- Until we figure out how to fix systemd issues, allow all apps that send syslog messag

- Add init_access_check() interface - Fix label on /usr/bin/pingus to not be labeled as ping_exec_t - Allow tcpdump to create a netlink_socket - Label newusers like useradd - Change xdm log files to be labeled xdm_log_t - Allow sshd_t with privsep to work in MLS - Allow freshclam to update databases thru HTTP proxy - Allow s-m-config to access check on systemd - Allow abrt to read public files by default - Fix amavis_create_pid_files() interface - Add labeling and filename transition for dbomatic.log - Allow system_dbusd_t to stream connect to bluetooth, and use its socket - Allow amavisd to execute fsav - Allow tuned to use sys_admin and sys_nice capabilities - Add php-fpm policy from Bryan - Add labeling for aeolus-configserver-thinwrapper - Allow thin domains to execute shell - Fix gnome_role_gkeyringd() interface description - Lot of interface fixes - Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files - Allow OpenMPI job to use kerberos - Make deltacloudd_t as nsswitch_domain
2012-07-11 16:45:33 +02:00 · 2012-07-11 16:45:33 +02:00 · 98ec5a124e
parent 770036a507
commit 98ec5a124e
3 changed files with 612 additions and 189 deletions
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@ -58436,6 +58436,20 @@ index f477c7f..d80599b 100644
 +	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));
 +
 ') dnl end enable_mcs
+diff --git a/policy/mls b/policy/mls
+index d218387..c406594 100644
+--- a/policy/mls
+++ b/policy/mls
+@@ -195,7 +195,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
+ 	(( l1 eq l2 ) or 
+ 	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+-	 ( t1 == mlsnetwrite ));
+	 ( t1 == mlsnetwrite ) or
+	 ( t2 == mlstrustedobject ));
+ 
+ # used by netlabel to restrict normal domains to same level connections
+ mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
 diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
 index 7a6f06f..48fc840 100644
 --- a/policy/modules/admin/bootloader.fc
@ -58906,10 +58920,18 @@ index c6ca761..46e0767 100644
 ')
 
 diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index e0791b9..9f49d01 100644
+index e0791b9..98d188e 100644
 --- a/policy/modules/admin/netutils.te
 +++ b/policy/modules/admin/netutils.te
-@@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+@@ -41,6 +41,7 @@ allow netutils_t self:packet_socket create_socket_perms;
+ allow netutils_t self:udp_socket create_socket_perms;
+ allow netutils_t self:tcp_socket create_stream_socket_perms;
+ allow netutils_t self:socket create_socket_perms;
+allow netutils_t self:netlink_socket create_socket_perms;
+ 
+ manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+@@ -48,6 +49,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
 
 kernel_search_proc(netutils_t)
 kernel_read_all_sysctls(netutils_t)
@ -58918,7 +58940,7 @@ index e0791b9..9f49d01 100644
 
 corenet_all_recvfrom_unlabeled(netutils_t)
 corenet_all_recvfrom_netlabel(netutils_t)
-@@ -64,6 +66,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
+@@ -64,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
 corenet_udp_bind_generic_node(netutils_t)
 
 dev_read_sysfs(netutils_t)
@ -58928,7 +58950,7 @@ index e0791b9..9f49d01 100644
 
 fs_getattr_xattr_fs(netutils_t)
 
-@@ -83,7 +88,7 @@ logging_send_syslog_msg(netutils_t)
+@@ -83,7 +89,7 @@ logging_send_syslog_msg(netutils_t)
 miscfiles_read_localization(netutils_t)
 
 term_dontaudit_use_console(netutils_t)
@ -58937,7 +58959,7 @@ index e0791b9..9f49d01 100644
 userdom_use_all_users_fds(netutils_t)
 
 optional_policy(`
-@@ -104,6 +109,8 @@ optional_policy(`
+@@ -104,6 +110,8 @@ optional_policy(`
 #
 
 allow ping_t self:capability { setuid net_raw };
@ -58946,7 +58968,7 @@ index e0791b9..9f49d01 100644
 dontaudit ping_t self:capability sys_tty_config;
 allow ping_t self:tcp_socket create_socket_perms;
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-@@ -134,8 +141,6 @@ logging_send_syslog_msg(ping_t)
+@@ -134,8 +142,6 @@ logging_send_syslog_msg(ping_t)
 
 miscfiles_read_localization(ping_t)
 
