- fetchmail can use kerberos

- ksmtuned reads in shell programs - gnome_systemctl_t reads the process state of ntp - dnsmasq_t asks the kernel to load multiple kernel mod - Add rules for domains executing systemctl - Bogus text within fc file
2011-08-04 22:32:55 +02:00 · 2011-08-04 22:32:55 +02:00 · 913fabe1c8
parent 8becfd3523
commit 913fabe1c8
2 changed files with 185 additions and 105 deletions
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -1084,7 +1084,7 @@ index 3c7b1e8..1e155f5 100644
 +
 +/var/run/epylog\.pid		gen_context(system_u:object_r:logwatch_var_run_t,s0)
 diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
-index 75ce30f..b48b383 100644
+index 75ce30f..7db2988 100644
 --- a/policy/modules/admin/logwatch.te
 +++ b/policy/modules/admin/logwatch.te
@@ -19,6 +19,12 @@ files_lock_file(logwatch_lock_t)
@ -1143,7 +1143,7 @@ index 75ce30f..b48b383 100644
 	files_getattr_all_file_type_fs(logwatch_t)
 ')
 
-@@ -145,3 +160,22 @@ optional_policy(`
+@@ -145,3 +160,23 @@ optional_policy(`
 	samba_read_log(logwatch_t)
 	samba_read_share_files(logwatch_t)
 ')
@ -1158,6 +1158,7 @@ index 75ce30f..b48b383 100644
 +manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
 +
 +dev_read_rand(logwatch_mail_t)
+dev_read_sysfs(logwatch_mail_t)
 +
 +logging_read_all_logs(logwatch_mail_t)
 +
@ -6678,7 +6679,7 @@ index 93ac529..35b51ab 100644
 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..170963f 100644
+index fbb5c5a..2339227 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@ -6716,7 +6717,7 @@ index fbb5c5a..170963f 100644
 ')
 
 ########################################
-@@ -228,6 +238,33 @@ interface(`mozilla_run_plugin',`
+@@ -228,6 +238,35 @@ interface(`mozilla_run_plugin',`
 
 	mozilla_domtrans_plugin($1)
 	role $2 types mozilla_plugin_t;
@ -6725,6 +6726,8 @@ index fbb5c5a..170963f 100644
 +	allow $1 mozilla_plugin_t:fd use;
 +
 +	allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
+	allow mozilla_plugin_t $1:shm rw_shm_perms;
+	allow mozilla_plugin_t $1:sem create_sem_perms;
 +
 +	ps_process_pattern($1, mozilla_plugin_t)
 +	allow $1 mozilla_plugin_t:process { ptrace signal_perms };
@ -6750,7 +6753,7 @@ index fbb5c5a..170963f 100644
 ')
 
 ########################################
-@@ -269,9 +306,27 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -269,9 +308,27 @@ interface(`mozilla_rw_tcp_sockets',`
 	allow $1 mozilla_t:tcp_socket rw_socket_perms;
 ')
 
@ -6779,7 +6782,7 @@ index fbb5c5a..170963f 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -279,28 +334,28 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +336,28 @@ interface(`mozilla_rw_tcp_sockets',`
 ##	</summary>
 ## </param>
 #
@ -16004,7 +16007,7 @@ index 6346378..edbe041 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index d91c62f..9740613 100644
+index d91c62f..848f59b 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
@@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@ -16024,12 +16027,21 @@ index d91c62f..9740613 100644
 
 # These initial sids are no longer used, and can be removed:
 sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -247,6 +250,9 @@ dev_delete_generic_blk_files(kernel_t)
- dev_create_generic_chr_files(kernel_t)
- dev_delete_generic_chr_files(kernel_t)
+@@ -242,11 +245,14 @@ dev_search_usbfs(kernel_t)
+ # devtmpfs handling:
+ dev_create_generic_dirs(kernel_t)
+ dev_delete_generic_dirs(kernel_t)
+-dev_create_generic_blk_files(kernel_t)
+-dev_delete_generic_blk_files(kernel_t)
+-dev_create_generic_chr_files(kernel_t)
+-dev_delete_generic_chr_files(kernel_t)
+dev_create_all_blk_files(kernel_t)
+dev_delete_all_blk_files(kernel_t)
+dev_create_all_chr_files(kernel_t)
+dev_delete_all_chr_files(kernel_t)
 dev_mounton(kernel_t)
 +dev_filetrans_all_named_dev(kernel_t)
-+#storage_filetrans_all_named_dev(kernel_t)
+storage_filetrans_all_named_dev(kernel_t)
 +term_filetrans_all_named_dev(kernel_t)
 
