[selinux-policy] - Dontaudit attempts by sosreport to read shadow_t - Allow browser sandbox plugins to connect to cup

Miroslav Grepl mgrepl at fedoraproject.org
Thu Sep 19 08:07:10 UTC 2013


commit 3d49b2727970f64b600f347f9c5e9c9f5ddfc6e8
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Sep 19 09:53:57 2013 +0200

    - Dontaudit attempts by sosreport to read shadow_t
    - Allow browser sandbox plugins to connect to cups to print
    - Add new label mpd_home_t
    - Label /srv/www/logs as httpd_log_t
    - Add support for /var/lib/php/wsdlcache
    - Add zarafa_setrlimit boolean
    - Allow fetchmail to send mails
    - Add labels for apache logs under miq package
    - Allow irc_t to use tcp sockets
    - fix labels in puppet.if
    - Allow tcsd to read utmp file
    - Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to
    - Define svirt_socket_t as a domain_type
    - Take away transition from init_t to initrc_t when executing
    - Fix label on pam_krb5 helper apps

 policy-rawhide-base.patch    |  110 +++++++++-----------
 policy-rawhide-contrib.patch |  235 ++++++++++++++++++++++++++----------------
 selinux-policy.spec          |   19 +++-
 3 files changed, 215 insertions(+), 149 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 32c7dd4..5dab7e5 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3239,7 +3239,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..f9bcd44 100644
+index 644d4d7..6e7dd83 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -3423,7 +3423,7 @@ index 644d4d7..f9bcd44 100644
  /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/tumbler-[^/]*/tumblerd	-- 	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/security/pam_krb5(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/vte/gnome-pty-helper	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/systemd/system-sleep(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
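Review bot: The replacement pattern `/usr/lib/security/pam_krb5(/.*)? -- gen_context(system_u:object_r:bin_t,s0)` widens the executable `bin_t` label from the single `pam_krb5_storetmp` helper to every regular file under that directory, so any data or config file placed there later would also get an executable type; if the directory only ever holds helper binaries that is acceptable, but the reason deserves a comment such as `# pam_krb5 ships several helper executables in this directory` above the line. Note also that the `--` qualifier means the directory inode itself keeps the default library label; only the files below it change. Whether the `/usr/lib64/security` variant is covered depends on the distribution's path substitutions, which this page does not show.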
@@ -27646,7 +27646,7 @@ index 24e7804..c4155c7 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..729cc4f 100644
+index dd3be8d..c56175f 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,24 @@ gen_require(`
@@ -27735,16 +27735,7 @@ index dd3be8d..729cc4f 100644
  type initrc_exec_t, init_script_file_type;
  domain_type(initrc_t)
  domain_entry_file(initrc_t, initrc_exec_t)
-@@ -66,6 +99,8 @@ role system_r types initrc_t;
- # of the below init_upstart tunable
- # but this has a typeattribute in it
- corecmd_shell_entry_type(initrc_t)
-+corecmd_bin_entry_type(initrc_t)
-+corecmd_bin_domtrans(init_t, initrc_t)
- 
- type initrc_devpts_t;
- term_pty(initrc_devpts_t)
-@@ -98,7 +133,8 @@ ifdef(`enable_mls',`
+@@ -98,7 +131,8 @@ ifdef(`enable_mls',`
  #
  
  # Use capabilities. old rule:
@@ -27754,7 +27745,7 @@ index dd3be8d..729cc4f 100644
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -110,12 +146,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -110,12 +144,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
  
  # Re-exec itself
  can_exec(init_t, init_exec_t)
@@ -27794,7 +27785,7 @@ index dd3be8d..729cc4f 100644
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +182,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +180,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -27813,7 +27804,7 @@ index dd3be8d..729cc4f 100644
  
  domain_getpgid_all_domains(init_t)
  domain_kill_all_domains(init_t)
-@@ -139,14 +200,20 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +198,20 @@ domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
  domain_sigchld_all_domains(init_t)
@@ -27834,7 +27825,7 @@ index dd3be8d..729cc4f 100644
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +223,49 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +221,49 @@ fs_list_inotifyfs(init_t)
  fs_write_ramfs_sockets(init_t)
  
  mcs_process_set_categories(init_t)
@@ -27887,7 +27878,7 @@ index dd3be8d..729cc4f 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +274,186 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +272,187 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -28051,6 +28042,7 @@ index dd3be8d..729cc4f 100644
 +
 +auth_use_nsswitch(init_t)
 +auth_rw_login_records(init_t)
++auth_domtrans_chk_passwd(init_t)
 +
 +optional_policy(`
 +	lvm_rw_pipes(init_t)
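Review bot: `auth_domtrans_chk_passwd(init_t)` is a new privilege for the init domain that appears nowhere in the commit description and carries no in-policy comment; it lets init execute the PAM password-check helper with a transition into the helper's domain, which by design is the domain allowed to read the shadow file, so a later reader cannot tell which service triggered the denial or whether this should instead belong to that service's own domain. A one-line comment naming the trigger, e.g. `# [TODO: name the unit/service] checks passwords through the PAM helper`, would make the grant auditable. The inner hunk this line sits in (`@@ -186,29 +272,187 @@`) begins and ends outside this outer hunk, so the surrounding `ifdef` block is not visible here.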
@@ -28082,7 +28074,7 @@ index dd3be8d..729cc4f 100644
  ')
  
  optional_policy(`
-@@ -216,7 +461,29 @@ optional_policy(`
+@@ -216,7 +460,29 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28112,7 +28104,7 @@ index dd3be8d..729cc4f 100644
  ')
  
  ########################################
-@@ -225,8 +492,9 @@ optional_policy(`
+@@ -225,8 +491,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28124,7 +28116,7 @@ index dd3be8d..729cc4f 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -257,12 +525,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +524,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28141,7 +28133,7 @@ index dd3be8d..729cc4f 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +550,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +549,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -28184,7 +28176,7 @@ index dd3be8d..729cc4f 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +587,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +586,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -28196,7 +28188,7 @@ index dd3be8d..729cc4f 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -312,8 +599,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +598,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -28207,7 +28199,7 @@ index dd3be8d..729cc4f 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -321,8 +610,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +609,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -28217,7 +28209,7 @@ index dd3be8d..729cc4f 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -331,7 +619,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +618,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -28225,7 +28217,7 @@ index dd3be8d..729cc4f 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -339,6 +626,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +625,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -28233,7 +28225,7 @@ index dd3be8d..729cc4f 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -346,14 +634,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +633,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -28251,7 +28243,7 @@ index dd3be8d..729cc4f 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -363,8 +652,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +651,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -28265,7 +28257,7 @@ index dd3be8d..729cc4f 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -374,10 +667,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +666,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -28279,7 +28271,7 @@ index dd3be8d..729cc4f 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -386,6 +680,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +679,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -28287,7 +28279,7 @@ index dd3be8d..729cc4f 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -397,6 +692,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +691,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -28295,7 +28287,7 @@ index dd3be8d..729cc4f 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -415,20 +711,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +710,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -28319,7 +28311,7 @@ index dd3be8d..729cc4f 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +744,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +743,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -28327,7 +28319,7 @@ index dd3be8d..729cc4f 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +778,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +777,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -28338,7 +28330,7 @@ index dd3be8d..729cc4f 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -505,7 +802,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +801,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -28347,7 +28339,7 @@ index dd3be8d..729cc4f 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -520,6 +817,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +816,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -28355,7 +28347,7 @@ index dd3be8d..729cc4f 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -540,6 +838,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +837,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -28363,7 +28355,7 @@ index dd3be8d..729cc4f 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +848,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +847,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -28408,7 +28400,7 @@ index dd3be8d..729cc4f 100644
  	')
  
  	optional_policy(`
-@@ -558,14 +893,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +892,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -28440,7 +28432,7 @@ index dd3be8d..729cc4f 100644
  	')
  ')
  
-@@ -576,6 +928,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +927,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -28480,7 +28472,7 @@ index dd3be8d..729cc4f 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +973,8 @@ optional_policy(`
+@@ -588,6 +972,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -28489,7 +28481,7 @@ index dd3be8d..729cc4f 100644
  ')
  
  optional_policy(`
-@@ -609,6 +996,7 @@ optional_policy(`
+@@ -609,6 +995,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -28497,7 +28489,7 @@ index dd3be8d..729cc4f 100644
  ')
  
  optional_policy(`
-@@ -625,6 +1013,17 @@ optional_policy(`
+@@ -625,6 +1012,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28515,7 +28507,7 @@ index dd3be8d..729cc4f 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -641,9 +1040,13 @@ optional_policy(`
+@@ -641,9 +1039,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -28529,7 +28521,7 @@ index dd3be8d..729cc4f 100644
  	')
  
  	optional_policy(`
-@@ -656,15 +1059,11 @@ optional_policy(`
+@@ -656,15 +1058,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28547,7 +28539,7 @@ index dd3be8d..729cc4f 100644
  ')
  
  optional_policy(`
-@@ -685,6 +1084,15 @@ optional_policy(`
+@@ -685,6 +1083,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28563,7 +28555,7 @@ index dd3be8d..729cc4f 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -725,6 +1133,7 @@ optional_policy(`
+@@ -725,6 +1132,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -28571,7 +28563,7 @@ index dd3be8d..729cc4f 100644
  ')
  
  optional_policy(`
-@@ -742,7 +1151,13 @@ optional_policy(`
+@@ -742,7 +1150,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28586,7 +28578,7 @@ index dd3be8d..729cc4f 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -765,6 +1180,10 @@ optional_policy(`
+@@ -765,6 +1179,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28597,7 +28589,7 @@ index dd3be8d..729cc4f 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -774,10 +1193,20 @@ optional_policy(`
+@@ -774,10 +1192,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28618,7 +28610,7 @@ index dd3be8d..729cc4f 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -786,6 +1215,10 @@ optional_policy(`
+@@ -786,6 +1214,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28629,7 +28621,7 @@ index dd3be8d..729cc4f 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -807,8 +1240,6 @@ optional_policy(`
+@@ -807,8 +1239,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -28638,7 +28630,7 @@ index dd3be8d..729cc4f 100644
  ')
  
  optional_policy(`
-@@ -817,6 +1248,10 @@ optional_policy(`
+@@ -817,6 +1247,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28649,7 +28641,7 @@ index dd3be8d..729cc4f 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -826,10 +1261,12 @@ optional_policy(`
+@@ -826,10 +1260,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -28662,7 +28654,7 @@ index dd3be8d..729cc4f 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1293,28 @@ optional_policy(`
+@@ -856,12 +1292,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28692,7 +28684,7 @@ index dd3be8d..729cc4f 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1324,18 @@ optional_policy(`
+@@ -871,6 +1323,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -28711,7 +28703,7 @@ index dd3be8d..729cc4f 100644
  ')
  
  optional_policy(`
-@@ -886,6 +1351,10 @@ optional_policy(`
+@@ -886,6 +1350,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28722,7 +28714,7 @@ index dd3be8d..729cc4f 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -896,3 +1365,196 @@ optional_policy(`
+@@ -896,3 +1364,196 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index bcccef1..f479fe8 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2957,10 +2957,10 @@ index 0000000..fd48ed9
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 550a69e..53e5708 100644
+index 550a69e..842225c 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,161 +1,196 @@
+@@ -1,161 +1,199 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3024,6 +3024,7 @@ index 550a69e..53e5708 100644
  
 -/usr/.*\.cgi	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/srv/([^/]*/)?www/logs(/.*)?        gen_context(system_u:object_r:httpd_log_t,s0)
 +/srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  
 -/usr/bin/htsslpass	--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
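Review bot: The new `/srv/([^/]*/)?www/logs(/.*)?` entry shares the same literal stem (`/srv/`) with the `httpd_sys_content_t` entry directly above it, so as far as I recall libselinux's matching the winner is decided by file order rather than by pattern specificity; that means this line must stay below the `httpd_sys_content_t` line, and a short comment `# must follow the /srv/...www entry: same stem, later line wins` would protect the ordering from a future resort. The `/var/www/miq/vmdb/log(/.*)?` addition in the later apache.fc hunk does not have this dependency because its literal prefix is longer than `/var/www`. On style, both new lines are aligned with spaces while the neighbouring entries use tabs; writing them as `/srv/([^/]*/)?www/logs(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)` keeps the file's column layout.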
@@ -3166,6 +3167,8 @@ index 550a69e..53e5708 100644
 +/var/lib/mod_security(/.*)?     gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/nginx(/.*)?            gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/lib/php/wsdlcache(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
++
  /var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
 -/var/lib/stickshift/.httpd.d(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
 -/var/lib/svn(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
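Review bot: The empty `++` line inserted after the `wsdlcache` entry splits the `/var/lib/php/...` group from the `/var/lib/squirrelmail` entry it previously sat next to, which is a style regression in a file that otherwise keeps `/var/lib` entries contiguous; dropping that blank line restores the grouping. Since the label choice mirrors the `session` line above it, a brief comment such as `# PHP SOAP WSDL cache: httpd writes it like the session dir` would record why a cache under `/var/lib` gets `httpd_var_run_t` rather than `httpd_var_lib_t`.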
@@ -3230,6 +3233,7 @@ index 550a69e..53e5708 100644
 +/var/www/[^/]*/cgi-bin(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/www/miq/vmdb/log(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  
 -/var/run/apache.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -3292,7 +3296,6 @@ index 550a69e..53e5708 100644
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +
 +/var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-+
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
@@ -10778,10 +10781,10 @@ index 0000000..5977d96
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..25f2d55
+index 0000000..406f3a0
 --- /dev/null
 +++ b/chrome.te
-@@ -0,0 +1,238 @@
+@@ -0,0 +1,242 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -10958,6 +10961,10 @@ index 0000000..25f2d55
 +')
 +
 +optional_policy(`
++	cups_stream_connect(chrome_sandbox_t)
++')
++
++optional_policy(`
 +	sandbox_use_ptys(chrome_sandbox_t)
 +')
 +
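Review bot: `cups_stream_connect(chrome_sandbox_t)` gives the sandboxed plugin domain a connection to the cupsd socket, and that socket carries the whole IPP interface rather than only job submission, so the kernel policy now relies on cupsd's own operation policy to keep sandboxed code away from administrative requests; that trade-off is reasonable for printing but should be written down next to the rule, e.g. `# printing from sandboxed plugins; cupsd's own policy limits admin operations`. The same applies to the `cups_stream_connect(mozilla_plugin_t)` line added in the mozilla.te hunk of the contrib patch, which likewise has no comment.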
@@ -23744,7 +23751,7 @@ index c3f7916..cab3954 100644
  	admin_pattern($1, fetchmail_etc_t)
  
 diff --git a/fetchmail.te b/fetchmail.te
-index f0388cb..8e7f99e 100644
+index f0388cb..2e94f0e 100644
 --- a/fetchmail.te
 +++ b/fetchmail.te
 @@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t)
@@ -23786,7 +23793,7 @@ index f0388cb..8e7f99e 100644
  corenet_all_recvfrom_netlabel(fetchmail_t)
  corenet_tcp_sendrecv_generic_if(fetchmail_t)
  corenet_tcp_sendrecv_generic_node(fetchmail_t)
-@@ -84,15 +86,19 @@ fs_search_auto_mountpoints(fetchmail_t)
+@@ -84,15 +86,23 @@ fs_search_auto_mountpoints(fetchmail_t)
  
  domain_use_interactive_fds(fetchmail_t)
  
@@ -23804,6 +23811,10 @@ index f0388cb..8e7f99e 100644
 -userdom_search_user_home_dirs(fetchmail_t)
 +
 +optional_policy(`
++    mta_send_mail(fetchmail_t)
++')
++
++optional_policy(`
 +	kerberos_use(fetchmail_t)
 +')
  
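Review bot: The new `mta_send_mail(fetchmail_t)` line is indented with four spaces while the sibling `kerberos_use(fetchmail_t)` block two lines below uses a tab, which is the convention throughout the surrounding patch; indent it with a tab so the two `optional_policy` blocks read identically. The rule itself matches fetchmail's delivery path (handing fetched mail to the local MTA), so it is worth a short comment such as `# deliver fetched mail through the local MTA` to tie the grant to that purpose.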
@@ -30375,7 +30386,7 @@ index ac00fb0..36ef2e5 100644
 +		userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
  ')
 diff --git a/irc.te b/irc.te
-index ecad9c7..86d790f 100644
+index ecad9c7..e413e5a 100644
 --- a/irc.te
 +++ b/irc.te
 @@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t
@@ -30449,7 +30460,7 @@ index ecad9c7..86d790f 100644
  
  fs_getattr_all_fs(irc_t)
  fs_search_auto_mountpoints(irc_t)
-@@ -106,13 +120,15 @@ auth_use_nsswitch(irc_t)
+@@ -106,15 +120,18 @@ auth_use_nsswitch(irc_t)
  init_read_utmp(irc_t)
  init_dontaudit_lock_utmp(irc_t)
  
@@ -30466,8 +30477,11 @@ index ecad9c7..86d790f 100644
 +userdom_use_inherited_user_terminals(irc_t)
  
  tunable_policy(`irc_use_any_tcp_ports',`
++	allow irc_t self:tcp_socket create_stream_socket_perms;
  	corenet_sendrecv_all_server_packets(irc_t)
-@@ -122,18 +138,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
+ 	corenet_tcp_bind_all_unreserved_ports(irc_t)
+ 	corenet_sendrecv_all_client_packets(irc_t)
+@@ -122,18 +139,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
  	corenet_tcp_sendrecv_all_ports(irc_t)
  ')
  
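Review bot: `allow irc_t self:tcp_socket create_stream_socket_perms;` is placed inside the `irc_use_any_tcp_ports` tunable block, so with the boolean off irc_t cannot create a TCP socket at all, not merely cannot use arbitrary ports; if the client is expected to reach the standard IRC ports without the boolean, the self-socket rule belongs outside the `tunable_policy` block next to the unconditional `corenet_*` rules, and if all TCP use really is meant to be opt-in, a comment saying so above the tunable would stop the next reader from "fixing" it. The rest of the tunable block continues in the following inner hunk, so the full set of gated rules is not visible here.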
@@ -39971,7 +39985,7 @@ index 6194b80..bb32d40 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..2108bc7 100644
+index 6a306ee..a74ab9d 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -1,4 +1,4 @@
@@ -40242,11 +40256,11 @@ index 6a306ee..2108bc7 100644
  miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
  
 -userdom_use_user_ptys(mozilla_t)
-+userdom_use_inherited_user_ptys(mozilla_t)
- 
+-
 -userdom_manage_user_tmp_dirs(mozilla_t)
 -userdom_manage_user_tmp_files(mozilla_t)
--
++userdom_use_inherited_user_ptys(mozilla_t)
+ 
 -userdom_manage_user_home_content_dirs(mozilla_t)
 -userdom_manage_user_home_content_files(mozilla_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
@@ -40415,7 +40429,7 @@ index 6a306ee..2108bc7 100644
  ')
  
  optional_policy(`
-@@ -300,221 +324,184 @@ optional_policy(`
+@@ -300,259 +324,234 @@ optional_policy(`
  
  ########################################
  #
@@ -40498,12 +40512,12 @@ index 6a306ee..2108bc7 100644
  allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
--
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
 +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
  
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-
 -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
 +can_exec(mozilla_plugin_t, mozilla_exec_t)
  
@@ -40673,12 +40687,12 @@ index 6a306ee..2108bc7 100644
  
 -userdom_manage_user_tmp_dirs(mozilla_plugin_t)
 -userdom_manage_user_tmp_files(mozilla_plugin_t)
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+ 
 -userdom_manage_user_home_content_dirs(mozilla_plugin_t)
 -userdom_manage_user_home_content_files(mozilla_plugin_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
- 
+-
 -userdom_write_user_tmp_sockets(mozilla_plugin_t)
 +term_getattr_all_ttys(mozilla_plugin_t)
 +term_getattr_all_ptys(mozilla_plugin_t)
@@ -40702,14 +40716,22 @@ index 6a306ee..2108bc7 100644
 -ifndef(`enable_mls',`
 -	fs_list_dos(mozilla_plugin_t)
 -	fs_read_dos_files(mozilla_plugin_t)
--
++userdom_read_user_home_content_files(mozilla_plugin_t)
++userdom_read_user_home_content_symlinks(mozilla_plugin_t)
++userdom_read_home_certs(mozilla_plugin_t)
++userdom_read_home_audio_files(mozilla_plugin_t)
++userdom_exec_user_tmp_files(mozilla_plugin_t)
+ 
 -	fs_search_removable(mozilla_plugin_t)
 -	fs_read_removable_files(mozilla_plugin_t)
 -	fs_read_removable_symlinks(mozilla_plugin_t)
--
++userdom_home_manager(mozilla_plugin_t)
+ 
 -	fs_read_iso9660_files(mozilla_plugin_t)
--')
--
++tunable_policy(`mozilla_plugin_can_network_connect',`
++	corenet_tcp_connect_all_ports(mozilla_plugin_t)
+ ')
+ 
 -tunable_policy(`allow_execmem',`
 -	allow mozilla_plugin_t self:process execmem;
 -')
@@ -40717,43 +40739,46 @@ index 6a306ee..2108bc7 100644
 -tunable_policy(`mozilla_execstack',`
 -	allow mozilla_plugin_t self:process { execmem execstack };
 -')
-+userdom_read_user_home_content_files(mozilla_plugin_t)
-+userdom_read_user_home_content_symlinks(mozilla_plugin_t)
-+userdom_read_home_certs(mozilla_plugin_t)
-+userdom_read_home_audio_files(mozilla_plugin_t)
-+userdom_exec_user_tmp_files(mozilla_plugin_t)
- 
+-
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_manage_nfs_dirs(mozilla_plugin_t)
 -	fs_manage_nfs_files(mozilla_plugin_t)
 -	fs_manage_nfs_symlinks(mozilla_plugin_t)
--')
-+userdom_home_manager(mozilla_plugin_t)
++optional_policy(`
++	alsa_read_rw_config(mozilla_plugin_t)
++	alsa_read_home_files(mozilla_plugin_t)
+ ')
  
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(mozilla_plugin_t)
 -	fs_manage_cifs_files(mozilla_plugin_t)
 -	fs_manage_cifs_symlinks(mozilla_plugin_t)
-+tunable_policy(`mozilla_plugin_can_network_connect',`
-+	corenet_tcp_connect_all_ports(mozilla_plugin_t)
++optional_policy(`
++	apache_list_modules(mozilla_plugin_t)
  ')
  
  optional_policy(`
-@@ -523,36 +510,44 @@ optional_policy(`
+-	alsa_read_rw_config(mozilla_plugin_t)
+-	alsa_read_home_files(mozilla_plugin_t)
++	cups_stream_connect(mozilla_plugin_t)
  ')
  
  optional_policy(`
 -	automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t)
-+	apache_list_modules(mozilla_plugin_t)
++	dbus_system_bus_client(mozilla_plugin_t)
++	dbus_session_bus_client(mozilla_plugin_t)
++	dbus_connect_session_bus(mozilla_plugin_t)
++	dbus_read_lib_files(mozilla_plugin_t)
  ')
  
  optional_policy(`
 -	dbus_all_session_bus_client(mozilla_plugin_t)
 -	dbus_connect_all_session_bus(mozilla_plugin_t)
- 	dbus_system_bus_client(mozilla_plugin_t)
-+	dbus_session_bus_client(mozilla_plugin_t)
-+	dbus_connect_session_bus(mozilla_plugin_t)
-+	dbus_read_lib_files(mozilla_plugin_t)
+-	dbus_system_bus_client(mozilla_plugin_t)
++	gnome_manage_config(mozilla_plugin_t)
++	gnome_read_usr_config(mozilla_plugin_t)
++	gnome_filetrans_home_content(mozilla_plugin_t)
++	gnome_exec_gstreamer_home_files(mozilla_plugin_t)
  ')
  
  optional_policy(`
@@ -40761,13 +40786,6 @@ index 6a306ee..2108bc7 100644
 -	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
 -	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
 -	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
-+	gnome_manage_config(mozilla_plugin_t)
-+	gnome_read_usr_config(mozilla_plugin_t)
-+	gnome_filetrans_home_content(mozilla_plugin_t)
-+	gnome_exec_gstreamer_home_files(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
 +	gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
  ')
  
@@ -40797,7 +40815,7 @@ index 6a306ee..2108bc7 100644
  ')
  
  optional_policy(`
-@@ -560,7 +555,7 @@ optional_policy(`
+@@ -560,7 +559,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40806,7 +40824,7 @@ index 6a306ee..2108bc7 100644
  ')
  
  optional_policy(`
-@@ -568,108 +563,128 @@ optional_policy(`
+@@ -568,108 +567,128 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40993,10 +41011,16 @@ index 6a306ee..2108bc7 100644
 +    fs_manage_dos_files(mozilla_plugin_t)
  ')
 diff --git a/mpd.fc b/mpd.fc
-index 313ce52..6aa46d2 100644
+index 313ce52..ae93e07 100644
 --- a/mpd.fc
 +++ b/mpd.fc
-@@ -9,3 +9,5 @@
+@@ -1,3 +1,5 @@
++HOME_DIR/\.mpd(/.*)?    gen_context(system_u:object_r:mpd_home_t,s0)
++
+ /etc/mpd\.conf	--	gen_context(system_u:object_r:mpd_etc_t,s0)
+ 
+ /etc/rc\.d/init\.d/mpd	--	gen_context(system_u:object_r:mpd_initrc_exec_t,s0)
+@@ -9,3 +11,5 @@
  /var/lib/mpd/playlists(/.*)?	gen_context(system_u:object_r:mpd_data_t,s0)
  
  /var/log/mpd(/.*)?	gen_context(system_u:object_r:mpd_log_t,s0)
@@ -41048,13 +41072,16 @@ index 5fa77c7..2e01c7d 100644
  	domain_system_change_exemption($1)
  	role_transition $2 mpd_initrc_exec_t system_r;
 diff --git a/mpd.te b/mpd.te
-index 7c8afcc..29d8881 100644
+index 7c8afcc..41f4352 100644
 --- a/mpd.te
 +++ b/mpd.te
-@@ -62,18 +62,22 @@ files_type(mpd_var_lib_t)
+@@ -62,18 +62,25 @@ files_type(mpd_var_lib_t)
  type mpd_user_data_t;
  userdom_user_home_content(mpd_user_data_t) # customizable
  
++type mpd_home_t;
++userdom_user_home_content(mpd_home_t)
++
 +type mpd_var_run_t;
 +files_pid_file(mpd_var_run_t)
 +
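Review bot: `mpd_home_t` is declared here but the mpd.if hunk at the top of this outer hunk, which shows `admin_pattern($1, ...)` calls from the admin interface, receives no matching addition; if `mpd_admin` enumerates the module's types with `admin_pattern`, the new home type should be added there too or the admin role will be unable to manage `~/.mpd` content (hedged, since the full interface is outside this hunk). A comment above the declaration, e.g. `# ~/.mpd: per-user state and playlists, see mpd.fc`, would also tie the type to the new `HOME_DIR/\.mpd(/.*)?` file-context entry added in the preceding hunk.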
@@ -41075,7 +41102,7 @@ index 7c8afcc..29d8881 100644
  
  allow mpd_t mpd_data_t:dir manage_dir_perms;
  allow mpd_t mpd_data_t:file manage_file_perms;
-@@ -104,13 +108,18 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+@@ -104,13 +111,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
  manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
  files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir)
  
@@ -41085,6 +41112,10 @@ index 7c8afcc..29d8881 100644
 +manage_lnk_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
 +files_pid_filetrans(mpd_t, mpd_var_run_t, { file dir sock_file })
 +
++manage_files_pattern(mpd_t, mpd_home_t, mpd_home_t)
++manage_dirs_pattern(mpd_t, mpd_home_t, mpd_home_t)
++manage_lnk_files_pattern(mpd_t, mpd_home_t, mpd_home_t)
++
  kernel_getattr_proc(mpd_t)
  kernel_read_system_state(mpd_t)
  kernel_read_kernel_sysctls(mpd_t)
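Review bot: The three `manage_*_pattern(mpd_t, mpd_home_t, mpd_home_t)` rules are unconditional, while the hunk at `@@ -150,7 +166,9 @@` shows that searching user home directories is gated by the `mpd_enable_homedirs` tunable; the daemon therefore only reaches `~/.mpd` when the boolean is on, but the grant itself does not say so and would silently become effective if any other rule ever gives mpd_t a path into home directories. Moving the three lines into the existing `tunable_policy(`mpd_enable_homedirs',` block makes the intent explicit and keeps the home-directory access opt-in in one place. If they are deliberately unconditional, a comment explaining why should precede them.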
@@ -41095,7 +41126,7 @@ index 7c8afcc..29d8881 100644
  corenet_all_recvfrom_netlabel(mpd_t)
  corenet_tcp_sendrecv_generic_if(mpd_t)
  corenet_tcp_sendrecv_generic_node(mpd_t)
-@@ -139,9 +148,9 @@ dev_read_sound(mpd_t)
+@@ -139,9 +155,9 @@ dev_read_sound(mpd_t)
  dev_write_sound(mpd_t)
  dev_read_sysfs(mpd_t)
  
@@ -41106,7 +41137,7 @@ index 7c8afcc..29d8881 100644
  fs_list_inotifyfs(mpd_t)
  fs_rw_anon_inodefs_files(mpd_t)
  fs_search_auto_mountpoints(mpd_t)
-@@ -150,7 +159,9 @@ auth_use_nsswitch(mpd_t)
+@@ -150,7 +166,9 @@ auth_use_nsswitch(mpd_t)
  
  logging_send_syslog_msg(mpd_t)
  
@@ -41117,7 +41148,7 @@ index 7c8afcc..29d8881 100644
  
  tunable_policy(`mpd_enable_homedirs',`
  	userdom_search_user_home_dirs(mpd_t)
-@@ -191,7 +202,7 @@ optional_policy(`
+@@ -191,7 +209,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41126,7 +41157,7 @@ index 7c8afcc..29d8881 100644
  ')
  
  optional_policy(`
-@@ -199,6 +210,16 @@ optional_policy(`
+@@ -199,6 +217,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51833,7 +51864,7 @@ index 0000000..fdc4a03
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..9724884
+index 0000000..55c843c
 --- /dev/null
 +++ b/openshift.te
 @@ -0,0 +1,549 @@
@@ -52383,7 +52414,7 @@ index 0000000..9724884
 +')
 +
 +optional_policy(`
-+	ssh_exec_keygen(openshift_cron_t)
++	ssh_domtrans_keygen(openshift_cron_t)
 +	ssh_dontaudit_read_server_keys(openshift_cron_t)
 +')
 diff --git a/openvpn.fc b/openvpn.fc
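Review bot: Switching openshift_cron_t from ssh_exec_keygen to ssh_domtrans_keygen turns an exec-in-domain into a transition into ssh_keygen_t, which the changelog says is done "to access host keys"; the privileges of ssh_keygen_t are not visible here, but a domain whose job is to generate the sshd host keys is presumably a broad one to hand to cron-driven jobs. A comment recording which keys the cron jobs actually need would let a later reviewer judge whether the host-key domain is the least privilege that works, e.g. `# cron jobs run ssh-keygen; transition to ssh_keygen_t because the job needs the host keys (see 3.12.1-81 changelog)`. The ssh_dontaudit_read_server_keys line at L933 still governs openshift_cron_t itself and is unaffected by the transition.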
@@ -53732,7 +53763,7 @@ index bf59ef7..c050b37 100644
 +	manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
  ')
 diff --git a/passenger.te b/passenger.te
-index 4e114ff..6691677 100644
+index 4e114ff..1b1cb71 100644
 --- a/passenger.te
 +++ b/passenger.te
 @@ -1,4 +1,4 @@
@@ -53783,7 +53814,7 @@ index 4e114ff..6691677 100644
  
  manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
  manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
-@@ -45,19 +50,20 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+@@ -45,19 +50,22 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
  manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
  files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
  
@@ -53796,6 +53827,8 @@ index 4e114ff..6691677 100644
  
  kernel_read_system_state(passenger_t)
  kernel_read_kernel_sysctls(passenger_t)
++kernel_read_network_state(passenger_t)
++kernel_read_net_sysctls(passenger_t)
  
  corenet_all_recvfrom_netlabel(passenger_t)
 -corenet_all_recvfrom_unlabeled(passenger_t)
@@ -53809,7 +53842,7 @@ index 4e114ff..6691677 100644
  
  corecmd_exec_bin(passenger_t)
  corecmd_exec_shell(passenger_t)
-@@ -66,8 +72,6 @@ dev_read_urand(passenger_t)
+@@ -66,14 +74,14 @@ dev_read_urand(passenger_t)
  
  domain_read_all_domains_state(passenger_t)
  
@@ -53818,7 +53851,15 @@ index 4e114ff..6691677 100644
  auth_use_nsswitch(passenger_t)
  
  logging_send_syslog_msg(passenger_t)
-@@ -90,14 +94,21 @@ optional_policy(`
+ 
+ miscfiles_read_localization(passenger_t)
+ 
++sysnet_exec_ifconfig(passenger_t)
++
+ userdom_dontaudit_use_user_terminals(passenger_t)
+ 
+ optional_policy(`
+@@ -90,14 +98,21 @@ optional_policy(`
  ')
  
  optional_policy(`
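Review bot: sysnet_exec_ifconfig(passenger_t) at L980 lets passenger execute ifconfig inside its own domain with no comment saying why; this hunk grants no net_admin or other write-side network permission, so presumably the call only enumerates interfaces. Suggest placing `# passenger runs ifconfig only to list interfaces; it executes in passenger_t (no transition) and has no net_admin, so it cannot reconfigure them` above the line. If the real use turns out to configure interfaces, sysnet_domtrans_ifconfig is the alternative rather than widening passenger_t. The optional_policy block opened at L988 continues past the hunk.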
@@ -63265,7 +63306,7 @@ index 4ecda09..8c0b242 100644
 +/var/log/puppet(/.*)?			gen_context(system_u:object_r:puppet_log_t,s0)
 +/var/run/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_run_t,s0)
 diff --git a/puppet.if b/puppet.if
-index 7cb8b1f..46650f0 100644
+index 7cb8b1f..9422c90 100644
 --- a/puppet.if
 +++ b/puppet.if
 @@ -1,4 +1,32 @@
@@ -63293,11 +63334,11 @@ index 7cb8b1f..46650f0 100644
 +#
 +interface(`puppet_domtrans_master',`
 +	gen_require(`
-+		type puppetmaster_t, puppetmaster_t_exec_t;
++		type puppetmaster_t, puppetmaster_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
-+	domtrans_pattern($1, puppetmaster_t_exec_t, puppetmaster_t)
++	domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t)
 +')
  
  ########################################
@@ -63576,7 +63617,7 @@ index 7cb8b1f..46650f0 100644
  
 -	files_search_var_lib($1)
 -	admin_pattern($1, puppet_var_lib_t)
-+    logging_search_logs($1)
++    files_search_etc($1)
 +	list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
 +    read_files_pattern($1, puppet_etc_t, puppet_etc_t)
 +')
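Review bot: L1017 and L1019 indent with four spaces while L1018 between them uses a tab; refpolicy interface bodies are tab-indented, and mixed indentation inside a single interface is the kind of thing the reference policy's style checks flag. Tab-indenting the two lines, `files_search_etc($1)` and `read_files_pattern($1, puppet_etc_t, puppet_etc_t)`, keeps the body consistent with the line between them. Pairing files_search_etc with reads of puppet_etc_t is the right fix over the old logging_search_logs; the interface's header and gen_require lie outside the hunk.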
@@ -82749,7 +82790,7 @@ index 634c6b4..e1edfd9 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index 703efa3..f9d6ed6 100644
+index 703efa3..9610be1 100644
 --- a/sosreport.te
 +++ b/sosreport.te
 @@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
@@ -82814,7 +82855,7 @@ index 703efa3..f9d6ed6 100644
  files_read_var_lib_files(sosreport_t)
  files_read_var_symlinks(sosreport_t)
  files_read_kernel_modules(sosreport_t)
-@@ -79,27 +95,41 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -79,27 +95,42 @@ files_manage_etc_runtime_files(sosreport_t)
  files_etc_filetrans_etc_runtime(sosreport_t, file)
  
  fs_getattr_all_fs(sosreport_t)
@@ -82833,6 +82874,7 @@ index 703efa3..f9d6ed6 100644
 +files_read_non_security_files(sosreport_t)
 +
  auth_use_nsswitch(sosreport_t)
++auth_dontaudit_read_shadow(sosreport_t)
  
  init_domtrans_script(sosreport_t)
 +init_getattr_initctl(sosreport_t)
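Review bot: auth_dontaudit_read_shadow(sosreport_t) silences the shadow_t denial without a comment recording that this is deliberate, so a later maintainer chasing an "sosreport cannot collect /etc" report may simply swap it for auth_read_shadow. Suggest `# sosreport walks /etc and touches shadow_t; dontaudit rather than allow - collected reports must not carry password hashes` above the line. files_read_non_security_files at L1040 presumably already keeps security_file_type (which shadow_t carries in refpolicy) out of the allowed set, so the dontaudit is noise suppression, not a new grant - worth saying in the same comment.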
@@ -82858,7 +82900,7 @@ index 703efa3..f9d6ed6 100644
  ')
  
  optional_policy(`
-@@ -111,6 +141,11 @@ optional_policy(`
+@@ -111,6 +142,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86063,10 +86105,10 @@ index b42ec1d..91b8f71 100644
  	tcsd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/tcsd.te b/tcsd.te
-index ac8213a..20fa71f 100644
+index ac8213a..14da480 100644
 --- a/tcsd.te
 +++ b/tcsd.te
-@@ -41,10 +41,6 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t)
+@@ -41,10 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t)
  dev_read_urand(tcsd_t)
  dev_rw_tpm(tcsd_t)
  
@@ -86074,9 +86116,11 @@ index ac8213a..20fa71f 100644
 -
  auth_use_nsswitch(tcsd_t)
  
- logging_send_syslog_msg(tcsd_t)
--
+-logging_send_syslog_msg(tcsd_t)
++init_read_utmp(tcsd_t)
+ 
 -miscfiles_read_localization(tcsd_t)
++logging_send_syslog_msg(tcsd_t)
 diff --git a/telepathy.fc b/telepathy.fc
 index c7de0cf..03fc880 100644
 --- a/telepathy.fc
@@ -92543,7 +92587,7 @@ index 9dec06c..4e31afe 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..348df8f 100644
+index 1f22fba..50f7cf9 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,104 @@
@@ -94302,7 +94346,7 @@ index 1f22fba..348df8f 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1352,122 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1352,123 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -94419,6 +94463,7 @@ index 1f22fba..348df8f 100644
 +#
 +
 +type svirt_socket_t;
++domain_type(svirt_socket_t)
 +role system_r types svirt_socket_t;
 +allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
 +allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
@@ -97518,25 +97563,32 @@ index 36e32df..3d08962 100644
 +    manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
  ')
 diff --git a/zarafa.te b/zarafa.te
-index a4479b1..7a9f1b6 100644
+index a4479b1..a40d580 100644
 --- a/zarafa.te
 +++ b/zarafa.te
-@@ -1,4 +1,4 @@
+@@ -1,13 +1,18 @@
 -policy_module(zarafa, 1.1.4)
 +policy_module(zarafa, 1.1.0)
  
  ########################################
  #
-@@ -6,8 +6,6 @@ policy_module(zarafa, 1.1.4)
+ # Declarations
  #
  
++## <desc>
++##  <p>
++## Allow zarafa domains to setrlimit/sys_rouserce.
++##  </p>
++## </desc>
++gen_tunable(zarafa_setrlimit, false)
++
  attribute zarafa_domain;
 -attribute zarafa_logfile;
 -attribute zarafa_pidfile;
  
  zarafa_domain_template(deliver)
  
-@@ -17,9 +15,6 @@ files_tmp_file(zarafa_deliver_tmp_t)
+@@ -17,9 +22,6 @@ files_tmp_file(zarafa_deliver_tmp_t)
  type zarafa_etc_t;
  files_config_file(zarafa_etc_t)
  
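Review bot: The boolean description at L1130 reads `sys_rouserce`; this `<desc>` text is what semanage boolean -l and setsebool display for zarafa_setrlimit, so the typo becomes user-visible. Replace the line with `## Allow zarafa domains to call setrlimit and use the sys_resource capability.`. It would also help to state when an administrator needs to turn the boolean on, though the rules it gates are in a later hunk and whether zarafa raises its limits at startup is not shown here.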
@@ -97546,7 +97598,7 @@ index a4479b1..7a9f1b6 100644
  zarafa_domain_template(gateway)
  zarafa_domain_template(ical)
  zarafa_domain_template(indexer)
-@@ -43,61 +38,74 @@ files_tmp_file(zarafa_var_lib_t)
+@@ -43,61 +45,74 @@ files_tmp_file(zarafa_var_lib_t)
  
  ########################################
  #
@@ -97641,7 +97693,7 @@ index a4479b1..7a9f1b6 100644
  manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
  manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
  files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
-@@ -109,70 +117,80 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file }
+@@ -109,70 +124,85 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file }
  
  stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
  
@@ -97703,14 +97755,14 @@ index a4479b1..7a9f1b6 100644
  #
 -# Zarafa domain local policy
 +# zarafa_gateway local policy
-+#
+ #
 +corenet_tcp_bind_pop_port(zarafa_gateway_t)
-+
+ 
 +#######################################
 +#
 +# zarafa-ical local policy
- #
- 
++#
++
 +corenet_tcp_bind_http_cache_port(zarafa_ical_t)
 +
 +######################################
@@ -97727,12 +97779,17 @@ index a4479b1..7a9f1b6 100644
 +# bad permission on /etc/zarafa
  allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
 -allow zarafa_domain self:process { setrlimit signal };
-+allow zarafa_domain self:process { signal_perms setrlimit };
++allow zarafa_domain self:process { signal_perms };
  allow zarafa_domain self:fifo_file rw_fifo_file_perms;
 -allow zarafa_domain self:tcp_socket { accept listen };
 -allow zarafa_domain self:unix_stream_socket { accept listen };
 +allow zarafa_domain self:tcp_socket create_stream_socket_perms;
 +allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
++
++tunable_policy(`zarafa_setrlimit',`
++    allow zarafa_domain self:capability sys_resource;
++    allow zarafa_domain self:process setrlimit;
++')
  
  stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b4b14da..8239e16 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 80%{?dist}
+Release: 81%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -570,6 +570,23 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Sep 19 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-81
+- Dontaudit attempts by sosreport to read shadow_t
+- Allow browser sandbox plugins to connect to cups to print
+- Add new label mpd_home_t
+- Label /srv/www/logs as httpd_log_t
+- Add support for /var/lib/php/wsdlcache
+- Add zarafa_setrlimit boolean
+- Allow fetchmail to send mails
+- Add labels for apache logs under miq package
+- Allow irc_t to use tcp sockets
+- fix labels in puppet.if
+- Allow tcsd to read utmp file
+- Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys
+- Define svirt_socket_t as a domain_type
+- Take away transition from init_t to initrc_t when executing bin_t, allow init_t to run chk_passwd_t
+- Fix label on pam_krb5 helper apps
+
 * Thu Sep 12 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-80
 - Allow ldconfig to write to kdumpctl fifo files
 - allow neutron to connect to amqp ports

