- Change usbmuxd_t to dontaudit attempts to read chr_file

- Add mysld_safe_exec_t for libra domains to be able to start private mysql dom - Allow pppd to search /var/lock dir - Add rhsmcertd policy
2011-06-30 17:55:41 +02:00 · 2011-06-30 17:55:41 +02:00 · 975370d58e
commit 975370d58e
parent 81fbb0fccd
3 changed files with 596 additions and 62 deletions
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -2410,3 +2410,10 @@ dspam = module
 # lldpad - Link Layer Discovery Protocol (LLDP) agent daemon
 #
 lldpad = module
 # Layer: services
 # Module: rhsmcertd
 #
 # Subscription Management Certificate Daemon policy
 #
 rhsmcertd = module
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -2359,7 +2359,7 @@ index d0604cf..3089f30 100644
 ## </summary>
 ## <param name="domain">
 diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
-index 8966ec9..f4e6c4b 100644
+index 8966ec9..8fbe943 100644
 --- a/policy/modules/admin/shutdown.te
 +++ b/policy/modules/admin/shutdown.te
@@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0)
@ -2406,7 +2406,7 @@ index 8966ec9..f4e6c4b 100644
 init_stream_connect(shutdown_t)
 init_telinit(shutdown_t)
-@@ -54,10 +58,20 @@ logging_send_audit_msgs(shutdown_t)
+@@ -54,10 +58,24 @@ logging_send_audit_msgs(shutdown_t)
 miscfiles_read_localization(shutdown_t)
 optional_policy(`
@ -2423,6 +2423,10 @@ index 8966ec9..f4e6c4b 100644
 +    oddjob_sigchld(shutdown_t)
 +')
 +
 +optional_policy(`
 +	rhev_sigchld_agentd(shutdown_t)
 +')
 +
 +optional_policy(`
 	xserver_dontaudit_write_log(shutdown_t)
 +	xserver_xdm_append_log(shutdown_t)
@ -8487,10 +8491,10 @@ index 0000000..6efdeca
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..d6d2f78
+index 0000000..61a5e86
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,492 @@
+@@ -0,0 +1,493 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@ -8667,6 +8671,7 @@ index 0000000..d6d2f78
 +allow sandbox_x_domain self:msgq create_msgq_perms;
 +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
 +allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
 +allow sandbox_x_domain self:netlink_selinux_socket { create_socket_perms };
 +
 +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
 +
@ -9169,7 +9174,7 @@ index 7590165..9a7ebe5 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
-index 3cfb128..de71ea8 100644
+index 3cfb128..cfeed29 100644
 --- a/policy/modules/apps/telepathy.if
 +++ b/policy/modules/apps/telepathy.if
@@ -11,7 +11,6 @@
@ -9197,7 +9202,18 @@ index 3cfb128..de71ea8 100644
 	gen_require(`
 		attribute telepathy_domain;
 		type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
-@@ -179,3 +179,75 @@ interface(`telepathy_salut_stream_connect', `
+@@ -78,6 +78,10 @@ template(`telepathy_role', `
 	dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
 ')
 +    optional_policy(`
 +        telepathy_dbus_chat($2)
 +    ')
 +
 ########################################
 ## <summary>
 ##	Stream connect to Telepathy Gabble
@@ -179,3 +183,75 @@ interface(`telepathy_salut_stream_connect', `
 	stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
 	files_search_tmp($1)
 ')
@ -9274,7 +9290,7 @@ index 3cfb128..de71ea8 100644
 +    ')
 +')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..f41eb44 100644
+index 2533ea0..f605e0a 100644
 --- a/policy/modules/apps/telepathy.te
 +++ b/policy/modules/apps/telepathy.te
@@ -32,6 +32,8 @@ userdom_user_home_content(telepathy_gabble_cache_home_t)
@ -9301,7 +9317,18 @@ index 2533ea0..f41eb44 100644
 corenet_all_recvfrom_netlabel(telepathy_gabble_t)
 corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
 corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
-@@ -168,6 +178,11 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -112,6 +122,10 @@ optional_policy(`
 	dbus_system_bus_client(telepathy_gabble_t)
 ')
 +optional_policy(`
 +        gnome_read_home_config(telepathy_gabble_t)
 +')