 # Mount root file system. Used when loading a policy
@ -18983,7 +18995,7 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..fc2c9ec
+index 0000000..db35ff1
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,553 @@
@ -19364,9 +19376,9 @@ index 0000000..fc2c9ec
 +	lpd_run_checkpc(unconfined_t, unconfined_r)
 +')
 +
-+optional_policy(`
-+	mock_role(unconfined_r, unconfined_t)
-+')
+#optional_policy(`
+#	mock_role(unconfined_r, unconfined_t)
+#')
 +
 +optional_policy(`
 +	modutils_run_update_mods(unconfined_t, unconfined_r)
@ -30896,10 +30908,10 @@ index 9bd812b..c4abec3 100644
 ##	an dnsmasq environment
 ## </summary>
 diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..df87ba8 100644
+index fdaeeba..d707dde 100644
 --- a/policy/modules/services/dnsmasq.te
 +++ b/policy/modules/services/dnsmasq.te
-@@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+@@ -48,11 +48,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
 manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
 logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
 
@ -30910,7 +30922,11 @@ index fdaeeba..df87ba8 100644
 
 kernel_read_kernel_sysctls(dnsmasq_t)
 kernel_read_system_state(dnsmasq_t)
-@@ -88,6 +89,8 @@ logging_send_syslog_msg(dnsmasq_t)
+kernel_request_load_module(dnsmasq_t)
+ 
+ corenet_all_recvfrom_unlabeled(dnsmasq_t)
+ corenet_all_recvfrom_netlabel(dnsmasq_t)
+@@ -88,6 +90,8 @@ logging_send_syslog_msg(dnsmasq_t)
 
 miscfiles_read_localization(dnsmasq_t)
 
@ -30919,7 +30935,7 @@ index fdaeeba..df87ba8 100644
 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
 userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
 
-@@ -96,7 +99,16 @@ optional_policy(`
+@@ -96,7 +100,16 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30936,7 +30952,7 @@ index fdaeeba..df87ba8 100644
 ')
 
 optional_policy(`
-@@ -114,4 +126,5 @@ optional_policy(`
+@@ -114,4 +127,5 @@ optional_policy(`
 optional_policy(`
 	virt_manage_lib_files(dnsmasq_t)
 	virt_read_pid_files(dnsmasq_t)
@ -32449,6 +32465,21 @@ index 6537214..7d64c0a 100644
 	ps_process_pattern($1, fetchmail_t)
 
 	files_list_etc($1)
+diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
+index 3459d93..c39305a 100644
+--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
+@@ -88,6 +88,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
+ userdom_dontaudit_search_user_home_dirs(fetchmail_t)
+ 
+ optional_policy(`
+	kerberos_use(fetchmail_t)
+')
+
+optional_policy(`
+ 	procmail_domtrans(fetchmail_t)
+ ')
+ 
 diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
 index 9b7036a..4770f61 100644
 --- a/policy/modules/services/finger.te
@ -33797,7 +33828,7 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..b9032a7 100644
+index 4fde46b..eac72e4 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
@@ -9,24 +9,32 @@ type gnomeclock_t;
@ -33836,7 +33867,7 @@ index 4fde46b..b9032a7 100644
 
 miscfiles_read_localization(gnomeclock_t)
 miscfiles_manage_localization(gnomeclock_t)
-@@ -35,12 +43,51 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,12 +43,47 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
 userdom_read_all_users_state(gnomeclock_t)
 
