* Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-2

- Add new type selinux_login_config_t for /etc/selinux/<type>/logins/ - Additional fixes for seutil_manage_module_store() - dbus_system_domain() should be used with optional_policy - Fix svirt to be allowed to use fusefs file system - Allow login programs to read /run/ data created by systemd_login - sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM modu - Fix svirt to be allowed to use fusefs file system - Allow piranha domain to use nsswitch - Sanlock needs to send Kill Signals to non root processes - Pulseaudio wants to execute /run/user/PID/.orc
2012-08-07 16:51:57 +02:00 · 2012-08-07 16:51:57 +02:00 · 711b0e2035
parent e2915aed43
commit 711b0e2035
3 changed files with 541 additions and 197 deletions
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@ -70640,7 +70640,7 @@ index cda5588..91d1e25 100644
 +/usr/lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
 +/usr/lib/udev/devices/shm/.*	<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 7c6b791..aad6319 100644
+index 7c6b791..b40a5a5 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@ -71137,7 +71137,7 @@ index 7c6b791..aad6319 100644
 ########################################
 ## <summary>
 ##	Mount a FUSE filesystem.
-@@ -2025,6 +2387,68 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -2025,6 +2387,87 @@ interface(`fs_read_fusefs_symlinks',`
 ########################################
 ## <summary>
@ -71202,11 +71202,30 @@ index 7c6b791..aad6319 100644
 +')
 +
 +########################################
 +## <summary>
 +##	Get the attributes of a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`fs_getattr_fusefs',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
 +	allow $1 fusefs_t:filesystem getattr;
 +')
 +
 +########################################
 +## <summary>
 ##	Get the attributes of an hugetlbfs
 ##	filesystem.
 ## </summary>
-@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2080,6 +2523,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
 ########################################
 ## <summary>
@ -71231,7 +71250,7 @@ index 7c6b791..aad6319 100644
 ##	Read and write hugetlbfs files.
 ## </summary>
 ## <param name="domain">
-@@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,11 +2609,12 @@ interface(`fs_list_inotifyfs',`
 	')
 	allow $1 inotifyfs_t:dir list_dir_perms;
@ -71245,7 +71264,7 @@ index 7c6b791..aad6319 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2485,6 +2928,7 @@ interface(`fs_read_nfs_files',`
+@@ -2485,6 +2947,7 @@ interface(`fs_read_nfs_files',`
 		type nfs_t;
 	')
@ -71253,7 +71272,7 @@ index 7c6b791..aad6319 100644
 	allow $1 nfs_t:dir list_dir_perms;
 	read_files_pattern($1, nfs_t, nfs_t)
 ')
-@@ -2523,6 +2967,7 @@ interface(`fs_write_nfs_files',`
+@@ -2523,6 +2986,7 @@ interface(`fs_write_nfs_files',`
 		type nfs_t;
 	')
@ -71261,7 +71280,7 @@ index 7c6b791..aad6319 100644
 	allow $1 nfs_t:dir list_dir_perms;
 	write_files_pattern($1, nfs_t, nfs_t)
 ')
-@@ -2549,6 +2994,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2549,6 +3013,25 @@ interface(`fs_exec_nfs_files',`
 ########################################
 ## <summary>
@ -71287,7 +71306,7 @@ index 7c6b791..aad6319 100644
 ##	Append files
 ##	on a NFS filesystem.
 ## </summary>
-@@ -2569,7 +3033,7 @@ interface(`fs_append_nfs_files',`
+@@ -2569,7 +3052,7 @@ interface(`fs_append_nfs_files',`
 ########################################
 ## <summary>
@ -71296,7 +71315,7 @@ index 7c6b791..aad6319 100644
 ##	on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
-@@ -2589,6 +3053,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2589,6 +3072,42 @@ interface(`fs_dontaudit_append_nfs_files',`
