[selinux-policy/f18] - Fix ipsec_manage_key_file() - Fix ipsec_filetrans_key_file() - Label /usr/bin/razor-lightdm-greete
Miroslav Grepl
mgrepl at fedoraproject.org
Tue May 28 14:17:32 UTC 2013
commit ea624fb00352ca3c1d539652c91d55e0c4e2d61d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue May 28 16:16:06 2013 +0200
- Fix ipsec_manage_key_file()
- Fix ipsec_filetrans_key_file()
- Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_ex
- Fix labeling for ipsec.secrets
- Add interfaces for ipsec and labeling for ipsec.info and ipsec_setup.p
- Allow l2tpd to create ipsec key files with correct labeling and manage
- Fix cobbler_manage_lib_files/cobbler_read_lib_files to cover also lnk
- Add labeling for /usr/sbin/unbound-checkconf
- Allow l2tpd to read ipsec-mgmt pid files
- more fixes for l2tpd, NM and pppd from #967072
- Allow NM to send signals to l2tpd
- Allow devicekit_disk_t to sys_config_tty
- Make printing from vmware working
- Allow mozilla-plugin to connect to jboss port
- Add chronyd support for #965457
- Fix labeling for HOMEDIR/.icedtea
policy-f18-base.patch | 99 ++++++++++++--
policy-f18-contrib.patch | 335 ++++++++++++++++++++++++++++++++++++----------
selinux-policy.spec | 20 +++-
3 files changed, 374 insertions(+), 80 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index d9fcece..44edbb3 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -128718,7 +128718,7 @@ index b17e27a..e700e11 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index fc86b7c..c65935b 100644
+index fc86b7c..71fd2e9 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -128777,7 +128777,7 @@ index fc86b7c..c65935b 100644
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,25 +76,28 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,25 +76,29 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /tmp
#
@@ -128803,6 +128803,7 @@ index fc86b7c..c65935b 100644
+/usr/(s)?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
++/usr/bin/razor-lightdm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -128812,7 +128813,7 @@ index fc86b7c..c65935b 100644
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -90,24 +123,47 @@ ifndef(`distro_debian',`
+@@ -90,24 +124,47 @@ ifndef(`distro_debian',`
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -136067,9 +136068,18 @@ index 4a88fa1..9c0b2c0 100644
+ allow direct_run_init direct_init_entry:file { getattr open read execute };
+')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index ec85acb..d4da3bd 100644
+index ec85acb..3451447 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
+@@ -1,7 +1,7 @@
+ /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+
+-/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
+ /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+ /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
+
@@ -26,11 +26,7 @@
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
@@ -136083,11 +136093,80 @@ index ec85acb..d4da3bd 100644
/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
+@@ -44,3 +40,5 @@
+
+ /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+ /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
++/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
++/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..5a61cd7 100644
+index 0d4c8d3..0c32fb4 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
-@@ -120,7 +120,6 @@ interface(`ipsec_exec_mgmt',`
+@@ -55,6 +55,62 @@ interface(`ipsec_domtrans_mgmt',`
+ domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
+ ')
+
++#######################################
++## <summary>
++## Allow to create OBJECT in /etc with ipsec_key_file_t.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ipsec_filetrans_key_file',`
++ gen_require(`
++ type ipsec_key_file_t;
++ ')
++
++ files_etc_filetrans($1, ipsec_key_file_t, file)
++')
++
++#######################################
++## <summary>
++## Allow to manage ipsec key files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ipsec_manage_key_file',`
++ gen_require(`
++ type ipsec_key_file_t;
++ ')
++
++ manage_files_pattern($1, ipsec_key_file_t, ipsec_key_file_t)
++')
++
++########################################
++## <summary>
++## Read the ipsec_mgmt_var_run_t files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ipsec_mgmt_read_pid',`
++ gen_require(`
++ type ipsec_mgmt_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, ipsec_mgmt_var_run_t, ipsec_mgmt_var_run_t)
++')
++
++
+ ########################################
+ ## <summary>
+ ## Connect to racoon using a unix domain stream socket.
+@@ -120,7 +176,6 @@ interface(`ipsec_exec_mgmt',`
## </summary>
## </param>
#
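Review bot: In the ipsec.if part of this hunk, `ipsec_filetrans_key_file` calls `files_etc_filetrans($1, ipsec_key_file_t, file)` without an object name, so every regular file the caller creates directly in an etc_t directory is labeled as an IPsec key file, not only the secrets file. Other interfaces in this patch set already use named transitions (for example `logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")`), so `files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets")` would be the tighter form if the caller only ever creates that name. If temporary `ipsec.secrets.*` names have to be covered as well, a comment above the interface saying so would explain why the transition is unnamed. The same concern applies to the l2tpd.te hunk further down, where `ipsec_filetrans_key_file(l2tpd_t)` and `ipsec_manage_key_file(l2tpd_t)` hand this access to a network-facing daemon.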
@@ -136095,7 +136174,7 @@ index 0d4c8d3..5a61cd7 100644
interface(`ipsec_signal_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -139,7 +138,6 @@ interface(`ipsec_signal_mgmt',`
+@@ -139,7 +194,6 @@ interface(`ipsec_signal_mgmt',`
## </summary>
## </param>
#
@@ -136103,7 +136182,7 @@ index 0d4c8d3..5a61cd7 100644
interface(`ipsec_signull_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -158,7 +156,6 @@ interface(`ipsec_signull_mgmt',`
+@@ -158,7 +212,6 @@ interface(`ipsec_signull_mgmt',`
## </summary>
## </param>
#
@@ -136111,7 +136190,7 @@ index 0d4c8d3..5a61cd7 100644
interface(`ipsec_kill_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -167,6 +164,60 @@ interface(`ipsec_kill_mgmt',`
+@@ -167,6 +220,60 @@ interface(`ipsec_kill_mgmt',`
allow $1 ipsec_mgmt_t:process sigkill;
')
@@ -136172,7 +136251,7 @@ index 0d4c8d3..5a61cd7 100644
######################################
## <summary>
## Send and receive messages from
-@@ -225,6 +276,7 @@ interface(`ipsec_match_default_spd',`
+@@ -225,6 +332,7 @@ interface(`ipsec_match_default_spd',`
allow $1 ipsec_spd_t:association polmatch;
allow $1 self:association sendto;
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 18eeb05..f709429 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -1733,11 +1733,83 @@ index dc1b088..2845757 100644
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
+diff --git a/amanda.fc b/amanda.fc
+index 967c1ef..9b88925 100644
+--- a/amanda.fc
++++ b/amanda.fc
+@@ -7,6 +7,8 @@
+
+ /root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
+
++/usr/lib/systemd/system/amanda.* -- gen_context(system_u:object_r:amanda_unit_file_t,s0)
++
+ /usr/lib/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
+ /usr/lib/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
+ /usr/lib/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+@@ -14,6 +16,7 @@
+ /usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+
+ /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
++/usr/sbin/amandad -- gen_context(system_u:object_r:amanda_exec_t,s0)
+
+ /var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
+ /var/lib/amanda/[^/]+(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+diff --git a/amanda.if b/amanda.if
+index 8498e97..74143e9 100644
+--- a/amanda.if
++++ b/amanda.if
+@@ -159,3 +159,28 @@ interface(`amanda_search_var_lib',`
+ files_search_var_lib($1)
+ allow $1 amanda_var_lib_t:dir search_dir_perms;
+ ')
++
++#######################################
++## <summary>
++## Execute amanda server in the amanda domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`amanda_systemctl',`
++ gen_require(`
++ type amanda_t;
++ type amanda_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 amanda_unit_file_t:file read_file_perms;
++ allow $1 amanda_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, amanda_t)
++')
++
diff --git a/amanda.te b/amanda.te
-index d8b5abe..a4f5d3a 100644
+index d8b5abe..fda7f3a 100644
--- a/amanda.te
+++ b/amanda.te
-@@ -58,7 +58,7 @@ optional_policy(`
+@@ -6,12 +6,15 @@ policy_module(amanda, 1.14.0)
+ #
+
+ type amanda_t;
++type amanda_exec_t;
+ type amanda_inetd_exec_t;
+ inetd_service_domain(amanda_t, amanda_inetd_exec_t)
++init_daemon_domain(amanda_t, amanda_exec_t)
+ role system_r types amanda_t;
+
+-type amanda_exec_t;
+-domain_entry_file(amanda_t, amanda_exec_t)
++type amanda_unit_file_t;
++systemd_unit_file(amanda_unit_file_t)
++
+
+ type amanda_log_t;
+ logging_log_file(amanda_log_t)
+@@ -58,7 +61,7 @@ optional_policy(`
#
allow amanda_t self:capability { chown dac_override setuid kill };
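Review bot: The documentation block on the new `amanda_systemctl` interface in amanda.if does not match its body. The summary reads "Execute amanda server in the amanda domain." and the parameter text reads "Domain allowed to transition.", but the body grants no domain transition: it lets the caller run systemctl, read and manage `amanda_unit_file_t`, and inspect `amanda_t` processes. I would change the summary to `## Control the amanda service through systemctl.` and the parameter text to `## Domain allowed access.` so that callers do not assume they are getting a domtrans.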
@@ -1746,7 +1818,7 @@ index d8b5abe..a4f5d3a 100644
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket create_stream_socket_perms;
allow amanda_t self:unix_dgram_socket create_socket_perms;
-@@ -71,6 +71,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
+@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
@@ -1754,7 +1826,7 @@ index d8b5abe..a4f5d3a 100644
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -101,7 +102,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+@@ -101,7 +105,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t)
@@ -1762,7 +1834,7 @@ index d8b5abe..a4f5d3a 100644
corenet_all_recvfrom_netlabel(amanda_t)
corenet_tcp_sendrecv_generic_if(amanda_t)
corenet_udp_sendrecv_generic_if(amanda_t)
-@@ -120,7 +120,6 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+@@ -120,7 +123,6 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
dev_getattr_all_blk_files(amanda_t)
dev_getattr_all_chr_files(amanda_t)
@@ -1770,7 +1842,7 @@ index d8b5abe..a4f5d3a 100644
files_read_etc_runtime_files(amanda_t)
files_list_all(amanda_t)
files_read_all_files(amanda_t)
-@@ -177,7 +176,6 @@ kernel_read_kernel_sysctls(amanda_recover_t)
+@@ -177,7 +179,6 @@ kernel_read_kernel_sysctls(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
@@ -1778,7 +1850,7 @@ index d8b5abe..a4f5d3a 100644
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -193,7 +191,6 @@ corenet_sendrecv_amanda_client_packets(amanda_recover_t)
+@@ -193,7 +194,6 @@ corenet_sendrecv_amanda_client_packets(amanda_recover_t)
domain_use_interactive_fds(amanda_recover_t)
@@ -1786,7 +1858,7 @@ index d8b5abe..a4f5d3a 100644
files_read_etc_runtime_files(amanda_recover_t)
files_search_tmp(amanda_recover_t)
files_search_pids(amanda_recover_t)
-@@ -205,7 +202,11 @@ fstools_signal(amanda_t)
+@@ -205,7 +205,11 @@ fstools_signal(amanda_t)
logging_search_logs(amanda_recover_t)
@@ -5995,10 +6067,10 @@ index cf8e59f..ad57d4a 100644
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
-index 59aa54f..b5dadee 100644
+index 59aa54f..422a03d 100644
--- a/bind.fc
+++ b/bind.fc
-@@ -4,12 +4,19 @@
+@@ -4,12 +4,20 @@
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
@@ -6015,10 +6087,11 @@ index 59aa54f..b5dadee 100644
/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-chkconf -- gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/unbound-checkconf -- gen_context(system_u:object_r:named_exec_t,s0)
/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
-@@ -40,6 +47,7 @@ ifdef(`distro_redhat',`
+@@ -40,6 +48,7 @@ ifdef(`distro_redhat',`
/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
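Review bot: The new `/usr/sbin/unbound-checkconf` entry sits directly below the existing `/usr/sbin/unbound-chkconf` entry, which looks like a misspelling of the same binary. If no package ships a file under the old name, that line is dead and could be dropped in this same change so the file contexts list only paths that exist. Worth confirming against the unbound package before removing it.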
@@ -9583,7 +9656,7 @@ index 9a0da94..113eae2 100644
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
-index fa82327..ab88d78 100644
+index fa82327..bdd79af 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t)
@@ -9599,17 +9672,22 @@ index fa82327..ab88d78 100644
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
-@@ -30,13 +36,18 @@ files_pid_file(chronyd_var_run_t)
+@@ -29,14 +35,22 @@ files_pid_file(chronyd_var_run_t)
+ # Local policy
#
- allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
-allow chronyd_t self:process { getcap setcap setrlimit };
++allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_resource sys_time };
+allow chronyd_t self:process { getcap setcap setrlimit signal };
allow chronyd_t self:shm create_shm_perms;
allow chronyd_t self:udp_socket create_socket_perms;
allow chronyd_t self:unix_dgram_socket create_socket_perms;
+allow chronyd_t self:fifo_file rw_fifo_file_perms;
++
++allow chronyd_t chronyd_keys_t:file append_file_perms;
++allow chronyd_t chronyd_keys_t:file setattr_file_perms;
allow chronyd_t chronyd_keys_t:file read_file_perms;
+manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
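Review bot: The new rules let `chronyd_t` append to and change attributes on `chronyd_keys_t` files, and add `fsetid` to its capability set, with no comment saying which chronyd behaviour needs write access to its own key material. A short why-comment above the three key-file rules, citing the bug the commit message references (#965457), would let a later reader judge whether the access is still needed. The three `allow` lines could also be merged into one: `allow chronyd_t chronyd_keys_t:file { append_file_perms setattr_file_perms read_file_perms };`. The surrounding local-policy block continues outside this hunk.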
@@ -9619,24 +9697,31 @@ index fa82327..ab88d78 100644
manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
-@@ -48,8 +59,15 @@ logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
+@@ -48,20 +62,29 @@ logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
-files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
+manage_sock_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
-+
+
+kernel_read_system_state(chronyd_t)
+kernel_read_network_state(chronyd_t)
+
+corecmd_exec_shell(chronyd_t)
-
++
+corenet_udp_bind_generic_node(chronyd_t)
corenet_udp_bind_ntp_port(chronyd_t)
# bind to udp/323
corenet_udp_bind_chronyd_port(chronyd_t)
-@@ -61,7 +79,7 @@ auth_use_nsswitch(chronyd_t)
+
+-# real time clock option
++dev_read_rand(chronyd_t)
++dev_read_urand(chronyd_t)
++
+ dev_rw_realtime_clock(chronyd_t)
+
+ auth_use_nsswitch(chronyd_t)
logging_send_syslog_msg(chronyd_t)
@@ -10530,7 +10615,7 @@ index 1cf6c4e..972b1b0 100644
+
+/var/www/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/cobbler.if b/cobbler.if
-index 116d60f..83d5104 100644
+index 116d60f..3bcdf6a 100644
--- a/cobbler.if
+++ b/cobbler.if
@@ -1,14 +1,4 @@
@@ -10631,13 +10716,14 @@ index 116d60f..83d5104 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -118,13 +132,14 @@ interface(`cobbler_read_lib_files',`
+@@ -118,13 +132,15 @@ interface(`cobbler_read_lib_files',`
type cobbler_var_lib_t;
')
- read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
########################################
@@ -10648,13 +10734,14 @@ index 116d60f..83d5104 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -137,14 +152,15 @@ interface(`cobbler_manage_lib_files',`
+@@ -137,14 +153,16 @@ interface(`cobbler_manage_lib_files',`
type cobbler_var_lib_t;
')
- manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
+ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
@@ -10667,7 +10754,7 @@ index 116d60f..83d5104 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -159,27 +175,51 @@ interface(`cobbler_manage_lib_files',`
+@@ -159,27 +177,51 @@ interface(`cobbler_manage_lib_files',`
## <rolecap/>
#
interface(`cobblerd_admin',`
@@ -15318,7 +15405,7 @@ index 305ddf4..ca832e1 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index e5a8924..00478fb 100644
+index e5a8924..7f7e8e2 100644
--- a/cups.te
+++ b/cups.te
@@ -1,22 +1,28 @@
@@ -15513,13 +15600,13 @@ index e5a8924..00478fb 100644
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
-files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file })
--
--allow cupsd_t hplip_t:process { signal sigkill };
+files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file })
--read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+-allow cupsd_t hplip_t:process { signal sigkill };
+allow cupsd_t cupsd_unit_file_t:file read_file_perms;
+-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+-
-allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
@@ -15729,7 +15816,7 @@ index e5a8924..00478fb 100644
')
optional_policy(`
-@@ -336,19 +368,20 @@ optional_policy(`
+@@ -336,19 +368,24 @@ optional_policy(`
udev_read_db(cupsd_t)
')
@@ -15737,6 +15824,10 @@ index e5a8924..00478fb 100644
+ virt_rw_chr_files(cupsd_t)
+')
+
++optional_policy(`
++ vmware_read_system_config(cupsd_t)
++')
++
########################################
#
-# Cups configuration daemon local policy
@@ -15756,7 +15847,7 @@ index e5a8924..00478fb 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -360,9 +393,7 @@ manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+@@ -360,9 +397,7 @@ manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file)
@@ -15767,7 +15858,7 @@ index e5a8924..00478fb 100644
manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
-@@ -371,70 +402,49 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,70 +406,49 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -15851,7 +15942,7 @@ index e5a8924..00478fb 100644
optional_policy(`
term_use_generic_ptys(cupsd_config_t)
-@@ -450,12 +460,19 @@ optional_policy(`
+@@ -450,12 +464,19 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(cupsd_config_t)
')
@@ -15872,7 +15963,7 @@ index e5a8924..00478fb 100644
')
optional_policy(`
-@@ -467,8 +484,7 @@ optional_policy(`
+@@ -467,8 +488,7 @@ optional_policy(`
')
optional_policy(`
@@ -15882,7 +15973,7 @@ index e5a8924..00478fb 100644
')
optional_policy(`
-@@ -489,231 +505,84 @@ optional_policy(`
+@@ -489,231 +509,84 @@ optional_policy(`
########################################
#
@@ -15941,10 +16032,10 @@ index e5a8924..00478fb 100644
-corenet_tcp_bind_generic_node(cupsd_lpd_t)
-corenet_udp_bind_generic_node(cupsd_lpd_t)
-corenet_tcp_connect_ipp_port(cupsd_lpd_t)
--
+
-dev_read_urand(cupsd_lpd_t)
-dev_read_rand(cupsd_lpd_t)
-
+-
-fs_getattr_xattr_fs(cupsd_lpd_t)
+corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
+corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -16114,18 +16205,18 @@ index e5a8924..00478fb 100644
-
-lpd_read_config(hplip_t)
-lpd_manage_spool(hplip_t)
+-
+-optional_policy(`
+- dbus_system_bus_client(hplip_t)
+-')
+userdom_home_manager(cups_pdf_t)
optional_policy(`
-- dbus_system_bus_client(hplip_t)
+- seutil_sigchld_newrole(hplip_t)
+ gnome_read_config(cups_pdf_t)
')
-optional_policy(`
-- seutil_sigchld_newrole(hplip_t)
--')
--
--optional_policy(`
- snmp_read_snmp_var_lib_files(hplip_t)
-')
-
@@ -16135,7 +16226,7 @@ index e5a8924..00478fb 100644
########################################
#
-@@ -723,14 +592,12 @@ optional_policy(`
+@@ -723,14 +596,12 @@ optional_policy(`
allow ptal_t self:capability { chown sys_rawio };
dontaudit ptal_t self:capability sys_tty_config;
allow ptal_t self:fifo_file rw_fifo_file_perms;
@@ -16151,7 +16242,7 @@ index e5a8924..00478fb 100644
manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
-@@ -743,29 +610,26 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -743,29 +614,26 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -16187,6 +16278,11 @@ index e5a8924..00478fb 100644
sysnet_read_config(ptal_t)
+@@ -779,3 +647,4 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(ptal_t)
+ ')
++
diff --git a/cvs.if b/cvs.if
index c43ff4c..5da88b5 100644
--- a/cvs.if
@@ -17990,7 +18086,7 @@ index f706b99..3b4f593 100644
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
-index 1819518..81022af 100644
+index 1819518..539cb21 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.0)
@@ -18040,7 +18136,7 @@ index 1819518..81022af 100644
#
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
-+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio };
++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };
+
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
@@ -31672,10 +31768,10 @@ index 0000000..6602bce
+/var/run/xl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
diff --git a/l2tpd.if b/l2tpd.if
new file mode 100644
-index 0000000..562d25b
+index 0000000..2fc7570
--- /dev/null
+++ b/l2tpd.if
-@@ -0,0 +1,178 @@
+@@ -0,0 +1,253 @@
+## <summary>Layer 2 Tunneling Protocol daemons.</summary>
+
+########################################
@@ -31812,6 +31908,81 @@ index 0000000..562d25b
+
+########################################
+## <summary>
++## Allow send a signal to l2tpd.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`l2tpd_signal',`
++ gen_require(`
++ type l2tpd_t;
++ ')
++
++ allow $1 l2tpd_t:process signal;
++')
++
++########################################
++## <summary>
++## Allow send signull to l2tpd.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`l2tpd_signull',`
++ gen_require(`
++ type l2tpd_t;
++ ')
++
++ allow $1 l2tpd_t:process signull;
++')
++
++########################################
++## <summary>
++## Allow send sigkill to l2tpd.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`l2tpd_sigkill',`
++ gen_require(`
++ type l2tpd_t;
++ ')
++
++ allow $1 l2tpd_t:process sigkill;
++')
++
++########################################
++## <summary>
++## Send and receive messages from
++## l2tpd over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`l2tpd_dbus_chat',`
++ gen_require(`
++ type l2tpd_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 l2tpd_t:dbus send_msg;
++ allow l2tpd_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
+## All of the rules required to administrate
+## an l2tpd environment
+## </summary>
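Review bot: The new interface name `l2tpd_sigkill` departs from the naming that sibling modules on this page use for the same permission (`openvpn_kill`, `vpn_kill`, `ipsec_kill_mgmt`). Naming it `l2tpd_kill` would keep the signal/signull/kill triple consistent across VPN modules; the caller added in networkmanager.te would need the same rename. The summaries "Allow send a signal to l2tpd.", "Allow send signull to l2tpd." and "Allow send sigkill to l2tpd." would also read better as `## Send a generic signal to l2tpd.`, `## Send a null signal to l2tpd.` and `## Send a kill signal to l2tpd.`.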
@@ -31856,10 +32027,10 @@ index 0000000..562d25b
+')
diff --git a/l2tpd.te b/l2tpd.te
new file mode 100644
-index 0000000..1f9b8d2
+index 0000000..f4b2cfe
--- /dev/null
+++ b/l2tpd.te
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,121 @@
+policy_module(l2tpd, 1.0.0)
+
+########################################
@@ -31909,6 +32080,8 @@ index 0000000..1f9b8d2
+manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
+files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
+
++can_exec(l2tpd_t, l2tpd_exec_t)
++
+corenet_all_recvfrom_netlabel(l2tpd_t)
+corenet_raw_sendrecv_generic_if(l2tpd_t)
+corenet_tcp_sendrecv_generic_if(l2tpd_t)
@@ -31955,6 +32128,22 @@ index 0000000..1f9b8d2
+sysnet_dns_name_resolve(l2tpd_t)
+
+optional_policy(`
++ dbus_system_bus_client(l2tpd_t)
++ dbus_connect_system_bus(l2tpd_t)
++
++ optional_policy(`
++ networkmanager_dbus_chat(l2tpd_t)
++ ')
++')
++
++optional_policy(`
++ ipsec_domtrans_mgmt(l2tpd_t)
++ ipsec_mgmt_read_pid(l2tpd_t)
++ ipsec_filetrans_key_file(l2tpd_t)
++ ipsec_manage_key_file(l2tpd_t)
++')
++
++optional_policy(`
+ networkmanager_read_pid_files(l2tpd_t)
+')
+
@@ -35701,10 +35890,10 @@ index 6647a35..f3b35e1 100644
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/mozilla.fc b/mozilla.fc
-index 3a73e74..fe0815d 100644
+index 3a73e74..c5b8df7 100644
--- a/mozilla.fc
+++ b/mozilla.fc
-@@ -2,8 +2,23 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0
+@@ -2,8 +2,24 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -35720,6 +35909,7 @@ index 3a73e74..fe0815d 100644
+HOME_DIR/\.gnashpluginrc gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.icedtea(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -35728,7 +35918,7 @@ index 3a73e74..fe0815d 100644
#
# /bin
-@@ -16,6 +31,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+@@ -16,6 +32,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
@@ -35741,7 +35931,7 @@ index 3a73e74..fe0815d 100644
ifdef(`distro_debian',`
/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
')
-@@ -23,11 +44,20 @@ ifdef(`distro_debian',`
+@@ -23,11 +45,20 @@ ifdef(`distro_debian',`
#
# /lib
#
@@ -35769,7 +35959,7 @@ index 3a73e74..fe0815d 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index b397fde..aaf4cdf 100644
+index b397fde..791639c 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -18,10 +18,11 @@
@@ -35919,7 +36109,7 @@ index b397fde..aaf4cdf 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -275,28 +361,123 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -275,28 +361,124 @@ interface(`mozilla_rw_tcp_sockets',`
## </summary>
## </param>
#
@@ -36039,6 +36229,7 @@ index b397fde..aaf4cdf 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
@@ -36051,7 +36242,7 @@ index b397fde..aaf4cdf 100644
+')
+
diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..3b09e66 100644
+index d4fcb75..900cca4 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -36224,7 +36415,7 @@ index d4fcb75..3b09e66 100644
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
')
-@@ -297,65 +318,107 @@ optional_policy(`
+@@ -297,65 +318,108 @@ optional_policy(`
# mozilla_plugin local policy
#
@@ -36323,6 +36514,7 @@ index d4fcb75..3b09e66 100644
+corenet_tcp_connect_vnc_port(mozilla_plugin_t)
+corenet_tcp_connect_commplex_port(mozilla_plugin_t)
+corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
++corenet_tcp_connect_jboss_management_port(mozilla_plugin_t)
+corenet_tcp_connect_monopd_port(mozilla_plugin_t)
+corenet_tcp_connect_transproxy_port(mozilla_plugin_t)
+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
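Review bot: The added `corenet_tcp_connect_jboss_management_port(mozilla_plugin_t)` lets the browser plugin domain connect to the JBoss management port unconditionally, while the commit message describes it only as "jboss port". A one-line comment naming the plugin or workflow that needs it would help, for example `# <plugin name> talks to the JBoss management interface`, with the placeholder filled in from the originating bug. If only some deployments need this, it may be better placed behind a tunable than granted to every plugin process. The rest of the `mozilla_plugin_t` network rules lie outside this hunk.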
@@ -36347,7 +36539,7 @@ index d4fcb75..3b09e66 100644
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -363,55 +426,62 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -363,55 +427,62 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
@@ -36431,7 +36623,7 @@ index d4fcb75..3b09e66 100644
')
optional_policy(`
-@@ -420,37 +490,169 @@ optional_policy(`
+@@ -420,37 +491,169 @@ optional_policy(`
')
optional_policy(`
@@ -40457,7 +40649,7 @@ index 2324d9e..b9c69d2 100644
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 0619395..ac3caa3 100644
+index 0619395..6943a2c 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -40648,7 +40840,7 @@ index 0619395..ac3caa3 100644
')
optional_policy(`
-@@ -202,23 +260,53 @@ optional_policy(`
+@@ -202,23 +260,56 @@ optional_policy(`
')
optional_policy(`
@@ -40672,6 +40864,9 @@ index 0619395..ac3caa3 100644
optional_policy(`
+ l2tpd_domtrans(NetworkManager_t)
++ l2tpd_sigkill(NetworkManager_t)
++ l2tpd_signal(NetworkManager_t)
++ l2tpd_signull(NetworkManager_t)
+')
+
+optional_policy(`
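Review bot: The three signal grants added after `l2tpd_domtrans(NetworkManager_t)` carry no comment, and the changelog line "Allow NM to send signals to l2tpd" does not mention that SIGKILL is among them. A one-line comment above them, such as `# NM manages the l2tpd it starts: signal, sigkill and signull`, would record the intent; the wording should be checked against the denial that prompted the change. The interface name `l2tpd_sigkill` also differs from the `openvpn_kill` and `vpn_kill` names used by the neighbouring VPN blocks in this file. The interface definition is outside this hunk, so that is only a consistency remark.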
@@ -40702,7 +40897,7 @@ index 0619395..ac3caa3 100644
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -234,6 +322,10 @@ optional_policy(`
+@@ -234,6 +325,10 @@ optional_policy(`
')
optional_policy(`
@@ -40713,7 +40908,7 @@ index 0619395..ac3caa3 100644
ppp_initrc_domtrans(NetworkManager_t)
ppp_domtrans(NetworkManager_t)
ppp_manage_pid_files(NetworkManager_t)
-@@ -241,6 +333,7 @@ optional_policy(`
+@@ -241,6 +336,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -40721,7 +40916,7 @@ index 0619395..ac3caa3 100644
')
optional_policy(`
-@@ -254,6 +347,13 @@ optional_policy(`
+@@ -254,6 +350,13 @@ optional_policy(`
')
optional_policy(`
@@ -40735,7 +40930,7 @@ index 0619395..ac3caa3 100644
udev_exec(NetworkManager_t)
udev_read_db(NetworkManager_t)
')
-@@ -263,6 +363,7 @@ optional_policy(`
+@@ -263,6 +366,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -40743,7 +40938,7 @@ index 0619395..ac3caa3 100644
')
########################################
-@@ -284,6 +385,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -284,6 +388,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -51871,7 +52066,7 @@ index de4bdb7..a4cad0b 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index bcbf9ac..cb7604d 100644
+index bcbf9ac..e5a4252 100644
--- a/ppp.te
+++ b/ppp.te
@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
@@ -51981,7 +52176,7 @@ index bcbf9ac..cb7604d 100644
# allow running ip-up and ip-down scripts and running chat.
corecmd_exec_bin(pppd_t)
-@@ -161,43 +168,54 @@ domain_use_interactive_fds(pppd_t)
+@@ -161,43 +168,56 @@ domain_use_interactive_fds(pppd_t)
files_exec_etc_files(pppd_t)
files_manage_etc_runtime_files(pppd_t)
files_dontaudit_write_etc_files(pppd_t)
@@ -52026,6 +52221,8 @@ index bcbf9ac..cb7604d 100644
+ l2tpd_dgram_send(pppd_t)
+ l2tpd_rw_socket(pppd_t)
+ l2tpd_stream_connect(pppd_t)
++ l2tpd_read_pid_files(pppd_t)
++ l2tpd_dbus_chat(pppd_t)
')
optional_policy(`
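Review bot: `l2tpd_dbus_chat(pppd_t)` is added without a comment, and if it follows the usual reference-policy `*_dbus_chat` shape it allows D-Bus messages in both directions between pppd_t and the l2tpd domain. The interface body is not visible here, so it is worth confirming that both directions were seen in the denials. The same applies to `l2tpd_read_pid_files(pppd_t)`: neither line says which failure it fixes. I would add a comment such as `# pppd started by l2tpd: reads its pid file and talks to it over D-Bus (<bug reference>)`. The enclosing optional_policy block opens above the hunk.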
@@ -52042,7 +52239,7 @@ index bcbf9ac..cb7604d 100644
')
optional_policy(`
-@@ -247,21 +265,24 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -247,21 +267,24 @@ allow pptp_t pppd_log_t:file append_file_perms;
allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
@@ -52069,7 +52266,7 @@ index bcbf9ac..cb7604d 100644
corenet_all_recvfrom_netlabel(pptp_t)
corenet_tcp_sendrecv_generic_if(pptp_t)
corenet_raw_sendrecv_generic_if(pptp_t)
-@@ -272,8 +293,7 @@ corenet_tcp_bind_generic_node(pptp_t)
+@@ -272,8 +295,7 @@ corenet_tcp_bind_generic_node(pptp_t)
corenet_tcp_connect_generic_port(pptp_t)
corenet_tcp_connect_all_reserved_ports(pptp_t)
corenet_sendrecv_generic_client_packets(pptp_t)
@@ -52079,7 +52276,7 @@ index bcbf9ac..cb7604d 100644
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
-@@ -288,8 +308,6 @@ auth_use_nsswitch(pptp_t)
+@@ -288,8 +310,6 @@ auth_use_nsswitch(pptp_t)
logging_send_syslog_msg(pptp_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 17a171e..5bd51a0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 96%{?dist}
+Release: 97%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,24 @@ SELinux Reference policy mls base module.
%endif
%Changelog
+* Tue May 28 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-97
+- Fix ipsec_manage_key_file()
+- Fix ipsec_filetrans_key_file()
+- Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t
+- Fix labeling for ipsec.secrets
+- Add interfaces for ipsec and labeling for ipsec.info and ipsec_setup.pid
+- Allow l2tpd to create ipsec key files with correct labeling and manage them
+- Fix cobbler_manage_lib_files/cobbler_read_lib_files to cover also lnk files
+- Add labeling for /usr/sbin/unbound-checkconf
+- Allow l2tpd to read ipse-mgmt pid files
+- more fixes for l2tpd, NM and pppd from #967072
+- Allow NM to send signals to l2tpd
+- Allow devicekit_disk_t to sys_config_tty
+- Make printing from vmware working
+- Allow mozilla-plugin to connect to jboss port
+- Add chronyd support for #965457
+- Fix labeling for HOMEDIR/.icedtea
+
* Mon May 20 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-96
- Allow also sealert to read the policy from the kernel
- Dontaudit listing of users homedir by sendmail Seems like a leak