- Turn on allow_postfix_local_write_mail_spool

- Allow initrc_t to transition to shutdown_t - Allow logwatch and cron to mls_read_to_clearance for MLS boxes - Allow wm to send signull to all applications and receive them from users - lircd patch from field - Login programs have to read /etc/samba - New programs under /lib/systemd - Abrt needs to read config files
2010-11-18 17:37:29 +01:00 · 2010-11-18 17:37:29 +01:00 · 4eb45ebeaa
commit 4eb45ebeaa
parent 41ebcc9ac9
4 changed files with 227 additions and 87 deletions
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@ -233,7 +233,7 @@ browser_confine_xguest=false

 # Allow postfix locat to write to mail spool
 # 
-allow_postfix_local_write_mail_spool=false
+allow_postfix_local_write_mail_spool=true

 # Allow common users to read/write noexattrfile systems
 # 
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -1322,6 +1322,13 @@ publicfile = module
 # 
 pulseaudio = module

+# Layer: services
+# Module: pyzor
+#
+# Spam Blocker
+# 
+pyzor = module
+
 # Layer: services
 # Module: qmail
 #
--- a/policy-F15.patch
+++ b/policy-F15.patch
@ -444,7 +444,7 @@ index 3c7b1e8..1e155f5 100644
 +
 +/var/run/epylog\.pid		gen_context(system_u:object_r:logwatch_var_run_t,s0)
 diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
-index 75ce30f..f3347aa 100644
+index 75ce30f..f7dcdf8 100644
 --- a/policy/modules/admin/logwatch.te
 +++ b/policy/modules/admin/logwatch.te
@@ -19,6 +19,9 @@ files_lock_file(logwatch_lock_t)
@ -467,7 +467,16 @@ index 75ce30f..f3347aa 100644
 kernel_read_fs_sysctls(logwatch_t)
 kernel_read_kernel_sysctls(logwatch_t)
 kernel_read_system_state(logwatch_t)
-@@ -92,11 +98,20 @@ sysnet_dns_name_resolve(logwatch_t)
+@@ -70,6 +76,8 @@ fs_getattr_all_fs(logwatch_t)
+ fs_dontaudit_list_auto_mountpoints(logwatch_t)
+ fs_list_inotifyfs(logwatch_t)
+ 
+mls_file_read_to_clearance(logwatch_t)
+
+ term_dontaudit_getattr_pty_dirs(logwatch_t)
+ term_dontaudit_list_ptys(logwatch_t)
+ 
+@@ -92,11 +100,20 @@ sysnet_dns_name_resolve(logwatch_t)
 sysnet_exec_ifconfig(logwatch_t)
 
 userdom_dontaudit_search_user_home_dirs(logwatch_t)
@ -489,6 +498,15 @@ index 75ce30f..f3347aa 100644
 	files_getattr_all_file_type_fs(logwatch_t)
 ')
 
+diff --git a/policy/modules/admin/mcelog.fc b/policy/modules/admin/mcelog.fc
+index 56c43c0..de535e4 100644
+--- a/policy/modules/admin/mcelog.fc
+++ b/policy/modules/admin/mcelog.fc
+@@ -1 +1,4 @@
+ /usr/sbin/mcelog	--	gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+/var/run/mcelog-client  -s 	gen_context(system_u:object_r:mcelog_var_run_t,s0)
+
 diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
 index 5a9cebf..2e08bef 100644
 --- a/policy/modules/admin/mcelog.te
@ -1488,10 +1506,18 @@ index d0604cf..679d61c 100644
 ## </summary>
 ## <param name="domain">
 diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
-index 3863241..5280124 100644
+index 3863241..344a158 100644
 --- a/policy/modules/admin/shutdown.te
 +++ b/policy/modules/admin/shutdown.te
-@@ -38,13 +38,14 @@ domain_use_interactive_fds(shutdown_t)
+@@ -7,6 +7,7 @@ policy_module(shutdown, 1.0.1)
+ 
+ type shutdown_t;
+ type shutdown_exec_t;
+init_system_domain(shutdown_t, shutdown_exec_t)
+ application_domain(shutdown_t, shutdown_exec_t)
+ role system_r types shutdown_t;
+ 
+@@ -38,13 +39,14 @@ domain_use_interactive_fds(shutdown_t)
 files_read_etc_files(shutdown_t)
 files_read_generic_pids(shutdown_t)
 
