- Add labeling for /usr/share/pki

- Allow programs that read var_run_t symlinks also read var_t symlinks
- Add additional ports as mongod_port_t for  27018, 27019, 28017, 28018 and 28019
- Fix labeling for /etc/dhcp directory
- add missing systemd_stub_unit_file() interface
- Add files_stub_var() interface
- Add lables for cert_t directories
- Make localectl set-x11-keymap working at all
- Allow abrt to manage mock build environments to catch build problems.
- Allow virt_domains to setsched for running gdb on itself
- Allow thumb_t to execute user home content
- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000
- Allow certwatch to execut /usr/bin/httpd
- Allow cgred to send signal perms to itself, needs back port to RHEL6
- Allow openshift_cron_t to look at quota
- Allow cups_t to read inhered tmpfs_t from the kernel
- Allow yppasswdd to use NIS
- Tuned wants sys_rawio capability
- Add ftpd_use_fusefs boolean
- Allow dirsrvadmin_t to signal itself
This commit is contained in:
Miroslav Grepl 2013-03-27 13:13:37 +01:00
parent 43a40ee0c7
commit 30fc9edc15
3 changed files with 476 additions and 371 deletions

File diff suppressed because it is too large Load Diff

View File

@ -516,7 +516,7 @@ index 058d908..702b716 100644
+') +')
+ +
diff --git a/abrt.te b/abrt.te diff --git a/abrt.te b/abrt.te
index cc43d25..304203f 100644 index cc43d25..0842350 100644
--- a/abrt.te --- a/abrt.te
+++ b/abrt.te +++ b/abrt.te
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -935,7 +935,7 @@ index cc43d25..304203f 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
@@ -352,30 +406,37 @@ corecmd_exec_shell(abrt_retrace_worker_t) @@ -352,30 +406,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t)
@ -947,6 +947,7 @@ index cc43d25..304203f 100644
+optional_policy(` +optional_policy(`
+ mock_domtrans(abrt_retrace_worker_t) + mock_domtrans(abrt_retrace_worker_t)
+ mock_manage_lib_files(abrt_t)
+') +')
+ +
######################################## ########################################
@ -976,7 +977,7 @@ index cc43d25..304203f 100644
kernel_read_kernel_sysctls(abrt_dump_oops_t) kernel_read_kernel_sysctls(abrt_dump_oops_t)
kernel_read_ring_buffer(abrt_dump_oops_t) kernel_read_ring_buffer(abrt_dump_oops_t)
@@ -384,14 +445,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) @@ -384,14 +446,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
fs_list_inotifyfs(abrt_dump_oops_t) fs_list_inotifyfs(abrt_dump_oops_t)
logging_read_generic_logs(abrt_dump_oops_t) logging_read_generic_logs(abrt_dump_oops_t)
@ -994,7 +995,7 @@ index cc43d25..304203f 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
@@ -400,16 +462,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) @@ -400,16 +463,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t) corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t)
@ -9740,10 +9741,10 @@ index 2354e21..bec6c06 100644
+ ') + ')
+') +')
diff --git a/certwatch.te b/certwatch.te diff --git a/certwatch.te b/certwatch.te
index 403af41..7c0b1be 100644 index 403af41..68a5e26 100644
--- a/certwatch.te --- a/certwatch.te
+++ b/certwatch.te +++ b/certwatch.te
@@ -21,25 +21,26 @@ role certwatch_roles types certwatch_t; @@ -21,27 +21,29 @@ role certwatch_roles types certwatch_t;
allow certwatch_t self:capability sys_nice; allow certwatch_t self:capability sys_nice;
allow certwatch_t self:process { setsched getsched }; allow certwatch_t self:process { setsched getsched };
@ -9774,7 +9775,10 @@ index 403af41..7c0b1be 100644
+userdom_dontaudit_list_admin_dir(certwatch_t) +userdom_dontaudit_list_admin_dir(certwatch_t)
optional_policy(` optional_policy(`
+ apache_exec(certwatch_t)
apache_exec_modules(certwatch_t) apache_exec_modules(certwatch_t)
apache_read_config(certwatch_t)
')
