+- Use fs_use_xattr for squashf

+- Fix procs_type interface +- Dovecot has a new fifo_file /var/run/dovecot/stats-mail +- Dovecot has a new fifo_file /var/run/stats-mail +- Colord does not need to connect to network +- Allow system_cronjob to dbus chat with NetworkManager +- Puppet manages content, want to make sure it labels everything correctly
2011-12-01 18:25:51 +01:00 · 2011-12-01 18:25:51 +01:00 · 4fe804b367
commit 4fe804b367
parent e5768e0fb6
2 changed files with 194 additions and 85 deletions
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -18475,7 +18475,7 @@ index ff006ea..b682bcf 100644
 +	dontaudit $1 file_type:dir_file_class_set write;
 +')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 22821ff..4e8d594 100644
+index 22821ff..4486d80 100644
 --- a/policy/modules/kernel/files.te
 +++ b/policy/modules/kernel/files.te
@@ -10,7 +10,9 @@ attribute files_unconfined_type;
@ -18515,7 +18515,7 @@ index 22821ff..4e8d594 100644
 #
 type system_map_t;
 files_type(system_map_t)
-+procs_type(system_map_t)
+kernel_proc_type(system_map_t)
 genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
 
 #
@ -19114,10 +19114,18 @@ index 97fcdac..6342520 100644
 +')
 +
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index f125dc2..3c6e827 100644
+index f125dc2..f5e522e 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
-@@ -52,6 +52,7 @@ type anon_inodefs_t;
+@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
+ 
+ # Use the allocating task SID to label inodes in the following filesystem
+ # types, and label the filesystem itself with the specified context.
+@@ -52,6 +53,7 @@ type anon_inodefs_t;
 fs_type(anon_inodefs_t)
 files_mountpoint(anon_inodefs_t)
 genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
@ -19125,7 +19133,7 @@ index f125dc2..3c6e827 100644
 
 type bdev_t;
 fs_type(bdev_t)
-@@ -67,7 +68,7 @@ fs_type(capifs_t)
+@@ -67,7 +69,7 @@ fs_type(capifs_t)
 files_mountpoint(capifs_t)
 genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
 
@ -19134,7 +19142,7 @@ index f125dc2..3c6e827 100644
 fs_type(cgroup_t)
 files_type(cgroup_t)
 files_mountpoint(cgroup_t)
-@@ -96,6 +97,7 @@ type hugetlbfs_t;
+@@ -96,6 +98,7 @@ type hugetlbfs_t;
 fs_type(hugetlbfs_t)
 files_mountpoint(hugetlbfs_t)
 fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@ -19142,7 +19150,19 @@ index f125dc2..3c6e827 100644
 
 type ibmasmfs_t;
 fs_type(ibmasmfs_t)
-@@ -175,6 +177,7 @@ fs_type(tmpfs_t)
+@@ -144,11 +147,6 @@ fs_type(spufs_t)
+ genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
+ files_mountpoint(spufs_t)
+ 
+-type squash_t;
+-fs_type(squash_t)
+-genfscon squash / gen_context(system_u:object_r:squash_t,s0)
+-files_mountpoint(squash_t)
+-
+ type sysv_t;
+ fs_noxattr_type(sysv_t)
+ files_mountpoint(sysv_t)
+@@ -175,6 +173,7 @@ fs_type(tmpfs_t)
 files_type(tmpfs_t)
 files_mountpoint(tmpfs_t)
 files_poly_parent(tmpfs_t)
@ -19150,7 +19170,7 @@ index f125dc2..3c6e827 100644
 
 # Use a transition SID based on the allocating task SID and the
 # filesystem SID to label inodes in the following filesystem types,
-@@ -254,6 +257,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -254,6 +253,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
 type removable_t;
 allow removable_t noxattrfs:filesystem associate;
 fs_noxattr_type(removable_t)
@ -19159,7 +19179,7 @@ index f125dc2..3c6e827 100644
 files_mountpoint(removable_t)
 