 ########################################
 ## <summary>
@ -71339,7 +71358,7 @@ index 7c6b791..aad6319 100644
 ##	Do not audit attempts to read or
 ##	write files on a NFS filesystem.
 ## </summary>
-@@ -2603,7 +3103,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3122,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
 		type nfs_t;
 	')
@ -71348,7 +71367,7 @@ index 7c6b791..aad6319 100644
 ')
 ########################################
-@@ -2627,7 +3127,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3146,7 @@ interface(`fs_read_nfs_symlinks',`
 ########################################
 ## <summary>
@ -71357,7 +71376,7 @@ index 7c6b791..aad6319 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2741,7 +3241,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +3260,7 @@ interface(`fs_search_removable',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -71366,7 +71385,7 @@ index 7c6b791..aad6319 100644
 ##	</summary>
 ## </param>
 #
-@@ -2777,7 +3277,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3296,7 @@ interface(`fs_read_removable_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -71375,7 +71394,7 @@ index 7c6b791..aad6319 100644
 ##	</summary>
 ## </param>
 #
-@@ -2970,6 +3470,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +3489,7 @@ interface(`fs_manage_nfs_dirs',`
 		type nfs_t;
 	')
@ -71383,7 +71402,7 @@ index 7c6b791..aad6319 100644
 	allow $1 nfs_t:dir manage_dir_perms;
 ')
-@@ -3010,6 +3511,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +3530,7 @@ interface(`fs_manage_nfs_files',`
 		type nfs_t;
 	')
@ -71391,7 +71410,7 @@ index 7c6b791..aad6319 100644
 	manage_files_pattern($1, nfs_t, nfs_t)
 ')
-@@ -3050,6 +3552,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +3571,7 @@ interface(`fs_manage_nfs_symlinks',`
 		type nfs_t;
 	')
@ -71399,7 +71418,7 @@ index 7c6b791..aad6319 100644
 	manage_lnk_files_pattern($1, nfs_t, nfs_t)
 ')
-@@ -3263,6 +3766,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,6 +3785,24 @@ interface(`fs_getattr_nfsd_files',`
 	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
 ')
@ -71424,7 +71443,7 @@ index 7c6b791..aad6319 100644
 ########################################
 ## <summary>
 ##	Read and write NFS server files.
-@@ -3283,6 +3804,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3283,6 +3823,24 @@ interface(`fs_rw_nfsd_fs',`
 ########################################
 ## <summary>
@ -71449,7 +71468,7 @@ index 7c6b791..aad6319 100644
 ##	Allow the type to associate to ramfs filesystems.
 ## </summary>
 ## <param name="type">
-@@ -3392,7 +3931,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +3950,7 @@ interface(`fs_search_ramfs',`
 ########################################
 ## <summary>
@ -71458,7 +71477,7 @@ index 7c6b791..aad6319 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3429,7 +3968,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +3987,7 @@ interface(`fs_manage_ramfs_dirs',`
 ########################################
 ## <summary>
@ -71467,7 +71486,7 @@ index 7c6b791..aad6319 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3447,7 +3986,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4005,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
 ########################################
 ## <summary>
@ -71476,7 +71495,7 @@ index 7c6b791..aad6319 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3815,6 +4354,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4373,24 @@ interface(`fs_unmount_tmpfs',`
 ########################################
 ## <summary>
@ -71501,7 +71520,7 @@ index 7c6b791..aad6319 100644
 ##	Get the attributes of a tmpfs
 ##	filesystem.
 ## </summary>
-@@ -3963,6 +4520,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3963,6 +4539,42 @@ interface(`fs_dontaudit_list_tmpfs',`
 ########################################
 ## <summary>
@ -71544,7 +71563,7 @@ index 7c6b791..aad6319 100644
 ##	Create, read, write, and delete
 ##	tmpfs directories
 ## </summary>
-@@ -4069,7 +4662,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4069,7 +4681,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
 		type tmpfs_t;
 	')
@ -71553,7 +71572,7 @@ index 7c6b791..aad6319 100644
 ')
 ########################################
-@@ -4129,6 +4722,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4129,6 +4741,24 @@ interface(`fs_rw_tmpfs_files',`
