- Add policykit fixes from Tim Waugh

- dontaudit sandbox domains sandbox_file_t:dir mounton - Add new dontaudit rules for sysadm_dbusd_t - Change label for /var/run/faillock
2011-03-10 12:46:20 +00:00 · 2011-03-10 12:46:20 +00:00 · 8d54634624
parent 9b89d85005
commit 8d54634624
2 changed files with 116 additions and 60 deletions
--- a/policy-F15.patch
+++ b/policy-F15.patch
@ -2354,7 +2354,7 @@ index d5aaf0e..689b2fd 100644
 optional_policy(`
 	mta_send_mail(sxid_t)
 diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..9b0f49e 100644
+index 6a5004b..b6ede9a 100644
 --- a/policy/modules/admin/tmpreaper.te
 +++ b/policy/modules/admin/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@ -2365,7 +2365,7 @@ index 6a5004b..9b0f49e 100644
 application_domain(tmpreaper_t, tmpreaper_exec_t)
 role system_r types tmpreaper_t;
 
-@@ -25,8 +26,11 @@ fs_getattr_xattr_fs(tmpreaper_t)
+@@ -25,11 +26,16 @@ fs_getattr_xattr_fs(tmpreaper_t)
 files_read_etc_files(tmpreaper_t)
 files_read_var_lib_files(tmpreaper_t)
 files_purge_tmp(tmpreaper_t)
@ -2377,7 +2377,12 @@ index 6a5004b..9b0f49e 100644
 files_getattr_all_dirs(tmpreaper_t)
 files_getattr_all_files(tmpreaper_t)
 
-@@ -38,7 +42,9 @@ logging_send_syslog_msg(tmpreaper_t)
+mcs_file_read_all(tmpreaper_t)
+mcs_file_write_all(tmpreaper_t)
+ mls_file_read_all_levels(tmpreaper_t)
+ mls_file_write_all_levels(tmpreaper_t)
+ 
+@@ -38,7 +44,9 @@ logging_send_syslog_msg(tmpreaper_t)
 miscfiles_read_localization(tmpreaper_t)
 miscfiles_delete_man_pages(tmpreaper_t)
 
@ -2388,7 +2393,7 @@ index 6a5004b..9b0f49e 100644
 
 ifdef(`distro_redhat',`
 	userdom_list_user_home_content(tmpreaper_t)
-@@ -52,7 +58,9 @@ optional_policy(`
+@@ -52,7 +60,9 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -2398,7 +2403,7 @@ index 6a5004b..9b0f49e 100644
 	apache_delete_cache_files(tmpreaper_t)
 	apache_setattr_cache_dirs(tmpreaper_t)
 ')
-@@ -66,6 +74,14 @@ optional_policy(`
+@@ -66,6 +76,14 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -7628,10 +7633,10 @@ index 0000000..0fedd57
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..2280381
+index 0000000..f2201d7
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,474 @@
+@@ -0,0 +1,476 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@ -7768,6 +7773,7 @@ index 0000000..2280381
 +manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
 +manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
 +manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
+dontaudit sandbox_domain sandbox_file_t:dir mounton;
 +
 +gen_require(`
 +	type usr_t, lib_t, locale_t;
@ -7849,6 +7855,7 @@ index 0000000..2280381
 +fs_getattr_tmpfs(sandbox_x_domain)
 +fs_getattr_xattr_fs(sandbox_x_domain)
 +fs_list_inotifyfs(sandbox_x_domain)
+fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)
 +
 +auth_dontaudit_read_login_records(sandbox_x_domain)
 +auth_dontaudit_write_login_records(sandbox_x_domain)
@ -12702,7 +12709,7 @@ index a9b8982..57c4a6a 100644
 +/lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 +/lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
 diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 3723150..bde6daa 100644
+index 3723150..d6d1dbe 100644
 --- a/policy/modules/kernel/storage.if
 +++ b/policy/modules/kernel/storage.if
@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
@ -12714,20 +12721,30 @@ index 3723150..bde6daa 100644
 	typeattribute $1 fixed_disk_raw_read;
 ')
 
