Merge upstream

Changelog

@@ -1,3 +1,4 @@
+- Unconditional staff and user oidentd home config access from Dominick Grift.
 - Conditional mmap_zero support from Dominick Grift.
 - Added devtmpfs support.
 - Dbadm updates from KaiGai Kohei.

policy/modules/admin/certwatch.te

@@ -1,4 +1,4 @@
-policy_module(certwatch, 1.5.1)
+policy_module(certwatch, 1.5.2)
 
 ########################################
 #

policy/modules/admin/firstboot.te

@@ -1,4 +1,4 @@
-policy_module(firstboot, 1.11.1)
+policy_module(firstboot, 1.11.2)
 
 gen_require(`
 	class passwd rootok;

policy/modules/admin/smoltclient.te

@@ -1,4 +1,4 @@
-policy_module(smoltclient,1.0.0)
+policy_module(smoltclient, 1.0.1)
 
 ########################################
 #
@@ -18,7 +18,7 @@ files_tmp_file(smoltclient_tmp_t)
 # Local policy
 #
 
-allow smoltclient_t self:process { setsched getsched }; 
+allow smoltclient_t self:process { setsched getsched };
 
 allow smoltclient_t self:fifo_file rw_fifo_file_perms;
 allow smoltclient_t self:tcp_socket create_socket_perms;

policy/modules/apps/awstats.te

@@ -1,4 +1,4 @@
-policy_module(awstats, 1.2.0)
+policy_module(awstats, 1.2.1)
 
 ########################################
 #

policy/modules/roles/staff.te

@@ -1,4 +1,4 @@
-policy_module(staff, 2.1.1)
+policy_module(staff, 2.1.2)
 
 ########################################
 #
@@ -52,10 +52,6 @@ optional_policy(`
 	apache_role(staff_r, staff_t)
 ')
 
-optional_policy(`
-	mozilla_run_plugin(staff_t, staff_r)
-')
-
 optional_policy(`
 	auditadm_role_change(staff_r)
 ')
@@ -64,16 +60,33 @@ optional_policy(`
 	dbadm_role_change(staff_r)
 ')
 
+optional_policy(`
+	accountsd_dbus_chat(staff_t)
+	accountsd_read_lib_files(staff_t)
+')
+
+optional_policy(`
+	gnomeclock_dbus_chat(staff_t)
+')
+
+optional_policy(`
+	firewallgui_dbus_chat(staff_t)
+')
+
+optional_policy(`
+	lpd_list_spool(staff_t)
+')
+
+optional_policy(`
+	kerneloops_dbus_chat(staff_t)
+')
+
 optional_policy(`
 	logadm_role_change(staff_r)
 ')
 
 optional_policy(`
-	webadm_role_change(staff_r)
+	mozilla_run_plugin(staff_t, staff_r)
-')
-
-optional_policy(`
-	kerneloops_manage_tmp_files(staff_t)
 ')
 
 optional_policy(`
@@ -85,22 +98,36 @@ optional_policy(`
 	postgresql_role(staff_r, staff_t)
 ')
 
-optional_policy(`
-	secadm_role_change(staff_r)
-')
-
-optional_policy(`
-	unconfined_role_change(staff_r)
-')
-
 optional_policy(`
 	rtkit_scheduled(staff_t)
 ')
 
+optional_policy(`
+	rpm_dbus_chat(staff_usertype)
+')
+
+optional_policy(`
+	secadm_role_change(staff_r)
+')
+
+optional_policy(`
+	sandbox_transition(staff_t, staff_r)
+')
+
 optional_policy(`
 	screen_role_template(staff, staff_r, staff_t)
 ')
 