 ########################################
 ## <summary>
@ -71578,7 +71597,7 @@ index 7c6b791..aad6319 100644
 ##	Read tmpfs link files.
 ## </summary>
 ## <param name="domain">
-@@ -4166,7 +4777,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4166,7 +4796,7 @@ interface(`fs_rw_tmpfs_chr_files',`
 ########################################
 ## <summary>
@ -71587,7 +71606,7 @@ index 7c6b791..aad6319 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4185,6 +4796,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4185,6 +4815,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
 ########################################
 ## <summary>
@ -71630,7 +71649,7 @@ index 7c6b791..aad6319 100644
 ##	Relabel character nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
-@@ -4242,6 +4889,43 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4242,6 +4908,43 @@ interface(`fs_relabel_tmpfs_blk_file',`
 ########################################
 ## <summary>
@ -71674,7 +71693,7 @@ index 7c6b791..aad6319 100644
 ##	Read and write, create and delete generic
 ##	files on tmpfs filesystems.
 ## </summary>
-@@ -4261,6 +4945,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4261,6 +4964,25 @@ interface(`fs_manage_tmpfs_files',`
 ########################################
 ## <summary>
@ -71700,7 +71719,7 @@ index 7c6b791..aad6319 100644
 ##	Read and write, create and delete symbolic
 ##	links on tmpfs filesystems.
 ## </summary>
-@@ -4467,6 +5170,8 @@ interface(`fs_mount_all_fs',`
+@@ -4467,6 +5189,8 @@ interface(`fs_mount_all_fs',`
 	')
 	allow $1 filesystem_type:filesystem mount;
@ -71709,7 +71728,7 @@ index 7c6b791..aad6319 100644
 ')
 ########################################
-@@ -4513,7 +5218,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4513,7 +5237,7 @@ interface(`fs_unmount_all_fs',`
 ## <desc>
 ##	<p>
 ##	Allow the specified domain to
@ -71718,7 +71737,7 @@ index 7c6b791..aad6319 100644
 ##	Example attributes:
 ##	</p>
 ##	<ul>
-@@ -4876,3 +5581,43 @@ interface(`fs_unconfined',`
+@@ -4876,3 +5600,43 @@ interface(`fs_unconfined',`
 	typeattribute $1 filesystem_unconfined_type;
 ')
@ -87697,14 +87716,15 @@ index cbbda4a..8dcc346 100644
 +userdom_use_inherited_user_terminals(netlabel_mgmt_t)
 +
 diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
-index d43f3b1..5858c5f 100644
+index d43f3b1..c4182e8 100644
 --- a/policy/modules/system/selinuxutil.fc
 +++ b/policy/modules/system/selinuxutil.fc
-@@ -6,13 +6,13 @@
+@@ -6,13 +6,14 @@
 /etc/selinux(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
 /etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
 /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
 -/etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
 +/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0)
 +/etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 /etc/selinux/([^/]*/)?setrans\.conf --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
 -/etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
@ -87717,7 +87737,7 @@ index d43f3b1..5858c5f 100644
 #
 # /root
-@@ -35,12 +35,14 @@
+@@ -35,12 +36,14 @@
 /usr/lib/selinux(/.*)?			gen_context(system_u:object_r:policy_src_t,s0)
 /usr/sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
@ -87733,7 +87753,7 @@ index d43f3b1..5858c5f 100644
 #
 # /var/lib
-@@ -51,3 +53,7 @@
+@@ -51,3 +54,7 @@
 # /var/run
 #
 /var/run/restorecond\.pid	--	gen_context(system_u:object_r:restorecond_var_run_t,s0)
@ -87742,7 +87762,7 @@ index d43f3b1..5858c5f 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..cac0b1e 100644