diff --git a/cfengine.if b/cfengine.if diff --git a/cfengine.if b/cfengine.if
index a731122..5279d4e 100644 index a731122..5279d4e 100644
--- a/cfengine.if --- a/cfengine.if
@ -9933,7 +9937,7 @@ index 85ca63f..1d1c99c 100644
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1) files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te diff --git a/cgroup.te b/cgroup.te
index fdee107..eb7a3ac 100644 index fdee107..7a38b63 100644
--- a/cgroup.te --- a/cgroup.te
+++ b/cgroup.te +++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@ -9979,10 +9983,10 @@ index fdee107..eb7a3ac 100644
# #
# cgred local policy # cgred local policy
# #
+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
+allow cgred_t self:process signal_perms;
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
+
allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect }; allow cgred_t self:unix_dgram_socket { write create connect };
@ -16021,7 +16025,7 @@ index 06da9a0..ca832e1 100644
+ ps_process_pattern($1, cupsd_t) + ps_process_pattern($1, cupsd_t)
') ')
diff --git a/cups.te b/cups.te diff --git a/cups.te b/cups.te
index 9f34c2e..45fe9a0 100644 index 9f34c2e..3b03f21 100644
--- a/cups.te --- a/cups.te
+++ b/cups.te +++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@ -16243,7 +16247,7 @@ index 9f34c2e..45fe9a0 100644
files_exec_usr_files(cupsd_t) files_exec_usr_files(cupsd_t)
# for /var/lib/defoma # for /var/lib/defoma
files_read_var_lib_files(cupsd_t) files_read_var_lib_files(cupsd_t)
@@ -215,16 +246,16 @@ files_read_world_readable_files(cupsd_t) @@ -215,16 +246,17 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t) files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t) files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t) files_read_var_symlinks(cupsd_t)
@ -16259,10 +16263,11 @@ index 9f34c2e..45fe9a0 100644
fs_search_fusefs(cupsd_t) fs_search_fusefs(cupsd_t)
fs_read_anon_inodefs_files(cupsd_t) fs_read_anon_inodefs_files(cupsd_t)
+fs_rw_anon_inodefs_files(cupsd_t) +fs_rw_anon_inodefs_files(cupsd_t)
+fs_rw_inherited_tmpfs_files(cupsd_t)
mls_fd_use_all_levels(cupsd_t) mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t) mls_file_downgrade(cupsd_t)
@@ -235,6 +266,8 @@ mls_socket_write_all_levels(cupsd_t) @@ -235,6 +267,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t) term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t) term_use_unallocated_ttys(cupsd_t)
@ -16271,7 +16276,7 @@ index 9f34c2e..45fe9a0 100644
selinux_compute_access_vector(cupsd_t) selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t) selinux_validate_context(cupsd_t)
@@ -247,21 +280,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) @@ -247,21 +281,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t) auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t) auth_use_nsswitch(cupsd_t)
@ -16297,7 +16302,7 @@ index 9f34c2e..45fe9a0 100644
userdom_dontaudit_search_user_home_content(cupsd_t) userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(` optional_policy(`
@@ -275,6 +307,8 @@ optional_policy(` @@ -275,6 +308,8 @@ optional_policy(`
optional_policy(` optional_policy(`
dbus_system_bus_client(cupsd_t) dbus_system_bus_client(cupsd_t)
@ -16306,7 +16311,7 @@ index 9f34c2e..45fe9a0 100644
userdom_dbus_send_all_users(cupsd_t) userdom_dbus_send_all_users(cupsd_t)
optional_policy(` optional_policy(`
@@ -285,8 +319,10 @@ optional_policy(` @@ -285,8 +320,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t) hal_dbus_chat(cupsd_t)
') ')
@ -16317,7 +16322,7 @@ index 9f34c2e..45fe9a0 100644
') ')
') ')
@@ -299,8 +335,8 @@ optional_policy(` @@ -299,8 +336,8 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -16327,7 +16332,7 @@ index 9f34c2e..45fe9a0 100644
') ')
optional_policy(` optional_policy(`
