[selinux-policy/f19] - Allow setroubleshoot to look at /proc - Allow telepathy domains to dbus with systemd logind - Fix

Miroslav Grepl mgrepl at fedoraproject.org
Wed Sep 25 14:12:01 UTC 2013


commit a48162f97499a9ed4a0deb8fb34e32f2572ba2cb
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Sep 25 16:11:41 2013 +0200

    - Allow setroubleshoot to look at /proc
    - Allow telepathy domains to dbus with systemd logind
    - Fix handling of fifo files of rpm
    - Allow certwatch to write to cert_t directories
    - New abrt application
    - Allow mozilla_plugin to transition to itself
    - Allow mdadm_t to read images labeled svirt_image_t
    - Allow NetworkManager to set the kernel scheduler
    - Allow abrt daemon to manage abrt-watch tmp files
    - Allow abrt-upload-watcher to search /var/spool directory
    - More handling of the kernel keyring required by kerberos

 policy-f19-base.patch    |  294 +++++++++++++++++++++++++++-------------------
 policy-f19-contrib.patch |  148 ++++++++++++++---------
 selinux-policy.spec      |   15 ++-
 3 files changed, 277 insertions(+), 180 deletions(-)
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index a7f173d..e8c0f81 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -17369,7 +17369,7 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..3cfc3dd 100644
+index 88d0028..85b1f4c 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1)
@@ -17464,7 +17464,7 @@ index 88d0028..3cfc3dd 100644
 +
 +optional_policy(`
 +	ssh_filetrans_admin_home_content(sysadm_t)
-+    ssh_filetrans_keys(sysadm_t)
++	ssh_filetrans_keys(sysadm_t)
 +')
  
  ifdef(`direct_sysadm_daemon',`
@@ -20448,7 +20448,7 @@ index fe0c682..225aaa7 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..007ac2e 100644
+index 5fc0391..337d97e 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3)
@@ -20537,7 +20537,7 @@ index 5fc0391..007ac2e 100644
  allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow ssh_t self:fd use;
  allow ssh_t self:fifo_file rw_fifo_file_perms;
-+allow ssh_t self:key read;
++allow ssh_t self:key manage_key_perms;
  allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
  allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow ssh_t self:shm create_shm_perms;
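Review bot: The widened rule `allow ssh_t self:key manage_key_perms;` has no comment saying which key operations ssh needs, so a later reader cannot tell whether the jump from `read` to the whole manage set is deliberate. The commit message ties the keyring changes to kerberos, so a line above the rule such as `# kerberos credentials held in the kernel keyring` would record the reason. If the AVC denials that prompted this showed only some of the permissions, an explicit set such as `{ read write search link view }` would keep the grant narrower. The rule covers only ssh_t's own keys, so this is about documentation and least privilege, not a cross-domain exposure.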
@@ -26355,7 +26355,7 @@ index 9a4d3a7..9d960bb 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..c4155c7 100644
+index 24e7804..76da5dd 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -26874,7 +26874,50 @@ index 24e7804..c4155c7 100644
  	files_search_etc($1)
  ')
  
-@@ -1026,7 +1235,9 @@ interface(`init_ptrace',`
+@@ -1012,6 +1221,42 @@ interface(`init_read_state',`
+ 
+ ########################################
+ ## <summary>
++##	Read the process keyring of init.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_read_key',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:key read;
++')
++
++########################################
++## <summary>
++##	Write the process keyring of init.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_write_key',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:key read;
++')
++
++########################################
++## <summary>
+ ##	Ptrace init
+ ## </summary>
+ ## <param name="domain">
+@@ -1026,7 +1271,9 @@ interface(`init_ptrace',`
  		type init_t;
  	')
  
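Review bot: The new `init_write_key` interface is documented as "Write the process keyring of init", yet its rule is `allow $1 init_t:key read;`, the same as `init_read_key` directly above it. Callers therefore never get the write permission the name and summary promise. The rule should be `allow $1 init_t:key write;`, or the interface should be renamed and re-documented if read access was what was wanted. The userdomain.if hunk later in this commit adds `init_write_key($1_usertype)` to the login user template, so as written that call grants read only.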
@@ -26885,7 +26928,7 @@ index 24e7804..c4155c7 100644
  ')
  
  ########################################
-@@ -1125,6 +1336,25 @@ interface(`init_getattr_all_script_files',`
+@@ -1125,6 +1372,25 @@ interface(`init_getattr_all_script_files',`
  
  ########################################
  ## <summary>
@@ -26911,7 +26954,7 @@ index 24e7804..c4155c7 100644
  ##	Read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1144,6 +1374,24 @@ interface(`init_read_all_script_files',`
+@@ -1144,6 +1410,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -26936,7 +26979,7 @@ index 24e7804..c4155c7 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1195,12 +1443,7 @@ interface(`init_read_script_state',`
+@@ -1195,12 +1479,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -26950,35 +26993,69 @@ index 24e7804..c4155c7 100644
  ')
  
  ########################################
-@@ -1440,6 +1683,27 @@ interface(`init_dbus_send_script',`
+@@ -1440,7 +1719,7 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
+-##	init scripts over dbus.
 +##	init over dbus.
-+## </summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1448,23 +1727,44 @@ interface(`init_dbus_send_script',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`init_dbus_chat_script',`
++interface(`init_dbus_chat',`
+ 	gen_require(`
+-		type initrc_t;
++		type init_t;
+ 		class dbus send_msg;
+ 	')
+ 
+-	allow $1 initrc_t:dbus send_msg;
+-	allow initrc_t $1:dbus send_msg;
++	allow $1 init_t:dbus send_msg;
++	allow init_t $1:dbus send_msg;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write the init script pty.
++##	Send and receive messages from
++##	init scripts over dbus.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Read and write the init script pty.  This
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`init_dbus_chat',`
++interface(`init_dbus_chat_script',`
 +	gen_require(`
-+		type init_t;
++		type initrc_t;
 +		class dbus send_msg;
 +	')
 +
-+	allow $1 init_t:dbus send_msg;
-+	allow init_t $1:dbus send_msg;
++	allow $1 initrc_t:dbus send_msg;
++	allow initrc_t $1:dbus send_msg;
 +')
 +
 +########################################
 +## <summary>
-+##	Send and receive messages from
- ##	init scripts over dbus.
- ## </summary>
- ## <param name="domain">
-@@ -1526,6 +1790,25 @@ interface(`init_getattr_script_status_files',`
++##	Read and write the init script pty.
++## </summary>
++## <desc>
++##	<p>
++##	Read and write the init script pty.  This
+ ##	pty is generally opened by the open_init_pty
+ ##	portion of the run_init program so that the
+ ##	daemon does not require direct access to
+@@ -1526,6 +1826,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -27004,26 +27081,17 @@ index 24e7804..c4155c7 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1584,21 +1867,39 @@ interface(`init_rw_script_tmp_files',`
+@@ -1584,6 +1903,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
--##	Create files in a init script
--##	temporary data directory.
 +##	Read and write init script inherited temporary data.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="file_type">
--##	<summary>
--##	The type of the object to be created
--##	</summary>
--## </param>
--## <param name="object_class">
--##	<summary>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +#
 +interface(`init_rw_inherited_script_tmp_files',`
 +	gen_require(`
@@ -27035,25 +27103,10 @@ index 24e7804..c4155c7 100644
 +
 +########################################
 +## <summary>
-+##	Create files in a init script
-+##	temporary data directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="file_type">
-+##	<summary>
-+##	The type of the object to be created
-+##	</summary>
-+## </param>
-+## <param name="object_class">
-+##	<summary>
- ##	The object class.
- ##	</summary>
- ## </param>
-@@ -1656,6 +1957,43 @@ interface(`init_read_utmp',`
+ ##	Create files in a init script
+ ##	temporary data directory.
+ ## </summary>
+@@ -1656,6 +1993,43 @@ interface(`init_read_utmp',`
  
  ########################################
  ## <summary>
@@ -27097,7 +27150,7 @@ index 24e7804..c4155c7 100644
  ##	Do not audit attempts to write utmp.
  ## </summary>
  ## <param name="domain">
-@@ -1744,7 +2082,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1744,7 +2118,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -27106,7 +27159,7 @@ index 24e7804..c4155c7 100644
  ')
  
  ########################################
-@@ -1785,6 +2123,133 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1785,6 +2159,133 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
  ')
  
@@ -27240,7 +27293,7 @@ index 24e7804..c4155c7 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2284,360 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2320,360 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -39029,7 +39082,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..991cb36 100644
+index 3c5dba7..bce11fd 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -39961,7 +40014,7 @@ index 3c5dba7..991cb36 100644
  
  	userdom_change_password_template($1)
  
-@@ -761,82 +946,99 @@ template(`userdom_login_user_template', `
+@@ -761,82 +946,100 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -40064,6 +40117,7 @@ index 3c5dba7..991cb36 100644
 -	seutil_read_config($1_t)
 +	optional_policy(`
 +		kerberos_use($1_usertype)
++		init_write_key($1_usertype)
 +	')
  
  	optional_policy(`
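Review bot: `init_write_key($1_usertype)` sits in the `optional_policy` block next to `kerberos_use`, so the grant appears to depend only on the kerberos module being present, not on a user actually keeping credentials in a keyring. The enclosing template is named in the hunk header as userdom_login_user_template and its body continues outside the hunk. Because this grants access to another domain's keyring (init_t), the call site should say why, for example `# kerberos keyring credential caches live in a keyring owned by init` if that is the reason the commit message refers to. It is also worth confirming from the denials whether all login user types need this or only specific ones.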
@@ -40097,7 +40151,7 @@ index 3c5dba7..991cb36 100644
  	')
  ')
  
-@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1071,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -40110,7 +40164,7 @@ index 3c5dba7..991cb36 100644
  	##############################
  	#
  	# Local policy
-@@ -907,42 +1115,99 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,42 +1116,99 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  	# Local policy
  	#
@@ -40223,7 +40277,7 @@ index 3c5dba7..991cb36 100644
  		')
  
  		optional_policy(`
-@@ -951,12 +1216,29 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,12 +1217,29 @@ template(`userdom_restricted_xwindows_user_template',`
  	')
  
  	optional_policy(`
@@ -40254,7 +40308,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  #######################################
-@@ -990,27 +1272,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1273,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -40292,7 +40346,7 @@ index 3c5dba7..991cb36 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1021,23 +1309,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1310,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -40363,7 +40417,7 @@ index 3c5dba7..991cb36 100644
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1046,7 +1371,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1372,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -40374,7 +40428,7 @@ index 3c5dba7..991cb36 100644
  	')
  ')
  
-@@ -1082,7 +1409,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1410,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -40383,7 +40437,7 @@ index 3c5dba7..991cb36 100644
  	')
  
  	##############################
-@@ -1109,6 +1436,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1437,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -40391,7 +40445,7 @@ index 3c5dba7..991cb36 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1117,6 +1445,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1446,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -40401,7 +40455,7 @@ index 3c5dba7..991cb36 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1131,6 +1462,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1463,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -40409,7 +40463,7 @@ index 3c5dba7..991cb36 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1148,10 +1480,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1481,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -40424,7 +40478,7 @@ index 3c5dba7..991cb36 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1162,29 +1498,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1499,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -40467,7 +40521,7 @@ index 3c5dba7..991cb36 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1539,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1540,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -40476,7 +40530,7 @@ index 3c5dba7..991cb36 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1548,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1549,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -40495,7 +40549,7 @@ index 3c5dba7..991cb36 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1253,6 +1604,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1605,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -40504,7 +40558,7 @@ index 3c5dba7..991cb36 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1265,8 +1618,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1619,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -40516,7 +40570,7 @@ index 3c5dba7..991cb36 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1277,29 +1632,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1633,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -40559,7 +40613,7 @@ index 3c5dba7..991cb36 100644
  	')
  
  	optional_policy(`
-@@ -1360,14 +1717,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1718,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -40578,7 +40632,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -1408,6 +1768,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1769,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -40630,7 +40684,7 @@ index 3c5dba7..991cb36 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1512,11 +1917,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1918,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -40662,7 +40716,7 @@ index 3c5dba7..991cb36 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1558,6 +1983,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1984,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -40677,7 +40731,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -1573,9 +2006,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2007,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -40689,7 +40743,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -1632,6 +2067,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2068,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -40732,7 +40786,7 @@ index 3c5dba7..991cb36 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1711,6 +2182,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2183,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -40741,7 +40795,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -1744,10 +2217,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2218,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -40756,7 +40810,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -1772,7 +2247,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2248,25 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -40783,7 +40837,7 @@ index 3c5dba7..991cb36 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1782,49 +2275,67 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1782,49 +2276,67 @@ interface(`userdom_manage_user_home_content_dirs',`
  #
  interface(`userdom_delete_all_user_home_content_dirs',`
  	gen_require(`
@@ -40863,7 +40917,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -1848,6 +2359,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2360,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -40889,7 +40943,7 @@ index 3c5dba7..991cb36 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1878,14 +2408,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2409,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -40927,7 +40981,7 @@ index 3c5dba7..991cb36 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1896,11 +2448,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2449,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -40945,7 +40999,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -1941,7 +2496,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2497,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -40972,7 +41026,7 @@ index 3c5dba7..991cb36 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1951,17 +2524,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2525,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  #
  interface(`userdom_delete_all_user_home_content_files',`
  	gen_require(`
@@ -40993,7 +41047,7 @@ index 3c5dba7..991cb36 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1969,12 +2540,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2541,48 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -41044,7 +41098,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -2010,8 +2617,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2618,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -41054,7 +41108,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -2027,20 +2633,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2634,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -41079,7 +41133,7 @@ index 3c5dba7..991cb36 100644
  
  ########################################
  ## <summary>
-@@ -2123,7 +2723,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2724,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -41088,7 +41142,7 @@ index 3c5dba7..991cb36 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2131,19 +2731,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2732,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -41112,7 +41166,7 @@ index 3c5dba7..991cb36 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2151,12 +2749,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2750,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -41128,7 +41182,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -2393,11 +2991,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2992,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -41143,7 +41197,7 @@ index 3c5dba7..991cb36 100644
  	files_search_tmp($1)
  ')
  
-@@ -2417,7 +3015,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +3016,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -41152,7 +41206,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -2664,6 +3262,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3263,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -41178,7 +41232,7 @@ index 3c5dba7..991cb36 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2680,13 +3297,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3298,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -41194,7 +41248,7 @@ index 3c5dba7..991cb36 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2707,7 +3325,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3326,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -41203,7 +41257,7 @@ index 3c5dba7..991cb36 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2715,14 +3333,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,14 +3334,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -41238,7 +41292,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -2817,6 +3451,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3452,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -41263,7 +41317,7 @@ index 3c5dba7..991cb36 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2835,22 +3487,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3488,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -41306,7 +41360,7 @@ index 3c5dba7..991cb36 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,14 +3523,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3524,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -41344,7 +41398,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -2885,8 +3568,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3569,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -41374,7 +41428,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -2958,69 +3660,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3661,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -41475,7 +41529,7 @@ index 3c5dba7..991cb36 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3028,12 +3729,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3730,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -41490,7 +41544,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -3097,7 +3798,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3799,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -41499,7 +41553,7 @@ index 3c5dba7..991cb36 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3113,29 +3814,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3815,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -41533,7 +41587,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -3217,7 +3902,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3903,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -41560,7 +41614,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -3272,7 +3975,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3976,64 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -41626,7 +41680,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -3290,7 +4050,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +4051,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -41635,7 +41689,7 @@ index 3c5dba7..991cb36 100644
  ')
  
  ########################################
-@@ -3309,6 +4069,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4070,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -41643,7 +41697,7 @@ index 3c5dba7..991cb36 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3385,6 +4146,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4147,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -41686,7 +41740,7 @@ index 3c5dba7..991cb36 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3405,7 +4202,7 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,7 +4203,7 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -41695,7 +41749,7 @@ index 3c5dba7..991cb36 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3413,17 +4210,17 @@ interface(`userdom_sigchld_all_users',`
+@@ -3413,17 +4211,17 @@ interface(`userdom_sigchld_all_users',`
  ##	</summary>
  ## </param>
  #
@@ -41716,7 +41770,7 @@ index 3c5dba7..991cb36 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3431,11 +4228,1516 @@ interface(`userdom_create_all_users_keys',`
+@@ -3431,11 +4229,1516 @@ interface(`userdom_create_all_users_keys',`
  ##	</summary>
  ## </param>
  #
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 7657ec9..735d1d7 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -1,8 +1,8 @@
 diff --git a/abrt.fc b/abrt.fc
-index e4f84de..2fe1152 100644
+index e4f84de..2ed712d 100644
 --- a/abrt.fc
 +++ b/abrt.fc
-@@ -1,30 +1,41 @@
+@@ -1,30 +1,42 @@
 -/etc/abrt(/.*)?	gen_context(system_u:object_r:abrt_etc_t,s0)
 -/etc/rc\.d/init\.d/abrt	--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
 +/etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -22,6 +22,7 @@ index e4f84de..2fe1152 100644
 +/usr/sbin/abrtd			--	gen_context(system_u:object_r:abrt_exec_t,s0)
 +/usr/sbin/abrt-dbus		--	gen_context(system_u:object_r:abrt_exec_t,s0)
 +/usr/sbin/abrt-harvest.*	--	gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-install-ccpp-hook --	gen_context(system_u:object_r:abrt_exec_t,s0)
 +/usr/sbin/abrt-upload-watch --  gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
  
 -/usr/libexec/abrt-pyhook-helper	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
@@ -519,7 +520,7 @@ index 058d908..702b716 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index cc43d25..9782064 100644
+index cc43d25..2b3de55 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -1,4 +1,4 @@
@@ -704,7 +705,7 @@ index cc43d25..9782064 100644
  manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
  logging_log_filetrans(abrt_t, abrt_var_log_t, file)
  
-@@ -112,23 +138,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -112,23 +138,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -726,14 +727,17 @@ index cc43d25..9782064 100644
  files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
  
 -can_exec(abrt_t, abrt_tmp_t)
--
++manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+ 
  kernel_read_ring_buffer(abrt_t)
 -kernel_read_system_state(abrt_t)
 +kernel_read_network_state(abrt_t)
  kernel_request_load_module(abrt_t)
  kernel_rw_kernel_sysctl(abrt_t)
  
-@@ -137,16 +165,14 @@ corecmd_exec_shell(abrt_t)
+@@ -137,16 +169,14 @@ corecmd_exec_shell(abrt_t)
  corecmd_read_all_executables(abrt_t)
  
  corenet_all_recvfrom_netlabel(abrt_t)
@@ -752,7 +756,7 @@ index cc43d25..9782064 100644
  
  dev_getattr_all_chr_files(abrt_t)
  dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +189,37 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +193,37 @@ files_getattr_all_files(abrt_t)
  files_read_config_files(abrt_t)
  files_read_etc_runtime_files(abrt_t)
  files_read_var_symlinks(abrt_t)
@@ -793,7 +797,7 @@ index cc43d25..9782064 100644
  
  tunable_policy(`abrt_anon_write',`
  	miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +227,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +231,11 @@ tunable_policy(`abrt_anon_write',`
  
  optional_policy(`
  	apache_list_modules(abrt_t)
@@ -810,7 +814,7 @@ index cc43d25..9782064 100644
  ')
  
  optional_policy(`
-@@ -209,6 +239,16 @@ optional_policy(`
+@@ -209,6 +243,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -827,7 +831,7 @@ index cc43d25..9782064 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -220,6 +260,7 @@ optional_policy(`
+@@ -220,6 +264,7 @@ optional_policy(`
  	corecmd_exec_all_executables(abrt_t)
  ')
  
@@ -835,7 +839,7 @@ index cc43d25..9782064 100644
  optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +271,7 @@ optional_policy(`
+@@ -230,6 +275,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -843,7 +847,7 @@ index cc43d25..9782064 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -240,9 +282,17 @@ optional_policy(`
+@@ -240,9 +286,17 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -862,7 +866,7 @@ index cc43d25..9782064 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +303,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +307,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -877,7 +881,7 @@ index cc43d25..9782064 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +322,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +326,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -885,7 +889,7 @@ index cc43d25..9782064 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +331,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +335,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -906,7 +910,7 @@ index cc43d25..9782064 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +352,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +356,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -933,7 +937,7 @@ index cc43d25..9782064 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +388,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +392,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -947,7 +951,7 @@ index cc43d25..9782064 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +406,11 @@ optional_policy(`
+@@ -330,10 +410,11 @@ optional_policy(`
  
  #######################################
  #
@@ -961,7 +965,7 @@ index cc43d25..9782064 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +429,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +433,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1023,7 +1027,7 @@ index cc43d25..9782064 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -400,16 +487,47 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +491,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -1045,16 +1049,19 @@ index cc43d25..9782064 100644
 -files_read_etc_files(abrt_domain)
 +manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
 +manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
 +files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
 +
 +read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
 +
-+manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t)
++manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
 +
 +corecmd_exec_bin(abrt_upload_watch_t)
 +
 +dev_read_urand(abrt_upload_watch_t)
 +
++files_search_spool(abrt_upload_watch_t)
++
 +auth_read_passwd(abrt_upload_watch_t)
  
 -logging_send_syslog_msg(abrt_domain)
@@ -2023,7 +2030,7 @@ index 7f4dfbc..4d750fa 100644
  /usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
  
 diff --git a/amanda.te b/amanda.te
-index ed45974..d4df671 100644
+index ed45974..ec7bb41 100644
 --- a/amanda.te
 +++ b/amanda.te
 @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@@ -2077,7 +2084,15 @@ index ed45974..d4df671 100644
  corenet_sendrecv_all_server_packets(amanda_t)
  corenet_tcp_bind_all_rpc_ports(amanda_t)
  corenet_tcp_bind_generic_port(amanda_t)
-@@ -170,7 +175,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -114,6 +119,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+ 
+ dev_getattr_all_blk_files(amanda_t)
+ dev_getattr_all_chr_files(amanda_t)
++dev_read_urand(amanda_t)
+ 
+ files_read_etc_runtime_files(amanda_t)
+ files_list_all(amanda_t)
+@@ -170,7 +176,6 @@ kernel_read_system_state(amanda_recover_t)
  corecmd_exec_shell(amanda_recover_t)
  corecmd_exec_bin(amanda_recover_t)
  
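Review bot: The `dev_read_urand(amanda_t)` line added in the amanda.te device block is not listed in the commit description or in the new `%changelog` entry, which enumerate the other policy changes in this update. A changelog line such as `- Allow amanda to read /dev/urandom` would keep the package history auditable against the policy diff.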
@@ -2085,7 +2100,7 @@ index ed45974..d4df671 100644
  corenet_all_recvfrom_netlabel(amanda_recover_t)
  corenet_tcp_sendrecv_generic_if(amanda_recover_t)
  corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +199,16 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +200,16 @@ files_search_tmp(amanda_recover_t)
  
  auth_use_nsswitch(amanda_recover_t)
  
@@ -10347,10 +10362,10 @@ index 2354e21..fb8c9ed 100644
 +	')
 +')
 diff --git a/certwatch.te b/certwatch.te
-index 403af41..84b41e6 100644
+index 403af41..1a4bd9c 100644
 --- a/certwatch.te
 +++ b/certwatch.te
-@@ -20,33 +20,44 @@ role certwatch_roles types certwatch_t;
+@@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t;
  
  allow certwatch_t self:capability sys_nice;
  allow certwatch_t self:process { setsched getsched };
@@ -10378,11 +10393,12 @@ index 403af41..84b41e6 100644
  
  miscfiles_read_all_certs(certwatch_t)
 -miscfiles_read_localization(certwatch_t)
++miscfiles_manage_generic_cert_dirs(certwatch_t)
++
++sysnet_read_config(certwatch_t)
  
 -userdom_use_user_terminals(certwatch_t)
 -userdom_dontaudit_list_user_home_dirs(certwatch_t)
-+sysnet_read_config(certwatch_t)
-+
 +userdom_use_inherited_user_terminals(certwatch_t)
 +userdom_dontaudit_list_admin_dir(certwatch_t)
  
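Review bot: `miscfiles_manage_generic_cert_dirs(certwatch_t)` gives certwatch_t the manage set on certificate directories, which going by the interface name includes creating, renaming and removing them, while the changelog only asks for write access. certwatch_t already reads all certificates in this block, so widening it over the directories that hold them deserves a stated reason. I would add a comment above the call recording the denial that motivated it, e.g. `# certwatch <operation> in cert_t dirs, see <BUG-ID>`, and narrow the grant if only file creation inside an existing directory is involved.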
@@ -39804,7 +39820,7 @@ index 6194b80..f1a5676 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..2108bc7 100644
+index 6a306ee..bcecbbd 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -1,4 +1,4 @@
@@ -40262,7 +40278,7 @@ index 6a306ee..2108bc7 100644
 +dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config };
 +dontaudit mozilla_plugin_t self:capability2 block_suspend;
 +
-+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit };
++allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
 +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
 +allow mozilla_plugin_t self:netlink_socket create_socket_perms;
 +allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
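Review bot: The `transition` permission added to `allow mozilla_plugin_t self:process { ... }` sits next to `execmem` and `execstack` with no comment saying what triggers it. As far as I know the kernel checks `process transition` only when the context actually changes across exec, so a self rule would matter when the role or MLS/MCS level differs while the type stays mozilla_plugin_t; that case is worth confirming and naming. I suggest a line above the rule such as `# plugin re-execs itself with <changed context field>, see <BUG-ID>`.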
@@ -45964,7 +45980,7 @@ index 0e8508c..f8893f8 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..2b6c69a 100644
+index 0b48a30..b5c140b 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -1,4 +1,4 @@
@@ -46057,7 +46073,7 @@ index 0b48a30..2b6c69a 100644
  manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,9 +104,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+@@ -81,17 +104,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
  files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
  
@@ -46067,15 +46083,16 @@ index 0b48a30..2b6c69a 100644
  kernel_read_system_state(NetworkManager_t)
  kernel_read_network_state(NetworkManager_t)
  kernel_read_kernel_sysctls(NetworkManager_t)
-@@ -91,7 +111,6 @@ kernel_request_load_module(NetworkManager_t)
+ kernel_request_load_module(NetworkManager_t)
  kernel_read_debugfs(NetworkManager_t)
  kernel_rw_net_sysctls(NetworkManager_t)
++kernel_setsched(NetworkManager_t)
  
 -corenet_all_recvfrom_unlabeled(NetworkManager_t)
  corenet_all_recvfrom_netlabel(NetworkManager_t)
  corenet_tcp_sendrecv_generic_if(NetworkManager_t)
  corenet_udp_sendrecv_generic_if(NetworkManager_t)
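Review bot: `kernel_setsched(NetworkManager_t)` is added unconditionally in the kernel_* group and lets NetworkManager_t change scheduling parameters of kernel_t processes, with nothing in the policy saying which operation needs it. A one-line comment such as `# needed for <operation>, see <BUG-ID>` above the call would let a later audit decide whether the grant can be dropped. The surrounding NetworkManager_t rules continue outside this hunk.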
-@@ -102,22 +121,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,22 +122,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
  corenet_tcp_sendrecv_all_ports(NetworkManager_t)
  corenet_udp_sendrecv_all_ports(NetworkManager_t)
  corenet_udp_bind_generic_node(NetworkManager_t)
@@ -46101,7 +46118,7 @@ index 0b48a30..2b6c69a 100644
  dev_rw_sysfs(NetworkManager_t)
  dev_read_rand(NetworkManager_t)
  dev_read_urand(NetworkManager_t)
-@@ -125,13 +137,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+@@ -125,13 +138,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
  dev_getattr_all_chr_files(NetworkManager_t)
  dev_rw_wireless(NetworkManager_t)
  
@@ -46115,7 +46132,7 @@ index 0b48a30..2b6c69a 100644
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
  fs_list_inotifyfs(NetworkManager_t)
-@@ -140,6 +145,17 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,6 +146,17 @@ mls_file_read_all_levels(NetworkManager_t)
  
  selinux_dontaudit_search_fs(NetworkManager_t)
  
@@ -46133,7 +46150,7 @@ index 0b48a30..2b6c69a 100644
  storage_getattr_fixed_disk_dev(NetworkManager_t)
  
  init_read_utmp(NetworkManager_t)
-@@ -148,10 +164,11 @@ init_domtrans_script(NetworkManager_t)
+@@ -148,10 +165,11 @@ init_domtrans_script(NetworkManager_t)
  
  auth_use_nsswitch(NetworkManager_t)
  
@@ -46146,7 +46163,7 @@ index 0b48a30..2b6c69a 100644
  
  seutil_read_config(NetworkManager_t)
  
-@@ -166,21 +183,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +184,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
  sysnet_read_dhcpc_state(NetworkManager_t)
  sysnet_delete_dhcpc_state(NetworkManager_t)
  sysnet_search_dhcp_state(NetworkManager_t)
@@ -46183,7 +46200,7 @@ index 0b48a30..2b6c69a 100644
  ')
  
  optional_policy(`
-@@ -196,10 +224,6 @@ optional_policy(`
+@@ -196,10 +225,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46194,7 +46211,7 @@ index 0b48a30..2b6c69a 100644
  	consoletype_exec(NetworkManager_t)
  ')
  
-@@ -210,16 +234,11 @@ optional_policy(`
+@@ -210,16 +235,11 @@ optional_policy(`
  optional_policy(`
  	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
  
@@ -46213,7 +46230,7 @@ index 0b48a30..2b6c69a 100644
  	')
  ')
  
-@@ -231,18 +250,19 @@ optional_policy(`
+@@ -231,18 +251,19 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -46236,7 +46253,7 @@ index 0b48a30..2b6c69a 100644
  ')
  
  optional_policy(`
-@@ -250,6 +270,10 @@ optional_policy(`
+@@ -250,6 +271,10 @@ optional_policy(`
  	ipsec_kill_mgmt(NetworkManager_t)
  	ipsec_signal_mgmt(NetworkManager_t)
  	ipsec_signull_mgmt(NetworkManager_t)
@@ -46247,7 +46264,7 @@ index 0b48a30..2b6c69a 100644
  ')
  
  optional_policy(`
-@@ -257,11 +281,10 @@ optional_policy(`
+@@ -257,11 +282,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46263,7 +46280,7 @@ index 0b48a30..2b6c69a 100644
  ')
  
  optional_policy(`
-@@ -274,10 +297,17 @@ optional_policy(`
+@@ -274,10 +298,17 @@ optional_policy(`
  	nscd_signull(NetworkManager_t)
  	nscd_kill(NetworkManager_t)
  	nscd_initrc_domtrans(NetworkManager_t)
@@ -46281,7 +46298,7 @@ index 0b48a30..2b6c69a 100644
  ')
  
  optional_policy(`
-@@ -289,6 +319,7 @@ optional_policy(`
+@@ -289,6 +320,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46289,7 +46306,7 @@ index 0b48a30..2b6c69a 100644
  	policykit_domtrans_auth(NetworkManager_t)
  	policykit_read_lib(NetworkManager_t)
  	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +327,7 @@ optional_policy(`
+@@ -296,7 +328,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46298,7 +46315,7 @@ index 0b48a30..2b6c69a 100644
  ')
  
  optional_policy(`
-@@ -307,6 +338,7 @@ optional_policy(`
+@@ -307,6 +339,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -46306,7 +46323,7 @@ index 0b48a30..2b6c69a 100644
  ')
  
  optional_policy(`
-@@ -320,13 +352,19 @@ optional_policy(`
+@@ -320,13 +353,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46330,7 +46347,7 @@ index 0b48a30..2b6c69a 100644
  ')
  
  optional_policy(`
-@@ -356,6 +394,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +395,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -67429,7 +67446,7 @@ index 951db7f..7736755 100644
 +	allow $1 mdadm_exec_t:file { getattr_file_perms execute };
  ')
 diff --git a/raid.te b/raid.te
-index 2c1730b..6f60d73 100644
+index 2c1730b..13e6b9c 100644
 --- a/raid.te
 +++ b/raid.te
 @@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t;
@@ -67534,7 +67551,7 @@ index 2c1730b..6f60d73 100644
  
  userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
  userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -97,9 +125,17 @@ optional_policy(`
+@@ -97,9 +125,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67550,6 +67567,10 @@ index 2c1730b..6f60d73 100644
  ')
 +
 +optional_policy(`
++	virt_read_blk_images(mdadm_t)
++')
++
++optional_policy(`
 +	xserver_dontaudit_search_log(mdadm_t)
 +')
 diff --git a/razor.fc b/razor.fc
@@ -73142,7 +73163,7 @@ index ebe91fc..6392cad 100644
 +/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  ')
 diff --git a/rpm.if b/rpm.if
-index 0628d50..39e36fb 100644
+index 0628d50..cafc027 100644
 --- a/rpm.if
 +++ b/rpm.if
 @@ -1,8 +1,8 @@
@@ -73291,10 +73312,10 @@ index 0628d50..39e36fb 100644
 +#
 +interface(`rpm_rw_script_inherited_pipes',`
 +	gen_require(`
-+		type rpm_script_t;
++		type rpm_script_tmp_t;
 +	')
 +
-+	allow $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
++	allow $1 rpm_script_tmp_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +########################################
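Review bot: `rpm_rw_script_inherited_pipes` now requires and allows only `rpm_script_tmp_t:fifo_file`, so callers lose access to `rpm_script_t:fifo_file`, the label an anonymous pipe created by an rpm scriptlet would normally carry. If the fix is meant for named fifos under the scriptlet tmp directory, keeping both types avoids a regression for inherited anonymous pipes: `type rpm_script_t, rpm_script_tmp_t;` and `allow $1 { rpm_script_t rpm_script_tmp_t }:fifo_file rw_inherited_fifo_file_perms;`. The interface's doc header starts above this hunk.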
@@ -80063,7 +80084,7 @@ index 3a9a70b..039b0c8 100644
  	logging_list_logs($1)
  	admin_pattern($1, setroubleshoot_var_log_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..46356db 100644
+index 49b12ae..2505921 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
 @@ -1,4 +1,4 @@
@@ -80152,8 +80173,12 @@ index 49b12ae..46356db 100644
  
  dev_read_urand(setroubleshootd_t)
  dev_read_sysfs(setroubleshootd_t)
-@@ -79,7 +85,6 @@ dev_getattr_mtrr_dev(setroubleshootd_t)
- domain_dontaudit_search_all_domains_state(setroubleshootd_t)
+@@ -76,10 +82,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
+ dev_getattr_all_chr_files(setroubleshootd_t)
+ dev_getattr_mtrr_dev(setroubleshootd_t)
+ 
+-domain_dontaudit_search_all_domains_state(setroubleshootd_t)
++domain_read_all_domains_state(setroubleshootd_t)
  domain_signull_all_domains(setroubleshootd_t)
  
 -files_read_usr_files(setroubleshootd_t)
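Review bot: Replacing `domain_dontaudit_search_all_domains_state` with `domain_read_all_domains_state(setroubleshootd_t)` moves setroubleshootd_t from a silently denied search to reading the /proc state of every domain on the system. That is a system-wide grant for a need the changelog describes only as "look at /proc". A comment above the call naming the /proc entries the daemon actually consults, e.g. `# reads <proc entry> of the denied process, see <BUG-ID>`, would let the scope be revisited later.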
@@ -85905,7 +85930,7 @@ index 42946bc..741f2f4 100644
 +	can_exec($1, telepathy_executable)
  ')
 diff --git a/telepathy.te b/telepathy.te
-index e9c0964..ff77783 100644
+index e9c0964..ed2f217 100644
 --- a/telepathy.te
 +++ b/telepathy.te
 @@ -1,29 +1,28 @@
@@ -86406,7 +86431,7 @@ index e9c0964..ff77783 100644
  optional_policy(`
  	xserver_read_xdm_pid(telepathy_sunshine_t)
  	xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +382,43 @@ optional_policy(`
+@@ -452,31 +382,48 @@ optional_policy(`
  
  #######################################
  #
@@ -86451,12 +86476,17 @@ index e9c0964..ff77783 100644
 +')
 +
 +optional_policy(`
++	systemd_dbus_chat_logind(telepathy_domain)
++')
++
++optional_policy(`
 +	telepathy_dbus_chat(telepathy_domain)
 +')
 +
 +optional_policy(`
  	xserver_rw_xdm_pipes(telepathy_domain)
  ')
++
 diff --git a/telnet.te b/telnet.te
 index 9f89916..1bdef51 100644
 --- a/telnet.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 24f563c..1bdd0c2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 74.6%{?dist}
+Release: 74.7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,19 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Sep 25 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74.7
+- Allow setroubleshoot to look at /proc
+- Allow telepathy domains to dbus with systemd logind
+- Fix handling of fifo files of rpm
+- Allow certwatch to write to cert_t directories
+- New abrt application
+- Allow mozilla_plugin to transition to itself
+- Allow mdadm_t to read images labeled svirt_image_t
+- Allow NetworkManager to set the kernel scheduler
+- Allow abrt daemon to manage abrt-watch tmp files
+- Allow abrt-upload-watcher to search /var/spool directory
+- More handling of ther kernel keyring required by kerberos
+
 * Fri Sep 20 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74.6
 - Keep initrc_domain if init_t executes bin_t
 