 #
-@@ -273,6 +278,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -273,6 +274,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@ -19168,7 +19188,7 @@ index f125dc2..3c6e827 100644
 ########################################
 #
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 6346378..4845190 100644
+index 6346378..34c6897 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
@@ -345,13 +345,8 @@ interface(`kernel_load_module',`
@ -19383,9 +19403,9 @@ index 6346378..4845190 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`procs_type',`
+interface(`kernel_proc_type',`
 +	gen_require(`
-+		attribute proc_type
+		attribute proc_type;
 +	')
 +
 +	typeattribute $1 proc_type;
@ -31285,24 +31305,10 @@ index 0000000..ca71d08
 +')
 +
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..2f9b1bc 100644
+index 74505cc..be3683b 100644
 --- a/policy/modules/services/colord.te
 +++ b/policy/modules/services/colord.te
-@@ -5,6 +5,13 @@ policy_module(colord, 1.0.0)
- # Declarations
- #
- 
-+## <desc>
-+##  <p>
-+##  Allow colord domain to connect to the network using TCP.
-+##  </p>
-+## </desc>
-+gen_tunable(colord_can_network_connect, false)
-+
- type colord_t;
- type colord_exec_t;
- dbus_system_domain(colord_t, colord_exec_t)
-@@ -23,9 +30,11 @@ files_type(colord_var_lib_t)
+@@ -23,9 +23,11 @@ files_type(colord_var_lib_t)
 # colord local policy
 #
 allow colord_t self:capability { dac_read_search dac_override };
@ -31314,7 +31320,7 @@ index 74505cc..2f9b1bc 100644
 allow colord_t self:udp_socket create_socket_perms;
 allow colord_t self:unix_dgram_socket create_socket_perms;
 
-@@ -41,8 +50,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+@@ -41,8 +43,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
 
@ -31330,7 +31336,7 @@ index 74505cc..2f9b1bc 100644
 
 corenet_all_recvfrom_unlabeled(colord_t)
 corenet_all_recvfrom_netlabel(colord_t)
-@@ -50,6 +65,8 @@ corenet_udp_bind_generic_node(colord_t)
+@@ -50,6 +58,8 @@ corenet_udp_bind_generic_node(colord_t)
 corenet_udp_bind_ipp_port(colord_t)
 corenet_tcp_connect_ipp_port(colord_t)
 
@ -31339,7 +31345,7 @@ index 74505cc..2f9b1bc 100644
 dev_read_video_dev(colord_t)
 dev_write_video_dev(colord_t)
 dev_rw_printer(colord_t)
-@@ -65,19 +82,37 @@ files_list_mnt(colord_t)
+@@ -65,19 +75,33 @@ files_list_mnt(colord_t)
 files_read_etc_files(colord_t)
 files_read_usr_files(colord_t)
 
@ -31363,10 +31369,6 @@ index 74505cc..2f9b1bc 100644
 +userdom_rw_user_tmpfs_files(colord_t)
 +
 +userdom_home_reader(colord_t)
-+
-+tunable_policy(`colord_can_network_connect',`
-+    corenet_tcp_connect_all_ports(colord_t)
-+')
 
 tunable_policy(`use_nfs_home_dirs',`
 +	fs_getattr_nfs(colord_t)
@ -31378,7 +31380,7 @@ index 74505cc..2f9b1bc 100644
 	fs_read_cifs_files(colord_t)
 ')
 
-@@ -89,6 +124,12 @@ optional_policy(`
+@@ -89,6 +113,12 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -31391,7 +31393,7 @@ index 74505cc..2f9b1bc 100644
 	policykit_dbus_chat(colord_t)
 	policykit_domtrans_auth(colord_t)
 	policykit_read_lib(colord_t)
-@@ -96,5 +137,16 @@ optional_policy(`
+@@ -96,5 +126,16 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -32485,7 +32487,7 @@ index 35241ed..7a0913c 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..230cbb2 100644
+index f7583ab..a4d25d9 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@ -32878,7 +32880,18 @@ index f7583ab..230cbb2 100644
 ')
 
 optional_policy(`
-@@ -480,7 +582,7 @@ optional_policy(`
+@@ -472,6 +574,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+	networkmanager_dbus_chat(system_cronjob_t)
+')
+
+optional_policy(`
+ 	postfix_read_config(system_cronjob_t)
+ ')	
+ 
+@@ -480,7 +586,7 @@ optional_policy(`
 	prelink_manage_lib(system_cronjob_t)
 	prelink_manage_log(system_cronjob_t)
 	prelink_read_cache(system_cronjob_t)
@ -32887,7 +32900,7 @@ index f7583ab..230cbb2 100644
 ')
 