@@ -309,7 +345,6 @@ optional_policy(` @@ -309,7 +346,6 @@ optional_policy(`
optional_policy(` optional_policy(`
lpd_exec_lpr(cupsd_t) lpd_exec_lpr(cupsd_t)
@ -16335,7 +16340,7 @@ index 9f34c2e..45fe9a0 100644
lpd_read_config(cupsd_t) lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t) lpd_relabel_spool(cupsd_t)
') ')
@@ -337,7 +372,7 @@ optional_policy(` @@ -337,7 +373,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -16344,7 +16349,7 @@ index 9f34c2e..45fe9a0 100644
') ')
######################################## ########################################
@@ -345,11 +380,9 @@ optional_policy(` @@ -345,11 +381,9 @@ optional_policy(`
# Configuration daemon local policy # Configuration daemon local policy
# #
@ -16358,7 +16363,7 @@ index 9f34c2e..45fe9a0 100644
allow cupsd_config_t cupsd_t:process signal; allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t) ps_process_pattern(cupsd_config_t, cupsd_t)
@@ -375,18 +408,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run @@ -375,18 +409,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@ -16378,7 +16383,7 @@ index 9f34c2e..45fe9a0 100644
corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t)
@@ -395,20 +425,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) @@ -395,20 +426,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t)
@ -16399,7 +16404,7 @@ index 9f34c2e..45fe9a0 100644
fs_search_auto_mountpoints(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t)
@@ -420,11 +442,6 @@ auth_use_nsswitch(cupsd_config_t) @@ -420,11 +443,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t)
@ -16411,7 +16416,7 @@ index 9f34c2e..45fe9a0 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t)
@@ -452,9 +469,12 @@ optional_policy(` @@ -452,9 +470,12 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -16425,7 +16430,7 @@ index 9f34c2e..45fe9a0 100644
') ')
optional_policy(` optional_policy(`
@@ -490,10 +510,6 @@ optional_policy(` @@ -490,10 +511,6 @@ optional_policy(`
# Lpd local policy # Lpd local policy
# #
@ -16436,7 +16441,7 @@ index 9f34c2e..45fe9a0 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
@@ -511,31 +527,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) @@ -511,31 +528,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t)
@ -16469,7 +16474,7 @@ index 9f34c2e..45fe9a0 100644
optional_policy(` optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
') ')
@@ -546,7 +553,6 @@ optional_policy(` @@ -546,7 +554,6 @@ optional_policy(`
# #
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@ -16477,7 +16482,7 @@ index 9f34c2e..45fe9a0 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
@@ -562,17 +568,8 @@ fs_search_auto_mountpoints(cups_pdf_t) @@ -562,17 +569,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t) kernel_read_system_state(cups_pdf_t)
@ -16495,7 +16500,7 @@ index 9f34c2e..45fe9a0 100644
userdom_manage_user_home_content_dirs(cups_pdf_t) userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t) userdom_manage_user_home_content_files(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t)
@@ -582,128 +579,12 @@ tunable_policy(`use_nfs_home_dirs',` @@ -582,128 +580,12 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(cups_pdf_t) fs_manage_nfs_files(cups_pdf_t)
') ')
@ -16626,7 +16631,7 @@ index 9f34c2e..45fe9a0 100644
######################################## ########################################
# #
@@ -731,7 +612,6 @@ kernel_read_kernel_sysctls(ptal_t) @@ -731,7 +613,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t) kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t) kernel_read_proc_symlinks(ptal_t)
@ -16634,7 +16639,7 @@ index 9f34c2e..45fe9a0 100644
corenet_all_recvfrom_netlabel(ptal_t) corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t)