 +
 #######################################
 #
 # Telepathy Idle local policy.
@@ -168,6 +182,11 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_files(telepathy_logger_t)
 ')
@ -9313,7 +9340,7 @@ index 2533ea0..f41eb44 100644
 #######################################
 #
 # Telepathy Mission-Control local policy.
-@@ -176,6 +191,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -176,6 +195,7 @@ tunable_policy(`use_samba_home_dirs',`
 manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
 manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
 userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
@ -9321,7 +9348,7 @@ index 2533ea0..f41eb44 100644
 dev_read_rand(telepathy_mission_control_t)
-@@ -194,6 +210,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -194,6 +214,12 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_files(telepathy_mission_control_t)
 ')
@ -9334,7 +9361,7 @@ index 2533ea0..f41eb44 100644
 #######################################
 #
 # Telepathy Butterfly and Haze local policy.
-@@ -205,8 +227,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+@@ -205,8 +231,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
 manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
@ -9346,7 +9373,7 @@ index 2533ea0..f41eb44 100644
 corenet_all_recvfrom_netlabel(telepathy_msn_t)
 corenet_all_recvfrom_unlabeled(telepathy_msn_t)
-@@ -246,6 +271,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -246,6 +275,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
 ')
 optional_policy(`
@ -9357,7 +9384,15 @@ index 2533ea0..f41eb44 100644
 	dbus_system_bus_client(telepathy_msn_t)
 	optional_policy(`
-@@ -376,5 +405,23 @@ optional_policy(`
+@@ -365,6 +398,7 @@ dev_read_urand(telepathy_domain)
 kernel_read_system_state(telepathy_domain)
 +fs_getattr_all_fs(telepathy_domain)
 fs_search_auto_mountpoints(telepathy_domain)
 auth_use_nsswitch(telepathy_domain)
@@ -376,5 +410,23 @@ optional_policy(`
 ')
 optional_policy(`
@ -9374,13 +9409,13 @@ index 2533ea0..f41eb44 100644
 ')
 +
 +# Just for F15
-+#optional_policy(`
+optional_policy(`
-+#    gen_require(`
+    gen_require(`
-+#        role unconfined_r;
+        role unconfined_r;
-+#    ')
+    ')
-+#
+
-+#    role unconfined_r types telepathy_domain;
+    role unconfined_r types telepathy_domain;
-+#')
+')
 diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
 index 11fe4f2..98bfbf3 100644
 --- a/policy/modules/apps/tvtime.te
@ -18486,7 +18521,7 @@ index 0ecc786..dbf2710 100644
 userdom_dontaudit_search_user_home_dirs(webadm_t)
 diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index e88b95f..4b5f106 100644
+index e88b95f..0eb55db 100644
 --- a/policy/modules/roles/xguest.te
 +++ b/policy/modules/roles/xguest.te
@@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
@ -18557,7 +18592,7 @@ index e88b95f..4b5f106 100644
 	')
 ')
-@@ -76,23 +87,98 @@ optional_policy(`
+@@ -76,23 +87,102 @@ optional_policy(`
 ')
 optional_policy(`
@ -18575,10 +18610,9 @@ index e88b95f..4b5f106 100644
 +
 +optional_policy(`
 +	gnome_role(xguest_r, xguest_t)
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 -	mozilla_role(xguest_r, xguest_t)
 +	gnomeclock_dontaudit_dbus_chat(xguest_t)
 +')
 +
@ -18596,11 +18630,16 @@ index e88b95f..4b5f106 100644
 +
 +optional_policy(`
 +	nsplugin_role(xguest_r, xguest_t)
 ')
 optional_policy(`
 -	mozilla_role(xguest_r, xguest_t)
 +	pcscd_read_pub_files(xguest_usertype)
 +	pcscd_stream_connect(xguest_usertype)
 +')
 +
 +optional_policy(`
-+	pcscd_read_pub_files(xguest_usertype)
+	rhsmcertd_dontaudit_dbus_chat(xguest_t)
 +	pcscd_stream_connect(xguest_usertype)
 ')
 optional_policy(`