+index 3822072..beae2dc 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
@ -87899,7 +87919,7 @@ index 3822072..cac0b1e 100644
 ##	Execute setfiles in the caller domain.
 ## </summary>
 ## <param name="domain">
-@@ -680,6 +776,7 @@ interface(`seutil_manage_config',`
+@@ -680,10 +776,94 @@ interface(`seutil_manage_config',`
 	')
 	files_search_etc($1)
@ -87907,7 +87927,160 @@ index 3822072..cac0b1e 100644
 	manage_files_pattern($1, selinux_config_t, selinux_config_t)
 	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
 ')
-@@ -746,6 +843,29 @@ interface(`seutil_read_default_contexts',`
+ 
 +########################################
 +## <summary>
 +##	Do not audit attempts to search the SELinux
 +##	login configuration directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`seutil_dontaudit_search_login_config',`
 +	gen_require(`
 +		type selinux_login_config_t;
 +	')
 +
 +	dontaudit $1 selinux_login_config_t:dir search_dir_perms;
 +')
 +
 +########################################
 +## <summary>
 +##	Do not audit attempts to read the SELinux
 +##	login configuration.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`seutil_dontaudit_read_login_config',`
 +	gen_require(`
 +		type selinux_login_config_t;
 +	')
 +	dontaudit $1 selinux_login_config_t:dir search_dir_perms;
 +    dontaudit $1 selinux_login_config_t:file read_file_perms;
 +')
 +
 +########################################
 +## <summary>
 +##	Read the  SELinux login configuration files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`seutil_read_login_config',`
 +	gen_require(`
 +		type selinux_config_t;
 +		type selinux_login_config_t;
 +	')
 +
 +	files_search_etc($1)
 +	allow $1 selinux_config_t:dir search_dir_perms;
 +	allow $1 selinux_login_config_t:dir list_dir_perms;
 +    read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
 +    read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Read and write the SELinux login configuration files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`seutil_rw_login_config',`
 +	gen_require(`
 +		type selinux_config_t;
 +		type selinux_login_config_t;
 +	')
 +
 +	files_search_etc($1)
 +	allow $1 selinux_config_t:dir search_dir_perms;
 +    allow $1 selinux_login_config_t:dir list_dir_perms;
 +    rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
 +')
 +
 #######################################
 ## <summary>
 ##	Create, read, write, and delete
@@ -694,15 +874,62 @@ interface(`seutil_manage_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 -## <rolecap/>
 #
 -interface(`seutil_manage_config_dirs',`
 +interface(`seutil_rw_login_config_dirs',`
 	gen_require(`
 		type selinux_config_t;
 +		type selinux_login_config_t;
 	')
 	files_search_etc($1)
 -	allow $1 selinux_config_t:dir manage_dir_perms;
 +	allow $1 selinux_config_t:dir search_dir_perms;
 +	allow $1 selinux_login_config_t:dir rw_dir_perms;
 +')
 +
 +######################################
 +## <summary>
 +##  Create, read, write, and delete
 +##  the general selinux configuration files.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`seutil_manage_login_config',`
 +    gen_require(`
 +		type selinux_config_t;
 +        type selinux_login_config_t;
 +    ')
 +
 +    files_search_etc($1)
 +	allow $1 selinux_config_t:dir search_dir_perms;
 +    manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t)
 +    manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
 +    read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
 +')
 +
 +######################################
 +## <summary>
 +## 	manage the login selinux configuration files.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`seutil_manage_login_config_files',`
 +    gen_require(`
 +		type selinux_config_t;
 +        type selinux_login_config_t;
 +    ')
 +
 +    files_search_etc($1)
 +	allow $1 selinux_config_t:dir search_dir_perms;
 +	manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
 +	read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
 ')
 ########################################
@@ -746,6 +973,29 @@ interface(`seutil_read_default_contexts',`
 	read_files_pattern($1, default_context_t, default_context_t)
 ')
