- Add initial policy for system-setup-keyboard which is now daemon

- Label /var/lock/subsys/shorewall as shorewall_lock_t - Allow users to communicate with the gpg_agent_t - Dontaudit mozilla_plugin_t using the inherited terminal - Allow sambagui to read files in /usr - webalizer manages squid log files - Allow unconfined domains to bind ports to raw_ip_sockets - Allow abrt to manage rpm logs when running yum - Need labels for /var/run/bittlebee - Label .ssh under amanda - Remove unused genrequires for virt_domain_template - Allow virt_domain to use fd inherited from virtd_t - Allow iptables to read shorewall config
2011-01-05 10:08:57 +00:00 · 2011-01-05 10:08:57 +00:00 · b559c4ec49
commit b559c4ec49
parent b96903aaa0
3 changed files with 310 additions and 77 deletions
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -2321,3 +2321,10 @@ pingd = module
 # 
 milter = module

+# Layer: services
+# Module: keyboardd
+#
+# system-setup-keyboard is a keyboard layout daemon that monitors 
+# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet
+#
+keyboardd = module
--- a/policy-F15.patch
+++ b/policy-F15.patch
@ -1537,6 +1537,17 @@ index 47a8f7d..31f474e 100644
 
 	optional_policy(`
 		java_domtrans_unconfined(rpm_script_t)
+diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc
+index 029cb7e..48d1363 100644
+--- a/policy/modules/admin/shorewall.fc
+++ b/policy/modules/admin/shorewall.fc
+@@ -11,4 +11,6 @@
+ /var/lib/shorewall6(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+ /var/lib/shorewall-lite(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+ 
+/var/lock/subsys/shorewall		--	gen_context(system_u:object_r:shorewall_lock_t,s0)
+
+ /var/log/shorewall.*				gen_context(system_u:object_r:shorewall_log_t,s0)
 diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
 index 0948921..f198119 100644
 --- a/policy/modules/admin/shorewall.if
@ -3442,10 +3453,10 @@ index e9853d4..717d163 100644
 /usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
 diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
-index 40e0a2a..13d939a 100644
+index 40e0a2a..f4a103c 100644
 --- a/policy/modules/apps/gpg.if
 +++ b/policy/modules/apps/gpg.if
-@@ -54,6 +54,8 @@ interface(`gpg_role',`
+@@ -54,10 +54,13 @@ interface(`gpg_role',`
 	manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
 	relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
 
@ -3454,7 +3465,12 @@ index 40e0a2a..13d939a 100644
 	optional_policy(`
 		gpg_pinentry_dbus_chat($2)
 	')
-@@ -85,6 +87,43 @@ interface(`gpg_domtrans',`
+ 
+	allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
+ 	ifdef(`hide_broken_symptoms',`
+ 		#Leaked File Descriptors
+ 		dontaudit gpg_t $2:socket_class_set { getattr read write };
+@@ -85,6 +88,43 @@ interface(`gpg_domtrans',`
 	domtrans_pattern($1, gpg_exec_t, gpg_t)
 ')
 
@ -3886,7 +3902,7 @@ index e6d84e8..b027189 100644
 
 ########################################
 diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
-index 167950d..97853ff 100644
+index 167950d..ef63b20 100644
 --- a/policy/modules/apps/java.te
 +++ b/policy/modules/apps/java.te
@@ -82,12 +82,12 @@ dev_read_urand(java_t)
@ -3903,7 +3919,7 @@ index 167950d..97853ff 100644
 
 fs_getattr_xattr_fs(java_t)
 fs_dontaudit_rw_tmpfs_files(java_t)
-@@ -143,12 +143,15 @@ optional_policy(`
+@@ -143,14 +143,21 @@ optional_policy(`
 	# execheap is needed for itanium/BEA jrocket
 	allow unconfined_java_t self:process { execstack execmem execheap };
 