@ -18643,7 +18682,7 @@ index e88b95f..4b5f106 100644
 +		corenet_tcp_connect_speech_port(xguest_usertype)
 +		corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
 +		corenet_tcp_connect_transproxy_port(xguest_usertype)
- 	')
+	')
 +
 +	#optional_policy(`
 +	#	telepathy_dbus_session_role(xguest_r, xguest_t)
@ -18653,7 +18692,7 @@ index e88b95f..4b5f106 100644
 +optional_policy(`
 +	gen_require(`
 +		type mozilla_t;
-+	')
+ 	')
 +
 +	allow xguest_t mozilla_t:process transition;
 +	role xguest_r types mozilla_t;
@ -24050,14 +24089,17 @@ index 6077339..d10acd2 100644
 dev_read_lvm_control(clogd_t)
 dev_manage_generic_blk_files(clogd_t)
 diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc
-index 049e2b6..e500fa5 100644
+index 049e2b6..dcc7de8 100644
 --- a/policy/modules/services/cmirrord.fc
 +++ b/policy/modules/services/cmirrord.fc
-@@ -1,3 +1,4 @@
+@@ -1,5 +1,6 @@
 +
 /etc/rc\.d/init\.d/cmirrord	--	gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
- /usr/sbin/cmirrord		--	gen_context(system_u:object_r:cmirrord_exec_t,s0)
+-/usr/sbin/cmirrord		--	gen_context(system_u:object_r:cmirrord_exec_t,s0)
 +/usr/sbin/cmirrord			--	gen_context(system_u:object_r:cmirrord_exec_t,s0)
 /var/run/cmirrord\.pid		--	gen_context(system_u:object_r:cmirrord_var_run_t,s0)
 diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if
 index f8463c0..bed51fb 100644
 --- a/policy/modules/services/cmirrord.if
@ -24536,12 +24578,15 @@ index 0258b48..8535cc6 100644
 manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
 manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..101c266 100644
+index 74505cc..a58903f 100644
 --- a/policy/modules/services/colord.te
 +++ b/policy/modules/services/colord.te
-@@ -43,6 +43,7 @@ files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
+@@ -41,8 +41,9 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
- kernel_getattr_proc_files(colord_t)
+-kernel_getattr_proc_files(colord_t)
 +kernel_read_system_state(colord_t)
 kernel_read_device_sysctls(colord_t)
 +kernel_request_load_module(colord_t)
@ -24767,11 +24812,14 @@ index e67a003..192332a 100644
 	unconfined_stream_connect(consolekit_t)
 ')
 diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
-index 3a6d7eb..2098ee9 100644
+index 3a6d7eb..3f0e601 100644
 --- a/policy/modules/services/corosync.fc
 +++ b/policy/modules/services/corosync.fc
-@@ -3,6 +3,7 @@
+@@ -1,8 +1,10 @@
 /etc/rc\.d/init\.d/corosync	--	gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
 /usr/sbin/corosync		--	gen_context(system_u:object_r:corosync_exec_t,s0)
 +/usr/sbin/corosync-notifyd      --      gen_context(system_u:object_r:corosync_exec_t,s0)
 /usr/sbin/ccs_tool		--	gen_context(system_u:object_r:corosync_exec_t,s0)
 +/usr/sbin/cman_tool		--	gen_context(system_u:object_r:corosync_exec_t,s0)
@ -35836,7 +35884,7 @@ index f17583b..6b17513 100644
 +
 +miscfiles_read_localization(munin_plugin_domain)
 diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
-index e9c0982..f11e4f2 100644
+index e9c0982..14af30a 100644
 --- a/policy/modules/services/mysql.if
 +++ b/policy/modules/services/mysql.if
@@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
@ -35897,7 +35945,7 @@ index e9c0982..f11e4f2 100644
 	stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
 	stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
 ')
-@@ -252,7 +289,7 @@ interface(`mysql_write_log',`
+@@ -252,12 +289,12 @@ interface(`mysql_write_log',`
 	')
 	logging_search_logs($1)
@ -35906,7 +35954,38 @@ index e9c0982..f11e4f2 100644
 ')
 ######################################
-@@ -329,10 +366,9 @@ interface(`mysql_search_pid_files',`
+ ## <summary>
 -##	Execute MySQL server in the mysql domain.