@@ -741,13 +621,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) @@ -741,13 +622,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t)
@ -16648,7 +16653,7 @@ index 9f34c2e..45fe9a0 100644
files_read_etc_runtime_files(ptal_t) files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t) fs_getattr_all_fs(ptal_t)
@@ -755,8 +633,6 @@ fs_search_auto_mountpoints(ptal_t) @@ -755,8 +634,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t) logging_send_syslog_msg(ptal_t)
@ -19296,7 +19301,7 @@ index 0000000..332a1c9
+') +')
diff --git a/dirsrv-admin.te b/dirsrv-admin.te diff --git a/dirsrv-admin.te b/dirsrv-admin.te
new file mode 100644 new file mode 100644
index 0000000..a3d076f index 0000000..ab083cf
--- /dev/null --- /dev/null
+++ b/dirsrv-admin.te +++ b/dirsrv-admin.te
@@ -0,0 +1,144 @@ @@ -0,0 +1,144 @@
@ -19334,7 +19339,7 @@ index 0000000..a3d076f
+# +#
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms; +allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource }; +allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
+allow dirsrvadmin_t self:process setrlimit; +allow dirsrvadmin_t self:process { setrlimit signal_perms };
+ +
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) +manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) +manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
@ -23081,7 +23086,7 @@ index d062080..e098a40 100644
ftp_run_ftpdctl($1, $2) ftp_run_ftpdctl($1, $2)
') ')
diff --git a/ftp.te b/ftp.te diff --git a/ftp.te b/ftp.te
index e50f33c..2f7de33 100644 index e50f33c..5e6cdb8 100644
--- a/ftp.te --- a/ftp.te
+++ b/ftp.te +++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
@ -23102,16 +23107,23 @@ index e50f33c..2f7de33 100644
## <desc> ## <desc>
## <p> ## <p>
@@ -30,7 +30,7 @@ gen_tunable(allow_ftpd_full_access, false) @@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false)
## used for public file transfer services. ## used for public file transfer services.
## </p> ## </p>
## </desc> ## </desc>
-gen_tunable(allow_ftpd_use_cifs, false) -gen_tunable(allow_ftpd_use_cifs, false)
+gen_tunable(ftpd_use_cifs, false) +gen_tunable(ftpd_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow samba to export ntfs/fusefs volumes.
+## </p>
+## </desc>
+gen_tunable(ftpd_use_fusefs, false)
## <desc> ## <desc>
## <p> ## <p>
@@ -38,7 +38,7 @@ gen_tunable(allow_ftpd_use_cifs, false) @@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
## used for public file transfer services. ## used for public file transfer services.
## </p> ## </p>
## </desc> ## </desc>
@ -23120,7 +23132,7 @@ index e50f33c..2f7de33 100644
## <desc> ## <desc>
## <p> ## <p>
@@ -124,6 +124,9 @@ files_config_file(ftpd_etc_t) @@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t; type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t) init_script_file(ftpd_initrc_exec_t)
@ -23130,7 +23142,7 @@ index e50f33c..2f7de33 100644
type ftpd_lock_t; type ftpd_lock_t;
files_lock_file(ftpd_lock_t) files_lock_file(ftpd_lock_t)
@@ -179,6 +182,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms; @@ -179,6 +189,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms;
allow ftpd_t ftpd_lock_t:file manage_file_perms; allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file) files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
@ -23140,7 +23152,7 @@ index e50f33c..2f7de33 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
@@ -201,14 +207,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) @@ -201,14 +214,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
kernel_read_kernel_sysctls(ftpd_t) kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t) kernel_read_system_state(ftpd_t)
@ -23156,7 +23168,7 @@ index e50f33c..2f7de33 100644
corenet_all_recvfrom_netlabel(ftpd_t) corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t)