 optional_policy(`
@ -33876,17 +33907,13 @@ index 4fde46b..b9032a7 100644
 +files_dontaudit_remove_etc_dir(gnomeclock_systemctl_t)
 +files_manage_etc_symlinks(gnomeclock_systemctl_t)
 +
-+fs_dontaudit_search_cgroup_dirs(gnomeclock_systemctl_t)
-+
-+# needed by systemctl
-+init_stream_connect(gnomeclock_systemctl_t)
-+init_read_state(gnomeclock_systemctl_t)
-+init_list_pid_dirs(gnomeclock_systemctl_t)
+miscfiles_read_localization(gnomeclock_systemctl_t)
 +
 +systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t)
 +
 +optional_policy(`
-+	ntpd_read_unit_file(gnomeclock_systemctl_t)
+	ntp_read_unit_file(gnomeclock_systemctl_t)
+	ntp_read_state(gnomeclock_systemctl_t)
 +')
 diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
 index 7d97298..d6b2959 100644
@ -35215,7 +35242,7 @@ index da2127e..6538d66 100644
 +
 +sysnet_read_config(jabberd_domain)
 diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
-index 3525d24..74ec098 100644
+index 3525d24..e065744 100644
 --- a/policy/modules/services/kerberos.fc
 +++ b/policy/modules/services/kerberos.fc
@@ -8,7 +8,7 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
@ -35227,13 +35254,12 @@ index 3525d24..74ec098 100644
 /etc/rc\.d/init\.d/kprop	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-@@ -30,4 +30,8 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
+@@ -30,4 +30,7 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
 /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
 /var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
 
 +/var/cache/krb5rcache(/.*)?	 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +
-+krb5_host_rcache_t
 /var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/HTTP_23		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
@ -35798,7 +35824,7 @@ index 6fd0b4c..b733e45 100644
 -
 ')
 diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te
-index a73b7a1..7fa55e8 100644
+index a73b7a1..677998f 100644
 --- a/policy/modules/services/ksmtuned.te
 +++ b/policy/modules/services/ksmtuned.te
@@ -9,6 +9,9 @@ type ksmtuned_t;
@ -35822,13 +35848,14 @@ index a73b7a1..7fa55e8 100644
 manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
 files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
 
-@@ -31,9 +38,16 @@ kernel_read_system_state(ksmtuned_t)
+@@ -31,9 +38,17 @@ kernel_read_system_state(ksmtuned_t)
 dev_rw_sysfs(ksmtuned_t)
 
 domain_read_all_domains_state(ksmtuned_t)
 +domain_dontaudit_read_all_domains_state(ksmtuned_t)
 
 corecmd_exec_bin(ksmtuned_t)
+corecmd_exec_shell(ksmtuned_t)
 
 files_read_etc_files(ksmtuned_t)
 
@ -36263,7 +36290,7 @@ index 49e04e5..69db026 100644
 /usr/sbin/lircd		--	gen_context(system_u:object_r:lircd_exec_t,s0)
 
 diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
-index 6a78de1..0aebce6 100644
+index 6a78de1..a32fbe8 100644
 --- a/policy/modules/services/lircd.te
 +++ b/policy/modules/services/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@ -36283,7 +36310,7 @@ index 6a78de1..0aebce6 100644
 allow lircd_t self:fifo_file rw_fifo_file_perms;
 allow lircd_t self:unix_dgram_socket create_socket_perms;
 allow lircd_t self:tcp_socket create_stream_socket_perms;
-@@ -44,13 +45,13 @@ corenet_tcp_bind_lirc_port(lircd_t)
+@@ -44,13 +45,14 @@ corenet_tcp_bind_lirc_port(lircd_t)
 corenet_tcp_sendrecv_all_ports(lircd_t)
 corenet_tcp_connect_lirc_port(lircd_t)
 
@ -36293,6 +36320,7 @@ index 6a78de1..0aebce6 100644
 dev_filetrans_lirc(lircd_t)
 dev_rw_lirc(lircd_t)
 dev_rw_input_dev(lircd_t)
+dev_read_sysfs(lircd_t)
 