-@@ -203,6 +205,8 @@ interface(`storage_create_fixed_disk_dev',`
+@@ -203,7 +205,10 @@ interface(`storage_create_fixed_disk_dev',`
 		type fixed_disk_device_t;
 	')
 
 +	allow $1 self:capability mknod;
 +
 	allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
+	allow $1 fixed_disk_device_t:chr_file create_chr_file_perms;
 	dev_add_entry_generic_dirs($1)
 ')
+ 
 diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 3994e57..43aa641 100644
+index 3994e57..a1923fe 100644
 --- a/policy/modules/kernel/terminal.fc
 +++ b/policy/modules/kernel/terminal.fc
-@@ -18,6 +18,7 @@
+@@ -6,6 +6,7 @@
+ /dev/console		-c	gen_context(system_u:object_r:console_device_t,s0)
+ /dev/cu.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/dcbri[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/hpilo/[^/]*      -c  gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/hvc.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/hvsi.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/i2c[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+@@ -18,6 +19,7 @@
 /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
 /dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
@ -12735,7 +12752,7 @@ index 3994e57..43aa641 100644
 /dev/xvc[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 
 /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
-@@ -40,3 +41,5 @@ ifdef(`distro_gentoo',`
+@@ -40,3 +42,5 @@ ifdef(`distro_gentoo',`
 # used by init scripts to initally populate udev /dev
 /lib/udev/devices/console -c	gen_context(system_u:object_r:console_device_t,s0)
 ')
@ -20408,13 +20425,14 @@ index 0258b48..8fde016 100644
 manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
 diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc
 new file mode 100644
-index 0000000..7a01ff6
+index 0000000..0a83e88
 --- /dev/null
 +++ b/policy/modules/services/colord.fc
-@@ -0,0 +1,4 @@
+@@ -0,0 +1,5 @@
 +
 +/usr/libexec/colord		--	gen_context(system_u:object_r:colord_exec_t,s0)
 +
+/var/lib/color(/.*)?			gen_context(system_u:object_r:colord_var_lib_t,s0)
 +/var/lib/colord(/.*)?			gen_context(system_u:object_r:colord_var_lib_t,s0)
 diff --git a/policy/modules/services/colord.if b/policy/modules/services/colord.if
 new file mode 100644
@ -20466,10 +20484,10 @@ index 0000000..38cb883
 +
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
 new file mode 100644
-index 0000000..0ecb72e
+index 0000000..173e56f
 --- /dev/null
 +++ b/policy/modules/services/colord.te
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,78 @@
 +policy_module(colord,1.0.0)
 +
 +########################################
@ -20509,6 +20527,7 @@ index 0000000..0ecb72e
 +
 +corenet_udp_bind_generic_node(colord_t)
 +corenet_udp_bind_ipp_port(colord_t)
+corenet_tcp_connect_ipp_port(colord_t)
 +
 +dev_read_raw_memory(colord_t)
 +dev_write_raw_memory(colord_t)
@ -20519,6 +20538,8 @@ index 0000000..0ecb72e
 +dev_read_urand(colord_t)
 +dev_list_sysfs(colord_t)
 +dev_read_generic_usb_dev(colord_t)
+storage_read_scsi_generic(colord_t)
+storage_write_scsi_generic(colord_t)
 +
 +domain_use_interactive_fds(colord_t)
 +
@ -20536,6 +20557,13 @@ index 0000000..0ecb72e
 +')
 +
 +optional_policy(`
+	policykit_dbus_chat(colord_t)
+	policykit_domtrans_auth(colord_t)
+	policykit_read_lib(colord_t)
+	policykit_read_reload(colord_t)
+')
+
+optional_policy(`
 +	udev_read_db(colord_t)
 +')
 diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
@ -22048,7 +22076,7 @@ index a8b93c0..831ce70 100644
 type dante_var_run_t;
 files_pid_file(dante_var_run_t)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 0d5711c..2f38c31 100644
+index 0d5711c..cee56c8 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@ -22073,7 +22101,18 @@ index 0d5711c..2f38c31 100644
 	ubac_constrained($1_dbusd_t)
 	role $2 types $1_dbusd_t;
 