@@ -224,9 +229,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) @@ -224,9 +236,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t)
@ -23170,7 +23182,7 @@ index e50f33c..2f7de33 100644
files_read_etc_runtime_files(ftpd_t) files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t) files_search_var_lib(ftpd_t)
@@ -245,7 +253,6 @@ logging_send_audit_msgs(ftpd_t) @@ -245,7 +260,6 @@ logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t) logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t) logging_set_loginuid(ftpd_t)
@ -23178,7 +23190,7 @@ index e50f33c..2f7de33 100644
miscfiles_read_public_files(ftpd_t) miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t) seutil_dontaudit_search_config(ftpd_t)
@@ -254,32 +261,42 @@ sysnet_use_ldap(ftpd_t) @@ -254,32 +268,49 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t)
@ -23201,6 +23213,13 @@ index e50f33c..2f7de33 100644
') ')
-tunable_policy(`allow_ftpd_use_nfs',` -tunable_policy(`allow_ftpd_use_nfs',`
+tunable_policy(`ftpd_use_fusefs',`
+ fs_manage_fusefs_dirs(ftpd_t)
+ fs_manage_fusefs_files(ftpd_t)
+',`
+ fs_search_fusefs(ftpd_t)
+')
+
+tunable_policy(`ftpd_use_nfs',` +tunable_policy(`ftpd_use_nfs',`
fs_read_nfs_files(ftpd_t) fs_read_nfs_files(ftpd_t)
fs_read_nfs_symlinks(ftpd_t) fs_read_nfs_symlinks(ftpd_t)
@ -23228,7 +23247,7 @@ index e50f33c..2f7de33 100644
') ')
tunable_policy(`ftpd_use_passive_mode',` tunable_policy(`ftpd_use_passive_mode',`
@@ -299,9 +316,9 @@ tunable_policy(`ftpd_connect_db',` @@ -299,9 +330,9 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t)
@ -23241,7 +23260,7 @@ index e50f33c..2f7de33 100644
') ')
tunable_policy(`ftp_home_dir',` tunable_policy(`ftp_home_dir',`
@@ -309,12 +326,9 @@ tunable_policy(`ftp_home_dir',` @@ -309,12 +340,9 @@ tunable_policy(`ftp_home_dir',`
userdom_manage_user_home_content_dirs(ftpd_t) userdom_manage_user_home_content_dirs(ftpd_t)
userdom_manage_user_home_content_files(ftpd_t) userdom_manage_user_home_content_files(ftpd_t)
@ -23254,7 +23273,7 @@ index e50f33c..2f7de33 100644
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
') ')
@@ -360,7 +374,7 @@ optional_policy(` @@ -360,7 +388,7 @@ optional_policy(`
selinux_validate_context(ftpd_t) selinux_validate_context(ftpd_t)
kerberos_keytab_template(ftpd, ftpd_t) kerberos_keytab_template(ftpd, ftpd_t)
@ -23263,7 +23282,7 @@ index e50f33c..2f7de33 100644
') ')
optional_policy(` optional_policy(`
@@ -410,21 +424,20 @@ optional_policy(` @@ -410,21 +438,20 @@ optional_policy(`
# #
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@ -23287,7 +23306,7 @@ index e50f33c..2f7de33 100644
miscfiles_read_public_files(anon_sftpd_t) miscfiles_read_public_files(anon_sftpd_t)
@@ -437,23 +450,34 @@ tunable_policy(`sftpd_anon_write',` @@ -437,23 +464,34 @@ tunable_policy(`sftpd_anon_write',`
# Sftpd local policy # Sftpd local policy
# #
@ -23328,7 +23347,7 @@ index e50f33c..2f7de33 100644
') ')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
@@ -475,21 +499,11 @@ tunable_policy(`sftpd_anon_write',` @@ -475,21 +513,11 @@ tunable_policy(`sftpd_anon_write',`
tunable_policy(`sftpd_full_access',` tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search }; allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t) fs_read_noxattr_fs_files(sftpd_t)
@ -36788,7 +36807,7 @@ index 6194b80..648d041 100644
') ')
+ +
diff --git a/mozilla.te b/mozilla.te diff --git a/mozilla.te b/mozilla.te
index 6a306ee..4c1c064 100644 index 6a306ee..8faac8d 100644
--- a/mozilla.te --- a/mozilla.te
+++ b/mozilla.te +++ b/mozilla.te
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -37047,10 +37066,10 @@ index 6a306ee..4c1c064 100644
-userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
-
-userdom_write_user_tmp_sockets(mozilla_t)