 -files_read_etc_files(lircd_t)
 +files_read_config_files(lircd_t)
@ -37663,15 +37691,14 @@ index 47e3612..ece07ab 100644
 # The milter runs from /var/lib/spamass-milter
 diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc
 new file mode 100644
-index 0000000..68ad33f
+index 0000000..8d0e473
 --- /dev/null
 +++ b/policy/modules/services/mock.fc
-@@ -0,0 +1,6 @@
+@@ -0,0 +1,5 @@
 +
 +/usr/sbin/mock		--	gen_context(system_u:object_r:mock_exec_t,s0)
 +
-+/var/lib/mock		-d	gen_context(system_u:object_r:mock_var_lib_t,s0)
-+/var/lib/mock(/.*)?		<<none>>
+/var/lib/mock(/.*)?		gen_context(system_u:object_r:mock_var_lib_t,s0)
 +/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
 diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if
 new file mode 100644
@ -40576,7 +40603,7 @@ index e79dccc..50202ef 100644
 /usr/sbin/ntpdate		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
 
 diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..be0d107 100644
+index e80f8c0..d90ed98 100644
 --- a/policy/modules/services/ntp.if
 +++ b/policy/modules/services/ntp.if
@@ -98,6 +98,25 @@ interface(`ntp_initrc_domtrans',`
@ -40593,7 +40620,7 @@ index e80f8c0..be0d107 100644
 +##      </summary>
 +## </param>
 +#
-+interface(`ntpd_read_unit_file',`
+interface(`ntp_read_unit_file',`
 +        gen_require(`
 +                type ntpd_unit_file_t;
 +        ')
@ -40605,7 +40632,33 @@ index e80f8c0..be0d107 100644
 ########################################
 ## <summary>
 ##	Read and write ntpd shared memory.
-@@ -140,11 +159,10 @@ interface(`ntp_rw_shm',`
+@@ -122,6 +141,25 @@ interface(`ntp_rw_shm',`
+ 
+ ########################################
+ ## <summary>
+##	Allow the domain to read ntpd state files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_read_state',`
+	gen_require(`
+		type ntpd_t;
+	')
+
+	kernel_search_proc($1)
+	ps_process_pattern($1, ntpd_t)
+')
+
+########################################
+## <summary>
+ ##	All of the rules required to administrate
+ ##	an ntp environment
+ ## </summary>
+@@ -140,11 +178,10 @@ interface(`ntp_rw_shm',`
 interface(`ntp_admin',`
 	gen_require(`
 		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
@ -49859,7 +49912,7 @@ index adea9f9..d5b2d93 100644
 
 	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
 diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
-index 606a098..f00a814 100644
+index 606a098..5e4d100 100644
 --- a/policy/modules/services/smartmon.te
 +++ b/policy/modules/services/smartmon.te
@@ -35,7 +35,7 @@ ifdef(`enable_mls',`
@ -49867,7 +49920,7 @@ index 606a098..f00a814 100644
 #
 
 -allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin };
-+allow fsdaemon_t self:capability { dac_override setpcap setgid sys_rawio sys_admin };
+allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin };
 dontaudit fsdaemon_t self:capability sys_tty_config;
 allow fsdaemon_t self:process { getcap setcap signal_perms };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
@ -57262,7 +57315,7 @@ index 21ae664..3e448dd 100644
 +    manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
 +')
 diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
-index 9fb4747..16b2616 100644
+index 9fb4747..a59cfc2 100644
 --- a/policy/modules/services/zarafa.te
 +++ b/policy/modules/services/zarafa.te
@@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
@ -57285,7 +57338,7 @@ index 9fb4747..16b2616 100644
 ########################################
 #
 # zarafa-deliver local policy
-@@ -57,6 +63,21 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+@@ -57,6 +63,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
 corenet_tcp_bind_generic_node(zarafa_gateway_t)
 corenet_tcp_bind_pop_port(zarafa_gateway_t)
 
@ -57302,12 +57355,11 @@ index 9fb4747..16b2616 100644
 +
 +manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
 +manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
-+
 +
 #######################################
 #
 # zarafa-ical local policy
-@@ -136,6 +157,34 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
+@@ -136,6 +156,36 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
 corenet_tcp_sendrecv_all_ports(zarafa_spooler_t)
 corenet_tcp_connect_smtp_port(zarafa_spooler_t)
 
@ -57321,6 +57373,8 @@ index 9fb4747..16b2616 100644
 +allow zarafa_gateway_t self:capability { chown kill };
 +allow zarafa_gateway_t self:process setrlimit;
 +
+dev_read_rand(zarafa_gateway_t)
+
 +corenet_tcp_bind_pop_port(zarafa_gateway_t)
 +
 +#######################################
@ -57342,7 +57396,7 @@ index 9fb4747..16b2616 100644
 ########################################
 #
 # zarafa domains local policy
-@@ -156,6 +205,4 @@ kernel_read_system_state(zarafa_domain)
+@@ -156,6 +206,4 @@ kernel_read_system_state(zarafa_domain)
 
 files_read_etc_files(zarafa_domain)
 
