[selinux-policy/f19] * Tue Oct 15 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.10 - Add kill capability in glusterfs
Lukas Vrabec
lvrabec at fedoraproject.org
Tue Oct 15 11:59:21 UTC 2013
commit e50074f19c92134b760b8e24a8fc1a7dd1518686
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Tue Oct 15 13:58:25 2013 +0200
* Tue Oct 15 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.10
- Add kill capability in glusterfs policy
- Add postfix_rw_spool_maildrop_files interface
- Update httpd_can_sendmail boolean to allow read/write postfix spool
maildrop
- Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to
really need it.
- Allow init_t to read gnome home data
- Allow svirt sandbox domains to setattr on chr_file and blk_file
virt_sandbox_file_t, so sshd will work within
- Allow httpd_t to read also git sys content symlinks
- Remove httpd_cobbler_content * from cobbler_admin interface
- allow openshift_cgroup_t to read/write inherited openshift file types
- fix gnome_read_generic_data_home_files interface
- Make sure if systemd_logind creates nologin file with the correct
label
- Allow syslog to bind to tls ports
- Clean up ipsec.te
- Allow init_t to read gnome home data
- Allow to su_domain to read init states
- Update labeling for /dev/cdc-wdm
policy-f19-base.patch | 166 ++++++++++++++++++++++++++++---------------
policy-f19-contrib.patch | 176 +++++++++++++++++++++++++++++-----------------
selinux-policy.spec | 20 +++++-
3 files changed, 238 insertions(+), 124 deletions(-)
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 2ea30e4..b91046c 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -1986,10 +1986,10 @@ index 03ec5ca..025c177 100644
#######################################
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
-index 85bb77e..0df3b43 100644
+index 85bb77e..5f38282 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
-@@ -9,3 +9,81 @@ attribute su_domain_type;
+@@ -9,3 +9,82 @@ attribute su_domain_type;
type su_exec_t;
corecmd_executable_file(su_exec_t)
@@ -2026,6 +2026,7 @@ index 85bb77e..0df3b43 100644
+init_dontaudit_use_fds(su_domain_type)
+# Write to utmp.
+init_rw_utmp(su_domain_type)
++init_read_state(su_domain_type)
+
+userdom_use_user_terminals(su_domain_type)
+userdom_search_user_home_dirs(su_domain_type)
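Review bot: The new `init_read_state(su_domain_type)` rule has no why-comment, unlike its neighbour `# Write to utmp.` above `init_rw_utmp`, and it is granted to the whole `su_domain_type` attribute rather than to one su domain. A one-line comment naming the access that motivated it — for example `# su reads init's process state` if that is the denial being fixed — would let a later reviewer judge whether the attribute-wide grant is still required. The surrounding su.te block continues outside this hunk.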
@@ -5824,7 +5825,7 @@ index 3f6e168..51ad69a 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..17e11e0 100644
+index b31c054..e4d61f5 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -5880,7 +5881,7 @@ index b31c054..17e11e0 100644
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
-+/dev/cdc-wdm[0-1] -c gen_context(system_u:object_r:modem_device_t,s0)
++/dev/cdc-wdm[0-9] -c gen_context(system_u:object_r:modem_device_t,s0)
/dev/winradio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
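Review bot: `/dev/cdc-wdm[0-9]` still matches only a single digit, so a tenth WDM device (`/dev/cdc-wdm10`) would not receive `modem_device_t`; if that many devices are possible, `[0-9]+` (or `.*`, as the neighbouring `/dev/vtx.*` and `/dev/watchdog.*` entries use) is the safer pattern: `/dev/cdc-wdm[0-9]+ -c gen_context(system_u:object_r:modem_device_t,s0)`. If the single-digit range is a deliberate limit, a short comment saying so would stop the next person widening it again.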
@@ -27682,7 +27683,7 @@ index 24e7804..76da5dd 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..5fc4cd6 100644
+index dd3be8d..478d262 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -27922,7 +27923,7 @@ index dd3be8d..5fc4cd6 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +273,188 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +273,189 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -27956,6 +27957,7 @@ index dd3be8d..5fc4cd6 100644
+
+optional_policy(`
+ gnome_filetrans_home_content(init_t)
++ gnome_manage_data(init_t)
+')
+
+optional_policy(`
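Review bot: The changelog entry for this line says init_t should read gnome home data, but the interface invoked is `gnome_manage_data(init_t)`, whose name indicates create, write and delete access to the user's data home as well. If reading is all that is needed, the read interface this same commit repairs, `gnome_read_generic_data_home_files(init_t)`, would be the least-privilege choice; if manage access really is needed, a comment stating why init_t writes into user data directories would help, given how privileged init_t already is. The enclosing init.te optional_policy block starts and ends outside this hunk.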
@@ -28119,7 +28121,7 @@ index dd3be8d..5fc4cd6 100644
')
optional_policy(`
-@@ -216,6 +462,27 @@ optional_policy(`
+@@ -216,6 +463,27 @@ optional_policy(`
')
optional_policy(`
@@ -28147,7 +28149,7 @@ index dd3be8d..5fc4cd6 100644
unconfined_domain(init_t)
')
-@@ -225,8 +492,9 @@ optional_policy(`
+@@ -225,8 +493,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28159,7 +28161,7 @@ index dd3be8d..5fc4cd6 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +525,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +526,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28176,7 +28178,7 @@ index dd3be8d..5fc4cd6 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +550,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +551,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -28219,7 +28221,7 @@ index dd3be8d..5fc4cd6 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +587,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +588,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -28231,7 +28233,7 @@ index dd3be8d..5fc4cd6 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +599,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +600,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -28242,7 +28244,7 @@ index dd3be8d..5fc4cd6 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +610,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +611,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -28252,7 +28254,7 @@ index dd3be8d..5fc4cd6 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +619,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +620,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -28260,7 +28262,7 @@ index dd3be8d..5fc4cd6 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +626,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +627,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -28268,7 +28270,7 @@ index dd3be8d..5fc4cd6 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +634,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +635,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -28286,7 +28288,7 @@ index dd3be8d..5fc4cd6 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +652,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +653,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -28300,7 +28302,7 @@ index dd3be8d..5fc4cd6 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +667,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +668,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -28314,7 +28316,7 @@ index dd3be8d..5fc4cd6 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +680,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +681,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -28322,7 +28324,7 @@ index dd3be8d..5fc4cd6 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +692,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +693,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -28330,7 +28332,7 @@ index dd3be8d..5fc4cd6 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +711,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +712,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -28354,7 +28356,7 @@ index dd3be8d..5fc4cd6 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +744,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +745,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -28362,7 +28364,7 @@ index dd3be8d..5fc4cd6 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +778,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +779,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -28373,7 +28375,7 @@ index dd3be8d..5fc4cd6 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +802,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +803,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -28382,7 +28384,7 @@ index dd3be8d..5fc4cd6 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +817,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +818,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -28390,7 +28392,7 @@ index dd3be8d..5fc4cd6 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +838,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +839,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -28398,7 +28400,7 @@ index dd3be8d..5fc4cd6 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +848,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +849,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -28443,7 +28445,7 @@ index dd3be8d..5fc4cd6 100644
')
optional_policy(`
-@@ -558,14 +893,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +894,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -28475,7 +28477,7 @@ index dd3be8d..5fc4cd6 100644
')
')
-@@ -576,6 +928,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +929,39 @@ ifdef(`distro_suse',`
')
')
@@ -28515,7 +28517,7 @@ index dd3be8d..5fc4cd6 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +973,8 @@ optional_policy(`
+@@ -588,6 +974,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -28524,7 +28526,7 @@ index dd3be8d..5fc4cd6 100644
')
optional_policy(`
-@@ -609,6 +996,7 @@ optional_policy(`
+@@ -609,6 +997,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -28532,7 +28534,7 @@ index dd3be8d..5fc4cd6 100644
')
optional_policy(`
-@@ -625,6 +1013,17 @@ optional_policy(`
+@@ -625,6 +1014,17 @@ optional_policy(`
')
optional_policy(`
@@ -28550,7 +28552,7 @@ index dd3be8d..5fc4cd6 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1040,13 @@ optional_policy(`
+@@ -641,9 +1041,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -28564,7 +28566,7 @@ index dd3be8d..5fc4cd6 100644
')
optional_policy(`
-@@ -656,15 +1059,11 @@ optional_policy(`
+@@ -656,15 +1060,11 @@ optional_policy(`
')
optional_policy(`
@@ -28582,7 +28584,7 @@ index dd3be8d..5fc4cd6 100644
')
optional_policy(`
-@@ -685,6 +1084,15 @@ optional_policy(`
+@@ -685,6 +1085,15 @@ optional_policy(`
')
optional_policy(`
@@ -28598,7 +28600,7 @@ index dd3be8d..5fc4cd6 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1133,7 @@ optional_policy(`
+@@ -725,6 +1134,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -28606,7 +28608,7 @@ index dd3be8d..5fc4cd6 100644
')
optional_policy(`
-@@ -742,7 +1151,14 @@ optional_policy(`
+@@ -742,7 +1152,14 @@ optional_policy(`
')
optional_policy(`
@@ -28621,7 +28623,7 @@ index dd3be8d..5fc4cd6 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1181,10 @@ optional_policy(`
+@@ -765,6 +1182,10 @@ optional_policy(`
')
optional_policy(`
@@ -28632,7 +28634,7 @@ index dd3be8d..5fc4cd6 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1194,20 @@ optional_policy(`
+@@ -774,10 +1195,20 @@ optional_policy(`
')
optional_policy(`
@@ -28653,7 +28655,7 @@ index dd3be8d..5fc4cd6 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1216,10 @@ optional_policy(`
+@@ -786,6 +1217,10 @@ optional_policy(`
')
optional_policy(`
@@ -28664,7 +28666,7 @@ index dd3be8d..5fc4cd6 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1241,6 @@ optional_policy(`
+@@ -807,8 +1242,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -28673,7 +28675,7 @@ index dd3be8d..5fc4cd6 100644
')
optional_policy(`
-@@ -817,6 +1249,10 @@ optional_policy(`
+@@ -817,6 +1250,10 @@ optional_policy(`
')
optional_policy(`
@@ -28684,7 +28686,7 @@ index dd3be8d..5fc4cd6 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1262,12 @@ optional_policy(`
+@@ -826,10 +1263,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -28697,7 +28699,7 @@ index dd3be8d..5fc4cd6 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1294,27 @@ optional_policy(`
+@@ -856,12 +1295,27 @@ optional_policy(`
')
optional_policy(`
@@ -28726,7 +28728,7 @@ index dd3be8d..5fc4cd6 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1324,18 @@ optional_policy(`
+@@ -871,6 +1325,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -28745,7 +28747,7 @@ index dd3be8d..5fc4cd6 100644
')
optional_policy(`
-@@ -886,6 +1351,10 @@ optional_policy(`
+@@ -886,6 +1352,10 @@ optional_policy(`
')
optional_policy(`
@@ -28756,7 +28758,7 @@ index dd3be8d..5fc4cd6 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1365,196 @@ optional_policy(`
+@@ -896,3 +1366,196 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -29193,7 +29195,7 @@ index 0d4c8d3..e6ffda3 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..bb933df 100644
+index 9e54bf9..c537cf9 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -29227,6 +29229,16 @@ index 9e54bf9..bb933df 100644
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
+@@ -88,8 +95,8 @@ read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
+ read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
+
+ allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
+-manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
+ read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
++manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
+
+ manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
+ manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
@@ -113,7 +120,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
@@ -31049,7 +31061,7 @@ index 4e94884..9b82ed0 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..a55b140 100644
+index 39ea221..0c383ca 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@@ -31265,7 +31277,7 @@ index 39ea221..a55b140 100644
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -386,22 +426,34 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -386,28 +426,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -31303,7 +31315,22 @@ index 39ea221..a55b140 100644
corenet_all_recvfrom_netlabel(syslogd_t)
corenet_udp_sendrecv_generic_if(syslogd_t)
corenet_udp_sendrecv_generic_node(syslogd_t)
-@@ -427,9 +479,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+ corenet_udp_sendrecv_all_ports(syslogd_t)
+ corenet_udp_bind_generic_node(syslogd_t)
+ corenet_udp_bind_syslogd_port(syslogd_t)
++corenet_udp_bind_syslog_tls_port(syslogd_t)
+ # syslog-ng can listen and connect on tcp port 514 (rsh)
+ corenet_tcp_sendrecv_generic_if(syslogd_t)
+ corenet_tcp_sendrecv_generic_node(syslogd_t)
+@@ -417,6 +470,7 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+ corenet_tcp_connect_rsh_port(syslogd_t)
+ # Allow users to define additional syslog ports to connect to
+ corenet_tcp_bind_syslogd_port(syslogd_t)
++corenet_tcp_bind_syslog_tls_port(syslogd_t)
+ corenet_tcp_connect_syslogd_port(syslogd_t)
+ corenet_tcp_connect_postgresql_port(syslogd_t)
+ corenet_tcp_connect_mysqld_port(syslogd_t)
+@@ -427,9 +481,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
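Review bot: The two new rules grant syslogd bind on the TLS syslog port (`corenet_udp_bind_syslog_tls_port`, `corenet_tcp_bind_syslog_tls_port`) but, unlike the plain syslogd port where both `corenet_tcp_bind_syslogd_port` and `corenet_tcp_connect_syslogd_port` appear, there is no matching connect rule; if syslogd also forwards logs to a remote TLS collector, `corenet_tcp_connect_syslog_tls_port(syslogd_t)` will be needed as well, assuming the port definition generates it. The existing comment `# Allow users to define additional syslog ports to connect to` no longer describes the block accurately once bind-only TLS rules sit under it; a separate `# TLS syslog listener` comment above the two new lines would keep the intent readable. The surrounding syslogd_t rules continue outside this hunk.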
@@ -31331,7 +31358,7 @@ index 39ea221..a55b140 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -442,14 +511,19 @@ files_read_kernel_symbol_table(syslogd_t)
+@@ -442,14 +513,19 @@ files_read_kernel_symbol_table(syslogd_t)
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
@@ -31351,7 +31378,7 @@ index 39ea221..a55b140 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -461,11 +535,11 @@ init_use_fds(syslogd_t)
+@@ -461,11 +537,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -31366,7 +31393,7 @@ index 39ea221..a55b140 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -502,15 +576,40 @@ optional_policy(`
+@@ -502,15 +578,40 @@ optional_policy(`
')
optional_policy(`
@@ -31407,7 +31434,7 @@ index 39ea221..a55b140 100644
')
optional_policy(`
-@@ -521,3 +620,26 @@ optional_policy(`
+@@ -521,3 +622,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -35781,10 +35808,10 @@ index 0000000..431619e
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..f3fed12
+index 0000000..ba2e887
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1291 @@
+@@ -0,0 +1,1311 @@
+## <summary>SELinux policy for systemd components</summary>
+
+######################################
@@ -36045,6 +36072,26 @@ index 0000000..f3fed12
+## </summary>
+## </param>
+#
++interface(`systemd_login_manage_pid_files',`
++ gen_require(`
++ type systemd_logind_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
++ files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
++')
++
++######################################
++## <summary>
++## Read systemd_login PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`systemd_login_list_pid_dirs',`
+ gen_require(`
+ type systemd_logind_var_run_t;
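Review bot: The documentation blocks are now out of step with the interfaces they precede: the new `systemd_login_manage_pid_files` is inserted directly below the `</param>`/`#` lines that closed the description of whatever interface used to follow them (presumably `systemd_login_list_pid_dirs`), while the freshly added block reading `Read systemd_login PID files.` now sits above `systemd_login_list_pid_dirs`, which lists directories rather than reads files. The new interface should carry its own summary, e.g. `Create, read, write, and delete systemd_login PID files, with a named file transition for "nologin".`, and the block above the list interface should describe listing PID directories again. Generated interface documentation would otherwise attach the wrong text to each interface.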
@@ -37078,10 +37125,10 @@ index 0000000..f3fed12
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..0753891
+index 0000000..c617553
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,663 @@
+@@ -0,0 +1,664 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -37196,6 +37243,7 @@ index 0000000..0753891
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
+init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
++files_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, file, "nologin")
+
+manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 767302a..26085ce 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -4677,7 +4677,7 @@ index 83e899c..fac6fe5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..217ba9e 100644
+index 1a82e29..19bd545 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -5656,7 +5656,7 @@ index 1a82e29..217ba9e 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +772,43 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +772,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5701,6 +5701,7 @@ index 1a82e29..217ba9e 100644
+ corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
mta_signal_system_mail(httpd_t)
++ postfix_rw_spool_maildrop_files(httpd_t)
')
-optional_policy(`
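Review bot: `postfix_rw_spool_maildrop_files(httpd_t)` is called next to the `mta_*` rules inside what the changelog identifies as the `httpd_can_sendmail` tunable block, with no `optional_policy` wrapper of its own visible; since that interface will presumably require a postfix-owned type, this makes the apache module depend on postfix being loaded unless an enclosing `optional_policy(` already covers it (the start of the block is outside the hunk). The boolean's description in the tunable declaration should also be updated: enabling `httpd_can_sendmail` now grants read/write on existing files in postfix's maildrop spool, not only the ability to hand mail to the MTA, and that is what an administrator flipping the boolean is consenting to.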
@@ -5746,7 +5747,7 @@ index 1a82e29..217ba9e 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +818,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +819,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5827,7 +5828,7 @@ index 1a82e29..217ba9e 100644
')
optional_policy(`
-@@ -743,14 +870,6 @@ optional_policy(`
+@@ -743,14 +871,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@@ -5842,7 +5843,7 @@ index 1a82e29..217ba9e 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +884,23 @@ optional_policy(`
+@@ -765,6 +885,23 @@ optional_policy(`
')
optional_policy(`
@@ -5866,7 +5867,7 @@ index 1a82e29..217ba9e 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +917,46 @@ optional_policy(`
+@@ -781,34 +918,46 @@ optional_policy(`
')
optional_policy(`
@@ -5924,7 +5925,7 @@ index 1a82e29..217ba9e 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +964,18 @@ optional_policy(`
+@@ -816,8 +965,18 @@ optional_policy(`
')
optional_policy(`
@@ -5943,7 +5944,7 @@ index 1a82e29..217ba9e 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +984,7 @@ optional_policy(`
+@@ -826,6 +985,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5951,7 +5952,7 @@ index 1a82e29..217ba9e 100644
')
optional_policy(`
-@@ -836,20 +995,39 @@ optional_policy(`
+@@ -836,20 +996,39 @@ optional_policy(`
')
optional_policy(`
@@ -5997,7 +5998,7 @@ index 1a82e29..217ba9e 100644
')
optional_policy(`
-@@ -857,19 +1035,35 @@ optional_policy(`
+@@ -857,19 +1036,35 @@ optional_policy(`
')
optional_policy(`
@@ -6033,7 +6034,7 @@ index 1a82e29..217ba9e 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1071,170 @@ optional_policy(`
+@@ -877,65 +1072,170 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6226,7 +6227,7 @@ index 1a82e29..217ba9e 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1243,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1244,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6381,7 +6382,7 @@ index 1a82e29..217ba9e 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1327,104 @@ optional_policy(`
+@@ -1077,172 +1328,104 @@ optional_policy(`
')
')
@@ -6617,7 +6618,7 @@ index 1a82e29..217ba9e 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1432,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1433,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6714,7 +6715,7 @@ index 1a82e29..217ba9e 100644
########################################
#
-@@ -1315,8 +1507,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1508,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6731,7 +6732,7 @@ index 1a82e29..217ba9e 100644
')
########################################
-@@ -1324,49 +1523,38 @@ optional_policy(`
+@@ -1324,49 +1524,38 @@ optional_policy(`
# User content local policy
#
@@ -6796,7 +6797,7 @@ index 1a82e29..217ba9e 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1564,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1565,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -12244,7 +12245,7 @@ index 973d208..2b650a7 100644
/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/cobbler.if b/cobbler.if
-index c223f81..3bcdf6a 100644
+index c223f81..8b567c1 100644
--- a/cobbler.if
+++ b/cobbler.if
@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
@@ -12293,6 +12294,17 @@ index c223f81..3bcdf6a 100644
')
########################################
+@@ -176,8 +201,8 @@ interface(`cobblerd_admin',`
+ interface(`cobbler_admin',`
+ gen_require(`
+ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
+- type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
+- type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
++ type cobbler_etc_t, cobblerd_initrc_exec_t;
++ type cobbler_tmp_t;
+ ')
+
+ allow $1 cobblerd_t:process { ptrace signal_perms };
@@ -199,7 +224,4 @@ interface(`cobbler_admin',`
logging_search_logs($1)
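Review bot: The trimmed `gen_require` now spreads two types over two `type` statements (`type cobbler_etc_t, cobblerd_initrc_exec_t;` followed by `type cobbler_tmp_t;`), which reads as a leftover of the deletion; fold them into one line, `type cobbler_etc_t, cobblerd_initrc_exec_t, cobbler_tmp_t;`. The body of `cobbler_admin` that used the removed `httpd_cobbler_content_*` types is shortened in the following inner hunk, which lies outside this one, so it is worth confirming that no remaining rule in the interface still references those types.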
@@ -25076,7 +25088,7 @@ index 395238e..af76abb 100644
+userdom_use_inherited_user_terminals(giftd_t)
+userdom_home_manager(gitd_t)
diff --git a/git.if b/git.if
-index 1e29af1..c67e44e 100644
+index 1e29af1..6c64f55 100644
--- a/git.if
+++ b/git.if
@@ -37,7 +37,10 @@ template(`git_role',`
@@ -25091,7 +25103,15 @@ index 1e29af1..c67e44e 100644
ps_process_pattern($2, git_session_t)
tunable_policy(`git_session_users',`
-@@ -79,3 +82,21 @@ interface(`git_read_generic_sys_content_files',`
+@@ -64,6 +67,7 @@ interface(`git_read_generic_sys_content_files',`
+
+ list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
+ read_files_pattern($1, git_sys_content_t, git_sys_content_t)
++ read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)
+
+ files_search_var_lib($1)
+
+@@ -79,3 +83,21 @@ interface(`git_read_generic_sys_content_files',`
fs_read_nfs_files($1)
')
')
@@ -25561,7 +25581,7 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..aacc157
+index 0000000..930cbee
--- /dev/null
+++ b/glusterd.te
@@ -0,0 +1,171 @@
@@ -25622,7 +25642,7 @@ index 0000000..aacc157
+# Local policy
+#
+
-+allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner setuid net_admin };
++allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search kill fowner setuid net_admin };
+allow glusterd_t self:capability2 block_suspend;
+allow glusterd_t self:process { getcap setcap setrlimit signal_perms };
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
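Review bot: The `kill` capability is added to the `self:capability` set without a comment saying which cross-uid signalling glusterd performs; within this hunk the only signal rule is `allow glusterd_t self:process { getcap setcap setrlimit signal_perms };`, so the SELinux side confines signals to glusterd's own domain, but CAP_KILL still lifts the DAC uid check for whatever process rules exist elsewhere in the file. A short comment above the rule such as `# CAP_KILL: glusterd signals <which processes>`, or the denial it fixes, would make the grant auditable later. The rest of glusterd_t's local policy is outside this hunk.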
@@ -26016,7 +26036,7 @@ index e39de43..5818f74 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index d03fd43..e814f72 100644
+index d03fd43..fdf1f36 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,123 +1,157 @@
@@ -26841,7 +26861,7 @@ index d03fd43..e814f72 100644
## </summary>
## </param>
## <param name="name" optional="true">
-@@ -557,52 +594,76 @@ interface(`gnome_home_filetrans_gconf_home',`
+@@ -557,52 +594,77 @@ interface(`gnome_home_filetrans_gconf_home',`
## </summary>
## </param>
#
@@ -26885,6 +26905,7 @@ index d03fd43..e814f72 100644
+ ')
+
+ read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
++ read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
+')
+
+######################################
@@ -26926,10 +26947,10 @@ index d03fd43..e814f72 100644
- userdom_search_user_home_dirs($1)
- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
-+ allow $1 gconf_home_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, data_home_t, data_home_t)
-+ manage_files_pattern($1, data_home_t, data_home_t)
-+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
++ allow $1 gconf_home_t:dir search_dir_perms;
++ manage_dirs_pattern($1, data_home_t, data_home_t)
++ manage_files_pattern($1, data_home_t, data_home_t)
++ manage_lnk_files_pattern($1, data_home_t, data_home_t)
')
########################################
@@ -26939,7 +26960,7 @@ index d03fd43..e814f72 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -610,93 +671,126 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -610,93 +672,126 @@ interface(`gnome_gconf_home_filetrans',`
## </summary>
## </param>
#
@@ -27100,7 +27121,7 @@ index d03fd43..e814f72 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -704,12 +798,851 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +799,851 @@ interface(`gnome_stream_connect_gkeyringd',`
## </summary>
## </param>
#
@@ -51804,10 +51825,10 @@ index 0000000..fdc4a03
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..1911441
+index 0000000..cd25e8e
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,551 @@
+@@ -0,0 +1,555 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -51819,6 +51840,7 @@ index 0000000..1911441
+# Declarations
+#
+
++
+# openshift applications that can use the network.
+attribute openshift_net_domain;
+# Attribute representing all openshift user processes (excludes apache processes)
@@ -52243,6 +52265,8 @@ index 0000000..1911441
+allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
+allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+
++allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;
++
+manage_dirs_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
+manage_files_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
+files_tmp_filetrans(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, { file dir })
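Review bot: `allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;` is keyed on the `openshift_file_type` attribute, which by its name spans every openshift file type, so the grant is wider than the single inherited descriptor a reader might expect from the changelog; a comment naming which domain hands the fd over and what file it refers to would justify the attribute-wide rule, or the rule could be narrowed to that type. The other two hunks in this file add only blank lines (a doubled blank after the Declarations header and a trailing blank at end of file) and could be dropped from the patch as whitespace noise.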
@@ -52359,6 +52383,7 @@ index 0000000..1911441
+ ssh_domtrans_keygen(openshift_cron_t)
+ ssh_dontaudit_read_server_keys(openshift_cron_t)
+')
++
diff --git a/openvpn.fc b/openvpn.fc
index 300213f..4cdfe09 100644
--- a/openvpn.fc
@@ -57959,7 +57984,7 @@ index c0e8785..c0e0959 100644
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
diff --git a/postfix.if b/postfix.if
-index 2e23946..e9ac366 100644
+index 2e23946..0b76d72 100644
--- a/postfix.if
+++ b/postfix.if
@@ -1,4 +1,4 @@
@@ -58299,8 +58324,10 @@ index 2e23946..e9ac366 100644
')
+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-## Execute the master postfix program
+-## in the caller domain.
+## Execute the master postfix in the postfix master domain.
+## </summary>
+## <param name="domain">
@@ -58317,10 +58344,8 @@ index 2e23946..e9ac366 100644
+ init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+')
+
- ########################################
- ## <summary>
--## Execute the master postfix program
--## in the caller domain.
++########################################
++## <summary>
+## Execute the master postfix program in the
+## caller domain.
## </summary>
@@ -58418,15 +58443,18 @@ index 2e23946..e9ac366 100644
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the iptables domain.
+## </summary>
+## </param>
+## <rolecap/>
-+#
+ #
+-interface(`posftix_exec_postqueue',`
+- refpolicywarn(`$0($*) has been deprecated.')
+- postfix_exec_postqueue($1)
+
+interface(`postfix_run_postqueue',`
+ gen_require(`
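Review bot: The role parameter documentation for postfix_run_postqueue reads `## The role to be allowed the iptables domain.`, which looks like a copy-paste from the iptables interface; it should read `## The role to be allowed the postfix_postqueue domain.`. This line appears to be pre-existing context that the hunk only re-aligns, so it is not introduced here, but the regenerated patch is a good place to fix it. The interface body continues in the next hunk.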
@@ -58436,8 +58464,8 @@ index 2e23946..e9ac366 100644
+ postfix_domtrans_postqueue($1)
+ role $2 types postfix_postqueue_t;
+ allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };
-+')
-+
+ ')
+
+########################################
+## <summary>
+## Execute postfix_postgqueue in the postfix_postgqueue domain.
@@ -58464,18 +58492,15 @@ index 2e23946..e9ac366 100644
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
- ## </summary>
- ## </param>
++## </summary>
++## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
- #
--interface(`posftix_exec_postqueue',`
-- refpolicywarn(`$0($*) has been deprecated.')
-- postfix_exec_postqueue($1)
++#
+interface(`postfix_run_postgqueue',`
+ gen_require(`
+ type postfix_postgqueue_t;
@@ -58483,8 +58508,8 @@ index 2e23946..e9ac366 100644
+
+ postfix_domtrans_postgqueue($1)
+ role $2 types postfix_postgqueue_t;
- ')
-
++')
++
+
#######################################
## <summary>
@@ -58616,7 +58641,7 @@ index 2e23946..e9ac366 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -665,11 +718,31 @@ interface(`postfix_read_spool_files',`
+@@ -665,11 +718,50 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -58631,6 +58656,25 @@ index 2e23946..e9ac366 100644
+
+#######################################
+## <summary>
++## Read, write, and delete postfix maildrop spool files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`postfix_rw_spool_maildrop_files',`
++ gen_require(`
++ type postfix_spool_maildrop_t;
++ ')
++
++ files_search_spool($1)
++ rw_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++')
++
++#######################################
++## <summary>
+## Create, read, write, and delete postfix maildrop spool files.
+## </summary>
+## <param name="domain">
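Review bot: The summary of the new postfix_rw_spool_maildrop_files interface says `## Read, write, and delete postfix maildrop spool files.`, but the body only calls rw_files_pattern(), which does not grant unlink, so the documentation overstates the access. Change the summary to `## Read and write postfix maildrop spool files.`; that also distinguishes it from the "Create, read, write, and delete" manage interface that directly follows it in this hunk. Per the changelog this is the interface httpd_can_sendmail is wired to, so an accurate summary matters for anyone auditing what that boolean exposes.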
@@ -58650,7 +58694,7 @@ index 2e23946..e9ac366 100644
')
########################################
-@@ -693,8 +766,8 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -693,8 +785,8 @@ interface(`postfix_domtrans_user_mail_handler',`
########################################
## <summary>
@@ -58661,7 +58705,7 @@ index 2e23946..e9ac366 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -710,37 +783,137 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -710,37 +802,137 @@ interface(`postfix_domtrans_user_mail_handler',`
#
interface(`postfix_admin',`
gen_require(`
@@ -80211,7 +80255,7 @@ index 3a9a70b..039b0c8 100644
logging_list_logs($1)
admin_pattern($1, setroubleshoot_var_log_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..2505921 100644
+index 49b12ae..75791eb 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -1,4 +1,4 @@
@@ -80364,7 +80408,7 @@ index 49b12ae..2505921 100644
rpm_exec(setroubleshootd_t)
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
-@@ -148,15 +158,17 @@ optional_policy(`
+@@ -148,15 +158,18 @@ optional_policy(`
########################################
#
@@ -80374,6 +80418,7 @@ index 49b12ae..2505921 100644
allow setroubleshoot_fixit_t self:capability sys_nice;
allow setroubleshoot_fixit_t self:process { setsched getsched };
++dontaudit setroubleshoot_fixit_t self:process execmem;
allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms;
+allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms;
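Review bot: `dontaudit setroubleshoot_fixit_t self:process execmem;` suppresses the denial without recording why, and the changelog only says the domain does not seem to need it; a dontaudit that hides a writable-and-executable memory request deserves an inline justification so a later maintainer does not quietly turn it into allow. Suggest `# execmem denial observed but fixit works without it; suppress rather than grant` directly above the rule. If the assumption is wrong the failure will be silent, so it is worth re-checking the fixit paths with dontaudit rules disabled (semodule -DB) before this ships. The setroubleshoot_fixit_t rule block continues outside this hunk.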
@@ -80383,7 +80428,7 @@ index 49b12ae..2505921 100644
setroubleshoot_stream_connect(setroubleshoot_fixit_t)
kernel_read_system_state(setroubleshoot_fixit_t)
-@@ -165,9 +177,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -165,9 +178,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
corecmd_getattr_all_executables(setroubleshoot_fixit_t)
@@ -80400,7 +80445,7 @@ index 49b12ae..2505921 100644
files_list_tmp(setroubleshoot_fixit_t)
auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -175,23 +193,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -175,23 +194,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t)
@@ -92044,7 +92089,7 @@ index 9dec06c..73549fd 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index 1f22fba..4c14ed6 100644
+index 1f22fba..43fdcbe 100644
--- a/virt.te
+++ b/virt.te
@@ -1,147 +1,166 @@
@@ -93437,7 +93482,7 @@ index 1f22fba..4c14ed6 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1070,251 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1070,254 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -93506,7 +93551,10 @@ index 1f22fba..4c14ed6 100644
+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr;
+rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++
++allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
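Review bot: The two new setattr rules for chr_file and blk_file are interleaved with the existing rw_*_files_pattern calls and separated by a blank line, with no comment giving the motivation the changelog states (sshd running inside a sandbox). Fold them into one rule placed before the rw patterns, `# sshd inside a sandbox needs to change mode/ownership of its device nodes; setattr only, no create or relabel` followed by `allow svirt_sandbox_domain svirt_sandbox_file_t:{ chr_file blk_file } setattr;`. Since setattr lets every sandbox domain change mode and ownership of any device node labelled svirt_sandbox_file_t, it is worth confirming that no host-shared device nodes carry that label; rw on the same nodes is already granted, so the incremental exposure is small. The svirt_sandbox_domain rule block continues outside this hunk.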
@@ -93819,7 +93867,7 @@ index 1f22fba..4c14ed6 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1327,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1330,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -93834,7 +93882,7 @@ index 1f22fba..4c14ed6 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1345,8 @@ optional_policy(`
+@@ -1183,9 +1348,8 @@ optional_policy(`
########################################
#
@@ -93845,7 +93893,7 @@ index 1f22fba..4c14ed6 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1359,124 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1362,124 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7313cdc..2e6b511 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 74.9%{?dist}
+Release: 74.10%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,24 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Oct 15 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.10
+- Add kill capability in glusterfs policy
+- Add postfix_rw_spool_maildrop_files interface
+- Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop
+- Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it.
+- Allow init_t to read gnome home data
+- Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd will work within
+- Allow httpd_t to read also git sys content symlinks
+- Remove httpd_cobbler_content * from cobbler_admin interface
+- allow openshift_cgroup_t to read/write inherited openshift file types
+- fix gnome_read_generic_data_home_files interface
+- Make sure if systemd_logind creates nologin file with the correct label
+- Allow syslog to bind to tls ports
+- Clean up ipsec.te
+- Allow init_t to read gnome home data
+- Allow to su_domain to read init states
+- Update labeling for /dev/cdc-wdm
+
* Thu Oct 08 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.9
- Allow systemd domains to read /dev/urand
- Remove duplicated interfaces