-@@ -76,7 +75,7 @@ template(`dbus_role_template',`
+@@ -62,8 +61,9 @@ template(`dbus_role_template',`
+ 	# Local policy
+ 	#
+ 
+	dontaudit $1_dbusd_t self:capability sys_resource;
+ 	allow $1_dbusd_t self:process { getattr sigkill signal };
+-	dontaudit $1_dbusd_t self:process ptrace;
+	dontaudit $1_dbusd_t self:process { ptrace setrlimit };
+ 	allow $1_dbusd_t self:file { getattr read write };
+ 	allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
+ 	allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+@@ -76,7 +76,7 @@ template(`dbus_role_template',`
 	allow $3 $1_dbusd_t:unix_stream_socket connectto;
 
 	# SE-DBus specific permissions
@ -22082,7 +22121,7 @@ index 0d5711c..2f38c31 100644
 	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
 
 	allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
-@@ -88,14 +87,16 @@ template(`dbus_role_template',`
+@@ -88,14 +88,16 @@ template(`dbus_role_template',`
 	files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
 
 	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
@ -22102,7 +22141,7 @@ index 0d5711c..2f38c31 100644
 
 	kernel_read_system_state($1_dbusd_t)
 	kernel_read_kernel_sysctls($1_dbusd_t)
-@@ -116,7 +117,7 @@ template(`dbus_role_template',`
+@@ -116,7 +118,7 @@ template(`dbus_role_template',`
 
 	dev_read_urand($1_dbusd_t)
 
@ -22111,7 +22150,7 @@ index 0d5711c..2f38c31 100644
 	domain_read_all_domains_state($1_dbusd_t)
 
 	files_read_etc_files($1_dbusd_t)
-@@ -149,17 +150,25 @@ template(`dbus_role_template',`
+@@ -149,17 +151,25 @@ template(`dbus_role_template',`
 
 	term_use_all_terms($1_dbusd_t)
 
@ -22139,7 +22178,7 @@ index 0d5711c..2f38c31 100644
 		xserver_use_xdm_fds($1_dbusd_t)
 		xserver_rw_xdm_pipes($1_dbusd_t)
 	')
-@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',`
+@@ -181,10 +191,12 @@ interface(`dbus_system_bus_client',`
 		type system_dbusd_t, system_dbusd_t;
 		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
 		class dbus send_msg;
@ -22152,7 +22191,7 @@ index 0d5711c..2f38c31 100644
 
 	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 	files_search_var_lib($1)
-@@ -197,6 +208,34 @@ interface(`dbus_system_bus_client',`
+@@ -197,6 +209,34 @@ interface(`dbus_system_bus_client',`
 
 #######################################
 ## <summary>
@ -22187,7 +22226,7 @@ index 0d5711c..2f38c31 100644
 ##	Template for creating connections to
 ##	a user DBUS.
 ## </summary>
-@@ -217,6 +256,8 @@ interface(`dbus_session_bus_client',`
+@@ -217,6 +257,8 @@ interface(`dbus_session_bus_client',`
 
 	# For connecting to the bus
 	allow $1 session_bus_type:unix_stream_socket connectto;
@ -22196,7 +22235,7 @@ index 0d5711c..2f38c31 100644
 ')
 
 ########################################
-@@ -431,14 +472,28 @@ interface(`dbus_system_domain',`
+@@ -431,14 +473,28 @@ interface(`dbus_system_domain',`
 
 	domtrans_pattern(system_dbusd_t, $2, $1)
 