 +##	Execute MySQL safe script in the mysql safe domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -273,6 +310,24 @@ interface(`mysql_domtrans_mysql_safe',`
 	domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
 ')
 +######################################
 +## <summary>
 +##	Execute MySQL_safe in the coller domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`mysql_safe_exec',`
 +	gen_require(`
 +		type  mysqld_safe_exec_t;
 +	')
 +
 +	can_exec($1, mysqld_safe_exec_t)
 +')
 +
 #####################################
 ## <summary>
 ##	Read MySQL PID files.
@@ -329,10 +384,9 @@ interface(`mysql_search_pid_files',`
 #
 interface(`mysql_admin',`
 	gen_require(`
@ -35920,7 +35999,7 @@ index e9c0982..f11e4f2 100644
 	')
 	allow $1 mysqld_t:process { ptrace signal_perms };
-@@ -343,13 +379,19 @@ interface(`mysql_admin',`
+@@ -343,13 +397,19 @@ interface(`mysql_admin',`
 	role_transition $2 mysqld_initrc_exec_t system_r;
 	allow $2 system_r;
@ -39207,7 +39286,7 @@ index 69c331e..0555635 100644
 auth_rw_login_records(portslave_t)
 diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc
-index a3e85c9..cb05623 100644
+index a3e85c9..6b97fa5 100644
 --- a/policy/modules/services/postfix.fc
 +++ b/policy/modules/services/postfix.fc
@@ -1,5 +1,6 @@
@ -39218,7 +39297,7 @@ index a3e85c9..cb05623 100644
 ifdef(`distro_redhat', `
 /usr/libexec/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 /usr/libexec/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-@@ -16,22 +17,24 @@ ifdef(`distro_redhat', `
+@@ -16,22 +17,23 @@ ifdef(`distro_redhat', `
 /usr/libexec/postfix/pipe --	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
 /usr/libexec/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
 ', `
@ -39252,11 +39331,10 @@ index a3e85c9..cb05623 100644
 /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
 +/usr/sbin/postalias	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 +')
 /usr/sbin/postcat	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 /usr/sbin/postdrop	--	gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
 /usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-@@ -42,9 +45,10 @@ ifdef(`distro_redhat', `
+@@ -42,9 +44,10 @@ ifdef(`distro_redhat', `
 /usr/sbin/postqueue	--	gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
 /usr/sbin/postsuper	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
@ -40352,7 +40430,7 @@ index b524673..9d90fb3 100644
 	admin_pattern($1, pptp_var_run_t)
 diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..79b1678 100644
+index 2af42e7..53f977a 100644
 --- a/policy/modules/services/ppp.te
 +++ b/policy/modules/services/ppp.te
@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@ -40390,7 +40468,7 @@ index 2af42e7..79b1678 100644
 allow pppd_t self:fifo_file rw_fifo_file_perms;
 allow pppd_t self:socket create_socket_perms;
 allow pppd_t self:unix_dgram_socket create_socket_perms;
-@@ -84,28 +84,28 @@ allow pppd_t self:packet_socket create_socket_perms;
+@@ -84,28 +84,29 @@ allow pppd_t self:packet_socket create_socket_perms;
 domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
@ -40409,6 +40487,7 @@ index 2af42e7..79b1678 100644
 -allow pppd_t pppd_lock_t:file manage_file_perms;
 -files_lock_filetrans(pppd_t, pppd_lock_t, file)
 +manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
 +files_search_locks(pppd_t)
 -allow pppd_t pppd_log_t:file manage_file_perms;
 +manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
@ -40425,7 +40504,7 @@ index 2af42e7..79b1678 100644