@ -3919,6 +3935,12 @@ index 167950d..97853ff 100644
 
 	optional_policy(`
 		rpm_domtrans(unconfined_java_t)
+ 	')
+
+	optional_policy(`
+        wine_domtrans(unconfined_java_t)
+    ')
+ ')
 diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te
 index f63c4c2..3812a46 100644
 --- a/policy/modules/apps/kdumpgui.te
@ -4298,7 +4320,7 @@ index 9a6d67d..5ac3ea5 100644
 ##	mozilla over dbus.
 ## </summary>
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..451a1c0 100644
+index 2a91fa8..593cefa 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
@@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
@ -4380,7 +4402,7 @@ index 2a91fa8..451a1c0 100644
 	pulseaudio_exec(mozilla_t)
 	pulseaudio_stream_connect(mozilla_t)
 	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,149 @@ optional_policy(`
+@@ -266,3 +291,151 @@ optional_policy(`
 optional_policy(`
 	thunderbird_domtrans(mozilla_t)
 ')
@ -4426,6 +4448,7 @@ index 2a91fa8..451a1c0 100644
 +corecmd_exec_bin(mozilla_plugin_t)
 +corecmd_exec_shell(mozilla_plugin_t)
 +
+corenet_tcp_connect_generic_port(mozilla_plugin_t)
 +corenet_tcp_connect_flash_port(mozilla_plugin_t)
 +corenet_tcp_connect_streaming_port(mozilla_plugin_t)
 +corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
@ -4471,6 +4494,7 @@ index 2a91fa8..451a1c0 100644
 +userdom_delete_user_tmpfs_files(mozilla_plugin_t)
 +userdom_stream_connect(mozilla_plugin_t)
 +userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
+userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
 +userdom_manage_user_tmp_sockets(mozilla_plugin_t)
 +
 +userdom_list_user_tmp(mozilla_plugin_t)
@ -5993,11 +6017,14 @@ index c605046..15c17a0 100644
 +miscfiles_read_localization(rssh_chroot_helper_t)
 +
 diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
-index 9ec1478..26bb71c 100644
+index 9ec1478..ceec04a 100644
 --- a/policy/modules/apps/sambagui.te
 +++ b/policy/modules/apps/sambagui.te
-@@ -29,7 +29,7 @@ dev_dontaudit_read_urand(sambagui_t)
+@@ -27,9 +27,10 @@ corecmd_exec_bin(sambagui_t)
 
+ dev_dontaudit_read_urand(sambagui_t)
+ 
+files_read_usr_files(sambagui_t)
 files_read_etc_files(sambagui_t)
 files_search_var_lib(sambagui_t)
 -files_search_usr(sambagui_t)
@ -6005,7 +6032,7 @@ index 9ec1478..26bb71c 100644
 
 auth_use_nsswitch(sambagui_t)
 
-@@ -39,6 +39,8 @@ miscfiles_read_localization(sambagui_t)
+@@ -39,6 +40,8 @@ miscfiles_read_localization(sambagui_t)
 
 nscd_dontaudit_search_pid(sambagui_t)
 
@ -6014,7 +6041,7 @@ index 9ec1478..26bb71c 100644
 # handling with samba conf files
 samba_append_log(sambagui_t)
 samba_manage_config(sambagui_t)
-@@ -53,5 +55,9 @@ optional_policy(`
+@@ -53,5 +56,9 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -7701,6 +7728,18 @@ index c76ceb2..d7df452 100644
 ')
 