@ -1508,7 +1534,7 @@ index 3863241..5280124 100644
 init_stream_connect(shutdown_t)
 init_telinit(shutdown_t)
 
-@@ -59,5 +60,10 @@ optional_policy(`
+@@ -59,5 +61,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -1919,7 +1945,7 @@ index 0000000..5ef90cd
 +
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..0738be8
+index 0000000..41a9493
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
@@ -0,0 +1,93 @@
@ -1952,7 +1978,7 @@ index 0000000..0738be8
 +allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
 +allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
 +allow chrome_sandbox_t self:shm create_shm_perms;
-+allow chrome_sandbox_t self:netlink_route_socket  create_socket_perms;
+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
 +
 +manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
 +manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
@ -4292,10 +4318,10 @@ index 0000000..717eb3f
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
 new file mode 100644
-index 0000000..4dbb161
+index 0000000..c06e99e
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.if
-@@ -0,0 +1,436 @@
+@@ -0,0 +1,455 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@ -4732,6 +4758,25 @@ index 0000000..4dbb161
 +
 +	userdom_user_home_content_filetrans($1, nsplugin_home_t,  $2)
 +')
+
+########################################
+## <summary>
+##	Send signull signal to nsplugin
+##	processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_signull',`
+	gen_require(`
+		type nsplugin_t;
+	')
+
+	allow $1 nsplugin_t:process signull;
+')
 diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
 new file mode 100644
 index 0000000..182e476
@ -7405,10 +7450,24 @@ index d4e9877..ebb6ca4 100644
 
 type wireshark_tmp_t;
 diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
-index 82842a0..369c3b5 100644
+index 82842a0..4111a1d 100644
 --- a/policy/modules/apps/wm.if
 +++ b/policy/modules/apps/wm.if
-@@ -75,6 +75,10 @@ template(`wm_role_template',`
+@@ -44,7 +44,7 @@ template(`wm_role_template',`
+ 
+ 	allow $1_wm_t $3:unix_stream_socket connectto;
+ 	allow $3 $1_wm_t:unix_stream_socket connectto;
+-	allow $3 $1_wm_t:process { signal sigchld };
+	allow $3 $1_wm_t:process { signal sigchld signull };
+ 	allow $1_wm_t $3:process { signull sigkill };
+ 
+ 	allow $1_wm_t $3:dbus send_msg;
+@@ -72,9 +72,15 @@ template(`wm_role_template',`
+ 
+ 	auth_use_nsswitch($1_wm_t)
+ 
+	application_signull($1_wm_t)
+
 	miscfiles_read_fonts($1_wm_t)
 	miscfiles_read_localization($1_wm_t)
 
@ -12560,7 +12619,7 @@ index 0b827c5..8961dba 100644
 	admin_pattern($1, abrt_tmp_t)
 ')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 98646c4..73ae7f0 100644
+index 98646c4..5fdea83 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
@@ -5,6 +5,14 @@ policy_module(abrt, 1.1.1)
@ -12587,7 +12646,15 @@ index 98646c4..73ae7f0 100644
 
 allow abrt_t self:fifo_file rw_fifo_file_perms;
 allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -69,6 +77,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -59,6 +67,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
+ allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+ # abrt etc files
+list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+ rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+ 
+ # log file
+@@ -69,6 +78,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
 manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@ -12595,7 +12662,7 @@ index 98646c4..73ae7f0 100644
 
 # abrt var/cache files
 manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,7 +91,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,7 +92,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@ -12604,15 +12671,17 @@ index 98646c4..73ae7f0 100644
 
 kernel_read_ring_buffer(abrt_t)
 kernel_read_system_state(abrt_t)
-@@ -114,6 +123,7 @@ domain_signull_all_domains(abrt_t)
+@@ -113,7 +123,8 @@ domain_read_all_domains_state(abrt_t)
+ domain_signull_all_domains(abrt_t)
 