+optional_policy(`
+	sysadm_role_change(staff_r)
+	userdom_dontaudit_use_user_terminals(staff_t)
+')
+optional_policy(`
+	setroubleshoot_stream_connect(staff_t)
+	setroubleshoot_dbus_chat(staff_t)
+	setroubleshoot_dbus_chat_fixit(staff_t)
+')
+
 optional_policy(`
 	ssh_role_template(staff, staff_r, staff_t)
 ')
@@ -110,12 +137,23 @@ optional_policy(`
 ')
 
 optional_policy(`
-	sysadm_role_change(staff_r)
+	telepathy_dbus_session_role(staff_r, staff_t)
-	userdom_dontaudit_use_user_terminals(staff_t)
 ')
 
 optional_policy(`
-	telepathy_dbus_session_role(staff_r, staff_t)
+	userhelper_console_role_template(staff, staff_r, staff_usertype)
+')
+
+optional_policy(`
+	unconfined_role_change(staff_r)
+')
+
+optional_policy(`
+	virt_stream_connect(staff_t)
+')
+
+optional_policy(`
+	webadm_role_change(staff_r)
 ')
 
 optional_policy(`
@@ -235,46 +273,3 @@ ifndef(`distro_redhat',`
 		wireshark_role(staff_r, staff_t)
 	')
 ')
-
-optional_policy(`
-	accountsd_dbus_chat(staff_t)
-	accountsd_read_lib_files(staff_t)
-')
-
-optional_policy(`
-	gnomeclock_dbus_chat(staff_t)
-')
-
-optional_policy(`
-	firewallgui_dbus_chat(staff_t)
-')
-
-optional_policy(`
-	lpd_list_spool(staff_t)
-')
-
-optional_policy(`
-	kerneloops_dbus_chat(staff_t)
-')
-
-optional_policy(`
-	rpm_dbus_chat(staff_usertype)
-')
-
-optional_policy(`
-	sandbox_transition(staff_t, staff_r)
-')
-
-optional_policy(`
-	setroubleshoot_stream_connect(staff_t)
-	setroubleshoot_dbus_chat(staff_t)
-	setroubleshoot_dbus_chat_fixit(staff_t)
-')
-
-optional_policy(`
-	virt_stream_connect(staff_t)
-')
-
-optional_policy(`
-	userhelper_console_role_template(staff, staff_r, staff_usertype)
-')

policy/modules/roles/unprivuser.te

@@ -1,4 +1,4 @@
-policy_module(unprivuser, 2.1.1)
+policy_module(unprivuser, 2.1.2)
 
 # this module should be named user, but that is
 # a compile error since user is a keyword.
@@ -18,6 +18,11 @@ optional_policy(`
 	apache_role(user_r, user_t)
 ')
 
+optional_policy(`
+	oident_manage_user_content(user_t)
+	oident_relabel_user_content(user_t)
+')
+
 optional_policy(`
 	mozilla_run_plugin(user_t, user_r)
 ')
@@ -39,11 +44,11 @@ optional_policy(`
 ')
 
 optional_policy(`
-	telepathy_dbus_session_role(user_r, user_t)
+	setroubleshoot_dontaudit_stream_connect(user_t)
 ')
 
 optional_policy(`
-	setroubleshoot_dontaudit_stream_connect(user_t)
+	telepathy_dbus_session_role(user_r, user_t)
 ')
 
 optional_policy(`
@@ -53,7 +58,7 @@ optional_policy(`
 ifndef(`distro_redhat',`
 	optional_policy(`
 		auth_role(user_r, user_t)
-	')		
+	')
 
 	optional_policy(`
 		bluetooth_role(user_r, user_t)
@@ -70,7 +75,7 @@ ifndef(`distro_redhat',`
 	optional_policy(`
 		dbus_role_template(user, user_r, user_t)
 	')
-		
+
 	optional_policy(`
 		evolution_role(user_r, user_t)
 	')
@@ -119,11 +124,6 @@ ifndef(`distro_redhat',`
 		mta_role(user_r, user_t)
 	')
 
-	optional_policy(`
-		oident_manage_user_content(user_t)
-		oident_relabel_user_content(user_t)
-	')
-	
 	optional_policy(`
 		postgresql_role(user_r, user_t)
 	')

policy/modules/services/amavis.if

@@ -208,7 +208,7 @@ interface(`amavis_create_pid_files',`
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate 
+##	All of the rules required to administrate
 ##	an amavis environment
 ## </summary>
 ## <param name="domain">

policy/modules/services/amavis.te

@@ -95,7 +95,7 @@ logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
 manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
 manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
 manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
-files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file dir })
+files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file })
 
 kernel_read_kernel_sysctls(amavis_t)
 # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...

