[selinux-policy/f18] - Fix pegasus_openlmi_domain_template() - Remove pulseaudio filetrans pulseaudio_manage_home_dirs wh
Miroslav Grepl
mgrepl at fedoraproject.org
Fri May 17 10:19:09 UTC 2013
commit f9394662e687c3a069e24edc604096c4e1b9cf4c
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri May 17 12:18:55 2013 +0200
- Fix pegasus_openlmi_domain_template()
- Remove pulseaudio filetrans pulseaudio_manage_home_dirs wh
- Change cupsd_t to be allowed to manage own log files
- Allow sge_execd_t to also connect to sge ports
- Make gnome-abrt working with staff_t
- Allow sge_execd to bind sge ports. Allow kill capability a
- Add web browser plugins to connect to aol ports
- Update antivirus_can_scan_system boolean
- Allow mozilla_plugin_t to create pulseaudit_home_t directo
- mdadm runs ps command which seems to getattr on random log
- Allow cobblerd to read network state
- Add port definition for sge ports
- Allow useradd_t to r/w var_lib_t
policy-f18-base.patch | 66 +++++----
policy-f18-contrib.patch | 387 ++++++++++++++++++++++++++++++++--------------
selinux-policy.spec | 17 ++-
3 files changed, 322 insertions(+), 148 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index aebdb30..5dc1518 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -111808,7 +111808,7 @@ index 98b8b2d..41f4994 100644
########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 673180c..6340f3d 100644
+index 673180c..85607d5 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.0)
@@ -112170,7 +112170,7 @@ index 673180c..6340f3d 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
-@@ -465,36 +513,35 @@ corecmd_exec_shell(useradd_t)
+@@ -465,36 +513,36 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -112186,6 +112186,7 @@ index 673180c..6340f3d 100644
files_relabel_etc_files(useradd_t)
files_read_etc_runtime_files(useradd_t)
+files_manage_etc_files(useradd_t)
++files_rw_var_lib_dirs(useradd_t)
fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)
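Review bot: The added `files_rw_var_lib_dirs(useradd_t)` grants useradd_t read/write on generic var_lib_t directories, with no comment saying which path needs it. Going by the interface name, this covers every directory labelled var_lib_t rather than one location. If the access is for a single directory, a dedicated type with its own file-context entry would keep the grant narrow. At minimum I would add a line above it such as `# useradd updates <path> under /var/lib (bug <id>)`. The useradd_t rules continue outside this hunk.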
@@ -112218,7 +112219,7 @@ index 673180c..6340f3d 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -505,33 +552,36 @@ init_rw_utmp(useradd_t)
+@@ -505,33 +553,36 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@@ -112269,7 +112270,7 @@ index 673180c..6340f3d 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
-@@ -542,7 +592,8 @@ optional_policy(`
+@@ -542,7 +593,8 @@ optional_policy(`
')
optional_policy(`
@@ -112279,7 +112280,7 @@ index 673180c..6340f3d 100644
')
optional_policy(`
-@@ -550,6 +601,11 @@ optional_policy(`
+@@ -550,6 +602,11 @@ optional_policy(`
')
optional_policy(`
@@ -112291,7 +112292,7 @@ index 673180c..6340f3d 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -559,3 +615,7 @@ optional_policy(`
+@@ -559,3 +616,7 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -112462,7 +112463,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..1d870e2 100644
+index db981df..1429bf9 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -112544,7 +112545,7 @@ index db981df..1d870e2 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -174,53 +185,82 @@ ifdef(`distro_gentoo',`
+@@ -174,53 +185,83 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -112622,6 +112623,7 @@ index db981df..1d870e2 100644
+/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/urlize -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nagios/plugins/utils.pm -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
@@ -112647,7 +112649,7 @@ index db981df..1d870e2 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -235,10 +275,15 @@ ifdef(`distro_gentoo',`
+@@ -235,10 +276,15 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -112663,7 +112665,7 @@ index db981df..1d870e2 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -251,11 +296,17 @@ ifdef(`distro_gentoo',`
+@@ -251,11 +297,17 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -112685,7 +112687,7 @@ index db981df..1d870e2 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -271,10 +322,15 @@ ifdef(`distro_gentoo',`
+@@ -271,10 +323,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -112701,7 +112703,7 @@ index db981df..1d870e2 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -289,16 +345,22 @@ ifdef(`distro_gentoo',`
+@@ -289,16 +346,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -112726,7 +112728,7 @@ index db981df..1d870e2 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,20 +376,27 @@ ifdef(`distro_redhat', `
+@@ -314,20 +377,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -112755,7 +112757,7 @@ index db981df..1d870e2 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -376,11 +445,15 @@ ifdef(`distro_suse', `
+@@ -376,11 +446,15 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -112772,7 +112774,7 @@ index db981df..1d870e2 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -390,3 +463,12 @@ ifdef(`distro_suse', `
+@@ -390,3 +464,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -114484,7 +114486,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index fe2ee5e..e73cf13 100644
+index fe2ee5e..719e7b9 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0)
@@ -114623,7 +114625,7 @@ index fe2ee5e..e73cf13 100644
network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
-@@ -123,104 +164,140 @@ network_port(hadoop_datanode, tcp,50010,s0)
+@@ -123,104 +164,141 @@ network_port(hadoop_datanode, tcp,50010,s0)
network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
@@ -114751,6 +114753,7 @@ index fe2ee5e..e73cf13 100644
network_port(sap, tcp,9875,s0, udp,9875,s0)
+network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0)
+network_port(sametime, tcp,1533,s0, udp,1533,s0)
++network_port(sge, tcp,6444,s0, tcp,6445,s0)
network_port(sieve, tcp,4190,s0)
network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
@@ -114786,7 +114789,7 @@ index fe2ee5e..e73cf13 100644
network_port(transproxy, tcp,8081,s0)
network_port(ups, tcp,3493,s0)
network_port(utcpserver) # no defined portcon
-@@ -228,9 +305,12 @@ network_port(uucpd, tcp,540,s0)
+@@ -228,9 +306,12 @@ network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -114800,7 +114803,7 @@ index fe2ee5e..e73cf13 100644
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -242,17 +322,22 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -242,17 +323,22 @@ network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -114825,7 +114828,7 @@ index fe2ee5e..e73cf13 100644
########################################
#
-@@ -285,6 +370,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -285,6 +371,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -114834,7 +114837,7 @@ index fe2ee5e..e73cf13 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -297,9 +384,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -297,9 +385,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -117174,7 +117177,7 @@ index 6a1e4d1..eee8419 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..7219a2a 100644
+index cf04cb5..7d9575d 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -117207,11 +117210,13 @@ index cf04cb5..7219a2a 100644
## <desc>
## <p>
-@@ -86,23 +109,43 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +109,45 @@ neverallow ~{ domain unlabeled_t } *:process *;
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
+allow domain self:fifo_file rw_fifo_file_perms;
++allow domain self:sem create_sem_perms;
++allow domain self:shm create_shm_perms;
+
kernel_read_proc_symlinks(domain)
+kernel_read_crypto_sysctls(domain)
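Review bot: The added `allow domain self:sem create_sem_perms;` and `allow domain self:shm create_shm_perms;` are written against the `domain` attribute, so every confined domain gains System V semaphore and shared-memory creation on itself. None of the commit message entries visible on this page mentions that. The rules are self-only, so cross-domain IPC still needs its own allow rule, but this widens the base policy and should be justified where it is declared. I would put a comment above the pair, e.g. `# SysV sem/shm on self for all domains: <reason / bug id>`, and add a changelog entry.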
@@ -117252,7 +117257,7 @@ index cf04cb5..7219a2a 100644
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
-@@ -121,8 +164,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +166,18 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@@ -117271,7 +117276,7 @@ index cf04cb5..7219a2a 100644
')
optional_policy(`
-@@ -133,6 +186,8 @@ optional_policy(`
+@@ -133,6 +188,8 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -117280,7 +117285,7 @@ index cf04cb5..7219a2a 100644
')
########################################
-@@ -147,12 +202,18 @@ optional_policy(`
+@@ -147,12 +204,18 @@ optional_policy(`
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
@@ -117300,7 +117305,7 @@ index cf04cb5..7219a2a 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,282 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +229,282 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -124640,7 +124645,7 @@ index 234a940..d340f20 100644
########################################
## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index e5aee97..8425d4b 100644
+index e5aee97..56fed3b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,67 @@ policy_module(staff, 2.3.0)
@@ -124966,7 +124971,7 @@ index e5aee97..8425d4b 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +372,21 @@ ifndef(`distro_redhat',`
+@@ -176,3 +372,22 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -124985,7 +124990,8 @@ index e5aee97..8425d4b 100644
+ allow staff_t self:fifo_file relabelfrom;
+ dev_rw_kvm(staff_t)
+ virt_manage_images(staff_t)
-+ virt_stream_connect_svirt(staff_t)
++ virt_stream_connect_svirt(staff_t)
++ virt_exec(staff_t)
+ ')
+')
diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
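Review bot: `virt_exec(staff_t)` is added next to `virt_stream_connect_svirt(staff_t)` without a comment, and the condition gating it is not visible because the enclosing block starts outside the hunk. Judging by the interface name, it lets staff_t run the virt executables in its own domain rather than through a transition, which is worth stating explicitly for a login-user domain. A line such as `# staff_t runs <binary> directly for <use case>` would record the reason. The same hunk also re-indents the `virt_stream_connect_svirt` line; keeping whitespace changes separate would make the functional addition easier to spot.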
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index b04d97d..0816c95 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -367,7 +367,7 @@ index 0b827c5..cce58bb 100644
+ dontaudit $1 abrt_t:sock_file write;
')
diff --git a/abrt.te b/abrt.te
-index 30861ec..338c342 100644
+index 30861ec..d9c83c2 100644
--- a/abrt.te
+++ b/abrt.te
@@ -5,13 +5,33 @@ policy_module(abrt, 1.2.0)
@@ -406,7 +406,7 @@ index 30861ec..338c342 100644
# etc files
type abrt_etc_t;
files_config_file(abrt_etc_t)
-@@ -20,22 +40,32 @@ files_config_file(abrt_etc_t)
+@@ -20,22 +40,33 @@ files_config_file(abrt_etc_t)
type abrt_var_log_t;
logging_log_file(abrt_var_log_t)
@@ -418,6 +418,7 @@ index 30861ec..338c342 100644
type abrt_var_cache_t;
files_type(abrt_var_cache_t)
+files_tmp_file(abrt_var_cache_t)
++userdom_user_tmp_file(abrt_var_cache_t)
# pid files
type abrt_var_run_t;
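Review bot: `userdom_user_tmp_file(abrt_var_cache_t)` marks the abrt cache type as a user temporary file type on top of `files_tmp_file`, with no comment on why. This file gives abrt_t and abrt_helper_t manage rights on abrt_var_cache_t and uses it for the spool transition (`files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)`), so it presumably holds crash data. Any interface that acts on all user tmp files would then reach that data as well, so please confirm this scope is intended for the gnome-abrt fix. A comment such as `# gnome-abrt running in user domains needs access to the abrt dump directories` above the line would document it.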
@@ -442,7 +443,7 @@ index 30861ec..338c342 100644
application_domain(abrt_helper_t, abrt_helper_exec_t)
role system_r types abrt_helper_t;
-@@ -43,14 +73,36 @@ ifdef(`enable_mcs',`
+@@ -43,14 +74,36 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')
@@ -481,7 +482,7 @@ index 30861ec..338c342 100644
allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -59,6 +111,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
+@@ -59,6 +112,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
# abrt etc files
@@ -489,7 +490,7 @@ index 30861ec..338c342 100644
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
# log file
-@@ -68,7 +121,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -68,7 +122,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
# abrt tmp files
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
@@ -499,7 +500,7 @@ index 30861ec..338c342 100644
# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -76,16 +131,18 @@ manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -76,16 +132,18 @@ manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
@@ -520,7 +521,7 @@ index 30861ec..338c342 100644
kernel_rw_kernel_sysctl(abrt_t)
corecmd_exec_bin(abrt_t)
-@@ -93,7 +150,6 @@ corecmd_exec_shell(abrt_t)
+@@ -93,7 +151,6 @@ corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
@@ -528,7 +529,7 @@ index 30861ec..338c342 100644
corenet_tcp_sendrecv_generic_if(abrt_t)
corenet_tcp_sendrecv_generic_node(abrt_t)
corenet_tcp_sendrecv_generic_port(abrt_t)
-@@ -104,6 +160,8 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +161,8 @@ corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
@@ -537,7 +538,7 @@ index 30861ec..338c342 100644
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +171,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +172,8 @@ domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
@@ -547,7 +548,7 @@ index 30861ec..338c342 100644
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -121,6 +180,9 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +181,9 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
@@ -557,7 +558,7 @@ index 30861ec..338c342 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,22 +193,39 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +194,39 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -601,7 +602,7 @@ index 30861ec..338c342 100644
')
optional_policy(`
-@@ -167,6 +246,7 @@ optional_policy(`
+@@ -167,6 +247,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -609,7 +610,7 @@ index 30861ec..338c342 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,9 +258,36 @@ optional_policy(`
+@@ -178,9 +259,36 @@ optional_policy(`
')
optional_policy(`
@@ -646,7 +647,7 @@ index 30861ec..338c342 100644
########################################
#
# abrt--helper local policy
-@@ -196,13 +303,16 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -196,13 +304,16 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -664,7 +665,7 @@ index 30861ec..338c342 100644
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
-@@ -211,12 +321,11 @@ auth_use_nsswitch(abrt_helper_t)
+@@ -211,12 +322,11 @@ auth_use_nsswitch(abrt_helper_t)
logging_send_syslog_msg(abrt_helper_t)
@@ -679,7 +680,7 @@ index 30861ec..338c342 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +333,151 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +334,151 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -2148,10 +2149,10 @@ index 0000000..fe0cdf0
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
-index 0000000..adcd6f4
+index 0000000..5fe8447
--- /dev/null
+++ b/antivirus.te
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,40 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
@@ -2189,6 +2190,8 @@ index 0000000..adcd6f4
+ files_read_non_security_files(antivirus_domain)
+ files_getattr_all_pipes(antivirus_domain)
+ files_getattr_all_sockets(antivirus_domain)
++ dev_getattr_all_chr_files(antivirus_domain)
++ dev_getattr_all_blk_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
index fd9fa07..3f948ab 100644
@@ -7081,10 +7084,10 @@ index 0000000..fbcef10
+')
diff --git a/boinc.te b/boinc.te
new file mode 100644
-index 0000000..23abf6f
+index 0000000..3cf5a74
--- /dev/null
+++ b/boinc.te
-@@ -0,0 +1,201 @@
+@@ -0,0 +1,203 @@
+policy_module(boinc, 1.0.0)
+
+########################################
@@ -7198,6 +7201,8 @@ index 0000000..23abf6f
+kernel_read_system_state(boinc_t)
+kernel_search_vm_sysctl(boinc_t)
+
++dev_getattr_mouse_dev(boinc_t)
++
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+
@@ -9008,7 +9013,7 @@ index 0000000..88107d7
+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
diff --git a/chrome.if b/chrome.if
new file mode 100644
-index 0000000..36bd6be
+index 0000000..5977d96
--- /dev/null
+++ b/chrome.if
@@ -0,0 +1,134 @@
@@ -9098,9 +9103,9 @@ index 0000000..36bd6be
+
+ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
-+ allow chrome_sandbox_t $2:unix_stream_socket { append getattr read write };
++ allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;;
+ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
-+ allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write };
++ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms;
+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
+
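Review bot: The new chrome_sandbox_t rule ends in `;;`; the second semicolon looks like a typo and the line should read `allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;`. Both rewritten rules also apply a permission set named for the sock_file class to `unix_stream_socket`. If that set expands to the same list as the removed `{ append getattr read write }`, the chrome_sandbox_nacl_t rule gains `append` compared with its old `{ getattr read write }`. The reverse-direction rules just below keep explicit permission lists, so I would either keep the explicit sets here too or add a comment saying the wider set is intended. The interface body starts and ends outside the hunk.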
@@ -9148,10 +9153,10 @@ index 0000000..36bd6be
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..a2b1c20
+index 0000000..701862d
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,203 @@
+@@ -0,0 +1,204 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -9213,6 +9218,7 @@ index 0000000..a2b1c20
+corecmd_exec_bin(chrome_sandbox_t)
+
+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
++corenet_tcp_connect_aol_port(chrome_sandbox_t)
+corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
+corenet_tcp_connect_flash_port(chrome_sandbox_t)
+corenet_tcp_connect_streaming_port(chrome_sandbox_t)
@@ -10725,7 +10731,7 @@ index 116d60f..83d5104 100644
- allow $2 system_r;
')
diff --git a/cobbler.te b/cobbler.te
-index 0258b48..260d23d 100644
+index 0258b48..926d517 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -1,18 +1,43 @@
@@ -10836,7 +10842,7 @@ index 0258b48..260d23d 100644
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
kernel_read_system_state(cobblerd_t)
-+kernel_dontaudit_search_network_state(cobblerd_t)
++kernel_read_network_state(cobblerd_t)
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
@@ -11168,10 +11174,10 @@ index 0000000..40415f8
+
diff --git a/collectd.te b/collectd.te
new file mode 100644
-index 0000000..62f1fd5
+index 0000000..c8ee976
--- /dev/null
+++ b/collectd.te
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,105 @@
+policy_module(collectd, 1.0.0)
+
+########################################
@@ -11231,6 +11237,8 @@ index 0000000..62f1fd5
+
+kernel_read_all_sysctls(collectd_t)
+kernel_read_all_proc(collectd_t)
++kernel_list_all_proc(collectd_t)
++domain_read_all_domains_state(collectd_t)
+
+dev_read_sysfs(collectd_t)
+dev_read_urand(collectd_t)
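Review bot: `domain_read_all_domains_state(collectd_t)` and `kernel_list_all_proc(collectd_t)` are appended directly under the kernel_ calls with no comment. As far as the commit message entries visible here go, there is no changelog line for them either. By its name, the first interface lets collectd_t read the /proc state of every domain, which is a broad information grant for a daemon. A comment naming the plugin that needs it, e.g. `# <plugin> reads per-process statistics from /proc/<pid>`, would help decide whether it belongs behind a boolean. I would also put the `domain_` call in its own group, separated by a blank line.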
@@ -15310,7 +15318,7 @@ index 305ddf4..ca832e1 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index e5a8924..49e2699 100644
+index e5a8924..00478fb 100644
--- a/cups.te
+++ b/cups.te
@@ -1,22 +1,28 @@
@@ -15403,7 +15411,7 @@ index e5a8924..49e2699 100644
type ptal_t;
type ptal_exec_t;
-@@ -96,77 +93,103 @@ ifdef(`enable_mls',`
+@@ -96,77 +93,100 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
')
@@ -15484,13 +15492,9 @@ index e5a8924..49e2699 100644
allow cupsd_t cupsd_lock_t:file manage_file_perms;
files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
--manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
--allow cupsd_t cupsd_log_t:dir setattr;
+manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
-+append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
-+create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
-+read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
-+setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+ manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-allow cupsd_t cupsd_log_t:dir setattr;
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
+manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
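Review bot: Going back to `manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)` drops the append/create/read/setattr restriction that the previous revision placed on cupsd's log files, and no comment says what required it. With manage rights the daemon can overwrite, rename and unlink its logs, so a compromised cupsd could alter its own record of events. If the need is only rotation or truncation, a narrower grant may be enough. I would record the reason next to the rule, e.g. `# cupsd rotates its own logs and needs <perm> on cupsd_log_t (bug <id>)`.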
@@ -15533,7 +15537,7 @@ index e5a8924..49e2699 100644
corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_generic_if(cupsd_t)
corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -178,6 +201,9 @@ corenet_tcp_sendrecv_all_ports(cupsd_t)
+@@ -178,6 +198,9 @@ corenet_tcp_sendrecv_all_ports(cupsd_t)
corenet_udp_sendrecv_all_ports(cupsd_t)
corenet_tcp_bind_generic_node(cupsd_t)
corenet_udp_bind_generic_node(cupsd_t)
@@ -15543,7 +15547,7 @@ index e5a8924..49e2699 100644
corenet_tcp_bind_ipp_port(cupsd_t)
corenet_udp_bind_ipp_port(cupsd_t)
corenet_udp_bind_howl_port(cupsd_t)
-@@ -185,60 +211,63 @@ corenet_tcp_bind_reserved_port(cupsd_t)
+@@ -185,60 +208,63 @@ corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_bind_all_rpc_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -15639,7 +15643,7 @@ index e5a8924..49e2699 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
-@@ -251,30 +280,21 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -251,30 +277,21 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
@@ -15675,7 +15679,7 @@ index e5a8924..49e2699 100644
optional_policy(`
apm_domtrans_client(cupsd_t)
-@@ -287,6 +307,8 @@ optional_policy(`
+@@ -287,6 +304,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -15684,7 +15688,7 @@ index e5a8924..49e2699 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -297,8 +319,10 @@ optional_policy(`
+@@ -297,8 +316,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -15695,7 +15699,7 @@ index e5a8924..49e2699 100644
')
')
-@@ -311,17 +335,28 @@ optional_policy(`
+@@ -311,17 +332,28 @@ optional_policy(`
')
optional_policy(`
@@ -15725,7 +15729,7 @@ index e5a8924..49e2699 100644
')
optional_policy(`
-@@ -336,19 +371,20 @@ optional_policy(`
+@@ -336,19 +368,20 @@ optional_policy(`
udev_read_db(cupsd_t)
')
@@ -15752,7 +15756,7 @@ index e5a8924..49e2699 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -360,9 +396,7 @@ manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+@@ -360,9 +393,7 @@ manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file)
@@ -15763,7 +15767,7 @@ index e5a8924..49e2699 100644
manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
-@@ -371,70 +405,49 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,70 +402,49 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -15847,7 +15851,7 @@ index e5a8924..49e2699 100644
optional_policy(`
term_use_generic_ptys(cupsd_config_t)
-@@ -450,12 +463,19 @@ optional_policy(`
+@@ -450,12 +460,19 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(cupsd_config_t)
')
@@ -15868,7 +15872,7 @@ index e5a8924..49e2699 100644
')
optional_policy(`
-@@ -467,8 +487,7 @@ optional_policy(`
+@@ -467,8 +484,7 @@ optional_policy(`
')
optional_policy(`
@@ -15878,7 +15882,7 @@ index e5a8924..49e2699 100644
')
optional_policy(`
-@@ -489,231 +508,84 @@ optional_policy(`
+@@ -489,231 +505,84 @@ optional_policy(`
########################################
#
@@ -16131,7 +16135,7 @@ index e5a8924..49e2699 100644
########################################
#
-@@ -723,14 +595,12 @@ optional_policy(`
+@@ -723,14 +592,12 @@ optional_policy(`
allow ptal_t self:capability { chown sys_rawio };
dontaudit ptal_t self:capability sys_tty_config;
allow ptal_t self:fifo_file rw_fifo_file_perms;
@@ -16147,7 +16151,7 @@ index e5a8924..49e2699 100644
manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
-@@ -743,29 +613,26 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -743,29 +610,26 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -36047,7 +36051,7 @@ index b397fde..aaf4cdf 100644
+')
+
diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..af07b52 100644
+index d4fcb75..3b09e66 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -36220,7 +36224,7 @@ index d4fcb75..af07b52 100644
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
')
-@@ -297,65 +318,106 @@ optional_policy(`
+@@ -297,65 +318,107 @@ optional_policy(`
# mozilla_plugin local policy
#
@@ -36294,6 +36298,7 @@ index d4fcb75..af07b52 100644
-corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
-corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
-corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
++corenet_tcp_connect_aol_port(mozilla_plugin_t)
+corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
corenet_tcp_connect_generic_port(mozilla_plugin_t)
-corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
@@ -36342,7 +36347,7 @@ index d4fcb75..af07b52 100644
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -363,55 +425,62 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -363,55 +426,62 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
@@ -36426,7 +36431,7 @@ index d4fcb75..af07b52 100644
')
optional_policy(`
-@@ -420,26 +489,45 @@ optional_policy(`
+@@ -420,37 +490,169 @@ optional_policy(`
')
optional_policy(`
@@ -36476,9 +36481,10 @@ index d4fcb75..af07b52 100644
')
optional_policy(`
-@@ -447,10 +535,122 @@ optional_policy(`
+ pulseaudio_exec(mozilla_plugin_t)
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
++ pulseaudio_manage_home_dirs(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
+ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
+')
@@ -39605,7 +39611,7 @@ index 8581040..d7d9a79 100644
init_labeled_script_domtrans($1, nagios_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/nagios.te b/nagios.te
-index c3e2a2d..dcc9cc6 100644
+index c3e2a2d..9366991 100644
--- a/nagios.te
+++ b/nagios.te
@@ -5,6 +5,8 @@ policy_module(nagios, 1.12.0)
@@ -39824,7 +39830,7 @@ index c3e2a2d..dcc9cc6 100644
corecmd_exec_bin(nagios_services_plugin_t)
-@@ -342,6 +350,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -342,10 +350,13 @@ files_read_usr_files(nagios_services_plugin_t)
optional_policy(`
netutils_domtrans_ping(nagios_services_plugin_t)
@@ -39833,7 +39839,12 @@ index c3e2a2d..dcc9cc6 100644
')
optional_policy(`
-@@ -365,6 +375,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+ mysql_stream_connect(nagios_services_plugin_t)
++ mysql_read_config(nagios_services_plugin_t)
+ ')
+
+ optional_policy(`
+@@ -365,6 +376,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
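Review bot: `mysql_read_config(nagios_services_plugin_t)` is added beside `mysql_stream_connect` without a comment, and it is not among the commit message entries visible on this page. MySQL configuration files can carry client credentials, so read access for the whole services-plugin domain deserves a line saying which check needs it, e.g. `# <plugin> reads the MySQL client configuration`. If only one plugin needs the access, consider whether it could be scoped more narrowly than the shared nagios_services_plugin_t domain.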
@@ -39842,7 +39853,7 @@ index c3e2a2d..dcc9cc6 100644
kernel_read_system_state(nagios_system_plugin_t)
kernel_read_kernel_sysctls(nagios_system_plugin_t)
-@@ -372,11 +384,13 @@ corecmd_exec_bin(nagios_system_plugin_t)
+@@ -372,11 +385,13 @@ corecmd_exec_bin(nagios_system_plugin_t)
corecmd_exec_shell(nagios_system_plugin_t)
dev_read_sysfs(nagios_system_plugin_t)
@@ -39858,7 +39869,7 @@ index c3e2a2d..dcc9cc6 100644
# needed by check_users plugin
optional_policy(`
-@@ -391,3 +405,48 @@ optional_policy(`
+@@ -391,3 +406,48 @@ optional_policy(`
optional_policy(`
unconfined_domain(nagios_unconfined_plugin_t)
')
@@ -46796,10 +46807,10 @@ index ceafba6..e438490 100644
+ virt_rw_svirt_dev(pcscd_t)
+')
diff --git a/pegasus.if b/pegasus.if
-index 920b13f..22b745a 100644
+index 920b13f..ded726f 100644
--- a/pegasus.if
+++ b/pegasus.if
-@@ -1 +1,37 @@
+@@ -1 +1,59 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
+######################################
@@ -46816,6 +46827,7 @@ index 920b13f..22b745a 100644
+template(`pegasus_openlmi_domain_template',`
+ gen_require(`
+ attribute pegasus_openlmi_domain;
++ type pegasus_t;
+ ')
+
+ ##############################
@@ -46824,7 +46836,7 @@ index 920b13f..22b745a 100644
+ #
+
+ type pegasus_openlmi_$1_t, pegasus_openlmi_domain;
-+ type $1_exec_t;
++ type pegasus_openlmi_$1_exec_t;
+ init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t)
+
+ ##############################
@@ -46837,8 +46849,29 @@ index 920b13f..22b745a 100644
+ kernel_read_system_state(pegasus_openlmi_$1_t)
+ logging_send_syslog_msg(pegasus_openlmi_$1_t)
+')
++
++########################################
++## <summary>
++## Connect to pegasus over a unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pegasus_stream_connect',`
++ gen_require(`
++ type pegasus_t, pegasus_var_run_t, pegasus_tmp_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, pegasus_var_run_t, pegasus_var_run_t, pegasus_t)
++ stream_connect_pattern($1, pegasus_tmp_t, pegasus_tmp_t, pegasus_t)
++')
++
diff --git a/pegasus.te b/pegasus.te
-index 3185114..319c43b 100644
+index 3185114..120b3d1 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -5,10 +5,15 @@ policy_module(pegasus, 1.8.0)
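Review bot: `pegasus_stream_connect` allows connecting through sockets labelled `pegasus_var_run_t` and `pegasus_tmp_t`, but the only directory search it grants is `files_search_pids($1)`. A caller that cannot already search the tmp directory would be denied before it reaches a `pegasus_tmp_t` socket. If the server socket really is created under /tmp, add `files_search_tmp($1)` beside the existing search. If it is not, drop `pegasus_tmp_t` from the `gen_require` and remove the second `stream_connect_pattern` to keep the interface narrower.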
@@ -46866,22 +46899,62 @@ index 3185114..319c43b 100644
type pegasus_mof_t;
files_type(pegasus_mof_t)
-@@ -24,23 +29,40 @@ files_type(pegasus_mof_t)
+@@ -24,23 +29,80 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
+# pegasus openlmi providers
-+#pegasus_openlmi_domain_template(account)
++pegasus_openlmi_domain_template(account)
+
+#######################################
+#
+# pegasus openlmi providers local policy
+#
+
++allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms;
++
++list_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
++read_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
++
+corecmd_exec_bin(pegasus_openlmi_domain)
+
+sysnet_read_config(pegasus_openlmi_domain)
+
++optional_policy(`
++ pegasus_stream_connect(pegasus_openlmi_domain)
++')
++
++######################################
++#
++# pegasus openlmi account local policy
++#
++
++allow pegasus_openlmi_account_t self:capability { setuid chown setgid dac_override };
++allow pegasus_openlmi_account_t self:process setfscreate;
++
++auth_manage_passwd(pegasus_openlmi_account_t)
++auth_manage_shadow(pegasus_openlmi_account_t)
++auth_relabel_shadow(pegasus_openlmi_account_t)
++auth_etc_filetrans_shadow(pegasus_openlmi_account_t)
++
++init_rw_utmp(pegasus_openlmi_account_t)
++
++logging_send_syslog_msg(pegasus_openlmi_account_t)
++
++seutil_read_config(pegasus_openlmi_account_t)
++seutil_read_file_contexts(pegasus_openlmi_account_t)
++seutil_read_default_contexts(pegasus_openlmi_account_t)
++
++# Add/remove user home directories
++userdom_home_filetrans_user_home_dir(pegasus_openlmi_account_t)
++userdom_manage_home_role(system_r, pegasus_openlmi_account_t)
++userdom_delete_all_user_home_content(pegasus_openlmi_account_t)
++
++optional_policy(`
++ # run userdel
++ usermanage_domtrans_useradd(pegasus_openlmi_account_t)
++')
++
########################################
#
-# Local policy
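Review bot: The new `pegasus_openlmi_account_t` rules grant direct manage and relabel access to shadow (`auth_manage_shadow`, `auth_relabel_shadow`) together with `dac_override`, and the optional block at the end also allows `usermanage_domtrans_useradd`. If the provider changes accounts by running the shadow-utils tools, the transition may be sufficient and the direct shadow grants could go. If it edits the files in-process, a comment saying so would justify the wider set. The comment `# run userdel` sits above a useradd transition; something like `# userdel/usermod run in useradd_t` would be clearer, assuming those binaries share `useradd_exec_t` in this policy.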
@@ -46911,7 +46984,7 @@ index 3185114..319c43b 100644
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
-@@ -56,17 +78,20 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
+@@ -56,17 +118,20 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
@@ -46935,7 +47008,7 @@ index 3185114..319c43b 100644
corenet_all_recvfrom_netlabel(pegasus_t)
corenet_tcp_sendrecv_generic_if(pegasus_t)
corenet_tcp_sendrecv_generic_node(pegasus_t)
-@@ -86,7 +111,7 @@ corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
+@@ -86,7 +151,7 @@ corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
@@ -46944,7 +47017,7 @@ index 3185114..319c43b 100644
dev_read_urand(pegasus_t)
fs_getattr_all_fs(pegasus_t)
-@@ -95,11 +120,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -95,11 +160,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -46957,7 +47030,7 @@ index 3185114..319c43b 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
files_read_var_lib_symlinks(pegasus_t)
-@@ -112,7 +137,7 @@ init_stream_connect_script(pegasus_t)
+@@ -112,7 +177,7 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -46966,7 +47039,7 @@ index 3185114..319c43b 100644
sysnet_read_config(pegasus_t)
sysnet_domtrans_ifconfig(pegasus_t)
-@@ -121,12 +146,48 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
+@@ -121,12 +186,48 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_user_home_dirs(pegasus_t)
optional_policy(`
@@ -47016,7 +47089,7 @@ index 3185114..319c43b 100644
')
optional_policy(`
-@@ -136,3 +197,14 @@ optional_policy(`
+@@ -136,3 +237,14 @@ optional_policy(`
optional_policy(`
unconfined_signull(pegasus_t)
')
@@ -52896,7 +52969,7 @@ index 84f23dc..0e7d875 100644
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
diff --git a/pulseaudio.if b/pulseaudio.if
-index f40c64d..191600b 100644
+index f40c64d..0e0cc71 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
@@ -35,6 +35,9 @@ interface(`pulseaudio_role',`
@@ -52924,7 +52997,34 @@ index f40c64d..191600b 100644
')
########################################
-@@ -257,4 +262,106 @@ interface(`pulseaudio_manage_home_files',`
+@@ -241,6 +246,26 @@ interface(`pulseaudio_rw_home_files',`
+ ########################################
+ ## <summary>
+ ## Create, read, write, and delete pulseaudio
++## home directories.
++## </summary>
++## <param name="user_domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pulseaudio_manage_home_dirs',`
++ gen_require(`
++ type pulseaudio_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete pulseaudio
+ ## home directory files.
+ ## </summary>
+ ## <param name="user_domain">
+@@ -257,4 +282,106 @@ interface(`pulseaudio_manage_home_files',`
userdom_search_user_home_dirs($1)
manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
@@ -56148,7 +56248,7 @@ index b1a85b5..6d6ec1d 100644
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
+')
diff --git a/raid.te b/raid.te
-index a8a12b7..8b27779 100644
+index a8a12b7..7773000 100644
--- a/raid.te
+++ b/raid.te
@@ -10,11 +10,12 @@ type mdadm_exec_t;
@@ -56224,7 +56324,7 @@ index a8a12b7..8b27779 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -69,16 +80,18 @@ mls_file_write_all_levels(mdadm_t)
+@@ -69,16 +80,19 @@ mls_file_write_all_levels(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_dev_filetrans_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
@@ -56238,6 +56338,7 @@ index a8a12b7..8b27779 100644
+
init_dontaudit_getattr_initctl(mdadm_t)
++logging_dontaudit_getattr_all_logs(mdadm_t)
logging_send_syslog_msg(mdadm_t)
-miscfiles_read_localization(mdadm_t)
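Review bot: `logging_dontaudit_getattr_all_logs(mdadm_t)` suppresses every getattr denial from mdadm_t on log files, and nothing beside the rule says why. The changelog attributes it to mdadm running ps, so record that next to the rule, e.g. `# mdadm runs ps, which getattrs log files`. Anyone later reviewing mdadm_t with dontaudit rules disabled (`semodule -DB`) will then know these denials are expected.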
@@ -56245,7 +56346,7 @@ index a8a12b7..8b27779 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
userdom_dontaudit_use_user_terminals(mdadm_t)
-@@ -86,6 +99,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
+@@ -86,6 +100,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
mta_send_mail(mdadm_t)
optional_policy(`
@@ -65034,10 +65135,10 @@ index 0000000..c9d2d9c
+
diff --git a/sge.te b/sge.te
new file mode 100644
-index 0000000..d43336f
+index 0000000..e378f1c
--- /dev/null
+++ b/sge.te
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,197 @@
+policy_module(sge, 1.0.0)
+
+########################################
@@ -65084,19 +65185,23 @@ index 0000000..d43336f
+# sge_execd local policy
+#
+
-+allow sge_execd_t self:capability { dac_override setuid chown setgid };
++allow sge_execd_t self:capability { dac_override kill setuid chown setgid };
+allow sge_execd_t self:process { setsched signal setpgid };
+
+allow sge_execd_t sge_shepherd_t:process signal;
+
+kernel_read_kernel_sysctls(sge_execd_t)
+
++corenet_tcp_bind_sge_port(sge_execd_t)
++corenet_tcp_connect_sge_port(sge_execd_t)
++
+dev_read_sysfs(sge_execd_t)
+
+files_exec_usr_files(sge_execd_t)
+files_search_spool(sge_execd_t)
+
+fs_getattr_xattr_fs(sge_execd_t)
++fs_read_cgroup_files(sge_execd_t)
+
+auth_use_nsswitch(sge_execd_t)
+
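Review bot: `kill` is added to the `sge_execd_t` capability set without a comment, and the only signal rule visible in this hunk is `allow sge_execd_t sge_shepherd_t:process signal;`. Presumably the capability is needed because shepherd processes run under the job owner's uid. A line such as `# signal shepherd processes running as other users` above the `self:capability` rule would record the reason. The policy continues beyond this hunk, so further signal rules may exist outside the visible lines.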
@@ -68670,10 +68775,10 @@ index f646c66..a399168 100644
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
diff --git a/svnserve.fc b/svnserve.fc
new file mode 100644
-index 0000000..5ab0840
+index 0000000..12ca090
--- /dev/null
+++ b/svnserve.fc
-@@ -0,0 +1,12 @@
+@@ -0,0 +1,13 @@
+/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
+
+/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0)
@@ -68684,6 +68789,7 @@ index 0000000..5ab0840
+/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0)
+/var/run/svnserve.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0)
+
++/var/svn(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
diff --git a/svnserve.if b/svnserve.if
@@ -68812,10 +68918,10 @@ index 0000000..dd2ac36
+
diff --git a/svnserve.te b/svnserve.te
new file mode 100644
-index 0000000..1a2e9f1
+index 0000000..3944234
--- /dev/null
+++ b/svnserve.te
-@@ -0,0 +1,53 @@
+@@ -0,0 +1,62 @@
+policy_module(svnserve, 1.0.0)
+
+########################################
@@ -68839,6 +68945,9 @@ index 0000000..1a2e9f1
+type svnserve_unit_file_t;
+systemd_unit_file(svnserve_unit_file_t)
+
++type svnserve_tmp_t;
++files_tmp_file(svnserve_tmp_t)
++
+########################################
+#
+# svnserve local policy
@@ -68848,6 +68957,11 @@ index 0000000..1a2e9f1
+allow svnserve_t self:tcp_socket create_stream_socket_perms;
+allow svnserve_t self:unix_stream_socket create_stream_socket_perms;
+
++manage_dirs_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
++manage_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
++manage_lnk_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
++files_tmp_filetrans(svnserve_t, svnserve_tmp_t, { file dir })
++
+manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
+manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
+
@@ -68856,6 +68970,7 @@ index 0000000..1a2e9f1
+files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
+
+corenet_udp_bind_generic_node(svnserve_t)
++corenet_tcp_bind_generic_node(svnserve_t)
+corenet_tcp_connect_svn_port(svnserve_t)
+corenet_tcp_bind_svn_port(svnserve_t)
+corenet_udp_bind_svn_port(svnserve_t)
@@ -73096,7 +73211,7 @@ index 2124b6a..d60e3e4 100644
+/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 6f0736b..bb1421c 100644
+index 6f0736b..b6aaf56 100644
--- a/virt.if
+++ b/virt.if
@@ -13,67 +13,30 @@
@@ -73214,12 +73329,30 @@ index 6f0736b..bb1421c 100644
## </param>
#
interface(`virt_domtrans',`
-@@ -116,9 +97,45 @@ interface(`virt_domtrans',`
+@@ -116,9 +97,63 @@ interface(`virt_domtrans',`
domtrans_pattern($1, virtd_exec_t, virtd_t)
')
+########################################
+## <summary>
++## Execute virtd in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`virt_exec',`
++ gen_require(`
++ type virtd_exec_t;
++ ')
++
++ can_exec($1, virtd_exec_t)
++')
++
++########################################
++## <summary>
+## Transition to virt_qmf.
+## </summary>
+## <param name="domain">
@@ -73261,7 +73394,7 @@ index 6f0736b..bb1421c 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -135,6 +152,24 @@ interface(`virt_stream_connect',`
+@@ -135,6 +170,24 @@ interface(`virt_stream_connect',`
stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
')
@@ -73286,7 +73419,7 @@ index 6f0736b..bb1421c 100644
########################################
## <summary>
## Allow domain to attach to virt TUN devices
-@@ -166,13 +201,13 @@ interface(`virt_attach_tun_iface',`
+@@ -166,13 +219,13 @@ interface(`virt_attach_tun_iface',`
#
interface(`virt_read_config',`
gen_require(`
@@ -73302,7 +73435,7 @@ index 6f0736b..bb1421c 100644
')
########################################
-@@ -187,13 +222,13 @@ interface(`virt_read_config',`
+@@ -187,13 +240,13 @@ interface(`virt_read_config',`
#
interface(`virt_manage_config',`
gen_require(`
@@ -73318,7 +73451,7 @@ index 6f0736b..bb1421c 100644
')
########################################
-@@ -233,6 +268,24 @@ interface(`virt_read_content',`
+@@ -233,6 +286,24 @@ interface(`virt_read_content',`
########################################
## <summary>
@@ -73343,7 +73476,7 @@ index 6f0736b..bb1421c 100644
## Read virt PID files.
## </summary>
## <param name="domain">
-@@ -252,6 +305,28 @@ interface(`virt_read_pid_files',`
+@@ -252,6 +323,28 @@ interface(`virt_read_pid_files',`
########################################
## <summary>
@@ -73372,7 +73505,7 @@ index 6f0736b..bb1421c 100644
## Manage virt pid files.
## </summary>
## <param name="domain">
-@@ -263,10 +338,47 @@ interface(`virt_read_pid_files',`
+@@ -263,10 +356,47 @@ interface(`virt_read_pid_files',`
interface(`virt_manage_pid_files',`
gen_require(`
type virt_var_run_t;
@@ -73420,7 +73553,7 @@ index 6f0736b..bb1421c 100644
')
########################################
-@@ -310,6 +422,24 @@ interface(`virt_read_lib_files',`
+@@ -310,6 +440,24 @@ interface(`virt_read_lib_files',`
########################################
## <summary>
@@ -73445,7 +73578,7 @@ index 6f0736b..bb1421c 100644
## Create, read, write, and delete
## virt lib files.
## </summary>
-@@ -354,9 +484,9 @@ interface(`virt_read_log',`
+@@ -354,9 +502,9 @@ interface(`virt_read_log',`
## virt log files.
## </summary>
## <param name="domain">
@@ -73457,7 +73590,7 @@ index 6f0736b..bb1421c 100644
## </param>
#
interface(`virt_append_log',`
-@@ -390,6 +520,25 @@ interface(`virt_manage_log',`
+@@ -390,6 +538,25 @@ interface(`virt_manage_log',`
########################################
## <summary>
@@ -73483,7 +73616,7 @@ index 6f0736b..bb1421c 100644
## Allow domain to read virt image files
## </summary>
## <param name="domain">
-@@ -410,6 +559,7 @@ interface(`virt_read_images',`
+@@ -410,6 +577,7 @@ interface(`virt_read_images',`
read_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
read_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -73491,7 +73624,7 @@ index 6f0736b..bb1421c 100644
tunable_policy(`virt_use_nfs',`
fs_list_nfs($1)
-@@ -426,6 +576,42 @@ interface(`virt_read_images',`
+@@ -426,6 +594,42 @@ interface(`virt_read_images',`
########################################
## <summary>
@@ -73534,7 +73667,7 @@ index 6f0736b..bb1421c 100644
## Create, read, write, and delete
## svirt cache files.
## </summary>
-@@ -435,15 +621,15 @@ interface(`virt_read_images',`
+@@ -435,15 +639,15 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@@ -73555,7 +73688,7 @@ index 6f0736b..bb1421c 100644
')
########################################
-@@ -468,20 +654,94 @@ interface(`virt_manage_images',`
+@@ -468,20 +672,94 @@ interface(`virt_manage_images',`
manage_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
rw_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -73628,11 +73761,11 @@ index 6f0736b..bb1421c 100644
+interface(`virt_ptrace',`
+ gen_require(`
+ attribute virt_domain;
-+ ')
+ ')
+
+ allow $1 virt_domain:process ptrace;
-+')
-+
+ ')
+
+#######################################
+## <summary>
+## Connect to virt over a unix domain stream socket.
@@ -73647,18 +73780,18 @@ index 6f0736b..bb1421c 100644
+ gen_require(`
+ attribute svirt_lxc_domain;
+ type svirt_lxc_file_t;
- ')
++ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain)
+ ps_process_pattern(svirt_lxc_domain, $1)
- ')
-
++')
++
+
########################################
## <summary>
## All of the rules required to administrate
-@@ -502,10 +762,20 @@ interface(`virt_manage_images',`
+@@ -502,10 +780,20 @@ interface(`virt_manage_images',`
interface(`virt_admin',`
gen_require(`
type virtd_t, virtd_initrc_exec_t;
@@ -73680,7 +73813,7 @@ index 6f0736b..bb1421c 100644
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -517,4 +787,342 @@ interface(`virt_admin',`
+@@ -517,4 +805,342 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@@ -74024,7 +74157,7 @@ index 6f0736b..bb1421c 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..7763a39 100644
+index 947bbc6..8bbc3d0 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,97 @@ policy_module(virt, 1.5.0)
@@ -74717,7 +74850,7 @@ index 947bbc6..7763a39 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -438,34 +662,654 @@ dev_write_sound(virt_domain)
+@@ -438,34 +662,655 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -74951,6 +75084,7 @@ index 947bbc6..7763a39 100644
+optional_policy(`
+ xen_manage_image_dirs(virsh_t)
+ xen_read_image_files(virsh_t)
++ xen_read_lib_files(virsh_t)
+ xen_append_log(virsh_t)
+ xen_domtrans(virsh_t)
+ xen_read_pid_files_xenstored(virsh_t)
@@ -76429,7 +76563,7 @@ index 1a1b374..7977c2c 100644
/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
diff --git a/xen.if b/xen.if
-index 77d41b6..cc73c96 100644
+index 77d41b6..16e29c1 100644
--- a/xen.if
+++ b/xen.if
@@ -20,6 +20,25 @@ interface(`xen_domtrans',`
@@ -76458,7 +76592,7 @@ index 77d41b6..cc73c96 100644
## Inherit and use xen file descriptors.
## </summary>
## <param name="domain">
-@@ -55,6 +74,26 @@ interface(`xen_dontaudit_use_fds',`
+@@ -55,6 +74,45 @@ interface(`xen_dontaudit_use_fds',`
dontaudit $1 xend_t:fd use;
')
@@ -76482,10 +76616,29 @@ index 77d41b6..cc73c96 100644
+ read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
+')
+
++########################################
++## <summary>
++## Read xend lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xen_read_lib_files',`
++ gen_require(`
++ type xend_var_lib_t;
++ ')
++
++ files_list_var_lib($1)
++ read_files_pattern($1, xend_var_lib_t, xend_var_lib_t)
++')
++
########################################
## <summary>
## Read xend image files.
-@@ -87,6 +126,26 @@ interface(`xen_read_image_files',`
+@@ -87,6 +145,26 @@ interface(`xen_read_image_files',`
## </summary>
## </param>
#
@@ -76512,7 +76665,7 @@ index 77d41b6..cc73c96 100644
interface(`xen_rw_image_files',`
gen_require(`
type xen_image_t, xend_var_lib_t;
-@@ -161,7 +220,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
+@@ -161,7 +239,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
########################################
## <summary>
@@ -76521,7 +76674,7 @@ index 77d41b6..cc73c96 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -180,7 +239,7 @@ interface(`xen_stream_connect_xenstore',`
+@@ -180,7 +258,7 @@ interface(`xen_stream_connect_xenstore',`
########################################
## <summary>
@@ -76530,7 +76683,7 @@ index 77d41b6..cc73c96 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -213,14 +272,15 @@ interface(`xen_stream_connect',`
+@@ -213,14 +291,15 @@ interface(`xen_stream_connect',`
interface(`xen_domtrans_xm',`
gen_require(`
type xm_t, xm_exec_t;
@@ -76548,7 +76701,7 @@ index 77d41b6..cc73c96 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -230,7 +290,7 @@ interface(`xen_domtrans_xm',`
+@@ -230,7 +309,7 @@ interface(`xen_domtrans_xm',`
#
interface(`xen_stream_connect_xm',`
gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 74fd685..e201775 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 94%{?dist}
+Release: 95%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,21 @@ SELinux Reference policy mls base module.
%endif
%Changelog
+* Fri May 17 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-95
+- Fix pegasus_openlmi_domain_template()
+- Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is a part of pulseaudio_manage_home_files
+- Change cupsd_t to be allowed to manage own log files
+- Allow sge_execd_t to also connect to sge ports
+- Make gnome-abrt wokring with staff_t
+- Allow sge_execd to bind sge ports. Allow kill capability and reads cgroup files
+- Add web browser plugins to connect to aol ports
+- Update antivirus_can_scan_system boolean
+- Allow mozilla_plugin_t to create pulseaudit_home_t directories
+- mdadm runs ps command which seems to getattr on random log files
+- Allow cobblerd to read network state
+- Add port definition for sge ports
+- Allow useradd_t to r/w var_lib_t
+
* Tue May 7 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-94
- Fix allow rules for postfix_var_run
- Allow cobblerd to read /etc/passwd