+userdom_use_inherited_user_ptys(mozilla_t) +userdom_use_inherited_user_ptys(mozilla_t)
-userdom_write_user_tmp_sockets(mozilla_t)
-
-mozilla_run_plugin(mozilla_t, mozilla_roles) -mozilla_run_plugin(mozilla_t, mozilla_roles)
-mozilla_run_plugin_config(mozilla_t, mozilla_roles) -mozilla_run_plugin_config(mozilla_t, mozilla_roles)
+#mozilla_run_plugin(mozilla_t, mozilla_roles) +#mozilla_run_plugin(mozilla_t, mozilla_roles)
@ -37213,7 +37232,7 @@ index 6a306ee..4c1c064 100644
') ')
optional_policy(` optional_policy(`
@@ -300,221 +308,171 @@ optional_policy(` @@ -300,221 +308,173 @@ optional_policy(`
######################################## ########################################
# #
@ -37468,7 +37487,8 @@ index 6a306ee..4c1c064 100644
-userdom_manage_user_home_content_dirs(mozilla_plugin_t) -userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t) -userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
- +systemd_read_logind_sessions_files(mozilla_plugin_t)
-userdom_write_user_tmp_sockets(mozilla_plugin_t) -userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t)
@ -37528,7 +37548,7 @@ index 6a306ee..4c1c064 100644
') ')
optional_policy(` optional_policy(`
@@ -523,36 +481,47 @@ optional_policy(` @@ -523,36 +483,47 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -37589,7 +37609,7 @@ index 6a306ee..4c1c064 100644
') ')
optional_policy(` optional_policy(`
@@ -560,7 +529,7 @@ optional_policy(` @@ -560,7 +531,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -37598,7 +37618,7 @@ index 6a306ee..4c1c064 100644
') ')
optional_policy(` optional_policy(`
@@ -568,108 +537,108 @@ optional_policy(` @@ -568,108 +539,108 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -43275,7 +43295,7 @@ index 46e55c3..346242e 100644
+ allow $1 nis_unit_file_t:service all_service_perms; + allow $1 nis_unit_file_t:service all_service_perms;
') ')
diff --git a/nis.te b/nis.te diff --git a/nis.te b/nis.te
index 3e4a31c..0d16edc 100644 index 3e4a31c..bd8e3ff 100644
--- a/nis.te --- a/nis.te
+++ b/nis.te +++ b/nis.te
@@ -1,12 +1,10 @@ @@ -1,12 +1,10 @@
@ -43465,18 +43485,22 @@ index 3e4a31c..0d16edc 100644
sysnet_read_config(yppasswdd_t) sysnet_read_config(yppasswdd_t)
@@ -219,6 +215,10 @@ optional_policy(` @@ -219,6 +215,14 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
+ mta_send_mail(yppasswdd_t) + mta_send_mail(yppasswdd_t)
+') +')
+ +
+optional_policy(`
+ nis_use_ypbind(yppasswdd_t)
+')
+
+optional_policy(` +optional_policy(`
seutil_sigchld_newrole(yppasswdd_t) seutil_sigchld_newrole(yppasswdd_t)
') ')
@@ -234,7 +234,8 @@ optional_policy(` @@ -234,7 +238,8 @@ optional_policy(`
dontaudit ypserv_t self:capability sys_tty_config; dontaudit ypserv_t self:capability sys_tty_config;
allow ypserv_t self:fifo_file rw_fifo_file_perms; allow ypserv_t self:fifo_file rw_fifo_file_perms;
allow ypserv_t self:process signal_perms; allow ypserv_t self:process signal_perms;
@ -43486,7 +43510,7 @@ index 3e4a31c..0d16edc 100644
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
allow ypserv_t self:tcp_socket connected_stream_socket_perms; allow ypserv_t self:tcp_socket connected_stream_socket_perms;
allow ypserv_t self:udp_socket create_socket_perms; allow ypserv_t self:udp_socket create_socket_perms;
@@ -254,7 +255,6 @@ kernel_read_kernel_sysctls(ypserv_t) @@ -254,7 +259,6 @@ kernel_read_kernel_sysctls(ypserv_t)
kernel_list_proc(ypserv_t) kernel_list_proc(ypserv_t)
kernel_read_proc_symlinks(ypserv_t) kernel_read_proc_symlinks(ypserv_t)
@ -43494,7 +43518,7 @@ index 3e4a31c..0d16edc 100644
corenet_all_recvfrom_netlabel(ypserv_t) corenet_all_recvfrom_netlabel(ypserv_t)
corenet_tcp_sendrecv_generic_if(ypserv_t) corenet_tcp_sendrecv_generic_if(ypserv_t)
corenet_udp_sendrecv_generic_if(ypserv_t) corenet_udp_sendrecv_generic_if(ypserv_t)
