[selinux-policy/f20] - Add snapperd_home_t for HOME_DIR/.snapshots directory - Make sosreport as unconfined domain - Allo

Miroslav Grepl mgrepl at fedoraproject.org
Tue Feb 25 21:37:00 UTC 2014


commit 69949766eaaa2041958b52f5eaf0509672149233
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Feb 25 22:37:40 2014 +0100

    - Add snapperd_home_t for HOME_DIR/.snapshots directory
    - Make sosreport as unconfined domain
    - Allow sosreport to execute grub2-probe
    - Allow NM to manage hostname config file
    - Allow systemd_timedated_t to dbus chat with rpm_script_t
    - Allow lsmd plugins to connect to http/ssh/http_cache ports by default
    - Add lsmd_plugin_connect_any boolean
    - Allow mozilla_plugin to attempt to set capabilities
    - Allow lsdm_plugins to use tcp_socket
    - Dontaudit mozilla plugin from getattr on /proc or /sys
    - Dontaudit use of the keyring by the services in a sandbox
    - Dontaudit attempts to sys_ptrace caused by running ps for mysqld_safe_t
    - Allow rabbitmq_beam to connect to jabber_interserver_port
    - Allow logwatch_mail_t to transition to qmail_inject and queueu
    - Added new rules to pcp policy
    - Allow vmtools_helper_t to change role to system_r
    - Allow NM to dbus chat with vmtools
    - Fix couchdb_manage_files() to allow manage couchdb conf files
    - Add support for /var/run/redis.sock
    - dontaudit gpg trying to use audit
    - Allow consolekit to create log directories and files
    - Fix vmtools policy to allow user roles to access vmtools_helper_t
    - Allow block_suspend cap2 for ipa-otpd
    - Allow pkcsslotd to read users state
    - Add ioctl to init_dontaudit_rw_stream_socket
    - Add systemd_hostnamed_manage_config() interface
    - Remove transition for temp dirs created by init_t
    - gdm-simple-slave uses setsockopt
    - sddm-greeter is an xdm type program

 policy-f20-base.patch    |   56 +++++++++--
 policy-f20-contrib.patch |  246 +++++++++++++++++++++++++++++----------------
 selinux-policy.spec      |   33 ++++++-
 3 files changed, 235 insertions(+), 100 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 67411f3..f921776 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -22051,7 +22051,7 @@ index 5fc0391..3b3225a 100644
 +	xserver_rw_xdm_pipes(ssh_agent_type)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..3fe692c 100644
+index d1f64a0..8773437 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,35 @@
@@ -22113,7 +22113,7 @@ index d1f64a0..3fe692c 100644
  /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +76,32 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +76,33 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  # /tmp
  #
  
@@ -22142,6 +22142,7 @@ index d1f64a0..3fe692c 100644
 +/usr/s?bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
 +/usr/s?bin/[mxgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 +
++/usr/bin/sddm-greeter	--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 +/usr/bin/razor-lightdm-.*    --  gen_context(system_u:object_r:xdm_exec_t,s0)
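Review bot: The sddm-greeter entry on L72 is dropped directly after the blank line that closes the /usr/s?bin group and ahead of /usr/bin/gpe-dm, so the /usr/bin display-manager entries are no longer kept together or sorted. Move it below L75 next to the razor-lightdm entry, `/usr/bin/sddm-greeter	--	gen_context(system_u:object_r:xdm_exec_t,s0)`, so the group stays readable. The label itself (xdm_exec_t) is consistent with the other greeter binaries in the hunk.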
@@ -22155,7 +22156,7 @@ index d1f64a0..3fe692c 100644
  
  /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
  
-@@ -92,25 +128,49 @@ ifndef(`distro_debian',`
+@@ -92,25 +129,49 @@ ifndef(`distro_debian',`
  
  /var/lib/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
  /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -23823,7 +23824,7 @@ index 6bf0ecc..115c533 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..40660b1 100644
+index 2696452..a2c6981 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,59 @@ gen_require(`
@@ -24181,7 +24182,7 @@ index 2696452..40660b1 100644
  
 -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
 -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
-+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
++allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
 +allow xdm_t self:capability2 { block_suspend };
 +dontaudit xdm_t self:capability sys_admin;
 +tunable_policy(`deny_ptrace',`',`
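Review bot: `net_admin` on L99 is a broad capability (interface and route configuration, privileged socket options) added to xdm_t with nothing in the hunk recording which operation needs it; the changelog only says gdm-simple-slave uses setsockopt. If the denial was a single privileged setsockopt, say so above the allow line, e.g. `# gdm-simple-slave calls a privileged setsockopt() that needs net_admin`, so the grant is not taken as licence for further network administration later. If the call succeeds without the capability and only the audit noise matters, `dontaudit xdm_t self:capability net_admin;` next to the sys_admin dontaudit on L101 is the narrower choice.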
@@ -27278,6 +27279,18 @@ index 9dfecf7..6d00f5c 100644
  /bin/hostname		--	gen_context(system_u:object_r:hostname_exec_t,s0)
 +
 +/usr/bin/hostname	--	gen_context(system_u:object_r:hostname_exec_t,s0)
+diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if
+index 187f04f..cf0af09 100644
+--- a/policy/modules/system/hostname.if
++++ b/policy/modules/system/hostname.if
+@@ -53,7 +53,6 @@ interface(`hostname_run',`
+ ##	Domain allowed access.
+ ## 	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`hostname_exec',`
+ 	gen_require(`
 diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
 index f6cbda9..51e9aef 100644
 --- a/policy/modules/system/hostname.te
@@ -27479,7 +27492,7 @@ index 9a4d3a7..9d960bb 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..e28a0ca 100644
+index 24e7804..50a981b 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -27862,7 +27875,7 @@ index 24e7804..e28a0ca 100644
 +        type init_t;
 +    ')
 +
-+    dontaudit $1 init_t:unix_stream_socket { getattr read write };
++    dontaudit $1 init_t:unix_stream_socket { getattr read write ioctl };
  ')
  
  ########################################
@@ -28913,7 +28926,7 @@ index 24e7804..e28a0ca 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..381903f 100644
+index dd3be8d..28c790f 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -29052,7 +29065,7 @@ index dd3be8d..381903f 100644
 +manage_files_pattern(init_t, init_tmp_t, init_tmp_t)
 +manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t)
 +manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t)
-+files_tmp_filetrans(init_t, init_tmp_t, { file dir })
++files_tmp_filetrans(init_t, init_tmp_t, { file })
 +
 +manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t)
 +manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
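Review bot: Narrowing the transition to `{ file }` on L154 means directories init_t creates in /tmp now keep the default tmp type, while the manage_dirs_pattern on L151 still grants full control over init_tmp_t directories; nothing in the hunk explains the asymmetry, and a later reader is likely to "fix" it back to `{ file dir }`. Record the reason from the changelog in a comment above L154, e.g. `# files only: temp dirs created by init_t intentionally keep the generic tmp label`.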
@@ -37412,10 +37425,10 @@ index 0000000..e9f1096
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..1d9bdfd
+index 0000000..8bca1d7
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1419 @@
+@@ -0,0 +1,1440 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@@ -38362,6 +38375,27 @@ index 0000000..1d9bdfd
 +	allow $1 hostname_etc_t:file read_file_perms;
 +')
 +
++########################################
++## <summary>
++##	Allow process to manage hostname config file.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`systemd_hostnamed_manage_config',`
++	gen_require(`
++		type hostname_etc_t;
++	')
++
++	files_search_etc($1)
++	allow $1 hostname_etc_t:file manage_file_perms;
++    files_etc_filetrans($1, hostname_etc_t, file, "hostname")
++')
++
 +#######################################
 +## <summary>
 +##  Create objects in /run/systemd/generator directory
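Review bot: The new systemd_hostnamed_manage_config() interface (L186-L194) carries `<rolecap/>` on L184, a tag used for interfaces that give a role a new capability such as a domain transition; an interface that only grants file permissions does not normally carry it, so drop the tag to keep the generated docs accurate. L193 is also indented with four spaces where the surrounding lines use a tab: `	files_etc_filetrans($1, hostname_etc_t, file, "hostname")`. Note that manage_file_perms includes unlink and rename on hostname_etc_t, which the summary on L177 should state plainly since callers will inherit it.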
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 7461ae5..57f52be 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -14409,10 +14409,10 @@ index 5b830ec..0647a3b 100644
 +	ps_process_pattern($1, consolekit_t)
 +')
 diff --git a/consolekit.te b/consolekit.te
-index 5f0c793..62ae9b2 100644
+index 5f0c793..580dff0 100644
 --- a/consolekit.te
 +++ b/consolekit.te
-@@ -19,12 +19,16 @@ type consolekit_var_run_t;
+@@ -19,21 +19,23 @@ type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
  init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
  
@@ -14429,16 +14429,19 @@ index 5f0c793..62ae9b2 100644
  allow consolekit_t self:process { getsched signal };
  allow consolekit_t self:fifo_file rw_fifo_file_perms;
  allow consolekit_t self:unix_stream_socket { accept listen };
-@@ -33,7 +37,7 @@ create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
- append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
- read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
- setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+ 
+-create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
 -logging_log_filetrans(consolekit_t, consolekit_log_t, file)
++manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
++manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
 +logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
  
  manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
  manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
-@@ -54,37 +58,36 @@ dev_read_sysfs(consolekit_t)
+@@ -54,37 +56,36 @@ dev_read_sysfs(consolekit_t)
  
  domain_read_all_domains_state(consolekit_t)
  domain_use_interactive_fds(consolekit_t)
@@ -14485,7 +14488,7 @@ index 5f0c793..62ae9b2 100644
  ')
  
  ifdef(`distro_debian',`
-@@ -112,13 +115,6 @@ optional_policy(`
+@@ -112,13 +113,6 @@ optional_policy(`
  	')
  ')
  
@@ -14715,7 +14718,7 @@ index c086302..4f33119 100644
  
  /etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
 diff --git a/couchdb.if b/couchdb.if
-index 83d6744..36d5a7d 100644
+index 83d6744..3f0c0dc 100644
 --- a/couchdb.if
 +++ b/couchdb.if
 @@ -2,6 +2,44 @@
@@ -14763,7 +14766,7 @@ index 83d6744..36d5a7d 100644
  ##	All of the rules required to
  ##	administrate an couchdb environment.
  ## </summary>
-@@ -10,6 +48,149 @@
+@@ -10,6 +48,151 @@
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -14868,11 +14871,13 @@ index 83d6744..36d5a7d 100644
 +                type couchdb_var_run_t;
 +                type couchdb_log_t;
 +                type couchdb_var_lib_t;
++                type couchdb_conf_t;
 +        ')
 +
 +    manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
 +    manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
 +    manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
++    manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
 +')
 +
 +########################################
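Review bot: couchdb_manage_files() now grants manage_file_perms on couchdb_conf_t (L278) to every caller, so a domain that previously needed only couchdb_read_conf_files gets write, unlink and rename on the configuration as well; rabbitmq_beam_t later in this commit drops exactly that read interface in favour of this one. If callers only read the config, leave conf out of this interface and keep couchdb_read_conf_files for it; if writing is intended, the interface's `<summary>` (above the hunk) should say the config is included so the widening is documented.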
@@ -14913,7 +14918,7 @@ index 83d6744..36d5a7d 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -19,14 +200,19 @@
+@@ -19,14 +202,19 @@
  #
  interface(`couchdb_admin',`
  	gen_require(`
@@ -14934,7 +14939,7 @@ index 83d6744..36d5a7d 100644
  	init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 couchdb_initrc_exec_t system_r;
-@@ -46,4 +232,13 @@ interface(`couchdb_admin',`
+@@ -46,4 +234,13 @@ interface(`couchdb_admin',`
  
  	files_search_pids($1)
  	admin_pattern($1, couchdb_var_run_t)
@@ -30944,7 +30949,7 @@ index 180f1b7..951b790 100644
 +	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
 +')
 diff --git a/gpg.te b/gpg.te
-index 44cf341..52ce110 100644
+index 44cf341..4af1ba0 100644
 --- a/gpg.te
 +++ b/gpg.te
 @@ -1,47 +1,47 @@
@@ -31068,7 +31073,7 @@ index 44cf341..52ce110 100644
 +allow gpgdomain self:process { getsched setsched };
 +#at setrlimit is for ulimit -c 0
 +allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
-+dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;
++dontaudit gpgdomain self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
 +
 +allow gpgdomain self:fifo_file rw_fifo_file_perms;
 +allow gpgdomain self:tcp_socket create_stream_socket_perms;
@@ -32691,10 +32696,10 @@ index 0000000..deb738f
 +
 diff --git a/ipa.te b/ipa.te
 new file mode 100644
-index 0000000..589066e
+index 0000000..0fd2678
 --- /dev/null
 +++ b/ipa.te
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,40 @@
 +policy_module(ipa, 1.0.0)
 +
 +########################################
@@ -32716,6 +32721,8 @@ index 0000000..589066e
 +# ipa_otpd local policy
 +#
 +
++allow ipa_otpd_t self:capability2 block_suspend;
++
 +allow ipa_otpd_t self:fifo_file rw_fifo_file_perms;
 +allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms;
 +
@@ -38681,7 +38688,7 @@ index 7bab8e5..f8c5464 100644
  logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
 diff --git a/logwatch.te b/logwatch.te
-index 4256a4c..81fec37 100644
+index 4256a4c..7569cd9 100644
 --- a/logwatch.te
 +++ b/logwatch.te
 @@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6)
@@ -38768,7 +38775,7 @@ index 4256a4c..81fec37 100644
  ########################################
  #
  # Mail local policy
-@@ -164,6 +186,12 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -164,6 +186,17 @@ dev_read_sysfs(logwatch_mail_t)
  
  logging_read_all_logs(logwatch_mail_t)
  
@@ -38781,6 +38788,11 @@ index 4256a4c..81fec37 100644
 +optional_policy(`
 +	courier_stream_connect_authdaemon(logwatch_mail_t)
 +')
++
++optional_policy(`
++	qmail_domtrans_inject(logwatch_mail_t)
++	qmail_domtrans_queue(logwatch_mail_t)
++')
 diff --git a/lpd.fc b/lpd.fc
 index 2fb9b2e..08974e3 100644
 --- a/lpd.fc
@@ -39242,16 +39254,23 @@ index 0000000..da30c5d
 +')
 diff --git a/lsm.te b/lsm.te
 new file mode 100644
-index 0000000..5a9d09d
+index 0000000..7e8fde0
 --- /dev/null
 +++ b/lsm.te
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,90 @@
 +policy_module(lsm, 1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
++## <desc>
++##	<p>
++##	Determine whether lsmd_plugin can
++##	connect to all TCP ports.
++##	</p>
++## </desc>
++gen_tunable(lsmd_plugin_connect_any, false)
 +
 +type lsmd_t;
 +type lsmd_exec_t;
@@ -39295,6 +39314,7 @@ index 0000000..5a9d09d
 +#
 +
 +allow lsmd_plugin_t self:udp_socket create_socket_perms;
++allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms;
 +
 +domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
 +allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write };
@@ -39306,12 +39326,22 @@ index 0000000..5a9d09d
 +manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
 +files_tmp_filetrans(lsmd_plugin_t, lsmd_plugin_tmp_t, { file dir })
 +
++tunable_policy(`lsmd_plugin_connect_any',`
++	corenet_tcp_connect_all_ports(lsmd_plugin_t)
++	corenet_sendrecv_all_packets(lsmd_plugin_t)
++	corenet_tcp_sendrecv_all_ports(lsmd_plugin_t)
++')
++
 +kernel_read_system_state(lsmd_plugin_t)
 +
 +dev_read_urand(lsmd_plugin_t)
 +
 +corecmd_exec_bin(lsmd_plugin_t)
 +
++corenet_tcp_connect_http_port(lsmd_plugin_t)
++corenet_tcp_connect_http_cache_port(lsmd_plugin_t)
++corenet_tcp_connect_ssh_port(lsmd_plugin_t)
++
 +init_stream_connect(lsmd_plugin_t)
 +init_dontaudit_rw_stream_socket(lsmd_plugin_t)
 +
@@ -43699,7 +43729,7 @@ index 6194b80..03c6414 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..055286f 100644
+index 6a306ee..405e285 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -1,4 +1,4 @@
@@ -44145,7 +44175,7 @@ index 6a306ee..055286f 100644
  ')
  
  optional_policy(`
-@@ -300,259 +326,241 @@ optional_policy(`
+@@ -300,259 +326,243 @@ optional_policy(`
  
  ########################################
  #
@@ -44159,7 +44189,7 @@ index 6a306ee..055286f 100644
 +dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config };
 +dontaudit mozilla_plugin_t self:capability2 block_suspend;
 +
-+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
++allow mozilla_plugin_t self:process { setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
 +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
 +allow mozilla_plugin_t self:netlink_socket create_socket_perms;
 +allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
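Review bot: L450 adds `setcap` as an allow, while the changelog describes the need as letting mozilla_plugin "attempt" to set capabilities; an attempt that may fail quietly is `dontaudit mozilla_plugin_t self:process setcap;` next to the dontaudit lines on L446-L447, not a grant. Since mozilla_plugin_t runs browser plugin code, letting it change its own capability sets rather than silencing the denial deserves a comment naming the plugin that requires it, if the allow is intentional.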
@@ -44244,6 +44274,8 @@ index 6a306ee..055286f 100644
  kernel_request_load_module(mozilla_plugin_t)
  kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
 +files_dontaudit_read_root_files(mozilla_plugin_t)
++kernel_dontaudit_list_all_proc(mozilla_plugin_t)
++kernel_dontaudit_list_all_sysctls(mozilla_plugin_t)
  
  corecmd_exec_bin(mozilla_plugin_t)
  corecmd_exec_shell(mozilla_plugin_t)
@@ -44536,7 +44568,7 @@ index 6a306ee..055286f 100644
  ')
  
  optional_policy(`
-@@ -560,7 +568,11 @@ optional_policy(`
+@@ -560,7 +570,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44549,7 +44581,7 @@ index 6a306ee..055286f 100644
  ')
  
  optional_policy(`
-@@ -568,108 +580,131 @@ optional_policy(`
+@@ -568,108 +582,131 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48076,7 +48108,7 @@ index 687af38..404ed6d 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 9f6179e..c75403e 100644
+index 9f6179e..699587e 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -1,4 +1,4 @@
@@ -48249,7 +48281,7 @@ index 9f6179e..c75403e 100644
  	seutil_sigchld_newrole(mysqld_t)
  ')
  
-@@ -153,29 +160,24 @@ optional_policy(`
+@@ -153,29 +160,25 @@ optional_policy(`
  
  #######################################
  #
@@ -48259,6 +48291,7 @@ index 9f6179e..c75403e 100644
  
 -allow mysqld_safe_t self:capability { chown dac_override fowner kill };
 +allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource };
++dontaudit mysqld_safe_t self:capability sys_ptrace;
  allow mysqld_safe_t self:process { setsched getsched setrlimit };
  allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
  
@@ -48287,7 +48320,7 @@ index 9f6179e..c75403e 100644
  
  kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -183,21 +185,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -183,21 +186,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
  corecmd_exec_bin(mysqld_safe_t)
  corecmd_exec_shell(mysqld_safe_t)
  
@@ -48323,7 +48356,7 @@ index 9f6179e..c75403e 100644
  
  optional_policy(`
  	hostname_exec(mysqld_safe_t)
-@@ -205,7 +215,7 @@ optional_policy(`
+@@ -205,7 +216,7 @@ optional_policy(`
  
  ########################################
  #
@@ -48332,7 +48365,7 @@ index 9f6179e..c75403e 100644
  #
  
  allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +224,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +225,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
  allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
  allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -48350,7 +48383,7 @@ index 9f6179e..c75403e 100644
  
  domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
  
-@@ -226,31 +237,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +238,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
  
@@ -50027,7 +50060,7 @@ index 0e8508c..647712a 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..a732e30 100644
+index 0b48a30..f031bc6 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -1,4 +1,4 @@
@@ -50395,7 +50428,7 @@ index 0b48a30..a732e30 100644
 +	systemd_write_inhibit_pipes(NetworkManager_t)
 +	systemd_read_logind_sessions_files(NetworkManager_t)
 +	systemd_dbus_chat_logind(NetworkManager_t)
-+	systemd_hostnamed_read_config(NetworkManager_t)
++    systemd_hostnamed_manage_config(NetworkManager_t)
 +')
 +
 +optional_policy(`
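Review bot: L557 indents with four spaces inside an optional_policy block whose other lines (L553-L556) use a tab; keep it `	systemd_hostnamed_manage_config(NetworkManager_t)`. The change from the read to the manage interface also gives NetworkManager_t create, unlink and rename on hostname_etc_t; a short comment above the line naming the NM feature that writes /etc/hostname would make the widening reviewable later.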
@@ -58853,10 +58886,10 @@ index 0000000..ba24b40
 +
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..d21c5d7
+index 0000000..3bd4aa3
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,192 @@
+@@ -0,0 +1,196 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@@ -58963,6 +58996,7 @@ index 0000000..d21c5d7
 +fs_getattr_all_fs(pcp_pmcd_t)
 +fs_getattr_all_dirs(pcp_pmcd_t)
 +fs_list_cgroup_dirs(pcp_pmcd_t)
++fs_read_cgroup_files(pcp_pmcd_t)
 +
 +logging_send_syslog_msg(pcp_pmcd_t)
 +
@@ -59031,11 +59065,14 @@ index 0000000..d21c5d7
 +#
 +
 +allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read };
++allow pcp_pmie_t self:unix_dgram_socket { create_socket_perms sendto };
 +
 +allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
 +
 +corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
 +
++logging_send_syslog_msg(pcp_pmie_t)
++
 +########################################
 +#
 +# pcp_pmlogger local  policy
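Review bot: L586 grants pcp_pmie_t `self:unix_dgram_socket { create_socket_perms sendto }`, which looks like the socket half of the syslog call that logging_send_syslog_msg on L592 already covers in upstream refpolicy (the interface allows self unix_dgram_socket sendto); check the local logging.if and drop the explicit rule if it is redundant. If pcp_pmie also uses datagram sockets for something other than syslog, a comment naming that use would keep the rule from being removed as a duplicate.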
@@ -60819,10 +60856,10 @@ index 0000000..848ddc9
 +')
 diff --git a/pkcsslotd.te b/pkcsslotd.te
 new file mode 100644
-index 0000000..2ce92e0
+index 0000000..a82ca85
 --- /dev/null
 +++ b/pkcsslotd.te
-@@ -0,0 +1,67 @@
+@@ -0,0 +1,69 @@
 +policy_module(pkcsslotd, 1.0.0)
 +
 +########################################
@@ -60890,6 +60927,8 @@ index 0000000..2ce92e0
 +auth_read_passwd(pkcsslotd_t)
 +
 +logging_send_syslog_msg(pkcsslotd_t)
++
++userdom_read_all_users_state(pkcsslotd_t)
 diff --git a/pki.fc b/pki.fc
 new file mode 100644
 index 0000000..726d992
@@ -72601,7 +72640,7 @@ index 2c3d338..cf3e5ad 100644
  
  ########################################
 diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..b475e72 100644
+index 3698b51..5240406 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -72623,7 +72662,7 @@ index 3698b51..b475e72 100644
  allow rabbitmq_beam_t self:process { setsched signal signull };
  allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_beam_t self:tcp_socket { accept listen };
-@@ -38,50 +43,88 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+@@ -38,50 +43,84 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
  manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
  
  manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
@@ -72661,35 +72700,35 @@ index 3698b51..b475e72 100644
 +corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
  
  corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
- corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-+corenet_tcp_connect_amqp_port(rabbitmq_beam_t)
- corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
+-corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
  
  corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
++corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
++corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
++corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
++corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
++corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
++corenet_tcp_connect_amqp_port(rabbitmq_beam_t)
++corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
  corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
++corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
  
 -dev_read_sysfs(rabbitmq_beam_t)
-+corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
-+
-+corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
-+corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
-+
 +domain_read_all_domains_state(rabbitmq_beam_t)
-+
+ 
+-files_read_etc_files(rabbitmq_beam_t)
 +auth_read_passwd(rabbitmq_beam_t)
 +auth_use_pam(rabbitmq_beam_t)
-+
-+files_getattr_all_mountpoints(rabbitmq_beam_t)
  
--files_read_etc_files(rabbitmq_beam_t)
+-miscfiles_read_localization(rabbitmq_beam_t)
++files_getattr_all_mountpoints(rabbitmq_beam_t)
++
 +fs_getattr_all_fs(rabbitmq_beam_t)
 +fs_getattr_all_dirs(rabbitmq_beam_t)
 +fs_getattr_cgroup(rabbitmq_beam_t)
 +fs_search_cgroup_dirs(rabbitmq_beam_t)
- 
--miscfiles_read_localization(rabbitmq_beam_t)
-+corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
 +
 +dev_read_sysfs(rabbitmq_beam_t)
 +dev_read_urand(rabbitmq_beam_t)
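Review bot: The hunk is mostly a re-sort of corenet_ rules, but the binds on the couchdb, jabber_client and jabber_interserver ports (L650-L652) and the new jabber_interserver connect on L656 read as surprising for an AMQP broker with no comment; a one-liner above L648 such as `# rabbitmq plugins (xmpp, couchdb) bind and connect to these ports` would record the intent. The re-sort also leaves the auth_ rules on L669-L670 directly under the removed files_read_etc_files line with no blank separator, unlike the other groups in the block.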
@@ -72702,8 +72741,6 @@ index 3698b51..b475e72 100644
 +
 +optional_policy(`
 +    couchdb_manage_files(rabbitmq_beam_t)
-+    couchdb_manage_lib_files(rabbitmq_beam_t)
-+    couchdb_read_conf_files(rabbitmq_beam_t)
 +')
 +
 +optional_policy(`
@@ -72719,7 +72756,7 @@ index 3698b51..b475e72 100644
  allow rabbitmq_epmd_t self:process signal;
  allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -89,6 +132,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
+@@ -89,6 +128,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
  
  allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
  
@@ -72728,7 +72765,7 @@ index 3698b51..b475e72 100644
  corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
  corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
-@@ -99,8 +144,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +140,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
  corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
  
@@ -74619,10 +74656,10 @@ index 9a8f052..3baa71a 100644
  ')
 diff --git a/redis.fc b/redis.fc
 new file mode 100644
-index 0000000..638d6b4
+index 0000000..741b785
 --- /dev/null
 +++ b/redis.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,12 @@
 +/etc/rc\.d/init\.d/redis	--	gen_context(system_u:object_r:redis_initrc_exec_t,s0)
 +
 +/usr/lib/systemd/system/redis.*		--	gen_context(system_u:object_r:redis_unit_file_t,s0)
@@ -74634,6 +74671,7 @@ index 0000000..638d6b4
 +/var/log/redis(/.*)?		gen_context(system_u:object_r:redis_log_t,s0)
 +
 +/var/run/redis(/.*)?		gen_context(system_u:object_r:redis_var_run_t,s0)
++/var/run/redis\.sock    --  gen_context(system_u:object_r:redis_var_run_t,s0)
 diff --git a/redis.if b/redis.if
 new file mode 100644
 index 0000000..2640ab5
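Review bot: L732 labels `/var/run/redis\.sock` with the `--` file-type specifier, which matches only regular files, so restorecon or a relabel pass will never apply redis_var_run_t to the socket; a unix socket needs `-s`: `/var/run/redis\.sock	-s	gen_context(system_u:object_r:redis_var_run_t,s0)`. The entry also uses spaces where the rest of the file aligns columns with tabs.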
@@ -74908,10 +74946,10 @@ index 0000000..2640ab5
 +')
 diff --git a/redis.te b/redis.te
 new file mode 100644
-index 0000000..e5e9cf7
+index 0000000..51cd1fe
 --- /dev/null
 +++ b/redis.te
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,64 @@
 +policy_module(redis, 1.0.0)
 +
 +########################################
@@ -74959,6 +74997,8 @@ index 0000000..e5e9cf7
 +manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
 +manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
 +manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
++manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
++files_pid_filetrans(redis_t, redis_var_run_t, { sock_file })
 +
 +kernel_read_system_state(redis_t)
 +
@@ -80451,7 +80491,7 @@ index 0628d50..e9dbd7e 100644
 +	allow rpm_script_t $1:process sigchld;
  ')
 diff --git a/rpm.te b/rpm.te
-index 5cbe81c..ce45f0c 100644
+index 5cbe81c..be4fc7f 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
@@ -80856,7 +80896,7 @@ index 5cbe81c..ce45f0c 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -363,41 +385,69 @@ ifdef(`distro_redhat',`
+@@ -363,41 +385,70 @@ ifdef(`distro_redhat',`
  	')
  ')
  
@@ -80894,6 +80934,7 @@ index 5cbe81c..ce45f0c 100644
 -	')
 +    optional_policy(`
 +        systemd_dbus_chat_logind(rpm_script_t)
++        systemd_dbus_chat_timedated(rpm_script_t)
 +    ')
 +')
 +
@@ -80936,7 +80977,7 @@ index 5cbe81c..ce45f0c 100644
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +459,6 @@ optional_policy(`
+@@ -409,6 +460,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -84233,10 +84274,10 @@ index 0000000..b7db254
 +# Empty
 diff --git a/sandbox.if b/sandbox.if
 new file mode 100644
-index 0000000..8a6ad19
+index 0000000..89bc443
 --- /dev/null
 +++ b/sandbox.if
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,57 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@@ -84267,6 +84308,7 @@ index 0000000..8a6ad19
 +	allow sandbox_domain $1:process { sigchld signull };
 +	allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
 +	dontaudit sandbox_domain $1:process signal;
++	dontaudit sandbox_domain $1:key { link read search view };
 +	dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
 +')
 +
@@ -84371,10 +84413,10 @@ index 0000000..6caef63
 +/usr/share/sandbox/start --	gen_context(system_u:object_r:sandbox_exec_t,s0)
 diff --git a/sandboxX.if b/sandboxX.if
 new file mode 100644
-index 0000000..e30b346
+index 0000000..3258f45
 --- /dev/null
 +++ b/sandboxX.if
-@@ -0,0 +1,393 @@
+@@ -0,0 +1,394 @@
 +
 +## <summary>policy for sandboxX </summary>
 +
@@ -84416,6 +84458,7 @@ index 0000000..e30b346
 +	dontaudit sandbox_xserver_t $1:file read;
 +	allow sandbox_x_domain sandbox_x_domain:process signal;
 +	# Dontaudit leaked file descriptors
++	dontaudit sandbox_x_domain $1:key { link read search view };
 +	dontaudit sandbox_x_domain $1:fifo_file { read write };
 +	dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
 +	dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
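Review bot: L831 inserts the key dontaudit between the comment `# Dontaudit leaked file descriptors` on L830 and the fifo/tcp/udp rules it describes; keys are not file descriptors, so the new line now sits under a comment that does not apply to it. Move it above L830 next to the process signal rule, or give it its own comment, e.g. `# Dontaudit access to the caller's keyring`. The sibling addition in sandbox.if is placed after the process dontaudit and does not have this problem.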
@@ -88967,10 +89010,12 @@ index cbfe369..6594af3 100644
  	files_search_var_lib($1)
 diff --git a/snapper.fc b/snapper.fc
 new file mode 100644
-index 0000000..1cb1360
+index 0000000..77ae4f3
 --- /dev/null
 +++ b/snapper.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,7 @@
++HOME_DIR/\.snapshots    -d  gen_context(system_u:object_r:snapperd_home_t,s0)
++
 +/usr/sbin/snapperd		--	gen_context(system_u:object_r:snapperd_exec_t,s0)
 +
 +/etc/snapper(/.*)?          gen_context(system_u:object_r:snapperd_conf_t,s0)
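Review bot: `HOME_DIR/\.snapshots    -d` on L845 matches only the directory itself, so anything created below it is relabeled to the generic user home type on the next restorecon and falls outside the snapperd_home_t manage rules this commit adds in snapper.te. If the daemon writes into that tree (the te hunk grants manage on files and symlinks of snapperd_home_t, which suggests it does), the pattern should be `HOME_DIR/\.snapshots(/.*)?	gen_context(system_u:object_r:snapperd_home_t,s0)` without the `-d` restriction. The entry also uses spaces where the neighbouring entries use tabs.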
@@ -89026,10 +89071,10 @@ index 0000000..94105ee
 +')
 diff --git a/snapper.te b/snapper.te
 new file mode 100644
-index 0000000..a299f53
+index 0000000..5fad225
 --- /dev/null
 +++ b/snapper.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,73 @@
 +policy_module(snapper, 1.0.0)
 +
 +########################################
@@ -89050,6 +89095,9 @@ index 0000000..a299f53
 +type snapperd_data_t;
 +files_type(snapperd_data_t)
 +
++type snapperd_home_t;
++userdom_user_home_content(snapperd_home_t)
++
 +########################################
 +#
 +# snapperd local policy
@@ -89069,6 +89117,10 @@ index 0000000..a299f53
 +manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
 +manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
 +
++manage_files_pattern(snapperd_t, snapperd_home_t, snapperd_home_t)
++manage_dirs_pattern(snapperd_t, snapperd_home_t, snapperd_home_t)
++manage_lnk_files_pattern(snapperd_t, snapperd_home_t, snapperd_home_t)
++
 +domain_read_all_domains_state(snapperd_t)
 +
 +corecmd_exec_shell(snapperd_t)
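Review bot: The manage rules for snapperd_home_t on L877-L879 do not by themselves let snapperd_t reach or create HOME_DIR/.snapshots: the domain also needs search on user home directories and a named transition so a freshly created `.snapshots` gets the new label instead of the default home type, i.e. `userdom_search_user_home_dirs(snapperd_t)` and `userdom_user_home_dir_filetrans(snapperd_t, snapperd_home_t, dir, ".snapshots")`. Both may already exist elsewhere in snapper.te, which the hunk does not show; if not, the new type will only apply after a manual relabel.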
@@ -89423,7 +89475,7 @@ index 634c6b4..e1edfd9 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index 703efa3..1a35702 100644
+index 703efa3..08a6332 100644
 --- a/sosreport.te
 +++ b/sosreport.te
 @@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
@@ -89485,17 +89537,18 @@ index 703efa3..1a35702 100644
  
  corecmd_exec_all_executables(sosreport_t)
  
-@@ -58,6 +82,9 @@ dev_read_rand(sosreport_t)
+@@ -58,6 +82,10 @@ dev_read_rand(sosreport_t)
  dev_read_urand(sosreport_t)
  dev_read_raw_memory(sosreport_t)
  dev_read_sysfs(sosreport_t)
 +dev_rw_generic_usb_dev(sosreport_t)
++dev_rw_lvm_control(sosreport_t)
 +dev_getattr_all_chr_files(sosreport_t)
 +dev_getattr_all_blk_files(sosreport_t)
  
  domain_getattr_all_domains(sosreport_t)
  domain_read_all_domains_state(sosreport_t)
-@@ -65,12 +92,13 @@ domain_getattr_all_sockets(sosreport_t)
+@@ -65,12 +93,13 @@ domain_getattr_all_sockets(sosreport_t)
  domain_getattr_all_pipes(sosreport_t)
  
  files_getattr_all_sockets(sosreport_t)
@@ -89510,7 +89563,7 @@ index 703efa3..1a35702 100644
  files_read_var_lib_files(sosreport_t)
  files_read_var_symlinks(sosreport_t)
  files_read_kernel_modules(sosreport_t)
-@@ -79,27 +107,45 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -79,27 +108,49 @@ files_manage_etc_runtime_files(sosreport_t)
  files_etc_filetrans_etc_runtime(sosreport_t, file)
  
  fs_getattr_all_fs(sosreport_t)
@@ -89555,14 +89608,19 @@ index 703efa3..1a35702 100644
 +')
 +
 +optional_policy(`
++    bootloader_exec(sosreport_t)
++')
++
++optional_policy(`
 +	brctl_domtrans(sosreport_t)
  ')
  
  optional_policy(`
-@@ -111,6 +157,15 @@ optional_policy(`
+@@ -111,6 +162,16 @@ optional_policy(`
  ')
  
  optional_policy(`
++    lvm_read_config(sosreport_t)
 +    lvm_dontaudit_access_check_lock(sosreport_t)
 +')
 +
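Review bot: The added `bootloader_exec(sosreport_t)` and `lvm_read_config(sosreport_t)` lines are indented with four spaces while the neighbouring optional_policy bodies in this file use a tab (see the brctl_domtrans line in the same hunk), and the same mixed indentation appears in the later hunk that adds `unconfined_domain(sosreport_t)`. Tabs would match the file: `	bootloader_exec(sosreport_t)`. Purely a style point; the rules themselves are in their own optional_policy blocks as expected.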
@@ -89575,7 +89633,7 @@ index 703efa3..1a35702 100644
  	fstools_domtrans(sosreport_t)
  ')
  
-@@ -120,6 +175,10 @@ optional_policy(`
+@@ -120,6 +181,10 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(sosreport_t)
  	')
@@ -89586,7 +89644,7 @@ index 703efa3..1a35702 100644
  ')
  
  optional_policy(`
-@@ -131,13 +190,34 @@ optional_policy(`
+@@ -131,15 +196,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -89624,6 +89682,12 @@ index 703efa3..1a35702 100644
  ')
  
  optional_policy(`
+ 	xserver_stream_connect(sosreport_t)
+ ')
++
++optional_policy(`
++    unconfined_domain(sosreport_t)
++')
 diff --git a/soundserver.if b/soundserver.if
 index a5abc5a..b9eff74 100644
 --- a/soundserver.if
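Review bot: Granting `unconfined_domain(sosreport_t)` means every fine-grained rule this commit also adds to sosreport.te (dev_rw_lvm_control, bootloader_exec, lvm_read_config in the earlier hunks) only constrains anything on systems where the unconfined module is disabled, and that dual nature is not stated anywhere in the file. A comment on the new block would make the intent explicit, e.g. `# sosreport collects from every subsystem; the rules above apply only when the unconfined module is disabled`. The same consideration applies to the vmtools.te hunk, where `networkmanager_dbus_chat(vmtools_t)` is added directly above an existing `unconfined_domain(vmtools_t)`. Note this block is appended at the end of sosreport.te, so there is no later rule that could narrow it.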
@@ -97377,7 +97441,7 @@ index af9acc0..cdaf82e 100644
  	admin_pattern($1, uucpd_log_t)
  
 diff --git a/uucp.te b/uucp.te
-index 380902c..75545d6 100644
+index 380902c..c09534e 100644
 --- a/uucp.te
 +++ b/uucp.te
 @@ -31,7 +31,7 @@ type uucpd_ro_t;
@@ -97389,7 +97453,7 @@ index 380902c..75545d6 100644
  
  type uucpd_log_t;
  logging_log_file(uucpd_log_t)
-@@ -84,15 +84,19 @@ kernel_read_kernel_sysctls(uucpd_t)
+@@ -84,15 +84,20 @@ kernel_read_kernel_sysctls(uucpd_t)
  kernel_read_system_state(uucpd_t)
  kernel_read_network_state(uucpd_t)
  
@@ -97405,12 +97469,13 @@ index 380902c..75545d6 100644
  corenet_tcp_connect_ssh_port(uucpd_t)
  corenet_tcp_sendrecv_ssh_port(uucpd_t)
  
++corenet_tcp_bind_uucpd_port(uucpd_t)
 +corenet_tcp_connect_uucpd_port(uucpd_t)
 +
  corecmd_exec_bin(uucpd_t)
  corecmd_exec_shell(uucpd_t)
  
-@@ -110,7 +114,7 @@ auth_use_nsswitch(uucpd_t)
+@@ -110,7 +115,7 @@ auth_use_nsswitch(uucpd_t)
  
  logging_send_syslog_msg(uucpd_t)
  
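Review bot: `corenet_tcp_bind_uucpd_port(uucpd_t)` permits binding to the port type, but a TCP bind also needs node-level permission, and no `corenet_tcp_bind_generic_node(uucpd_t)` is visible in this hunk; unless it is already present elsewhere in uucp.te (outside this view), the bind will still be denied on node_t. If the intent is that uucpd may listen, the pair should go together: `corenet_tcp_bind_generic_node(uucpd_t)` followed by the added line. The inner hunk's surrounding rules continue beyond this view.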
@@ -97419,7 +97484,7 @@ index 380902c..75545d6 100644
  
  optional_policy(`
  	cron_system_entry(uucpd_t, uucpd_exec_t)
-@@ -125,10 +129,6 @@ optional_policy(`
+@@ -125,10 +130,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -97430,7 +97495,7 @@ index 380902c..75545d6 100644
  	ssh_exec(uucpd_t)
  ')
  
-@@ -160,10 +160,15 @@ auth_use_nsswitch(uux_t)
+@@ -160,10 +161,15 @@ auth_use_nsswitch(uux_t)
  logging_search_logs(uux_t)
  logging_send_syslog_msg(uux_t)
  
@@ -101953,10 +102018,10 @@ index 0000000..7933d80
 +')
 diff --git a/vmtools.te b/vmtools.te
 new file mode 100644
-index 0000000..b881c53
+index 0000000..ab589a9
 --- /dev/null
 +++ b/vmtools.te
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,87 @@
 +policy_module(vmtools, 1.0.0)
 +
 +########################################
@@ -101976,7 +102041,8 @@ index 0000000..b881c53
 +type vmtools_helper_t;
 +type vmtools_helper_exec_t;
 +application_domain(vmtools_helper_t, vmtools_helper_exec_t)
-+role vmtools_helper_roles types vmtools_t;
++domain_system_change_exemption(vmtools_helper_t)
++role vmtools_helper_roles types vmtools_helper_t;
 +
 +type vmtools_unit_file_t;
 +systemd_unit_file(vmtools_unit_file_t)
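Review bot: `domain_system_change_exemption(vmtools_helper_t)` lets an application domain that user roles can enter switch into system_r, which widens the role boundary for every role that can run the helper, and the new line carries no explanation of why that is needed. A short comment above it, `# vmtools-helper must enter system_r to run system-level actions`, would document the decision for whoever audits the role transitions later. The role statement fix on the following line is the commit's own correction and needs nothing further.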
@@ -102027,6 +102093,10 @@ index 0000000..b881c53
 +xserver_stream_connect(vmtools_t)
 +
 +optional_policy(`
++    networkmanager_dbus_chat(vmtools_t)
++')
++
++optional_policy(`
 +    unconfined_domain(vmtools_t)
 +')
 +
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 17b87f4..91ea267 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 126%{?dist}
+Release: 127%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,37 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Feb 25 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-127
+- Add snapperd_home_t for HOME_DIR/.snapshots directory
+- Make sosreport as unconfined domain
+- Allow sosreport to execute grub2-probe
+- Allow NM to manage hostname config file
+- Allow systemd_timedated_t to dbus chat with rpm_script_t
+- Allow lsmd plugins to connect to http/ssh/http_cache ports by default
+- Add lsmd_plugin_connect_any boolean
+- Allow mozilla_plugin to attempt to set capabilities
+- Allow lsdm_plugins to use tcp_socket
+- Dontaudit mozilla plugin from getattr on /proc or /sys
+- Dontaudit use of the keyring by the services in a sandbox
+- Dontaudit attempts to sys_ptrace caused by running ps for mysqld_safe_t
+- Allow rabbitmq_beam to connect to jabber_interserver_port
+- Allow logwatch_mail_t to transition to qmail_inject and queueu
+- Added new rules to pcp policy
+- Allow vmtools_helper_t to change role to system_r
+- Allow NM to dbus chat with vmtools
+- Fix couchdb_manage_files() to allow manage couchdb conf files
+- Add support for /var/run/redis.sock
+- dontaudit gpg trying to use audit
+- Allow consolekit to create log directories and files
+- Fix vmtools policy to allow user roles to access vmtools_helper_t
+- Allow block_suspend cap2 for ipa-otpd
+- Allow pkcsslotd to read users state
+- Add ioctl to init_dontaudit_rw_stream_socket
+- Add systemd_hostnamed_manage_config() interface
+- Remove transition for temp dirs created by init_t
+- gdm-simple-slave uses use setsockopt
+- sddm-greater is a xdm type program
+
 * Tue Feb 18 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-126
 - Add lvm_read_metadata()
 - Allow auditadm to search /var/log/audit dir