 optional_policy(`
+diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
+index f79314b..8325a8d 100644
+--- a/policy/modules/apps/webalizer.te
+++ b/policy/modules/apps/webalizer.te
+@@ -103,3 +103,7 @@ optional_policy(`
+ optional_policy(`
+ 	nscd_socket_use(webalizer_t)
+ ')
+
+optional_policy(`
+	squid_manage_logs(webalizer_t)
+')
 diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc
 index 9d24449..2666317 100644
 --- a/policy/modules/apps/wine.fc
@ -8028,7 +8067,7 @@ index b06df19..c0763c2 100644
 ## </summary>
 ## <param name="domain">
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index edefaf3..7548158 100644
+index edefaf3..e9599e0 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -15,6 +15,7 @@ attribute rpc_port_type;
@ -8237,6 +8276,13 @@ index edefaf3..7548158 100644
 network_port(zookeeper_client, tcp,2181,s0)
 network_port(zookeeper_election, tcp,3888,s0)
 network_port(zookeeper_leader, tcp,2888,s0)
+@@ -274,5 +315,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
+ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
+ 
+ # Bind to any network address.
+-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
+ allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
 index 3b2da10..7c29e17 100644
 --- a/policy/modules/kernel/devices.fc
@ -8881,7 +8927,7 @@ index bc534c1..778d512 100644
 +# broken kernel
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 3517db2..4dd4bef 100644
+index 3517db2..ebf38e4 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@ -8906,17 +8952,19 @@ index 3517db2..4dd4bef 100644
 /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
 
 /etc/ipsec\.d/examples(/.*)?	gen_context(system_u:object_r:etc_t,s0)
-@@ -74,7 +82,8 @@ ifdef(`distro_suse',`
+@@ -74,7 +82,10 @@ ifdef(`distro_suse',`
 
 /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
 -/etc/sysconfig/firstboot --	gen_context(system_u:object_r:etc_runtime_t,s0)
 +
 +/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf --	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf --    gen_context(system_u:object_r:etc_runtime_t,s0)
+
 
 ifdef(`distro_gentoo', `
 /etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -95,7 +104,7 @@ ifdef(`distro_suse',`
+@@ -95,7 +106,7 @@ ifdef(`distro_suse',`
 # HOME_ROOT
 # expanded by genhomedircon
 #
@ -8925,7 +8973,7 @@ index 3517db2..4dd4bef 100644
 HOME_ROOT/\.journal		<<none>>
 HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 HOME_ROOT/lost\+found/.*		<<none>>
-@@ -159,6 +168,12 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -159,6 +170,12 @@ HOME_ROOT/lost\+found/.*		<<none>>
 /proc			-d	<<none>>
 /proc/.*			<<none>>
 
@ -8938,7 +8986,7 @@ index 3517db2..4dd4bef 100644
 #
 # /selinux
 #
-@@ -172,12 +187,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -172,12 +189,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
 /srv/.*				gen_context(system_u:object_r:var_t,s0)
 
 #
@ -8951,7 +8999,7 @@ index 3517db2..4dd4bef 100644
 # /tmp
 #
 /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-@@ -217,7 +226,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -217,7 +228,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
 
 ifndef(`distro_redhat',`
 /usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
@ -8959,7 +9007,7 @@ index 3517db2..4dd4bef 100644
 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
 /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 ')
-@@ -233,6 +241,8 @@ ifndef(`distro_redhat',`
+@@ -233,6 +243,8 @@ ifndef(`distro_redhat',`
 
 /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
 
@ -8968,7 +9016,7 @@ index 3517db2..4dd4bef 100644
 /var/lib(/.*)?			gen_context(system_u:object_r:var_lib_t,s0)
 
 /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
-@@ -249,7 +259,7 @@ ifndef(`distro_redhat',`
+@@ -249,7 +261,7 @@ ifndef(`distro_redhat',`
 /var/spool(/.*)?			gen_context(system_u:object_r:var_spool_t,s0)
 /var/spool/postfix/etc(/.*)?	gen_context(system_u:object_r:etc_t,s0)
 