 files_getattr_all_files(abrt_t)
- files_read_etc_files(abrt_t)
+-files_read_etc_files(abrt_t)
+files_read_config_files(abrt_t)
 +files_read_etc_runtime_files(abrt_t)
 files_read_var_symlinks(abrt_t)
 files_read_var_lib_files(abrt_t)
 files_read_usr_files(abrt_t)
-@@ -121,6 +131,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +132,8 @@ files_read_generic_tmp_files(abrt_t)
 files_read_kernel_modules(abrt_t)
 files_dontaudit_list_default(abrt_t)
 files_dontaudit_read_default_files(abrt_t)
@ -12621,7 +12690,7 @@ index 98646c4..73ae7f0 100644
 
 fs_list_inotifyfs(abrt_t)
 fs_getattr_all_fs(abrt_t)
-@@ -131,7 +143,7 @@ fs_read_nfs_files(abrt_t)
+@@ -131,7 +144,7 @@ fs_read_nfs_files(abrt_t)
 fs_read_nfs_symlinks(abrt_t)
 fs_search_all(abrt_t)
 
@ -12630,7 +12699,7 @@ index 98646c4..73ae7f0 100644
 
 logging_read_generic_logs(abrt_t)
 logging_send_syslog_msg(abrt_t)
-@@ -140,6 +152,15 @@ miscfiles_read_generic_certs(abrt_t)
+@@ -140,6 +153,15 @@ miscfiles_read_generic_certs(abrt_t)
 miscfiles_read_localization(abrt_t)
 
 userdom_dontaudit_read_user_home_content_files(abrt_t)
@ -12646,7 +12715,7 @@ index 98646c4..73ae7f0 100644
 
 optional_policy(`
 	dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +171,11 @@ optional_policy(`
+@@ -150,6 +172,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -12658,7 +12727,7 @@ index 98646c4..73ae7f0 100644
 	policykit_dbus_chat(abrt_t)
 	policykit_domtrans_auth(abrt_t)
 	policykit_read_lib(abrt_t)
-@@ -178,12 +204,18 @@ optional_policy(`
+@@ -178,12 +205,18 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -12678,7 +12747,7 @@ index 98646c4..73ae7f0 100644
 #
 
 allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -203,6 +235,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+@@ -203,6 +236,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
 domain_read_all_domains_state(abrt_helper_t)
 
 files_read_etc_files(abrt_helper_t)
@ -12686,7 +12755,7 @@ index 98646c4..73ae7f0 100644
 
 fs_list_inotifyfs(abrt_helper_t)
 fs_getattr_all_fs(abrt_helper_t)
-@@ -216,7 +249,8 @@ miscfiles_read_localization(abrt_helper_t)
+@@ -216,7 +250,8 @@ miscfiles_read_localization(abrt_helper_t)
 term_dontaudit_use_all_ttys(abrt_helper_t)
 term_dontaudit_use_all_ptys(abrt_helper_t)
 
@ -12696,7 +12765,7 @@ index 98646c4..73ae7f0 100644
 	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
 	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
 	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +258,18 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +259,18 @@ ifdef(`hide_broken_symptoms', `
 	dev_dontaudit_write_all_chr_files(abrt_helper_t)
 	dev_dontaudit_write_all_blk_files(abrt_helper_t)
 	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@ -16244,7 +16313,7 @@ index d020c93..e5cbcef 100644
 	cgroup_initrc_domtrans_cgconfig($1)
 	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
-index 8ca2333..63a18fc 100644
+index 8ca2333..8750492 100644
 --- a/policy/modules/services/cgroup.te
 +++ b/policy/modules/services/cgroup.te
@@ -22,8 +22,8 @@ files_pid_file(cgred_var_run_t)
@ -16263,7 +16332,7 @@ index 8ca2333..63a18fc 100644
 #
 
 -allow cgconfig_t self:capability { chown sys_admin };
-+allow cgconfig_t self:capability { dac_override fowner chown sys_admin };
+allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin };
 
 allow cgconfig_t cgconfig_etc_t:file read_file_perms;
 
@ -17939,7 +18008,7 @@ index 35241ed..b6402c9 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f35b243..2a7f7f4 100644
+index f35b243..6d44d8c 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@ -18163,7 +18232,7 @@ index f35b243..2a7f7f4 100644
 allow system_cronjob_t self:process { signal_perms getsched setsched };
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
-@@ -301,10 +351,17 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -301,10 +351,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
 