 optional_policy(`
-@@ -495,6 +597,7 @@ optional_policy(`
+@@ -495,6 +601,7 @@ optional_policy(`
 
 optional_policy(`
 	spamassassin_manage_lib_files(system_cronjob_t)
@ -32895,7 +32908,7 @@ index f7583ab..230cbb2 100644
 ')
 
 optional_policy(`
-@@ -502,7 +605,13 @@ optional_policy(`
+@@ -502,7 +609,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -32909,7 +32922,7 @@ index f7583ab..230cbb2 100644
 	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
 ')
 
-@@ -595,9 +704,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +708,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
 #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
 
 list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@ -36655,7 +36668,7 @@ index e1d7dc5..0557be0 100644
 	admin_pattern($1, dovecot_var_run_t)
 
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..194f170 100644
+index acf6d4f..47969fe 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@ -36709,7 +36722,7 @@ index acf6d4f..194f170 100644
 files_search_etc(dovecot_t)
 
 can_exec(dovecot_t, dovecot_exec_t)
-@@ -94,10 +99,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+@@ -94,10 +99,12 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 
@ -36718,11 +36731,12 @@ index acf6d4f..194f170 100644
 manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 -files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
-+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file })
+manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
 
 kernel_read_kernel_sysctls(dovecot_t)
 kernel_read_system_state(dovecot_t)
-@@ -110,6 +116,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
+@@ -110,6 +117,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
 corenet_tcp_bind_generic_node(dovecot_t)
 corenet_tcp_bind_mail_port(dovecot_t)
 corenet_tcp_bind_pop_port(dovecot_t)
@ -36730,7 +36744,7 @@ index acf6d4f..194f170 100644
 corenet_tcp_bind_sieve_port(dovecot_t)
 corenet_tcp_connect_all_ports(dovecot_t)
 corenet_tcp_connect_postgresql_port(dovecot_t)
-@@ -135,6 +142,7 @@ files_dontaudit_list_default(dovecot_t)
+@@ -135,6 +143,7 @@ files_dontaudit_list_default(dovecot_t)
 # Dovecot now has quota support and it uses getmntent() to find the mountpoints.
 files_read_etc_runtime_files(dovecot_t)
 files_search_all_mountpoints(dovecot_t)
@ -36738,7 +36752,7 @@ index acf6d4f..194f170 100644
 
 init_getattr_utmp(dovecot_t)
 
-@@ -145,6 +153,7 @@ logging_send_syslog_msg(dovecot_t)
+@@ -145,6 +154,7 @@ logging_send_syslog_msg(dovecot_t)
 miscfiles_read_generic_certs(dovecot_t)
 miscfiles_read_localization(dovecot_t)
 
@ -36746,7 +36760,7 @@ index acf6d4f..194f170 100644
 userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
 userdom_manage_user_home_content_dirs(dovecot_t)
 userdom_manage_user_home_content_files(dovecot_t)
-@@ -160,6 +169,15 @@ optional_policy(`
+@@ -160,6 +170,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36762,7 +36776,7 @@ index acf6d4f..194f170 100644
 	postgresql_stream_connect(dovecot_t)
 ')
 
-@@ -180,8 +198,8 @@ optional_policy(`
+@@ -180,8 +199,8 @@ optional_policy(`
 # dovecot auth local policy
 #
 
@ -36773,7 +36787,7 @@ index acf6d4f..194f170 100644
 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +208,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -190,6 +209,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
 
 read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
 
@ -36783,7 +36797,7 @@ index acf6d4f..194f170 100644
 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,9 +222,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -201,9 +223,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
 kernel_read_all_sysctls(dovecot_auth_t)
 kernel_read_system_state(dovecot_auth_t)
 
@ -36796,7 +36810,7 @@ index acf6d4f..194f170 100644
 dev_read_urand(dovecot_auth_t)
 
 auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -216,7 +240,8 @@ files_read_usr_files(dovecot_auth_t)
+@@ -216,7 +241,8 @@ files_read_usr_files(dovecot_auth_t)
 files_read_usr_symlinks(dovecot_auth_t)
 files_read_var_lib_files(dovecot_auth_t)
 files_search_tmp(dovecot_auth_t)
@ -36806,7 +36820,7 @@ index acf6d4f..194f170 100644
 
 init_rw_utmp(dovecot_auth_t)
 