@ -59254,7 +59308,7 @@ index 94fd8dd..417ec32 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..4d20828 100644
+index 29a9565..2163271 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@ -59330,7 +59384,7 @@ index 29a9565..4d20828 100644
 # is ~sys_module really needed? observed:
 # sys_boot
 # sys_tty_config
-@@ -100,11 +134,15 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -100,11 +134,16 @@ allow init_t self:fifo_file rw_fifo_file_perms;
 # Re-exec itself
 can_exec(init_t, init_exec_t)
 
@ -59347,10 +59401,11 @@ index 29a9565..4d20828 100644
 +manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
 +manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
 +files_pid_filetrans(init_t, init_var_run_t, { dir file })
+allow init_t init_var_run_t:dir mounton;
 
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -114,25 +152,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -114,25 +153,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
@ -59385,7 +59440,7 @@ index 29a9565..4d20828 100644
 files_etc_filetrans_etc_runtime(init_t, file)
 # Run /etc/X11/prefdm:
 files_exec_etc_files(init_t)
-@@ -151,10 +198,19 @@ mls_file_read_all_levels(init_t)
+@@ -151,10 +199,19 @@ mls_file_read_all_levels(init_t)
 mls_file_write_all_levels(init_t)
 mls_process_write_down(init_t)
 mls_fd_use_all_levels(init_t)
@ -59406,7 +59461,7 @@ index 29a9565..4d20828 100644
 
 # Run init scripts.
 init_domtrans_script(init_t)
-@@ -162,12 +218,16 @@ init_domtrans_script(init_t)
+@@ -162,12 +219,16 @@ init_domtrans_script(init_t)
 libs_rw_ld_so_cache(init_t)
 
 logging_send_syslog_msg(init_t)
@ -59423,7 +59478,7 @@ index 29a9565..4d20828 100644
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
 ')
-@@ -178,7 +238,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +239,7 @@ ifdef(`distro_redhat',`
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
 ')
 
@ -59432,7 +59487,7 @@ index 29a9565..4d20828 100644
 	corecmd_shell_domtrans(init_t, initrc_t)
 ',`
 	# Run the shell in the sysadm role for single-user mode.
-@@ -186,16 +246,136 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +247,137 @@ tunable_policy(`init_upstart',`
 	sysadm_shell_domtrans(init_t)
 ')
 
@ -59497,6 +59552,7 @@ index 29a9565..4d20828 100644
 +	files_create_lock_dirs(init_t)
 +	files_relabel_all_lock_dirs(init_t)
 +
+	fs_getattr_all_fs(init_t)
 +	fs_manage_cgroup_dirs(init_t)
 +	fs_manage_cgroup_files(init_t)
 +	fs_manage_hugetlbfs_dirs(init_t)
@ -59571,7 +59627,7 @@ index 29a9565..4d20828 100644
 ')
 
 optional_policy(`
-@@ -203,6 +383,17 @@ optional_policy(`
+@@ -203,6 +385,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -59589,7 +59645,7 @@ index 29a9565..4d20828 100644
 	unconfined_domain(init_t)
 ')
 
-@@ -212,7 +403,7 @@ optional_policy(`
+@@ -212,7 +405,7 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -59598,7 +59654,7 @@ index 29a9565..4d20828 100644
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -241,12 +432,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +434,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -59614,7 +59670,7 @@ index 29a9565..4d20828 100644
 
 init_write_initctl(initrc_t)
 
-@@ -258,20 +452,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +454,32 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -59651,7 +59707,7 @@ index 29a9565..4d20828 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +485,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +487,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -59659,7 +59715,7 @@ index 29a9565..4d20828 100644
 dev_write_kmsg(initrc_t)
 dev_write_rand(initrc_t)
 dev_write_urand(initrc_t)
-@@ -289,8 +496,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +498,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -59670,7 +59726,7 @@ index 29a9565..4d20828 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -298,13 +507,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +509,14 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -59687,7 +59743,7 @@ index 29a9565..4d20828 100644
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
-@@ -316,6 +526,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +528,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -59695,7 +59751,7 @@ index 29a9565..4d20828 100644
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -323,8 +534,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +536,10 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -59707,7 +59763,7 @@ index 29a9565..4d20828 100644
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
-@@ -340,8 +553,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +555,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -59721,7 +59777,7 @@ index 29a9565..4d20828 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -351,6 +568,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +570,8 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -59730,7 +59786,7 @@ index 29a9565..4d20828 100644
 