@ -87937,7 +88110,7 @@ index 3822072..cac0b1e 100644
 ########################################
 ## <summary>
 ##	Create, read, write, and delete the default_contexts files.
-@@ -999,6 +1119,26 @@ interface(`seutil_domtrans_semanage',`
+@@ -999,6 +1249,26 @@ interface(`seutil_domtrans_semanage',`
 ########################################
 ## <summary>
@ -87964,7 +88137,7 @@ index 3822072..cac0b1e 100644
 ##	Execute semanage in the semanage domain, and
 ##	allow the specified role the semanage domain,
 ##	and use the caller's terminal.
-@@ -1017,11 +1157,66 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1287,66 @@ interface(`seutil_domtrans_semanage',`
 #
 interface(`seutil_run_semanage',`
 	gen_require(`
@ -88033,7 +88206,17 @@ index 3822072..cac0b1e 100644
 ')
 ########################################
-@@ -1137,3 +1332,58 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1044,6 +1369,9 @@ interface(`seutil_manage_module_store',`
 	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
 	manage_files_pattern($1, semanage_store_t, semanage_store_t)
 	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
 +	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
 +	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
 +	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
 ')
 #######################################
@@ -1137,3 +1465,58 @@ interface(`seutil_dontaudit_libselinux_linked',`
 	selinux_dontaudit_get_fs_mount($1)
 	seutil_dontaudit_read_config($1)
 ')
@ -88093,7 +88276,7 @@ index 3822072..cac0b1e 100644
 +	auth_relabelto_shadow($1)
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..98094ae 100644
+index ec01d0b..12ed3ea 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,17 @@ gen_require(`
@ -88119,17 +88302,20 @@ index ec01d0b..98094ae 100644
 #
 # selinux_config_t is the type applied to
-@@ -30,6 +33,9 @@ roleattribute system_r semanage_roles;
+@@ -30,6 +33,12 @@ roleattribute system_r semanage_roles;
 type selinux_config_t;
 files_type(selinux_config_t)
 +type selinux_login_config_t;
 +files_type(selinux_login_config_t)
 +
 +type selinux_var_lib_t;
 +files_type(selinux_var_lib_t)
 +
 type checkpolicy_t, can_write_binary_policy;
 type checkpolicy_exec_t;
 application_domain(checkpolicy_t, checkpolicy_exec_t)
-@@ -60,14 +66,20 @@ application_domain(newrole_t, newrole_exec_t)
+@@ -60,14 +69,20 @@ application_domain(newrole_t, newrole_exec_t)
 domain_role_change_exemption(newrole_t)
 domain_obj_id_change_exemption(newrole_t)
 domain_interactive_fd(newrole_t)
@ -88153,7 +88339,7 @@ index ec01d0b..98094ae 100644
 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
 #neverallow ~can_write_binary_policy policy_config_t:file { write append };
-@@ -83,7 +95,6 @@ type restorecond_t;
+@@ -83,7 +98,6 @@ type restorecond_t;
 type restorecond_exec_t;
 init_daemon_domain(restorecond_t, restorecond_exec_t)
 domain_obj_id_change_exemption(restorecond_t)
@ -88161,7 +88347,7 @@ index ec01d0b..98094ae 100644
 type restorecond_var_run_t;
 files_pid_file(restorecond_var_run_t)
-@@ -92,25 +103,33 @@ type run_init_t;
+@@ -92,25 +106,32 @@ type run_init_t;
 type run_init_exec_t;
 application_domain(run_init_t, run_init_exec_t)
 domain_system_change_exemption(run_init_t)
@ -88172,7 +88358,6 @@ index ec01d0b..98094ae 100644
 type semanage_t;
 type semanage_exec_t;
 application_domain(semanage_t, semanage_exec_t)
 +dbus_system_domain(semanage_t, semanage_exec_t)
 +init_daemon_domain(semanage_t, semanage_exec_t)
 domain_interactive_fd(semanage_t)
 -role semanage_roles types semanage_t;
@ -88200,7 +88385,7 @@ index ec01d0b..98094ae 100644
 type semanage_var_lib_t;
 files_type(semanage_var_lib_t)
-@@ -120,6 +139,11 @@ type setfiles_exec_t alias restorecon_exec_t;
+@@ -120,6 +141,11 @@ type setfiles_exec_t alias restorecon_exec_t;
 init_system_domain(setfiles_t, setfiles_exec_t)
 domain_obj_id_change_exemption(setfiles_t)
@ -88212,7 +88397,15 @@ index ec01d0b..98094ae 100644
 ########################################
 #
 # Checkpolicy local policy
-@@ -151,7 +175,7 @@ term_use_console(checkpolicy_t)
+@@ -137,6 +163,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
 read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
 read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
 allow checkpolicy_t selinux_config_t:dir search_dir_perms;
 +allow checkpolicy_t selinux_login_config_t:dir search_dir_perms;
 domain_use_interactive_fds(checkpolicy_t)
@@ -151,7 +178,7 @@ term_use_console(checkpolicy_t)
 init_use_fds(checkpolicy_t)
 init_use_script_ptys(checkpolicy_t)
@ -88221,7 +88414,7 @@ index ec01d0b..98094ae 100644
 userdom_use_all_users_fds(checkpolicy_t)
 ifdef(`distro_ubuntu',`
-@@ -188,13 +212,15 @@ term_list_ptys(load_policy_t)
+@@ -188,13 +215,15 @@ term_list_ptys(load_policy_t)
 init_use_script_fds(load_policy_t)
 init_use_script_ptys(load_policy_t)