@ -58955,7 +58977,7 @@ index e0791b9..9f49d01 100644
 ifdef(`hide_broken_symptoms',`
 	init_dontaudit_use_fds(ping_t)
 
-@@ -145,11 +150,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -145,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
 	')
 ')
 
@ -58981,7 +59003,7 @@ index e0791b9..9f49d01 100644
 	pcmcia_use_cardmgr_fds(ping_t)
 ')
 
-@@ -157,6 +176,10 @@ optional_policy(`
+@@ -157,6 +177,10 @@ optional_policy(`
 	hotplug_use_fds(ping_t)
 ')
 
@ -58992,7 +59014,7 @@ index e0791b9..9f49d01 100644
 ########################################
 #
 # Traceroute local policy
-@@ -194,6 +217,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -194,6 +218,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
 domain_use_interactive_fds(traceroute_t)
 
 files_read_etc_files(traceroute_t)
@ -59000,7 +59022,7 @@ index e0791b9..9f49d01 100644
 files_dontaudit_search_var(traceroute_t)
 
 init_use_fds(traceroute_t)
-@@ -204,9 +228,16 @@ logging_send_syslog_msg(traceroute_t)
+@@ -204,9 +229,16 @@ logging_send_syslog_msg(traceroute_t)
 
 miscfiles_read_localization(traceroute_t)
 
@ -59359,6 +59381,18 @@ index 1bd7d84..4f57935 100644
 +optional_policy(`
 +	fprintd_dbus_chat(sudodomain)
 +')
+diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
+index f82f0ce..204bdc8 100644
+--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
+@@ -20,6 +20,7 @@ ifdef(`distro_gentoo',`
+ /usr/sbin/groupmod	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
+ /usr/sbin/grpconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/grpunconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/newusers	--	gen_context(system_u:object_r:useradd_exec_t,s0)
+ /usr/sbin/pwconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/pwunconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/useradd	--	gen_context(system_u:object_r:useradd_exec_t,s0)
 diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
 index 98b8b2d..da75471 100644
 --- a/policy/modules/admin/usermanage.if
@ -60162,7 +60196,7 @@ index 7590165..59539e8 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..b77f19f 100644
+index db981df..b0ff71c 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@ -60240,7 +60274,7 @@ index db981df..b77f19f 100644
 
 /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 
-@@ -174,53 +183,76 @@ ifdef(`distro_gentoo',`
+@@ -174,53 +183,77 @@ ifdef(`distro_gentoo',`
 /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
 ')
 
@ -60261,7 +60295,8 @@ index db981df..b77f19f 100644
 -/usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/mksh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/mountpoint			--	gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/mountpoint		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/pingus			--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/yash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@ -60334,7 +60369,7 @@ index db981df..b77f19f 100644
 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -235,10 +267,15 @@ ifdef(`distro_gentoo',`
+@@ -235,10 +268,15 @@ ifdef(`distro_gentoo',`
 /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@ -60350,7 +60385,7 @@ index db981df..b77f19f 100644
 /usr/lib/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -251,11 +288,18 @@ ifdef(`distro_gentoo',`
+@@ -251,11 +289,18 @@ ifdef(`distro_gentoo',`
 
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
 
@ -60370,7 +60405,7 @@ index db981df..b77f19f 100644
 /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -271,6 +315,10 @@ ifdef(`distro_gentoo',`
+@@ -271,6 +316,10 @@ ifdef(`distro_gentoo',`
 /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@ -60381,7 +60416,7 @@ index db981df..b77f19f 100644
 /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -290,15 +338,19 @@ ifdef(`distro_gentoo',`
+@@ -290,15 +339,19 @@ ifdef(`distro_gentoo',`
 /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@ -60402,7 +60437,7 @@ index db981df..b77f19f 100644
 
 ifdef(`distro_debian',`
 /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -314,8 +366,12 @@ ifdef(`distro_redhat', `
+@@ -314,8 +367,12 @@ ifdef(`distro_redhat', `
 /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
 /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
 
