[selinux-policy/f19] - Fix mozilla specification of homedir content - Allow certmonger to read network state - Allow tmpw
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Apr 18 12:59:20 UTC 2013
commit 3ce9159d60fc2081308158d1ca6e49793c95bc31
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Apr 18 14:59:02 2013 +0200
- Fix mozilla specification of homedir content
- Allow certmonger to read network state
- Allow tmpwatch to read tmp in /var/spool/{cups,lpd}
- Label all nagios plugins as unconfined by default
- Add httpd_serve_cobbler_files()
- Allow mdadm to read /dev/sr0 and create tmp files
- Allow certwatch to send mails
- Fix labeling for nagios plugins
- Label shared libraries in /opt/google/chrome as textrel_shlib_t
policy-rawhide-base.patch | 27 ++-
policy-rawhide-contrib.patch | 556 ++++++++++++++++++++++++------------------
selinux-policy.spec | 13 +-
3 files changed, 347 insertions(+), 249 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index a403f1c..574a67c 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3021,7 +3021,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..d2dbf35 100644
+index 644d4d7..4debbf2 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -3179,7 +3179,7 @@ index 644d4d7..d2dbf35 100644
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -215,18 +246,28 @@ ifdef(`distro_gentoo',`
+@@ -215,18 +246,30 @@ ifdef(`distro_gentoo',`
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -3189,7 +3189,9 @@ index 644d4d7..d2dbf35 100644
-/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nagios/plugins/urlize -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
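Review bot: Replacing the directory-wide `/usr/lib/nagios/plugins(/.*)?` bin_t entry with only negate, urlize and utils.sh leaves every other file under that directory without a base-policy label, so correctness now rests on the contrib patch labeling the remaining plugins (per the commit message, as the unconfined plugin type), which should be confirmed before this lands. The three new entries carry the `--` qualifier, so a same-named symlink or directory would not match them; if that is intended, a one-line comment above the block such as `# remaining nagios plugins are labeled by the contrib nagios module` would save the next reader the search. Labeling the rest unconfined, as the message describes, removes confinement from whatever nagios executes, so any plugin that processes remote input is a candidate for the bin_t treatment these three get. The enclosing fc file continues outside the hunk.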
@@ -3215,7 +3217,7 @@ index 644d4d7..d2dbf35 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -241,10 +282,15 @@ ifdef(`distro_gentoo',`
+@@ -241,10 +284,15 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -3231,7 +3233,7 @@ index 644d4d7..d2dbf35 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -257,10 +303,17 @@ ifdef(`distro_gentoo',`
+@@ -257,10 +305,17 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -3252,7 +3254,7 @@ index 644d4d7..d2dbf35 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -276,10 +329,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +331,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -3268,7 +3270,7 @@ index 644d4d7..d2dbf35 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +352,22 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +354,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -3293,7 +3295,7 @@ index 644d4d7..d2dbf35 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -321,20 +385,27 @@ ifdef(`distro_redhat', `
+@@ -321,20 +387,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -3322,7 +3324,7 @@ index 644d4d7..d2dbf35 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +454,15 @@ ifdef(`distro_suse', `
+@@ -383,11 +456,15 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -3339,7 +3341,7 @@ index 644d4d7..d2dbf35 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +472,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +474,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -30065,7 +30067,7 @@ index 5dfa44b..aa4d8fc 100644
optional_policy(`
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..aadfba0 100644
+index 73bb3c0..46439b4 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@@ -30227,7 +30229,7 @@ index 73bb3c0..aadfba0 100644
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -299,17 +310,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -299,17 +310,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@@ -30383,6 +30385,7 @@ index 73bb3c0..aadfba0 100644
+/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/chrome/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
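Review bot: The new `/opt/google/chrome/.*\.so` entry has no `--` file-type qualifier and no versioned-suffix form, unlike the neighboring `/opt/lgtonmc/bin/.*\.so(\.[0-9])? --` line, so it also matches directories and symlinks whose names end in .so. Since textrel_shlib_t is the type that exempts a library from the text-relocation restriction, the pattern should be as narrow as possible: `/opt/google/chrome/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)`, with `(\.[0-9])?` added only if Chrome actually ships versioned sonames. A short comment naming which Chrome library needs the exemption would document why the whole tree is covered. The enclosing fc file continues outside the hunk.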
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 366b5d3..e1e56d7 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -4426,10 +4426,10 @@ index 83e899c..c0ece1b 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..25bd127 100644
+index 1a82e29..c2a14a5 100644
--- a/apache.te
+++ b/apache.te
-@@ -1,297 +1,353 @@
+@@ -1,297 +1,360 @@
-policy_module(apache, 2.6.10)
+policy_module(apache, 2.4.0)
+
@@ -4544,11 +4544,11 @@ index 1a82e29..25bd127 100644
-## connect to databases over the network.
-## </p>
+## <p>
-+## Allow HTTPD to connect to port 80 for graceful shutdown
++## Allow HTTPD scripts and modules to server cobbler files.
+## </p>
## </desc>
-gen_tunable(httpd_can_network_connect_db, false)
-+gen_tunable(httpd_graceful_shutdown, false)
++gen_tunable(httpd_serve_cobbler_files, false)
## <desc>
-## <p>
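Review bot: The description of the new tunable reads `## Allow HTTPD scripts and modules to server cobbler files.`, where "server" should be "serve"; this text is what boolean-listing tools display to administrators, so it should read `## Allow HTTPD scripts and modules to serve cobbler files.`. The description also undersells the effect: elsewhere in this commit the boolean's true branch calls cobbler_manage_lib_files(httpd_t), i.e. write access, so wording such as `## Allow HTTPD scripts and modules to read and write cobbler content (cobbler_var_lib_t).` would tell the administrator what enabling it really grants. The surrounding tunable declarations continue outside the hunk.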
@@ -4556,11 +4556,11 @@ index 1a82e29..25bd127 100644
-## ldap over the network.
-## </p>
+## <p>
-+## Allow HTTPD scripts and modules to connect to databases over the network.
++## Allow HTTPD to connect to port 80 for graceful shutdown
+## </p>
## </desc>
-gen_tunable(httpd_can_network_connect_ldap, false)
-+gen_tunable(httpd_can_network_connect_db, false)
++gen_tunable(httpd_graceful_shutdown, false)
## <desc>
-## <p>
@@ -4568,17 +4568,24 @@ index 1a82e29..25bd127 100644
-## to memcache server over the network.
-## </p>
+## <p>
-+## Allow httpd to connect to memcache server
++## Allow HTTPD scripts and modules to connect to databases over the network.
+## </p>
## </desc>
-gen_tunable(httpd_can_network_connect_memcache, false)
-+gen_tunable(httpd_can_network_memcache, false)
++gen_tunable(httpd_can_network_connect_db, false)
## <desc>
-## <p>
-## Determine whether httpd can act as a relay.
-## </p>
+## <p>
++## Allow httpd to connect to memcache server
++## </p>
++## </desc>
++gen_tunable(httpd_can_network_memcache, false)
++
++## <desc>
++## <p>
+## Allow httpd to act as a relay
+## </p>
## </desc>
@@ -4932,7 +4939,7 @@ index 1a82e29..25bd127 100644
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -299,10 +355,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -299,10 +362,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
@@ -4945,7 +4952,7 @@ index 1a82e29..25bd127 100644
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -311,9 +365,19 @@ role system_r types httpd_suexec_t;
+@@ -311,9 +372,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
@@ -4967,7 +4974,7 @@ index 1a82e29..25bd127 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -323,12 +387,19 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -323,12 +394,19 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -4987,7 +4994,7 @@ index 1a82e29..25bd127 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -343,33 +414,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -343,33 +421,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
@@ -5038,7 +5045,7 @@ index 1a82e29..25bd127 100644
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
-@@ -378,28 +456,36 @@ allow httpd_t self:shm create_shm_perms;
+@@ -378,28 +463,36 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
@@ -5080,7 +5087,7 @@ index 1a82e29..25bd127 100644
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -407,6 +493,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -407,6 +500,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -5089,7 +5096,7 @@ index 1a82e29..25bd127 100644
allow httpd_t httpd_rotatelogs_t:process signal_perms;
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-@@ -415,6 +503,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+@@ -415,6 +510,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@@ -5100,7 +5107,7 @@ index 1a82e29..25bd127 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +537,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +544,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -5328,7 +5335,7 @@ index 1a82e29..25bd127 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +703,46 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +710,46 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5384,7 +5391,7 @@ index 1a82e29..25bd127 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +751,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +758,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5469,7 +5476,7 @@ index 1a82e29..25bd127 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +792,29 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +799,42 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5512,18 +5519,27 @@ index 1a82e29..25bd127 100644
- fs_manage_fusefs_files(httpd_t)
- fs_read_fusefs_symlinks(httpd_t)
-')
--
+
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
- fs_exec_fusefs_files(httpd_t)
-')
--
++optional_policy(`
++ cobbler_list_config(httpd_t)
++ cobbler_read_config(httpd_t)
+
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_nfs_dirs(httpd_t)
- fs_manage_nfs_files(httpd_t)
- fs_manage_nfs_symlinks(httpd_t)
--')
--
++ tunable_policy(`httpd_serve_cobbler_files',`
++ cobbler_manage_lib_files(httpd_t)
++',`
++ cobbler_read_lib_files(httpd_t)
++ cobbler_search_lib(httpd_t)
++ ')
+ ')
+
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_t)
+optional_policy(`
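Review bot: The true branch of the `httpd_serve_cobbler_files` tunable_policy grants `cobbler_manage_lib_files(httpd_t)`, which by its name gives the web server create, write and delete access over cobbler_var_lib_t; this commit's cobbler.fc hunk shows that type also covering /var/cache/cobbler and /var/lib/tftpboot/etc, so with the boolean on a compromised httpd could alter files cobbler hands to PXE clients. That is a defensible opt-in, but it belongs in the boolean's description and the default must stay false. Separately, `cobbler_search_lib(httpd_t)` appears only in the else branch; unless cobbler_manage_lib_files already includes directory search on the parent (not visible here), move it above the tunable_policy so both branches can traverse the directory. The optional_policy block is complete within the hunk.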
@@ -5535,22 +5551,22 @@ index 1a82e29..25bd127 100644
')
optional_policy(`
-@@ -744,12 +826,10 @@ optional_policy(`
+@@ -743,14 +845,6 @@ optional_policy(`
+ ccs_read_config(httpd_t)
')
- optional_policy(`
+-optional_policy(`
- clamav_domtrans_clamscan(httpd_t)
-')
-
-optional_policy(`
-+ cobbler_list_config(httpd_t)
- cobbler_read_config(httpd_t)
- cobbler_read_lib_files(httpd_t)
-+ cobbler_search_lib(httpd_t)
- ')
+- cobbler_read_config(httpd_t)
+- cobbler_read_lib_files(httpd_t)
+-')
optional_policy(`
-@@ -765,6 +845,23 @@ optional_policy(`
+ cron_system_entry(httpd_t, httpd_exec_t)
+@@ -765,6 +859,23 @@ optional_policy(`
')
optional_policy(`
@@ -5574,7 +5590,7 @@ index 1a82e29..25bd127 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +878,42 @@ optional_policy(`
+@@ -781,34 +892,42 @@ optional_policy(`
')
optional_policy(`
@@ -5628,7 +5644,7 @@ index 1a82e29..25bd127 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +921,18 @@ optional_policy(`
+@@ -816,8 +935,18 @@ optional_policy(`
')
optional_policy(`
@@ -5647,7 +5663,7 @@ index 1a82e29..25bd127 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +941,7 @@ optional_policy(`
+@@ -826,6 +955,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5655,7 +5671,7 @@ index 1a82e29..25bd127 100644
')
optional_policy(`
-@@ -836,20 +952,38 @@ optional_policy(`
+@@ -836,20 +966,38 @@ optional_policy(`
')
optional_policy(`
@@ -5700,7 +5716,7 @@ index 1a82e29..25bd127 100644
')
optional_policy(`
-@@ -857,6 +991,16 @@ optional_policy(`
+@@ -857,6 +1005,16 @@ optional_policy(`
')
optional_policy(`
@@ -5717,7 +5733,7 @@ index 1a82e29..25bd127 100644
seutil_sigchld_newrole(httpd_t)
')
-@@ -865,6 +1009,7 @@ optional_policy(`
+@@ -865,6 +1023,7 @@ optional_policy(`
')
optional_policy(`
@@ -5725,7 +5741,7 @@ index 1a82e29..25bd127 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -877,65 +1022,166 @@ optional_policy(`
+@@ -877,65 +1036,166 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -5914,7 +5930,7 @@ index 1a82e29..25bd127 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1190,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1204,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6069,7 +6085,7 @@ index 1a82e29..25bd127 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1274,104 @@ optional_policy(`
+@@ -1077,172 +1288,104 @@ optional_policy(`
')
')
@@ -6089,7 +6105,8 @@ index 1a82e29..25bd127 100644
-allow httpd_script_domains self:fifo_file rw_file_perms;
-allow httpd_script_domains self:unix_stream_socket connectto;
--
++allow httpd_sys_script_t self:process getsched;
+
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
@@ -6097,8 +6114,7 @@ index 1a82e29..25bd127 100644
-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-+allow httpd_sys_script_t self:process getsched;
-
+-
-corenet_all_recvfrom_unlabeled(httpd_script_domains)
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
@@ -6240,8 +6256,7 @@ index 1a82e29..25bd127 100644
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-
-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
@@ -6267,7 +6282,8 @@ index 1a82e29..25bd127 100644
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6305,7 +6321,7 @@ index 1a82e29..25bd127 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1379,70 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1393,70 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6399,7 +6415,7 @@ index 1a82e29..25bd127 100644
########################################
#
-@@ -1315,8 +1450,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1464,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6416,7 +6432,7 @@ index 1a82e29..25bd127 100644
')
########################################
-@@ -1324,49 +1466,36 @@ optional_policy(`
+@@ -1324,49 +1480,36 @@ optional_policy(`
# User content local policy
#
@@ -6480,7 +6496,7 @@ index 1a82e29..25bd127 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1505,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1519,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -6502,29 +6518,20 @@ index 1a82e29..25bd127 100644
-allow httpd_gpg_t self:process setrlimit;
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
-
--allow httpd_gpg_t httpd_t:fd use;
--allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
--allow httpd_gpg_t httpd_t:process sigchld;
++
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
+corecmd_shell_entry_type(httpd_script_type)
-
--dev_read_rand(httpd_gpg_t)
--dev_read_urand(httpd_gpg_t)
++
+allow httpd_script_type self:fifo_file rw_file_perms;
+allow httpd_script_type self:unix_stream_socket connectto;
-
--files_read_usr_files(httpd_gpg_t)
++
+allow httpd_script_type httpd_t:fifo_file write;
+# apache should set close-on-exec
+apache_dontaudit_leaks(httpd_script_type)
-
--miscfiles_read_localization(httpd_gpg_t)
++
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
+logging_search_logs(httpd_script_type)
-
--tunable_policy(`httpd_gpg_anon_write',`
-- miscfiles_manage_public_files(httpd_gpg_t)
++
+kernel_dontaudit_search_sysctl(httpd_script_type)
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
+
@@ -6544,21 +6551,30 @@ index 1a82e29..25bd127 100644
+miscfiles_read_public_files(httpd_script_type)
+
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
-+
+
+-allow httpd_gpg_t httpd_t:fd use;
+-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
+-allow httpd_gpg_t httpd_t:process sigchld;
+allow httpd_t httpd_script_exec_type:file read_file_perms;
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
+allow httpd_t httpd_script_type:process { signal sigkill sigstop };
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
-+
+
+-dev_read_rand(httpd_gpg_t)
+-dev_read_urand(httpd_gpg_t)
+allow httpd_script_type self:process { setsched signal_perms };
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
-+
+
+-files_read_usr_files(httpd_gpg_t)
+allow httpd_script_type httpd_t:fd use;
+allow httpd_script_type httpd_t:process sigchld;
-+
+
+-miscfiles_read_localization(httpd_gpg_t)
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
-+
+
+-tunable_policy(`httpd_gpg_anon_write',`
+- miscfiles_manage_public_files(httpd_gpg_t)
+fs_getattr_xattr_fs(httpd_script_type)
+
+files_read_etc_runtime_files(httpd_script_type)
@@ -9734,7 +9750,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 2354e21..03e12b7 100644
+index 2354e21..fb8c9ed 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -9763,7 +9779,15 @@ index 2354e21..03e12b7 100644
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
-@@ -49,16 +54,21 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+@@ -41,6 +46,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
+
+ kernel_read_kernel_sysctls(certmonger_t)
+ kernel_read_system_state(certmonger_t)
++kernel_read_network_state(certmonger_t)
+
+ corenet_all_recvfrom_unlabeled(certmonger_t)
+ corenet_all_recvfrom_netlabel(certmonger_t)
+@@ -49,16 +55,21 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
corenet_sendrecv_certmaster_client_packets(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t)
@@ -9786,7 +9810,7 @@ index 2354e21..03e12b7 100644
files_list_tmp(certmonger_t)
fs_search_cgroup_dirs(certmonger_t)
-@@ -70,16 +80,17 @@ init_getattr_all_script_files(certmonger_t)
+@@ -70,16 +81,17 @@ init_getattr_all_script_files(certmonger_t)
logging_send_syslog_msg(certmonger_t)
@@ -9806,7 +9830,7 @@ index 2354e21..03e12b7 100644
')
optional_policy(`
-@@ -92,11 +103,47 @@ optional_policy(`
+@@ -92,11 +104,47 @@ optional_policy(`
')
optional_policy(`
@@ -9856,10 +9880,10 @@ index 2354e21..03e12b7 100644
+ ')
+')
diff --git a/certwatch.te b/certwatch.te
-index 403af41..48acf72 100644
+index 403af41..8f201ca 100644
--- a/certwatch.te
+++ b/certwatch.te
-@@ -21,27 +21,31 @@ role certwatch_roles types certwatch_t;
+@@ -21,32 +21,40 @@ role certwatch_roles types certwatch_t;
allow certwatch_t self:capability sys_nice;
allow certwatch_t self:process { setsched getsched };
@@ -9896,6 +9920,15 @@ index 403af41..48acf72 100644
apache_exec_modules(certwatch_t)
apache_read_config(certwatch_t)
')
+
+ optional_policy(`
++ mta_send_mail(certwatch_t)
++')
++
++optional_policy(`
+ cron_system_entry(certwatch_t, certwatch_exec_t)
+ ')
+
diff --git a/cfengine.if b/cfengine.if
index a731122..5279d4e 100644
--- a/cfengine.if
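Review bot: The new `mta_send_mail(certwatch_t)` optional_policy block is inserted between the apache and cron blocks, while the usual refpolicy ordering keeps optional_policy blocks alphabetical by module; placing it after the cron block keeps the file consistent with that convention. The grant itself matches the commit message's "Allow certwatch to send mails" and adds nothing beyond the mta interface. The certwatch.te body continues outside the hunk.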
@@ -11525,6 +11558,18 @@ index d8e9958..0046a69 100644
optional_policy(`
corosync_stream_connect(cmirrord_t)
')
+diff --git a/cobbler.fc b/cobbler.fc
+index 973d208..2b650a7 100644
+--- a/cobbler.fc
++++ b/cobbler.fc
+@@ -4,6 +4,7 @@
+
+ /usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
+
++/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+ /var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+ /var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/cobbler.if b/cobbler.if
index c223f81..b2efe4b 100644
--- a/cobbler.if
@@ -11567,10 +11612,18 @@ index c223f81..b2efe4b 100644
########################################
diff --git a/cobbler.te b/cobbler.te
-index 2a71346..7b64dc9 100644
+index 2a71346..bf24fca 100644
--- a/cobbler.te
+++ b/cobbler.te
-@@ -117,9 +117,7 @@ dev_read_urand(cobblerd_t)
+@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir)
++files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler")
+
+ append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+ create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+@@ -117,9 +118,7 @@ dev_read_urand(cobblerd_t)
files_list_boot(cobblerd_t)
files_list_tmp(cobblerd_t)
files_read_boot_files(cobblerd_t)
@@ -11580,7 +11633,7 @@ index 2a71346..7b64dc9 100644
fs_getattr_all_fs(cobblerd_t)
fs_read_iso9660_files(cobblerd_t)
-@@ -193,12 +191,11 @@ optional_policy(`
+@@ -193,12 +192,11 @@ optional_policy(`
optional_policy(`
rsync_read_config(cobblerd_t)
@@ -19308,7 +19361,7 @@ index b3b2188..5f91705 100644
miscfiles_read_localization(dirmngr_t)
diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
new file mode 100644
-index 0000000..fdf5675
+index 0000000..8c44697
--- /dev/null
+++ b/dirsrv-admin.fc
@@ -0,0 +1,15 @@
@@ -19326,13 +19379,13 @@ index 0000000..fdf5675
+/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+
-+/var/lock/subsys/dirsrv -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
++/var/lock/subsys/dirsrv-admin -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
diff --git a/dirsrv-admin.if b/dirsrv-admin.if
new file mode 100644
-index 0000000..332a1c9
+index 0000000..30416f2
--- /dev/null
+++ b/dirsrv-admin.if
-@@ -0,0 +1,134 @@
+@@ -0,0 +1,133 @@
+## <summary>Administration Server for Directory Server, dirsrv-admin.</summary>
+
+########################################
@@ -19465,14 +19518,13 @@ index 0000000..332a1c9
+
+ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
+ allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
-+
+')
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
new file mode 100644
-index 0000000..35455bf
+index 0000000..021c5ae
--- /dev/null
+++ b/dirsrv-admin.te
-@@ -0,0 +1,156 @@
+@@ -0,0 +1,157 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
@@ -19629,6 +19681,7 @@ index 0000000..35455bf
+ unconfined_domain(dirsrvadmin_unconfined_script_t)
+')
+
++
diff --git a/dirsrv.fc b/dirsrv.fc
new file mode 100644
index 0000000..0ea1ebb
@@ -19874,10 +19927,10 @@ index 0000000..b214253
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
-index 0000000..8cf8ddd
+index 0000000..1a57396
--- /dev/null
+++ b/dirsrv.te
-@@ -0,0 +1,194 @@
+@@ -0,0 +1,193 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -20008,7 +20061,6 @@ index 0000000..8cf8ddd
+ dirsrvadmin_read_tmp(dirsrv_t)
+')
+
-+
+optional_policy(`
+ kerberos_use(dirsrv_t)
+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
@@ -30494,7 +30546,7 @@ index 4fe75fd..8c702c9 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
-index f9de9fc..138e1e2 100644
+index f9de9fc..11e6268 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -1,27 +1,29 @@
@@ -30571,7 +30623,7 @@ index f9de9fc..138e1e2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -69,45 +69,43 @@ interface(`kerberos_domtrans_kpropd',`
+@@ -69,45 +69,44 @@ interface(`kerberos_domtrans_kpropd',`
#
interface(`kerberos_use',`
gen_require(`
@@ -30594,6 +30646,7 @@ index f9de9fc..138e1e2 100644
-
selinux_dontaudit_validate_context($1)
- seutil_dontaudit_read_file_contexts($1)
++ seutil_read_file_contexts($1)
- tunable_policy(`allow_kerberos',`
+ tunable_policy(`kerberos_enabled',`
@@ -30631,7 +30684,7 @@ index f9de9fc..138e1e2 100644
pcscd_stream_connect($1)
')
')
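Review bot: Inside `kerberos_use` the removed `seutil_dontaudit_read_file_contexts($1)` is replaced by `seutil_read_file_contexts($1)`, which turns a silenced denial into an allow for every caller of this interface, including everything that goes through kerberos_keytab_template and the many daemons that use Kerberos. Reading file_context_t is harmless for most of them, but it is still an unexplained widening applied to the whole caller set; unless a broad set of domains actually needs it, keep the dontaudit here and grant the read in the .te of the one domain whose denial prompted the change, or add a comment above the line stating the reason, e.g. `# needed because: <which client library call reads file_contexts>`. The interface body continues outside the hunk.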
-@@ -119,7 +117,7 @@ interface(`kerberos_use',`
+@@ -119,7 +118,7 @@ interface(`kerberos_use',`
########################################
## <summary>
@@ -30640,7 +30693,7 @@ index f9de9fc..138e1e2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -135,15 +133,13 @@ interface(`kerberos_read_config',`
+@@ -135,15 +134,13 @@ interface(`kerberos_read_config',`
files_search_etc($1)
allow $1 krb5_conf_t:file read_file_perms;
@@ -30658,7 +30711,7 @@ index f9de9fc..138e1e2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -156,13 +152,12 @@ interface(`kerberos_dontaudit_write_config',`
+@@ -156,13 +153,12 @@ interface(`kerberos_dontaudit_write_config',`
type krb5_conf_t;
')
@@ -30674,7 +30727,7 @@ index f9de9fc..138e1e2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -182,75 +177,7 @@ interface(`kerberos_rw_config',`
+@@ -182,75 +178,7 @@ interface(`kerberos_rw_config',`
########################################
## <summary>
@@ -30751,7 +30804,7 @@ index f9de9fc..138e1e2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -270,7 +197,7 @@ interface(`kerberos_read_keytab',`
+@@ -270,7 +198,7 @@ interface(`kerberos_read_keytab',`
########################################
## <summary>
@@ -30760,7 +30813,7 @@ index f9de9fc..138e1e2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -289,40 +216,13 @@ interface(`kerberos_rw_keytab',`
+@@ -289,40 +217,13 @@ interface(`kerberos_rw_keytab',`
########################################
## <summary>
@@ -30802,7 +30855,7 @@ index f9de9fc..138e1e2 100644
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
-@@ -334,13 +234,13 @@ interface(`kerberos_etc_filetrans_keytab',`
+@@ -334,13 +235,13 @@ interface(`kerberos_etc_filetrans_keytab',`
type krb5_keytab_t;
')
@@ -30819,7 +30872,7 @@ index f9de9fc..138e1e2 100644
## </summary>
## <param name="prefix">
## <summary>
-@@ -354,21 +254,15 @@ interface(`kerberos_etc_filetrans_keytab',`
+@@ -354,21 +255,15 @@ interface(`kerberos_etc_filetrans_keytab',`
## </param>
#
template(`kerberos_keytab_template',`
@@ -30846,7 +30899,7 @@ index f9de9fc..138e1e2 100644
kerberos_read_keytab($2)
kerberos_use($2)
-@@ -376,7 +270,7 @@ template(`kerberos_keytab_template',`
+@@ -376,7 +271,7 @@ template(`kerberos_keytab_template',`
########################################
## <summary>
@@ -30855,7 +30908,7 @@ index f9de9fc..138e1e2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -396,8 +290,7 @@ interface(`kerberos_read_kdc_config',`
+@@ -396,8 +291,7 @@ interface(`kerberos_read_kdc_config',`
########################################
## <summary>
@@ -30865,7 +30918,7 @@ index f9de9fc..138e1e2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -411,34 +304,99 @@ interface(`kerberos_manage_host_rcache',`
+@@ -411,34 +305,99 @@ interface(`kerberos_manage_host_rcache',`
type krb5_host_rcache_t;
')
@@ -30973,7 +31026,7 @@ index f9de9fc..138e1e2 100644
## </summary>
## </param>
## <param name="name" optional="true">
-@@ -452,12 +410,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+@@ -452,12 +411,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
type krb5_host_rcache_t;
')
@@ -30989,7 +31042,7 @@ index f9de9fc..138e1e2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -465,82 +424,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+@@ -465,82 +425,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
## </summary>
## </param>
#
@@ -32947,7 +33000,7 @@ index e354181..c6b2383 100644
########################################
diff --git a/livecd.te b/livecd.te
-index 33f64b5..dcffc00 100644
+index 33f64b5..a920c08 100644
--- a/livecd.te
+++ b/livecd.te
@@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t)
@@ -32964,14 +33017,18 @@ index 33f64b5..dcffc00 100644
manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
-@@ -35,12 +37,13 @@ sysnet_etc_filetrans_config(livecd_t)
+@@ -35,12 +37,17 @@ sysnet_etc_filetrans_config(livecd_t)
optional_policy(`
hal_dbus_chat(livecd_t)
')
+
++optional_policy(`
++ mount_run(livecd_t, livecd_roles)
++')
++
optional_policy(`
- mount_run(livecd_t, livecd_roles)
-+ mount_run(livecd_t, livecd_roles)
++ rpm_transition_script(livecd_t)
')
optional_policy(`
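Review bot: `rpm_transition_script(livecd_t)` is a broad grant (entry into the RPM scriptlet domains) that carries no comment and is not listed in the changelog items of this commit, so a later reader cannot tell which livecd operation needed it. A one-line comment above the new `optional_policy` block naming that operation would make the transition reviewable; the enclosing livecd_t policy continues outside the hunk.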
@@ -36354,7 +36411,7 @@ index 4462c0e..84944d1 100644
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..18e3a70 100644
+index 6ffaba2..90fd526 100644
--- a/mozilla.fc
+++ b/mozilla.fc
@@ -1,38 +1,63 @@
@@ -36380,7 +36437,7 @@ index 6ffaba2..18e3a70 100644
+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.cache\mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/POkemon.*(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -37171,7 +37228,7 @@ index 6194b80..116d9d2 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..c2bf3d9 100644
+index 6a306ee..3ac5d92 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -37602,7 +37659,7 @@ index 6a306ee..c2bf3d9 100644
')
optional_policy(`
-@@ -300,221 +309,173 @@ optional_policy(`
+@@ -300,221 +309,174 @@ optional_policy(`
########################################
#
@@ -37777,6 +37834,7 @@ index 6a306ee..c2bf3d9 100644
+corenet_tcp_connect_commplex_link_port(mozilla_plugin_t)
+corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
+corenet_tcp_connect_monopd_port(mozilla_plugin_t)
++corenet_tcp_connect_transproxy_port(mozilla_plugin_t)
+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_udp_bind_generic_node(mozilla_plugin_t)
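Review bot: `corenet_tcp_connect_transproxy_port(mozilla_plugin_t)` extends an already long list of port grants for the plugin domain without a comment saying which plugin or denial motivated it, and the commit message does not mention it either. A short justification next to the line (the reporting bug or the plugin name) keeps the port allowlist auditable; the mozilla_plugin_t rule block starts and ends outside this hunk.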
@@ -37918,7 +37976,7 @@ index 6a306ee..c2bf3d9 100644
')
optional_policy(`
-@@ -523,36 +484,47 @@ optional_policy(`
+@@ -523,36 +485,47 @@ optional_policy(`
')
optional_policy(`
@@ -37979,7 +38037,7 @@ index 6a306ee..c2bf3d9 100644
')
optional_policy(`
-@@ -560,7 +532,7 @@ optional_policy(`
+@@ -560,7 +533,7 @@ optional_policy(`
')
optional_policy(`
@@ -37988,7 +38046,7 @@ index 6a306ee..c2bf3d9 100644
')
optional_policy(`
-@@ -568,108 +540,109 @@ optional_policy(`
+@@ -568,108 +541,109 @@ optional_policy(`
')
optional_policy(`
@@ -41796,7 +41854,7 @@ index 0000000..90129ac
+ mysql_tcp_connect(httpd_mythtv_script_t)
+')
diff --git a/nagios.fc b/nagios.fc
-index d78dfc3..d80b4db 100644
+index d78dfc3..9590368 100644
--- a/nagios.fc
+++ b/nagios.fc
@@ -1,88 +1,93 @@
@@ -41926,14 +41984,15 @@ index d78dfc3..d80b4db 100644
/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-
+-/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+# unconfined plugins
- /usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
-
-/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
--
++# label all nagios plugin as unconfined by default
++/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
+
-/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-
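Review bot: The new catch-all `/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)` has the same stem as the per-plugin entries above it (`check_snmp.*`, `check_ssh`, `check_ups`) and is itself a regex, so which rule wins for those paths is decided by file_contexts precedence (longest stem, then literal before regex, then last match) rather than by the order the author intended, and the confined `nagios_services_plugin_exec_t` labels may be overridden. Verify with `matchpathcon /usr/lib/nagios/plugins/check_snmp` and `matchpathcon /usr/lib/nagios/plugins/check_ssh` on a built policy, and move the catch-all above the specific entries if order turns out to matter. Since every newly installed or third-party plugin now runs unconfined, the comment should say so explicitly, e.g. `# plugins without a specific entry above run unconfined; add an entry to confine a plugin`.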
@@ -62916,10 +62975,20 @@ index 951db7f..6d6ec1d 100644
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
')
diff --git a/raid.te b/raid.te
-index 2c1730b..fd31eb5 100644
+index 2c1730b..d75003d 100644
--- a/raid.te
+++ b/raid.te
-@@ -25,8 +25,8 @@ dev_associate(mdadm_var_run_t)
+@@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
+ type mdadm_initrc_exec_t;
+ init_script_file(mdadm_initrc_exec_t)
+
++type mdadm_tmp_t;
++files_tmpfs_file(mdadm_tmp_t)
++
+ type mdadm_var_run_t alias mdadm_map_t;
+ files_pid_file(mdadm_var_run_t)
+ dev_associate(mdadm_var_run_t)
+@@ -25,23 +28,28 @@ dev_associate(mdadm_var_run_t)
#
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
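Review bot: `mdadm_tmp_t` is declared with `files_tmpfs_file(mdadm_tmp_t)` but the transition added in the next hunk is `files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file)`, i.e. the files are created under /tmp, not on tmpfs; the usual pairing for a /tmp type is `files_tmp_file(mdadm_tmp_t)`, which also gives it the tmpfile attribute that the /tmp cleanup interfaces act on. As written the temporary files would likely be skipped by those cleaners, and the declaration reads like a copy from a tmpfs type. If tmpfs really was intended, the type name and the filetrans should say so instead; otherwise change the line to `files_tmp_file(mdadm_tmp_t)`.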
@@ -62930,7 +62999,11 @@ index 2c1730b..fd31eb5 100644
allow mdadm_t self:fifo_file rw_fifo_file_perms;
allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -34,14 +34,15 @@ manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
++manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
++manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
++files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file)
++
+ manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
@@ -62948,7 +63021,7 @@ index 2c1730b..fd31eb5 100644
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
-@@ -51,17 +52,19 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
+@@ -51,17 +59,19 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
dev_read_realtime_clock(mdadm_t)
dev_read_raw_memory(mdadm_t)
@@ -62970,7 +63043,12 @@ index 2c1730b..fd31eb5 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -74,12 +77,12 @@ storage_write_scsi_generic(mdadm_t)
+@@ -70,16 +80,17 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+ storage_manage_fixed_disk(mdadm_t)
+ storage_read_scsi_generic(mdadm_t)
+ storage_write_scsi_generic(mdadm_t)
++storage_raw_read_removable_device(mdadm_t)
+
term_dontaudit_list_ptys(mdadm_t)
term_dontaudit_use_unallocated_ttys(mdadm_t)
@@ -82259,7 +82337,7 @@ index 67ca5c5..a1ef2d2 100644
fs_search_auto_mountpoints(timidity_t)
diff --git a/tmpreaper.te b/tmpreaper.te
-index a4a949c..a0b1618 100644
+index a4a949c..0ac90ac 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3)
@@ -82327,11 +82405,15 @@ index a4a949c..a0b1618 100644
apache_list_cache(tmpreaper_t)
apache_delete_cache_dirs(tmpreaper_t)
apache_delete_cache_files(tmpreaper_t)
-@@ -69,7 +78,15 @@ optional_policy(`
+@@ -69,7 +78,19 @@ optional_policy(`
')
optional_policy(`
- lpd_manage_spool(tmpreaper_t)
++ lpd_read_spool(tmpreaper_t)
++')
++
++optional_policy(`
+ mandb_delete_cache(tmpreaper_t)
+')
+
@@ -83072,7 +83154,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 7116181..a6bd365 100644
+index 7116181..ef6133e 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -83100,11 +83182,15 @@ index 7116181..a6bd365 100644
read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
-@@ -44,7 +49,11 @@ manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
- append_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
- create_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
- setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+@@ -41,10 +46,12 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
+ files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
+
+ manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
+-append_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+-create_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+-setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
-logging_log_filetrans(tuned_t, tuned_log_t, file)
++manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log")
+
+manage_dirs_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
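Review bot: Replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on `tuned_log_t` with `manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)` also grants write, unlink and rename on the daemon's own log files, which the changelog does not mention and which lets a compromised tuned_t truncate or remove its own trail. If only one further permission was missing (rename on rotation, say), keeping the three previous rules plus that single permission preserves the append-only property. The named `logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log")` is fine; a one-line comment stating which operation required manage would make the widening reviewable.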
@@ -83113,7 +83199,7 @@ index 7116181..a6bd365 100644
manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
-@@ -57,6 +66,7 @@ kernel_request_load_module(tuned_t)
+@@ -57,6 +64,7 @@ kernel_request_load_module(tuned_t)
kernel_rw_kernel_sysctl(tuned_t)
kernel_rw_hotplug_sysctls(tuned_t)
kernel_rw_vm_sysctls(tuned_t)
@@ -83121,7 +83207,7 @@ index 7116181..a6bd365 100644
corecmd_exec_bin(tuned_t)
corecmd_exec_shell(tuned_t)
-@@ -64,31 +74,52 @@ corecmd_exec_shell(tuned_t)
+@@ -64,31 +72,52 @@ corecmd_exec_shell(tuned_t)
dev_getattr_all_blk_files(tuned_t)
dev_getattr_all_chr_files(tuned_t)
dev_read_urand(tuned_t)
@@ -86454,7 +86540,7 @@ index 9dec06c..a202ead 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..f42e134 100644
+index 1f22fba..d0747ff 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,98 @@
@@ -86660,62 +86746,50 @@ index 1f22fba..f42e134 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -155,290 +165,125 @@ type virt_qmf_exec_t;
+@@ -155,290 +165,121 @@ type virt_qmf_exec_t;
init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
type virt_bridgehelper_t;
-type virt_bridgehelper_exec_t;
domain_type(virt_bridgehelper_t)
-+
-+type virt_bridgehelper_exec_t;
- domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
+-domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
-role virt_bridgehelper_roles types virt_bridgehelper_t;
+-
+-type virtd_lxc_t;
+-type virtd_lxc_exec_t;
+-init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
+
+-type virtd_lxc_var_run_t;
+-files_pid_file(virtd_lxc_var_run_t)
++type virt_bridgehelper_exec_t;
++domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
+role system_r types virt_bridgehelper_t;
-+
+
+-type svirt_lxc_file_t;
+-files_mountpoint(svirt_lxc_file_t)
+-fs_noxattr_type(svirt_lxc_file_t)
+-term_pty(svirt_lxc_file_t)
+# policy for qemu_ga
+type virt_qemu_ga_t;
+type virt_qemu_ga_exec_t;
+init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)
-+
+
+-virt_lxc_domain_template(svirt_lxc_net)
+type virt_qemu_ga_var_run_t;
+files_pid_file(virt_qemu_ga_var_run_t)
-+
-+type virt_qemu_ga_log_t;
-+logging_log_file(virt_qemu_ga_log_t)
-+
-+########################################
-+#
-+# Declarations
-+#
-+attribute svirt_lxc_domain;
- type virtd_lxc_t;
- type virtd_lxc_exec_t;
- init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
-
--type virtd_lxc_var_run_t;
--files_pid_file(virtd_lxc_var_run_t)
-+type virt_lxc_var_run_t;
-+files_pid_file(virt_lxc_var_run_t)
-+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
-
-+# virt lxc container files
- type svirt_lxc_file_t;
- files_mountpoint(svirt_lxc_file_t)
--fs_noxattr_type(svirt_lxc_file_t)
--term_pty(svirt_lxc_file_t)
--
--virt_lxc_domain_template(svirt_lxc_net)
--
-type virsh_t;
-type virsh_exec_t;
-init_system_domain(virsh_t, virsh_exec_t)
++type virt_qemu_ga_log_t;
++logging_log_file(virt_qemu_ga_log_t)
########################################
#
-# Common virt domain local policy
-+# svirt local policy
++# Declarations
#
++attribute svirt_lxc_domain;
-allow virt_domain self:process { signal getsched signull };
-allow virt_domain self:fifo_file rw_fifo_file_perms;
@@ -86868,47 +86942,42 @@ index 1f22fba..f42e134 100644
- fs_manage_dos_dirs(virt_domain)
- fs_manage_dos_files(virt_domain)
-')
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-optional_policy(`
- tunable_policy(`virt_use_xserver',`
- xserver_read_xdm_pid(virt_domain)
- xserver_stream_connect(virt_domain)
- ')
-')
-+corenet_udp_sendrecv_generic_if(svirt_t)
-+corenet_udp_sendrecv_generic_node(svirt_t)
-+corenet_udp_sendrecv_all_ports(svirt_t)
-+corenet_udp_bind_generic_node(svirt_t)
-+corenet_udp_bind_all_ports(svirt_t)
-+corenet_tcp_bind_all_ports(svirt_t)
-+corenet_tcp_connect_all_ports(svirt_t)
-
+-
-optional_policy(`
- dbus_read_lib_files(virt_domain)
-')
-+miscfiles_read_generic_certs(svirt_t)
-
- optional_policy(`
+-
+-optional_policy(`
- nscd_use(virt_domain)
-+ xen_rw_image_files(svirt_t)
- ')
+-')
++type virtd_lxc_t;
++type virtd_lxc_exec_t;
++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
- optional_policy(`
+-optional_policy(`
- samba_domtrans_smbd(virt_domain)
-+ nscd_use(svirt_t)
- ')
+-')
++type virt_lxc_var_run_t;
++files_pid_file(virt_lxc_var_run_t)
++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
-optional_policy(`
- xen_rw_image_files(virt_domain)
-')
--
--########################################
-+#######################################
++# virt lxc container files
++type svirt_lxc_file_t;
++files_mountpoint(svirt_lxc_file_t)
+
+ ########################################
#
--# svirt local policy
-+# svirt_prot_exec local policy
+ # svirt local policy
#
-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
@@ -86921,9 +86990,7 @@ index 1f22fba..f42e134 100644
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
@@ -86932,24 +86999,41 @@ index 1f22fba..f42e134 100644
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
--corenet_udp_sendrecv_generic_if(svirt_t)
+ corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_tcp_sendrecv_generic_node(svirt_t)
--corenet_udp_sendrecv_generic_node(svirt_t)
+ corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_tcp_sendrecv_all_ports(svirt_t)
--corenet_udp_sendrecv_all_ports(svirt_t)
+ corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_tcp_bind_generic_node(svirt_t)
--corenet_udp_bind_generic_node(svirt_t)
+ corenet_udp_bind_generic_node(svirt_t)
-
-corenet_sendrecv_all_server_packets(svirt_t)
--corenet_udp_bind_all_ports(svirt_t)
--corenet_tcp_bind_all_ports(svirt_t)
+ corenet_udp_bind_all_ports(svirt_t)
+ corenet_tcp_bind_all_ports(svirt_t)
-
-corenet_sendrecv_all_client_packets(svirt_t)
--corenet_tcp_connect_all_ports(svirt_t)
+ corenet_tcp_connect_all_ports(svirt_t)
+
++miscfiles_read_generic_certs(svirt_t)
++
++optional_policy(`
++ nscd_use(svirt_t)
++')
++
++#######################################
++#
++# svirt_prot_exec local policy
++#
++
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
++
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
+corenet_udp_sendrecv_generic_node(svirt_tcg_t)
+corenet_udp_sendrecv_all_ports(svirt_tcg_t)
@@ -86957,7 +87041,7 @@ index 1f22fba..f42e134 100644
+corenet_udp_bind_all_ports(svirt_tcg_t)
+corenet_tcp_bind_all_ports(svirt_tcg_t)
+corenet_tcp_connect_all_ports(svirt_tcg_t)
-
++
########################################
#
# virtd local policy
@@ -87023,7 +87107,7 @@ index 1f22fba..f42e134 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +293,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +289,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -87069,28 +87153,28 @@ index 1f22fba..f42e134 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +327,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +323,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
--
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +339,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +335,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@@ -87098,7 +87182,7 @@ index 1f22fba..f42e134 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -520,22 +347,12 @@ corecmd_exec_shell(virtd_t)
+@@ -520,22 +343,12 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -87122,7 +87206,7 @@ index 1f22fba..f42e134 100644
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
-@@ -548,22 +365,22 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +361,22 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -87150,7 +87234,7 @@ index 1f22fba..f42e134 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +411,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +407,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -87170,7 +87254,7 @@ index 1f22fba..f42e134 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +433,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +429,24 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -87205,7 +87289,7 @@ index 1f22fba..f42e134 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +459,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +455,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -87214,7 +87298,7 @@ index 1f22fba..f42e134 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -646,107 +472,327 @@ optional_policy(`
+@@ -646,107 +468,327 @@ optional_policy(`
consoletype_exec(virtd_t)
')
@@ -87428,7 +87512,7 @@ index 1f22fba..f42e134 100644
+fs_getattr_xattr_fs(virt_domain)
+fs_getattr_tmpfs(virt_domain)
+fs_rw_anon_inodefs_files(virt_domain)
-+fs_rw_tmpfs_files(virt_domain)
++fs_rw_inherited_tmpfs_files(virt_domain)
+fs_getattr_hugetlbfs(virt_domain)
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
@@ -87600,7 +87684,7 @@ index 1f22fba..f42e134 100644
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +804,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +800,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -87630,7 +87714,7 @@ index 1f22fba..f42e134 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +823,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +819,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -87657,7 +87741,7 @@ index 1f22fba..f42e134 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +843,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +839,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -87689,7 +87773,7 @@ index 1f22fba..f42e134 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,6 +876,10 @@ optional_policy(`
+@@ -847,6 +872,10 @@ optional_policy(`
')
optional_policy(`
@@ -87700,7 +87784,7 @@ index 1f22fba..f42e134 100644
rpm_exec(virsh_t)
')
-@@ -854,7 +887,7 @@ optional_policy(`
+@@ -854,7 +883,7 @@ optional_policy(`
xen_manage_image_dirs(virsh_t)
xen_append_log(virsh_t)
xen_domtrans(virsh_t)
@@ -87709,7 +87793,7 @@ index 1f22fba..f42e134 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,34 +912,44 @@ optional_policy(`
+@@ -879,34 +908,44 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -87763,7 +87847,7 @@ index 1f22fba..f42e134 100644
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +959,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +955,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -87781,7 +87865,7 @@ index 1f22fba..f42e134 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +981,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +977,8 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -87792,7 +87876,7 @@ index 1f22fba..f42e134 100644
files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +990,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +986,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
files_list_isid_type_dirs(virtd_lxc_t)
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
@@ -87800,7 +87884,7 @@ index 1f22fba..f42e134 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1002,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +998,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -87819,7 +87903,7 @@ index 1f22fba..f42e134 100644
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1016,36 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1012,36 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
@@ -87864,7 +87948,7 @@ index 1f22fba..f42e134 100644
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1053,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1049,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@@ -87891,7 +87975,7 @@ index 1f22fba..f42e134 100644
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1071,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1067,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -87910,7 +87994,7 @@ index 1f22fba..f42e134 100644
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1090,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1086,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -87937,7 +88021,7 @@ index 1f22fba..f42e134 100644
auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1115,90 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1111,90 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@@ -88073,7 +88157,7 @@ index 1f22fba..f42e134 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1211,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1207,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -88088,7 +88172,7 @@ index 1f22fba..f42e134 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1229,8 @@ optional_policy(`
+@@ -1183,9 +1225,8 @@ optional_policy(`
########################################
#
@@ -88099,7 +88183,7 @@ index 1f22fba..f42e134 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1243,70 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1239,70 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b2df46e..f1dfb42 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 32%{?dist}
+Release: 33%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -526,6 +526,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Apr 18 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-33
+- Fix mozilla specification of homedir content
+- Allow certmonger to read network state
+- Allow tmpwatch to read tmp in /var/spool/{cups,lpd}
+- Label all nagios plugin as unconfined by default
+- Add httpd_serve_cobbler_files()
+- Allow mdadm to read /dev/sr0 and create tmp files
+- Allow certwatch to send mails
+- Fix labeling for nagios plugins
+- label shared libraries in /opt/google/chrome as testrel_shlib_t
+
* Wed Apr 17 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-32
- Allow realmd to run ipa, really needs to be an unconfined_domain
- Allow sandbox domains to use inherted terminals