@ -22226,7 +22265,7 @@ index 0d5711c..2f38c31 100644
 		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
 	')
 ')
-@@ -497,3 +552,23 @@ interface(`dbus_unconfined',`
+@@ -497,3 +553,23 @@ interface(`dbus_unconfined',`
 
 	typeattribute $1 dbusd_unconfined;
 ')
@ -22251,17 +22290,17 @@ index 0d5711c..2f38c31 100644
 +')
 +
 diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 86d09b4..1c0dd9b 100644
+index 86d09b4..8e05351 100644
 --- a/policy/modules/services/dbus.te
 +++ b/policy/modules/services/dbus.te
-@@ -33,6 +33,7 @@ files_tmp_file(system_dbusd_tmp_t)
- 
- type system_dbusd_var_lib_t;
- files_type(system_dbusd_var_lib_t)
-+init_sock_file(system_dbusd_var_lib_t)
+@@ -36,6 +36,7 @@ files_type(system_dbusd_var_lib_t)
 
 type system_dbusd_var_run_t;
 files_pid_file(system_dbusd_var_run_t)
+init_sock_file(system_dbusd_var_run_t)
+ 
+ ifdef(`enable_mcs',`
+ 	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
@@ -52,9 +53,9 @@ ifdef(`enable_mls',`
 
 # dac_override: /var/run/dbus is owned by messagebus on Debian
@ -39577,7 +39616,7 @@ index 22adaca..d9913e0 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..f5c37de 100644
+index 2dad3c8..d060ae4 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@ -39716,7 +39755,7 @@ index 2dad3c8..f5c37de 100644
 
 seutil_read_config(ssh_t)
 
-@@ -169,14 +176,18 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
+@@ -169,14 +176,19 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
 userdom_search_user_home_dirs(ssh_t)
 # Write to the user domain tty.
 userdom_use_user_terminals(ssh_t)
@ -39725,6 +39764,7 @@ index 2dad3c8..f5c37de 100644
 userdom_read_user_tmp_files(ssh_t)
 +userdom_write_user_tmp_files(ssh_t)
 +userdom_read_user_home_content_symlinks(ssh_t)
+userdom_read_home_certs(ssh_t)
 
 tunable_policy(`allow_ssh_keysign',`
 -	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
@ -39740,7 +39780,7 @@ index 2dad3c8..f5c37de 100644
 ')
 
 tunable_policy(`use_nfs_home_dirs',`
-@@ -196,10 +207,15 @@ tunable_policy(`user_tcp_server',`
+@@ -196,10 +208,15 @@ tunable_policy(`user_tcp_server',`
 ')
 
 optional_policy(`
@ -39756,7 +39796,7 @@ index 2dad3c8..f5c37de 100644
 ##############################
 #
 # ssh_keysign_t local policy
-@@ -209,7 +225,7 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,7 +226,7 @@ tunable_policy(`allow_ssh_keysign',`
 	allow ssh_keysign_t self:capability { setgid setuid };
 	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
 
@ -39765,7 +39805,7 @@ index 2dad3c8..f5c37de 100644
 
 	dev_read_urand(ssh_keysign_t)
 
-@@ -232,33 +248,43 @@ optional_policy(`
+@@ -232,33 +249,43 @@ optional_policy(`
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
@ -39818,7 +39858,7 @@ index 2dad3c8..f5c37de 100644
 ')
 
 optional_policy(`
-@@ -266,11 +292,24 @@ optional_policy(`
+@@ -266,11 +293,24 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -39844,7 +39884,7 @@ index 2dad3c8..f5c37de 100644
 ')
 
 optional_policy(`
-@@ -284,6 +323,11 @@ optional_policy(`
+@@ -284,6 +324,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -39856,7 +39896,7 @@ index 2dad3c8..f5c37de 100644
 	unconfined_shell_domtrans(sshd_t)
 ')
 