@ -60415,7 +60450,7 @@ index db981df..b77f19f 100644
 /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,9 +381,11 @@ ifdef(`distro_redhat', `
+@@ -325,9 +382,11 @@ ifdef(`distro_redhat', `
 /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@ -60427,7 +60462,7 @@ index db981df..b77f19f 100644
 /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -376,11 +434,14 @@ ifdef(`distro_suse', `
+@@ -376,11 +435,14 @@ ifdef(`distro_suse', `
 #
 # /var
 #
@ -60443,7 +60478,7 @@ index db981df..b77f19f 100644
 /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
 
 /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -390,3 +451,12 @@ ifdef(`distro_suse', `
+@@ -390,3 +452,12 @@ ifdef(`distro_suse', `
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
@ -72824,10 +72859,10 @@ index fe0c682..93ec53f 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index b17e27a..d193a52 100644
+index b17e27a..9dbbafe 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
-@@ -6,26 +6,37 @@ policy_module(ssh, 2.3.0)
+@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0)
 #
 
 ## <desc>
@ -72872,13 +72907,14 @@ index b17e27a..d193a52 100644
 
 type sshd_exec_t;
 corecmd_executable_file(sshd_exec_t)
-@@ -33,17 +44,12 @@ corecmd_executable_file(sshd_exec_t)
+ 
 ssh_server_template(sshd)
 init_daemon_domain(sshd_t, sshd_exec_t)
- 
+mls_trusted_object(sshd_t)
+
 +type sshd_initrc_exec_t;
 +init_script_file(sshd_initrc_exec_t)
-+
+ 
 type sshd_key_t;
 files_type(sshd_key_t)
 
@ -72893,7 +72929,7 @@ index b17e27a..d193a52 100644
 type ssh_t;
 type ssh_exec_t;
 typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
-@@ -73,6 +79,11 @@ type ssh_home_t;
+@@ -73,6 +80,11 @@ type ssh_home_t;
 typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
 typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
 userdom_user_home_content(ssh_home_t)
@ -72905,7 +72941,7 @@ index b17e27a..d193a52 100644
 
 ##############################
 #
-@@ -83,6 +94,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+@@ -83,6 +95,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
 allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow ssh_t self:fd use;
 allow ssh_t self:fifo_file rw_fifo_file_perms;
@ -72913,7 +72949,7 @@ index b17e27a..d193a52 100644
 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
 allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow ssh_t self:shm create_shm_perms;
-@@ -90,15 +102,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -90,15 +103,11 @@ allow ssh_t self:sem create_sem_perms;
 allow ssh_t self:msgq create_msgq_perms;
 allow ssh_t self:msg { send receive };
 allow ssh_t self:tcp_socket create_stream_socket_perms;
@ -72930,7 +72966,7 @@ index b17e27a..d193a52 100644
 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -108,20 +116,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -108,20 +117,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
 manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
 manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
 userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@ -72960,7 +72996,7 @@ index b17e27a..d193a52 100644
 
 kernel_read_kernel_sysctls(ssh_t)
 kernel_read_system_state(ssh_t)
-@@ -133,7 +147,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
+@@ -133,7 +148,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
 corenet_tcp_sendrecv_all_ports(ssh_t)
 corenet_tcp_connect_ssh_port(ssh_t)
 corenet_sendrecv_ssh_client_packets(ssh_t)
@ -72972,7 +73008,7 @@ index b17e27a..d193a52 100644
 dev_read_urand(ssh_t)
 
 fs_getattr_all_fs(ssh_t)
-@@ -157,37 +175,36 @@ logging_read_generic_logs(ssh_t)
+@@ -157,37 +176,36 @@ logging_read_generic_logs(ssh_t)
 auth_use_nsswitch(ssh_t)
 
 miscfiles_read_localization(ssh_t)
@ -73027,7 +73063,7 @@ index b17e27a..d193a52 100644
 ')
 
 optional_policy(`
-@@ -195,28 +212,24 @@ optional_policy(`
+@@ -195,28 +213,24 @@ optional_policy(`
 	xserver_domtrans_xauth(ssh_t)
 ')
 