 allow pppd_t pptp_t:process signal;
-@@ -166,6 +166,8 @@ init_dontaudit_write_utmp(pppd_t)
+@@ -166,6 +167,8 @@ init_dontaudit_write_utmp(pppd_t)
 init_signal_script(pppd_t)
 auth_use_nsswitch(pppd_t)
@ -40434,7 +40513,7 @@ index 2af42e7..79b1678 100644
 logging_send_syslog_msg(pppd_t)
 logging_send_audit_msgs(pppd_t)
-@@ -176,7 +178,7 @@ sysnet_exec_ifconfig(pppd_t)
+@@ -176,7 +179,7 @@ sysnet_exec_ifconfig(pppd_t)
 sysnet_manage_config(pppd_t)
 sysnet_etc_filetrans_config(pppd_t)
@ -40443,7 +40522,7 @@ index 2af42e7..79b1678 100644
 userdom_dontaudit_use_unpriv_user_fds(pppd_t)
 userdom_search_user_home_dirs(pppd_t)
-@@ -194,6 +196,8 @@ optional_policy(`
+@@ -194,6 +197,8 @@ optional_policy(`
 optional_policy(`
 	mta_send_mail(pppd_t)
@ -40452,7 +40531,7 @@ index 2af42e7..79b1678 100644
 ')
 optional_policy(`
-@@ -243,9 +247,10 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,9 +248,10 @@ allow pptp_t pppd_log_t:file append_file_perms;
 allow pptp_t pptp_log_t:file manage_file_perms;
 logging_log_filetrans(pptp_t, pptp_log_t, file)
@ -43028,10 +43107,10 @@ index 0000000..4e7605a
 +/var/run/rhev-agentd\.pid		--	gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
 diff --git a/policy/modules/services/rhev.if b/policy/modules/services/rhev.if
 new file mode 100644
-index 0000000..88f6a9e
+index 0000000..bf11e25
 --- /dev/null
 +++ b/policy/modules/services/rhev.if
-@@ -0,0 +1,58 @@
+@@ -0,0 +1,76 @@
 +## <summary>rhev polic module contains policies for rhev apps</summary>
 +
 +#####################################
@ -43090,6 +43169,24 @@ index 0000000..88f6a9e
 +        files_search_pids($1)
 +        stream_connect_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t, rhev_agentd_t)
 +')
 +
 +######################################
 +## <summary>
 +##  Send sigchld to rhev-agentd
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access
 +##  </summary>
 +## </param>
 +#
 +interface(`rhev_sigchld_agentd',`
 +    gen_require(`
 +              type rhev_agentd_t;
 +    ')
 +
 +    allow $1 rhev_agentd_t:process sigchld;
 +')
 diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
 new file mode 100644
 index 0000000..bc97a21
@ -43204,6 +43301,400 @@ index 0f262a7..4d10897 100644
 term_create_pty(rhgb_t, rhgb_devpts_t)
 manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
 diff --git a/policy/modules/services/rhsmcertd.fc b/policy/modules/services/rhsmcertd.fc
 new file mode 100644
 index 0000000..5094d93
 --- /dev/null
 +++ b/policy/modules/services/rhsmcertd.fc
@@ -0,0 +1,12 @@
 +
 +/etc/rc\.d/init\.d/rhsmcertd	--	gen_context(system_u:object_r:rhsmcertd_initrc_exec_t,s0)
 +
 +/usr/bin/rhsmcertd		--	gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
 +
 +/var/lib/rhsm(/.*)?		gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0)
 +
 +/var/log/rhsm(/.*)?		gen_context(system_u:object_r:rhsmcertd_log_t,s0)
 +
 +/var/lock/subsys/rhsmcertd	--	gen_context(system_u:object_r:rhsmcertd_lock_t,s0)
 +
 +/var/run/rhsm(/.*)?		gen_context(system_u:object_r:rhsmcertd_var_run_t,s0)
 diff --git a/policy/modules/services/rhsmcertd.if b/policy/modules/services/rhsmcertd.if
 new file mode 100644
 index 0000000..811c52e
 --- /dev/null
 +++ b/policy/modules/services/rhsmcertd.if
@@ -0,0 +1,305 @@
 +
 +## <summary>Subscription Management Certificate Daemon policy</summary>
 +
 +########################################
 +## <summary>
 +##	Transition to rhsmcertd.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +##	Domain allowed to transition.
