[selinux-policy] * Thu Mar 05 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-115 - Allow glusterd_t exec glusterd_var_

Lukas Vrabec lvrabec at fedoraproject.org
Thu Mar 5 19:22:28 UTC 2015


commit f6c1168684e38f13c6febb64c796099d24500fd9
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Thu Mar 5 20:22:19 2015 +0100

    * Thu Mar 05 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-115
    - Allow glusterd_t exec glusterd_var_lib_t files. BZ(1198406)
    - Add gluster_exec_lib interface.
    - Allow l2tpd to manage NetworkManager pid files
    - Allow firewalld_t relabelfrom firewalld_rw_etc_t. BZ(1195327)
    - Allow cyrus bind tcp berknet port. BZ(1198347)
    - Add nsswitch domain for more services.
    - Allow abrt_dump_oops_t read /etc/passwd file. BZ(1197190)
    - Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling.
    - Make munin yum plugin as unconfined by default.
    - Allow bitlbee connections to the system DBUS.
    - Allow system apache scripts to send log messages.
    - Allow denyhosts execute iptables. BZ(1197371)
    - Allow brltty rw event device. BZ(1190349)
    - Allow cupsd config to execute ldconfig. BZ(1196608)
    - xdm_t now needs to manage user ttys
    - Allow ping_t read urand. BZ(1181831)
    - Add support for tcp/2005 port.
    - Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile.
    - In F23 we are running xserver as the user, need this to allow confined users to use X

 policy-rawhide-base.patch    | 103 +++++++++--------
 policy-rawhide-contrib.patch | 267 +++++++++++++++++++++++++++----------------
 selinux-policy.spec          |  23 +++-
 3 files changed, 247 insertions(+), 146 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index aa9ab98..12f8a66 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1802,7 +1802,7 @@ index c6ca761..0c86bfd 100644
  ')
  
 diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index c44c359..ec441aa 100644
+index c44c359..bb78970 100644
 --- a/policy/modules/admin/netutils.te
 +++ b/policy/modules/admin/netutils.te
 @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@@ -1883,15 +1883,17 @@ index c44c359..ec441aa 100644
  corenet_all_recvfrom_netlabel(ping_t)
  corenet_tcp_sendrecv_generic_if(ping_t)
  corenet_raw_sendrecv_generic_if(ping_t)
-@@ -124,6 +126,7 @@ corenet_raw_bind_generic_node(ping_t)
+@@ -124,6 +126,9 @@ corenet_raw_bind_generic_node(ping_t)
  corenet_tcp_sendrecv_all_ports(ping_t)
  
  fs_dontaudit_getattr_xattr_fs(ping_t)
 +fs_dontaudit_rw_anon_inodefs_files(ping_t)
++
++dev_read_urand(ping_t)
  
  domain_use_interactive_fds(ping_t)
  
-@@ -131,14 +134,13 @@ files_read_etc_files(ping_t)
+@@ -131,14 +136,13 @@ files_read_etc_files(ping_t)
  files_dontaudit_search_var(ping_t)
  
  kernel_read_system_state(ping_t)
@@ -1909,7 +1911,7 @@ index c44c359..ec441aa 100644
  
  ifdef(`hide_broken_symptoms',`
  	init_dontaudit_use_fds(ping_t)
-@@ -149,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -149,11 +153,25 @@ ifdef(`hide_broken_symptoms',`
  	')
  ')
  
@@ -1935,7 +1937,7 @@ index c44c359..ec441aa 100644
  	pcmcia_use_cardmgr_fds(ping_t)
  ')
  
-@@ -161,6 +177,15 @@ optional_policy(`
+@@ -161,6 +179,15 @@ optional_policy(`
  	hotplug_use_fds(ping_t)
  ')
  
@@ -1951,7 +1953,7 @@ index c44c359..ec441aa 100644
  ########################################
  #
  # Traceroute local policy
-@@ -174,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -174,7 +201,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
  kernel_read_system_state(traceroute_t)
  kernel_read_network_state(traceroute_t)
  
@@ -1959,7 +1961,7 @@ index c44c359..ec441aa 100644
  corenet_all_recvfrom_netlabel(traceroute_t)
  corenet_tcp_sendrecv_generic_if(traceroute_t)
  corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -198,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -198,6 +224,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
  domain_use_interactive_fds(traceroute_t)
  
  files_read_etc_files(traceroute_t)
@@ -1967,7 +1969,7 @@ index c44c359..ec441aa 100644
  files_dontaudit_search_var(traceroute_t)
  
  init_use_fds(traceroute_t)
-@@ -206,11 +231,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -206,11 +233,17 @@ auth_use_nsswitch(traceroute_t)
  
  logging_send_syslog_msg(traceroute_t)
  
@@ -5527,7 +5529,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..87b5aa1 100644
+index b191055..a60bc60 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5601,7 +5603,7 @@ index b191055..87b5aa1 100644
  # reserved_port_t is the type of INET port numbers below 1024.
  #
  type reserved_port_t, port_type, reserved_port_type;
-@@ -83,56 +106,70 @@ network_port(agentx, udp,705,s0, tcp,705,s0)
+@@ -83,56 +106,71 @@ network_port(agentx, udp,705,s0, tcp,705,s0)
  network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
  network_port(amavisd_recv, tcp,10024,s0)
  network_port(amavisd_send, tcp,10025,s0)
@@ -5644,6 +5646,7 @@ index b191055..87b5aa1 100644
 +network_port(ctdb, tcp,4379,s0, udp,4379,s0)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
++network_port(cyrus_imapd, tcp,2005,s0)
  network_port(daap, tcp,3689,s0, udp,3689,s0)
  network_port(dbskkd, tcp,1178,s0)
  network_port(dcc, udp,6276,s0, udp,6277,s0)
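Review bot: `network_port(cyrus_imapd, tcp,2005,s0)` names the new port type after a single consumer, while the changelog calls tcp/2005 the berknet port; a short comment above the line, `# tcp/2005 (berknet) is bound by cyrus imapd, BZ 1198347`, or a protocol-based type name, keeps the label reusable by other services and explains the number. Port/protocol pairs must be unique in this table, so confirm nothing else in corenetwork.te.in (the rest of the table is outside this hunk) already claims tcp/2005. Before this change the port presumably fell under the generic unreserved label, so any other domain that bound tcp/2005 through the generic unreserved-port interfaces will start being denied once the dedicated type exists — worth a look at AVC logs after the update.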
@@ -5681,7 +5684,7 @@ index b191055..87b5aa1 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +177,55 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +178,55 @@ network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5752,7 +5755,7 @@ index b191055..87b5aa1 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,95 +233,116 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,95 +234,116 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5887,7 +5890,7 @@ index b191055..87b5aa1 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +356,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +357,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -5914,7 +5917,7 @@ index b191055..87b5aa1 100644
  
  ########################################
  #
-@@ -333,6 +405,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +406,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5923,7 +5926,7 @@ index b191055..87b5aa1 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -345,9 +419,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +420,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -19590,7 +19593,7 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..43bc4f2 100644
+index 0fef1fc..405687c 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,72 @@ policy_module(staff, 2.4.0)
@@ -19817,7 +19820,7 @@ index 0fef1fc..43bc4f2 100644
  ')
  
  optional_policy(`
-@@ -52,10 +232,60 @@ optional_policy(`
+@@ -52,11 +232,61 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19862,6 +19865,7 @@ index 0fef1fc..43bc4f2 100644
  ')
  
  optional_policy(`
+-	xserver_role(staff_r, staff_t)
 +    vmtools_run_helper(staff_t, staff_r)
 +')
 +
@@ -19875,9 +19879,10 @@ index 0fef1fc..43bc4f2 100644
 +
 +optional_policy(`
 +	xserver_read_log(staff_t)
- 	xserver_role(staff_r, staff_t)
++	xserver_run(staff_t, staff_r)
  ')
  
+ ifndef(`distro_redhat',`
 @@ -65,10 +295,6 @@ ifndef(`distro_redhat',`
  	')
  
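Review bot: Swapping `xserver_role(staff_r, staff_t)` (dropped in the hunk just above) for `xserver_run(staff_t, staff_r)` changes what the role gets, not only who may start the server: `xserver_role` presumably carried the X client-side rules (xauth/iceauth transitions, x_domain membership) whereas `xserver_run` presumably adds a domain transition into `xserver_t` plus the role allow, and whether the latter covers everything the former did depends on `xserver_run` in xserver.if, which is not in this chunk. If it does not, confined staff users lose X client access while gaining entry into `xserver_t`, a domain that context lines later in this patch show reading all users' home content (`userdom_read_user_home_content_files`) and driving `dev_rw_framebuffer`/`dev_manage_dri_dev`. Keep both calls unless that is verified, and in any case add a comment explaining the new transition, e.g. `# F23 runs Xorg as the logged-in user: the role must be able to enter xserver_t`.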
@@ -21676,7 +21681,7 @@ index 3835596..fbca2be 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 6d77e81..ee93201 100644
+index 6d77e81..656a8c4 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
 @@ -1,5 +1,12 @@
@@ -21839,7 +21844,7 @@ index 6d77e81..ee93201 100644
  	')
 +
 +	optional_policy(`
-+		xserver_role(user_r, user_t)
++		xserver_run(user_t, user_r)
 +	')
 +')
 +
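Review bot: `xserver_run(user_t, user_r)` lets the unprivileged role transition into `xserver_t`, and the `xserver_role(user_r, user_t)` call is removed at the same time; the change is not annotated, and the optional_policy block it sits in starts outside the hunk. With the server started by the user, two users' X servers now share one MAC domain whose rules (visible as context elsewhere in this patch) include reading every user's home content, raw framebuffer access and use of unallocated ttys, so separation between their sessions at that point rests on DAC alone — presumably the accepted trade-off for rootless Xorg, but it deserves the comment `# rootless Xorg (F23): user_r starts the server, so it needs the xserver_t transition`. Also confirm that the X client rules `xserver_role` provided still reach user_t by another route (the userdom templates are not in this chunk); otherwise confined users lose X client access.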
@@ -25765,7 +25770,7 @@ index 6bf0ecc..b036584 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..415f8be 100644
+index 8b40377..07ff17c 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,66 @@ gen_require(`
@@ -26357,17 +26362,16 @@ index 8b40377..415f8be 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +641,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +641,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
 +storage_dontaudit_rw_fuse(xdm_t)
  
  term_setattr_console(xdm_t)
-+term_use_console(xdm_t)
-+term_use_virtio_console(xdm_t)
- term_use_unallocated_ttys(xdm_t)
+-term_use_unallocated_ttys(xdm_t)
  term_setattr_unallocated_ttys(xdm_t)
++term_use_all_terms(xdm_t)
 +term_relabel_all_ttys(xdm_t)
 +term_relabel_unallocated_ttys(xdm_t)
  
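Review bot: `term_use_all_terms(xdm_t)` replaces three targeted grants (`term_use_console`, `term_use_virtio_console`, `term_use_unallocated_ttys`) with read/write on every terminal type, which presumably includes the ptys of other users' login sessions, while the changelog only asks for user ttys. If that is the actual need, keep the three original lines and add `userdom_use_user_ttys(xdm_t)`, the interface this patch already uses for `xserver_t` further down. If every terminal type really is required, say why on the line, e.g. `# xdm_t needs all terminal types: <reason>`, so the next reviewer does not narrow it again.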
@@ -26407,7 +26411,7 @@ index 8b40377..415f8be 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +689,155 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +687,155 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -26569,7 +26573,7 @@ index 8b40377..415f8be 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,12 +850,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +848,31 @@ tunable_policy(`xdm_sysadm_login',`
  #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
  ')
  
@@ -26601,7 +26605,7 @@ index 8b40377..415f8be 100644
  ')
  
  optional_policy(`
-@@ -517,9 +884,34 @@ optional_policy(`
+@@ -517,9 +882,34 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(xdm_t)
  	dbus_connect_system_bus(xdm_t)
@@ -26637,7 +26641,7 @@ index 8b40377..415f8be 100644
  	')
  ')
  
-@@ -530,6 +922,20 @@ optional_policy(`
+@@ -530,6 +920,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26658,7 +26662,7 @@ index 8b40377..415f8be 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -547,28 +953,78 @@ optional_policy(`
+@@ -547,28 +951,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26746,7 +26750,7 @@ index 8b40377..415f8be 100644
  ')
  
  optional_policy(`
-@@ -580,6 +1036,14 @@ optional_policy(`
+@@ -580,6 +1034,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26761,7 +26765,7 @@ index 8b40377..415f8be 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,7 +1058,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1056,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
  type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
  
  allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -26770,7 +26774,7 @@ index 8b40377..415f8be 100644
  
  # setuid/setgid for the wrapper program to change UID
  # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1068,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1066,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -26783,7 +26787,7 @@ index 8b40377..415f8be 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1085,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1083,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -26799,7 +26803,7 @@ index 8b40377..415f8be 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1101,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1099,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -26810,7 +26814,7 @@ index 8b40377..415f8be 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1116,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1114,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -26847,7 +26851,7 @@ index 8b40377..415f8be 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1162,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1160,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -26879,7 +26883,7 @@ index 8b40377..415f8be 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -705,6 +1195,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1193,14 @@ fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
  
@@ -26894,7 +26898,7 @@ index 8b40377..415f8be 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -718,20 +1216,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1214,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -26918,7 +26922,7 @@ index 8b40377..415f8be 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1235,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1233,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -26927,7 +26931,7 @@ index 8b40377..415f8be 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1279,50 @@ optional_policy(`
+@@ -785,17 +1277,50 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26980,7 +26984,7 @@ index 8b40377..415f8be 100644
  ')
  
  optional_policy(`
-@@ -803,6 +1330,10 @@ optional_policy(`
+@@ -803,6 +1328,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26991,7 +26995,7 @@ index 8b40377..415f8be 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -818,18 +1349,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1347,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -27016,7 +27020,7 @@ index 8b40377..415f8be 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -842,26 +1372,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1370,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -27051,7 +27055,7 @@ index 8b40377..415f8be 100644
  ')
  
  optional_policy(`
-@@ -912,7 +1437,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1435,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -27060,7 +27064,7 @@ index 8b40377..415f8be 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -966,11 +1491,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1489,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -27092,7 +27096,7 @@ index 8b40377..415f8be 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1537,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1535,148 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -38400,7 +38404,7 @@ index 3822072..8a23b62 100644
 +	allow semanage_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc46420..fa0e220 100644
+index dc46420..90ff61b 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -11,14 +11,16 @@ gen_require(`
@@ -38932,7 +38936,7 @@ index dc46420..fa0e220 100644
  ')
  
  ########################################
-@@ -522,111 +602,196 @@ ifdef(`distro_ubuntu',`
+@@ -522,111 +602,197 @@ ifdef(`distro_ubuntu',`
  # Setfiles local policy
  #
  
@@ -39111,6 +39115,7 @@ index dc46420..fa0e220 100644
  # for config files in a home directory
 -userdom_read_user_home_content_files(setfiles_t)
 +userdom_read_user_home_content_files(setfiles_domain)
++userdom_read_admin_home_files(setfiles_domain)
 +userdom_rw_inherited_user_home_content_files(setfiles_domain)
  
  ifdef(`distro_debian',`
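Review bot: `userdom_read_admin_home_files(setfiles_domain)` sits under the comment `# for config files in a home directory`, which does not describe it, and it applies to every domain carrying the `setfiles_domain` attribute rather than only the `setfiles_t` that `semanage -i /root/testfile` exercises. Put a comment of its own above it, `# semanage -i /root/<file>: setfiles must read the file to import from admin_home_t`, and if the attribute includes domains that never touch root's files (its members are declared outside this hunk), scope the grant to `setfiles_t`.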
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 3a05f2a..266027e 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -546,7 +546,7 @@ index 058d908..1e92177 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..d77f4a6 100644
+index eb50f07..2e7633c 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -984,7 +984,7 @@ index eb50f07..d77f4a6 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +451,58 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +451,60 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1030,6 +1030,8 @@ index eb50f07..d77f4a6 100644
  kernel_read_kernel_sysctls(abrt_dump_oops_t)
  kernel_read_ring_buffer(abrt_dump_oops_t)
  
++auth_read_passwd(abrt_dump_oops_t)
++
 +dev_read_urand(abrt_dump_oops_t)
 +dev_read_rand(abrt_dump_oops_t)
 +
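Review bot: `auth_read_passwd(abrt_dump_oops_t)` is inserted between the `kernel_` and `dev_` calls, whereas this file keeps system-layer interfaces (`auth_`, `logging_`) after the kernel-layer group — `logging_read_generic_logs(abrt_dump_oops_t)` in the next hunk's header shows where they live; move the line next to it. Reading /etc/passwd directly is the narrow grant if only uid-to-name lookups happen; if the daemon resolves names through NSS (sssd/LDAP hosts), `auth_use_nsswitch(abrt_dump_oops_t)` is the usual interface, and BZ 1197190 should tell which case applies.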
@@ -1047,7 +1049,7 @@ index eb50f07..d77f4a6 100644
  
  #######################################
  #
-@@ -404,7 +510,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,7 +512,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
  #
  
  allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1056,7 +1058,7 @@ index eb50f07..d77f4a6 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -413,16 +519,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +521,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -1100,7 +1102,7 @@ index eb50f07..d77f4a6 100644
  ')
  
  #######################################
-@@ -430,10 +562,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +564,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
  # Global local policy
  #
  
@@ -5147,7 +5149,7 @@ index f6eb485..164501c 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 6649962..3226dec 100644
+index 6649962..12fcbb6 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
@@ -6924,7 +6926,7 @@ index 6649962..3226dec 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1391,106 @@ optional_policy(`
+@@ -1083,172 +1391,107 @@ optional_policy(`
  	')
  ')
  
@@ -6989,6 +6991,7 @@ index 6649962..3226dec 100644
 +files_search_spool(httpd_sys_script_t)
  
 -seutil_dontaudit_search_config(httpd_script_domains)
++logging_send_syslog_msg(httpd_sys_script_t)
 +logging_inherit_append_all_logs(httpd_sys_script_t)
  
 -tunable_policy(`httpd_enable_cgi && httpd_unified',`
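Review bot: `logging_send_syslog_msg(httpd_sys_script_t)` is unconditional, and this is the domain web-served system scripts run in, so a compromised script can now write arbitrary entries to the system log (log forging, noise for log-based alerting). That is a common and usually accepted grant, but the reason should be recorded next to the rule, e.g. `# system scripts log through syslog(3); a compromised script can forge log lines`, so the trade-off is visible to the next reader.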
@@ -7161,7 +7164,7 @@ index 6649962..3226dec 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1498,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1499,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -7258,7 +7261,7 @@ index 6649962..3226dec 100644
  
  ########################################
  #
-@@ -1321,8 +1573,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1574,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -7275,7 +7278,7 @@ index 6649962..3226dec 100644
  ')
  
  ########################################
-@@ -1330,49 +1589,38 @@ optional_policy(`
+@@ -1330,49 +1590,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -7340,7 +7343,7 @@ index 6649962..3226dec 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1630,101 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1631,101 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -9460,7 +9463,7 @@ index e73fb79..2badfc0 100644
  	domain_system_change_exemption($1)
  	role_transition $2 bitlbee_initrc_exec_t system_r;
 diff --git a/bitlbee.te b/bitlbee.te
-index f5c1a48..f255b29 100644
+index f5c1a48..f7b4f1d 100644
 --- a/bitlbee.te
 +++ b/bitlbee.te
 @@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
@@ -9508,7 +9511,7 @@ index f5c1a48..f255b29 100644
  corenet_tcp_connect_ircd_port(bitlbee_t)
  corenet_tcp_sendrecv_ircd_port(bitlbee_t)
  
-@@ -109,16 +116,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
+@@ -109,16 +116,17 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
  dev_read_rand(bitlbee_t)
  dev_read_urand(bitlbee_t)
  
@@ -9521,10 +9524,14 @@ index f5c1a48..f255b29 100644
  logging_send_syslog_msg(bitlbee_t)
  
 -miscfiles_read_localization(bitlbee_t)
--
++optional_policy(`
++    dbus_system_bus_client(bitlbee_t)
++')
+ 
  optional_policy(`
  	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
  ')
++
 diff --git a/blueman.fc b/blueman.fc
 index c295d2e..4f84e9c 100644
 --- a/blueman.fc
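Review bot: The new `dbus_system_bus_client(bitlbee_t)` line is indented with four spaces while bitlbee.te uses a tab (see `tcpd_wrapped_domain` in the block below), and the trailing `++` adds a blank line at end of file; use `	dbus_system_bus_client(bitlbee_t)` with a tab and drop the extra blank line. On the grant itself, bus-client access only lets this network-facing daemon connect to and send on the system bus; if a particular service is the target, add that service's `_dbus_chat` interface next to it with a comment naming it, so the reason for letting an IRC gateway onto the system bus is visible.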
@@ -10522,10 +10529,10 @@ index 0000000..968c957
 +')
 diff --git a/brltty.te b/brltty.te
 new file mode 100644
-index 0000000..0efa3a2
+index 0000000..eabda1e
 --- /dev/null
 +++ b/brltty.te
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,62 @@
 +policy_module(brltty, 1.0.0)
 +
 +########################################
@@ -10577,6 +10584,7 @@ index 0000000..0efa3a2
 +
 +dev_read_sysfs(brltty_t)
 +dev_rw_generic_usb_dev(brltty_t)
++dev_rw_input_dev(brltty_t)
 +
 +fs_getattr_all_fs(brltty_t)
 +
@@ -19713,7 +19721,7 @@ index 3023be7..0317731 100644
 +	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
  ')
 diff --git a/cups.te b/cups.te
-index c91813c..325c5e3 100644
+index c91813c..9533fa0 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@@ -19986,7 +19994,7 @@ index c91813c..325c5e3 100644
  
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
-@@ -244,23 +287,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -244,22 +287,27 @@ auth_dontaudit_read_pam_pid(cupsd_t)
  auth_rw_faillog(cupsd_t)
  auth_use_nsswitch(cupsd_t)
  
@@ -20008,18 +20016,17 @@ index c91813c..325c5e3 100644
  
  userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
 +userdom_dontaudit_search_user_home_dirs(cupsd_t)
-+userdom_dontaudit_search_user_home_content(cupsd_t)
-+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
  userdom_dontaudit_search_user_home_content(cupsd_t)
- 
++userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
++userdom_dontaudit_search_user_home_content(cupsd_t)
++
 +tunable_policy(`cups_execmem',`
 +	allow cupsd_t self:process { execmem execstack };
 +')
 +
-+
+ 
  optional_policy(`
  	apm_domtrans_client(cupsd_t)
- ')
 @@ -272,6 +320,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
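Review bot: After this move the patch still adds `userdom_dontaudit_use_unpriv_user_fds(cupsd_t)` and `userdom_dontaudit_search_user_home_content(cupsd_t)` (the two `++` lines) directly below upstream lines that already contain both calls — the first is a context line three lines up, the second the context line immediately above — so they are duplicates and should be dropped, keeping only the new `userdom_dontaudit_search_user_home_dirs(cupsd_t)`. The compiled policy is unaffected, but duplicate interface calls make the Fedora-vs-upstream diff of cups.te harder to read.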
@@ -20166,7 +20173,18 @@ index c91813c..325c5e3 100644
  ')
  
  optional_policy(`
-@@ -487,10 +533,6 @@ optional_policy(`
+@@ -467,6 +513,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	libs_exec_ldconfig(cupsd_config_t)
++')
++
++optional_policy(`
+ 	rpm_read_db(cupsd_config_t)
+ ')
+ 
+@@ -487,10 +537,6 @@ optional_policy(`
  # Lpd local policy
  #
  
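Review bot: `libs_exec_ldconfig(cupsd_config_t)` is wrapped in an optional_policy block, but `libs` is a base module (this patch calls `libs_exec_lib_files(cyrus_t)` bare), so the wrapper is unnecessary and the call can sit with the other base-module lines. It also executes ldconfig inside `cupsd_config_t` with no domain transition: fine if the helper only runs `ldconfig -p`-style queries, but if it has to regenerate /etc/ld.so.cache the confined route is `libs_domtrans_ldconfig(cupsd_config_t)` (assuming libs.if carries it as reference policy does) so the write happens in `ldconfig_t`; BZ 1196608 should say which case applies, and a comment on the line should record it.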
@@ -20177,7 +20195,7 @@ index c91813c..325c5e3 100644
  allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -508,15 +550,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -508,15 +554,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
  
  kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
@@ -20195,7 +20213,7 @@ index c91813c..325c5e3 100644
  corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
  
  corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
-@@ -537,9 +579,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+@@ -537,9 +583,6 @@ auth_use_nsswitch(cupsd_lpd_t)
  
  logging_send_syslog_msg(cupsd_lpd_t)
  
@@ -20205,7 +20223,7 @@ index c91813c..325c5e3 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -550,7 +589,6 @@ optional_policy(`
+@@ -550,7 +593,6 @@ optional_policy(`
  #
  
  allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -20213,7 +20231,7 @@ index c91813c..325c5e3 100644
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +604,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +608,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -20242,11 +20260,13 @@ index c91813c..325c5e3 100644
 -	fs_manage_cifs_dirs(cups_pdf_t)
 -	fs_manage_cifs_files(cups_pdf_t)
 -')
--
--optional_policy(`
++userdom_home_manager(cups_pdf_t)
+ 
+ optional_policy(`
 -	lpd_manage_spool(cups_pdf_t)
--')
--
++	gnome_read_config(cups_pdf_t)
+ ')
+ 
 -########################################
 -#
 -# HPLIP local policy
@@ -20352,20 +20372,18 @@ index c91813c..325c5e3 100644
 -optional_policy(`
 -	seutil_sigchld_newrole(hplip_t)
 -')
-+userdom_home_manager(cups_pdf_t)
- 
- optional_policy(`
+-
+-optional_policy(`
 -	snmp_read_snmp_var_lib_files(hplip_t)
-+	gnome_read_config(cups_pdf_t)
- ')
- 
+-')
+-
 -optional_policy(`
 -	udev_read_db(hplip_t)
 -')
  
  ########################################
  #
-@@ -735,7 +648,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +652,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -20373,7 +20391,7 @@ index c91813c..325c5e3 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +657,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +661,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -20387,7 +20405,7 @@ index c91813c..325c5e3 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -759,8 +669,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +673,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -20396,7 +20414,7 @@ index c91813c..325c5e3 100644
  sysnet_read_config(ptal_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +681,4 @@ optional_policy(`
+@@ -773,3 +685,4 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -20666,7 +20684,7 @@ index 83bfda6..92d9fb2 100644
  	domain_system_change_exemption($1)
  	role_transition $2 cyrus_initrc_exec_t system_r;
 diff --git a/cyrus.te b/cyrus.te
-index 4283f2d..0632ef7 100644
+index 4283f2d..21a3620 100644
 --- a/cyrus.te
 +++ b/cyrus.te
 @@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t)
@@ -20678,7 +20696,7 @@ index 4283f2d..0632ef7 100644
  dontaudit cyrus_t self:capability sys_tty_config;
  allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow cyrus_t self:process setrlimit;
-@@ -63,7 +63,6 @@ kernel_read_kernel_sysctls(cyrus_t)
+@@ -63,12 +63,12 @@ kernel_read_kernel_sysctls(cyrus_t)
  kernel_read_system_state(cyrus_t)
  kernel_read_all_sysctls(cyrus_t)
  
@@ -20686,7 +20704,13 @@ index 4283f2d..0632ef7 100644
  corenet_all_recvfrom_netlabel(cyrus_t)
  corenet_tcp_sendrecv_generic_if(cyrus_t)
  corenet_tcp_sendrecv_generic_node(cyrus_t)
-@@ -76,6 +75,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
+ corenet_tcp_sendrecv_all_ports(cyrus_t)
+ corenet_tcp_bind_generic_node(cyrus_t)
++corenet_tcp_bind_cyrus_imapd_port(cyrus_t)
+ 
+ corenet_sendrecv_mail_server_packets(cyrus_t)
+ corenet_tcp_bind_mail_port(cyrus_t)
+@@ -76,6 +76,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
  corenet_sendrecv_lmtp_server_packets(cyrus_t)
  corenet_tcp_bind_lmtp_port(cyrus_t)
  
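Review bot: `corenet_tcp_bind_cyrus_imapd_port(cyrus_t)` is added without the `corenet_sendrecv_cyrus_imapd_server_packets(cyrus_t)` that its neighbours pair with their bind rules (the mail and lmtp pairs right below), so SECMARK-labelled traffic on tcp/2005 would be handled unlike the other cyrus ports; add the packet rule beside it. The interface only exists once `network_port(cyrus_imapd, …)` lands in corenetwork.te.in from the base patch, so the two patch files must stay in step — true in this commit, but worth remembering for backports.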
@@ -20696,7 +20720,7 @@ index 4283f2d..0632ef7 100644
  corenet_sendrecv_pop_server_packets(cyrus_t)
  corenet_tcp_bind_pop_port(cyrus_t)
  
-@@ -95,8 +97,6 @@ domain_use_interactive_fds(cyrus_t)
+@@ -95,8 +98,6 @@ domain_use_interactive_fds(cyrus_t)
  
  files_list_var_lib(cyrus_t)
  files_read_etc_runtime_files(cyrus_t)
@@ -20705,7 +20729,7 @@ index 4283f2d..0632ef7 100644
  
  fs_getattr_all_fs(cyrus_t)
  fs_search_auto_mountpoints(cyrus_t)
-@@ -107,7 +107,6 @@ libs_exec_lib_files(cyrus_t)
+@@ -107,7 +108,6 @@ libs_exec_lib_files(cyrus_t)
  
  logging_send_syslog_msg(cyrus_t)
  
@@ -20713,7 +20737,7 @@ index 4283f2d..0632ef7 100644
  miscfiles_read_generic_certs(cyrus_t)
  
  userdom_use_unpriv_users_fds(cyrus_t)
-@@ -121,6 +120,10 @@ optional_policy(`
+@@ -121,6 +121,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20724,7 +20748,7 @@ index 4283f2d..0632ef7 100644
  	kerberos_read_keytab(cyrus_t)
  	kerberos_use(cyrus_t)
  ')
-@@ -134,8 +137,8 @@ optional_policy(`
+@@ -134,8 +138,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22477,7 +22501,7 @@ index a7326da..c87b5b7 100644
  	admin_pattern($1, denyhosts_var_lock_t)
  ')
 diff --git a/denyhosts.te b/denyhosts.te
-index 583a527..1053281 100644
+index 583a527..91c4104 100644
 --- a/denyhosts.te
 +++ b/denyhosts.te
 @@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
@@ -22498,7 +22522,7 @@ index 583a527..1053281 100644
  corenet_all_recvfrom_netlabel(denyhosts_t)
  corenet_tcp_sendrecv_generic_if(denyhosts_t)
  corenet_tcp_sendrecv_generic_node(denyhosts_t)
-@@ -57,13 +59,17 @@ corenet_sendrecv_smtp_client_packets(denyhosts_t)
+@@ -57,13 +59,19 @@ corenet_sendrecv_smtp_client_packets(denyhosts_t)
  corenet_tcp_connect_smtp_port(denyhosts_t)
  corenet_tcp_sendrecv_smtp_port(denyhosts_t)
  
@@ -22510,6 +22534,8 @@ index 583a527..1053281 100644
  
 +auth_use_nsswitch(denyhosts_t)
 +
++iptables_domtrans(denyhosts_t)
++
  logging_read_generic_logs(denyhosts_t)
  logging_send_syslog_msg(denyhosts_t)
  
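Review bot: `iptables_domtrans(denyhosts_t)` gives denyhosts_t a transition into the iptables domain, i.e. the ability to rewrite the host packet filter, with no comment recording why; a line such as `# BZ 1197371: denyhosts blocks offending hosts by running iptables` above it would document the intent. It is also placed unconditionally, whereas the `cron_system_entry` call at the end of this file sits in `optional_policy`; if iptables is a base-layer module in this build the bare call is conventional, otherwise wrap it the same way so denyhosts still loads without it. The denyhosts_t rule body continues outside the hunk.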
@@ -22518,7 +22544,7 @@ index 583a527..1053281 100644
  sysnet_dns_name_resolve(denyhosts_t)
  sysnet_manage_config(denyhosts_t)
  sysnet_etc_filetrans_config(denyhosts_t)
-@@ -71,3 +77,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
+@@ -71,3 +79,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
  optional_policy(`
  	cron_system_entry(denyhosts_t, denyhosts_exec_t)
  ')
@@ -28235,7 +28261,7 @@ index c62c567..6460877 100644
 +	allow $1 firewalld_unit_file_t:service all_service_perms;
  ')
 diff --git a/firewalld.te b/firewalld.te
-index 98072a3..cbaf309 100644
+index 98072a3..e91b89f 100644
 --- a/firewalld.te
 +++ b/firewalld.te
 @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@@ -28254,15 +28280,16 @@ index 98072a3..cbaf309 100644
  ########################################
  #
  # Local policy
-@@ -37,6 +43,7 @@ allow firewalld_t self:udp_socket create_socket_perms;
+@@ -37,6 +43,8 @@ allow firewalld_t self:udp_socket create_socket_perms;
  
  manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
  manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
++relabelfrom_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 +manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
  
  allow firewalld_t firewalld_var_log_t:file append_file_perms;
  allow firewalld_t firewalld_var_log_t:file create_file_perms;
-@@ -48,8 +55,13 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
+@@ -48,8 +56,13 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
  files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
  allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
  
@@ -28276,7 +28303,7 @@ index 98072a3..cbaf309 100644
  
  kernel_read_network_state(firewalld_t)
  kernel_read_system_state(firewalld_t)
-@@ -63,20 +75,17 @@ dev_search_sysfs(firewalld_t)
+@@ -63,20 +76,17 @@ dev_search_sysfs(firewalld_t)
  
  domain_use_interactive_fds(firewalld_t)
  
@@ -28302,7 +28329,7 @@ index 98072a3..cbaf309 100644
  
  optional_policy(`
  	dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -95,6 +104,10 @@ optional_policy(`
+@@ -95,6 +105,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29106,7 +29133,7 @@ index 4498143..84a4858 100644
  	ftp_run_ftpdctl($1, $2)
  ')
 diff --git a/ftp.te b/ftp.te
-index 36838c2..a09e8b2 100644
+index 36838c2..a422d04 100644
 --- a/ftp.te
 +++ b/ftp.te
 @@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
@@ -29152,7 +29179,22 @@ index 36838c2..a09e8b2 100644
  
  ## <desc>
  ##	<p>
-@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t)
+@@ -50,14 +57,6 @@ gen_tunable(ftpd_connect_db, false)
+ 
+ ## <desc>
+ ##	<p>
+-##	Determine whether ftpd can bind to all
+-##	unreserved ports for passive mode.
+-##	</p>
+-##	</desc>
+-gen_tunable(ftpd_use_passive_mode, false)
+-
+-## <desc>
+-##	<p>
+ ##	Determine whether ftpd can connect to
+ ##	all unreserved ports.
+ ##	</p>
+@@ -124,6 +123,9 @@ files_config_file(ftpd_etc_t)
  type ftpd_initrc_exec_t;
  init_script_file(ftpd_initrc_exec_t)
  
@@ -29162,7 +29204,7 @@ index 36838c2..a09e8b2 100644
  type ftpd_keytab_t;
  files_type(ftpd_keytab_t)
  
-@@ -184,6 +194,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
+@@ -184,6 +186,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
  allow ftpd_t ftpd_lock_t:file manage_file_perms;
  files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
  
@@ -29172,7 +29214,7 @@ index 36838c2..a09e8b2 100644
  manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
  manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
  manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -198,22 +211,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
+@@ -198,22 +203,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
  
  allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
  
@@ -29199,7 +29241,7 @@ index 36838c2..a09e8b2 100644
  corenet_all_recvfrom_netlabel(ftpd_t)
  corenet_tcp_sendrecv_generic_if(ftpd_t)
  corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -229,9 +239,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
+@@ -229,9 +231,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
  corenet_sendrecv_ftp_data_server_packets(ftpd_t)
  corenet_tcp_bind_ftp_data_port(ftpd_t)
  
@@ -29213,7 +29255,7 @@ index 36838c2..a09e8b2 100644
  files_read_etc_runtime_files(ftpd_t)
  files_search_var_lib(ftpd_t)
  
-@@ -250,7 +263,6 @@ logging_send_audit_msgs(ftpd_t)
+@@ -250,7 +255,6 @@ logging_send_audit_msgs(ftpd_t)
  logging_send_syslog_msg(ftpd_t)
  logging_set_loginuid(ftpd_t)
  
@@ -29221,7 +29263,7 @@ index 36838c2..a09e8b2 100644
  miscfiles_read_public_files(ftpd_t)
  
  seutil_dontaudit_search_config(ftpd_t)
-@@ -259,32 +271,50 @@ sysnet_use_ldap(ftpd_t)
+@@ -259,37 +263,47 @@ sysnet_use_ldap(ftpd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
  userdom_dontaudit_search_user_home_dirs(ftpd_t)
@@ -29268,18 +29310,18 @@ index 36838c2..a09e8b2 100644
 -	files_manage_non_auth_files(ftpd_t)
 +	files_manage_non_security_dirs(ftpd_t)
 +	files_manage_non_security_files(ftpd_t)
-+')
-+
-+tunable_policy(`ftpd_use_passive_mode',`
-+	corenet_tcp_bind_all_unreserved_ports(ftpd_t)
-+')
+ ')
+ 
+-tunable_policy(`ftpd_use_passive_mode',`
+-	corenet_sendrecv_all_server_packets(ftpd_t)
+-	corenet_tcp_bind_all_unreserved_ports(ftpd_t)
 +
 +tunable_policy(`ftpd_connect_all_unreserved',`
 +	corenet_tcp_connect_all_unreserved_ports(ftpd_t)
  ')
  
- tunable_policy(`ftpd_use_passive_mode',`
-@@ -304,22 +334,19 @@ tunable_policy(`ftpd_connect_db',`
+ tunable_policy(`ftpd_connect_all_unreserved',`
+@@ -304,22 +318,19 @@ tunable_policy(`ftpd_connect_db',`
  	corenet_sendrecv_mssql_client_packets(ftpd_t)
  	corenet_tcp_connect_mssql_port(ftpd_t)
  	corenet_tcp_sendrecv_mssql_port(ftpd_t)
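Review bot: The three added lines open a ``tunable_policy(`ftpd_connect_all_unreserved',` `` block holding `corenet_tcp_connect_all_unreserved_ports(ftpd_t)` immediately before the upstream block with the same condition (the last context line of the hunk), which presumably already carries that connect rule; unless the upstream body differs, the addition is redundant and only the removal of the passive-mode block is needed. Dropping `corenet_tcp_bind_all_unreserved_ports(ftpd_t)` is justified in the changelog by ephemeral port handling, but no ephemeral-port bind rule for ftpd_t is visible here, so confirm one exists elsewhere or passive-mode data connections will be denied, and record it with a comment such as `# passive-mode data ports: covered by the ephemeral port rule, not a boolean`. Note also that an existing `setsebool -P ftpd_use_passive_mode` setting on upgraded hosts will now refer to an undefined boolean. The ftpd_t rules continue outside the hunk.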
@@ -29307,7 +29349,7 @@ index 36838c2..a09e8b2 100644
  	userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
  ')
  
-@@ -363,9 +390,8 @@ optional_policy(`
+@@ -363,9 +374,8 @@ optional_policy(`
  
  optional_policy(`
  	selinux_validate_context(ftpd_t)
@@ -29318,7 +29360,7 @@ index 36838c2..a09e8b2 100644
  	kerberos_use(ftpd_t)
  ')
  
-@@ -416,21 +442,20 @@ optional_policy(`
+@@ -416,21 +426,20 @@ optional_policy(`
  #
  
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -29342,7 +29384,7 @@ index 36838c2..a09e8b2 100644
  
  miscfiles_read_public_files(anon_sftpd_t)
  
-@@ -443,23 +468,34 @@ tunable_policy(`sftpd_anon_write',`
+@@ -443,23 +452,34 @@ tunable_policy(`sftpd_anon_write',`
  # Sftpd local policy
  #
  
@@ -29383,7 +29425,7 @@ index 36838c2..a09e8b2 100644
  ')
  
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -481,21 +517,11 @@ tunable_policy(`sftpd_anon_write',`
+@@ -481,21 +501,11 @@ tunable_policy(`sftpd_anon_write',`
  tunable_policy(`sftpd_full_access',`
  	allow sftpd_t self:capability { dac_override dac_read_search };
  	fs_read_noxattr_fs_files(sftpd_t)
@@ -30816,10 +30858,10 @@ index 0000000..8c8c6c9
 +/var/run/glusterd.*	-s	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 diff --git a/glusterd.if b/glusterd.if
 new file mode 100644
-index 0000000..1ed97fe
+index 0000000..07b266a
 --- /dev/null
 +++ b/glusterd.if
-@@ -0,0 +1,150 @@
+@@ -0,0 +1,170 @@
 +
 +## <summary>policy for glusterd</summary>
 +
@@ -30923,6 +30965,26 @@ index 0000000..1ed97fe
 +	manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
 +')
 +
++######################################
++## <summary>
++##  Allow the specified domain to execute gluster's lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`gluster_execute_lib',`
++    gen_require(`
++        type glusterd_var_lib_t;
++    ')
++
++    files_list_var_lib($1)
++    allow $1 glusterd_var_lib_t:dir search_dir_perms;
++    can_exec($1, glusterd_var_lib_t)
++')
++
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
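Review bot: `can_exec($1, glusterd_var_lib_t)` lets the caller execute files out of a type that is presumably glusterd's writable state under /var/lib, so any domain able to write that type can plant code the caller will run; if the files in question are glusterd's hook scripts, a dedicated exec type for them (labelled via glusterd.fc) would keep the writable and executable sets disjoint, and at minimum the summary should say what is being granted, e.g. `## Execute files labelled glusterd_var_lib_t (glusterd state dir); this grants exec on a writable type.` The body is indented with four spaces while the surrounding interfaces in this file use tabs. The spec changelog calls this interface `gluster_exec_lib`, which does not match `gluster_execute_lib` as defined here.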
@@ -30972,10 +31034,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..fbc6a67
+index 0000000..9040220
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,201 @@
+@@ -0,0 +1,205 @@
 +policy_module(glusterfs, 1.1.2)
 +
 +## <desc>
@@ -31166,6 +31228,10 @@ index 0000000..fbc6a67
 +')
 +
 +optional_policy(`
++    gluster_execute_lib(glusterd_t)
++')
++
++optional_policy(`
 +    rpc_domtrans_rpcd(glusterd_t)
 +    rpc_kill_rpcd(glusterd_t)
 +')
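Review bot: `gluster_execute_lib(glusterd_t)` is the module's own interface called from its own .te file, so the `optional_policy` wrapper is a no-op: the interface is always present whenever glusterd.te is. The conventional form is a direct rule in the local policy section, `can_exec(glusterd_t, glusterd_var_lib_t)`, preceded by a comment such as `# BZ 1198406: glusterd executes scripts kept under its own /var/lib state directory` so the next reader knows the daemon deliberately runs code from a type it can write. The glusterd_t rule body continues outside the hunk.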
@@ -37092,7 +37158,7 @@ index ca020fa..5f1a035 100644
  optional_policy(`
  	tgtd_manage_semaphores(iscsid_t)
 diff --git a/isns.te b/isns.te
-index bc11034..107ed2f 100644
+index bc11034..81253f4 100644
 --- a/isns.te
 +++ b/isns.te
 @@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
@@ -37103,15 +37169,18 @@ index bc11034..107ed2f 100644
  allow isnsd_t self:udp_socket { accept listen };
  allow isnsd_t self:unix_stream_socket { accept listen };
  
-@@ -46,8 +47,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
+@@ -46,10 +47,7 @@ corenet_tcp_bind_generic_node(isnsd_t)
  corenet_sendrecv_isns_server_packets(isnsd_t)
  corenet_tcp_bind_isns_port(isnsd_t)
  
 -files_read_etc_files(isnsd_t)
--
++auth_use_nsswitch(isnsd_t)
+ 
  logging_send_syslog_msg(isnsd_t)
  
- miscfiles_read_localization(isnsd_t)
+-miscfiles_read_localization(isnsd_t)
+-
+-sysnet_dns_name_resolve(isnsd_t)
 diff --git a/jabber.fc b/jabber.fc
 index 59ad3b3..bd02cc8 100644
 --- a/jabber.fc
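Review bot: `auth_use_nsswitch(isnsd_t)` is considerably broader than the `sysnet_dns_name_resolve(isnsd_t)` it replaces: in refpolicy it puts the domain on the nsswitch_domain attribute, which carries LDAP, SSSD/nscd and certificate client access on top of DNS, so an iSNS server that only needed name resolution now gains general name-service client rules. If a denial showed isnsd doing real NSS lookups, a comment above the line citing it (`# isnsd performs NSS lookups, see <bug/denial>`) would justify the wider grant. Removing `miscfiles_read_localization(isnsd_t)` is only safe if localization reads are granted to every domain in this build, which is not visible here.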
@@ -41524,10 +41593,10 @@ index 1664036..51dd14f 100644
 -	unconfined_domtrans(kudzu_t)
 -')
 diff --git a/l2tp.fc b/l2tp.fc
-index d5d1572..82267a7 100644
+index d5d1572..ddc6ef2 100644
 --- a/l2tp.fc
 +++ b/l2tp.fc
-@@ -5,6 +5,7 @@
+@@ -5,7 +5,9 @@
  /etc/sysconfig/.*l2tpd	--	gen_context(system_u:object_r:l2tp_conf_t,s0)
  
  /usr/sbin/.*l2tpd	--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
@@ -41535,6 +41604,8 @@ index d5d1572..82267a7 100644
  
  /var/run/.*l2tpd(/.*)?	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
  /var/run/prol2tpd\.ctl	-s	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
+ /var/run/.*l2tpd\.pid	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/*.xl2tpd.*	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
 diff --git a/l2tp.if b/l2tp.if
 index 73e2803..34ca3aa 100644
 --- a/l2tp.if
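Review bot: The added entry `/var/run/*.xl2tpd.*` is a regular expression, not a shell glob: `/*` means zero or more slashes and the unescaped `.` matches any single character, so it matches `/var/run/xl2tpd.pid` only because the `.` can stand for the slash, and it equally matches `/var/runxl2tpd` or `/var/run/Qxl2tpd`. The two entries above it already cover `/var/run/<anything>l2tpd/...` (any class) and `/var/run/<anything>l2tpd.pid`, so whichever file this was added for should be named precisely, e.g. `/var/run/xl2tpd\.[^/]+	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)`, and the `--` class restriction checked against the actual object (a socket or FIFO would need `-s` or `-p`).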
@@ -41765,7 +41836,7 @@ index 73e2803..34ca3aa 100644
  	role_transition $2 l2tpd_initrc_exec_t system_r;
  	allow $2 system_r;
 diff --git a/l2tp.te b/l2tp.te
-index bb06a7f..5546de2 100644
+index bb06a7f..01e784b 100644
 --- a/l2tp.te
 +++ b/l2tp.te
 @@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
@@ -41827,7 +41898,7 @@ index bb06a7f..5546de2 100644
 +')
 +
 +optional_policy(`
-+	networkmanager_read_pid_files(l2tpd_t)
++	networkmanager_manage_pid_files(l2tpd_t)
 +')
 +
 +optional_policy(`
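Review bot: Moving from `networkmanager_read_pid_files` to `networkmanager_manage_pid_files(l2tpd_t)` lets l2tpd_t create, write, rename and delete anything under NetworkManager's run directory rather than the one file it presumably needs, and the changelog gives no bug reference for it; a comment stating which file is written, e.g. `# xl2tpd started by NetworkManager writes its state file under NM's run dir`, would record the justification. If a single file is involved, a narrower rule (create/write on that file plus a named file transition) would limit what a compromised l2tpd could do to NetworkManager's runtime state. The surrounding optional_policy blocks continue outside the hunk.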
@@ -51967,10 +52038,10 @@ index ff1d68c..86d8c9b 100644
 +
 +
 diff --git a/munin.fc b/munin.fc
-index eb4b72a..af28bb5 100644
+index eb4b72a..4ea6ce7 100644
 --- a/munin.fc
 +++ b/munin.fc
-@@ -1,77 +1,79 @@
+@@ -1,77 +1,78 @@
 -/etc/munin(/.*)?	gen_context(system_u:object_r:munin_etc_t,s0)
 -
 +/etc/munin(/.*)?			gen_context(system_u:object_r:munin_etc_t,s0)
@@ -52077,7 +52148,7 @@ index eb4b72a..af28bb5 100644
  /usr/share/munin/plugins/unbound	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/uptime	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/users	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/yum	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/yum	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  
 -/var/lib/munin(/.*)?	gen_context(system_u:object_r:munin_var_lib_t,s0)
 +/var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
@@ -53191,7 +53262,7 @@ index 687af38..5381f1b 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 7584bbe..e14423d 100644
+index 7584bbe..a110a1a 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
@@ -53418,7 +53489,7 @@ index 7584bbe..e14423d 100644
  logging_send_syslog_msg(mysqld_safe_t)
  
 -miscfiles_read_localization(mysqld_safe_t)
-+auth_read_passwd(mysqld_safe_t)
++auth_use_nsswitch(mysqld_safe_t)
 +
 +domain_dontaudit_signull_all_domains(mysqld_safe_t)
  
@@ -92290,7 +92361,7 @@ index 98c9e0a..562666e 100644
  	files_search_pids($1)
  	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 299756b..2b642a3 100644
+index 299756b..1a69cf7 100644
 --- a/sblim.te
 +++ b/sblim.te
 @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@@ -92376,8 +92447,12 @@ index 299756b..2b642a3 100644
  allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
  allow sblim_gatherd_t self:unix_stream_socket { accept listen };
  
-@@ -84,6 +97,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
+@@ -82,8 +95,12 @@ fs_search_cgroup_dirs(sblim_gatherd_t)
+ storage_raw_read_fixed_disk(sblim_gatherd_t)
+ storage_raw_read_removable_device(sblim_gatherd_t)
  
++auth_use_nsswitch(sblim_gatherd_t)
++
  init_read_utmp(sblim_gatherd_t)
  
 +logging_send_syslog_msg(sblim_gatherd_t)
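Review bot: `auth_use_nsswitch(sblim_gatherd_t)` is added while `sysnet_dns_name_resolve(sblim_gatherd_t)` is kept two lines further down (the first context line of the next hunk); in refpolicy the nsswitch_domain attribute already carries DNS resolution, and this same commit removes `sysnet_dns_name_resolve` from isns.te when adding `auth_use_nsswitch` there, so for consistency drop the standalone line here as well. The sblim_gatherd_t rule body continues outside the hunk.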
@@ -92385,7 +92460,7 @@ index 299756b..2b642a3 100644
  sysnet_dns_name_resolve(sblim_gatherd_t)
  
  term_getattr_pty_fs(sblim_gatherd_t)
-@@ -103,8 +118,9 @@ optional_policy(`
+@@ -103,8 +120,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -92396,7 +92471,7 @@ index 299756b..2b642a3 100644
  ')
  
  optional_policy(`
-@@ -117,6 +133,59 @@ optional_policy(`
+@@ -117,6 +135,59 @@ optional_policy(`
  # Reposd local policy
  #
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 082f1f9..bf4b338 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 114%{?dist}
+Release: 115%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,27 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Mar 05 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-115
+- Allow glusterd_t exec glusterd_var_lib_t files. BZ(1198406)
+- Add gluster_exec_lib interface.
+- Allow l2tpd to manage NetworkManager pid files
+- Allow firewalld_t relabelfrom firewalld_rw_etc_t. BZ(1195327)
+- Allow cyrus bind tcp berknet port. BZ(1198347)
+- Add nsswitch domain for more serviecs.
+- Allow abrt_dump_oops_t read /etc/passwd file. BZ(1197190)
+- Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling.
+- Make munin yum plugin as unconfined by default.
+- Allow bitlbee connections to the system DBUS.
+- Allow system apache scripts to send log messages.
+- Allow denyhosts execute iptables. BZ(1197371)
+- Allow brltty rw event device. BZ(1190349)
+- Allow cupsd config to execute ldconfig. BZ(1196608)
+- xdm_t now needs to manage user ttys
+- Allow ping_t read urand. BZ(1181831)
+- Add support for tcp/2005 port.
+- Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile.
+- In F23 we are running xserver as the user, need this to allow confined users to us X
+
 * Mon Feb 25 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-114
 - Fix source filepath for moving html files.
 