-@@ -292,26 +336,26 @@ optional_policy(`
+@@ -292,26 +337,26 @@ optional_policy(`
 ')
 
 ifdef(`TODO',`
@ -39902,7 +39942,7 @@ index 2dad3c8..f5c37de 100644
 ') dnl endif TODO
 
 ########################################
-@@ -324,12 +368,15 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -324,12 +369,15 @@ tunable_policy(`ssh_sysadm_login',`
 
 dontaudit ssh_keygen_t self:capability sys_tty_config;
 allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@ -39919,7 +39959,7 @@ index 2dad3c8..f5c37de 100644
 kernel_read_kernel_sysctls(ssh_keygen_t)
 
 fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -353,7 +400,7 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -353,7 +401,7 @@ logging_send_syslog_msg(ssh_keygen_t)
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 
 optional_policy(`
@ -45028,7 +45068,7 @@ index 88df85d..2fa3974 100644
 	ssh_sigchld(application_domain_type)
 	ssh_rw_stream_sockets(application_domain_type)
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 2952cef..4485fd5 100644
+index 2952cef..d845132 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
@@ -10,6 +10,7 @@
@ -45051,12 +45091,12 @@ index 2952cef..4485fd5 100644
 /var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
 
 /var/run/console(/.*)?	 	gen_context(system_u:object_r:pam_var_console_t,s0)
-+/var/run/faillock(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/run/faillock(/.*)?		gen_context(system_u:object_r:faillog_t,s0)
 /var/run/pam_mount(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 42b4f0f..e6b751b 100644
+index 42b4f0f..75cee4d 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@ -45124,15 +45164,16 @@ index 42b4f0f..e6b751b 100644
 
 	selinux_get_fs_mount($1)
 	selinux_validate_context($1)
-@@ -141,6 +158,7 @@ interface(`auth_login_pgm_domain',`
+@@ -141,6 +158,8 @@ interface(`auth_login_pgm_domain',`
 	mls_process_set_level($1)
 	mls_fd_share_all_levels($1)
 
+	auth_manage_faillog($1)
 +	auth_manage_pam_pid($1)
 	auth_use_pam($1)
 
 	init_rw_utmp($1)
-@@ -151,8 +169,45 @@ interface(`auth_login_pgm_domain',`
+@@ -151,8 +170,45 @@ interface(`auth_login_pgm_domain',`
 	seutil_read_config($1)
 	seutil_read_default_contexts($1)
 
@ -45180,7 +45221,7 @@ index 42b4f0f..e6b751b 100644
 	')
 ')
 
-@@ -365,13 +420,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -365,13 +421,15 @@ interface(`auth_domtrans_chk_passwd',`
 	')
 
 	optional_policy(`
@ -45197,7 +45238,7 @@ index 42b4f0f..e6b751b 100644
 ')
 
 ########################################
-@@ -418,6 +475,7 @@ interface(`auth_run_chk_passwd',`
+@@ -418,6 +476,7 @@ interface(`auth_run_chk_passwd',`
 
 	auth_domtrans_chk_passwd($1)
 	role $2 types chkpwd_t;
@ -45205,7 +45246,7 @@ index 42b4f0f..e6b751b 100644
 ')
 
 ########################################
-@@ -694,7 +752,7 @@ interface(`auth_relabel_shadow',`
+@@ -694,7 +753,7 @@ interface(`auth_relabel_shadow',`
 	')
 
 	files_search_etc($1)
@ -45214,7 +45255,7 @@ index 42b4f0f..e6b751b 100644
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
 
-@@ -736,6 +794,43 @@ interface(`auth_rw_faillog',`
+@@ -736,6 +795,45 @@ interface(`auth_rw_faillog',`
 	allow $1 faillog_t:file rw_file_perms;
 ')
 
