diff --git a/policy-rawhide.patch b/policy-rawhide.patch index b8fd864c..1f3f723c 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -8579,7 +8579,7 @@ index 0000000..97f145e +selinux(8), comsat(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/condor_selinux.8 b/man/man8/condor_selinux.8 new file mode 100644 -index 0000000..a186b3e +index 0000000..b4838c3 --- /dev/null +++ b/man/man8/condor_selinux.8 @@ -0,0 +1,242 @@ @@ -8825,6 +8825,7 @@ index 0000000..a186b3e +.SH "SEE ALSO" +selinux(8), condor(8), semanage(8), restorecon(8), chcon(1) +, setsebool(8) +\ No newline at end of file diff --git a/man/man8/consolekit_selinux.8 b/man/man8/consolekit_selinux.8 new file mode 100644 index 0000000..8efe64c @@ -64086,7 +64087,7 @@ index 7590165..59539e8 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index db981df..b0ff71c 100644 +index db981df..414f3e4 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -64186,7 +64187,7 @@ index db981df..b0ff71c 100644 +/usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) -+/usr/bin/pingus -- gen_context(system_u:object_r:bin_t,s0) ++/usr/bin/pingus.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) 
@@ -64275,27 +64276,29 @@ index db981df..b0ff71c 100644 /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -251,11 +289,18 @@ ifdef(`distro_gentoo',` +@@ -251,11 +289,17 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) -/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) +-/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0) -+ -+/usr/local/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) - /usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/local/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0) -+/usr/local/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0) - /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0) ++/usr/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0) ++/usr/linuxprinter/filters(/.*)? 
gen_context(system_u:object_r:bin_t,s0) ++ +/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) +/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) +/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -271,6 +316,10 @@ ifdef(`distro_gentoo',` +@@ -271,6 +315,10 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) @@ -64306,7 +64309,7 @@ index db981df..b0ff71c 100644 /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) -@@ -290,15 +339,19 @@ ifdef(`distro_gentoo',` +@@ -290,15 +338,19 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) @@ -64327,7 +64330,7 @@ index db981df..b0ff71c 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,8 +367,12 @@ ifdef(`distro_redhat', ` +@@ -314,8 +366,12 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) 
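Review bot: The rewritten entries `/usr/Brother(/.*)?`, `/usr/Printer(/.*)?` and `/usr/linuxprinter/filters(/.*)?` only give the printer filters under /usr/local their bin_t label if a `/usr/local` → `/usr` path substitution (presumably a file_contexts.subs_dist rule, which is not visible in this patch) is in effect; without it, `/usr/local/Brother/...` falls back to the generic /usr labeling and the CUPS filters lose their executable type, which surfaces as denials rather than as a label change anyone would notice. The same mechanical `/usr/local/X` → `/usr/X` rewrite is applied to libraries.fc (the hunks ending at L19 and L20: `/usr/Zend`, `/usr/google-earth`, `/usr/zend`, `/usr/games/darwinia`) and to logging.fc at L21 (`/usr/centreon/log`), where the new paths are not real install locations on their own. Please state the dependency in the commit message and, since this file is the first place a reader meets it, add a one-line comment above the Brother entries such as `# /usr/local/... paths are matched through the /usr/local -> /usr substitution; do not add /usr/local entries here`.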
@@ -64340,7 +64343,7 @@ index db981df..b0ff71c 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,9 +382,11 @@ ifdef(`distro_redhat', ` +@@ -325,9 +381,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -64352,7 +64355,7 @@ index db981df..b0ff71c 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -376,11 +435,14 @@ ifdef(`distro_suse', ` +@@ -376,11 +434,14 @@ ifdef(`distro_suse', ` # # /var # @@ -64368,7 +64371,7 @@ index db981df..b0ff71c 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -390,3 +452,12 @@ ifdef(`distro_suse', ` +@@ -390,3 +451,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -68601,7 +68604,7 @@ index cf04cb5..e43701b 100644 + +dontaudit domain domain:process { noatsecure siginh rlimitinh } ; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index 4429d30..b8f8a82 100644 +index 4429d30..38dcaf6 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` 
@@ -68691,23 +68694,33 @@ index 4429d30..b8f8a82 100644 /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -@@ -211,6 +230,7 @@ ifdef(`distro_debian',` +@@ -202,15 +221,9 @@ ifdef(`distro_debian',` + /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) + +-/usr/local/\.journal <> +- +-/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) +- +-/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) +-/usr/local/lost\+found/.* <> +- /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /usr/lost\+found/.* <> +/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) -@@ -219,7 +239,6 @@ ifdef(`distro_debian',` +@@ -218,8 +231,6 @@ ifdef(`distro_debian',` + /usr/tmp/.* <> ifndef(`distro_redhat',` - /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) +-/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) - /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -235,11 +254,14 @@ ifndef(`distro_redhat',` +@@ -235,11 +246,14 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -68722,7 +68735,7 @@ index 4429d30..b8f8a82 100644 /var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/lost\+found/.* <> -@@ -262,3 +284,5 @@ ifndef(`distro_redhat',` +@@ -262,3 +276,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') @@ -71831,7 +71844,7 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 4bf45cb..712189d 100644 +index 4bf45cb..9c71d8e 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if 
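Review bot: The inner files.fc hunk now deletes `/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)` and `/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)` (plus its `/.* <>` companion) with no replacement in this hunk. The `/usr/lost\+found` entry at mls_systemhigh remains as context, so the lost+found case is covered only if `/usr/local` is substituted to `/usr`; an `/usr/etc(/.*)?` etc_t entry is not visible here and should be confirmed, otherwise configuration under /usr/local/etc silently becomes usr_t. On an MLS system an unsubstituted /usr/local/lost+found would also drop from systemhigh to s0, which is the more serious of the two. A short note in the commit message saying which substitution rule these deletions depend on would make the change reviewable.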
@@ -267,7 +267,7 @@ interface(`kernel_rw_unix_dgram_sockets',` @@ -72055,7 +72068,7 @@ index 4bf45cb..712189d 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2956,5 +3092,60 @@ interface(`kernel_unconfined',` +@@ -2956,5 +3092,79 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -72084,6 +72097,25 @@ index 4bf45cb..712189d 100644 + +######################################## +## ++## Allow the specified domain to getattr on ++## the kernel with a unix socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_stream_getattr',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ allow $1 kernel_t:unix_stream_socket getattr; ++') ++ ++######################################## ++## +## Make the specified type usable for regular entries in proc +## +## @@ -77489,7 +77521,7 @@ index b17e27a..5c691d1 100644 + ssh_rw_dgram_sockets(chroot_user_t) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index fc86b7c..3347d48 100644 +index fc86b7c..ba6be42 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,35 @@ @@ -77507,7 +77539,7 @@ index fc86b7c..3347d48 100644 HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) -+HOME_DIR/\.cache/gdm(/.*)? -- gen_context(system_u:object_r:xdm_home_t,s0) ++HOME_DIR/\.cache/gdm(/.*)? gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) + @@ -81406,7 +81438,7 @@ index a97a096..e1b5cd8 100644 /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index 6c4b6ee..77db743 100644 +index 6c4b6ee..3daf357 100644 
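Review bot: The new `kernel_stream_getattr` interface does not follow the naming used elsewhere in kernel.if, where the visible `kernel_rw_unix_dgram_sockets` spells out permission and object class; `kernel_getattr_unix_stream_sockets` would be consistent and self-describing, with the one caller `kernel_stream_getattr(syslogd_t)` in logging.te (L21) updated to match. The summary text "getattr on the kernel with a unix socket" is also easy to misread; `## Allow the specified domain to get the attributes of kernel_t unix stream sockets.` says what the single `allow $1 kernel_t:unix_stream_socket getattr;` rule does. The `<summary>`/`<param name="domain">` tags expected by the policy doc tooling do not show in this rendering; if they are genuinely absent rather than stripped, the interface will be missing from the generated documentation.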
--- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -44,6 +44,8 @@ can_exec(fsadm_t, fsadm_exec_t) @@ -81444,7 +81476,7 @@ index 6c4b6ee..77db743 100644 mls_file_read_all_levels(fsadm_t) mls_file_write_all_levels(fsadm_t) -@@ -133,13 +142,16 @@ storage_raw_write_fixed_disk(fsadm_t) +@@ -133,21 +142,25 @@ storage_raw_write_fixed_disk(fsadm_t) storage_raw_read_removable_device(fsadm_t) storage_raw_write_removable_device(fsadm_t) storage_read_scsi_generic(fsadm_t) @@ -81460,8 +81492,9 @@ index 6c4b6ee..77db743 100644 +init_stream_connect(fsadm_t) logging_send_syslog_msg(fsadm_t) ++logging_stream_connect_syslog(fsadm_t) -@@ -147,7 +159,7 @@ miscfiles_read_localization(fsadm_t) + miscfiles_read_localization(fsadm_t) seutil_read_config(fsadm_t) @@ -81470,7 +81503,7 @@ index 6c4b6ee..77db743 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -166,6 +178,11 @@ optional_policy(` +@@ -166,6 +179,11 @@ optional_policy(` ') optional_policy(` @@ -81482,7 +81515,7 @@ index 6c4b6ee..77db743 100644 hal_dontaudit_write_log(fsadm_t) ') -@@ -192,6 +209,10 @@ optional_policy(` +@@ -192,6 +210,10 @@ optional_policy(` ') optional_policy(` @@ -82843,7 +82876,7 @@ index d26fe81..3f3a57f 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 5fb9683..671de76 100644 +index 5fb9683..dfa38ad 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -83014,7 +83047,7 @@ index 5fb9683..671de76 100644 mcs_process_set_categories(init_t) mcs_killall(init_t) -@@ -156,22 +222,41 @@ mls_file_read_all_levels(init_t) +@@ -156,22 +222,42 @@ mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) 
@@ -83043,6 +83076,7 @@ index 5fb9683..671de76 100644 +logging_send_audit_msgs(init_t) logging_rw_generic_logs(init_t) +logging_relabel_devlog_dev(init_t) ++logging_stream_connect_syslog(init_t) seutil_read_config(init_t) +seutil_read_module_store(init_t) @@ -83057,11 +83091,12 @@ index 5fb9683..671de76 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -180,12 +265,14 @@ ifdef(`distro_gentoo',` +@@ -180,12 +266,15 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` + fs_manage_tmpfs_files(init_t) ++ fs_manage_tmpfs_sockets(init_t) + fs_exec_tmpfs_files(init_t) fs_read_tmpfs_symlinks(init_t) fs_rw_tmpfs_chr_files(init_t) @@ -83073,7 +83108,7 @@ index 5fb9683..671de76 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -193,16 +280,148 @@ tunable_policy(`init_upstart',` +@@ -193,16 +282,148 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -83224,7 +83259,7 @@ index 5fb9683..671de76 100644 ') optional_policy(` -@@ -210,6 +429,18 @@ optional_policy(` +@@ -210,6 +431,18 @@ optional_policy(` ') optional_policy(` @@ -83243,7 +83278,7 @@ index 5fb9683..671de76 100644 unconfined_domain(init_t) ') -@@ -219,8 +450,8 @@ optional_policy(` +@@ -219,8 +452,8 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -83254,7 +83289,7 @@ index 5fb9683..671de76 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -248,12 +479,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -248,12 +481,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -83270,7 +83305,7 @@ index 5fb9683..671de76 100644 init_write_initctl(initrc_t) -@@ -265,20 +499,34 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -265,20 +501,34 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -83310,7 +83345,7 @@ index 5fb9683..671de76 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -286,6 +534,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -286,6 +536,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -83318,7 +83353,7 @@ index 5fb9683..671de76 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -296,8 +545,10 @@ dev_write_framebuffer(initrc_t) +@@ -296,8 +547,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -83329,7 +83364,7 @@ index 5fb9683..671de76 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -305,17 +556,16 @@ dev_manage_generic_files(initrc_t) +@@ -305,17 +558,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -83349,7 +83384,7 @@ index 5fb9683..671de76 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -323,6 +573,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -323,6 +575,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -83357,7 +83392,7 @@ index 5fb9683..671de76 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -330,8 +581,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -330,8 +583,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -83369,7 +83404,7 @@ index 5fb9683..671de76 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -347,8 +600,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -347,8 +602,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -83383,7 +83418,7 @@ index 5fb9683..671de76 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -358,9 +615,12 @@ fs_mount_all_fs(initrc_t) +@@ -358,9 +617,12 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -83397,7 +83432,7 @@ index 5fb9683..671de76 100644 mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -370,6 +630,7 @@ mls_process_read_up(initrc_t) +@@ -370,6 +632,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -83405,7 +83440,7 @@ index 5fb9683..671de76 100644 selinux_get_enforce_mode(initrc_t) -@@ -381,6 +642,7 @@ term_use_all_terms(initrc_t) +@@ -381,6 +644,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -83413,7 +83448,7 @@ index 5fb9683..671de76 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -401,18 +663,17 @@ logging_read_audit_config(initrc_t) +@@ -401,18 +665,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript 
@@ -83435,7 +83470,7 @@ index 5fb9683..671de76 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -465,6 +726,10 @@ ifdef(`distro_gentoo',` +@@ -465,6 +728,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -83446,7 +83481,7 @@ index 5fb9683..671de76 100644 alsa_read_lib(initrc_t) ') -@@ -485,7 +750,7 @@ ifdef(`distro_redhat',` +@@ -485,7 +752,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -83455,7 +83490,7 @@ index 5fb9683..671de76 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -500,6 +765,7 @@ ifdef(`distro_redhat',` +@@ -500,6 +767,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -83463,7 +83498,7 @@ index 5fb9683..671de76 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -520,6 +786,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +788,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -83471,7 +83506,7 @@ index 5fb9683..671de76 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -529,8 +796,35 @@ ifdef(`distro_redhat',` +@@ -529,8 +798,35 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -83507,7 +83542,7 @@ index 5fb9683..671de76 100644 ') optional_policy(` -@@ -538,14 +832,27 @@ ifdef(`distro_redhat',` +@@ -538,14 +834,27 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -83535,7 +83570,7 @@ index 5fb9683..671de76 100644 ') ') -@@ -556,6 +863,39 @@ ifdef(`distro_suse',` +@@ -556,6 +865,39 @@ ifdef(`distro_suse',` ') ') 
@@ -83575,7 +83610,7 @@ index 5fb9683..671de76 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -568,6 +908,8 @@ optional_policy(` +@@ -568,6 +910,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -83584,7 +83619,7 @@ index 5fb9683..671de76 100644 ') optional_policy(` -@@ -589,6 +931,7 @@ optional_policy(` +@@ -589,6 +933,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -83592,7 +83627,7 @@ index 5fb9683..671de76 100644 ') optional_policy(` -@@ -601,6 +944,17 @@ optional_policy(` +@@ -601,6 +946,17 @@ optional_policy(` ') optional_policy(` @@ -83610,7 +83645,7 @@ index 5fb9683..671de76 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -617,9 +971,13 @@ optional_policy(` +@@ -617,9 +973,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -83624,7 +83659,7 @@ index 5fb9683..671de76 100644 ') optional_policy(` -@@ -644,6 +1002,10 @@ optional_policy(` +@@ -644,6 +1004,10 @@ optional_policy(` ') optional_policy(` @@ -83635,7 +83670,7 @@ index 5fb9683..671de76 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -661,6 +1023,15 @@ optional_policy(` +@@ -661,6 +1025,15 @@ optional_policy(` ') optional_policy(` @@ -83651,7 +83686,7 @@ index 5fb9683..671de76 100644 inn_exec_config(initrc_t) ') -@@ -701,6 +1072,7 @@ optional_policy(` +@@ -701,6 +1074,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -83659,7 +83694,7 @@ index 5fb9683..671de76 100644 ') optional_policy(` -@@ -718,7 +1090,13 @@ optional_policy(` +@@ -718,7 +1092,13 @@ optional_policy(` ') optional_policy(` @@ -83673,7 +83708,7 @@ index 5fb9683..671de76 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -741,6 +1119,10 @@ optional_policy(` +@@ -741,6 +1121,10 @@ optional_policy(` ') optional_policy(` 
@@ -83684,7 +83719,7 @@ index 5fb9683..671de76 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -750,10 +1132,20 @@ optional_policy(` +@@ -750,10 +1134,20 @@ optional_policy(` ') optional_policy(` @@ -83705,7 +83740,7 @@ index 5fb9683..671de76 100644 quota_manage_flags(initrc_t) ') -@@ -762,6 +1154,10 @@ optional_policy(` +@@ -762,6 +1156,10 @@ optional_policy(` ') optional_policy(` @@ -83716,7 +83751,7 @@ index 5fb9683..671de76 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -783,8 +1179,6 @@ optional_policy(` +@@ -783,8 +1181,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -83725,7 +83760,7 @@ index 5fb9683..671de76 100644 ') optional_policy(` -@@ -793,6 +1187,10 @@ optional_policy(` +@@ -793,6 +1189,10 @@ optional_policy(` ') optional_policy(` @@ -83736,7 +83771,7 @@ index 5fb9683..671de76 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -802,10 +1200,12 @@ optional_policy(` +@@ -802,10 +1202,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -83749,7 +83784,7 @@ index 5fb9683..671de76 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -817,7 +1217,6 @@ optional_policy(` +@@ -817,7 +1219,6 @@ optional_policy(` ') optional_policy(` @@ -83757,7 +83792,7 @@ index 5fb9683..671de76 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -827,12 +1226,30 @@ optional_policy(` +@@ -827,12 +1228,30 @@ optional_policy(` ') optional_policy(` @@ -83790,7 +83825,7 @@ index 5fb9683..671de76 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -842,6 +1259,18 @@ optional_policy(` +@@ -842,6 +1261,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') 
@@ -83809,7 +83844,7 @@ index 5fb9683..671de76 100644 ') optional_policy(` -@@ -857,6 +1286,10 @@ optional_policy(` +@@ -857,6 +1288,10 @@ optional_policy(` ') optional_policy(` @@ -83820,7 +83855,7 @@ index 5fb9683..671de76 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -867,3 +1300,165 @@ optional_policy(` +@@ -867,3 +1302,165 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -83987,10 +84022,10 @@ index 5fb9683..671de76 100644 +#') + diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index ec85acb..1135ebc 100644 +index ec85acb..662e79b 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc -@@ -27,10 +27,10 @@ +@@ -27,11 +27,6 @@ /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) @@ -83998,13 +84033,10 @@ index ec85acb..1135ebc 100644 -/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) -+/usr/local/lib/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) -+/usr/local/lib/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) -+/usr/local/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) -+/usr/local/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) - +- /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) + /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if index 0d4c8d3..9d66bf7 100644 --- a/policy/modules/system/ipsec.if @@ -84458,7 +84490,7 @@ index 0646ee7..36e02fa 100644 ') 
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index ef8bbaf..6721637 100644 +index ef8bbaf..49286ec 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -28,14 +28,17 @@ ifdef(`distro_redhat',` @@ -84504,7 +84536,7 @@ index ef8bbaf..6721637 100644 /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -111,9 +119,8 @@ ifdef(`distro_redhat',` +@@ -111,12 +119,12 @@ ifdef(`distro_redhat',` /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) @@ -84515,7 +84547,11 @@ index ef8bbaf..6721637 100644 /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -140,6 +147,7 @@ ifdef(`distro_redhat',` ++/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -140,6 +148,7 @@ ifdef(`distro_redhat',` /usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -84523,27 +84559,76 @@ index ef8bbaf..6721637 100644 /usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -151,8 +159,8 @@ ifdef(`distro_redhat',` +@@ -150,9 +159,9 @@ ifdef(`distro_redhat',` + /usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) +-/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) -/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/(local/)?lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/(local/)?lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) ++/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -244,8 +252,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ +@@ -181,6 +190,8 @@ ifdef(`distro_redhat',` + # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv + # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php + HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/(.*/)?nprhapengine\.so.* -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -240,14 +251,10 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ + + # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame + /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +305,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te + # Jai, Sun Microsystems (Jpackage SPRM) + /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -269,20 +276,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te + + # Java, Sun Microsystems (JPackage 
SRPM) + /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +-/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +-/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(local/)?lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
++/usr/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +@@ -299,17 +305,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -84588,7 +84673,7 @@ index ef8bbaf..6721637 100644 + +/usr/lib/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/local/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/googleearth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -84609,9 +84694,8 @@ index ef8bbaf..6721637 100644 +/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/local/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + 
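Review bot: The rewrite of `/usr/local(/.*)?/libmpg123\.so(\.[^/]*)*` to `/usr/libmpg123\.so(\.[^/]*)*` dropped the `(/.*)?` directory wildcard, so the new entry only matches a file sitting directly in /usr and never the library under any lib directory; the same malformed line is added twice in this hunk (once after the nppdf entry near line 190 and again in the Livna block near line 253). The retained `/usr/lib.*/libmpg123\.so(\.[^/]*)*` entry already covers the substituted /usr/lib path, so the simplest fix is to drop both added lines; if a non-lib location really is intended, keep the wildcard: `/usr(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The other `/usr/(local/)?` → `/usr/` rewrites in this hunk (Adobe, acroread, matlab, xchat) preserve their patterns and are fine given the substitution noted elsewhere.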
@@ -84639,7 +84723,6 @@ index ef8bbaf..6721637 100644 +/usr/lib/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +ifdef(`fixed',` +/usr/lib/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -84672,10 +84755,10 @@ index ef8bbaf..6721637 100644 +/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/local/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/local/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -85181,7 +85264,7 @@ index 9fd5be7..226328b 100644 - nscd_socket_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 02f4c97..debdd69 100644 +index 02f4c97..be8c9a1 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -6,6 +6,8 @@ 
@@ -85203,7 +85286,7 @@ index 02f4c97..debdd69 100644 +/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) + -+/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++/usr/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) +/usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) @@ -85613,7 +85696,7 @@ index 321bb13..7b4e560 100644 + init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 92555db..3637166 100644 +index 92555db..6970a23 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -5,6 +5,20 @@ policy_module(logging, 1.18.2) @@ -85800,7 +85883,7 @@ index 92555db..3637166 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -386,9 +430,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -386,13 +430,20 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -85816,7 +85899,12 @@ index 92555db..3637166 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -401,7 +451,10 @@ kernel_read_messages(syslogd_t) + ++kernel_stream_getattr(syslogd_t) + kernel_read_system_state(syslogd_t) + kernel_read_kernel_sysctls(syslogd_t) + kernel_read_proc_symlinks(syslogd_t) +@@ -401,7 +452,10 @@ kernel_read_messages(syslogd_t) kernel_clear_ring_buffer(syslogd_t) kernel_change_ring_buffer_level(syslogd_t) 
@@ -85828,7 +85916,7 @@ index 92555db..3637166 100644 corenet_all_recvfrom_netlabel(syslogd_t) corenet_udp_sendrecv_generic_if(syslogd_t) corenet_udp_sendrecv_generic_node(syslogd_t) -@@ -427,10 +480,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -427,10 +481,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -85856,7 +85944,7 @@ index 92555db..3637166 100644 files_read_etc_files(syslogd_t) files_read_usr_files(syslogd_t) -@@ -448,7 +518,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and +@@ -448,7 +519,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) @@ -85866,7 +85954,7 @@ index 92555db..3637166 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -460,6 +532,7 @@ init_use_fds(syslogd_t) +@@ -460,6 +533,7 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -85874,7 +85962,7 @@ index 92555db..3637166 100644 miscfiles_read_localization(syslogd_t) -@@ -493,15 +566,29 @@ optional_policy(` +@@ -493,15 +567,29 @@ optional_policy(` ') optional_policy(` @@ -86335,7 +86423,7 @@ index 7b6bcb9..61aa1ce 100644 ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index fe3427d..88fc786 100644 +index fe3427d..242ed4e 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -9,8 +9,9 @@ ifdef(`distro_gentoo',` 
@@ -86349,6 +86437,18 @@ index fe3427d..88fc786 100644 /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) +@@ -36,11 +37,6 @@ ifdef(`distro_redhat',` + + /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) + +-/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0) +-/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) +- +-/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) +- + /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) + + /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index 926ba65..b2a1675 100644 --- a/policy/modules/system/miscfiles.if @@ -90228,10 +90328,10 @@ index 0000000..40fe8f5 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..93c10a9 +index 0000000..62163a7 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,439 @@ +@@ -0,0 +1,443 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -90372,6 +90472,7 @@ index 0000000..93c10a9 +init_rw_stream_sockets(systemd_logind_t) + +logging_send_syslog_msg(systemd_logind_t) ++logging_stream_connect_syslog(systemd_logind_t) + +miscfiles_read_localization(systemd_logind_t) + @@ -90453,6 +90554,7 @@ index 0000000..93c10a9 +init_stream_connect(systemd_passwd_agent_t) + +logging_send_syslog_msg(systemd_passwd_agent_t) ++logging_stream_connect_syslog(systemd_passwd_agent_t) + +miscfiles_read_localization(systemd_passwd_agent_t) + @@ -90540,6 +90642,7 @@ index 0000000..93c10a9 + +logging_create_devlog_dev(systemd_tmpfiles_t) +logging_send_syslog_msg(systemd_tmpfiles_t) ++logging_stream_connect_syslog(systemd_tmpfiles_t) + +miscfiles_filetrans_named_content(systemd_tmpfiles_t) +miscfiles_manage_man_pages(systemd_tmpfiles_t) 
@@ -90649,6 +90752,7 @@ index 0000000..93c10a9 +init_write_pid_socket(systemd_logger_t) + +logging_send_syslog_msg(systemd_logger_t) ++logging_stream_connect_syslog(systemd_logger_t) + +miscfiles_read_localization(systemd_logger_t) + @@ -90940,7 +91044,7 @@ index 025348a..d7b15a4 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index cf279df..5cd1cf1 100644 +index cf279df..44ade49 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -91067,7 +91171,7 @@ index cf279df..5cd1cf1 100644 mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) -@@ -143,6 +156,7 @@ auth_use_nsswitch(udev_t) +@@ -143,10 +156,12 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -91075,7 +91179,12 @@ index cf279df..5cd1cf1 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -154,6 +168,8 @@ miscfiles_read_hwdata(udev_t) + logging_send_audit_msgs(udev_t) ++logging_stream_connect_syslog(udev_t) + + miscfiles_read_localization(udev_t) + miscfiles_read_hwdata(udev_t) +@@ -154,6 +169,8 @@ miscfiles_read_hwdata(udev_t) modutils_domtrans_insmod(udev_t) # read modules.inputmap: modutils_read_module_deps(udev_t) @@ -91084,7 +91193,7 @@ index cf279df..5cd1cf1 100644 seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) -@@ -169,6 +185,8 @@ sysnet_signal_dhcpc(udev_t) +@@ -169,6 +186,8 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) @@ -91093,7 +91202,7 @@ index cf279df..5cd1cf1 100644 userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -178,16 +196,9 @@ ifdef(`distro_gentoo',` +@@ -178,16 +197,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` 
@@ -91112,7 +91221,7 @@ index cf279df..5cd1cf1 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -216,11 +227,16 @@ optional_policy(` +@@ -216,11 +228,16 @@ optional_policy(` ') optional_policy(` @@ -91129,7 +91238,7 @@ index cf279df..5cd1cf1 100644 ') optional_policy(` -@@ -230,10 +246,20 @@ optional_policy(` +@@ -230,10 +247,20 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -91150,7 +91259,7 @@ index cf279df..5cd1cf1 100644 ') optional_policy(` -@@ -259,6 +285,10 @@ optional_policy(` +@@ -259,6 +286,10 @@ optional_policy(` ') optional_policy(` @@ -91161,7 +91270,7 @@ index cf279df..5cd1cf1 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +303,11 @@ optional_policy(` +@@ -273,6 +304,11 @@ optional_policy(` ') optional_policy(` @@ -91173,7 +91282,7 @@ index cf279df..5cd1cf1 100644 unconfined_signal(udev_t) ') -@@ -285,6 +320,7 @@ optional_policy(` +@@ -285,6 +321,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index dc3dbcd7..b7ccac63 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -4742,7 +4742,7 @@ index 61c74bc..17b3ecc 100644 + allow $1 avahi_unit_file_t:service all_service_perms; ') diff --git a/avahi.te b/avahi.te -index a7a0e71..65bbd77 100644 +index a7a0e71..258486d 100644 --- a/avahi.te +++ b/avahi.te @@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t) 
@@ -4769,15 +4769,17 @@ index a7a0e71..65bbd77 100644 corenet_all_recvfrom_netlabel(avahi_t) corenet_tcp_sendrecv_generic_if(avahi_t) corenet_udp_sendrecv_generic_if(avahi_t) -@@ -74,7 +78,6 @@ fs_list_inotifyfs(avahi_t) +@@ -73,8 +77,8 @@ fs_search_auto_mountpoints(avahi_t) + fs_list_inotifyfs(avahi_t) domain_use_interactive_fds(avahi_t) ++domain_dontaudit_signull_all_domains(avahi_t) -files_read_etc_files(avahi_t) files_read_etc_runtime_files(avahi_t) files_read_usr_files(avahi_t) -@@ -92,6 +95,8 @@ sysnet_domtrans_ifconfig(avahi_t) +@@ -92,6 +96,8 @@ sysnet_domtrans_ifconfig(avahi_t) sysnet_manage_config(avahi_t) sysnet_etc_filetrans_config(avahi_t) @@ -4786,7 +4788,7 @@ index a7a0e71..65bbd77 100644 userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_user_home_dirs(avahi_t) -@@ -104,6 +109,10 @@ optional_policy(` +@@ -104,6 +110,10 @@ optional_policy(` ') optional_policy(` @@ -13551,7 +13553,7 @@ index 0000000..284fbae + sysnet_domtrans_ifconfig(ctdbd_t) +') diff --git a/cups.fc b/cups.fc -index 848bb92..306cd8e 100644 +index 848bb92..624fc09 100644 --- a/cups.fc +++ b/cups.fc @@ -19,7 +19,10 @@ @@ -13586,9 +13588,9 @@ index 848bb92..306cd8e 100644 /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + -+/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) -+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) ++/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + 
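Review bot: The cups.fc hunk rewrites `/usr/local/Brother/...` and `/usr/local/Printer/...` to `/usr/Brother/...` and `/usr/Printer/...` but leaves `/usr/local/linuxprinter/ppd(/.*)?` two lines later untouched, so the same file now treats /usr/local two different ways. Whichever convention is intended, the Brother fax log (`cupsd_log_t`) and the `inf` directories (`cupsd_rw_etc_t`) should follow it; as written those files would presumably stay at the default label and cupsd's writes to them would be denied. If the linuxprinter line is the correct form, restoring the three Brother/Printer lines to their `/usr/local/` prefix is the one-token-each fix.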
@@ -25918,6 +25920,19 @@ index 53e53ca..92520eb 100644 +miscfiles_read_localization(jabberd_domain) + +sysnet_read_config(jabberd_domain) +diff --git a/java.fc b/java.fc +index 72f3df0..43b488f 100644 +--- a/java.fc ++++ b/java.fc +@@ -28,8 +28,6 @@ + /usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) + /usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0) + +-/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) +- + /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) + + ifdef(`distro_redhat',` diff --git a/java.te b/java.te index 95771f4..9d7f599 100644 --- a/java.te @@ -26864,9 +26879,27 @@ index 0c52f60..a085fbd 100644 optional_policy(` diff --git a/kerberos.fc b/kerberos.fc -index 3525d24..ad19527 100644 +index 3525d24..de533f9 100644 --- a/kerberos.fc 
+++ b/kerberos.fc +@@ -13,13 +13,13 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + +-/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) +-/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) ++/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) ++/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) + /usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) + /usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) + +-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) +-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) ++/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) ++/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + + /var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) + /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) @@ -27,7 +27,15 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) /var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) @@ -29116,7 +29149,7 @@ index 572b5db..1e55f43 100644 +userdom_use_inherited_user_terminals(lockdev_t) + diff --git a/logrotate.te b/logrotate.te -index 7090dae..0b9e946 100644 +index 7090dae..ea589dd 100644 --- a/logrotate.te +++ b/logrotate.te @@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t) 
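Review bot: `/usr/var/krb5kdc(/.*)?` and `/usr/var/krb5kdc/principal.*` in the kerberos.fc hunk replace `/usr/local/var/krb5kdc/...`, which is the location a source-built MIT KDC uses by default, whereas `/usr/var` is not a path that exists on Fedora. If the intent is to drop /usr/local support the two lines should be deleted rather than rewritten; if not, the original prefix should stay. The practical risk of the rewrite is that a KDC database under /usr/local/var/krb5kdc loses `krb5kdc_principal_t` and is labelled `usr_t` like any other /usr content, which defeats the purpose of the dedicated type. The `/usr/(kerberos/)?sbin/...` changes in the same hunk are only equivalent to the old `/usr/(local/)?(kerberos/)?sbin/...` if a subs entry maps /usr/local/sbin to /usr/sbin; a comment naming it would make that dependency explicit.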
@@ -29178,12 +29211,13 @@ index 7090dae..0b9e946 100644 # cjp: why is this needed? init_domtrans_script(logrotate_t) -@@ -116,17 +118,17 @@ miscfiles_read_localization(logrotate_t) +@@ -116,17 +118,18 @@ miscfiles_read_localization(logrotate_t) seutil_dontaudit_read_config(logrotate_t) -userdom_use_user_terminals(logrotate_t) +systemd_exec_systemctl(logrotate_t) ++systemd_getattr_unit_files(logrotate_t) +init_stream_connect(logrotate_t) + +userdom_use_inherited_user_terminals(logrotate_t) @@ -29203,7 +29237,7 @@ index 7090dae..0b9e946 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -138,7 +140,7 @@ ifdef(`distro_debian', ` +@@ -138,7 +141,7 @@ ifdef(`distro_debian', ` ') optional_policy(` @@ -29212,7 +29246,7 @@ index 7090dae..0b9e946 100644 ') optional_policy(` -@@ -154,6 +156,10 @@ optional_policy(` +@@ -154,6 +157,10 @@ optional_policy(` ') optional_policy(` @@ -29223,7 +29257,7 @@ index 7090dae..0b9e946 100644 asterisk_domtrans(logrotate_t) ') -@@ -162,10 +168,20 @@ optional_policy(` +@@ -162,10 +169,20 @@ optional_policy(` ') optional_policy(` @@ -29244,7 +29278,7 @@ index 7090dae..0b9e946 100644 cups_domtrans(logrotate_t) ') -@@ -178,6 +194,10 @@ optional_policy(` +@@ -178,6 +195,10 @@ optional_policy(` ') optional_policy(` @@ -29255,7 +29289,7 @@ index 7090dae..0b9e946 100644 icecast_signal(logrotate_t) ') -@@ -194,15 +214,19 @@ optional_policy(` +@@ -194,15 +215,19 @@ optional_policy(` ') optional_policy(` @@ -29276,7 +29310,7 @@ index 7090dae..0b9e946 100644 optional_policy(` samba_exec_log(logrotate_t) -@@ -228,3 +252,14 @@ optional_policy(` +@@ -228,3 +253,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -29409,9 +29443,18 @@ index 75ce30f..7f05283 100644 + cron_use_system_job_fds(logwatch_mail_t) +') diff --git a/lpd.fc b/lpd.fc -index 5c9eb68..ca4fd2b 100644 +index 5c9eb68..e4f3c24 100644 --- a/lpd.fc 
+++ b/lpd.fc +@@ -24,7 +24,7 @@ + /usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) + /usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) + +-/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) ++/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) + + /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) + @@ -35,3 +35,4 @@ /var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) @@ -32973,7 +33016,7 @@ index afa18c8..f6e2bb8 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index 4e2a5ba..68e2429 100644 +index 4e2a5ba..c3643f0 100644 --- a/mta.if +++ b/mta.if @@ -37,6 +37,7 @@ interface(`mta_stub',` @@ -33127,7 +33170,7 @@ index 4e2a5ba..68e2429 100644 ######################################## ## ## Make the specified type by a system MTA. -@@ -306,10 +257,11 @@ interface(`mta_mailserver_sender',` +@@ -306,10 +257,15 @@ interface(`mta_mailserver_sender',` interface(`mta_mailserver_delivery',` gen_require(` attribute mailserver_delivery; @@ -33137,10 +33180,14 @@ index 4e2a5ba..68e2429 100644 typeattribute $1 mailserver_delivery; + + userdom_home_manager($1) ++ ++ optional_policy(` ++ mta_rw_delivery_tcp_sockets($1) ++ ') ') ####################################### -@@ -393,12 +345,19 @@ interface(`mta_send_mail',` +@@ -393,12 +349,19 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` @@ -33162,7 +33209,7 @@ index 4e2a5ba..68e2429 100644 ') ######################################## -@@ -411,7 +370,6 @@ interface(`mta_sendmail_domtrans',` +@@ -411,7 +374,6 @@ interface(`mta_sendmail_domtrans',` ## ## # 
@@ -33170,7 +33217,7 @@ index 4e2a5ba..68e2429 100644 interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -422,6 +380,60 @@ interface(`mta_signal_system_mail',` +@@ -422,6 +384,60 @@ interface(`mta_signal_system_mail',` ######################################## ## @@ -33231,7 +33278,7 @@ index 4e2a5ba..68e2429 100644 ## Execute sendmail in the caller domain. ## ## -@@ -440,6 +452,26 @@ interface(`mta_sendmail_exec',` +@@ -440,6 +456,26 @@ interface(`mta_sendmail_exec',` ######################################## ## @@ -33258,7 +33305,7 @@ index 4e2a5ba..68e2429 100644 ## Read mail server configuration. ## ## -@@ -496,6 +528,7 @@ interface(`mta_read_aliases',` +@@ -496,6 +532,7 @@ interface(`mta_read_aliases',` files_search_etc($1) allow $1 etc_aliases_t:file read_file_perms; @@ -33266,7 +33313,7 @@ index 4e2a5ba..68e2429 100644 ') ######################################## -@@ -534,7 +567,7 @@ interface(`mta_etc_filetrans_aliases',` +@@ -534,7 +571,7 @@ interface(`mta_etc_filetrans_aliases',` type etc_aliases_t; ') @@ -33275,7 +33322,7 @@ index 4e2a5ba..68e2429 100644 ') ######################################## -@@ -554,7 +587,7 @@ interface(`mta_rw_aliases',` +@@ -554,7 +591,7 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) 
@@ -33284,7 +33331,33 @@ index 4e2a5ba..68e2429 100644 ') ####################################### -@@ -648,8 +681,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -576,6 +613,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` + dontaudit $1 mailserver_delivery:tcp_socket { read write }; + ') + ++###################################### ++## ++## Allow attempts to read and write TCP ++## sockets of mail delivery domains. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`mta_rw_delivery_tcp_sockets',` ++ gen_require(` ++ attribute mailserver_delivery; ++ ') ++ ++ allow $1 mailserver_delivery:tcp_socket { read write }; ++') ++ + ####################################### + ## + ## Connect to all mail servers over TCP. (Deprecated) +@@ -648,8 +704,8 @@ interface(`mta_dontaudit_getattr_spool_files',` files_dontaudit_search_spool($1) dontaudit $1 mail_spool_t:dir search_dir_perms; @@ -33295,7 +33368,7 @@ index 4e2a5ba..68e2429 100644 ') ####################################### -@@ -679,7 +712,26 @@ interface(`mta_spool_filetrans',` +@@ -679,7 +735,26 @@ interface(`mta_spool_filetrans',` ') files_search_spool($1) @@ -33323,7 +33396,7 @@ index 4e2a5ba..68e2429 100644 ') ######################################## -@@ -699,8 +751,8 @@ interface(`mta_rw_spool',` +@@ -699,8 +774,8 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -33334,7 +33407,7 @@ index 4e2a5ba..68e2429 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -840,7 +892,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -840,7 +915,7 @@ interface(`mta_dontaudit_rw_queue',` ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -33343,7 +33416,7 @@ index 4e2a5ba..68e2429 100644 ') ######################################## -@@ -866,6 +918,36 @@ interface(`mta_manage_queue',` +@@ -866,6 +941,36 @@ interface(`mta_manage_queue',` ####################################### ## 
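Review bot: The parameter description of the new `mta_rw_delivery_tcp_sockets` interface says `Domain to not audit.`, copied from `mta_dontaudit_rw_delivery_tcp_sockets` directly above it, but this interface emits an `allow` rule, so it should read `Domain allowed access.`. Its one caller, added to `mta_mailserver_delivery` in the hunk at @@ -33137 earlier in this file, wraps the call in `optional_policy()` even though both interfaces live in mta.if, so the guard is a no-op and the permission is effectively unconditional: every domain carrying the `mailserver_delivery` attribute may now read and write the TCP sockets of every other delivery domain, where before only a dontaudit existed. That broadens access across all MTAs at once; the interface summary should say why an allow is needed here rather than the existing dontaudit, or the rule should be narrowed to the specific pair of domains that triggered it.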
@@ -33380,7 +33453,7 @@ index 4e2a5ba..68e2429 100644 ## Read sendmail binary. ## ## -@@ -901,3 +983,170 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -901,3 +1006,170 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -39606,18 +39679,17 @@ index b246bdd..99f27c0 100644 files_read_etc_files(pads_t) files_search_spool(pads_t) diff --git a/passenger.fc b/passenger.fc -index 545518d..e275c31 100644 +index 545518d..7d5bf4c 100644 --- a/passenger.fc +++ b/passenger.fc -@@ -3,6 +3,12 @@ +@@ -3,6 +3,11 @@ /usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) /usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) -+/usr/local/share/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) -+/usr/local/share/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) -+/usr/local/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) -+/usr/local/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) -+ ++/usr/share/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/share/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) + /var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) @@ -46004,7 +46076,7 @@ index 5014056..9505fce 100644 - allow unconfined_qemu_t qemu_exec_t:file execmod; -') 
diff --git a/qmail.fc b/qmail.fc -index 0055e54..f988f51 100644 +index 0055e54..edee505 100644 --- a/qmail.fc +++ b/qmail.fc @@ -17,6 +17,7 @@ @@ -46015,6 +46087,15 @@ index 0055e54..f988f51 100644 /var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) +@@ -25,7 +26,7 @@ ifdef(`distro_debian', ` + + /usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) + +-#/usr/local/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0) ++#/usr/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0) + + /usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) + /usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) diff --git a/qmail.if b/qmail.if index a55bf44..c6dee66 100644 --- a/qmail.if @@ -59852,7 +59933,7 @@ index 904f13e..5801347 100644 + ') ') diff --git a/tor.te b/tor.te -index c842cad..7f05b44 100644 +index c842cad..3c0dfe4 100644 --- a/tor.te +++ b/tor.te @@ -36,12 +36,16 @@ logging_log_file(tor_var_log_t) @@ -59872,15 +59953,18 @@ index c842cad..7f05b44 100644 allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; -@@ -75,7 +79,6 @@ files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file }) +@@ -73,9 +77,9 @@ manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) + files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file }) + kernel_read_system_state(tor_t) ++kernel_read_net_sysctls(tor_t) # networking basics -corenet_all_recvfrom_unlabeled(tor_t) corenet_all_recvfrom_netlabel(tor_t) corenet_tcp_sendrecv_generic_if(tor_t) corenet_udp_sendrecv_generic_if(tor_t) -@@ -87,6 +90,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t) +@@ -87,6 +91,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t) corenet_tcp_bind_generic_node(tor_t) corenet_udp_bind_generic_node(tor_t) corenet_tcp_bind_tor_port(tor_t) 
@@ -59888,7 +59972,7 @@ index c842cad..7f05b44 100644 corenet_udp_bind_dns_port(tor_t) corenet_sendrecv_tor_server_packets(tor_t) corenet_sendrecv_dns_server_packets(tor_t) -@@ -95,13 +99,14 @@ corenet_tcp_connect_all_ports(tor_t) +@@ -95,13 +100,14 @@ corenet_tcp_connect_all_ports(tor_t) corenet_sendrecv_all_client_packets(tor_t) # ... especially including port 80 and other privileged ports corenet_tcp_connect_all_reserved_ports(tor_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index d9a26982..d2bc56b9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.0 -Release: 13%{?dist} +Release: 14%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -491,6 +491,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jul 30 2012 Miroslav Grepl 3.11.0-14 +- Add systemd fixes to make rawhide booting + * Fri Jul 27 2012 Miroslav Grepl 3.11.0-13 - Add systemd_logind_inhibit_var_run_t attribute - Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type
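Review bot: The new changelog line `- Add systemd fixes to make rawhide booting` describes only a small part of this release: most of the diff rewrites `/usr/local/...` file-context paths to `/usr/...` across libraries.fc, logging.fc, cups.fc, java.fc, kerberos.fc, lpd.fc, passenger.fc and qmail.fc, and it also adds `mta_rw_delivery_tcp_sockets` plus several `logging_stream_connect_syslog` calls. One entry per user-visible change, as the 3.11.0-13 entry below does for `corenet_all_recvfrom_unlabeled()`, lets a reader tell a deliberate relabel from a mechanical one; `- Rewrite /usr/local paths in file contexts` would cover the first. Minor: `to make rawhide booting` reads better as `to make rawhide boot`.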