@ -88238,7 +88431,15 @@ index ec01d0b..98094ae 100644
 ifdef(`distro_ubuntu',`
 	optional_policy(`
-@@ -220,7 +246,7 @@ optional_policy(`
+@@ -205,6 +234,7 @@ ifdef(`distro_ubuntu',`
 ifdef(`hide_broken_symptoms',`
 	# cjp: cover up stray file descriptors.
 	dontaudit load_policy_t selinux_config_t:file write;
 +	dontaudit load_policy_t selinux_login_config_t:file write;
 	optional_policy(`
 		unconfined_dontaudit_read_pipes(load_policy_t)
@@ -220,7 +250,7 @@ optional_policy(`
 # Newrole local policy
 #
@ -88247,7 +88448,7 @@ index ec01d0b..98094ae 100644
 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
-@@ -232,7 +258,7 @@ allow newrole_t self:msgq create_msgq_perms;
+@@ -232,7 +262,7 @@ allow newrole_t self:msgq create_msgq_perms;
 allow newrole_t self:msg { send receive };
 allow newrole_t self:unix_dgram_socket sendto;
 allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@ -88256,7 +88457,7 @@ index ec01d0b..98094ae 100644
 read_files_pattern(newrole_t, default_context_t, default_context_t)
 read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -249,6 +275,7 @@ domain_use_interactive_fds(newrole_t)
+@@ -249,6 +279,7 @@ domain_use_interactive_fds(newrole_t)
 # for when the user types "exec newrole" at the command line:
 domain_sigchld_interactive_fds(newrole_t)
@ -88264,7 +88465,7 @@ index ec01d0b..98094ae 100644
 files_read_etc_files(newrole_t)
 files_read_var_files(newrole_t)
 files_read_var_symlinks(newrole_t)
-@@ -276,25 +303,39 @@ term_relabel_all_ptys(newrole_t)
+@@ -276,25 +307,39 @@ term_relabel_all_ptys(newrole_t)
 term_getattr_unallocated_ttys(newrole_t)
 term_dontaudit_use_unallocated_ttys(newrole_t)
@ -88310,7 +88511,7 @@ index ec01d0b..98094ae 100644
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(newrole_t)
-@@ -309,7 +350,7 @@ if(secure_mode) {
+@@ -309,7 +354,7 @@ if(secure_mode) {
 	userdom_spec_domtrans_all_users(newrole_t)
 }
@ -88319,7 +88520,7 @@ index ec01d0b..98094ae 100644
 	files_polyinstantiate_all(newrole_t)
 ')
-@@ -328,9 +369,13 @@ kernel_use_fds(restorecond_t)
+@@ -328,9 +373,13 @@ kernel_use_fds(restorecond_t)
 kernel_rw_pipes(restorecond_t)
 kernel_read_system_state(restorecond_t)
@ -88334,7 +88535,7 @@ index ec01d0b..98094ae 100644
 fs_list_inotifyfs(restorecond_t)
 selinux_validate_context(restorecond_t)
-@@ -341,6 +386,7 @@ selinux_compute_user_contexts(restorecond_t)
+@@ -341,6 +390,7 @@ selinux_compute_user_contexts(restorecond_t)
 files_relabel_non_auth_files(restorecond_t )
 files_read_non_auth_files(restorecond_t)
@ -88342,7 +88543,7 @@ index ec01d0b..98094ae 100644
 auth_use_nsswitch(restorecond_t)
 locallogin_dontaudit_use_fds(restorecond_t)
-@@ -351,6 +397,8 @@ miscfiles_read_localization(restorecond_t)
+@@ -351,6 +401,8 @@ miscfiles_read_localization(restorecond_t)
 seutil_libselinux_linked(restorecond_t)
@ -88351,7 +88552,7 @@ index ec01d0b..98094ae 100644
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(restorecond_t)
-@@ -366,21 +414,24 @@ optional_policy(`
+@@ -366,21 +418,24 @@ optional_policy(`
 # Run_init local policy
 #
@ -88378,7 +88579,7 @@ index ec01d0b..98094ae 100644
 dev_dontaudit_list_all_dev_nodes(run_init_t)
 domain_use_interactive_fds(run_init_t)
-@@ -398,14 +449,23 @@ selinux_compute_create_context(run_init_t)
+@@ -398,14 +453,23 @@ selinux_compute_create_context(run_init_t)