@ -8977,7 +9025,7 @@ index 3517db2..4dd4bef 100644
 /var/tmp/.*			<<none>>
 /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/tmp/lost\+found/.*		<<none>>
-@@ -258,3 +268,7 @@ ifndef(`distro_redhat',`
+@@ -258,3 +270,7 @@ ifndef(`distro_redhat',`
 ifdef(`distro_debian',`
 /var/run/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 ')
@ -13521,7 +13569,7 @@ index 0b827c5..8961dba 100644
 	admin_pattern($1, abrt_tmp_t)
 ')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..7065b02 100644
+index 30861ec..d3996c8 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
@@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0)
@ -13629,7 +13677,15 @@ index 30861ec..7065b02 100644
 	policykit_dbus_chat(abrt_t)
 	policykit_domtrans_auth(abrt_t)
 	policykit_read_lib(abrt_t)
-@@ -178,12 +205,18 @@ optional_policy(`
+@@ -167,6 +194,7 @@ optional_policy(`
+ 	rpm_exec(abrt_t)
+ 	rpm_dontaudit_manage_db(abrt_t)
+ 	rpm_manage_cache(abrt_t)
+	rpm_manage_log(abrt_t)
+ 	rpm_manage_pid_files(abrt_t)
+ 	rpm_read_db(abrt_t)
+ 	rpm_signull(abrt_t)
+@@ -178,12 +206,18 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -13649,7 +13705,7 @@ index 30861ec..7065b02 100644
 #
 
 allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -203,6 +236,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+@@ -203,6 +237,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
 domain_read_all_domains_state(abrt_helper_t)
 
 files_read_etc_files(abrt_helper_t)
@ -13657,7 +13713,7 @@ index 30861ec..7065b02 100644
 
 fs_list_inotifyfs(abrt_helper_t)
 fs_getattr_all_fs(abrt_helper_t)
-@@ -216,7 +250,8 @@ miscfiles_read_localization(abrt_helper_t)
+@@ -216,7 +251,8 @@ miscfiles_read_localization(abrt_helper_t)
 term_dontaudit_use_all_ttys(abrt_helper_t)
 term_dontaudit_use_all_ptys(abrt_helper_t)
 
@ -13667,7 +13723,7 @@ index 30861ec..7065b02 100644
 	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
 	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
 	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +259,18 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +260,18 @@ ifdef(`hide_broken_symptoms', `
 	dev_dontaudit_write_all_chr_files(abrt_helper_t)
 	dev_dontaudit_write_all_blk_files(abrt_helper_t)
 	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@ -16123,19 +16179,74 @@ index 4deca04..42aa033 100644
 ')
 
 optional_policy(`
+diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc
+index 0197980..f8bce2c 100644
+--- a/policy/modules/services/bitlbee.fc
+++ b/policy/modules/services/bitlbee.fc
+@@ -4,3 +4,6 @@
+ /usr/sbin/bitlbee	--	gen_context(system_u:object_r:bitlbee_exec_t,s0)
+ 
+ /var/lib/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_var_t,s0)
+
+/var/run/bitlbee\.pid	--	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
+/var/run/bitlbee\.sock	-s	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
 diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
-index f4e7ad3..6591639 100644
+index f4e7ad3..68aebc4 100644
 --- a/policy/modules/services/bitlbee.te
 +++ b/policy/modules/services/bitlbee.te
-@@ -28,7 +28,7 @@ files_type(bitlbee_var_t)
+@@ -22,29 +22,40 @@ files_tmp_file(bitlbee_tmp_t)
+ type bitlbee_var_t;
+ files_type(bitlbee_var_t)
+ 
+type bitlbee_var_run_t;
+files_type(bitlbee_var_run_t)
+
+ ########################################
+ #
+ # Local policy
 #
 