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
-@@ -363,6 +582,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +584,7 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -59738,7 +59794,7 @@ index 29a9565..4d20828 100644
 
 selinux_get_enforce_mode(initrc_t)
 
-@@ -374,6 +594,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +596,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 
 auth_rw_login_records(initrc_t)
@ -59746,7 +59802,7 @@ index 29a9565..4d20828 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -394,18 +615,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +617,17 @@ logging_read_audit_config(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
@ -59768,7 +59824,7 @@ index 29a9565..4d20828 100644
 
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +678,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +680,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
@ -59779,7 +59835,7 @@ index 29a9565..4d20828 100644
 		alsa_read_lib(initrc_t)
 	')
 
-@@ -478,7 +702,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +704,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -59788,7 +59844,7 @@ index 29a9565..4d20828 100644
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -493,6 +717,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +719,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -59796,7 +59852,7 @@ index 29a9565..4d20828 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +747,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +749,33 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -59830,7 +59886,7 @@ index 29a9565..4d20828 100644
 	')
 
 	optional_policy(`
-@@ -531,10 +781,26 @@ ifdef(`distro_redhat',`
+@@ -531,10 +783,26 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -59857,7 +59913,7 @@ index 29a9565..4d20828 100644
 	')
 
 	optional_policy(`
-@@ -549,6 +815,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +817,39 @@ ifdef(`distro_suse',`
 	')
 ')
 
@ -59897,7 +59953,7 @@ index 29a9565..4d20828 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +860,8 @@ optional_policy(`
+@@ -561,6 +862,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -59906,7 +59962,7 @@ index 29a9565..4d20828 100644
 ')
 
 optional_policy(`
-@@ -577,6 +878,7 @@ optional_policy(`
+@@ -577,6 +880,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -59914,7 +59970,7 @@ index 29a9565..4d20828 100644
 ')
 
 optional_policy(`
-@@ -589,6 +891,11 @@ optional_policy(`
+@@ -589,6 +893,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -59926,7 +59982,7 @@ index 29a9565..4d20828 100644
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -605,9 +912,13 @@ optional_policy(`
+@@ -605,9 +914,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -59940,7 +59996,7 @@ index 29a9565..4d20828 100644
 	')
 
 	optional_policy(`
-@@ -649,6 +960,11 @@ optional_policy(`
+@@ -649,6 +962,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -59952,7 +60008,7 @@ index 29a9565..4d20828 100644
 	inn_exec_config(initrc_t)
 ')
 
-@@ -689,6 +1005,7 @@ optional_policy(`
+@@ -689,6 +1007,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
@ -59960,7 +60016,7 @@ index 29a9565..4d20828 100644
 ')
 
 optional_policy(`
-@@ -706,7 +1023,13 @@ optional_policy(`
+@@ -706,7 +1025,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -59974,7 +60030,7 @@ index 29a9565..4d20828 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -729,6 +1052,10 @@ optional_policy(`
+@@ -729,6 +1054,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -59985,7 +60041,7 @@ index 29a9565..4d20828 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -738,10 +1065,20 @@ optional_policy(`
+@@ -738,10 +1067,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -60006,7 +60062,7 @@ index 29a9565..4d20828 100644
 	quota_manage_flags(initrc_t)
 ')
 
-@@ -750,6 +1087,10 @@ optional_policy(`
+@@ -750,6 +1089,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -60017,7 +60073,7 @@ index 29a9565..4d20828 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -771,8 +1112,6 @@ optional_policy(`
+@@ -771,8 +1114,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -60026,7 +60082,7 @@ index 29a9565..4d20828 100644
 ')
 
 optional_policy(`
-@@ -790,10 +1129,12 @@ optional_policy(`
+@@ -790,10 +1131,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
 