 # This is to handle /var/lib/misc directory.  Used currently
 # by prelink var/lib files for cron 
@ -18176,13 +18245,15 @@ index f35b243..2a7f7f4 100644
 +
 allow system_cronjob_t system_cron_spool_t:file read_file_perms;
 +
+mls_file_read_to_clearance(system_cronjob_t)
+
 +# anacron forces the following
 +manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
 +
 # The entrypoint interface is not used as this is not
 # a regular entrypoint.  Since crontab files are
 # not directly executed, crond must ensure that
-@@ -324,6 +381,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -324,6 +383,7 @@ allow crond_t system_cronjob_t:fd use;
 allow system_cronjob_t crond_t:fd use;
 allow system_cronjob_t crond_t:fifo_file rw_file_perms;
 allow system_cronjob_t crond_t:process sigchld;
@ -18190,7 +18261,7 @@ index f35b243..2a7f7f4 100644
 
 # Write /var/lock/makewhatis.lock.
 allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -335,9 +393,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -335,9 +395,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
 files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
 
@ -18205,7 +18276,7 @@ index f35b243..2a7f7f4 100644
 
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
-@@ -360,6 +422,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -360,6 +424,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
 dev_getattr_all_blk_files(system_cronjob_t)
 dev_getattr_all_chr_files(system_cronjob_t)
 dev_read_urand(system_cronjob_t)
@ -18213,7 +18284,7 @@ index f35b243..2a7f7f4 100644
 
 fs_getattr_all_fs(system_cronjob_t)
 fs_getattr_all_files(system_cronjob_t)
-@@ -386,6 +449,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -386,6 +451,7 @@ files_dontaudit_search_pids(system_cronjob_t)
 # Access other spool directories like
 # /var/spool/anacron and /var/spool/slrnpull.
 files_manage_generic_spool(system_cronjob_t)
@ -18221,7 +18292,7 @@ index f35b243..2a7f7f4 100644
 
 init_use_script_fds(system_cronjob_t)
 init_read_utmp(system_cronjob_t)
-@@ -408,8 +472,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -408,8 +474,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
 
 seutil_read_config(system_cronjob_t)
 
@ -18233,7 +18304,7 @@ index f35b243..2a7f7f4 100644
 	# via redirection of standard out.
 	optional_policy(`
 		rpm_manage_log(system_cronjob_t)
-@@ -434,6 +500,8 @@ optional_policy(`
+@@ -434,6 +502,8 @@ optional_policy(`
 	apache_read_config(system_cronjob_t)
 	apache_read_log(system_cronjob_t)
 	apache_read_sys_content(system_cronjob_t)
@ -18242,7 +18313,7 @@ index f35b243..2a7f7f4 100644
 ')
 
 optional_policy(`
-@@ -441,6 +509,14 @@ optional_policy(`
+@@ -441,6 +511,14 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18257,7 +18328,7 @@ index f35b243..2a7f7f4 100644
 	ftp_read_log(system_cronjob_t)
 ')
 
-@@ -451,15 +527,24 @@ optional_policy(`
+@@ -451,15 +529,24 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18282,7 +18353,7 @@ index f35b243..2a7f7f4 100644
 ')
 
 optional_policy(`
-@@ -475,7 +560,7 @@ optional_policy(`
+@@ -475,7 +562,7 @@ optional_policy(`
 	prelink_manage_lib(system_cronjob_t)
 	prelink_manage_log(system_cronjob_t)
 	prelink_read_cache(system_cronjob_t)
@ -18291,7 +18362,7 @@ index f35b243..2a7f7f4 100644
 ')
 
 optional_policy(`
-@@ -490,6 +575,7 @@ optional_policy(`
+@@ -490,6 +577,7 @@ optional_policy(`
 
 optional_policy(`
 	spamassassin_manage_lib_files(system_cronjob_t)
@ -18299,7 +18370,7 @@ index f35b243..2a7f7f4 100644
 ')
 
 optional_policy(`
-@@ -497,7 +583,13 @@ optional_policy(`
+@@ -497,7 +585,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18313,7 +18384,7 @@ index f35b243..2a7f7f4 100644
 	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
 ')
 