@@ -264,31 +264,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t) @@ -264,31 +268,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
corenet_udp_sendrecv_all_ports(ypserv_t) corenet_udp_sendrecv_all_ports(ypserv_t)
corenet_tcp_bind_generic_node(ypserv_t) corenet_tcp_bind_generic_node(ypserv_t)
corenet_udp_bind_generic_node(ypserv_t) corenet_udp_bind_generic_node(ypserv_t)
@ -43532,7 +43556,7 @@ index 3e4a31c..0d16edc 100644
nis_domtrans_ypxfr(ypserv_t) nis_domtrans_ypxfr(ypserv_t)
@@ -310,8 +306,8 @@ optional_policy(` @@ -310,8 +310,8 @@ optional_policy(`
# ypxfr local policy # ypxfr local policy
# #
@ -43543,7 +43567,7 @@ index 3e4a31c..0d16edc 100644
allow ypxfr_t self:tcp_socket create_stream_socket_perms; allow ypxfr_t self:tcp_socket create_stream_socket_perms;
allow ypxfr_t self:udp_socket create_socket_perms; allow ypxfr_t self:udp_socket create_socket_perms;
allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms; allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
@@ -326,7 +322,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; @@ -326,7 +326,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
@ -43551,7 +43575,7 @@ index 3e4a31c..0d16edc 100644
corenet_all_recvfrom_netlabel(ypxfr_t) corenet_all_recvfrom_netlabel(ypxfr_t)
corenet_tcp_sendrecv_generic_if(ypxfr_t) corenet_tcp_sendrecv_generic_if(ypxfr_t)
corenet_udp_sendrecv_generic_if(ypxfr_t) corenet_udp_sendrecv_generic_if(ypxfr_t)
@@ -336,23 +331,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t) @@ -336,23 +335,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
corenet_udp_sendrecv_all_ports(ypxfr_t) corenet_udp_sendrecv_all_ports(ypxfr_t)
corenet_tcp_bind_generic_node(ypxfr_t) corenet_tcp_bind_generic_node(ypxfr_t)
corenet_udp_bind_generic_node(ypxfr_t) corenet_udp_bind_generic_node(ypxfr_t)
@ -48201,10 +48225,10 @@ index 0000000..407386d
+') +')
diff --git a/openshift.te b/openshift.te diff --git a/openshift.te b/openshift.te
new file mode 100644 new file mode 100644
index 0000000..45e60e5 index 0000000..894ce1c
--- /dev/null --- /dev/null
+++ b/openshift.te +++ b/openshift.te
@@ -0,0 +1,526 @@ @@ -0,0 +1,530 @@
+policy_module(openshift,1.0.0) +policy_module(openshift,1.0.0)
+ +
+gen_require(` +gen_require(`
@ -48728,6 +48752,10 @@ index 0000000..45e60e5
+') +')
+ +
+optional_policy(` +optional_policy(`
+ quota_read_db(openshift_cron_t)
+')
+
+optional_policy(`
+ ssh_exec_keygen(openshift_cron_t) + ssh_exec_keygen(openshift_cron_t)
+ ssh_dontaudit_read_server_keys(openshift_cron_t) + ssh_dontaudit_read_server_keys(openshift_cron_t)
+') +')
@ -81326,10 +81354,10 @@ index 0000000..bfcd2c7
+') +')
diff --git a/thumb.te b/thumb.te diff --git a/thumb.te b/thumb.te
new file mode 100644 new file mode 100644
index 0000000..aaf768a index 0000000..49cd645
--- /dev/null --- /dev/null
+++ b/thumb.te +++ b/thumb.te
@@ -0,0 +1,137 @@ @@ -0,0 +1,138 @@
+policy_module(thumb, 1.0.0) +policy_module(thumb, 1.0.0)
+ +
+######################################## +########################################
@ -81424,6 +81452,7 @@ index 0000000..aaf768a
+userdom_dontaudit_setattr_user_tmp(thumb_t) +userdom_dontaudit_setattr_user_tmp(thumb_t)
+userdom_read_user_tmp_files(thumb_t) +userdom_read_user_tmp_files(thumb_t)
+userdom_read_user_home_content_files(thumb_t) +userdom_read_user_home_content_files(thumb_t)
+userdom_exec_user_home_content_files(thumb_t)
+userdom_write_user_tmp_files(thumb_t) +userdom_write_user_tmp_files(thumb_t)
+userdom_read_home_audio_files(thumb_t) +userdom_read_home_audio_files(thumb_t)
+userdom_home_reader(thumb_t) +userdom_home_reader(thumb_t)
@ -82357,7 +82386,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1) domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r; role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te diff --git a/tuned.te b/tuned.te