policy/modules/services/arpwatch.te

@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.9.0)
+policy_module(arpwatch, 1.9.1)
 
 ########################################
 #

policy/modules/services/canna.te

@@ -1,4 +1,4 @@
-policy_module(canna, 1.10.0)
+policy_module(canna, 1.10.1)
 
 ########################################
 #

policy/modules/services/certmaster.if

@@ -20,7 +20,7 @@ interface(`certmaster_domtrans',`
 
 ####################################
 ## <summary>
-##	Execute certmaster.
+##	Execute certmaster in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -98,7 +98,7 @@ interface(`certmaster_manage_log',`
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate 
+##	All of the rules required to administrate
 ##	an snort environment
 ## </summary>
 ## <param name="domain">

policy/modules/services/certmaster.te

@@ -1,4 +1,4 @@
-policy_module(certmaster, 1.1.1)
+policy_module(certmaster, 1.1.2)
 
 ########################################
 #

policy/modules/services/certmonger.te

@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.0.0)
+policy_module(certmonger, 1.0.1)
 
 ########################################
 #

policy/modules/services/courier.if

@@ -42,6 +42,7 @@ template(`courier_domain_template',`
 	manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
 	manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
 	manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
+	files_search_pids(courier_$1_t)
 	files_pid_filetrans(courier_$1_t, courier_var_run_t, dir)
 
 	kernel_read_system_state(courier_$1_t)

policy/modules/services/courier.te

@@ -1,4 +1,4 @@
-policy_module(courier, 1.9.0)
+policy_module(courier, 1.9.1)
 
 ########################################
 #

policy/modules/services/dcc.te

@@ -1,4 +1,4 @@
-policy_module(dcc, 1.9.0)
+policy_module(dcc, 1.9.1)
 
 ########################################
 #
@@ -233,7 +233,7 @@ files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
 
 manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
 manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
-files_pid_filetrans(dccd_t, dccd_var_run_t, { file dir })
+files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
 
 kernel_read_system_state(dccd_t)
 kernel_read_kernel_sysctls(dccd_t)

policy/modules/services/djbdns.te

@@ -1,4 +1,4 @@
-policy_module(djbdns, 1.4.0)
+policy_module(djbdns, 1.4.1)
 
 ########################################
 #
@@ -7,10 +7,11 @@ policy_module(djbdns, 1.4.0)
 
 type djbdns_axfrdns_t;
 type djbdns_axfrdns_exec_t;
-type djbdns_axfrdns_conf_t;
 domain_type(djbdns_axfrdns_t)
 domain_entry_file(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
 role system_r types djbdns_axfrdns_t;
+
+type djbdns_axfrdns_conf_t;
 files_config_file(djbdns_axfrdns_conf_t)
 
 djbdns_daemontools_domain_template(dnscache)

policy/modules/services/fetchmail.te

@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.10.0)
+policy_module(fetchmail, 1.10.1)
 
 ########################################
 #

policy/modules/services/icecast.te

@@ -1,4 +1,4 @@
-policy_module(icecast, 1.0.0)
+policy_module(icecast, 1.0.1)
 
 ########################################
 #

policy/modules/services/nslcd.te

@@ -1,4 +1,4 @@
-policy_module(nslcd, 1.1.0)
+policy_module(nslcd, 1.1.1)
 
 ########################################
 #

policy/modules/services/nut.te

@@ -1,4 +1,4 @@
-policy_module(nut, 1.1.0)
+policy_module(nut, 1.1.1)
 
 ########################################
 #
@@ -41,7 +41,7 @@ read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
 manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
 manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
 manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file dir })
+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
 
 kernel_read_kernel_sysctls(nut_upsd_t)
 

policy/modules/services/openct.te

@@ -1,4 +1,4 @@
-policy_module(openct, 1.4.0)
+policy_module(openct, 1.4.1)
 
 ########################################
 #
@@ -23,7 +23,7 @@ allow openct_t self:process signal_perms;
 manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t)
 manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
 manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
-files_pid_filetrans(openct_t, openct_var_run_t, { file sock_file dir })
+files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
 
 kernel_read_kernel_sysctls(openct_t)
 kernel_list_proc(openct_t)

policy/modules/services/pcscd.te

@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.6.0)
+policy_module(pcscd, 1.6.1)
 
 ########################################
 #
@@ -44,7 +44,6 @@ corenet_tcp_connect_http_port(pcscd_t)
 dev_rw_generic_usb_dev(pcscd_t)
 dev_rw_smartcard(pcscd_t)
 dev_rw_usbfs(pcscd_t)
-dev_list_sysfs(pcscd_t)
 dev_read_sysfs(pcscd_t)
 
 files_read_etc_files(pcscd_t)

policy/modules/services/postgresql.te

@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.11.0)
+policy_module(postgresql, 1.11.1)
 
 gen_require(`
 	class db_database all_db_database_perms;
@@ -205,7 +205,7 @@ fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file
 manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
 manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
 manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
-files_pid_filetrans(postgresql_t, postgresql_var_run_t, { file dir })
+files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
 
 kernel_read_kernel_sysctls(postgresql_t)
 kernel_read_system_state(postgresql_t)
@@ -352,7 +352,6 @@ allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
 # Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
 dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
 
-
 ########################################
 #
 # Rules common to administrator clients

policy/modules/services/postgrey.te

@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.7.0)
+policy_module(postgrey, 1.7.1)
 
 ########################################
 #
@@ -50,7 +50,7 @@ files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
 manage_dirs_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
 manage_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
 manage_sock_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
-files_pid_filetrans(postgrey_t, postgrey_var_run_t, { file sock_file dir })
+files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
 
 kernel_read_system_state(postgrey_t)
 kernel_read_kernel_sysctls(postgrey_t)

policy/modules/services/prelude.te

@@ -1,4 +1,4 @@
-policy_module(prelude, 1.2.0)
+policy_module(prelude, 1.2.1)
 
 ########################################
 #

policy/modules/services/radvd.te

@@ -1,4 +1,4 @@
-policy_module(radvd, 1.12.0)
+policy_module(radvd, 1.12.1)
 
 ########################################
 #
@@ -35,7 +35,7 @@ allow radvd_t radvd_etc_t:file read_file_perms;
 
 manage_dirs_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t)
 manage_files_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t)
-files_pid_filetrans(radvd_t, radvd_var_run_t, { file dir })
+files_pid_filetrans(radvd_t, radvd_var_run_t, { dir file })
 
 kernel_read_kernel_sysctls(radvd_t)
 kernel_rw_net_sysctls(radvd_t)

policy/modules/services/snort.te

@@ -1,4 +1,4 @@
-policy_module(snort, 1.9.0)
+policy_module(snort, 1.9.1)
 
 ########################################
 #

policy/modules/services/stunnel.te

@@ -1,4 +1,4 @@
-policy_module(stunnel, 1.9.0)
+policy_module(stunnel, 1.9.1)
 
 ########################################
 #
@@ -48,7 +48,7 @@ files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
 
 manage_dirs_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t)
 manage_files_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t)
-files_pid_filetrans(stunnel_t, stunnel_var_run_t, { file dir })
+files_pid_filetrans(stunnel_t, stunnel_var_run_t, { dir file })
 
 kernel_read_kernel_sysctls(stunnel_t)
 kernel_read_system_state(stunnel_t)

policy/modules/services/zabbix.te

@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.2.0)
+policy_module(zabbix, 1.2.1)
 
 ########################################
 #
@@ -37,7 +37,7 @@ logging_log_filetrans(zabbix_t, zabbix_log_t, file)
 # pid file
 manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
 manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
-files_pid_filetrans(zabbix_t, zabbix_var_run_t, { file dir })
+files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
 
 files_read_etc_files(zabbix_t)
 

policy/modules/services/zebra.te

@@ -1,4 +1,4 @@
-policy_module(zebra, 1.11.0)
+policy_module(zebra, 1.11.1)
 
 ########################################
 #
@@ -64,7 +64,7 @@ files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
 manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
 manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
 manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
-files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file dir })
+files_pid_filetrans(zebra_t, zebra_var_run_t, { dir file sock_file })
 
 kernel_read_system_state(zebra_t)
 kernel_read_network_state(zebra_t)