@ -60039,7 +60095,7 @@ index 29a9565..4d20828 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1146,6 @@ optional_policy(`
+@@ -805,7 +1148,6 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -60047,7 +60103,7 @@ index 29a9565..4d20828 100644
 	udev_manage_pid_files(initrc_t)
 	udev_manage_rules_files(initrc_t)
 ')
-@@ -815,11 +1155,24 @@ optional_policy(`
+@@ -815,11 +1157,24 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -60073,7 +60129,7 @@ index 29a9565..4d20828 100644
 
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1182,25 @@ optional_policy(`
+@@ -829,6 +1184,25 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -60099,7 +60155,7 @@ index 29a9565..4d20828 100644
 ')
 
 optional_policy(`
-@@ -844,6 +1216,10 @@ optional_policy(`
+@@ -844,6 +1218,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -60110,7 +60166,7 @@ index 29a9565..4d20828 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
 
-@@ -854,3 +1230,149 @@ optional_policy(`
+@@ -854,3 +1232,149 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -63233,7 +63289,7 @@ index 2cc4bda..167c358 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 170e2c7..7b10445 100644
+index 170e2c7..b85fc73 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
@@ -199,6 +199,10 @@ interface(`seutil_run_newrole',`
@ -63449,7 +63505,7 @@ index 170e2c7..7b10445 100644
 ##	Full management of the semanage
 ##	module store.
 ## </summary>
-@@ -1149,3 +1313,199 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1149,3 +1313,198 @@ interface(`seutil_dontaudit_libselinux_linked',`
 	selinux_dontaudit_get_fs_mount($1)
 	seutil_dontaudit_read_config($1)
 ')
@ -63527,7 +63583,6 @@ index 170e2c7..7b10445 100644
 +	seutil_get_semanage_read_lock($1)
 +
 +	userdom_dontaudit_write_user_home_content_files($1)
-+
 +')
 +
 +
@ -64708,10 +64763,10 @@ index 0000000..3248032
 +
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..7501ef8
+index 0000000..d46fb42
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,377 @@
+@@ -0,0 +1,376 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@ -64729,17 +64784,16 @@ index 0000000..7501ef8
 +        gen_require(`
 +                type systemd_systemctl_exec_t;
 +                role system_r;
+		attribute systemctl_domain;
 +        ')
 +
-+	type $1_systemctl_t;
+	type $1_systemctl_t, systemctl_domain;
 +	domain_type($1_systemctl_t)
 +	domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t)	
 +
 +	role system_r types $1_systemctl_t;
 +
 +	domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t)
-+
-+	init_use_fds($1_t)
 +')
 +
 +########################################
@ -65091,10 +65145,10 @@ index 0000000..7501ef8
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..0185280
+index 0000000..d079aca
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,319 @@
+@@ -0,0 +1,337 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -65103,6 +65157,8 @@ index 0000000..0185280
 +#
 +
 +attribute systemd_unit_file_type;
+attribute systemd_domain;
+attribute systemctl_domain;
 +
 +# New in f16
 +permissive systemd_logger_t;
@ -65414,6 +65470,22 @@ index 0000000..0185280
 +logging_send_syslog_msg(systemd_logger_t)
 +
 +miscfiles_read_localization(systemd_logger_t)
+
+
+########################################
+#
+# systemd_sysctl domains local policy
+#
+fs_list_cgroup_dirs(systemctl_domain)
+fs_read_cgroup_files(systemctl_domain)
+
+# needed by systemctl
+init_stream_connect(systemctl_domain)
+init_read_state(systemctl_domain)
+init_list_pid_dirs(systemctl_domain)
+init_use_fds(systemctl_domain)
+
+miscfiles_read_localization(systemctl_domain)
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
 index 0291685..7e94f4b 100644
 --- a/policy/modules/system/udev.fc
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 14%{?dist}
+Release: 16%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -452,6 +452,14 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Thu Aug 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-16
+- fetchmail can use kerberos
+- ksmtuned reads in shell programs
+- gnome_systemctl_t reads the process state of ntp
+- dnsmasq_t asks the kernel to load multiple kernel modules
+- Add rules for domains executing systemctl
+- Bogus text within fc file
+
 * Wed Aug 3 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-14
 - Add cfengine policy