index 7116181..0bd0be9 100644 index 7116181..7a80e6d 100644
--- a/tuned.te --- a/tuned.te
+++ b/tuned.te +++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@ -82370,9 +82399,12 @@ index 7116181..0bd0be9 100644
type tuned_var_run_t; type tuned_var_run_t;
files_pid_file(tuned_var_run_t) files_pid_file(tuned_var_run_t)
@@ -31,8 +34,10 @@ files_pid_file(tuned_var_run_t) @@ -29,10 +32,12 @@ files_pid_file(tuned_var_run_t)
# Local policy
#
allow tuned_t self:capability { sys_admin sys_nice }; -allow tuned_t self:capability { sys_admin sys_nice };
+allow tuned_t self:capability { sys_admin sys_nice sys_rawio };
dontaudit tuned_t self:capability { dac_override sys_tty_config }; dontaudit tuned_t self:capability { dac_override sys_tty_config };
-allow tuned_t self:process { setsched signal }; -allow tuned_t self:process { setsched signal };
+allow tuned_t self:process { setsched signal }; +allow tuned_t self:process { setsched signal };
@ -85655,7 +85687,7 @@ index 9dec06c..b991ec7 100644
+ allow svirt_lxc_domain $1:process sigchld; + allow svirt_lxc_domain $1:process sigchld;
') ')
diff --git a/virt.te b/virt.te diff --git a/virt.te b/virt.te
index 1f22fba..e780b1b 100644 index 1f22fba..64e638c 100644
--- a/virt.te --- a/virt.te
+++ b/virt.te +++ b/virt.te
@@ -1,94 +1,98 @@ @@ -1,94 +1,98 @@
@ -86524,7 +86556,7 @@ index 1f22fba..e780b1b 100644
+# virtual domains common policy +# virtual domains common policy
+# +#
+allow virt_domain self:capability2 compromise_kernel; +allow virt_domain self:capability2 compromise_kernel;
+allow virt_domain self:process { setrlimit signal_perms getsched }; +allow virt_domain self:process { setrlimit signal_perms getsched setsched };
+allow virt_domain self:fifo_file rw_fifo_file_perms; +allow virt_domain self:fifo_file rw_fifo_file_perms;
+allow virt_domain self:shm create_shm_perms; +allow virt_domain self:shm create_shm_perms;
+allow virt_domain self:unix_stream_socket create_stream_socket_perms; +allow virt_domain self:unix_stream_socket create_stream_socket_perms;

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.12.1 Version: 3.12.1
Release: 23%{?dist} Release: 24%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -526,6 +526,28 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Tue Mar 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-24
- Add labeling for /usr/share/pki
- Allow programs that read var_run_t symlinks also read var_t symlinks
- Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports
- Fix labeling for /etc/dhcp directory
- add missing systemd_stub_unit_file() interface
- Add files_stub_var() interface
- Add lables for cert_t directories
- Make localectl set-x11-keymap working at all
- Allow abrt to manage mock build environments to catch build problems.
- Allow virt_domains to setsched for running gdb on itself
- Allow thumb_t to execute user home content
- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000
- Allow certwatch to execut /usr/bin/httpd
- Allow cgred to send signal perms to itself, needs back port to RHEL6
- Allow openshift_cron_t to look at quota
- Allow cups_t to read inhered tmpfs_t from the kernel
- Allow yppasswdd to use NIS
- Tuned wants sys_rawio capability
- Add ftpd_use_fusefs boolean
- Allow dirsrvadmin_t to signal itself
* Wed Mar 20 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-23 * Wed Mar 20 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-23
- Allow localectl to read /etc/X11/xorg.conf.d directory - Allow localectl to read /etc/X11/xorg.conf.d directory
- Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors"" - Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors""