- default trans rules for Rawhide policy

- Make sure sound_devices controlC* are labeled correctly on creation - sssd now needs sys_admin - Allow snmp to read all proc_type - Allow to setup users homedir with quota.group
2011-12-20 19:41:35 +01:00 · 2011-12-20 19:41:35 +01:00 · 67539d56f8
commit 67539d56f8
parent bce4ec2b6e
2 changed files with 148 additions and 56 deletions
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -226,10 +226,17 @@ index 4705ab6..0f0bb47 100644
 +gen_tunable(allow_console_login,false)
 +
 diff --git a/policy/mcs b/policy/mcs
-index df8e0fa..09eea90 100644
+index df8e0fa..38146ed 100644
 --- a/policy/mcs
 +++ b/policy/mcs
-@@ -69,16 +69,32 @@ gen_levels(1,mcs_num_cats)
+@@ -1,4 +1,6 @@
 ifdef(`enable_mcs',`
 +default_range dir_file_class_set target low;
 +
 #
 # Define sensitivities 
 #
@@ -69,16 +71,32 @@ gen_levels(1,mcs_num_cats)
 #  - /proc/pid operations are not constrained.
 mlsconstrain file { read ioctl lock execute execute_no_trans }
@ -266,7 +273,7 @@ index df8e0fa..09eea90 100644
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
-@@ -87,10 +103,13 @@ mlsconstrain file { create relabelto }
+@@ -87,10 +105,13 @@ mlsconstrain file { create relabelto }
 # new file labels must be dominated by the relabeling subject clearance
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
@ -282,7 +289,7 @@ index df8e0fa..09eea90 100644
 mlsconstrain process { transition dyntransition }
 	(( h1 dom h2 ) or ( t1 == mcssetcats ));
-@@ -101,6 +120,9 @@ mlsconstrain process { ptrace }
+@@ -101,6 +122,9 @@ mlsconstrain process { ptrace }
 mlsconstrain process { sigkill sigstop }
 	(( h1 dom h2 ) or ( t1 == mcskillall ));
@ -292,7 +299,7 @@ index df8e0fa..09eea90 100644
 #
 # MCS policy for SELinux-enabled databases
 #
-@@ -144,4 +166,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+@@ -144,4 +168,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
 mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
 	( h1 dom h2 );
@ -2335,10 +2342,16 @@ index af55369..5d940f8 100644
 +	miscfiles_read_man_pages(prelink_t)
 +')
 diff --git a/policy/modules/admin/quota.fc b/policy/modules/admin/quota.fc
-index f387230..98adfd2 100644
+index f387230..e63f9c6 100644
 --- a/policy/modules/admin/quota.fc
 +++ b/policy/modules/admin/quota.fc
-@@ -8,12 +8,18 @@ HOME_ROOT/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
+@@ -1,4 +1,5 @@
 HOME_ROOT/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
 +HOME_DIR/a?quota\.(user|group) --  gen_context(system_u:object_r:quota_db_t,s0)
 /a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
@@ -8,12 +9,18 @@ HOME_ROOT/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
 /sbin/quota(check|on)		--	gen_context(system_u:object_r:quota_exec_t,s0)
@ -2423,7 +2436,7 @@ index bf75d99..d1af9cf 100644
 +    domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
 +')
 diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
-index 5dd42f5..bef4392 100644
+index 5dd42f5..c0b7cd0 100644
 --- a/policy/modules/admin/quota.te
 +++ b/policy/modules/admin/quota.te
@@ -15,6 +15,13 @@ files_type(quota_db_t)
@ -2440,17 +2453,21 @@ index 5dd42f5..bef4392 100644
 ########################################
 #
 # Local policy
-@@ -34,6 +41,9 @@ files_home_filetrans(quota_t, quota_db_t, file)
+@@ -34,6 +41,13 @@ files_home_filetrans(quota_t, quota_db_t, file)
 files_usr_filetrans(quota_t, quota_db_t, file)
 files_var_filetrans(quota_t, quota_db_t, file)
 files_spool_filetrans(quota_t, quota_db_t, file)
-+mta_spool_filetrans(quota_t, quota_db_t, file)
+userdom_user_home_dir_filetrans(quota_t, quota_db_t, file)
-+mta_spool_filetrans(quota_t, quota_db_t, file)
+
-+mta_spool_filetrans_queue(quota_t, quota_db_t, file)
+optional_policy(`
 +	mta_spool_filetrans(quota_t, quota_db_t, file)
 +	mta_spool_filetrans(quota_t, quota_db_t, file)
 +	mta_spool_filetrans_queue(quota_t, quota_db_t, file)
 +')
 kernel_list_proc(quota_t)
 kernel_read_proc_symlinks(quota_t)
-@@ -72,7 +82,7 @@ init_use_script_ptys(quota_t)
+@@ -72,7 +86,7 @@ init_use_script_ptys(quota_t)
 logging_send_syslog_msg(quota_t)
@ -2459,7 +2476,7 @@ index 5dd42f5..bef4392 100644
 userdom_dontaudit_use_unpriv_user_fds(quota_t)
 optional_policy(`
-@@ -82,3 +92,34 @@ optional_policy(`
+@@ -82,3 +96,34 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(quota_t)
 ')
@ -7904,7 +7921,7 @@ index 0bac996..ca2388d 100644
 +userdom_use_inherited_user_terminals(lockdev_t)
 diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
-index 93ac529..800b5c8 100644
+index 93ac529..4c0895e 100644
 --- a/policy/modules/apps/mozilla.fc
 +++ b/policy/modules/apps/mozilla.fc
@@ -1,8 +1,14 @@
@ -7922,13 +7939,15 @@ index 93ac529..800b5c8 100644
 #
 # /bin
-@@ -14,16 +20,24 @@ HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+@@ -14,16 +20,28 @@ HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 /usr/bin/epiphany		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/bin/mozilla-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/bin/mozilla-bin-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 +ifdef(`distro_redhat',`
 +/usr/bin/nspluginscan		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 +/usr/bin/nspluginviewer		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 +/usr/lib/nspluginwrapper/npviewer.bin	--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 +')
 #
 # /lib
@ -7955,7 +7974,9 @@ index 93ac529..800b5c8 100644
 +
 +/usr/lib/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
 +
 +ifdef(`distro_redhat',`
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
 index fbb5c5a..ffeec16 100644
 --- a/policy/modules/apps/mozilla.if
@ -8176,15 +8197,12 @@ index fbb5c5a..ffeec16 100644
 +')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..bb90a3b 100644
+index 2e9318b..04159de 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
-@@ -23,8 +23,9 @@ type mozilla_conf_t;
+@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
 files_config_file(mozilla_conf_t)
 type mozilla_home_t;
-typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
+ typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
 +typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t nsplugin_home_t };
 typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
 +files_poly_member(mozilla_home_t)
 userdom_user_home_content(mozilla_home_t)
@ -8203,7 +8221,7 @@ index 2e9318b..bb90a3b 100644
 files_tmpfs_file(mozilla_plugin_tmpfs_t)
 ubac_constrained(mozilla_plugin_tmpfs_t)
-+type mozilla_plugin_rw_t alias nsplugin_rw_t;
+type mozilla_plugin_rw_t;
 +files_type(mozilla_plugin_rw_t)
 +
 +type mozilla_plugin_config_t;
@ -8421,7 +8439,7 @@ index 2e9318b..bb90a3b 100644
 ')
 optional_policy(`
-@@ -438,18 +460,88 @@ optional_policy(`
+@@ -438,18 +460,97 @@ optional_policy(`
 ')
 optional_policy(`
@ -8513,6 +8531,15 @@ index 2e9318b..bb90a3b 100644
 +
 +optional_policy(`
 +	xserver_use_user_fonts(mozilla_plugin_config_t)
 +')
 +ifdef(`distro_redhat',`
 +	typealias mozilla_plugin_t  alias nsplugin_t;
 +	typealias mozilla_plugin_exec_t  alias nsplugin_exec_t;
 +	typealias mozilla_plugin_rw_t alias nsplugin_rw_t;
 +	typealias mozilla_plugin_tmp_t  alias nsplugin_tmp_t;
 +	typealias mozilla_home_t alias nsplugin_home_t;
 +	typealias mozilla_plugin_config_t  alias nsplugin_config_t;
 +	typealias mozilla_plugin_config_exec_t  alias nsplugin_config_exec_t;
 ')
 diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
 index d8ea41d..8bdc526 100644
@ -14858,7 +14885,7 @@ index 6cf8784..2354089 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..cc3f02e 100644
+index f820f3b..1082bb5 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@ -15542,7 +15569,7 @@ index f820f3b..cc3f02e 100644
 ##	Read and write to the zero device (/dev/zero).
 ## </summary>
 ## <param name="domain">
-@@ -4784,3 +5174,812 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5174,822 @@ interface(`dev_unconfined',`
 	typeattribute $1 devices_unconfined_type;
 ')
@ -16271,6 +16298,16 @@ index f820f3b..cc3f02e 100644
 +	filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9")
 +	filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev")
 +	filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC3")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC4")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC5")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC6")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0")
@ -16356,10 +16393,18 @@ index f820f3b..cc3f02e 100644
 +	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +')
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 08f01e7..8f727be 100644
+index 08f01e7..d8c1d48 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
-@@ -108,6 +108,7 @@ dev_node(ksm_device_t)
+@@ -20,6 +20,7 @@ files_mountpoint(device_t)
 files_associate_tmp(device_t)
 fs_type(device_t)
 fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
 +dev_node(device_t)
 #
 # Type for /dev/agpgart
@@ -108,6 +109,7 @@ dev_node(ksm_device_t)
 #
 type kvm_device_t;
 dev_node(kvm_device_t)
@ -16367,7 +16412,7 @@ index 08f01e7..8f727be 100644
 #
 # Type for /dev/lirc
-@@ -118,6 +119,12 @@ dev_node(lirc_device_t)
+@@ -118,6 +120,12 @@ dev_node(lirc_device_t)
 #
 # Type for /dev/mapper/control
 #
@ -16380,7 +16425,7 @@ index 08f01e7..8f727be 100644
 type lvm_control_t;
 dev_node(lvm_control_t)
-@@ -218,6 +225,10 @@ files_mountpoint(sysfs_t)
+@@ -218,6 +226,10 @@ files_mountpoint(sysfs_t)
 fs_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
@ -16391,7 +16436,7 @@ index 08f01e7..8f727be 100644
 #
 # Type for /dev/tpm
 #
-@@ -265,6 +276,7 @@ dev_node(v4l_device_t)
+@@ -265,6 +277,7 @@ dev_node(v4l_device_t)
 #
 type vhost_device_t;
 dev_node(vhost_device_t)
@ -16399,7 +16444,7 @@ index 08f01e7..8f727be 100644
 # Type for vmware devices.
 type vmware_device_t;
-@@ -310,5 +322,5 @@ files_associate_tmp(device_node)
+@@ -310,5 +323,5 @@ files_associate_tmp(device_node)
 #
 allow devices_unconfined_type self:capability sys_rawio;
@ -19523,7 +19568,7 @@ index 7be4ddf..f7021a0 100644
 +
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 6346378..34c6897 100644
+index 6346378..3bfb1f8 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
@@ -345,13 +345,8 @@ interface(`kernel_load_module',`
@ -19540,7 +19585,32 @@ index 6346378..34c6897 100644
 ')
 ########################################
-@@ -2072,7 +2067,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -1464,6 +1459,24 @@ interface(`kernel_dontaudit_list_all_proc',`
 ########################################
 ## <summary>
 +##	Allow attempts to read all proc types.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`kernel_read_all_proc',`
 +	gen_require(`
 +		attribute proc_type;
 +	')
 +
 +	read_files_pattern($1, proc_type, proc_type)
 +')
 +
 +########################################
 +## <summary>
 ##	Do not audit attempts by caller to search
 ##	the base directory of sysctls.
 ## </summary>
@@ -2072,7 +2085,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
 	')
 	dontaudit $1 sysctl_type:dir list_dir_perms;
@ -19549,7 +19619,7 @@ index 6346378..34c6897 100644
 ')
 ########################################
-@@ -2293,7 +2288,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2293,7 +2306,7 @@ interface(`kernel_read_unlabeled_state',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -19558,7 +19628,7 @@ index 6346378..34c6897 100644
 ##	</summary>
 ## </param>
 #
-@@ -2475,6 +2470,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2475,6 +2488,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
 ########################################
 ## <summary>
@ -19583,7 +19653,7 @@ index 6346378..34c6897 100644
 ##	Do not audit attempts by caller to get attributes for
 ##	unlabeled character devices.
 ## </summary>
-@@ -2619,7 +2632,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2619,7 +2650,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
 	allow $1 unlabeled_t:association { sendto recvfrom };
 	# temporary hack until labeling on packets is supported
@ -19592,7 +19662,7 @@ index 6346378..34c6897 100644
 ')
 ########################################
-@@ -2657,6 +2670,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2657,6 +2688,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
 ########################################
 ## <summary>
@ -19617,7 +19687,7 @@ index 6346378..34c6897 100644
 ##	Receive TCP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
-@@ -2684,6 +2715,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2684,6 +2733,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
 ########################################
 ## <summary>
@ -19643,7 +19713,7 @@ index 6346378..34c6897 100644
 ##	Do not audit attempts to receive TCP packets from an unlabeled
 ##	connection.
 ## </summary>
-@@ -2793,6 +2843,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2793,6 +2861,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
 	allow $1 unlabeled_t:rawip_socket recvfrom;
 ')
@ -19677,7 +19747,7 @@ index 6346378..34c6897 100644
 ########################################
 ## <summary>
-@@ -2948,6 +3025,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2948,6 +3043,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
 ########################################
 ## <summary>
@ -19702,12 +19772,12 @@ index 6346378..34c6897 100644
 ##	Unconfined access to kernel module resources.
 ## </summary>
 ## <param name="domain">
-@@ -2962,4 +3057,43 @@ interface(`kernel_unconfined',`
+@@ -2962,4 +3075,43 @@ interface(`kernel_unconfined',`
 	')
 	typeattribute $1 kern_unconfined;
 +	kernel_load_module($1)	
- ')
+')
 +
 +########################################
 +## <summary>
@ -19744,7 +19814,7 @@ index 6346378..34c6897 100644
 +	')
 +
 +	typeattribute $1 proc_type;
-+')
+ ')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
 index d91c62f..8852535 100644
@ -54903,16 +54973,18 @@ index 5a9630c..61f0099 100644
 +	allow $1 qpidd_t:shm rw_shm_perms;
 ')
 diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te
-index cb7ecb5..3df1532 100644
+index cb7ecb5..08d19e6 100644
 --- a/policy/modules/services/qpid.te
 +++ b/policy/modules/services/qpid.te
-@@ -12,12 +12,12 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
+@@ -12,12 +12,15 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
 type qpidd_initrc_exec_t;
 init_script_file(qpidd_initrc_exec_t)
 -type qpidd_var_lib_t;
 -files_type(qpidd_var_lib_t)
-
+type qpidd_tmpfs_t;
 +files_tmpfs_file(qpidd_tmpfs_t)
 type qpidd_var_run_t;
 files_pid_file(qpidd_var_run_t)
@ -54922,12 +54994,16 @@ index cb7ecb5..3df1532 100644
 ########################################
 #
 # qpidd local policy
-@@ -30,27 +30,30 @@ allow qpidd_t self:shm create_shm_perms;
+@@ -30,27 +33,34 @@ allow qpidd_t self:shm create_shm_perms;
 allow qpidd_t self:tcp_socket create_stream_socket_perms;
 allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
 -manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
 -manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
 +manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
 +manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
 +fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
 +
 +manage_dirs_pattern(qpidd_t, qpidd_var_lib_t,  qpidd_var_lib_t)
 +manage_files_pattern(qpidd_t, qpidd_var_lib_t,  qpidd_var_lib_t)
 files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
@ -54958,7 +55034,7 @@ index cb7ecb5..3df1532 100644
 logging_send_syslog_msg(qpidd_t)
-@@ -61,3 +64,8 @@ sysnet_dns_name_resolve(qpidd_t)
+@@ -61,3 +71,8 @@ sysnet_dns_name_resolve(qpidd_t)
 optional_policy(`
 	corosync_stream_connect(qpidd_t)
 ')
@ -60256,7 +60332,7 @@ index 275f9fb..f1343b7 100644
 	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
 	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..9c747d4 100644
+index 3d8d1b3..1d22eed 100644
 --- a/policy/modules/services/snmp.te
 +++ b/policy/modules/services/snmp.te
@@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@ -60284,7 +60360,7 @@ index 3d8d1b3..9c747d4 100644
 allow snmpd_t self:tcp_socket create_stream_socket_perms;
 allow snmpd_t self:udp_socket connected_stream_socket_perms;
-@@ -41,10 +44,11 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+@@ -41,18 +44,18 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
 manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
 files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
 files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
@ -60298,7 +60374,16 @@ index 3d8d1b3..9c747d4 100644
 kernel_read_device_sysctls(snmpd_t)
 kernel_read_kernel_sysctls(snmpd_t)
-@@ -94,15 +98,19 @@ files_search_home(snmpd_t)
+ kernel_read_fs_sysctls(snmpd_t)
 kernel_read_net_sysctls(snmpd_t)
 kernel_read_proc_symlinks(snmpd_t)
 -kernel_read_system_state(snmpd_t)
 -kernel_read_network_state(snmpd_t)
 +kernel_read_all_proc(snmpd_t)
 corecmd_exec_bin(snmpd_t)
 corecmd_exec_shell(snmpd_t)
@@ -94,15 +97,19 @@ files_search_home(snmpd_t)
 fs_getattr_all_dirs(snmpd_t)
 fs_getattr_all_fs(snmpd_t)
 fs_search_auto_mountpoints(snmpd_t)
@ -60319,7 +60404,7 @@ index 3d8d1b3..9c747d4 100644
 logging_send_syslog_msg(snmpd_t)
-@@ -115,7 +123,7 @@ sysnet_read_config(snmpd_t)
+@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t)
 userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
 userdom_dontaudit_search_user_home_dirs(snmpd_t)
@ -62424,7 +62509,7 @@ index 941380a..4afc698 100644
 	# Allow sssd_t to restart the apache service
 	sssd_initrc_domtrans($1)
 diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..eb8979d 100644
+index 8ffa257..b698994 100644
 --- a/policy/modules/services/sssd.te
 +++ b/policy/modules/services/sssd.te
@@ -17,6 +17,7 @@ files_pid_file(sssd_public_t)
@ -62441,7 +62526,7 @@ index 8ffa257..eb8979d 100644
 #
 -allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
 +
-+allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid };
+allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin };
 allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
 -allow sssd_t self:fifo_file rw_file_perms;
 +allow sssd_t self:fifo_file rw_fifo_file_perms;
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -16,7 +16,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 70%{?dist}
+Release: 71%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -471,6 +471,13 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Tue Dec 20 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-71
 - default trans rules for Rawhide policy
 -  Make sure sound_devices controlC* are labeled correctly on creation
 - sssd now needs sys_admin
 - Allow snmp to read all proc_type
 - Allow to setup users homedir with quota.group
 * Mon Dec 19 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-70
 - Add httpd_can_connect_ldap() interface
 - apcupsd_t needs to use seriel ports connected to usb devices