-@@ -236,6 +261,8 @@ optional_policy(`
+@@ -236,6 +262,8 @@ optional_policy(`
 optional_policy(`
 	mysql_search_db(dovecot_auth_t)
 	mysql_stream_connect(dovecot_auth_t)
@ -36815,7 +36829,7 @@ index acf6d4f..194f170 100644
 ')
 
 optional_policy(`
-@@ -243,6 +270,8 @@ optional_policy(`
+@@ -243,6 +271,8 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36824,7 +36838,7 @@ index acf6d4f..194f170 100644
 	postfix_search_spool(dovecot_auth_t)
 ')
 
-@@ -250,23 +279,42 @@ optional_policy(`
+@@ -250,23 +280,42 @@ optional_policy(`
 #
 # dovecot deliver local policy
 #
@ -36869,7 +36883,7 @@ index acf6d4f..194f170 100644
 
 miscfiles_read_localization(dovecot_deliver_t)
 
-@@ -283,24 +331,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +332,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
 userdom_manage_user_home_content_sockets(dovecot_deliver_t)
 userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
 
@ -53252,7 +53266,7 @@ index 2855a44..58bb459 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..fa3c113 100644
+index 64c5f95..39d23dc 100644
 --- a/policy/modules/services/puppet.te
 +++ b/policy/modules/services/puppet.te
@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
@ -53376,7 +53390,7 @@ index 64c5f95..fa3c113 100644
 	files_rw_var_files(puppet_t)
 
 	rpm_domtrans(puppet_t)
-@@ -156,13 +188,68 @@ optional_policy(`
+@@ -156,13 +188,136 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -53387,8 +53401,77 @@ index 64c5f95..fa3c113 100644
 +    usermanage_access_check_useradd(puppet_t)
 +')
 +
-+########################################
-+#
+optional_policy(`
+	auth_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+	alsa_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+	bootloader_filetrans_config(puppet_t)
+')
+
+optional_policy(`
+	devicekit_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+	dnsmasq_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+	kerberos_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+	libs_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+	miscfiles_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+	mta_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+	modules_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+	networkmanager_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+	nx_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+	postfix_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+	quota_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+	sysnet_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+	virt_filetrans_home_content(puppet_t)
+')
+
+optional_policy(`
+	ssh_filetrans_admin_home_content(puppet_t)
+ ')
+ 
+ ########################################
+ #
+-# Pupper master personal policy
 +# PuppetCA personal policy
 +#
 +
@ -53439,16 +53522,15 @@ index 64c5f95..fa3c113 100644
 +    usermanage_access_check_groupadd(puppet_t)
 +    usermanage_access_check_passwd(puppet_t)
 +    usermanage_access_check_useradd(puppet_t)
- ')
- 
- ########################################
- #
-# Pupper master personal policy
+')
+
+########################################
+#
 +# Puppet master personal policy
 #
 
 allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-@@ -171,29 +258,36 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+@@ -171,29 +326,36 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
 allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
 allow puppetmaster_t self:socket create;
 allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
@ -53488,7 +53570,7 @@ index 64c5f95..fa3c113 100644
 
 corecmd_exec_bin(puppetmaster_t)
 corecmd_exec_shell(puppetmaster_t)
-@@ -206,21 +300,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
+@@ -206,21 +368,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
 corenet_tcp_bind_puppet_port(puppetmaster_t)
 corenet_sendrecv_puppet_server_packets(puppetmaster_t)
 
@ -53502,11 +53584,11 @@ index 64c5f95..fa3c113 100644
 
 domain_read_all_domains_state(puppetmaster_t)
 +domain_obj_id_change_exemption(puppetmaster_t)
-+
-+files_read_usr_files(puppetmaster_t)
 