-@@ -590,9 +682,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -590,9 +684,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
 #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
 
 list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@ -19401,10 +19472,10 @@ index 0000000..60c81d6
 +')
 diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te
 new file mode 100644
-index 0000000..a7eee5f
+index 0000000..c88f611
 --- /dev/null
 +++ b/policy/modules/services/dirsrv-admin.te
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,94 @@
 +policy_module(dirsrv-admin,1.0.0) 
 +
 +########################################
@ -19443,6 +19514,8 @@ index 0000000..a7eee5f
 +
 +files_exec_etc_files(dirsrvadmin_t)
 +
+libs_exec_ld_so(dirsrvadmin_t)
+
 +logging_search_logs(dirsrvadmin_t)
 +
 +miscfiles_read_localization(dirsrvadmin_t)
@ -23109,7 +23182,7 @@ index ae9d49f..65e6d81 100644
 manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
 
 diff --git a/policy/modules/services/lircd.if b/policy/modules/services/lircd.if
-index 418cc81..5cfe950 100644
+index 418cc81..b9a3327 100644
 --- a/policy/modules/services/lircd.if
 +++ b/policy/modules/services/lircd.if
@@ -5,9 +5,9 @@
@ -23132,46 +23205,66 @@ index 418cc81..5cfe950 100644
 ')
 
 ######################################
-@@ -44,9 +43,9 @@ interface(`lircd_stream_connect',`
- ##	Read lircd etc file
- ## </summary>
- ## <param name="domain">
+@@ -39,24 +38,6 @@ interface(`lircd_stream_connect',`
+ 	stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t)
+ ')
+ 
+-#######################################
 -## <summary>
-+##	<summary>
- ##	Domain allowed access.
+-##	Read lircd etc file
 -## </summary>
-+##	</summary>
- ## </param>
- #
- interface(`lircd_read_config',`
-@@ -76,8 +75,8 @@ interface(`lircd_read_config',`
- #
+-## <param name="domain">
+-## <summary>
+-##	Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`lircd_read_config',`
+-	gen_require(`
+-		type lircd_etc_t;
+-	')
+-
+-	read_files_pattern($1, lircd_etc_t, lircd_etc_t)
+-')
+-
+ ########################################
+ ## <summary>
+ ##	All of the rules required to administrate
+@@ -77,7 +58,7 @@ interface(`lircd_read_config',`
 interface(`lircd_admin',`
 	gen_require(`
-		type lircd_t, lircd_var_run_t;
+ 		type lircd_t, lircd_var_run_t;
 -		type lircd_initrc_exec_t, lircd_etc_t;
-+		type lircd_t, lircd_var_run_t, lircd_etc_t;
 +		type lircd_initrc_exec_t;
 	')
 
 	allow $1 lircd_t:process { ptrace signal_perms };
-@@ -88,9 +87,9 @@ interface(`lircd_admin',`
+@@ -88,9 +69,6 @@ interface(`lircd_admin',`
 	role_transition $2 lircd_initrc_exec_t system_r;
 	allow $2 system_r;
 
 -	files_search_etc($1)
-+	files_list_etc($1)
- 	admin_pattern($1, lircd_etc_t)
- 
+-	admin_pattern($1, lircd_etc_t)
+-
 -	files_search_pids($1)
 +	files_list_pids($1)
 	admin_pattern($1, lircd_var_run_t)
 ')
 diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
-index 6a78de1..02f6985 100644
+index 6a78de1..d90cb9b 100644
 --- a/policy/modules/services/lircd.te
 +++ b/policy/modules/services/lircd.te
-@@ -24,6 +24,7 @@ files_pid_file(lircd_var_run_t)
+@@ -12,9 +12,6 @@ init_daemon_domain(lircd_t, lircd_exec_t)
+ type lircd_initrc_exec_t;
+ init_script_file(lircd_initrc_exec_t)
+ 
+-type lircd_etc_t;
+-files_type(lircd_etc_t)
+-
+ type lircd_var_run_t alias lircd_sock_t;
+ files_pid_file(lircd_var_run_t)
+ 
+@@ -24,17 +21,15 @@ files_pid_file(lircd_var_run_t)
 #
 
 allow lircd_t self:capability { chown kill sys_admin };
@ -23179,7 +23272,10 @@ index 6a78de1..02f6985 100644
 allow lircd_t self:fifo_file rw_fifo_file_perms;
 allow lircd_t self:unix_dgram_socket create_socket_perms;
 allow lircd_t self:tcp_socket create_stream_socket_perms;
-@@ -34,7 +35,7 @@ read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
+ 
+-# etc file
+-read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
+-
 manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
 manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
 manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
@ -23188,7 +23284,7 @@ index 6a78de1..02f6985 100644
 # /dev/lircd socket
 dev_filetrans(lircd_t, lircd_var_run_t, sock_file)
 
