb75..212475e 100644
+
+optional_policy(`
+ rtkit_scheduled(mozilla_plugin_t)
- ')
-
- optional_policy(`
-+ udev_read_db(mozilla_plugin_t)
+')
+
+optional_policy(`
++ udev_read_db(mozilla_plugin_t)
+ ')
+
+ optional_policy(`
+ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
xserver_read_xdm_pid(mozilla_plugin_t)
@@ -35573,6 +35622,10 @@ index d4fcb75..212475e 100644
+
+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
+
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_read_ecryptfs_files(mozilla_plugin_config_t)
++')
++
+optional_policy(`
+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
+')
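Review bot: The new `use_ecryptfs_home_dirs` block for `mozilla_plugin_config_t` grants only `fs_read_ecryptfs_files`, whereas the equivalent block added to `chrome_sandbox_t` in this same commit also grants `fs_read_ecryptfs_symlinks`; if any path component under the encrypted home is a symlink, the config read will still be denied. Consider adding `fs_read_ecryptfs_symlinks(mozilla_plugin_config_t)` for parity, or a comment recording that symlinks were deliberately left out. The `mozilla_plugin_config_t` policy section continues past the end of this hunk.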
@@ -39915,10 +39968,10 @@ index 0000000..7d11148
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 0000000..f0aaecf
+index 0000000..34762bb
--- /dev/null
+++ b/nova.te
-@@ -0,0 +1,324 @@
+@@ -0,0 +1,328 @@
+policy_module(nova, 1.0.0)
+
+########################################
@@ -40067,6 +40120,10 @@ index 0000000..f0aaecf
+ mysql_stream_connect(nova_cert_t)
+')
+
++optional_policy(`
++ postgresql_stream_connect(nova_cert_t)
++')
++
+#######################################
+#
+# nova compute local policy
@@ -43542,7 +43599,7 @@ index 0000000..6e20e72
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..8d6a35b
+index 0000000..ec227d2
--- /dev/null
+++ b/openshift.te
@@ -0,0 +1,468 @@
@@ -43947,7 +44004,7 @@ index 0000000..8d6a35b
+#
+# openshift_cron local policy
+#
-+allow openshift_cron_t self:capability net_admin;
++allow openshift_cron_t self:capability { net_admin sys_admin };
+allow openshift_cron_t self:process signal_perms;
+allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
+allow openshift_cron_t self:udp_socket create_socket_perms;
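Review bot: `allow openshift_cron_t self:capability { net_admin sys_admin };` grants CAP_SYS_ADMIN to the cron domain, and neither the changelog above nor a comment in the hunk says which operation needs it. sys_admin is the catch-all capability (mount, setns, a large set of privileged ioctls and more), and a confined domain normally receives it only with a recorded justification; please add a comment naming the denial that motivated it, e.g. `# sys_admin: <operation from the AVC>`, and check whether a dontaudit or a more specific permission covers the actual access. If the grant is deliberate it also deserves its own changelog entry. The `openshift_cron` local policy section continues beyond the end of this hunk.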
@@ -44762,10 +44819,10 @@ index 0000000..e05c78f
+')
diff --git a/pacemaker.te b/pacemaker.te
new file mode 100644
-index 0000000..3a97ac3
+index 0000000..418433e
--- /dev/null
+++ b/pacemaker.te
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,114 @@
+policy_module(pacemaker, 1.0.0)
+
+########################################
@@ -44773,6 +44830,13 @@ index 0000000..3a97ac3
+# Declarations
+#
+
++## <desc>
++## <p>
++## Allow pacemaker memcheck-amd64- to use executable memory
++## </p>
++## </desc>
++gen_tunable(pacemaker_use_execmem, false)
++
+type pacemaker_t;
+type pacemaker_exec_t;
+init_daemon_domain(pacemaker_t, pacemaker_exec_t)
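Review bot: The tunable description `Allow pacemaker memcheck-amd64- to use executable memory` reads like a typo to anyone who does not know that memcheck-amd64- is a tool binary (presumably valgrind's), and this description is what administrators see when listing booleans; spell it out, e.g. `Allow pacemaker to use executable memory (needed when it is run under valgrind's memcheck-amd64- tool)`. The `false` default is the right choice for an execmem grant.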
@@ -44801,9 +44865,19 @@ index 0000000..3a97ac3
+#
+
+allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
-+allow pacemaker_t self:process { fork setrlimit signal setpgid };
++allow pacemaker_t self:capability2 block_suspend;
++allow pacemaker_t self:process { setrlimit signal setpgid };
+allow pacemaker_t self:fifo_file rw_fifo_file_perms;
-+allow pacemaker_t self:unix_stream_socket { connectto create_stream_socket_perms };
++allow pacemaker_t self:unix_stream_socket { connectto accept listen };
++
++manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
++manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
++manage_fifo_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
++files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { fifo_file file dir })
++
++manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
++manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
++fs_tmpfs_filetrans(pacemaker_t, pacemaker_tmpfs_t, { dir file })
+
+manage_dirs_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
+manage_files_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
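Review bot: The new tmp/tmpfs rules reference `pacemaker_tmp_t` and `pacemaker_tmpfs_t`, but none of this commit's three pacemaker.te hunks declares them (the 28 added lines are fully accounted for by the tunable, capability2, tmp rules, ifconfig, execmem and optional blocks); unless both types were already declared in the untouched declarations section with the matching `files_tmp_file`/`files_tmpfs_file` calls, the module will fail to build — please confirm. Separately, the self `unix_stream_socket` rule is narrowed from `{ connectto create_stream_socket_perms }` to `{ connectto accept listen }`, which drops create/bind/read/write, and `fork` is dropped from the process rule; that is only safe if the base domain rules already grant them, so a comment such as `# create/rw and fork come from the domain base rules` would save the next reader a search.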
@@ -44846,12 +44920,23 @@ index 0000000..3a97ac3
+
+logging_send_syslog_msg(pacemaker_t)
+
++sysnet_domtrans_ifconfig(pacemaker_t)
++
++tunable_policy(`pacemaker_use_execmem',`
++ allow pacemaker_t self:process { execmem };
++')
++
+optional_policy(`
+ corosync_read_log(pacemaker_t)
++ corosync_setattr_log(pacemaker_t)
+ corosync_stream_connect(pacemaker_t)
+ corosync_rw_tmpfs(pacemaker_t)
+')
+
++optional_policy(`
++ #executes heartbeat lib files
++ rgmanager_execute_lib(pacemaker_t)
++')
diff --git a/pads.fc b/pads.fc
index 0870c56..6d5fb1d 100644
--- a/pads.fc
@@ -45325,11 +45410,59 @@ index ceafba6..47b690d 100644
+optional_policy(`
+ udev_read_db(pcscd_t)
+')
+diff --git a/pegasus.if b/pegasus.if
+index 920b13f..22b745a 100644
+--- a/pegasus.if
++++ b/pegasus.if
+@@ -1 +1,37 @@
+ ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
++
++######################################
++## <summary>
++## Creates types and rules for a basic
++## openlmi init daemon domain.
++## </summary>
++## <param name="prefix">
++## <summary>
++## Prefix for the domain.
++## </summary>
++## </param>
++#
++template(`pegasus_openlmi_domain_template',`
++ gen_require(`
++ attribute pegasus_openlmi_domain;
++ ')
++
++ ##############################
++ #
++ # Declarations
++ #
++
++ type pegasus_openlmi_$1_t, pegasus_openlmi_domain;
++ type $1_exec_t;
++ init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t)
++
++ ##############################
++ #
++ # Local policy
++ #
++
++ domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t)
++
++ kernel_read_system_state(pegasus_openlmi_$1_t)
++ logging_send_syslog_msg(pegasus_openlmi_$1_t)
++')
diff --git a/pegasus.te b/pegasus.te
-index 3185114..d459c82 100644
+index 3185114..2d917be 100644
--- a/pegasus.te
+++ b/pegasus.te
-@@ -9,6 +9,9 @@ type pegasus_t;
+@@ -5,10 +5,15 @@ policy_module(pegasus, 1.8.0)
+ # Declarations
+ #
+
++attribute pegasus_openlmi_domain;
++
+ type pegasus_t;
type pegasus_exec_t;
init_daemon_domain(pegasus_t, pegasus_exec_t)
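Review bot: The template declares `type $1_exec_t;` but every later use names `pegasus_openlmi_$1_exec_t` — in `init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t)` and in `domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t)` — so the first real call of `pegasus_openlmi_domain_template` will fail on an undeclared type, and the exec type it does declare is never used. Change the declaration to `type pegasus_openlmi_$1_exec_t;`. The bug is latent in this commit only because the single invocation in pegasus.te is commented out (`#pegasus_openlmi_domain_template(account)`). Consider also listing `type pegasus_t;` in the `gen_require` block, since the template references it alongside the attribute it already requires.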
@@ -45339,7 +45472,7 @@ index 3185114..d459c82 100644
type pegasus_data_t;
files_type(pegasus_data_t)
-@@ -16,7 +19,7 @@ type pegasus_tmp_t;
+@@ -16,7 +21,7 @@ type pegasus_tmp_t;
files_tmp_file(pegasus_tmp_t)
type pegasus_conf_t;
@@ -45348,8 +45481,26 @@ index 3185114..d459c82 100644
type pegasus_mof_t;
files_type(pegasus_mof_t)
-@@ -29,18 +32,23 @@ files_pid_file(pegasus_var_run_t)
- # Local policy
+@@ -24,23 +29,40 @@ files_type(pegasus_mof_t)
+ type pegasus_var_run_t;
+ files_pid_file(pegasus_var_run_t)
+
++# pegasus openlmi providers
++#pegasus_openlmi_domain_template(account)
++
++#######################################
++#
++# pegasus openlmi providers local policy
++#
++
++corecmd_exec_bin(pegasus_openlmi_domain)
++
++sysnet_read_config(pegasus_openlmi_domain)
++
+ ########################################
+ #
+-# Local policy
++# pegasus local policy
#
-allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
@@ -45375,7 +45526,7 @@ index 3185114..d459c82 100644
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
-@@ -56,17 +64,20 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
+@@ -56,17 +78,20 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
@@ -45399,7 +45550,7 @@ index 3185114..d459c82 100644
corenet_all_recvfrom_netlabel(pegasus_t)
corenet_tcp_sendrecv_generic_if(pegasus_t)
corenet_tcp_sendrecv_generic_node(pegasus_t)
-@@ -86,7 +97,7 @@ corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
+@@ -86,7 +111,7 @@ corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
@@ -45408,7 +45559,7 @@ index 3185114..d459c82 100644
dev_read_urand(pegasus_t)
fs_getattr_all_fs(pegasus_t)
-@@ -95,11 +106,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -95,11 +120,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -45421,7 +45572,7 @@ index 3185114..d459c82 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
files_read_var_lib_symlinks(pegasus_t)
-@@ -112,8 +123,6 @@ init_stream_connect_script(pegasus_t)
+@@ -112,8 +137,6 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -45430,7 +45581,7 @@ index 3185114..d459c82 100644
sysnet_read_config(pegasus_t)
sysnet_domtrans_ifconfig(pegasus_t)
-@@ -121,12 +130,48 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
+@@ -121,12 +144,48 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_user_home_dirs(pegasus_t)
optional_policy(`
@@ -45480,7 +45631,7 @@ index 3185114..d459c82 100644
')
optional_policy(`
-@@ -136,3 +181,14 @@ optional_policy(`
+@@ -136,3 +195,14 @@ optional_policy(`
optional_policy(`
unconfined_signull(pegasus_t)
')
@@ -50224,7 +50375,7 @@ index de4bdb7..a4cad0b 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index bcbf9ac..5a550bb 100644
+index bcbf9ac..cb7604d 100644
--- a/ppp.te
+++ b/ppp.te
@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
@@ -50273,7 +50424,7 @@ index bcbf9ac..5a550bb 100644
+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
dontaudit pppd_t self:capability sys_tty_config;
-allow pppd_t self:process { getsched signal };
-+allow pppd_t self:process { getsched setsched signal };
++allow pppd_t self:process { getsched setsched signal_perms };
allow pppd_t self:fifo_file rw_fifo_file_perms;
allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms;
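Review bot: `signal_perms` on the new line grants sigkill, sigstop, sigchld, signull and signal on self:process, whereas the stated intent is only to allow pppd to send signull. Since the target is pppd's own process the exposure is small, but the narrower `allow pppd_t self:process { getsched setsched signal signull };` matches the changelog exactly and keeps the rule readable as a list of what was actually needed.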
@@ -55142,11 +55293,13 @@ index b4ac57e..7b76aa2 100644
diff --git a/realmd.fc b/realmd.fc
new file mode 100644
-index 0000000..3c24ce4
+index 0000000..02a1f34
--- /dev/null
+++ b/realmd.fc
-@@ -0,0 +1 @@
+@@ -0,0 +1,3 @@
+/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
++
++/var/cache/realmd(/.*)? gen_context(system_u:object_r:realmd_var_cache_t,s0)
diff --git a/realmd.if b/realmd.if
new file mode 100644
index 0000000..e38693b
@@ -55197,10 +55350,10 @@ index 0000000..e38693b
+')
diff --git a/realmd.te b/realmd.te
new file mode 100644
-index 0000000..c994751
+index 0000000..da585cb
--- /dev/null
+++ b/realmd.te
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,118 @@
+policy_module(realmd, 1.0.0)
+
+########################################
@@ -55213,6 +55366,14 @@ index 0000000..c994751
+application_domain(realmd_t, realmd_exec_t)
+role system_r types realmd_t;
+
++type realmd_var_cache_t;
++files_type(realmd_var_cache_t)
++
++#FIXME
++type realmd_tmp_t;
++files_tmp_file(realmd_tmp_t)
++
++
+########################################
+#
+# realmd local policy
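Review bot: The bare `#FIXME` above `type realmd_tmp_t;` gives the next maintainer nothing to act on; the commit message explains that the tmp type is a stopgap until realmd moves to /var/cache/realmd, and that belongs in the file, e.g. `# FIXME: temporary; drop realmd_tmp_t once realmd only uses /var/cache/realmd (realmd_var_cache_t)`. The double blank line after the tmp declaration is also one more than the surrounding blocks use.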
@@ -55221,6 +55382,13 @@ index 0000000..c994751
+allow realmd_t self:capability sys_nice;
+allow realmd_t self:process setsched;
+
++manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
++manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
++files_tmp_filetrans(realmd_t, realmd_tmp_t, { file dir })
++
++manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
++manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
++
+kernel_read_system_state(realmd_t)
+
+corecmd_exec_bin(realmd_t)
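Review bot: The realmd_var_cache_t rules give realmd manage rights on the type but no file transition, so if the daemon creates /var/cache/realmd itself at runtime (rather than the package shipping it) the directory will be created with the default /var/cache label and the new manage_* rules will not apply; if that is the case, a `files_var_filetrans(realmd_t, realmd_var_cache_t, dir, "realmd")` alongside them would cover it — I cannot tell from the hunk which side creates the directory. As a style point, the surrounding policy lists manage_dirs_pattern before manage_files_pattern (as the tmp block above does), so the two var_cache lines could be swapped to match.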
@@ -55467,7 +55635,7 @@ index 3c97ef0..91e69b8 100644
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0)
/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/rgmanager.if b/rgmanager.if
-index 7dc38d1..5bd6fdb 100644
+index 7dc38d1..7d70a46 100644
--- a/rgmanager.if
+++ b/rgmanager.if
@@ -5,9 +5,9 @@
@@ -55491,7 +55659,7 @@ index 7dc38d1..5bd6fdb 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -75,3 +75,91 @@ interface(`rgmanager_manage_tmpfs_files',`
+@@ -75,3 +75,111 @@ interface(`rgmanager_manage_tmpfs_files',`
fs_search_tmpfs($1)
manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
')
@@ -55583,6 +55751,26 @@ index 7dc38d1..5bd6fdb 100644
+ files_list_pids($1)
+ admin_pattern($1, rgmanager_var_run_t)
+')
++
++######################################
++## <summary>
++## Allow the specified domain to execute rgmanager's lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rgmanager_execute_lib',`
++ gen_require(`
++ type rgmanager_var_lib_t;
++ ')
++
++ files_list_var_lib($1)
++ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
++ can_exec($1, rgmanager_var_lib_t)
++')
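Review bot: `can_exec($1, rgmanager_var_lib_t)` runs every file under rgmanager_var_lib_t in the caller's own domain with no transition, which means any domain able to write that type can influence what pacemaker_t (the caller added in the earlier hunk, "executes heartbeat lib files") executes; the writers of rgmanager_var_lib_t are outside this hunk, so I can only flag it rather than confirm the exposure. At minimum the interface summary should say so, e.g. `## Execute files in rgmanager's lib directory in the caller domain (no domain transition); used for heartbeat resource scripts.`, so that future callers understand what they are granting.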
diff --git a/rgmanager.te b/rgmanager.te
index 3786c45..1ad9c12 100644
--- a/rgmanager.te
@@ -55741,13 +55929,14 @@ index 3786c45..1ad9c12 100644
rpc_domtrans_nfsd(rgmanager_t)
rpc_domtrans_rpcd(rgmanager_t)
diff --git a/rhcs.fc b/rhcs.fc
-index c2ba53b..977f2eb 100644
+index c2ba53b..d022603 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,22 +1,30 @@
+@@ -1,22 +1,31 @@
/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_sanlockd -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
@@ -61741,7 +61930,7 @@ index cfe3172..34b861a 100644
+ allow $1 sanlock_unit_file_t:service all_service_perms;
')
diff --git a/sanlock.te b/sanlock.te
-index e02eb6c..4f4eaf4 100644
+index e02eb6c..114c9d2 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -1,4 +1,4 @@
@@ -61803,7 +61992,7 @@ index e02eb6c..4f4eaf4 100644
allow sanlock_t self:fifo_file rw_fifo_file_perms;
allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
-@@ -58,36 +69,51 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+@@ -58,36 +69,55 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
kernel_read_system_state(sanlock_t)
@@ -61857,6 +62046,10 @@ index e02eb6c..4f4eaf4 100644
+')
+
+optional_policy(`
++ rhcs_domtrans_fenced(sanlock_t)
++')
++
++optional_policy(`
+ wdmd_stream_connect(sanlock_t)
')
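Review bot: The new `rhcs_domtrans_fenced(sanlock_t)` block reads as an arbitrary transition into the fenced_t domain unless the reader also knows about the rhcs.fc change earlier in this commit; a one-line comment inside the optional_policy, `# fence_sanlockd is labeled fenced_exec_t (see rhcs.fc)`, would tie the two together and explain why sanlock needs to enter the fence domain.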
@@ -69578,7 +69771,7 @@ index 54b8605..a04f013 100644
admin_pattern($1, tuned_var_run_t)
')
diff --git a/tuned.te b/tuned.te
-index db9d2a5..edfe6ba 100644
+index db9d2a5..1231e44 100644
--- a/tuned.te
+++ b/tuned.te
@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -69594,7 +69787,7 @@ index db9d2a5..edfe6ba 100644
type tuned_log_t;
logging_log_file(tuned_log_t)
-@@ -22,43 +28,85 @@ files_pid_file(tuned_var_run_t)
+@@ -22,43 +28,89 @@ files_pid_file(tuned_var_run_t)
#
# tuned local policy
#
@@ -69676,6 +69869,10 @@ index db9d2a5..edfe6ba 100644
+')
+
+optional_policy(`
++ libs_exec_ldconfig(tuned_t)
++')
++
++optional_policy(`
+ mount_domtrans(tuned_t)
+')
+
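Review bot: `libs_exec_ldconfig` is provided by the libraries module, which is part of the base policy, so the `optional_policy(` wrapper around it is unnecessary; refpolicy convention calls libs_* interfaces directly in the system-layer section of the .te rather than in an optional block, and the rest of tuned.te's optional blocks are for contrib modules like mount. Separately, libs_exec_ldconfig runs ldconfig inside tuned_t; if tuned only queries the cache that is fine, but if it rewrites ld.so.cache the transition form (libs_domtrans_ldconfig) carries those write rights instead of having to add them to tuned_t.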
@@ -74411,7 +74608,7 @@ index 77d41b6..cc73c96 100644
files_search_pids($1)
diff --git a/xen.te b/xen.te
-index 07033bb..8358a63 100644
+index 07033bb..ac1d395 100644
--- a/xen.te
+++ b/xen.te
@@ -4,6 +4,7 @@ policy_module(xen, 1.12.0)
@@ -74519,7 +74716,12 @@ index 07033bb..8358a63 100644
allow xend_t xen_image_t:dir list_dir_perms;
manage_dirs_pattern(xend_t, xen_image_t, xen_image_t)
-@@ -275,7 +278,6 @@ kernel_read_network_state(xend_t)
+@@ -271,11 +274,11 @@ kernel_write_xen_state(xend_t)
+ kernel_read_xen_state(xend_t)
+ kernel_rw_net_sysctls(xend_t)
+ kernel_read_network_state(xend_t)
++kernel_request_load_module(xend_t)
+
corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)
@@ -74527,7 +74729,7 @@ index 07033bb..8358a63 100644
corenet_all_recvfrom_netlabel(xend_t)
corenet_tcp_sendrecv_generic_if(xend_t)
corenet_tcp_sendrecv_generic_node(xend_t)
-@@ -294,12 +296,13 @@ corenet_sendrecv_soundd_server_packets(xend_t)
+@@ -294,12 +297,13 @@ corenet_sendrecv_soundd_server_packets(xend_t)
corenet_rw_tun_tap_dev(xend_t)
dev_read_urand(xend_t)
@@ -74542,7 +74744,7 @@ index 07033bb..8358a63 100644
files_read_etc_files(xend_t)
files_read_kernel_symbol_table(xend_t)
-@@ -309,7 +312,13 @@ files_etc_filetrans_etc_runtime(xend_t, file)
+@@ -309,7 +313,13 @@ files_etc_filetrans_etc_runtime(xend_t, file)
files_read_usr_files(xend_t)
files_read_default_symlinks(xend_t)
@@ -74556,7 +74758,7 @@ index 07033bb..8358a63 100644
term_use_generic_ptys(xend_t)
term_use_ptmx(xend_t)
term_getattr_pty_fs(xend_t)
-@@ -320,13 +329,10 @@ locallogin_dontaudit_use_fds(xend_t)
+@@ -320,13 +330,10 @@ locallogin_dontaudit_use_fds(xend_t)
logging_send_syslog_msg(xend_t)
@@ -74571,7 +74773,7 @@ index 07033bb..8358a63 100644
sysnet_domtrans_dhcpc(xend_t)
sysnet_signal_dhcpc(xend_t)
sysnet_domtrans_ifconfig(xend_t)
-@@ -339,8 +345,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
+@@ -339,8 +346,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
xen_stream_connect_xenstore(xend_t)
@@ -74580,7 +74782,7 @@ index 07033bb..8358a63 100644
optional_policy(`
brctl_domtrans(xend_t)
')
-@@ -349,6 +353,28 @@ optional_policy(`
+@@ -349,6 +354,28 @@ optional_policy(`
consoletype_exec(xend_t)
')
@@ -74609,7 +74811,7 @@ index 07033bb..8358a63 100644
########################################
#
# Xen console local policy
-@@ -359,7 +385,7 @@ allow xenconsoled_t self:process setrlimit;
+@@ -359,7 +386,7 @@ allow xenconsoled_t self:process setrlimit;
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
@@ -74618,7 +74820,7 @@ index 07033bb..8358a63 100644
# pid file
manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
-@@ -374,8 +400,6 @@ dev_rw_xen(xenconsoled_t)
+@@ -374,8 +401,6 @@ dev_rw_xen(xenconsoled_t)
dev_filetrans_xen(xenconsoled_t)
dev_rw_sysfs(xenconsoled_t)
@@ -74627,7 +74829,7 @@ index 07033bb..8358a63 100644
files_read_etc_files(xenconsoled_t)
files_read_usr_files(xenconsoled_t)
-@@ -390,7 +414,7 @@ term_use_console(xenconsoled_t)
+@@ -390,7 +415,7 @@ term_use_console(xenconsoled_t)
init_use_fds(xenconsoled_t)
init_use_script_ptys(xenconsoled_t)
@@ -74636,7 +74838,7 @@ index 07033bb..8358a63 100644
xen_manage_log(xenconsoled_t)
xen_stream_connect_xenstore(xenconsoled_t)
-@@ -413,9 +437,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -413,9 +438,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
# pid file
@@ -74648,7 +74850,7 @@ index 07033bb..8358a63 100644
# log files
manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,111 +467,24 @@ files_read_etc_files(xenstored_t)
+@@ -442,111 +468,24 @@ files_read_etc_files(xenstored_t)
files_read_usr_files(xenstored_t)
@@ -74762,7 +74964,7 @@ index 07033bb..8358a63 100644
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
-@@ -559,8 +497,4 @@ optional_policy(`
+@@ -559,8 +498,4 @@ optional_policy(`
fs_manage_nfs_files(xend_t)
fs_read_nfs_symlinks(xend_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6f25e5a..1750472 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 76%{?dist}
+Release: 77%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,27 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Feb 11 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-77
+- Add basic rules for pegasus_openlmi_domain
+- Add pegasus_openlmi_domain_template() interface for openlmi-*
+- Allow pppd to send signull
+- Allow tuned to execute ldconfig
+- Fix use_ecryptfs_home_dirs boolean for chrome_sandbox_t
+- Add additional fixes for ecrypts
+- Allow keystone getsched and setsched
+- ALlow nova-cert to connect to postgresql
+- Allow keystone to connect to postgresql
+- Allow glance domain to stream connect to databases
+- Allow all cups domains to getattr on filesystems
+- Fix pacemaker_use_execmem boolean
+- Allow gpg to read fips_enabled
+- FIXME: Add realmd_tmp_t until we get /var/cache/realmd
+- Add support for /var/cache/realmd
+- Add labeling for fenced_sanlock and allow sanclok transition to fenced_t
+- Allow glance domain to send a signal itself
+- Allow xend_t to request that the kernel load a kernel module
+- Add additional interface for ecryptfs
+
* Tue Feb 5 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-76
- More access required for openshift_cron_t
- Fix init_status calling