- allow bitlbee_t self:capability { setgid setuid };
+-allow bitlbee_t self:capability { setgid setuid };
 -allow bitlbee_t self:process signal;
+allow bitlbee_t self:capability { setgid setuid sys_nice };
 +allow bitlbee_t self:process { setsched signal };
+
+allow bitlbee_t self:fifo_file rw_fifo_file_perms;
 allow bitlbee_t self:udp_socket create_socket_perms;
 allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
 allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+-allow bitlbee_t self:fifo_file rw_fifo_file_perms;
+allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+ bitlbee_read_config(bitlbee_t)
+ 
+ # tmp files
+ manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+-files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
+manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
+ 
+ # user account information is read and edited at runtime; give the usual
+ # r/w access to bitlbee_var_t
+ manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+ files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+ 
+manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
+
+ kernel_read_system_state(bitlbee_t)
+ 
+ corenet_all_recvfrom_unlabeled(bitlbee_t)
+@@ -52,6 +63,7 @@ corenet_udp_sendrecv_generic_if(bitlbee_t)
+ corenet_udp_sendrecv_generic_node(bitlbee_t)
+ corenet_tcp_sendrecv_generic_if(bitlbee_t)
+ corenet_tcp_sendrecv_generic_node(bitlbee_t)
+corenet_tcp_bind_generic_node(bitlbee_t)
+ # Allow bitlbee to connect to jabber servers
+ corenet_tcp_connect_jabber_client_port(bitlbee_t)
+ corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
 diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
 index 3e45431..fa57a6f 100644
 --- a/policy/modules/services/bluetooth.if
@ -19695,10 +19806,34 @@ index 0f28095..cf33683 100644
 logging_send_syslog_msg(hplip_t)
 
 diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
-index c43ff4c..5bf3e60 100644
+index c43ff4c..a9783e3 100644
 --- a/policy/modules/services/cvs.if
 +++ b/policy/modules/services/cvs.if
-@@ -58,9 +58,8 @@ interface(`cvs_exec',`
+@@ -1,5 +1,23 @@
+ ## <summary>Concurrent versions system</summary>
+ 
+######################################
+## <summary>
+##  Dontaudit Attempts to list the CVS data and metadata.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`cvs_dontaudit_list_data',`
+    gen_require(`
+        type cvs_data_t;
+    ')
+
+    dontaudit $1 cvs_data_t:dir list_dir_perms;
+')
+
+ ########################################
+ ## <summary>
+ ##	Read the CVS data and metadata.
+@@ -58,9 +76,8 @@ interface(`cvs_exec',`
 #
 interface(`cvs_admin',`
 	gen_require(`
@ -24337,6 +24472,75 @@ index 835b16b..dd32883 100644
 +	files_list_tmp($1)
 	admin_pattern($1, kerneloops_tmp_t)
 ')
+diff --git a/policy/modules/services/keyboardd.fc b/policy/modules/services/keyboardd.fc
+new file mode 100644
+index 0000000..485aacc
+--- /dev/null
+++ b/policy/modules/services/keyboardd.fc
+@@ -0,0 +1,2 @@
+
+/usr/bin/system-setup-keyboard		--	gen_context(system_u:object_r:keyboardd_exec_t,s0)
+diff --git a/policy/modules/services/keyboardd.if b/policy/modules/services/keyboardd.if
+new file mode 100644
+index 0000000..26391e6
+--- /dev/null
+++ b/policy/modules/services/keyboardd.if
+@@ -0,0 +1,21 @@
+
+## <summary>policy for system-setup-keyboard daemon</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run keyboard setup daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`keyboardd_domtrans',`
+	gen_require(`
+		type keyboardd_t, keyboardd_exec_t;
+	')
+
+	domtrans_pattern($1, keyboardd_exec_t, keyboardd_t)
+')
+
+diff --git a/policy/modules/services/keyboardd.te b/policy/modules/services/keyboardd.te
+new file mode 100644
+index 0000000..a2bf9c3
+--- /dev/null
+++ b/policy/modules/services/keyboardd.te
+@@ -0,0 +1,28 @@
+
+policy_module(keyboardd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type keyboardd_t;
+type keyboardd_exec_t;
+init_daemon_domain(keyboardd_t, keyboardd_exec_t)
+
+permissive keyboardd_t;
+
+########################################
+#
+# keyboardd local policy
+#
+
+allow keyboardd_t self:fifo_file rw_fifo_file_perms;
+allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
+
+files_rw_etc_runtime_files(keyboardd_t)
+files_etc_filetrans_etc_runtime(keyboardd_t, file)
+
+files_read_etc_files(keyboardd_t)
+
+miscfiles_read_localization(keyboardd_t)
 diff --git a/policy/modules/services/ksmtuned.fc b/policy/modules/services/ksmtuned.fc
 index 9c0c835..8360166 100644
 --- a/policy/modules/services/ksmtuned.fc
@ -35712,20 +35916,21 @@ index 4b2230e..d45dc67 100644
 	sysnet_dns_name_resolve(httpd_squid_script_t)
 
 diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 078bcd7..06da5f7 100644
+index 078bcd7..2d60774 100644
 --- a/policy/modules/services/ssh.fc
 +++ b/policy/modules/services/ssh.fc
-@@ -1,4 +1,9 @@
+@@ -1,4 +1,10 @@
 HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +HOME_DIR/\.shosts			gen_context(system_u:object_r:ssh_home_t,s0)
 +
+/var/lib/amanda/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/gitolite/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
 +
 +/etc/rc\.d/init\.d/sshd        --  gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
 
 /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
 /etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
-@@ -14,3 +19,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+@@ -14,3 +20,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
 
 /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
@ -36023,7 +36228,7 @@ index 22adaca..784c363 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..4cdb5c2 100644
+index 2dad3c8..f4626c0 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@ -36243,7 +36448,7 @@ index 2dad3c8..4cdb5c2 100644
 
 	dev_read_urand(ssh_keysign_t)
 
-@@ -232,33 +287,39 @@ optional_policy(`
+@@ -232,33 +287,43 @@ optional_policy(`
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
@ -36289,10 +36494,14 @@ index 2dad3c8..4cdb5c2 100644
 -',`
 -	userdom_spec_domtrans_unpriv_users(sshd_t)
 -	userdom_signal_unpriv_users(sshd_t)
+')
+
+optional_policy(`
+	amanda_search_lib(sshd_t)
 ')
 
 optional_policy(`
-@@ -266,11 +327,24 @@ optional_policy(`
+@@ -266,11 +331,24 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36318,7 +36527,7 @@ index 2dad3c8..4cdb5c2 100644
 ')
 
 optional_policy(`
-@@ -284,6 +358,11 @@ optional_policy(`
+@@ -284,6 +362,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36330,7 +36539,7 @@ index 2dad3c8..4cdb5c2 100644
 	unconfined_shell_domtrans(sshd_t)
 ')
 
-@@ -292,26 +371,26 @@ optional_policy(`
+@@ -292,26 +375,26 @@ optional_policy(`
 ')
 
 ifdef(`TODO',`
@ -36376,7 +36585,7 @@ index 2dad3c8..4cdb5c2 100644
 ') dnl endif TODO
 
 ########################################
-@@ -324,7 +403,6 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -324,7 +407,6 @@ tunable_policy(`ssh_sysadm_login',`
 
 dontaudit ssh_keygen_t self:capability sys_tty_config;
 allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@ -36384,7 +36593,7 @@ index 2dad3c8..4cdb5c2 100644
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 
 allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-@@ -353,10 +431,6 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -353,10 +435,6 @@ logging_send_syslog_msg(ssh_keygen_t)
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 
 optional_policy(`
@ -37483,13 +37692,14 @@ index 2124b6a..6546d6e 100644
 
 /var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..8822e63 100644
+index 7c5d8d8..5e2f264 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
-@@ -14,13 +14,14 @@
+@@ -13,14 +13,14 @@
+ #
 template(`virt_domain_template',`
 	gen_require(`
- 		type virtd_t;
+-		type virtd_t;
 -		attribute virt_image_type;
 -		attribute virt_domain;
 +		attribute virt_image_type, virt_domain;
@ -37503,7 +37713,7 @@ index 7c5d8d8..8822e63 100644
 	role system_r types $1_t;
 
 	type $1_devpts_t;
-@@ -35,17 +36,18 @@ template(`virt_domain_template',`
+@@ -35,17 +35,18 @@ template(`virt_domain_template',`
 	type $1_image_t, virt_image_type;
 	files_type($1_image_t)
 	dev_node($1_image_t)
@ -37526,7 +37736,7 @@ index 7c5d8d8..8822e63 100644
 
