[selinux-policy/f18] - Allow bluetooth to read machine-info - Allow obex to request a kernel module - Allow mozilla_plugi
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Mar 12 13:23:08 UTC 2013
commit 2f59b96a03ca8419fa39750bad2e49a2176f278c
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Mar 12 14:21:59 2013 +0100
- Allow bluetooth to read machine-info
- Allow obex to request a kernel module
- Allow mozilla_plugins to list apache modules, for use with gxine
- Fix labels for POkemon in the users homedir
- Allow xguest to read mdstat
- Dontaudit virt_domains getattr on /dev/*
- Allow boinc domain to send signal to itself
- Add tcp/8891 as milter port
- Allow nsswitch domains to read sssd_var_lib_t files
- Allow ping to read network state.
- Fix typo
- Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them
- Add labeling for pstorefs_t
policy-f18-base.patch | 236 +++++++++++++++++++++++++++++++---------------
policy-f18-contrib.patch | 179 +++++++++++++++++++++++++----------
selinux-policy.spec | 17 +++-
3 files changed, 305 insertions(+), 127 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 36bfede..927a711 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -111050,7 +111050,7 @@ index c6ca761..0c86bfd 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index e0791b9..db9ddf7 100644
+index e0791b9..4338afb 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.11.0)
@@ -111140,7 +111140,11 @@ index e0791b9..db9ddf7 100644
domain_use_interactive_fds(ping_t)
-@@ -130,11 +136,9 @@ kernel_read_system_state(ping_t)
+@@ -127,14 +133,13 @@ files_read_etc_files(ping_t)
+ files_dontaudit_search_var(ping_t)
+
+ kernel_read_system_state(ping_t)
++kernel_read_network_state(ping_t)
auth_use_nsswitch(ping_t)
@@ -111154,7 +111158,7 @@ index e0791b9..db9ddf7 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -145,11 +149,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -145,11 +150,25 @@ ifdef(`hide_broken_symptoms',`
')
')
@@ -111180,7 +111184,7 @@ index e0791b9..db9ddf7 100644
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -157,6 +175,15 @@ optional_policy(`
+@@ -157,6 +176,15 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@@ -111196,7 +111200,7 @@ index e0791b9..db9ddf7 100644
########################################
#
# Traceroute local policy
-@@ -170,7 +197,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -170,7 +198,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
@@ -111204,7 +111208,7 @@ index e0791b9..db9ddf7 100644
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -194,6 +220,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -194,6 +221,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -111212,7 +111216,7 @@ index e0791b9..db9ddf7 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -202,11 +229,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -202,11 +230,17 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
@@ -114459,7 +114463,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index fe2ee5e..d13e61a 100644
+index fe2ee5e..94f11f1 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0)
@@ -114652,7 +114656,8 @@ index fe2ee5e..d13e61a 100644
network_port(mail, tcp,2000,s0, tcp,3905,s0)
network_port(matahari, tcp,49000,s0, udp,49000,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
- network_port(milter) # no defined portcon
+-network_port(milter) # no defined portcon
++network_port(milter, tcp, 8891, s0) # no defined portcon
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(mongod, tcp,27017,s0)
network_port(monopd, tcp,1234,s0)
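Review bot: The trailing comment on the new `++network_port(milter, tcp, 8891, s0) # no defined portcon` line is now wrong: the line defines exactly the portcon the comment says is missing, and it will mislead the next person auditing which ports are labeled. Drop the comment and use the same spacing as the neighbouring entries, e.g. `network_port(milter, tcp,8891,s0)`. If the author knows which milter listens on 8891, a short why-comment naming it would be more useful than the stale one.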
@@ -121693,7 +121698,7 @@ index 7c6b791..6ceb348 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 376bae8..9764e00 100644
+index 376bae8..1b6da2c 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -33,6 +33,8 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
@@ -121742,7 +121747,18 @@ index 376bae8..9764e00 100644
type ibmasmfs_t;
fs_type(ibmasmfs_t)
-@@ -144,11 +153,6 @@ fs_type(spufs_t)
+@@ -124,6 +133,10 @@ type oprofilefs_t;
+ fs_type(oprofilefs_t)
+ genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
+
++type pstorefs_t;
++fs_type(pstorefs_t)
++genfscon pstore / gen_context(system_u:object_r:pstorefs_t,s0)
++
+ type ramfs_t;
+ fs_type(ramfs_t)
+ files_mountpoint(ramfs_t)
+@@ -144,11 +157,6 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
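Review bot: The new `pstorefs_t` gets `fs_type()` and a `genfscon pstore /` rule, but no matching filesystem.if interface appears anywhere in this commit, so no other module can be granted access to it the usual way; unless such an interface already exists elsewhere in the patch, any domain that has to read or clear pstore records will either hit denials or need a raw `allow` on `pstorefs_t` in its own .te. Consider adding a read and a manage interface for the type next to the existing per-filesystem interfaces, named in the same style (names to be chosen by the author). pstore typically holds kernel panic/oops records, so routing access through named interfaces keeps it easy to audit which domains may read them.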
@@ -121754,7 +121770,7 @@ index 376bae8..9764e00 100644
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
-@@ -166,6 +170,8 @@ type vxfs_t;
+@@ -166,6 +174,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -121763,7 +121779,7 @@ index 376bae8..9764e00 100644
#
# tmpfs_t is the type for tmpfs filesystems
-@@ -175,6 +181,7 @@ fs_type(tmpfs_t)
+@@ -175,6 +185,7 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@@ -121771,7 +121787,7 @@ index 376bae8..9764e00 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -254,6 +261,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -254,6 +265,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -121780,7 +121796,7 @@ index 376bae8..9764e00 100644
files_mountpoint(removable_t)
#
-@@ -273,6 +282,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -273,6 +286,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -128550,7 +128566,7 @@ index b17e27a..7bf776d 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index fc86b7c..ea115aa 100644
+index fc86b7c..c65935b 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -128589,10 +128605,11 @@ index fc86b7c..ea115aa 100644
#
# /dev
-@@ -24,11 +46,18 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -24,11 +46,19 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
++/etc/X11/xorg\.conf\.d(/.*)? gen_context(system_u:object_r:xserver_etc_t,s0)
+/etc/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0)
+/etc/[mg]dm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
+/etc/[mg]dm/PostLogin(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
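Review bot: The new entry relabels `/etc/X11/xorg\.conf\.d(/.*)?` from the generic /etc type to `xserver_etc_t`, which silently removes read access from every domain that only reaches it through `files_read_etc_files`; this commit covers `xserver_t` and `systemd_timedated_t`, so any other reader of that directory will now need `xserver_read_config` or it will start producing denials. The commit message says "/etc/X11/xorg.d" while the fc line labels `xorg.conf.d`; the message should name the actual path so later readers can find the change. A one-line comment above the entry, e.g. `# Xorg config snippets; also written by systemd (see xserver_manage_config)`, would record why this directory gets its own type.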
@@ -128608,7 +128625,7 @@ index fc86b7c..ea115aa 100644
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,25 +75,28 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,25 +76,28 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /tmp
#
@@ -128643,7 +128660,7 @@ index fc86b7c..ea115aa 100644
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -90,24 +122,47 @@ ifndef(`distro_debian',`
+@@ -90,24 +123,47 @@ ifndef(`distro_debian',`
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -128698,7 +128715,7 @@ index fc86b7c..ea115aa 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..309681b 100644
+index 130ced9..f6c7a38 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -129138,7 +129155,7 @@ index 130ced9..309681b 100644
')
########################################
-@@ -724,11 +838,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +838,71 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -129169,10 +129186,50 @@ index 130ced9..309681b 100644
+
+ userdom_search_user_home_dirs($1)
+ allow $1 xdm_home_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++## Read xserver configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xserver_read_config',`
++ gen_require(`
++ type xserver_etc_t;
++ ')
++
++ files_search_etc($1)
++ read_files_pattern($1, xserver_etc_t, xserver_etc_t)
++ read_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
++')
++
++########################################
++## <summary>
++## Manage xserver configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xserver_manage_config',`
++ gen_require(`
++ type xserver_etc_t;
++ ')
++
++ files_search_etc($1)
++ manage_files_pattern($1, xserver_etc_t, xserver_etc_t)
++ manage_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
')
########################################
-@@ -752,6 +886,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -752,6 +926,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
## <summary>
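Review bot: `xserver_read_config` grants only what `read_files_pattern`/`read_lnk_files_pattern` give, which (in refpolicy) is search on the directory, not listing; a caller that has to enumerate the config snippets in `xorg.conf.d` will be denied `read` on the directory. The xserver.te side of this same commit adds `allow xserver_t xserver_etc_t:dir list_dir_perms;` by hand, which confirms the gap, so the interface should carry it too: add `allow $1 xserver_etc_t:dir list_dir_perms;` after `files_search_etc($1)` in `xserver_read_config`. `xserver_manage_config` is presumably fine because `manage_files_pattern` already grants rw directory permissions, but worth confirming against the macro definition in this tree.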
@@ -129198,7 +129255,7 @@ index 130ced9..309681b 100644
## Set the attributes of XDM temporary directories.
## </summary>
## <param name="domain">
-@@ -765,7 +918,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +958,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -129225,7 +129282,7 @@ index 130ced9..309681b 100644
')
########################################
-@@ -805,7 +976,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +1016,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -129253,7 +129310,7 @@ index 130ced9..309681b 100644
')
########################################
-@@ -828,6 +1018,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -828,6 +1058,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
## <summary>
@@ -129278,7 +129335,7 @@ index 130ced9..309681b 100644
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -897,7 +1105,26 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1145,26 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -129306,7 +129363,7 @@ index 130ced9..309681b 100644
')
########################################
-@@ -916,7 +1143,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1183,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -129315,7 +129372,7 @@ index 130ced9..309681b 100644
')
########################################
-@@ -963,6 +1190,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1230,45 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
@@ -129361,7 +129418,7 @@ index 130ced9..309681b 100644
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -976,7 +1242,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1282,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -129370,7 +129427,7 @@ index 130ced9..309681b 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1304,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1344,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
## <summary>
@@ -129413,7 +129470,7 @@ index 130ced9..309681b 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary>
-@@ -1052,7 +1354,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1394,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -129422,7 +129479,7 @@ index 130ced9..309681b 100644
')
########################################
-@@ -1070,8 +1372,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1412,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -129434,7 +129491,7 @@ index 130ced9..309681b 100644
')
########################################
-@@ -1185,6 +1489,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1529,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -129461,7 +129518,7 @@ index 130ced9..309681b 100644
')
########################################
-@@ -1210,7 +1534,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1574,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -129470,7 +129527,7 @@ index 130ced9..309681b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1220,13 +1544,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1584,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -129495,7 +129552,7 @@ index 130ced9..309681b 100644
')
########################################
-@@ -1243,10 +1577,598 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1617,598 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -130097,7 +130154,7 @@ index 130ced9..309681b 100644
+ allow $1 xdm_t:lnk_file read_lnk_file_perms;
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..b3577da 100644
+index d40f750..7e08b92 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -130276,7 +130333,7 @@ index d40f750..b3577da 100644
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
-@@ -193,14 +249,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+@@ -193,14 +249,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
init_system_domain(xserver_t, xserver_exec_t)
ubac_constrained(xserver_t)
@@ -130284,7 +130341,9 @@ index d40f750..b3577da 100644
-typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
-typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
-userdom_user_tmp_file(xserver_tmp_t)
--
++type xserver_etc_t;
++files_config_file(xserver_etc_t)
+
type xserver_tmpfs_t;
-typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
-typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
@@ -130293,7 +130352,7 @@ index d40f750..b3577da 100644
userdom_user_tmpfs_file(xserver_tmpfs_t)
type xsession_exec_t;
-@@ -229,17 +280,30 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+@@ -229,17 +283,30 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
allow xdm_t iceauth_home_t:file read_file_perms;
@@ -130332,7 +130391,7 @@ index d40f750..b3577da 100644
')
########################################
-@@ -247,45 +311,81 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,45 +314,81 @@ tunable_policy(`use_samba_home_dirs',`
# Xauth local policy
#
@@ -130424,7 +130483,7 @@ index d40f750..b3577da 100644
')
optional_policy(`
-@@ -299,64 +399,108 @@ optional_policy(`
+@@ -299,64 +402,108 @@ optional_policy(`
# XDM Local policy
#
@@ -130543,7 +130602,7 @@ index d40f750..b3577da 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +509,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +512,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -130573,7 +130632,7 @@ index d40f750..b3577da 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +539,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +542,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -130626,7 +130685,7 @@ index d40f750..b3577da 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -430,9 +591,26 @@ files_list_mnt(xdm_t)
+@@ -430,9 +594,27 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -130637,6 +130696,7 @@ index d40f750..b3577da 100644
+files_dontaudit_getattr_all_symlinks(xdm_t)
+files_dontaudit_getattr_all_tmp_sockets(xdm_t)
+files_dontaudit_all_access_check(xdm_t)
++files_dontaudit_list_non_security(xdm_t)
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
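Review bot: `files_dontaudit_list_non_security(xdm_t)` silences directory-listing denials across every non-security file type for the display manager, and the change is not mentioned in the commit message. A dontaudit this broad hides exactly the denials that would reveal a display-manager component wandering into directories it has no business in, so it should either carry a comment naming the directory that triggered it or be narrowed to that directory's type. If the listing is legitimate, an allow on the specific type is the better fix than a blanket dontaudit.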
@@ -130653,7 +130713,7 @@ index d40f750..b3577da 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +619,42 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +623,42 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -130699,7 +130759,7 @@ index d40f750..b3577da 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +663,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +667,43 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -130749,7 +130809,7 @@ index d40f750..b3577da 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +713,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +717,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -130776,7 +130836,7 @@ index d40f750..b3577da 100644
')
optional_policy(`
-@@ -514,12 +740,72 @@ optional_policy(`
+@@ -514,12 +744,72 @@ optional_policy(`
')
optional_policy(`
@@ -130849,7 +130909,7 @@ index d40f750..b3577da 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +823,78 @@ optional_policy(`
+@@ -537,28 +827,78 @@ optional_policy(`
')
optional_policy(`
@@ -130906,29 +130966,29 @@ index d40f750..b3577da 100644
optional_policy(`
- udev_read_db(xdm_t)
+ ssh_signull(xdm_t)
-+')
-+
-+optional_policy(`
-+ shutdown_domtrans(xdm_t)
')
optional_policy(`
- unconfined_domain(xdm_t)
- unconfined_domtrans(xdm_t)
-+ telepathy_exec(xdm_t)
++ shutdown_domtrans(xdm_t)
+')
- ifndef(`distro_redhat',`
- allow xdm_t self:process { execheap execmem };
- ')
+optional_policy(`
-+ udev_read_db(xdm_t)
++ telepathy_exec(xdm_t)
+')
- ifdef(`distro_rhel4',`
- allow xdm_t self:process { execheap execmem };
- ')
+optional_policy(`
++ udev_read_db(xdm_t)
++')
++
++optional_policy(`
+ unconfined_signal(xdm_t)
+')
+
@@ -130937,7 +130997,7 @@ index d40f750..b3577da 100644
')
optional_policy(`
-@@ -570,6 +906,14 @@ optional_policy(`
+@@ -570,6 +910,14 @@ optional_policy(`
')
optional_policy(`
@@ -130952,7 +131012,7 @@ index d40f750..b3577da 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +938,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +942,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -130965,7 +131025,7 @@ index d40f750..b3577da 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +955,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +959,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -130981,7 +131041,18 @@ index d40f750..b3577da 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +982,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -617,6 +975,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+
+ filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
+
++allow xserver_t xserver_etc_t:dir list_dir_perms;
++read_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t)
++read_lnk_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t)
++
+ manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+ manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+ manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+@@ -628,12 +990,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -131003,7 +131074,7 @@ index d40f750..b3577da 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1002,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1010,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -131017,7 +131088,7 @@ index d40f750..b3577da 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1028,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1036,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -131049,7 +131120,7 @@ index d40f750..b3577da 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,8 +1060,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1068,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -131063,7 +131134,7 @@ index d40f750..b3577da 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -708,20 +1079,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1087,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -131087,7 +131158,7 @@ index d40f750..b3577da 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1144,40 @@ optional_policy(`
+@@ -775,16 +1152,40 @@ optional_policy(`
')
optional_policy(`
@@ -131129,7 +131200,7 @@ index d40f750..b3577da 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1186,10 @@ optional_policy(`
+@@ -793,6 +1194,10 @@ optional_policy(`
')
optional_policy(`
@@ -131140,7 +131211,7 @@ index d40f750..b3577da 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1205,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1213,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -131154,7 +131225,7 @@ index d40f750..b3577da 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1216,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1224,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -131163,7 +131234,7 @@ index d40f750..b3577da 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1229,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1237,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -131198,7 +131269,7 @@ index d40f750..b3577da 100644
')
optional_policy(`
-@@ -859,6 +1251,10 @@ optional_policy(`
+@@ -859,6 +1259,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -131209,7 +131280,7 @@ index d40f750..b3577da 100644
########################################
#
# Rules common to all X window domains
-@@ -902,7 +1298,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1306,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -131218,7 +131289,7 @@ index d40f750..b3577da 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1352,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1360,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -131250,7 +131321,7 @@ index d40f750..b3577da 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1398,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1406,44 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -132288,7 +132359,7 @@ index f416ce9..80df5a7 100644
+')
+
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index f145ccb..499ee40 100644
+index f145ccb..1ab77d1 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.0)
@@ -132583,15 +132654,16 @@ index f145ccb..499ee40 100644
')
optional_policy(`
-@@ -456,6 +494,7 @@ optional_policy(`
+@@ -456,6 +494,8 @@ optional_policy(`
optional_policy(`
sssd_stream_connect(nsswitch_domain)
+ sssd_read_public_files(nsswitch_domain)
++ sssd_read_lib_files(nsswitch_domain)
')
optional_policy(`
-@@ -463,3 +502,132 @@ optional_policy(`
+@@ -463,3 +503,132 @@ optional_policy(`
samba_read_var_files(nsswitch_domain)
samba_dontaudit_write_var_files(nsswitch_domain)
')
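Review bot: `sssd_read_lib_files(nsswitch_domain)` grants every nsswitch-using domain read on all of `sssd_var_lib_t`, which is much broader than the `sssd_read_public_files` it sits next to. If, as I believe, the sssd cache databases under /var/lib/sss/db share that label, this exposes cached credential data to every process that resolves names; the memory-cache files that nss_sss actually needs would be better served by a dedicated type for that subdirectory. At minimum the line deserves a comment stating which files under /var/lib/sss the clients need, so the grant can be narrowed later.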
@@ -143041,10 +143113,10 @@ index 0000000..63dba69
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..957dd67
+index 0000000..b221824
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,653 @@
+@@ -0,0 +1,661 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -143577,6 +143649,10 @@ index 0000000..957dd67
+ dbus_connect_system_bus(systemd_hostnamed_t)
+')
+
++optional_policy(`
++ unconfined_domain(systemd_hostnamed_t)
++')
++
+#######################################
+#
+# Timedated policy
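Review bot: `unconfined_domain(systemd_hostnamed_t)` removes the confinement the rest of this new systemd.te builds up for hostnamed, and the commit message does not mention it. hostnamed is reachable over the system bus (the context line `dbus_connect_system_bus(systemd_hostnamed_t)` above confirms that), so an unconfined domain turns any bug in it into an unconfined-root foothold for whoever can talk to it. If this is a stop-gap for denials, the denials should be turned into targeted rules; otherwise the block should at least carry a comment with the reason and a tracking reference. The hostnamed policy section this block belongs to begins outside the hunk.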
@@ -143659,6 +143735,10 @@ index 0000000..957dd67
+ policykit_read_reload(systemd_timedated_t)
+')
+
++optional_policy(`
++ xserver_manage_config(systemd_timedated_t)
++')
++
+########################################
+#
+# systemd_sysctl domains local policy
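Review bot: `xserver_manage_config(systemd_timedated_t)` grants create/delete/rename over everything labeled `xserver_etc_t`, with no comment saying which file the daemon writes. The daemon that writes `/etc/X11/xorg.conf.d/00-keyboard.conf` is systemd-localed, not timedated; if Fedora's systemd.fc labels both binaries with the timedated domain this is intended, but then a comment such as `# systemd-localed (same domain) writes xorg.conf.d/00-keyboard.conf` should say so. If only one file is written, a file-transition plus a narrower type for it would be tighter than manage on the whole directory.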
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index e35d55d..d689a2a 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -6616,7 +6616,7 @@ index 3e45431..758bd64 100644
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
')
diff --git a/bluetooth.te b/bluetooth.te
-index d3019b3..aed14bb 100644
+index d3019b3..9064d96 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.4.0)
@@ -6668,18 +6668,21 @@ index d3019b3..aed14bb 100644
miscfiles_read_fonts(bluetooth_t)
miscfiles_read_hwdata(bluetooth_t)
-@@ -144,6 +145,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
+@@ -143,6 +144,13 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+ userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
- optional_policy(`
++# machine-info
++systemd_hostnamed_read_config(bluetooth_t)
++
++optional_policy(`
+ devicekit_dbus_chat_power(bluetooth_t)
+')
+
-+optional_policy(`
+ optional_policy(`
dbus_system_bus_client(bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
-
-@@ -212,17 +217,16 @@ corecmd_exec_shell(bluetooth_helper_t)
+@@ -212,17 +220,16 @@ corecmd_exec_shell(bluetooth_helper_t)
domain_read_all_domains_state(bluetooth_helper_t)
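Review bot: The comment `# machine-info` above `systemd_hostnamed_read_config(bluetooth_t)` names a file but not the reason, which is what a later reader auditing bluetoothd's reach into hostnamed's config will want. Something like `# bluetoothd reads /etc/machine-info (hostnamed config type), presumably for the pretty hostname` would do, with the purpose confirmed by the author. The enclosing bluetooth_t section begins outside the hunk.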
@@ -6931,10 +6934,10 @@ index 0000000..fbcef10
+')
diff --git a/boinc.te b/boinc.te
new file mode 100644
-index 0000000..a88fbf8
+index 0000000..23abf6f
--- /dev/null
+++ b/boinc.te
-@@ -0,0 +1,200 @@
+@@ -0,0 +1,201 @@
+policy_module(boinc, 1.0.0)
+
+########################################
@@ -6982,6 +6985,7 @@ index 0000000..a88fbf8
+#
+
+allow boinc_domain self:fifo_file rw_fifo_file_perms;
++allow boinc_domain self:process signal;
+allow boinc_domain self:sem create_sem_perms;
+allow boinc_domain self:process execmem;
+
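Review bot: The new `++allow boinc_domain self:process signal;` is placed two lines above the existing `+allow boinc_domain self:process execmem;`, splitting one class/target pair across two rules. Merge them into a single `allow boinc_domain self:process { execmem signal };` so the domain's self:process permissions can be read in one place.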
@@ -21050,6 +21054,20 @@ index b6ac808..6235eb0 100644
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
userdom_dontaudit_search_user_home_dirs(entropyd_t)
+diff --git a/evolution.fc b/evolution.fc
+index c011277..2dd31e5 100644
+--- a/evolution.fc
++++ b/evolution.fc
+@@ -1,6 +1,6 @@
+-#
+-# HOME_DIR/
+-#
++HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
++HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
++HOME_DIR/\.cache/evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+
+ HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+ HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
diff --git a/evolution.te b/evolution.te
index 73cb712..2c6f3bc 100644
--- a/evolution.te
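Review bot: Two of the three lines the nested hunk adds to evolution.fc, `HOME_DIR/\.camel_certs(/.*)?` and `HOME_DIR/\.evolution(/.*)?`, duplicate the entries that the context lines show are already present three lines below, so the patched file will carry the same file context twice. Only `HOME_DIR/\.cache/evolution(/.*)?` is new; replace the three-line addition with that single line and keep the removal of the comment header if it is unwanted. The nested hunk's line counts will need adjusting accordingly.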
@@ -24347,12 +24365,13 @@ index 0000000..63aa5b0
+ files_manage_non_security_files(glusterd_t)
+')
diff --git a/gnome.fc b/gnome.fc
-index 00a19e3..52e5a3a 100644
+index 00a19e3..5818f74 100644
--- a/gnome.fc
+++ b/gnome.fc
-@@ -1,9 +1,57 @@
+@@ -1,9 +1,58 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
++HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
@@ -24411,7 +24430,7 @@ index 00a19e3..52e5a3a 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index f5afe78..f73c152 100644
+index f5afe78..7c84b94 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,44 +1,1067 @@
@@ -25763,7 +25782,7 @@ index f5afe78..f73c152 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +1306,280 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1306,281 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
@@ -25976,6 +25995,7 @@ index f5afe78..f73c152 100644
+ filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
+ filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig")
+ userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
++ gnome_cache_filetrans($1, config_home_t, dir, "dconf")
+ gnome_filetrans_gstreamer_home_content($1)
+')
+
@@ -35426,14 +35446,16 @@ index 6647a35..f3b35e1 100644
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/mozilla.fc b/mozilla.fc
-index 3a73e74..751640c 100644
+index 3a73e74..fe0815d 100644
--- a/mozilla.fc
+++ b/mozilla.fc
-@@ -2,8 +2,21 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0
+@@ -2,8 +2,23 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.cache\mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/POkemon.*(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
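Review bot: `HOME_DIR/\.cache\mozilla(/.*)?` has a backslash where the path separator should be, so it is either an invalid escape or a match on a literal `m` depending on the regex engine, and in neither case labels `~/.cache/mozilla`; the intended form, matching the evolution entry `HOME_DIR/\.cache/evolution(/.*)?` and the `gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")` added in mozilla.if, is `HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)`. The `HOME_DIR/POkemon.*(/.*)?` entry labels everything under the home directory whose name starts with `POkemon`; the trailing `(/.*)?` is redundant after `.*`. Since the matching filetrans in mozilla.if is left commented out, that label is only applied on relabel, not when the directory is created, which is worth a comment next to the entry.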
@@ -35451,7 +35473,7 @@ index 3a73e74..751640c 100644
#
# /bin
-@@ -16,6 +29,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+@@ -16,6 +31,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
@@ -35464,7 +35486,7 @@ index 3a73e74..751640c 100644
ifdef(`distro_debian',`
/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
')
-@@ -23,11 +42,20 @@ ifdef(`distro_debian',`
+@@ -23,11 +44,20 @@ ifdef(`distro_debian',`
#
# /lib
#
@@ -35492,7 +35514,7 @@ index 3a73e74..751640c 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index b397fde..a566425 100644
+index b397fde..aaf4cdf 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -18,10 +18,11 @@
@@ -35642,7 +35664,7 @@ index b397fde..a566425 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -275,28 +361,121 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -275,28 +361,123 @@ interface(`mozilla_rw_tcp_sockets',`
## </summary>
## </param>
#
@@ -35768,11 +35790,13 @@ index b397fde..a566425 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
++ #userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "POkemon Advanced Adventure")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
++ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
+')
+
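Review bot: The commented-out `#userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "POkemon Advanced Adventure")` is left in the interface body with no reason given; either drop it or attach a one-line explanation such as `# disabled: <reason> — TODO confirm` so the next reader knows whether it is pending or abandoned. Separately, `gnome_cache_filetrans(...)` is now called directly from an interface here and again in thumb.if further down; an .if body cannot be wrapped in optional_policy, so mozilla and thumb acquire a hard build-time dependency on the gnome module (its gen_require types must exist). If that dependency is intended, it deserves a sentence in the interface's description. The enclosing interface starts outside this hunk.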
diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..b788245 100644
+index d4fcb75..4c03ada 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -36118,8 +36142,7 @@ index d4fcb75..b788245 100644
-tunable_policy(`allow_execmem',`
- allow mozilla_plugin_t self:process { execmem execstack };
-')
-+userdom_home_manager(mozilla_plugin_t)
-
+-
-tunable_policy(`allow_execstack',`
- allow mozilla_plugin_t self:process { execstack };
-')
@@ -36129,7 +36152,8 @@ index d4fcb75..b788245 100644
- fs_manage_nfs_files(mozilla_plugin_t)
- fs_manage_nfs_symlinks(mozilla_plugin_t)
-')
--
++userdom_home_manager(mozilla_plugin_t)
+
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_plugin_t)
- fs_manage_cifs_files(mozilla_plugin_t)
@@ -36139,8 +36163,14 @@ index d4fcb75..b788245 100644
')
optional_policy(`
-@@ -422,24 +487,39 @@ optional_policy(`
+@@ -420,26 +485,45 @@ optional_policy(`
+ ')
+
optional_policy(`
++ apache_list_modules(mozilla_plugin_t)
++')
++
++optional_policy(`
dbus_system_bus_client(mozilla_plugin_t)
dbus_session_bus_client(mozilla_plugin_t)
+ dbus_connect_session_bus(mozilla_plugin_t)
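Review bot: The new `optional_policy` block granting `apache_list_modules(mozilla_plugin_t)` carries no comment, and the only justification is in the changelog ("for use with gxine"). Policy readers rarely have the changelog at hand, so the reason belongs next to the rule: `# gxine plugin needs to list the httpd modules directory (per changelog)`. The enclosing block structure continues outside this hunk.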
@@ -36183,7 +36213,7 @@ index d4fcb75..b788245 100644
')
optional_policy(`
-@@ -447,10 +527,121 @@ optional_policy(`
+@@ -447,10 +531,121 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -43224,10 +43254,10 @@ index 0000000..d3b9544
+')
diff --git a/obex.te b/obex.te
new file mode 100644
-index 0000000..e9f259e
+index 0000000..1100023
--- /dev/null
+++ b/obex.te
-@@ -0,0 +1,37 @@
+@@ -0,0 +1,38 @@
+policy_module(obex,1.0.0)
+
+########################################
@@ -43248,13 +43278,14 @@ index 0000000..e9f259e
+allow obex_t self:fifo_file rw_fifo_file_perms;
+allow obex_t self:socket create_stream_socket_perms;
+
++kernel_request_load_module(obex_t)
++
+dev_read_urand(obex_t)
+
+files_read_etc_files(obex_t)
+
+logging_send_syslog_msg(obex_t)
+
-+
+userdom_search_user_home_content(obex_t)
+
+optional_policy(`
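Review bot: `kernel_request_load_module(obex_t)` grants system:module_request, which is not scoped to a particular module — once allowed, any request_module() the daemon triggers is permitted — and the hunk gives no hint of what obexd actually needs loaded. A why-comment would let a later reviewer judge whether the allow is still warranted, e.g. `# obexd triggers a kernel module autoload request — TODO: note which module (presumably a bluetooth socket protocol)`. The blank-line removal further down is cosmetic.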
@@ -44538,10 +44569,10 @@ index 0000000..6e20e72
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..901198d
+index 0000000..4a02808
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,482 @@
+@@ -0,0 +1,527 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -44880,12 +44911,57 @@ index 0000000..901198d
+
+allow openshift_user_domain openshift_domain:process ptrace;
+
++mta_signal_user_agent(openshift_user_domain)
++
+optional_policy(`
+ ssh_rw_tcp_sockets(openshift_user_domain)
+')
+
+############################################################################
+#
++# Rules specific to openshift_net_domains
++#
++allow openshift_net_domain openshift_port_t:tcp_socket { name_connect name_bind };
++allow openshift_net_domain openshift_port_t:udp_socket name_bind;
++
++corenet_tcp_connect_mssql_port(openshift_net_domain)
++corenet_tcp_connect_mysqld_port(openshift_net_domain)
++corenet_tcp_connect_postgresql_port(openshift_net_domain)
++corenet_tcp_connect_git_port(openshift_net_domain)
++corenet_tcp_connect_oracle_port(openshift_net_domain)
++corenet_tcp_connect_flash_port(openshift_net_domain)
++corenet_tcp_connect_http_port(openshift_net_domain)
++corenet_tcp_connect_ftp_port(openshift_net_domain)
++#/* These ports are the ephemeral ports needed for ftp */
++corenet_tcp_connect_virt_migration_port(openshift_net_domain)
++corenet_tcp_connect_ssh_port(openshift_net_domain)
++corenet_tcp_connect_jacorb_port(openshift_net_domain)
++corenet_tcp_connect_jboss_management_port(openshift_net_domain)
++corenet_tcp_connect_jboss_debug_port(openshift_net_domain)
++corenet_tcp_connect_jboss_messaging_port(openshift_net_domain)
++corenet_tcp_connect_memcache_port(openshift_net_domain)
++corenet_tcp_connect_http_cache_port(openshift_net_domain)
++corenet_tcp_connect_amqp_port(openshift_net_domain)
++corenet_tcp_connect_generic_port(openshift_net_domain)
++corenet_tcp_connect_mongod_port(openshift_net_domain)
++corenet_tcp_connect_munin_port(openshift_net_domain)
++corenet_tcp_connect_pop_port(openshift_net_domain)
++corenet_tcp_connect_pulseaudio_port(openshift_net_domain)
++corenet_tcp_connect_smtp_port(openshift_net_domain)
++corenet_tcp_connect_whois_port(openshift_net_domain)
++corenet_udp_bind_generic_port(openshift_net_domain)
++corenet_tcp_bind_http_cache_port(openshift_domain)
++corenet_tcp_bind_jacorb_port(openshift_net_domain)
++corenet_tcp_bind_jboss_management_port(openshift_net_domain)
++corenet_tcp_bind_jboss_messaging_port(openshift_net_domain)
++corenet_tcp_bind_jboss_debug_port(openshift_net_domain)
++corenet_tcp_bind_mongod_port(openshift_net_domain)
++corenet_tcp_bind_mysqld_port(openshift_domain)
++corenet_tcp_bind_pulseaudio_port(openshift_net_domain)
++corenet_tcp_bind_postgresql_port(openshift_net_domain)
++
++############################################################################
++#
+# Rules specific to openshift and openshift_app_t
+#
+
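Review bot: Two rules in the new section headed "Rules specific to openshift_net_domains" take `openshift_domain` rather than `openshift_net_domain`: `corenet_tcp_bind_http_cache_port(openshift_domain)` and `corenet_tcp_bind_mysqld_port(openshift_domain)`. That reads like a copy-paste slip; if it is deliberate, every openshift domain (not only those with the net attribute) may bind those two ports, which should be said in a comment because it cuts across the section's stated scope. The comment `#/* These ports are the ephemeral ports needed for ftp */` sits after the ftp line and immediately before `corenet_tcp_connect_virt_migration_port`, so it is unclear which rule it describes, and the C-style `/* */` inside a `#` comment is out of place in a .te file — `# ephemeral port range needed by ftp (see the ftp connect rule above)` placed where it belongs would be clearer. The `mta_signal_user_agent(openshift_user_domain)` line at the top of the hunk is also unexplained.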
@@ -51589,7 +51665,7 @@ index 93ec175..e6605c1 100644
+ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
+')
diff --git a/prelink.te b/prelink.te
-index af55369..9f1d1b5 100644
+index af55369..8a4d719 100644
--- a/prelink.te
+++ b/prelink.te
@@ -18,6 +18,7 @@ type prelink_cron_system_t;
@@ -51682,7 +51758,7 @@ index af55369..9f1d1b5 100644
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -144,21 +166,38 @@ optional_policy(`
+@@ -144,21 +166,39 @@ optional_policy(`
corecmd_exec_bin(prelink_cron_system_t)
corecmd_exec_shell(prelink_cron_system_t)
@@ -51692,11 +51768,12 @@ index af55369..9f1d1b5 100644
files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
files_read_etc_files(prelink_cron_system_t)
files_search_var_lib(prelink_cron_system_t)
-
++ files_dontaudit_list_non_security(prelink_cron_system_t)
++
+ fs_search_cgroup_dirs(prelink_cron_system_t)
+
+ auth_use_nsswitch(prelink_cron_system_t)
-+
+
+ init_telinit(prelink_cron_system_t)
init_exec(prelink_cron_system_t)
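Review bot: `files_dontaudit_list_non_security(prelink_cron_system_t)` silences directory-listing denials on every non-security file type, so if prelink's cron job later genuinely needs one of those directories the failure is hidden rather than surfaced. A comment naming the listing it is meant to quiet would preserve that distinction, e.g. `# noise from walking the filesystem; not needed for prelink to function — TODO confirm`. The blank-line shuffle around it is cosmetic.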
@@ -69609,10 +69686,10 @@ index 0000000..601aea3
+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
diff --git a/thumb.if b/thumb.if
new file mode 100644
-index 0000000..5fc93a3
+index 0000000..c5e890b
--- /dev/null
+++ b/thumb.if
-@@ -0,0 +1,128 @@
+@@ -0,0 +1,129 @@
+
+## <summary>policy for thumb</summary>
+
@@ -69740,6 +69817,7 @@ index 0000000..5fc93a3
+
+ userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
+ userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
++ gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails")
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
@@ -72333,7 +72411,7 @@ index 2124b6a..014e40c 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 6f0736b..2fbc418 100644
+index 6f0736b..b83424b 100644
--- a/virt.if
+++ b/virt.if
@@ -13,67 +13,30 @@
@@ -72767,7 +72845,7 @@ index 6f0736b..2fbc418 100644
')
########################################
-@@ -468,20 +636,93 @@ interface(`virt_manage_images',`
+@@ -468,20 +636,94 @@ interface(`virt_manage_images',`
manage_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
rw_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -72863,13 +72941,14 @@ index 6f0736b..2fbc418 100644
+
+ files_search_pids($1)
+ stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain)
++ ps_process_pattern(svirt_lxc_domain, $1)
')
+
########################################
## <summary>
## All of the rules required to administrate
-@@ -502,10 +743,20 @@ interface(`virt_manage_images',`
+@@ -502,10 +744,20 @@ interface(`virt_manage_images',`
interface(`virt_admin',`
gen_require(`
type virtd_t, virtd_initrc_exec_t;
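Review bot: `ps_process_pattern(svirt_lxc_domain, $1)` is granted in the opposite direction from the lines above it: `files_search_pids($1)` and `stream_connect_pattern($1, ...)` let the caller reach the container socket, whereas the new line lets every svirt_lxc_domain read the caller's /proc/PID state. A domain that calls this interface to connect to a container thereby exposes its own process information to all containers, which is a meaningful widening for an interface whose name and header lie outside this hunk. If that is intended, the interface `<desc>` and the `$1` parameter summary should say so; if the intent was the caller inspecting the containers, the line would be `ps_process_pattern($1, svirt_lxc_domain)`.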
@@ -72891,7 +72970,7 @@ index 6f0736b..2fbc418 100644
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -517,4 +768,305 @@ interface(`virt_admin',`
+@@ -517,4 +769,306 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@@ -73194,11 +73273,12 @@ index 6f0736b..2fbc418 100644
+
+ allow $1 svirt_lxc_domain:process transition;
+ role $2 types svirt_lxc_domain;
++ allow $1 svirt_lxc_domain:unix_dgram_socket sendto;
+
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..4c3ba2d 100644
+index 947bbc6..3708791 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,97 @@ policy_module(virt, 1.5.0)
@@ -73797,7 +73877,7 @@ index 947bbc6..4c3ba2d 100644
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
xen_read_image_files(virtd_t)
-@@ -402,35 +578,86 @@ optional_policy(`
+@@ -402,35 +578,87 @@ optional_policy(`
#
# virtual domains common policy
#
@@ -73889,11 +73969,12 @@ index 947bbc6..4c3ba2d 100644
+dev_list_sysfs(virt_domain)
+dev_getattr_fs(virt_domain)
++dev_dontaudit_getattr_all(virt_domain)
+dev_read_generic_symlinks(virt_domain)
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -438,34 +665,646 @@ dev_write_sound(virt_domain)
+@@ -438,34 +666,647 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
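Review bot: `dev_dontaudit_getattr_all(virt_domain)` hides getattr denials on every device node for all virt_domains, with nothing in the hunk saying what generates them. For a guest-facing domain that audit record is also a detection signal — a qemu process stat'ing device nodes it has no business with is precisely what one would want in the log — so the dontaudit is better narrowed to the device types that actually produce noise, or at least annotated: `# TODO: identify what enumerates /dev at startup and narrow this to those device types`. The enclosing virt_domain rule block continues outside this hunk.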
@@ -74019,8 +74100,8 @@ index 947bbc6..4c3ba2d 100644
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
+
-+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_chroot sys_nice sys_tty_config };
-+allow virsh_t self:process { getcap getsched setsched setcap signal };
++allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
++allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
+allow virsh_t self:fifo_file rw_fifo_file_perms;
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
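Review bot: virsh_t gains `sys_admin` in its capability set and `setexec` in its process permissions here, and neither change is mentioned in the commit message or explained in the policy. `sys_admin` is the broadest capability available and `setexec` lets virsh pick the security context of what it executes, so each deserves a one-line reason beside it, e.g. `# sys_admin/setexec: needed for <operation> — TODO confirm and see whether a narrower permission suffices`. If only one virsh sub-command needs them, stating which one would let a later maintainer revisit the grant.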
@@ -74354,6 +74435,7 @@ index 947bbc6..4c3ba2d 100644
+
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
+miscfiles_read_fonts(svirt_lxc_domain)
++miscfiles_read_hwdata(svirt_lxc_domain)
+
+optional_policy(`
+ apache_exec_modules(svirt_lxc_domain)
@@ -76119,7 +76201,7 @@ index 11c1b12..fc5d128 100644
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
diff --git a/xguest.te b/xguest.te
-index e88b95f..c0a8979 100644
+index e88b95f..e733ae5 100644
--- a/xguest.te
+++ b/xguest.te
@@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true)
@@ -76151,7 +76233,7 @@ index e88b95f..c0a8979 100644
fs_manage_noxattr_fs_files(xguest_t)
fs_manage_noxattr_fs_dirs(xguest_t)
# Write floppies
-@@ -49,11 +53,22 @@ ifndef(`enable_mls',`
+@@ -49,11 +53,23 @@ ifndef(`enable_mls',`
')
')
@@ -76161,6 +76243,7 @@ index e88b95f..c0a8979 100644
+')
+
+kernel_dontaudit_request_load_module(xguest_t)
++kernel_read_software_raid_state(xguest_t)
+
+tunable_policy(`selinuxuser_execstack',`
+ allow xguest_t self:process execstack;
@@ -76175,7 +76258,7 @@ index e88b95f..c0a8979 100644
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
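Review bot: `kernel_read_software_raid_state(xguest_t)` gives the locked-down guest login read access to the software RAID state (the changelog says "read mdstat") without naming the program that needs it. Since xguest is meant to be the most restricted login, each widening should identify its consumer so it can be re-evaluated, e.g. `# <desktop tool> reads /proc/mdstat — TODO name it`. The surrounding xguest_t rules continue outside this hunk.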
-@@ -62,10 +77,9 @@ optional_policy(`
+@@ -62,10 +78,9 @@ optional_policy(`
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
@@ -76187,7 +76270,7 @@ index e88b95f..c0a8979 100644
')
')
-@@ -76,23 +90,105 @@ optional_policy(`
+@@ -76,23 +91,105 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ab902e0..d18f4fc 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 84%{?dist}
+Release: 85%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,21 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Mar 12 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-85
+- Allow bluetooth to read machine-info
+- Allow obex to request a kernel module
+- Allow mozilla_plugins to list apache modules, for use with gxine
+- Fix labels for POkemon in the users homedir
+- Allow xguest to read mdstat
+- Dontaudit virt_domains getattr on /dev/*
+- Allow boinc domain to send signal to itself
+- Add tcp/8891 as milter port
+- Allow nsswitch domains to read sssd_var_lib_t files
+- Allow ping to read network state.
+- Fix typo
+- Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them
+- Add labeling for pstorefs_t
+
* Fri Mar 8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-84
- Make systemd_hostnamed_t as unconfined domain in F18
- Call rhcs_manage_cluster_pid_files() instead of rgmanger_manage_pid_files() interface