-@@ -44,7 +45,7 @@ corenet_tcp_bind_lirc_port(lircd_t)
+@@ -44,13 +39,13 @@ corenet_tcp_bind_lirc_port(lircd_t)
 corenet_tcp_sendrecv_all_ports(lircd_t)
 corenet_tcp_connect_lirc_port(lircd_t)
 
@ -23197,6 +23293,13 @@ index 6a78de1..02f6985 100644
 dev_read_mouse(lircd_t)
 dev_filetrans_lirc(lircd_t)
 dev_rw_lirc(lircd_t)
+ dev_rw_input_dev(lircd_t)
+ 
+-files_read_etc_files(lircd_t)
+files_read_config_files(lircd_t)
+ files_list_var(lircd_t)
+ files_manage_generic_locks(lircd_t)
+ files_read_all_locks(lircd_t)
 diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
 index a4f32f5..ea7dca0 100644
 --- a/policy/modules/services/lpd.if
@ -28408,7 +28511,7 @@ index 46bee12..b87375e 100644
 +	role $2 types postfix_postdrop_t;
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..628fcda 100644
+index 06e37d4..cffba21 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
@ -28420,7 +28523,7 @@ index 06e37d4..628fcda 100644
 +##	Allow postfix_local domain full write access to mail_spool directories
 +##	</p>
 +## </desc>
-+gen_tunable(allow_postfix_local_write_mail_spool, false)
+gen_tunable(allow_postfix_local_write_mail_spool, true)
 +
 +attribute postfix_spool_type;
 attribute postfix_user_domains;
@ -35375,6 +35478,19 @@ index a0794bf..37c056b 100644
 	daemontools_read_svc(ucspitcp_t)
 ')
 +
+diff --git a/policy/modules/services/ulogd.fc b/policy/modules/services/ulogd.fc
+index 831b4a3..a206464 100644
+--- a/policy/modules/services/ulogd.fc
+++ b/policy/modules/services/ulogd.fc
+@@ -1,7 +1,7 @@
+ /etc/rc\.d/init\.d/ulogd	--	gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
+ /etc/ulogd.conf			--	gen_context(system_u:object_r:ulogd_etc_t,s0)
+ 
+-/usr/lib/ulogd(/.*)?			gen_context(system_u:object_r:ulogd_modules_t,s0)	
+/usr/lib(64)?/ulogd(/.*)?		gen_context(system_u:object_r:ulogd_modules_t,s0)	
+ /usr/sbin/ulogd			--	gen_context(system_u:object_r:ulogd_exec_t,s0)
+ 
+ /var/log/ulogd(/.*)?			gen_context(system_u:object_r:ulogd_var_log_t,s0)
 diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if
 index b078bf7..fd72fe8 100644
 --- a/policy/modules/services/ulogd.if
@ -35430,20 +35546,25 @@ index b078bf7..fd72fe8 100644
 	admin_pattern($1, ulogd_modules_t)
 ')
 diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te
-index eeaa641..ef97cb3 100644
+index eeaa641..6456c06 100644
 --- a/policy/modules/services/ulogd.te
 +++ b/policy/modules/services/ulogd.te
-@@ -31,6 +31,9 @@ logging_log_file(ulogd_var_log_t)
+@@ -29,8 +29,13 @@ logging_log_file(ulogd_var_log_t)
+ # ulogd local policy
+ #
 
- allow ulogd_t self:capability net_admin;
+-allow ulogd_t self:capability net_admin;
+allow ulogd_t self:capability { net_admin sys_nice };
+allow ulogd_t self:process { setsched };
 allow ulogd_t self:netlink_nflog_socket create_socket_perms;
 +allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
+allow ulogd_t self:netlink_socket create_socket_perms;
 +allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };
 +allow ulogd_t self:udp_socket create_socket_perms;
 