 	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
 	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +59,6 @@ template(`virt_domain_template',`
+@@ -57,18 +58,6 @@ template(`virt_domain_template',`
 	manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
 	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
 
@ -37545,7 +37755,7 @@ index 7c5d8d8..8822e63 100644
 	optional_policy(`
 		xserver_rw_shm($1_t)
 	')
-@@ -101,9 +91,9 @@ interface(`virt_image',`
+@@ -101,9 +90,9 @@ interface(`virt_image',`
 ##	Execute a domain transition to run virt.
 ## </summary>
 ## <param name="domain">
@ -37557,7 +37767,7 @@ index 7c5d8d8..8822e63 100644
 ## </param>
 #
 interface(`virt_domtrans',`
-@@ -164,13 +154,13 @@ interface(`virt_attach_tun_iface',`
+@@ -164,13 +153,13 @@ interface(`virt_attach_tun_iface',`
 #
 interface(`virt_read_config',`
 	gen_require(`
@ -37573,7 +37783,7 @@ index 7c5d8d8..8822e63 100644
 ')
 
 ########################################
-@@ -185,13 +175,13 @@ interface(`virt_read_config',`
+@@ -185,13 +174,13 @@ interface(`virt_read_config',`
 #
 interface(`virt_manage_config',`
 	gen_require(`
@ -37589,7 +37799,7 @@ index 7c5d8d8..8822e63 100644
 ')
 
 ########################################
-@@ -231,6 +221,24 @@ interface(`virt_read_content',`
+@@ -231,6 +220,24 @@ interface(`virt_read_content',`
 
 ########################################
 ## <summary>
@ -37614,7 +37824,7 @@ index 7c5d8d8..8822e63 100644
 ##	Read virt PID files.
 ## </summary>
 ## <param name="domain">
-@@ -269,6 +277,36 @@ interface(`virt_manage_pid_files',`
+@@ -269,6 +276,36 @@ interface(`virt_manage_pid_files',`
 
 ########################################
 ## <summary>
@ -37651,7 +37861,7 @@ index 7c5d8d8..8822e63 100644
 ##	Search virt lib directories.
 ## </summary>
 ## <param name="domain">
-@@ -308,6 +346,24 @@ interface(`virt_read_lib_files',`
+@@ -308,6 +345,24 @@ interface(`virt_read_lib_files',`
 
 ########################################
 ## <summary>
@ -37676,7 +37886,7 @@ index 7c5d8d8..8822e63 100644
 ##	Create, read, write, and delete
 ##	virt lib files.
 ## </summary>
-@@ -352,9 +408,9 @@ interface(`virt_read_log',`
+@@ -352,9 +407,9 @@ interface(`virt_read_log',`
 ##	virt log files.
 ## </summary>
 ## <param name="domain">
@ -37688,7 +37898,7 @@ index 7c5d8d8..8822e63 100644
 ## </param>
 #
 interface(`virt_append_log',`
-@@ -424,6 +480,24 @@ interface(`virt_read_images',`
+@@ -424,6 +479,24 @@ interface(`virt_read_images',`
 
 ########################################
 ## <summary>
@ -37713,7 +37923,7 @@ index 7c5d8d8..8822e63 100644
 ##	Create, read, write, and delete
 ##	svirt cache files.
 ## </summary>
-@@ -433,15 +507,15 @@ interface(`virt_read_images',`
+@@ -433,15 +506,15 @@ interface(`virt_read_images',`
 ##	</summary>
 ## </param>
 #
@ -37734,7 +37944,7 @@ index 7c5d8d8..8822e63 100644
 ')
 
 ########################################
-@@ -516,3 +590,51 @@ interface(`virt_admin',`
+@@ -516,3 +589,51 @@ interface(`virt_admin',`
 
 	virt_manage_log($1)
 ')
@ -37787,7 +37997,7 @@ index 7c5d8d8..8822e63 100644
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
 +')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..333a07f 100644
+index 3eca020..191efb7 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
@@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
@ -37986,7 +38196,7 @@ index 3eca020..333a07f 100644
 	xen_rw_image_files(svirt_t)
 ')
 