 +## </summary>
 +## </param>
 +#
 +interface(`rhsmcertd_domtrans',`
 +	gen_require(`
 +		type rhsmcertd_t, rhsmcertd_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, rhsmcertd_exec_t, rhsmcertd_t)
 +')
 +
 +
 +########################################
 +## <summary>
 +##	Execute rhsmcertd server in the rhsmcertd domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`rhsmcertd_initrc_domtrans',`
 +	gen_require(`
 +		type rhsmcertd_initrc_exec_t;
 +	')
 +
 +	init_labeled_script_domtrans($1, rhsmcertd_initrc_exec_t)
 +')
 +
 +
 +########################################
 +## <summary>
 +##	Read rhsmcertd's log files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`rhsmcertd_read_log',`
 +	gen_require(`
 +		type rhsmcertd_log_t;
 +	')
 +
 +	logging_search_logs($1)
 +	read_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Append to rhsmcertd log files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`rhsmcertd_append_log',`
 +	gen_require(`
 +		type rhsmcertd_log_t;
 +	')
 +
 +	logging_search_logs($1)
 +	append_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Manage rhsmcertd log files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`rhsmcertd_manage_log',`
 +	gen_require(`
 +		type rhsmcertd_log_t;
 +	')
 +
 +	logging_search_logs($1)
 +	manage_dirs_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
 +	manage_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
 +	manage_lnk_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Search rhsmcertd lib directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`rhsmcertd_search_lib',`
 +	gen_require(`
 +		type rhsmcertd_var_lib_t;
 +	')
 +
 +	allow $1 rhsmcertd_var_lib_t:dir search_dir_perms;
 +	files_search_var_lib($1)
 +')
 +
 +########################################
 +## <summary>
 +##	Read rhsmcertd lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`rhsmcertd_read_lib_files',`
 +	gen_require(`
 +		type rhsmcertd_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +	read_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Manage rhsmcertd lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`rhsmcertd_manage_lib_files',`
 +	gen_require(`
 +		type rhsmcertd_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +	manage_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Manage rhsmcertd lib directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`rhsmcertd_manage_lib_dirs',`
 +	gen_require(`
 +		type rhsmcertd_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +	manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
 +')
 +
 +
 +########################################
 +## <summary>
 +##	Read rhsmcertd PID files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`rhsmcertd_read_pid_files',`
 +	gen_require(`
 +		type rhsmcertd_var_run_t;
 +	')
 +
 +	files_search_pids($1)
 +	allow $1 rhsmcertd_var_run_t:file read_file_perms;
 +')
 +
 +####################################
 +## <summary>
 +##  Connect to rhsmcertd over a unix domain
 +##  stream socket.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`rhsmcertd_stream_connect',`
 +	gen_require(`
 +		type rhsmcertd_t, rhsmcertd_var_run_t;
 +	')
 +
 +	files_search_pids($1)
 +	stream_connect_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t, rhsmcertd_t)
 +')
 +
 +#######################################
 +## <summary>
 +##  Send and receive messages from
 +##  rhsmcertd over dbus.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`rhsmcertd_dbus_chat',`
 +	gen_require(`
 +		type rhsmcertd_t;
 +		class dbus send_msg;
 +	')
 +
 +	allow $1 rhsmcertd_t:dbus send_msg;
 +	allow rhsmcertd_t $1:dbus send_msg;
 +')
 +
 +######################################
 +## <summary>
 +##  Dontaudit Send and receive messages from
 +##  rhsmcertd over dbus.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`rhsmcertd_dontaudit_dbus_chat',`
 +    gen_require(`
 +        type rhsmcertd_t;
 +        class dbus send_msg;
 +    ')
 +
 +    dontaudit $1 rhsmcertd_t:dbus send_msg;
 +    dontaudit rhsmcertd_t $1:dbus send_msg;
 +')
 +
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
 +##	an rhsmcertd environment
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <param name="role">
 +##	<summary>
 +##	Role allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`rhsmcertd_admin',`
 +	gen_require(`
 +		type rhsmcertd_t;
 +	type rhsmcertd_initrc_exec_t;
 +	type rhsmcertd_log_t;
 +	type rhsmcertd_var_lib_t;
 +	type rhsmcertd_var_run_t;
 +	')
 +
 +	allow $1 rhsmcertd_t:process { ptrace signal_perms };
 +	ps_process_pattern($1, rhsmcertd_t)
 +
 +	rhsmcertd_initrc_domtrans($1)
 +	domain_system_change_exemption($1)
 +	role_transition $2 rhsmcertd_initrc_exec_t system_r;
 +	allow $2 system_r;
 +
 +	logging_search_logs($1)
 +	admin_pattern($1, rhsmcertd_log_t)
 +
 +	files_search_var_lib($1)
 +	admin_pattern($1, rhsmcertd_var_lib_t)
 +
 +	files_search_pids($1)
 +	admin_pattern($1, rhsmcertd_var_run_t)
 +
 +')
 +
 diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
 new file mode 100644
 index 0000000..19fe6b0
 --- /dev/null
 +++ b/policy/modules/services/rhsmcertd.te
@@ -0,0 +1,59 @@
 +policy_module(rhsmcertd, 1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +
 +type rhsmcertd_t;
 +type rhsmcertd_exec_t;
 +init_daemon_domain(rhsmcertd_t, rhsmcertd_exec_t)
 +
 +permissive rhsmcertd_t;
 +
 +type rhsmcertd_initrc_exec_t;
 +init_script_file(rhsmcertd_initrc_exec_t)
 +
 +type rhsmcertd_log_t;
 +logging_log_file(rhsmcertd_log_t)
 +
 +type rhsmcertd_lock_t;
 +files_lock_file(rhsmcertd_lock_t)
 +
 +type rhsmcertd_var_lib_t;
 +files_type(rhsmcertd_var_lib_t)
 +
 +type rhsmcertd_var_run_t;
 +files_pid_file(rhsmcertd_var_run_t)
 +
 +########################################
 +#
 +# rhsmcertd local policy
 +#
 +
 +allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
 +allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
 +
 +manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
 +manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
 +
 +manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
 +files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
 +
 +manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
 +manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
 +
 +manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
 +manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
 +
 +kernel_read_system_state(rhsmcertd_t)
 +
 +corecmd_exec_bin(rhsmcertd_t)
 +
 +dev_read_urand(rhsmcertd_t)
 +
 +files_read_etc_files(rhsmcertd_t)
 +files_read_usr_files(rhsmcertd_t)
 +
 +miscfiles_read_localization(rhsmcertd_t)
 +miscfiles_read_certs(rhsmcertd_t)
 diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc
 index 5b08327..ed5dc05 100644
 --- a/policy/modules/services/ricci.fc
@ -48137,6 +48628,18 @@ index c2cf97e..037a1e8 100644
 allow uptimed_t uptimed_etc_t:file read_file_perms;
 files_search_etc(uptimed_t)
 diff --git a/policy/modules/services/usbmuxd.te b/policy/modules/services/usbmuxd.te
 index 4440aa6..34ffbfd 100644
 --- a/policy/modules/services/usbmuxd.te
 +++ b/policy/modules/services/usbmuxd.te
@@ -40,3 +40,7 @@ miscfiles_read_localization(usbmuxd_t)
 auth_use_nsswitch(usbmuxd_t)
 logging_send_syslog_msg(usbmuxd_t)
 +
 +optional_policy(`
 +	virt_dontaudit_read_chr_dev(usbmuxd_t)
 +')
 diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
 index d4349e9..4d112ba 100644
 --- a/policy/modules/services/uucp.te
@ -48497,7 +49000,7 @@ index 2124b6a..9682c44 100644
 +/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..7e8e54f 100644
+index 7c5d8d8..5c0a7a4 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
@@ -13,14 +13,15 @@
@ -48765,7 +49268,7 @@ index 7c5d8d8..7e8e54f 100644
 	')
 	allow $1 virtd_t:process { ptrace signal_perms };
-@@ -515,4 +590,170 @@ interface(`virt_admin',`
+@@ -515,4 +590,188 @@ interface(`virt_admin',`
 	virt_manage_lib_files($1)
 	virt_manage_log($1)
@ -48935,6 +49438,24 @@ index 7c5d8d8..7e8e54f 100644
 +
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
 +')
 +
 +########################################
 +## <summary>
 +##	Dontaudit attempts to Read virt_image_type devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`virt_dontaudit_read_chr_dev',`
 +	gen_require(`
 +		attribute virt_image_type;
 +	')
 +
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
 ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
 index 3eca020..4dec4ad 100644
@ -52264,7 +52785,7 @@ index 7f88f5f..bd6493d 100644
 sysnet_dns_name_resolve(zabbix_t)
 diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
-index 3defaa1..7fc57b2 100644
+index 3defaa1..2ad2488 100644
 --- a/policy/modules/services/zarafa.fc
 +++ b/policy/modules/services/zarafa.fc
@@ -8,7 +8,8 @@
@ -56143,7 +56664,7 @@ index 831b909..57064ad 100644
 	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
 	domain_system_change_exemption($1)
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..7354066 100644
+index b6ec597..eedd444 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
@@ -20,6 +20,7 @@ files_security_file(auditd_log_t)
@ -56247,7 +56768,7 @@ index b6ec597..7354066 100644
 # sys_admin for the integrated klog of syslog-ng and metalog
 # cjp: why net_admin!
 -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
-+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid };
 dontaudit syslogd_t self:capability sys_tty_config;
 +allow syslogd_t self:capability2 syslog;
 # setpgid for metalog
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -449,6 +449,12 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Thu Jun 30 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-2
 - Change usbmuxd_t to dontaudit attempts to read chr_file
 - Add mysld_safe_exec_t for libra domains to be able to start private mysql domains
 - Allow pppd to search /var/lock dir
 - Add rhsmcertd policy
 * Mon Jun 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-1
 - Update to upstream