@ -45252,13 +45293,15 @@ index 42b4f0f..e6b751b 100644
 +	')
 +
 +	logging_search_logs($1)
+	files_search_pids($1)
+	allow $1 faillog_t:dir manage_dir_perms;
 +	allow $1 faillog_t:file manage_file_perms;
 +')
 +
 #######################################
 ## <summary>
 ##	Read the last logins log.
-@@ -874,6 +969,46 @@ interface(`auth_exec_pam',`
+@@ -874,6 +972,46 @@ interface(`auth_exec_pam',`
 
 ########################################
 ## <summary>
@ -45305,7 +45348,7 @@ index 42b4f0f..e6b751b 100644
 ##	Manage var auth files. Used by various other applications
 ##	and pam applets etc.
 ## </summary>
-@@ -896,6 +1031,26 @@ interface(`auth_manage_var_auth',`
+@@ -896,6 +1034,26 @@ interface(`auth_manage_var_auth',`
 
 ########################################
 ## <summary>
@ -45332,7 +45375,7 @@ index 42b4f0f..e6b751b 100644
 ##	Read PAM PID files.
 ## </summary>
 ## <param name="domain">
-@@ -1093,6 +1248,24 @@ interface(`auth_delete_pam_console_data',`
+@@ -1093,6 +1251,24 @@ interface(`auth_delete_pam_console_data',`
 
 ########################################
 ## <summary>
@ -45357,7 +45400,7 @@ index 42b4f0f..e6b751b 100644
 ##	Read all directories on the filesystem, except
 ##	the shadow passwords and listed exceptions.
 ## </summary>
-@@ -1326,6 +1499,25 @@ interface(`auth_setattr_login_records',`
+@@ -1326,6 +1502,25 @@ interface(`auth_setattr_login_records',`
 
 ########################################
 ## <summary>
@ -45383,7 +45426,7 @@ index 42b4f0f..e6b751b 100644
 ##	Read login records files (/var/log/wtmp).
 ## </summary>
 ## <param name="domain">
-@@ -1500,28 +1692,36 @@ interface(`auth_manage_login_records',`
+@@ -1500,28 +1695,36 @@ interface(`auth_manage_login_records',`
 #
 interface(`auth_use_nsswitch',`
 
@ -45427,7 +45470,7 @@ index 42b4f0f..e6b751b 100644
 	optional_policy(`
 		kerberos_use($1)
 	')
-@@ -1531,7 +1731,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1734,15 @@ interface(`auth_use_nsswitch',`
 	')
 
 	optional_policy(`
@ -51291,10 +51334,10 @@ index 0000000..1d17a7b
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..23d4b0c
+index 0000000..17f7ea8
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,138 @@
+@@ -0,0 +1,144 @@
 +
 +policy_module(systemd, 1.0.0)
 +
@ -51397,6 +51440,11 @@ index 0000000..23d4b0c
 +
 +seutil_read_file_contexts(systemd_tmpfiles_t)
 +
+mcs_file_read_all(systemd_tmpfiles_t)
+mcs_file_write_all(systemd_tmpfiles_t)
+mls_file_read_all_levels(systemd_tmpfiles_t)
+mls_file_write_all_levels(systemd_tmpfiles_t)
+
 +logging_create_devlog_dev(systemd_tmpfiles_t)
 +logging_send_syslog_msg(systemd_tmpfiles_t)
 +
@ -51409,6 +51457,7 @@ index 0000000..23d4b0c
 +')
 +
 +optional_policy(`
+	rpm_read_db(systemd_tmpfiles_t)
 +	rpm_delete_db(systemd_tmpfiles_t)
 +')
 +
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -472,6 +472,13 @@ exit 0
 %endif

 %changelog
+* Thu Mar 10 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-2
+- Add policykit fixes from Tim Waugh
+- dontaudit sandbox domains sandbox_file_t:dir mounton
+- Add new dontaudit rules for sysadm_dbusd_t
+- Change label for /var/run/faillock
+	* other fixes which relate with this change
+
 * Tue Mar 8 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-1
 - Update to upstream
 - Fixes for telepathy