@ -73060,7 +73096,7 @@ index b17e27a..d193a52 100644
 #################################
 #
 # sshd local policy
-@@ -227,33 +240,46 @@ optional_policy(`
+@@ -227,33 +241,46 @@ optional_policy(`
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
@ -73116,7 +73152,7 @@ index b17e27a..d193a52 100644
 ')
 
 optional_policy(`
-@@ -261,11 +287,24 @@ optional_policy(`
+@@ -261,11 +288,24 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -73142,7 +73178,7 @@ index b17e27a..d193a52 100644
 ')
 
 optional_policy(`
-@@ -283,6 +322,15 @@ optional_policy(`
+@@ -283,6 +323,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -73158,7 +73194,7 @@ index b17e27a..d193a52 100644
 	unconfined_shell_domtrans(sshd_t)
 ')
 
-@@ -290,6 +338,29 @@ optional_policy(`
+@@ -290,6 +339,29 @@ optional_policy(`
 	xserver_domtrans_xauth(sshd_t)
 ')
 
@ -73188,7 +73224,7 @@ index b17e27a..d193a52 100644
 ########################################
 #
 # ssh_keygen local policy
-@@ -298,19 +369,26 @@ optional_policy(`
+@@ -298,19 +370,26 @@ optional_policy(`
 # ssh_keygen_t is the type of the ssh-keygen program when run at install time
 # and by sysadm_t
 
@ -73216,7 +73252,7 @@ index b17e27a..d193a52 100644
 dev_read_urand(ssh_keygen_t)
 
 term_dontaudit_use_console(ssh_keygen_t)
-@@ -327,9 +405,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -327,9 +406,11 @@ auth_use_nsswitch(ssh_keygen_t)
 logging_send_syslog_msg(ssh_keygen_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@ -73230,7 +73266,7 @@ index b17e27a..d193a52 100644
 ')
 
 optional_policy(`
-@@ -339,3 +419,83 @@ optional_policy(`
+@@ -339,3 +420,83 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ssh_keygen_t)
 ')
@ -73315,7 +73351,7 @@ index b17e27a..d193a52 100644
 +    ssh_rw_dgram_sockets(chroot_user_t)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index fc86b7c..f393f76 100644
+index fc86b7c..3347d48 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@ -73421,11 +73457,12 @@ index fc86b7c..f393f76 100644
 -/var/log/[kwx]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 -/var/log/lxdm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
 -/var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/[mkwx]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
+-/var/log/slim\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[mkwx]dm\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
 +/var/log/lightdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/lxdm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/[mg]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
- /var/log/slim\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lxdm\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/[mg]dm(/.*)?		gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/slim\.log	--	gen_context(system_u:object_r:xdm_log_t,s0)
 /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
 +/var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
@ -77506,7 +77543,7 @@ index d2e40b8..3ba2e4c 100644
 ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index d26fe81..3ff8fef 100644
+index d26fe81..3f3a57f 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
@@ -79,6 +79,44 @@ interface(`init_script_domain',`
@ -77748,7 +77785,7 @@ index d26fe81..3ff8fef 100644
 #
 interface(`init_exec',`
 	gen_require(`
-@@ -451,6 +522,29 @@ interface(`init_exec',`
+@@ -451,6 +522,48 @@ interface(`init_exec',`
 
 	corecmd_search_bin($1)
 	can_exec($1, init_exec_t)
@ -77760,6 +77797,25 @@ index d26fe81..3ff8fef 100644
 +
 +#######################################
 +## <summary>
+##  Check access to the init/systemd executable.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_access_check',`
+    gen_require(`
+        type init_exec_t;
+    ')
+
+    corecmd_search_bin($1)
+    allow $1 init_exec_t:file { getattr_file_perms execute };
+')
+
+#######################################
+## <summary>
 +##  Dontaudit getattr on the init program.
 +## </summary>
 +## <param name="domain">
@ -77778,7 +77834,7 @@ index d26fe81..3ff8fef 100644
 ')
 
 ########################################
-@@ -539,6 +633,24 @@ interface(`init_sigchld',`
+@@ -539,6 +652,24 @@ interface(`init_sigchld',`
 
 ########################################
 ## <summary>
@ -77803,7 +77859,7 @@ index d26fe81..3ff8fef 100644
 ##	Connect to init with a unix socket.
 ## </summary>
 ## <param name="domain">
-@@ -549,10 +661,66 @@ interface(`init_sigchld',`
+@@ -549,10 +680,66 @@ interface(`init_sigchld',`
 #
 interface(`init_stream_connect',`
 	gen_require(`
@ -77872,7 +77928,7 @@ index d26fe81..3ff8fef 100644
 ')
 
 ########################################
-@@ -718,19 +886,25 @@ interface(`init_telinit',`
+@@ -718,19 +905,25 @@ interface(`init_telinit',`
 		type initctl_t;
 	')
 
@ -77899,7 +77955,7 @@ index d26fe81..3ff8fef 100644
 	')
 ')
 
-@@ -760,7 +934,7 @@ interface(`init_rw_initctl',`
+@@ -760,7 +953,7 @@ interface(`init_rw_initctl',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -77908,7 +77964,7 @@ index d26fe81..3ff8fef 100644
 ##	</summary>
 ## </param>
 #
-@@ -803,11 +977,12 @@ interface(`init_script_file_entry_type',`
+@@ -803,11 +996,12 @@ interface(`init_script_file_entry_type',`
 #
 interface(`init_spec_domtrans_script',`
 	gen_require(`
@ -77923,7 +77979,7 @@ index d26fe81..3ff8fef 100644
 
 	ifdef(`distro_gentoo',`
 		gen_require(`
-@@ -818,11 +993,11 @@ interface(`init_spec_domtrans_script',`
+@@ -818,11 +1012,11 @@ interface(`init_spec_domtrans_script',`
 	')
 
 	ifdef(`enable_mcs',`
@ -77937,7 +77993,7 @@ index d26fe81..3ff8fef 100644
 	')
 ')
 
-@@ -838,19 +1013,41 @@ interface(`init_spec_domtrans_script',`
+@@ -838,19 +1032,41 @@ interface(`init_spec_domtrans_script',`
 #
 interface(`init_domtrans_script',`
 	gen_require(`
@ -77983,7 +78039,7 @@ index d26fe81..3ff8fef 100644
 ')
 
 ########################################
-@@ -906,9 +1103,14 @@ interface(`init_script_file_domtrans',`
+@@ -906,9 +1122,14 @@ interface(`init_script_file_domtrans',`
 interface(`init_labeled_script_domtrans',`
 	gen_require(`
 		type initrc_t;
@ -77998,7 +78054,7 @@ index d26fe81..3ff8fef 100644
 	files_search_etc($1)
 ')
 
-@@ -999,7 +1201,9 @@ interface(`init_ptrace',`
+@@ -999,7 +1220,9 @@ interface(`init_ptrace',`
 		type init_t;
 	')
 
@ -78009,7 +78065,7 @@ index d26fe81..3ff8fef 100644
 ')
 
 ########################################
-@@ -1117,6 +1321,24 @@ interface(`init_read_all_script_files',`
+@@ -1117,6 +1340,24 @@ interface(`init_read_all_script_files',`
 
 #######################################
 ## <summary>
@ -78034,7 +78090,7 @@ index d26fe81..3ff8fef 100644
 ##	Dontaudit read all init script files.
 ## </summary>
 ## <param name="domain">
-@@ -1168,12 +1390,7 @@ interface(`init_read_script_state',`
+@@ -1168,12 +1409,7 @@ interface(`init_read_script_state',`
 	')
 
 	kernel_search_proc($1)
@ -78048,7 +78104,7 @@ index d26fe81..3ff8fef 100644
 ')
 
 ########################################
-@@ -1413,6 +1630,27 @@ interface(`init_dbus_send_script',`
+@@ -1413,6 +1649,27 @@ interface(`init_dbus_send_script',`
 ########################################
 ## <summary>
 ##	Send and receive messages from
@ -78076,7 +78132,7 @@ index d26fe81..3ff8fef 100644
 ##	init scripts over dbus.
 ## </summary>
 ## <param name="domain">
-@@ -1499,6 +1737,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1499,6 +1756,25 @@ interface(`init_getattr_script_status_files',`
 
 ########################################
 ## <summary>
@ -78102,7 +78158,7 @@ index d26fe81..3ff8fef 100644
 ##	Do not audit attempts to read init script
 ##	status files.
 ## </summary>
-@@ -1557,6 +1814,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1557,6 +1833,24 @@ interface(`init_rw_script_tmp_files',`
 
 ########################################
 ## <summary>
@ -78127,7 +78183,7 @@ index d26fe81..3ff8fef 100644
 ##	Create files in a init script
 ##	temporary data directory.
 ## </summary>
-@@ -1629,6 +1904,43 @@ interface(`init_read_utmp',`
+@@ -1629,6 +1923,43 @@ interface(`init_read_utmp',`
 
 ########################################
 ## <summary>
@ -78171,7 +78227,7 @@ index d26fe81..3ff8fef 100644
 ##	Do not audit attempts to write utmp.
 ## </summary>
 ## <param name="domain">
-@@ -1717,7 +2029,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1717,7 +2048,7 @@ interface(`init_dontaudit_rw_utmp',`
 		type initrc_var_run_t;
 	')
 
@ -78180,7 +78236,7 @@ index d26fe81..3ff8fef 100644
 ')
 
 ########################################
-@@ -1758,6 +2070,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1758,6 +2089,128 @@ interface(`init_pid_filetrans_utmp',`
 	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
 ')
 
@ -78309,7 +78365,7 @@ index d26fe81..3ff8fef 100644
 ########################################
 ## <summary>
 ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1792,3 +2226,284 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1792,3 +2245,284 @@ interface(`init_udp_recvfrom_all_daemons',`
 	')
 	corenet_udp_recvfrom_labeled($1, daemon)
 ')
@ -81014,7 +81070,7 @@ index 02f4c97..54c74fe 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 321bb13..4d8e1a9 100644
+index 321bb13..e9c2da9 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@ -81099,10 +81155,17 @@ index 321bb13..4d8e1a9 100644
 ########################################
 ## <summary>
 ##	Send system log messages.
-@@ -550,6 +607,45 @@ interface(`logging_send_syslog_msg',`
- 
- ########################################
- ## <summary>
+@@ -546,6 +603,48 @@ interface(`logging_send_syslog_msg',`
+ 	# will write to the console.
+ 	term_write_console($1)
+ 	term_dontaudit_read_console($1)
+	ifdef(`hide_broken_symptoms',`
+		kernel_dgram_send($1)
+	')
+')
+
+########################################
+## <summary>
 +##	Connect to the syslog control unix stream socket.
 +## </summary>
 +## <param name="domain">
@ -81138,14 +81201,10 @@ index 321bb13..4d8e1a9 100644
 +
 +	files_search_pids($1)
 +	stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Read the auditd configuration files.
- ## </summary>
- ## <param name="domain">
-@@ -739,7 +835,25 @@ interface(`logging_append_all_logs',`
+ ')
+ 
+ ########################################
+@@ -739,7 +838,25 @@ interface(`logging_append_all_logs',`
 	')
 
 	files_search_var($1)
@ -81172,7 +81231,7 @@ index 321bb13..4d8e1a9 100644
 ')
 
 ########################################
-@@ -822,7 +936,7 @@ interface(`logging_manage_all_logs',`
+@@ -822,7 +939,7 @@ interface(`logging_manage_all_logs',`
 
 	files_search_var($1)
 	manage_files_pattern($1, logfile, logfile)
@ -81181,7 +81240,7 @@ index 321bb13..4d8e1a9 100644
 ')
 
 ########################################
-@@ -848,6 +962,44 @@ interface(`logging_read_generic_logs',`
+@@ -848,6 +965,44 @@ interface(`logging_read_generic_logs',`
 
 ########################################
 ## <summary>
@ -81226,7 +81285,7 @@ index 321bb13..4d8e1a9 100644
 ##	Write generic log files.
 ## </summary>
 ## <param name="domain">
-@@ -947,11 +1099,16 @@ interface(`logging_admin_audit',`
+@@ -947,11 +1102,16 @@ interface(`logging_admin_audit',`
 		type auditd_t, auditd_etc_t, auditd_log_t;
 		type auditd_var_run_t;
 		type auditd_initrc_exec_t;
@ -81244,7 +81303,7 @@ index 321bb13..4d8e1a9 100644
 	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
 	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
 
-@@ -967,6 +1124,33 @@ interface(`logging_admin_audit',`
+@@ -967,6 +1127,33 @@ interface(`logging_admin_audit',`
 	domain_system_change_exemption($1)
 	role_transition $2 auditd_initrc_exec_t system_r;
 	allow $2 system_r;
@ -81278,7 +81337,7 @@ index 321bb13..4d8e1a9 100644
 ')
 
 ########################################
-@@ -995,10 +1179,15 @@ interface(`logging_admin_syslog',`
+@@ -995,10 +1182,15 @@ interface(`logging_admin_syslog',`
 		type syslogd_initrc_exec_t;
 	')
 
@ -81296,7 +81355,7 @@ index 321bb13..4d8e1a9 100644
 
 	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
 	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1020,6 +1209,8 @@ interface(`logging_admin_syslog',`
+@@ -1020,6 +1212,8 @@ interface(`logging_admin_syslog',`
 	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 
 	logging_manage_all_logs($1)
@ -81305,7 +81364,7 @@ index 321bb13..4d8e1a9 100644
 
 	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
 	domain_system_change_exemption($1)
-@@ -1048,3 +1239,25 @@ interface(`logging_admin',`
+@@ -1048,3 +1242,25 @@ interface(`logging_admin',`
 	logging_admin_audit($1, $2)
 	logging_admin_syslog($1, $2)
 ')
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.0
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -491,6 +491,37 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Wed Jul 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-9
+- Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t
+- Add init_access_check() interface
+- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
+- Allow tcpdump to create a netlink_socket
+- Label newusers like useradd
+- Change xdm log files to be labeled xdm_log_t
+- Allow sshd_t with privsep to work in MLS
+- Allow freshclam to update databases thru HTTP proxy
+- Allow s-m-config to access check on systemd
+- Allow abrt to read public files by default
+- Fix amavis_create_pid_files() interface
+- Add labeling and filename transition for dbomatic.log
+- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
+- Allow amavisd to execute fsav
+- Allow tuned to use sys_admin and sys_nice capabilities
+- Add php-fpm policy from Bryan
+- Add labeling for aeolus-configserver-thinwrapper
+- Allow thin domains to execute shell
+- Fix gnome_role_gkeyringd() interface description
+- Lot of interface fixes
+- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
+- Allow OpenMPI job to use kerberos
+- Make deltacloudd_t as nsswitch_domain
+- Allow xend_t to run lsscsi
+- Allow qemu-dm running as xend_t to create tun_socket
+- Add labeling for /opt/brother/Printers(.*/)?inf
+- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
+- Fix clamscan_can_scan_system boolean
+- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
+
 * Tue Jul 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-8
 - initrc is calling exportfs which is not confined so it attempts to read nfsd_files
 - Fixes for passenger running within openshift.