 -files_read_etc_files(puppetmaster_t)
 -files_search_var_lib(puppetmaster_t)
+files_read_usr_files(puppetmaster_t)
+
 +selinux_validate_context(puppetmaster_t)
 +
 +auth_use_nsswitch(puppetmaster_t)
@ -53538,7 +53620,7 @@ index 64c5f95..fa3c113 100644
 optional_policy(`
 	hostname_exec(puppetmaster_t)
 ')
-@@ -231,3 +350,9 @@ optional_policy(`
+@@ -231,3 +418,9 @@ optional_policy(`
 	rpm_exec(puppetmaster_t)
 	rpm_read_db(puppetmaster_t)
 ')
@ -59443,7 +59525,7 @@ index 623c8fa..0a802f7 100644
 /var/run/snmpd(/.*)?		gen_context(system_u:object_r:snmpd_var_run_t,s0)
 /var/run/snmpd\.pid	--	gen_context(system_u:object_r:snmpd_var_run_t,s0)
 diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
-index 275f9fb..ad10bef 100644
+index 275f9fb..f1343b7 100644
 --- a/policy/modules/services/snmp.if
 +++ b/policy/modules/services/snmp.if
@@ -11,12 +11,12 @@
@ -59463,7 +59545,7 @@ index 275f9fb..ad10bef 100644
 ')
 
 ########################################
-@@ -62,6 +62,7 @@ interface(`snmp_read_snmp_var_lib_files',`
+@@ -62,11 +62,70 @@ interface(`snmp_read_snmp_var_lib_files',`
 		type snmpd_var_lib_t;
 	')
 
@ -59471,10 +59553,29 @@ index 275f9fb..ad10bef 100644
 	allow $1 snmpd_var_lib_t:dir list_dir_perms;
 	read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
 	read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
-@@ -69,6 +70,45 @@ interface(`snmp_read_snmp_var_lib_files',`
+ ')
 
- ########################################
- ## <summary>
+#######################################
+## <summary>
+##  Read snmpd libraries directories
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`snmp_read_snmp_var_lib_dirs',`
+    gen_require(`
+        type snmpd_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    allow $1 snmpd_var_lib_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 +##	Manage snmpd libraries directories
 +## </summary>
 +## <param name="domain">
@ -59512,12 +59613,10 @@ index 275f9fb..ad10bef 100644
 +	manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
 +')
 +
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
 ##	dontaudit Read snmpd libraries.
- ## </summary>
- ## <param name="domain">
-@@ -81,9 +121,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
+@@ -81,9 +140,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
 	gen_require(`
 		type snmpd_var_lib_t;
 	')
@ -59529,7 +59628,7 @@ index 275f9fb..ad10bef 100644
 ')
 
 ########################################
-@@ -123,13 +164,15 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
+@@ -123,13 +183,15 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
 #
 interface(`snmp_admin',`
 	gen_require(`
@ -63903,7 +64002,7 @@ index 7c5d8d8..3fd8f12 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..30c47b0 100644
+index 3eca020..59444ba 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
@@ -5,56 +5,84 @@ policy_module(virt, 1.4.0)
@ -64460,7 +64559,7 @@ index 3eca020..30c47b0 100644
 files_read_usr_files(virt_domain)
 files_read_var_files(virt_domain)
 files_search_all(virt_domain)
-@@ -440,25 +626,358 @@ files_search_all(virt_domain)
+@@ -440,25 +626,359 @@ files_search_all(virt_domain)
 fs_getattr_tmpfs(virt_domain)
 fs_rw_anon_inodefs_files(virt_domain)
 fs_rw_tmpfs_files(virt_domain)
@ -64796,6 +64895,7 @@ index 3eca020..30c47b0 100644
 +
 +domain_entry_file(svirt_lxc_net_t, svirt_lxc_file_t)
 +domtrans_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_net_t)
+corecmd_shell_domtrans(virtd_lxc_t, svirt_lxc_net_t)
 +fs_noxattr_type(svirt_lxc_file_t)
 +term_pty(svirt_lxc_file_t)
 +
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 63%{?dist}
+Release: 64%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -470,6 +470,15 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Thu Dec 1 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-64
+- Use fs_use_xattr for squashf
+-  Fix procs_type interface
+- Dovecot has a new fifo_file /var/run/dovecot/stats-mail
+- Dovecot has a new fifo_file /var/run/stats-mail
+- Colord does not need to connect to network
+- Allow system_cronjob to dbus chat with NetworkManager
+- Puppet manages content, want to make sure it labels everything correctly
+
 * Tue Nov 29 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-63
 - Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it
 - Allow all postfix domains to use the fifo_file