From 5ed54459f625d45495ed8aeba142aee70a7c1171 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Wed, 31 Jul 2013 14:15:19 +0200 Subject: [PATCH] - Add more aliases in pegasus.te - Add more fixes for *_admin interfaces - Add interface fixes - Allow nscd to stream connect to nmbd - Allow gnupg apps to write to pcscd socket - Add more fixes for openlmi provides. Fix naming and support for a - Allow fetchmail to resolve host names - Allow firewalld to interact also with lnk files labeled as firewa - Add labeling for cmpiLMI_Fan-cimprovagt - Allow net_admin for glusterd - Allow telepathy domain to create dconf with correct labeling in / - Add pegasus_openlmi_system_t - Fix puppet_domtrans_master() to make all puppet calling working i - Fix corecmd_exec_chroot() - Fix logging_relabel_syslog_pid_socket interface - Fix typo in unconfineduser.te - Allow system_r to access unconfined_dbusd_t to run hp_chec --- policy-rawhide-base.patch | 88 +++++++------ policy-rawhide-contrib.patch | 247 ++++++++++++++++++++++------------- selinux-policy.spec | 21 ++- 3 files changed, 228 insertions(+), 128 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index c10ad38b..72018eef 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3381,7 +3381,7 @@ index 644d4d7..51181b8 100644 +/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if -index 9e9263a..979f47f 100644 +index 9e9263a..43cdcb9 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -8,6 +8,22 @@ 
@@ -3508,7 +3508,15 @@ index 9e9263a..979f47f 100644 mmap_files_pattern($1, bin_t, bin_t) ') -@@ -954,6 +999,24 @@ interface(`corecmd_exec_chroot',` +@@ -945,6 +990,7 @@ interface(`corecmd_shell_domtrans',` + interface(`corecmd_exec_chroot',` + gen_require(` + type chroot_exec_t; ++ type bin_t; + ') + + read_lnk_files_pattern($1, bin_t, bin_t) +@@ -954,6 +1000,24 @@ interface(`corecmd_exec_chroot',` ######################################## ## @@ -3533,7 +3541,7 @@ index 9e9263a..979f47f 100644 ## Get the attributes of all executable files. ## ## -@@ -1012,6 +1075,10 @@ interface(`corecmd_exec_all_executables',` +@@ -1012,6 +1076,10 @@ interface(`corecmd_exec_all_executables',` can_exec($1, exec_type) list_dirs_pattern($1, bin_t, bin_t) read_lnk_files_pattern($1, bin_t, exec_type) @@ -3544,7 +3552,7 @@ index 9e9263a..979f47f 100644 ') ######################################## -@@ -1049,6 +1116,7 @@ interface(`corecmd_manage_all_executables',` +@@ -1049,6 +1117,7 @@ interface(`corecmd_manage_all_executables',` type bin_t; ') @@ -3552,7 +3560,7 @@ index 9e9263a..979f47f 100644 manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -@@ -1091,3 +1159,36 @@ interface(`corecmd_mmap_all_executables',` +@@ -1091,3 +1160,36 @@ interface(`corecmd_mmap_all_executables',` mmap_files_pattern($1, bin_t, exec_type) ') @@ -18381,10 +18389,10 @@ index 0000000..cf6582f + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..3c3b9b3 +index 0000000..d74943c --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,331 @@ +@@ -0,0 +1,332 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -18574,6 +18582,7 @@ index 0000000..3c3b9b3 + +optional_policy(` + dbus_role_template(unconfined, unconfined_r, unconfined_t) ++ role system_r types unconfined_dbusd_t; + + optional_policy(` + unconfined_domain(unconfined_dbusd_t) 
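Review bot: The added `role system_r types unconfined_dbusd_t;` in unconfineduser.te authorizes the system role for an unconfined domain without any comment in the policy saying why; the only rationale is the truncated `hp_chec` entry in the commit subject. A one-liner such as `# system_r needs unconfined_dbusd_t for the hp_check case noted in the commit` above the statement would let a later audit of system_r's type set see what depends on this widening (hp_check is my reading of the cut-off subject line). Because the line sits inside the dbus `optional_policy(` block next to `dbus_role_template`, it only takes effect when the dbus module is present, which looks intentional.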
@@ -22530,7 +22539,7 @@ index 6bf0ecc..d740738 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..63fd06a 100644 +index 2696452..0426df3 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -22876,7 +22885,7 @@ index 2696452..63fd06a 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -299,64 +408,108 @@ optional_policy(` +@@ -299,64 +408,109 @@ optional_policy(` # XDM Local policy # @@ -22903,10 +22912,11 @@ index 2696452..63fd06a 100644 allow xdm_t self:socket create_socket_perms; allow xdm_t self:appletalk_socket create_socket_perms; allow xdm_t self:key { search link write }; ++allow xdm_t self:dbus { send_msg acquire_svc }; ++ ++allow xdm_t xauth_home_t:file manage_file_perms; -allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; -+allow xdm_t xauth_home_t:file manage_file_perms; -+ +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) @@ -22995,7 +23005,7 @@ index 2696452..63fd06a 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,20 +518,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +519,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) 
@@ -23025,7 +23035,7 @@ index 2696452..63fd06a 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +548,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +549,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -23078,7 +23088,7 @@ index 2696452..63fd06a 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +600,28 @@ files_list_mnt(xdm_t) +@@ -430,9 +601,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -23107,7 +23117,7 @@ index 2696452..63fd06a 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +630,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +631,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -23156,7 +23166,7 @@ index 2696452..63fd06a 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +677,144 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +678,144 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -23307,7 +23317,7 @@ index 2696452..63fd06a 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +828,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +829,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -23334,7 +23344,7 @@ index 2696452..63fd06a 100644 ') optional_policy(` -@@ -514,12 +855,56 @@ optional_policy(` +@@ -514,12 +856,56 @@ optional_policy(` ') optional_policy(` 
@@ -23391,7 +23401,7 @@ index 2696452..63fd06a 100644 hostname_exec(xdm_t) ') -@@ -537,28 +922,78 @@ optional_policy(` +@@ -537,28 +923,78 @@ optional_policy(` ') optional_policy(` @@ -23479,7 +23489,7 @@ index 2696452..63fd06a 100644 ') optional_policy(` -@@ -570,6 +1005,14 @@ optional_policy(` +@@ -570,6 +1006,14 @@ optional_policy(` ') optional_policy(` @@ -23494,7 +23504,7 @@ index 2696452..63fd06a 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +1037,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +1038,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -23507,7 +23517,7 @@ index 2696452..63fd06a 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1054,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1055,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23523,7 +23533,7 @@ index 2696452..63fd06a 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1070,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1071,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -23534,7 +23544,7 @@ index 2696452..63fd06a 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1085,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1086,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -23556,7 +23566,7 @@ index 2696452..63fd06a 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1105,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1106,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -23570,7 +23580,7 @@ index 2696452..63fd06a 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1131,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1132,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -23602,7 +23612,7 @@ index 2696452..63fd06a 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1163,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1164,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23620,7 +23630,7 @@ index 2696452..63fd06a 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1186,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1187,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
@@ -23644,7 +23654,7 @@ index 2696452..63fd06a 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1205,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1206,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -23653,7 +23663,7 @@ index 2696452..63fd06a 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1249,44 @@ optional_policy(` +@@ -775,16 +1250,44 @@ optional_policy(` ') optional_policy(` @@ -23699,7 +23709,7 @@ index 2696452..63fd06a 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1295,10 @@ optional_policy(` +@@ -793,6 +1296,10 @@ optional_policy(` ') optional_policy(` @@ -23710,7 +23720,7 @@ index 2696452..63fd06a 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1314,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1315,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -23724,7 +23734,7 @@ index 2696452..63fd06a 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1325,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1326,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -23733,7 +23743,7 @@ index 2696452..63fd06a 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1338,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1339,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -23768,7 +23778,7 @@ index 2696452..63fd06a 100644 ') optional_policy(` -@@ -902,7 +1403,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1404,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -23777,7 +23787,7 @@ index 2696452..63fd06a 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1457,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1458,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -23809,7 +23819,7 @@ index 2696452..63fd06a 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1503,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1504,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -30235,7 +30245,7 @@ index b50c5fe..2faaaf2 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..55d2481 100644 +index 4e94884..9b82ed0 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` 
@@ -30397,7 +30407,7 @@ index 4e94884..55d2481 100644 +# +interface(`logging_relabel_syslog_pid_socket',` + gen_require(` -+ type devlog_t; ++ type syslogd_var_run_t; + ') + + allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 13a4016e..e8b95e69 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -9774,10 +9774,15 @@ index 4ec0626..88e7e89 100644 userdom_dontaudit_use_unpriv_user_fds(canna_t) diff --git a/ccs.if b/ccs.if -index 5ded72d..c1b4d35 100644 +index 5ded72d..cb94e5e 100644 --- a/ccs.if +++ b/ccs.if -@@ -102,16 +102,20 @@ interface(`ccs_admin',` +@@ -98,20 +98,24 @@ interface(`ccs_manage_config',` + interface(`ccs_admin',` + gen_require(` + type ccs_t, ccs_initrc_exec_t, cluster_conf_t; +- type ccs_var_lib_t_t, ccs_var_log_t; ++ type ccs_var_lib_t, ccs_var_log_t; type ccs_var_run_t, ccs_tmp_t; ') @@ -12633,7 +12638,7 @@ index 23dc348..7cc536b 100644 /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) diff --git a/condor.if b/condor.if -index 3fe3cb8..b8e08c6 100644 +index 3fe3cb8..5fe84a6 100644 --- a/condor.if +++ b/condor.if @@ -1,81 +1,397 @@ @@ -13046,7 +13051,7 @@ index 3fe3cb8..b8e08c6 100644 +interface(`condor_admin',` + gen_require(` + attribute condor_domain; -+ type condor_initrc_exec_config_t, condor_log_t; ++ type condor_initrc_exec_t, condor_log_t; + type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t; + type condor_var_run_t, condor_startd_tmp_t; + type condor_unit_file_t; @@ -20898,7 +20903,7 @@ index 23ab808..4a801b5 100644 /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) diff --git a/dnsmasq.if b/dnsmasq.if -index 19aa0b8..531cf03 100644 +index 19aa0b8..1e8b244 100644 --- a/dnsmasq.if +++ b/dnsmasq.if @@ -10,7 +10,6 @@ 
@@ -21107,11 +21112,12 @@ index 19aa0b8..531cf03 100644 ') ######################################## -@@ -267,12 +354,17 @@ interface(`dnsmasq_spec_filetrans_pid',` +@@ -267,12 +354,18 @@ interface(`dnsmasq_spec_filetrans_pid',` interface(`dnsmasq_admin',` gen_require(` type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; - type dnsmasq_initrc_exec_t, dnsmasq_var_log_t; ++ type dnsmasq_var_log_t; + type dnsmasq_initrc_exec_t; + type dnsmasq_unit_file_t; ') @@ -21127,7 +21133,7 @@ index 19aa0b8..531cf03 100644 init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 dnsmasq_initrc_exec_t system_r; -@@ -281,9 +373,13 @@ interface(`dnsmasq_admin',` +@@ -281,9 +374,13 @@ interface(`dnsmasq_admin',` files_list_var_lib($1) admin_pattern($1, dnsmasq_lease_t) @@ -23594,7 +23600,7 @@ index 5cf6ac6..0fc685b 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index c8014f8..64e18e1 100644 +index c8014f8..2888d51 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t) 
@@ -23619,7 +23625,15 @@ index c8014f8..64e18e1 100644 dontaudit firewalld_t self:capability sys_tty_config; allow firewalld_t self:fifo_file rw_fifo_file_perms; allow firewalld_t self:unix_stream_socket { accept listen }; -@@ -40,11 +49,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms; +@@ -33,6 +42,7 @@ allow firewalld_t self:udp_socket create_socket_perms; + + manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) + manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) ++manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) + + allow firewalld_t firewalld_var_log_t:file append_file_perms; + allow firewalld_t firewalld_var_log_t:file create_file_perms; +@@ -40,11 +50,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms; allow firewalld_t firewalld_var_log_t:file setattr_file_perms; logging_log_filetrans(firewalld_t, firewalld_var_log_t, file) @@ -23641,7 +23655,7 @@ index c8014f8..64e18e1 100644 corecmd_exec_bin(firewalld_t) corecmd_exec_shell(firewalld_t) -@@ -53,20 +72,17 @@ dev_read_urand(firewalld_t) +@@ -53,20 +73,17 @@ dev_read_urand(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -23667,7 +23681,7 @@ index c8014f8..64e18e1 100644 optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -85,6 +101,10 @@ optional_policy(` +@@ -85,6 +102,10 @@ optional_policy(` ') optional_policy(` @@ -28851,10 +28865,10 @@ index 0000000..f4659d1 +/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0) diff --git a/gssproxy.if b/gssproxy.if new file mode 100644 -index 0000000..28263c7 +index 0000000..4bd5abf --- /dev/null +++ b/gssproxy.if -@@ -0,0 +1,204 @@ +@@ -0,0 +1,203 @@ + +## policy for gssproxy + 
@@ -28989,7 +29003,6 @@ index 0000000..28263c7 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) + allow $1 gssproxy_unit_file_t:file read_file_perms; + allow $1 gssproxy_unit_file_t:service manage_service_perms; + @@ -29927,6 +29940,21 @@ index ecad9c7..86d790f 100644 optional_policy(` seutil_use_newrole_fds(irc_t) ') +diff --git a/ircd.if b/ircd.if +index ade9803..3620c9a 100644 +--- a/ircd.if ++++ b/ircd.if +@@ -33,8 +33,8 @@ interface(`ircd_admin',` + + files_search_etc($1) + admin_pattern($1, ircd_etc_t) +- +- logging_search_log($1) ++ ++ logging_search_logs($1) + admin_pattern($1, ircd_log_t) + + files_search_var_lib($1) diff --git a/ircd.te b/ircd.te index e9f746e..40e440c 100644 --- a/ircd.te @@ -37838,7 +37866,7 @@ index a83894c..481dca3 100644 + +/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0) diff --git a/modemmanager.if b/modemmanager.if -index b1ac8b5..90ca430 100644 +index b1ac8b5..d65017f 100644 --- a/modemmanager.if +++ b/modemmanager.if @@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',` @@ -37860,7 +37888,7 @@ index b1ac8b5..90ca430 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 modemmanager_unit_file_t:file read_file_perms; + allow $1 modemmanager_unit_file_t:service manage_service_perms; + @@ -38038,6 +38066,19 @@ index d287fe9..3dc493c 100644 init_dbus_chat_script(mono_t) +diff --git a/monop.if b/monop.if +index 8fdaece..5440757 100644 +--- a/monop.if ++++ b/monop.if +@@ -31,7 +31,7 @@ interface(`monop_admin',` + role_transition $2 monopd_initrc_exec_t system_r; + allow $2 system_r; + +- logging_search_etc($1) ++ logging_search_logs($1) + admin_pattern($1, monopd_etc_t) + + files_search_pids($1) diff --git a/monop.te b/monop.te index 4462c0e..84944d1 100644 --- a/monop.te 
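Review bot: gssproxy_admin drops `systemd_read_fifo_file_password_run($1)` outright, whereas the modemmanager_admin hunk on this same line and the pesign_admin hunk later in the patch rename the call to `systemd_read_fifo_file_passwd_run($1)`. If the removal was only a way to get rid of the misspelled interface name, gssproxy_admin now lacks the password-fifo read the other two admin interfaces keep; if it was deliberate, a short `# passwd fifo read not needed for gssproxy` comment would stop the next reader from re-adding it. The interface body continues outside the hunk.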
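Review bot: In monop_admin the replacement `logging_search_logs($1)` does not fit the line it precedes, `admin_pattern($1, monopd_etc_t)`: it grants search on the log directory, while managing an etc-labelled type needs /etc searchable. The old `logging_search_etc` was presumably a typo for `files_search_etc`, which is exactly what the smstools_admin hunk later in the patch substitutes for `files_search_config($1)` ahead of `admin_pattern($1, smsd_conf_t)`. Suggest `files_search_etc($1)` here, and `logging_search_logs($1)` only next to a log-type admin_pattern if monopd has one. The interface continues outside the hunk.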
@@ -46701,7 +46742,7 @@ index 8f2ab09..7b8f5ad 100644 + allow $1 nscd_unit_file_t:service all_service_perms; ') diff --git a/nscd.te b/nscd.te -index df4c10f..2814186 100644 +index df4c10f..8c09c68 100644 --- a/nscd.te +++ b/nscd.te @@ -1,36 +1,37 @@ @@ -46851,7 +46892,7 @@ index df4c10f..2814186 100644 userdom_dontaudit_use_user_terminals(nscd_t) userdom_dontaudit_use_unpriv_user_fds(nscd_t) userdom_dontaudit_search_user_home_dirs(nscd_t) -@@ -121,20 +130,30 @@ optional_policy(` +@@ -121,20 +130,31 @@ optional_policy(` ') optional_policy(` @@ -46881,6 +46922,7 @@ index df4c10f..2814186 100644 - udev_read_db(nscd_t) + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) ++ samba_stream_connect_nmbd(nscd_t) ') optional_policy(` @@ -52601,10 +52643,10 @@ index 96db654..ff3aadd 100644 + virt_rw_svirt_dev(pcscd_t) +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..0aead56 100644 +index dfd46e4..2e04b85 100644 --- a/pegasus.fc +++ b/pegasus.fc -@@ -1,15 +1,21 @@ +@@ -1,15 +1,24 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) + +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) 
@@ -52613,27 +52655,30 @@ index dfd46e4..0aead56 100644 -/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) +/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) +/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) ++ ++/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) -+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) - --/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0) +/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) --/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) +-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0) +/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) --/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) +-/var/lib/Pegasus(/.*)? 
gen_context(system_u:object_r:pegasus_data_t,s0) +#openlmi agents +/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_networking_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_service_exec_t,s0) -+/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) + +-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) -/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) ++/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) diff --git a/pegasus.if b/pegasus.if index d2fc677..ded726f 100644 --- a/pegasus.if @@ -52735,7 +52780,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..b6885d4 100644 +index 7bcf327..f36e1ae 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ 
@@ -52759,21 +52804,24 @@ index 7bcf327..b6885d4 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,199 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,213 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) +# pegasus openlmi providers ++pegasus_openlmi_domain_template(admin) ++typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t; ++ +pegasus_openlmi_domain_template(account) +pegasus_openlmi_domain_template(logicalfile) -+pegasus_openlmi_domain_template(networking) -+pegasus_openlmi_domain_template(service) ++pegasus_openlmi_domain_template(services) + +pegasus_openlmi_domain_template(storage) +type pegasus_openlmi_storage_tmp_t; +files_tmp_file(pegasus_openlmi_storage_tmp_t) + +pegasus_openlmi_domain_template(system) ++typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t; +pegasus_openlmi_domain_template(unconfined) + +####################################### 
@@ -52862,26 +52910,38 @@ index 7bcf327..b6885d4 100644 + # so we want to have unconfined_domain attribute for filename rules + unconfined_domain(pegasus_openlmi_logicalfile_t) +') ++###################################### ++# ++# pegasus openlmi networking local policy ++# ++ ++optional_policy(` ++ dbus_system_bus_client(pegasus_openlmi_services_t) ++') ++ ++optional_policy(` ++ realmd_dbus_chat(pegasus_openlmi_services_t) ++') + +###################################### +# +# pegasus openlmi networking local policy +# + -+allow pegasus_openlmi_networking_t self:capability { net_admin }; ++allow pegasus_openlmi_system_t self:capability { net_admin }; + -+allow pegasus_openlmi_networking_t self:netlink_route_socket r_netlink_socket_perms;; -+allow pegasus_openlmi_networking_t self:udp_socket create_socket_perms; ++allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;; ++allow pegasus_openlmi_system_t self:udp_socket create_socket_perms; + -+dev_rw_sysfs(pegasus_openlmi_networking_t) -+dev_read_urand(pegasus_openlmi_networking_t) ++dev_rw_sysfs(pegasus_openlmi_system_t) ++dev_read_urand(pegasus_openlmi_system_t) + +optional_policy(` -+ dbus_system_bus_client(pegasus_openlmi_networking_t) ++ dbus_system_bus_client(pegasus_openlmi_system_t) ++') + -+ optional_policy(` -+ networkmanager_dbus_chat(pegasus_openlmi_networking_t) -+ ') ++optional_policy(` ++ networkmanager_dbus_chat(pegasus_openlmi_system_t) +') + +###################################### 
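Review bot: The new section for `pegasus_openlmi_services_t` (dbus_system_bus_client plus `realmd_dbus_chat`) is headed `# pegasus openlmi networking local policy`, the same header the following `pegasus_openlmi_system_t` section keeps, so two consecutive sections now claim to be the networking policy. Change the first to `# pegasus openlmi services local policy` and the second to `# pegasus openlmi system local policy`. Folding networking into `pegasus_openlmi_system_t` also means the Fan and PowerManagement agents, which the pegasus.fc hunk labels `pegasus_openlmi_system_exec_t`, now run with `net_admin`, the netlink route socket and NetworkManager dbus chat that only the Networking provider needed; a comment above the `net_admin` allow recording that this widening is accepted would help whoever audits the system domain later. The doubled `;;` on the `netlink_route_socket` line is carried over from the old line and could be dropped while renaming.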
@@ -52889,20 +52949,19 @@ index 7bcf327..b6885d4 100644 +# pegasus openlmi service local policy +# + ++init_disable_services(pegasus_openlmi_admin_t) ++init_enable_services(pegasus_openlmi_admin_t) ++init_reload_services(pegasus_openlmi_admin_t) ++init_exec(pegasus_openlmi_admin_t) + -+init_disable_services(pegasus_openlmi_service_t) -+init_enable_services(pegasus_openlmi_service_t) -+init_reload_services(pegasus_openlmi_service_t) -+init_exec(pegasus_openlmi_service_t) -+ -+systemd_config_all_services(pegasus_openlmi_service_t) -+systemd_manage_all_unit_files(pegasus_openlmi_service_t) -+systemd_manage_all_unit_lnk_files(pegasus_openlmi_service_t) ++systemd_config_all_services(pegasus_openlmi_admin_t) ++systemd_manage_all_unit_files(pegasus_openlmi_admin_t) ++systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t) + +allow pegasus_openlmi_service_t self:udp_socket create_socket_perms; + +optional_policy(` -+ dbus_system_bus_client(pegasus_openlmi_service_t) ++ dbus_system_bus_client(pegasus_openlmi_admin_t) +') + +###################################### @@ -52964,7 +53023,7 @@ index 7bcf327..b6885d4 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +232,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +246,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -52995,7 +53054,7 @@ index 7bcf327..b6885d4 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +258,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +272,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) 
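Review bot: `allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;` is the one line in this section left on the old name while the init_* and systemd_* lines around it were switched to `pegasus_openlmi_admin_t`; it still resolves through the `typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t` added earlier in the file, but reads as an oversight. Suggest `allow pegasus_openlmi_admin_t self:udp_socket create_socket_perms;` and `# pegasus openlmi admin local policy` for the section header, which still says service. The alias covers only the domain type; `pegasus_openlmi_service_exec_t` gets no alias, so any policy outside this patch still requiring the old exec type would fail to build, although pegasus.fc within this patch already uses the new name.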
@@ -53028,7 +53087,7 @@ index 7bcf327..b6885d4 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +286,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,6 +300,7 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -53036,7 +53095,7 @@ index 7bcf327..b6885d4 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +301,25 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +315,25 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -53068,7 +53127,7 @@ index 7bcf327..b6885d4 100644 ') optional_policy(` -@@ -151,16 +331,24 @@ optional_policy(` +@@ -151,16 +345,24 @@ optional_policy(` ') optional_policy(` @@ -53097,7 +53156,7 @@ index 7bcf327..b6885d4 100644 ') optional_policy(` -@@ -168,7 +356,7 @@ optional_policy(` +@@ -168,7 +370,7 @@ optional_policy(` ') optional_policy(` @@ -53120,7 +53179,7 @@ index 0000000..7b54c39 +/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0) diff --git a/pesign.if b/pesign.if new file mode 100644 -index 0000000..c20674c +index 0000000..26b1f0c --- /dev/null +++ b/pesign.if @@ -0,0 +1,103 @@ @@ -53181,7 +53240,7 @@ index 0000000..c20674c + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 pesign_unit_file_t:file read_file_perms; + allow $1 pesign_unit_file_t:service manage_service_perms; + @@ -56706,7 +56765,7 @@ index c0e8785..c0e0959 100644 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) /var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0) diff --git a/postfix.if b/postfix.if -index 2e23946..589bbf2 100644 +index 2e23946..e9ac366 100644 --- a/postfix.if +++ b/postfix.if @@ -1,4 +1,4 @@ 
@@ -57145,7 +57204,7 @@ index 2e23946..589bbf2 100644 ## ## ## -@@ -478,30 +479,84 @@ interface(`postfix_domtrans_postqueue',` +@@ -478,30 +479,85 @@ interface(`postfix_domtrans_postqueue',` type postfix_postqueue_t, postfix_postqueue_exec_t; ') @@ -57198,6 +57257,7 @@ index 2e23946..589bbf2 100644 +interface(`postfix_domtrans_postgqueue',` + gen_require(` + type postfix_postgqueue_t; ++ type postfix_postgqueue_exec_t; + ') + domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t) +') @@ -57240,7 +57300,7 @@ index 2e23946..589bbf2 100644 ## ## ## -@@ -514,13 +569,12 @@ interface(`postfix_exec_postqueue',` +@@ -514,13 +570,12 @@ interface(`postfix_exec_postqueue',` type postfix_postqueue_exec_t; ') @@ -57255,7 +57315,7 @@ index 2e23946..589bbf2 100644 ## ## ## -@@ -533,13 +587,13 @@ interface(`postfix_create_private_sockets',` +@@ -533,13 +588,13 @@ interface(`postfix_create_private_sockets',` type postfix_private_t; ') @@ -57271,7 +57331,7 @@ index 2e23946..589bbf2 100644 ## ## ## -@@ -552,13 +606,14 @@ interface(`postfix_manage_private_sockets',` +@@ -552,13 +607,14 @@ interface(`postfix_manage_private_sockets',` type postfix_private_t; ') @@ -57288,7 +57348,7 @@ index 2e23946..589bbf2 100644 ## ## ## -@@ -571,14 +626,12 @@ interface(`postfix_domtrans_smtp',` +@@ -571,14 +627,12 @@ interface(`postfix_domtrans_smtp',` type postfix_smtp_t, postfix_smtp_exec_t; ') @@ -57304,7 +57364,7 @@ index 2e23946..589bbf2 100644 ## ## ## -@@ -586,7 +639,7 @@ interface(`postfix_domtrans_smtp',` +@@ -586,7 +640,7 @@ interface(`postfix_domtrans_smtp',` ## ## # @@ -57313,7 +57373,7 @@ index 2e23946..589bbf2 100644 gen_require(` attribute postfix_spool_type; ') -@@ -607,11 +660,11 @@ interface(`postfix_getattr_all_spool_files',` +@@ -607,11 +661,11 @@ interface(`postfix_getattr_all_spool_files',` # interface(`postfix_search_spool',` gen_require(` 
@@ -57327,7 +57387,7 @@ index 2e23946..589bbf2 100644 ') ######################################## -@@ -626,11 +679,11 @@ interface(`postfix_search_spool',` +@@ -626,11 +680,11 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -57341,7 +57401,7 @@ index 2e23946..589bbf2 100644 ') ######################################## -@@ -645,17 +698,16 @@ interface(`postfix_list_spool',` +@@ -645,17 +699,16 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` @@ -57362,7 +57422,7 @@ index 2e23946..589bbf2 100644 ## ## ## -@@ -665,11 +717,31 @@ interface(`postfix_read_spool_files',` +@@ -665,11 +718,31 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` @@ -57396,7 +57456,7 @@ index 2e23946..589bbf2 100644 ') ######################################## -@@ -693,8 +765,8 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -693,8 +766,8 @@ interface(`postfix_domtrans_user_mail_handler',` ######################################## ## @@ -57407,7 +57467,7 @@ index 2e23946..589bbf2 100644 ## ## ## -@@ -710,37 +782,137 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -710,37 +783,137 @@ interface(`postfix_domtrans_user_mail_handler',` # interface(`postfix_admin',` gen_require(` @@ -64824,10 +64884,10 @@ index 70ab68b..e97da31 100644 /var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0) diff --git a/quantum.if b/quantum.if -index afc0068..5fb7731 100644 +index afc0068..7b3cfad 100644 --- a/quantum.if +++ b/quantum.if -@@ -2,41 +2,292 @@ +@@ -2,41 +2,293 @@ ######################################## ## @@ -65056,6 +65116,7 @@ index afc0068..5fb7731 100644 +# +interface(`quantum_stream_connect',` + gen_require(` ++ type quantum_t; + type quantum_var_lib_t; + ') + @@ -80163,7 +80224,7 @@ index 0000000..92c3638 + +sysnet_dns_name_resolve(smsd_t) 
diff --git a/smstools.if b/smstools.if -index cbfe369..085ac13 100644 +index cbfe369..6594af3 100644 --- a/smstools.if +++ b/smstools.if @@ -1,5 +1,81 @@ @@ -80248,6 +80309,15 @@ index cbfe369..085ac13 100644 ######################################## ## ## All of the rules required to +@@ -32,7 +108,7 @@ interface(`smstools_admin',` + role_transition $2 smsd_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_config($1) ++ files_search_etc($1) + admin_pattern($1, smsd_conf_t) + + files_search_var_lib($1) diff --git a/snapper.fc b/snapper.fc new file mode 100644 index 0000000..3f412d5 @@ -95127,7 +95197,7 @@ index 36e32df..3d08962 100644 + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) ') diff --git a/zarafa.te b/zarafa.te -index a4479b1..1d12d58 100644 +index a4479b1..7a9f1b6 100644 --- a/zarafa.te +++ b/zarafa.te @@ -1,4 +1,4 @@ @@ -95250,7 +95320,7 @@ index a4479b1..1d12d58 100644 manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) -@@ -109,70 +117,78 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file } +@@ -109,70 +117,80 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file } stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t) @@ -95307,9 +95377,10 @@ index a4479b1..1d12d58 100644 -corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t) + +auth_use_nsswitch(zarafa_spooler_t) -+ -+######################################## -+# + + ######################################## + # +-# Zarafa domain local policy +# zarafa_gateway local policy +# +corenet_tcp_bind_pop_port(zarafa_gateway_t) 
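Review bot: The new inner hunk for `smstools_admin` replaces `files_search_config($1)` with `files_search_etc($1)` in one interface only; if the same call was copied into other `*_admin` interfaces the commit title says it fixes, each needs the same change, because a call to an interface the base policy does not define fails at policy build time instead of being dropped. I cannot see the rest of the contrib patch from this hunk, so this is a check rather than a defect I can point to. The `smstools_admin` interface begins and ends outside the hunk.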
@@ -95317,8 +95388,8 @@ index a4479b1..1d12d58 100644 +####################################### +# +# zarafa-ical local policy -+# -+ + # + +corenet_tcp_bind_http_cache_port(zarafa_ical_t) + +###################################### @@ -95326,13 +95397,12 @@ index a4479b1..1d12d58 100644 +# zarafa-monitor local policy +# + - - ######################################## - # --# Zarafa domain local policy ++ ++######################################## ++# +# zarafa domains local policy - # - ++# ++ +# bad permission on /etc/zarafa allow zarafa_domain self:capability { kill dac_override chown setgid setuid }; -allow zarafa_domain self:process { setrlimit signal }; @@ -95351,10 +95421,11 @@ index a4479b1..1d12d58 100644 - dev_read_rand(zarafa_domain) dev_read_urand(zarafa_domain) -- + -logging_send_syslog_msg(zarafa_domain) - -miscfiles_read_localization(zarafa_domain) ++dev_read_sysfs(zarafa_domain) diff --git a/zebra.fc b/zebra.fc index 28ee4ca..e1b30b2 100644 --- a/zebra.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index 745f844e..5e399061 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 68%{?dist} +Release: 69%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
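Review bot: The added `dev_read_sysfs(zarafa_domain)` at the end of the zarafa.te hunk grants every domain carrying the `zarafa_domain` attribute (the server, spooler, gateway, ical and monitor domains set up in the banners above it) read access to sysfs, with no comment saying which daemon needs it. If a single component triggered the denial, granting it to that domain alone is tighter; either way a one-line comment such as `# <component> reads /sys — TODO record the access that needed this` would keep the attribute-wide grant from being widened further by later fixes. The zarafa_domain rules continue beyond the hunk.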
@@ -538,6 +538,25 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jul 31 2013 Miroslav Grepl 3.12.1-69 +- Add more aliases in pegasus.te +- Add more fixes for *_admin interfaces +- Add interface fixes +- Allow nscd to stream connect to nmbd +- Allow gnupg apps to write to pcscd socket +- Add more fixes for openlmi provides. Fix naming and support for additionals +- Allow fetchmail to resolve host names +- Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t +- Add labeling for cmpiLMI_Fan-cimprovagt +- Allow net_admin for glusterd +- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/ +- Add pegasus_openlmi_system_t +- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te +- Fix corecmd_exec_chroot() +- Fix logging_relabel_syslog_pid_socket interface +- Fix typo in unconfineduser.te +- Allow system_r to access unconfined_dbusd_t to run hp_chec + * Tue Jul 30 2013 Miroslav Grepl 3.12.1-68 - Allow xdm_t to act as a dbus client to itsel - Allow fetchmail to resolve host names