[selinux-policy/f19] - Add support for cmpiLMI_Service-cimprovagt - Allow pegasus domtrans to rpm_t to make pycmpiLMI_Sof
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jul 26 13:38:39 UTC 2013
commit 4828218b9e38c33dbd022c0734c47ce5eead724e
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Jul 26 15:38:16 2013 +0200
- Add support for cmpiLMI_Service-cimprovagt
- Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt run
- Label pycmpiLMI_Software-cimprovagt as rpm_exec_t
- Add support for pycmpiLMI_Storage-cimprovagt
- Add support for cmpiLMI_Networking-cimprovagt
- Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio work
- Allow virtual machines and containers to run as user domains, needed for v
- Allow buglist.cgi to read cpu info
policy-f19-base.patch | 137 +++++++++++++++-----------
policy-f19-contrib.patch | 237 ++++++++++++++++++++++++++++++++--------------
selinux-policy.spec | 12 ++-
3 files changed, 256 insertions(+), 130 deletions(-)
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 4497b28..930ffa4 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -8419,7 +8419,7 @@ index 6a1e4d1..c691385 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..e8e2506 100644
+index cf04cb5..29e6b5c 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8518,16 +8518,17 @@ index cf04cb5..e8e2506 100644
')
optional_policy(`
-@@ -133,6 +188,8 @@ optional_policy(`
+@@ -133,6 +188,9 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
+ xserver_dontaudit_append_xdm_home_files(domain)
+ xserver_dontaudit_write_log(domain)
++ xserver_dontaudit_xdm_rw_stream_sockets(domain)
')
########################################
-@@ -147,12 +204,18 @@ optional_policy(`
+@@ -147,12 +205,18 @@ optional_policy(`
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
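Review bot: `xserver_dontaudit_xdm_rw_stream_sockets(domain)` is applied to the `domain` attribute, so it silences xdm stream-socket read/write denials for every domain on the system, which also removes that signal from AVC-log based monitoring, and the commit description does not mention it. A one-line comment above it naming what triggers the denial would justify the system-wide scope, e.g. `# dontaudit rw on xdm stream sockets inherited by child domains (confirm trigger)` — the inherited-fd cause is my guess from the neighbouring xdm dontaudits and should be verified. If only a few domains actually hit this, a per-domain dontaudit would keep the audit trail intact elsewhere. The domain.te rules continue outside this hunk.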
@@ -8547,7 +8548,7 @@ index cf04cb5..e8e2506 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +229,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +230,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -20153,7 +20154,7 @@ index fe0c682..225aaa7 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..994eec2 100644
+index 5fc0391..3448145 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3)
@@ -20263,11 +20264,13 @@ index 5fc0391..994eec2 100644
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -107,33 +120,39 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -107,33 +120,41 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
-userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
++userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, sock_file)
++userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, dir, ".ssh")
+userdom_read_all_users_keys(ssh_t)
+userdom_stream_connect(ssh_t)
+userdom_search_admin_dir(sshd_t)
@@ -20308,7 +20311,7 @@ index 5fc0391..994eec2 100644
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
-@@ -156,38 +175,42 @@ logging_read_generic_logs(ssh_t)
+@@ -156,38 +177,42 @@ logging_read_generic_logs(ssh_t)
auth_use_nsswitch(ssh_t)
@@ -20370,7 +20373,7 @@ index 5fc0391..994eec2 100644
')
optional_policy(`
-@@ -195,6 +218,7 @@ optional_policy(`
+@@ -195,6 +220,7 @@ optional_policy(`
xserver_domtrans_xauth(ssh_t)
')
@@ -20378,7 +20381,7 @@ index 5fc0391..994eec2 100644
##############################
#
# ssh_keysign_t local policy
-@@ -206,6 +230,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -206,6 +232,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
allow ssh_keysign_t sshd_key_t:file { getattr read };
dev_read_urand(ssh_keysign_t)
@@ -20386,7 +20389,7 @@ index 5fc0391..994eec2 100644
files_read_etc_files(ssh_keysign_t)
-@@ -223,33 +248,53 @@ optional_policy(`
+@@ -223,33 +250,54 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -20413,6 +20416,7 @@ index 5fc0391..994eec2 100644
# for X forwarding
corenet_tcp_bind_xserver_port(sshd_t)
++corenet_tcp_bind_vnc_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
+auth_exec_login_program(sshd_t)
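Review bot: `corenet_tcp_bind_vnc_port(sshd_t)` is placed directly under the `# for X forwarding` comment, but binding the VNC port is not part of X11 forwarding, so the comment now misdescribes the rule and the commit description does not list it. Add a line stating the actual need, e.g. `# sshd binds the vnc port when a remote port forward targets a VNC display (confirm)` — the use case is inferred from the port and should be checked. If sshd.te already has a tunable gating its port-forwarding binds, this rule belongs under that tunable rather than unconditionally in the base policy. The sshd_t block starts before and ends after this hunk.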
@@ -20449,7 +20453,7 @@ index 5fc0391..994eec2 100644
')
optional_policy(`
-@@ -257,11 +302,24 @@ optional_policy(`
+@@ -257,11 +305,24 @@ optional_policy(`
')
optional_policy(`
@@ -20475,7 +20479,7 @@ index 5fc0391..994eec2 100644
')
optional_policy(`
-@@ -269,6 +327,10 @@ optional_policy(`
+@@ -269,6 +330,10 @@ optional_policy(`
')
optional_policy(`
@@ -20486,7 +20490,7 @@ index 5fc0391..994eec2 100644
rpm_use_script_fds(sshd_t)
')
-@@ -279,13 +341,69 @@ optional_policy(`
+@@ -279,13 +344,69 @@ optional_policy(`
')
optional_policy(`
@@ -20556,7 +20560,7 @@ index 5fc0391..994eec2 100644
########################################
#
# ssh_keygen local policy
-@@ -294,19 +412,26 @@ optional_policy(`
+@@ -294,19 +415,26 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -20584,7 +20588,7 @@ index 5fc0391..994eec2 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +448,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +451,12 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -20597,7 +20601,7 @@ index 5fc0391..994eec2 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +462,138 @@ optional_policy(`
+@@ -331,3 +465,138 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -31454,7 +31458,7 @@ index e8c59a5..d2df072 100644
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..a70c055 100644
+index 9fe8e01..83acb32 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
@@ -31473,7 +31477,7 @@ index 9fe8e01..a70c055 100644
ifdef(`distro_redhat',`
/etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
-@@ -37,14 +39,10 @@ ifdef(`distro_redhat',`
+@@ -37,24 +39,20 @@ ifdef(`distro_redhat',`
/usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
@@ -31485,19 +31489,25 @@ index 9fe8e01..a70c055 100644
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
-+/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
/usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
- /usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+-/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
-@@ -53,6 +51,7 @@ ifdef(`distro_redhat',`
- /usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
- /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
-
-+/usr/share/pki/ca-trust-source(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+ /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+-/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+-/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
+-
++/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
++/usr/share/pki/ca-trust-source(/.*)? gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0)
++/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
++/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
++/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
+
+ /usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
-@@ -77,7 +76,7 @@ ifdef(`distro_redhat',`
+@@ -77,7 +75,7 @@ ifdef(`distro_redhat',`
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
@@ -31506,7 +31516,7 @@ index 9fe8e01..a70c055 100644
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
-@@ -90,6 +89,7 @@ ifdef(`distro_debian',`
+@@ -90,6 +88,7 @@ ifdef(`distro_debian',`
')
ifdef(`distro_redhat',`
@@ -31741,10 +31751,10 @@ index d6293de..8f8d80d 100644
#
# Base type for the tests directory.
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
-index 9933677..b155a0d 100644
+index 9933677..ca14c17 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
-@@ -23,3 +23,13 @@ ifdef(`distro_gentoo',`
+@@ -23,3 +23,15 @@ ifdef(`distro_gentoo',`
/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
/usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0)
@@ -31758,6 +31768,8 @@ index 9933677..b155a0d 100644
+/usr/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
+
+/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
++
++/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 7449974..6375786 100644
--- a/policy/modules/system/modutils.if
@@ -31864,7 +31876,7 @@ index 7449974..6375786 100644
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a49e28..de1dcdd 100644
+index 7a49e28..82004c9 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3)
@@ -31876,13 +31888,16 @@ index 7a49e28..de1dcdd 100644
type depmod_t;
type depmod_exec_t;
-@@ -16,11 +16,12 @@ type insmod_t;
+@@ -16,11 +16,15 @@ type insmod_t;
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
mls_file_write_all_levels(insmod_t)
+mls_process_write_down(insmod_t)
role system_r types insmod_t;
++type insmod_var_run_t;
++files_pid_file(insmod_var_run_t)
++
# module loading config
type modules_conf_t;
-files_type(modules_conf_t)
@@ -31890,7 +31905,7 @@ index 7a49e28..de1dcdd 100644
# module dependencies
type modules_dep_t;
-@@ -29,12 +30,16 @@ files_type(modules_dep_t)
+@@ -29,12 +33,16 @@ files_type(modules_dep_t)
type update_modules_t;
type update_modules_exec_t;
init_system_domain(update_modules_t, update_modules_exec_t)
@@ -31909,7 +31924,7 @@ index 7a49e28..de1dcdd 100644
########################################
#
# depmod local policy
-@@ -54,12 +59,15 @@ corecmd_search_bin(depmod_t)
+@@ -54,12 +62,15 @@ corecmd_search_bin(depmod_t)
domain_use_interactive_fds(depmod_t)
@@ -31925,7 +31940,7 @@ index 7a49e28..de1dcdd 100644
fs_getattr_xattr_fs(depmod_t)
-@@ -69,10 +77,12 @@ init_use_fds(depmod_t)
+@@ -69,10 +80,12 @@ init_use_fds(depmod_t)
init_use_script_fds(depmod_t)
init_use_script_ptys(depmod_t)
@@ -31939,7 +31954,7 @@ index 7a49e28..de1dcdd 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -80,12 +90,8 @@ ifdef(`distro_ubuntu',`
+@@ -80,12 +93,8 @@ ifdef(`distro_ubuntu',`
')
')
@@ -31954,7 +31969,7 @@ index 7a49e28..de1dcdd 100644
')
optional_policy(`
-@@ -94,7 +100,6 @@ optional_policy(`
+@@ -94,7 +103,6 @@ optional_policy(`
')
optional_policy(`
@@ -31962,7 +31977,7 @@ index 7a49e28..de1dcdd 100644
unconfined_domain(depmod_t)
')
-@@ -103,11 +108,12 @@ optional_policy(`
+@@ -103,11 +111,12 @@ optional_policy(`
# insmod local policy
#
@@ -31976,8 +31991,14 @@ index 7a49e28..de1dcdd 100644
# Read module config and dependency information
list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
-@@ -117,14 +123,18 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+@@ -115,16 +124,24 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
+ list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
+ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
++manage_dirs_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
++manage_files_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
++files_pid_filetrans(insmod_t, insmod_var_run_t, {dir file })
++
can_exec(insmod_t, insmod_exec_t)
+manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)
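Review bot: `files_pid_filetrans(insmod_t, insmod_var_run_t, {dir file })` has an unbalanced class-set brace, `{dir file }`, where the rest of this patch writes `{ file dir }` (the files_tmp_filetrans calls in cron.te and condor.te further down); change it to `files_pid_filetrans(insmod_t, insmod_var_run_t, { dir file })`. The three new insmod_var_run_t rules also carry no comment; the matching fc line in this commit labels /var/run/tmpfiles.d/kmod.conf with that type, so `# kmod drops a tmpfiles.d snippet under /var/run (insmod_var_run_t)` above them would tie the type to its purpose — presumably kmod is the writer, please confirm. The insmod_t block starts before this hunk.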
@@ -31996,7 +32017,7 @@ index 7a49e28..de1dcdd 100644
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
-@@ -142,6 +152,7 @@ dev_rw_agp(insmod_t)
+@@ -142,6 +159,7 @@ dev_rw_agp(insmod_t)
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@@ -32004,7 +32025,7 @@ index 7a49e28..de1dcdd 100644
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -151,30 +162,38 @@ files_read_etc_runtime_files(insmod_t)
+@@ -151,30 +169,38 @@ files_read_etc_runtime_files(insmod_t)
files_read_etc_files(insmod_t)
files_read_usr_files(insmod_t)
files_exec_etc_files(insmod_t)
@@ -32047,7 +32068,7 @@ index 7a49e28..de1dcdd 100644
userdom_dontaudit_search_user_home_dirs(insmod_t)
kernel_domtrans_to(insmod_t, insmod_exec_t)
-@@ -184,28 +203,33 @@ optional_policy(`
+@@ -184,28 +210,33 @@ optional_policy(`
')
optional_policy(`
@@ -32071,24 +32092,24 @@ index 7a49e28..de1dcdd 100644
optional_policy(`
- mount_domtrans(insmod_t)
+ hal_write_log(insmod_t)
++')
++
++optional_policy(`
++ hotplug_search_config(insmod_t)
')
optional_policy(`
- nis_use_ypbind(insmod_t)
-+ hotplug_search_config(insmod_t)
++ kdump_manage_kdumpctl_tmp_files(insmod_t)
')
optional_policy(`
- nscd_use(insmod_t)
-+ kdump_manage_kdumpctl_tmp_files(insmod_t)
-+')
-+
-+optional_policy(`
+ mount_domtrans(insmod_t)
')
optional_policy(`
-@@ -225,6 +249,7 @@ optional_policy(`
+@@ -225,6 +256,7 @@ optional_policy(`
optional_policy(`
rpm_rw_pipes(insmod_t)
@@ -32096,7 +32117,7 @@ index 7a49e28..de1dcdd 100644
')
optional_policy(`
-@@ -233,6 +258,10 @@ optional_policy(`
+@@ -233,6 +265,10 @@ optional_policy(`
')
optional_policy(`
@@ -32107,7 +32128,7 @@ index 7a49e28..de1dcdd 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
-@@ -291,11 +320,10 @@ init_use_script_ptys(update_modules_t)
+@@ -291,11 +327,10 @@ init_use_script_ptys(update_modules_t)
logging_send_syslog_msg(update_modules_t)
@@ -35200,10 +35221,10 @@ index 0000000..2cd29ba
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..1a254f8
+index 0000000..78eb081
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1286 @@
+@@ -0,0 +1,1287 @@
+## <summary>SELinux policy for systemd components</summary>
+
+######################################
@@ -36104,6 +36125,7 @@ index 0000000..1a254f8
+ allow $1 hostname_etc_t:file read_file_perms;
+')
+
++
+#######################################
+## <summary>
+## Create objects in /run/systemd/generator directory
@@ -36492,7 +36514,7 @@ index 0000000..1a254f8
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..13712f9
+index 0000000..6379489
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,661 @@
@@ -36785,8 +36807,8 @@ index 0000000..13712f9
+dev_relabel_all_sysfs(systemd_tmpfiles_t)
+dev_relabel_cpu_online(systemd_tmpfiles_t)
+dev_read_cpu_online(systemd_tmpfiles_t)
-+dev_manage_printer(systemd_tmpfiles_t)
-+dev_relabel_printer(systemd_tmpfiles_t)
++dev_manage_all_dev_nodes(systemd_tmpfiles_t)
++dev_relabel_all_dev_nodes(systemd_tmpfiles_t)
+
+domain_obj_id_change_exemption(systemd_tmpfiles_t)
+
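Review bot: Swapping `dev_manage_printer`/`dev_relabel_printer` for `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` and `dev_relabel_all_dev_nodes(systemd_tmpfiles_t)` widens systemd_tmpfiles_t from one device type to create/delete and relabel rights over every device node type, and neither the hunk nor the commit description says which tmpfiles.d entries require that. A comment above the pair recording the trigger, e.g. `# tmpfiles.d entries create and relabel several device node types under /dev; see tracking bug`, would let a later reviewer re-narrow it. If only a handful of device types are involved, the per-type dev_manage_*/dev_relabel_* interfaces would keep this domain closer to least privilege, since a relabel-all right on /dev is a significant capability for a boot-time service. The systemd_tmpfiles_t block starts before and ends after this hunk.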
@@ -38537,7 +38559,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..33a39dc 100644
+index 3c5dba7..89012c2 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -41221,7 +41243,7 @@ index 3c5dba7..33a39dc 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3438,4 +4214,1455 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4214,1454 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -42582,9 +42604,8 @@ index 3c5dba7..33a39dc 100644
+ gen_require(`
+ attribute userdom_home_manager_type;
+ ')
-+ typeattribute $1 userdom_home_manager_type;
+
-+ userdom_filetrans_home_content($1)
++ typeattribute $1 userdom_home_manager_type;
+')
+
+########################################
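Review bot: The net effect of this hunk is to drop the `userdom_filetrans_home_content($1)` call from the interface while keeping `typeattribute $1 userdom_home_manager_type;`, so callers lose the home-content file transitions unless the attribute now provides them elsewhere, and the commit description does not mention this. If the filetrans rules were moved onto the attribute, a comment such as `# home-content file transitions are carried by userdom_home_manager_type` above the typeattribute line would record that; otherwise the removal should be called out in the description. The interface's declaration and gen_require start before this hunk.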
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index da225f8..40fdab0 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -9350,7 +9350,7 @@ index 1b22262..bf0cefa 100644
+ ')
')
diff --git a/bugzilla.te b/bugzilla.te
-index 41f8251..464107b 100644
+index 41f8251..57f094e 100644
--- a/bugzilla.te
+++ b/bugzilla.te
@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.4)
@@ -9371,7 +9371,7 @@ index 41f8251..464107b 100644
corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
-@@ -27,11 +29,19 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
+@@ -27,11 +29,21 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
@@ -9384,6 +9384,8 @@ index 41f8251..464107b 100644
-sysnet_dns_name_resolve(httpd_bugzilla_script_t)
+auth_read_passwd(httpd_bugzilla_script_t)
+
++dev_read_sysfs(httpd_bugzilla_script_t)
++
+sysnet_read_config(httpd_bugzilla_script_t)
sysnet_use_ldap(httpd_bugzilla_script_t)
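Review bot: `dev_read_sysfs(httpd_bugzilla_script_t)` grants read access to the whole sysfs tree, which is broader than the "read cpu info" need the commit description gives for buglist.cgi, and the rule has no comment. Add `# buglist.cgi reads cpu info from /sys` above it so the reason for the grant is recorded in the policy; if a narrower interface exists for the cpu entries it touches, that would be preferable for a web-facing CGI script domain. The httpd_bugzilla_script_t block continues outside this hunk.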
@@ -13076,7 +13078,7 @@ index 3fe3cb8..b8e08c6 100644
+ ')
')
diff --git a/condor.te b/condor.te
-index 3f2b672..c0501e0 100644
+index 3f2b672..49efe00 100644
--- a/condor.te
+++ b/condor.te
@@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t)
@@ -13089,7 +13091,7 @@ index 3f2b672..c0501e0 100644
condor_domain_template(collector)
condor_domain_template(negotiator)
condor_domain_template(procd)
-@@ -57,10 +60,14 @@ condor_domain_template(startd)
+@@ -57,10 +60,15 @@ condor_domain_template(startd)
# Global local policy
#
@@ -13103,10 +13105,11 @@ index 3f2b672..c0501e0 100644
+allow condor_domain self:tcp_socket create_stream_socket_perms;
+allow condor_domain self:udp_socket create_socket_perms;
+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
++allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
append_files_pattern(condor_domain, condor_log_t, condor_log_t)
-@@ -86,13 +93,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
+@@ -86,13 +94,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
kernel_read_kernel_sysctls(condor_domain)
kernel_read_network_state(condor_domain)
@@ -13120,7 +13123,7 @@ index 3f2b672..c0501e0 100644
corenet_tcp_sendrecv_generic_if(condor_domain)
corenet_tcp_sendrecv_generic_node(condor_domain)
-@@ -106,9 +110,7 @@ dev_read_rand(condor_domain)
+@@ -106,9 +111,7 @@ dev_read_rand(condor_domain)
dev_read_sysfs(condor_domain)
dev_read_urand(condor_domain)
@@ -13131,7 +13134,7 @@ index 3f2b672..c0501e0 100644
tunable_policy(`condor_tcp_network_connect',`
corenet_sendrecv_all_client_packets(condor_domain)
-@@ -125,7 +127,7 @@ optional_policy(`
+@@ -125,7 +128,7 @@ optional_policy(`
# Master local policy
#
@@ -13140,7 +13143,7 @@ index 3f2b672..c0501e0 100644
allow condor_master_t condor_domain:process { sigkill signal };
-@@ -133,6 +135,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+@@ -133,6 +136,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
@@ -13151,7 +13154,7 @@ index 3f2b672..c0501e0 100644
corenet_udp_sendrecv_generic_if(condor_master_t)
corenet_udp_sendrecv_generic_node(condor_master_t)
corenet_tcp_bind_generic_node(condor_master_t)
-@@ -150,7 +156,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t)
+@@ -150,7 +157,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t)
domain_read_all_domains_state(condor_master_t)
@@ -13160,7 +13163,7 @@ index 3f2b672..c0501e0 100644
optional_policy(`
mta_send_mail(condor_master_t)
-@@ -169,6 +175,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+@@ -169,6 +176,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
kernel_read_network_state(condor_collector_t)
@@ -13169,7 +13172,7 @@ index 3f2b672..c0501e0 100644
#####################################
#
# Negotiator local policy
-@@ -178,6 +186,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -178,6 +187,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
@@ -13178,7 +13181,7 @@ index 3f2b672..c0501e0 100644
######################################
#
# Procd local policy
-@@ -201,6 +211,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+@@ -201,6 +212,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
@@ -13187,7 +13190,7 @@ index 3f2b672..c0501e0 100644
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
-@@ -209,6 +221,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -209,6 +222,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
@@ -13196,7 +13199,7 @@ index 3f2b672..c0501e0 100644
#####################################
#
# Startd local policy
-@@ -233,11 +247,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -233,11 +248,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t)
@@ -13209,7 +13212,7 @@ index 3f2b672..c0501e0 100644
optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t)
-@@ -249,3 +262,7 @@ optional_policy(`
+@@ -249,3 +263,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t)
')
')
@@ -15272,7 +15275,7 @@ index 1303b30..058864e 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 28e1b86..0c0f4f2 100644
+index 28e1b86..bf91ba9 100644
--- a/cron.te
+++ b/cron.te
@@ -1,4 +1,4 @@
@@ -15887,7 +15890,7 @@ index 28e1b86..0c0f4f2 100644
init_domtrans_script(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
-@@ -511,20 +489,23 @@ logging_read_generic_logs(system_cronjob_t)
+@@ -511,20 +489,26 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
@@ -15895,6 +15898,9 @@ index 28e1b86..0c0f4f2 100644
-
seutil_read_config(system_cronjob_t)
++userdom_manage_tmpfs_files(system_cronjob_t, file)
++userdom_tmpfs_filetrans(system_cronjob_t, file)
++
ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ allow crond_t system_cron_spool_t:file manage_file_perms;
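Review bot: `userdom_manage_tmpfs_files(system_cronjob_t, file)` and `userdom_tmpfs_filetrans(system_cronjob_t, file)` let system cron jobs create and manage user_tmpfs_t files, a type otherwise belonging to user domains, and the only explanation is in the commit description. Add `# pulseaudio started from system cron jobs creates user_tmpfs_t files` above the pair so the reason survives in the policy. Nothing in the hunk limits the grant to pulseaudio, so if system_cronjob_t has a pulseaudio optional_policy block it may be worth placing the rules there instead of unconditionally. The system_cronjob_t block starts before and ends after this hunk.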
@@ -15914,7 +15920,7 @@ index 28e1b86..0c0f4f2 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
-@@ -534,10 +515,17 @@ tunable_policy(`cron_can_relabel',`
+@@ -534,10 +518,17 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@@ -15932,7 +15938,7 @@ index 28e1b86..0c0f4f2 100644
')
optional_policy(`
-@@ -546,10 +534,6 @@ optional_policy(`
+@@ -546,10 +537,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
@@ -15943,7 +15949,7 @@ index 28e1b86..0c0f4f2 100644
')
optional_policy(`
-@@ -581,6 +565,7 @@ optional_policy(`
+@@ -581,6 +568,7 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@@ -15951,7 +15957,7 @@ index 28e1b86..0c0f4f2 100644
')
optional_policy(`
-@@ -588,15 +573,19 @@ optional_policy(`
+@@ -588,15 +576,19 @@ optional_policy(`
')
optional_policy(`
@@ -15973,7 +15979,7 @@ index 28e1b86..0c0f4f2 100644
')
optional_policy(`
-@@ -606,6 +595,7 @@ optional_policy(`
+@@ -606,6 +598,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -15981,7 +15987,7 @@ index 28e1b86..0c0f4f2 100644
')
optional_policy(`
-@@ -613,12 +603,24 @@ optional_policy(`
+@@ -613,12 +606,24 @@ optional_policy(`
')
optional_policy(`
@@ -16008,7 +16014,7 @@ index 28e1b86..0c0f4f2 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -626,12 +628,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -626,12 +631,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -16042,7 +16048,7 @@ index 28e1b86..0c0f4f2 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -639,84 +661,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -639,84 +664,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -21639,7 +21645,7 @@ index dbcac59..66d42bb 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..fe94a6c 100644
+index a7bfaf0..4ebb0ad 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
@@ -21892,7 +21898,7 @@ index a7bfaf0..fe94a6c 100644
sendmail_domtrans(dovecot_t)
')
-@@ -221,46 +213,61 @@ optional_policy(`
+@@ -221,46 +213,63 @@ optional_policy(`
########################################
#
@@ -21941,14 +21947,16 @@ index a7bfaf0..fe94a6c 100644
+files_read_usr_symlinks(dovecot_auth_t)
+files_read_var_lib_files(dovecot_auth_t)
+files_search_tmp(dovecot_auth_t)
-+
-+fs_getattr_xattr_fs(dovecot_auth_t)
-seutil_dontaudit_search_config(dovecot_auth_t)
++fs_getattr_xattr_fs(dovecot_auth_t)
++
+init_rw_utmp(dovecot_auth_t)
sysnet_use_ldap(dovecot_auth_t)
++userdom_getattr_user_home_dirs(dovecot_auth_t)
++
optional_policy(`
+ kerberos_use(dovecot_auth_t)
+
@@ -21963,7 +21971,7 @@ index a7bfaf0..fe94a6c 100644
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
-@@ -271,15 +278,30 @@ optional_policy(`
+@@ -271,15 +280,30 @@ optional_policy(`
')
optional_policy(`
@@ -21995,7 +22003,7 @@ index a7bfaf0..fe94a6c 100644
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +311,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +313,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -22055,7 +22063,7 @@ index a7bfaf0..fe94a6c 100644
mta_read_queue(dovecot_deliver_t)
')
-@@ -326,5 +355,6 @@ optional_policy(`
+@@ -326,5 +357,6 @@ optional_policy(`
')
optional_policy(`
@@ -38112,7 +38120,7 @@ index 6ffaba2..154cade 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..97e35b2 100644
+index 6194b80..35b2b47 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -38279,10 +38287,10 @@ index 6194b80..97e35b2 100644
- allow $2 mozilla_plugin_rw_t:dir list_dir_perms;
- allow $2 mozilla_plugin_rw_t:file read_file_perms;
- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
--
-- can_exec($2, mozilla_plugin_rw_t)
+ mozilla_filetrans_home_content($2)
+- can_exec($2, mozilla_plugin_rw_t)
+-
- optional_policy(`
- mozilla_dbus_chat_plugin($2)
- ')
@@ -38428,7 +38436,7 @@ index 6194b80..97e35b2 100644
')
########################################
-@@ -303,102 +195,99 @@ interface(`mozilla_domtrans',`
+@@ -303,102 +195,103 @@ interface(`mozilla_domtrans',`
type mozilla_t, mozilla_exec_t;
')
@@ -38516,8 +38524,8 @@ index 6194b80..97e35b2 100644
mozilla_domtrans_plugin($1)
roleattribute $2 mozilla_plugin_roles;
+-')
+ roleattribute $2 mozilla_plugin_config_roles;
- ')
-########################################
-## <summary>
@@ -38533,12 +38541,14 @@ index 6194b80..97e35b2 100644
-interface(`mozilla_domtrans_plugin_config',`
- gen_require(`
- type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
-- ')
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 mozilla_plugin_t:process ptrace;
+ ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
--')
--
+ ')
+
-########################################
+#######################################
## <summary>
@@ -38579,7 +38589,7 @@ index 6194b80..97e35b2 100644
')
########################################
-@@ -424,8 +313,7 @@ interface(`mozilla_dbus_chat',`
+@@ -424,8 +317,7 @@ interface(`mozilla_dbus_chat',`
########################################
## <summary>
@@ -38589,7 +38599,7 @@ index 6194b80..97e35b2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -433,76 +321,108 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +325,108 @@ interface(`mozilla_dbus_chat',`
## </summary>
## </param>
#
@@ -38727,7 +38737,7 @@ index 6194b80..97e35b2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -510,19 +430,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +434,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
## </summary>
## </param>
#
@@ -38752,7 +38762,7 @@ index 6194b80..97e35b2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -530,45 +449,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +453,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
## </summary>
## </param>
#
@@ -52539,35 +52549,38 @@ index 96db654..ff3aadd 100644
+ virt_rw_svirt_dev(pcscd_t)
+')
diff --git a/pegasus.fc b/pegasus.fc
-index dfd46e4..2f407d6 100644
+index dfd46e4..6667b8a 100644
--- a/pegasus.fc
+++ b/pegasus.fc
-@@ -1,15 +1,16 @@
+@@ -1,15 +1,20 @@
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
--/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
--
++
++/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+ /etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
+
-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
++/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
++/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
-+/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
++/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)
-+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
++/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
-/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
++/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
-+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
-
- /usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
-+
+#openlmi agents
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_networking_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_service_exec_t,s0)
++/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
+
+-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
diff --git a/pegasus.if b/pegasus.if
index d2fc677..ded726f 100644
--- a/pegasus.if
@@ -52669,7 +52682,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..04b62f4 100644
+index 7bcf327..71ab12b 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -52693,13 +52706,20 @@ index 7bcf327..04b62f4 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,115 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,196 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
+# pegasus openlmi providers
+pegasus_openlmi_domain_template(account)
+pegasus_openlmi_domain_template(logicalfile)
++pegasus_openlmi_domain_template(networking)
++pegasus_openlmi_domain_template(service)
++
++pegasus_openlmi_domain_template(storage)
++type pegasus_openlmi_storage_tmp_t;
++files_tmp_file(pegasus_openlmi_storage_tmp_t)
++
+pegasus_openlmi_domain_template(unconfined)
+
+#######################################
@@ -52707,12 +52727,17 @@ index 7bcf327..04b62f4 100644
+# pegasus openlmi providers local policy
+#
+
++allow pegasus_openlmi_domain self:capability { setuid setgid };
++
+allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms;
+
+list_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
-+read_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
++rw_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
+
+corecmd_exec_bin(pegasus_openlmi_domain)
++corecmd_exec_shell(pegasus_openlmi_domain)
++
++auth_read_passwd(pegasus_openlmi_domain)
+
+sysnet_read_config(pegasus_openlmi_domain)
+
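Review bot: The new rule at the head of the common section, `allow pegasus_openlmi_domain self:capability { setuid setgid };`, together with the widening of `read_files_pattern` to `rw_files_pattern` on pegasus_data_t, grants setuid/setgid and write access to the shared repository to every domain built from pegasus_openlmi_domain_template, including the new networking, service and storage providers, not only the account and logicalfile domains from which the two following hunks remove those capabilities. If only some providers change identity, keeping the capability in the per-domain sections preserves least privilege; if all of them do, a comment above the rule recording why every cimprovagt needs setuid/setgid (presumably to run as the invoking user, which the hunk does not show) would make the widening reviewable. The enclosing pegasus.te section continues outside this hunk.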
@@ -52725,7 +52750,7 @@ index 7bcf327..04b62f4 100644
+# pegasus openlmi account local policy
+#
+
-+allow pegasus_openlmi_account_t self:capability { setuid chown setgid dac_override };
++allow pegasus_openlmi_account_t self:capability { chown dac_override };
+allow pegasus_openlmi_account_t self:process setfscreate;
+
+auth_manage_passwd(pegasus_openlmi_account_t)
@@ -52756,7 +52781,7 @@ index 7bcf327..04b62f4 100644
+# pegasus openlmi logicalfile local policy
+#
+
-+allow pegasus_openlmi_logicalfile_t self:capability { setuid setgid dac_override };
++allow pegasus_openlmi_logicalfile_t self:capability { dac_override };
+files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t)
+files_manage_non_security_files(pegasus_openlmi_logicalfile_t)
+
@@ -52784,6 +52809,75 @@ index 7bcf327..04b62f4 100644
+
+######################################
+#
++# pegasus openlmi networking local policy
++#
++
++allow pegasus_openlmi_networking_t self:capability { net_admin };
++
++allow pegasus_openlmi_networking_t self:netlink_route_socket r_netlink_socket_perms;;
++allow pegasus_openlmi_networking_t self:udp_socket create_socket_perms;
++
++dev_rw_sysfs(pegasus_openlmi_networking_t)
++dev_read_urand(pegasus_openlmi_networking_t)
++
++optional_policy(`
++ dbus_system_bus_client(pegasus_openlmi_networking_t)
++
++ optional_policy(`
++ networkmanager_dbus_chat(pegasus_openlmi_networking_t)
++ ')
++')
++
++######################################
++#
++# pegasus openlmi service local policy
++#
++
++
++init_disable_services(pegasus_openlmi_service_t)
++init_enable_services(pegasus_openlmi_service_t)
++init_reload_services(pegasus_openlmi_service_t)
++init_exec(pegasus_openlmi_service_t)
++
++systemd_config_all_services(pegasus_openlmi_service_t)
++systemd_manage_all_unit_files(pegasus_openlmi_service_t)
++systemd_manage_all_unit_lnk_files(pegasus_openlmi_service_t)
++
++allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
++
++optional_policy(`
++ dbus_system_bus_client(pegasus_openlmi_service_t)
++')
++
++######################################
++#
++# pegasus openlmi storage local policy
++#
++
++manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
++manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
++files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})
++
++storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_networking_t)
++
++modutils_domtrans_insmod(pegasus_openlmi_storage_t)
++
++udev_domtrans(pegasus_openlmi_storage_t)
++
++optional_policy(`
++ lvm_domtrans(pegasus_openlmi_storage_t)
++')
++
++optional_policy(`
++ mount_domtrans(pegasus_openlmi_storage_t)
++')
++
++optional_policy(`
++ raid_domtrans_mdadm(pegasus_openlmi_storage_t)
++')
++
++######################################
++#
+# pegasus openlmi unconfined local policy
+#
+
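Review bot: `files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})` in the storage section passes the tmp file type where the interface expects the source domain, so the storage provider gets no type transition for its /tmp content; it should read `files_tmp_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, { file dir })`. Two lines later `storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_networking_t)` names the networking domain inside the storage section, which hands fixed-disk device access to the wrong provider and leaves the storage provider without it; the argument is presumably meant to be `pegasus_openlmi_storage_t`. In the networking section `allow pegasus_openlmi_networking_t self:netlink_route_socket r_netlink_socket_perms;;` ends with a doubled semicolon, which checkpolicy is likely to reject as a syntax error when the module is built.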
@@ -52814,7 +52908,7 @@ index 7bcf327..04b62f4 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +148,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +229,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -52845,7 +52939,7 @@ index 7bcf327..04b62f4 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +174,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +255,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -52878,7 +52972,7 @@ index 7bcf327..04b62f4 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,6 +202,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,6 +283,7 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -52886,7 +52980,7 @@ index 7bcf327..04b62f4 100644
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +217,25 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +298,25 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -52918,7 +53012,7 @@ index 7bcf327..04b62f4 100644
')
optional_policy(`
-@@ -151,16 +247,24 @@ optional_policy(`
+@@ -151,16 +328,24 @@ optional_policy(`
')
optional_policy(`
@@ -52939,7 +53033,7 @@ index 7bcf327..04b62f4 100644
+')
+
+optional_policy(`
-+ rpm_exec(pegasus_t)
++ rpm_domtrans(pegasus_t)
+')
+
+optional_policy(`
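Review bot: Replacing `rpm_exec(pegasus_t)` with `rpm_domtrans(pegasus_t)` makes cimserver transition into rpm_t whenever it executes a file labelled rpm_exec_t, and the rpm.fc hunk further down labels /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt with that type, so this CIM provider agent runs in the package-manager domain rather than in a confined pegasus_openlmi_* domain like the account, logicalfile, networking, service and storage agents added by the same commit. rpm_t is a very broad domain in the contrib policy, so whatever is reachable through the Software provider's CIM interface inherits its reach; a dedicated `pegasus_openlmi_domain_template(software)` domain granted only the rpm interfaces it needs would keep the provider within the same model as the other agents. If the domtrans is kept, a comment above it such as `# pycmpiLMI_Software-cimprovagt is labelled rpm_exec_t and runs as rpm_t` would record why pegasus is allowed into rpm_t. The enclosing optional_policy block is visible, but the surrounding pegasus.te section continues outside this hunk.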
@@ -52947,7 +53041,7 @@ index 7bcf327..04b62f4 100644
')
optional_policy(`
-@@ -168,7 +272,7 @@ optional_policy(`
+@@ -168,7 +353,7 @@ optional_policy(`
')
optional_policy(`
@@ -71478,10 +71572,10 @@ index c49828c..a323332 100644
sysnet_dns_name_resolve(rpcbind_t)
diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..1609333 100644
+index ebe91fc..6392cad 100644
--- a/rpm.fc
+++ b/rpm.fc
-@@ -1,61 +1,71 @@
+@@ -1,61 +1,72 @@
-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -71510,6 +71604,7 @@ index ebe91fc..1609333 100644
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 100ca13..0ef0be5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 66%{?dist}
+Release: 67%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Jul 26 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-67
+- Add support for cmpiLMI_Service-cimprovagt
+- Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t
+- Label pycmpiLMI_Software-cimprovagt as rpm_exec_t
+- Add support for pycmpiLMI_Storage-cimprovagt
+- Add support for cmpiLMI_Networking-cimprovagt
+- Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working
+- Allow virtual machines and containers to run as user doains, needed for virt-sandbox
+- Allow buglist.cgi to read cpu info
+
* Wed Jul 24 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-66
- Allow systemd-tmpfile to handle tmp content in print spool dir
- Allow systemd-sysctl to send system log messages