 # config files
 read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
-@@ -43,6 +46,19 @@ mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
+@@ -43,6 +48,19 @@ mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
 manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
 logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
 
@ -39747,7 +39868,7 @@ index 1c4b1e7..ffa4134 100644
 /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index bea0ade..f459bae 100644
+index bea0ade..08a608f 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@ -39794,7 +39915,7 @@ index bea0ade..f459bae 100644
 	manage_files_pattern($1, var_auth_t, var_auth_t)
 
 	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -119,6 +130,10 @@ interface(`auth_login_pgm_domain',`
+@@ -119,13 +130,19 @@ interface(`auth_login_pgm_domain',`
 	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
 	kernel_rw_afs_state($1)
 
@ -39805,8 +39926,9 @@ index bea0ade..f459bae 100644
 	# for fingerprint readers
 	dev_rw_input_dev($1)
 	dev_rw_generic_usb_dev($1)
-@@ -126,6 +141,8 @@ interface(`auth_login_pgm_domain',`
- 	files_read_etc_files($1)
+ 
+-	files_read_etc_files($1)
+	files_read_config_files($1)
 
 	fs_list_auto_mountpoints($1)
 +	fs_manage_cgroup_dirs($1)
@ -40381,10 +40503,10 @@ index 1fd31c1..683494c 100644
 	xen_dontaudit_use_fds(hostname_t)
 ')
 diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 9775375..51bde2a 100644
+index 9775375..41a244a 100644
 --- a/policy/modules/system/init.fc
 +++ b/policy/modules/system/init.fc
-@@ -24,7 +24,19 @@ ifdef(`distro_gentoo',`
+@@ -24,7 +24,20 @@ ifdef(`distro_gentoo',`
 #
 # /sbin
 #
@ -40395,6 +40517,7 @@ index 9775375..51bde2a 100644
 +# systemd init scripts
 +#
 +/lib/systemd/[^/]*	--	gen_context(system_u:object_r:init_exec_t,s0)
+/lib/systemd/system-generators/[^/]*	--	gen_context(system_u:object_r:init_exec_t,s0)
 +
 +#
 +# /sbin
@ -40404,7 +40527,7 @@ index 9775375..51bde2a 100644
 
 ifdef(`distro_gentoo', `
 /sbin/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
-@@ -44,6 +56,9 @@ ifdef(`distro_gentoo', `
+@@ -44,6 +57,9 @@ ifdef(`distro_gentoo', `
 
 /usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
@ -42657,7 +42780,7 @@ index c7cfb62..db7ad6b 100644
 	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
 	domain_system_change_exemption($1)
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index aa2b0a6..ec04f4f 100644
+index aa2b0a6..fc5aa2c 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
@@ -60,6 +60,7 @@ files_type(syslog_conf_t)
@ -42739,23 +42862,23 @@ index aa2b0a6..ec04f4f 100644
 
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
-@@ -369,8 +393,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -369,9 +393,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
 
 +manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
 manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
 files_search_var_lib(syslogd_t)
-+files_search_spool(syslogd_t)
-+
+ 
 +manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 +manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 +manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 +files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
- 
+
 # manage pid file
 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
-@@ -412,6 +443,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
+ files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
+@@ -412,6 +442,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
 
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
@ -42763,7 +42886,7 @@ index aa2b0a6..ec04f4f 100644
 
 domain_use_interactive_fds(syslogd_t)
 
-@@ -488,6 +520,10 @@ optional_policy(`
+@@ -488,6 +519,10 @@ optional_policy(`
 ')
 
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.9
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -471,6 +471,16 @@ exit 0
 %endif

 %changelog
+* Thu Nov 18 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-2
+- Turn on allow_postfix_local_write_mail_spool
+- Allow initrc_t to transition to shutdown_t
+- Allow logwatch and cron to mls_read_to_clearance for MLS boxes
+- Allow wm to send signull to all applications and receive them from users
+- lircd patch from field
+- Login programs have to read /etc/samba
+- New programs under /lib/systemd
+- Abrt needs to read config files
+
 * Tue Nov 16 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-1
 - Update to upstream
 - Dontaudit leaked sockets from userdomains to user domains