 selinux_compute_relabel_context(run_init_t)
 selinux_compute_user_contexts(run_init_t)
@ -88404,7 +88605,7 @@ index ec01d0b..98094ae 100644
 logging_send_syslog_msg(run_init_t)
-@@ -414,7 +474,7 @@ miscfiles_read_localization(run_init_t)
+@@ -414,7 +478,7 @@ miscfiles_read_localization(run_init_t)
 seutil_libselinux_linked(run_init_t)
 seutil_read_default_contexts(run_init_t)
@ -88413,7 +88614,7 @@ index ec01d0b..98094ae 100644
 ifndef(`direct_sysadm_daemon',`
 	ifdef(`distro_gentoo',`
-@@ -425,6 +485,19 @@ ifndef(`direct_sysadm_daemon',`
+@@ -425,6 +489,19 @@ ifndef(`direct_sysadm_daemon',`
 	')
 ')
@ -88433,7 +88634,7 @@ index ec01d0b..98094ae 100644
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(run_init_t)
-@@ -440,81 +513,83 @@ optional_policy(`
+@@ -440,81 +517,87 @@ optional_policy(`
 # semodule local policy
 #
@ -88480,11 +88681,11 @@ index ec01d0b..98094ae 100644
 -
 -# Running genhomedircon requires this for finding all users
 -auth_use_nsswitch(semanage_t)
 -
 -locallogin_use_fds(semanage_t)
 +# Admins are creating pp files in random locations
 +files_read_non_security_files(semanage_t)
 -locallogin_use_fds(semanage_t)
 -
 -logging_send_syslog_msg(semanage_t)
 -
 -miscfiles_read_localization(semanage_t)
@ -88527,6 +88728,10 @@ index ec01d0b..98094ae 100644
 -		unconfined_domain(semanage_t)
 -	')
 +optional_policy(`
 +	dbus_system_domain(semanage_t, semanage_exec_t)
 +')
 +
 +optional_policy(`
 +	mock_manage_lib_files(semanage_t)
 +	mock_manage_lib_dirs(semanage_t)
 +')
@ -88570,7 +88775,7 @@ index ec01d0b..98094ae 100644
 ')
 ########################################
-@@ -522,108 +597,184 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +605,184 @@ ifdef(`distro_ubuntu',`
 # Setfiles local policy
 #
@ -88647,14 +88852,15 @@ index ec01d0b..98094ae 100644
 +	devicekit_dontaudit_read_pid_files(setfiles_t)
 +	devicekit_dontaudit_rw_log(setfiles_t)
 +')
- 
+
 -seutil_libselinux_linked(setfiles_t)
 +optional_policy(`
 +	xserver_append_xdm_tmp_files(setfiles_t)
 +')
-+
+ 
 -seutil_libselinux_linked(setfiles_t)
 +ifdef(`hide_broken_symptoms',`
-+
+ 
 -userdom_use_all_users_fds(setfiles_t)
 +	optional_policy(`
 +		setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
 +		setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
@ -88665,8 +88871,7 @@ index ec01d0b..98094ae 100644
 +		unconfined_domain(setfiles_t)
 +	')
 +')
- 
+
 -userdom_use_all_users_fds(setfiles_t)
 +########################################
 +#
 +# Setfiles common policy
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -491,6 +491,18 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-2
 - Add new type selinux_login_config_t for /etc/selinux/<type>/logins/
 - Additional fixes for seutil_manage_module_store()
 - dbus_system_domain() should be used with optional_policy
 - Fix svirt to be allowed to use fusefs file system
 - Allow login programs to read /run/ data created by systemd_login
 - sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
 - Fix svirt to be allowed to use fusefs file system
 - Allow piranha domain to use nsswitch
 - Sanlock needs to send Kill Signals to non root processes
 - Pulseaudio wants to execute /run/user/PID/.orc
 * Fri Aug 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-1
 - Fix saslauthd when it tries to read /etc/shadow
 - Label gnome-boxes as a virt homedir