-@@ -174,22 +209,28 @@ optional_policy(`
+@@ -174,21 +209,28 @@ optional_policy(`
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@ -38009,17 +38219,17 @@ index 3eca020..333a07f 100644
 manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
 
 allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
- 
+allow virt_domain virtd_t:fd use;
+
 +allow virtd_t qemu_var_run_t:file relabel_file_perms;
 +manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
 +manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
 +manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
 +stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain)
-+
+ 
 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
- 
-@@ -200,8 +241,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +242,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
 
 manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
 manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@ -38036,7 +38246,7 @@ index 3eca020..333a07f 100644
 
 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
 manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -220,6 +267,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+@@ -220,6 +268,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
 kernel_read_system_state(virtd_t)
 kernel_read_network_state(virtd_t)
 kernel_rw_net_sysctls(virtd_t)
@ -38044,7 +38254,7 @@ index 3eca020..333a07f 100644
 kernel_request_load_module(virtd_t)
 kernel_search_debugfs(virtd_t)
 
-@@ -239,22 +287,32 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +288,32 @@ corenet_tcp_connect_soundd_port(virtd_t)
 corenet_rw_tun_tap_dev(virtd_t)
 
 dev_rw_sysfs(virtd_t)
@ -38078,7 +38288,7 @@ index 3eca020..333a07f 100644
 
 fs_list_auto_mountpoints(virtd_t)
 fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +320,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +321,18 @@ fs_rw_anon_inodefs_files(virtd_t)
 fs_list_inotifyfs(virtd_t)
 fs_manage_cgroup_dirs(virtd_t)
 fs_rw_cgroup_files(virtd_t)
@ -38097,7 +38307,7 @@ index 3eca020..333a07f 100644
 
 mcs_process_set_categories(virtd_t)
 
-@@ -285,16 +355,30 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +356,30 @@ modutils_read_module_config(virtd_t)
 modutils_manage_module_config(virtd_t)
 
 logging_send_syslog_msg(virtd_t)
@ -38128,7 +38338,7 @@ index 3eca020..333a07f 100644
 
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virtd_t)
-@@ -365,6 +449,8 @@ optional_policy(`
+@@ -365,6 +450,8 @@ optional_policy(`
 	qemu_signal(virtd_t)
 	qemu_kill(virtd_t)
 	qemu_setsched(virtd_t)
@ -38137,7 +38347,7 @@ index 3eca020..333a07f 100644
 ')
 
 optional_policy(`
-@@ -396,12 +482,25 @@ optional_policy(`
+@@ -396,12 +483,25 @@ optional_policy(`
 
 allow virt_domain self:capability { dac_read_search dac_override kill };
 allow virt_domain self:process { execmem execstack signal getsched signull };
@ -38164,7 +38374,7 @@ index 3eca020..333a07f 100644
 append_files_pattern(virt_domain, virt_log_t, virt_log_t)
 
 append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +521,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +522,7 @@ corenet_rw_tun_tap_dev(virt_domain)
 corenet_tcp_bind_virt_migration_port(virt_domain)
 corenet_tcp_connect_virt_migration_port(virt_domain)
 
@ -38172,7 +38382,7 @@ index 3eca020..333a07f 100644
 dev_read_rand(virt_domain)
 dev_read_sound(virt_domain)
 dev_read_urand(virt_domain)
-@@ -429,10 +529,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +530,12 @@ dev_write_sound(virt_domain)
 dev_rw_ksm(virt_domain)
 dev_rw_kvm(virt_domain)
 dev_rw_qemu(virt_domain)
@ -38185,7 +38395,7 @@ index 3eca020..333a07f 100644
 files_read_usr_files(virt_domain)
 files_read_var_files(virt_domain)
 files_search_all(virt_domain)
-@@ -440,6 +542,11 @@ files_search_all(virt_domain)
+@@ -440,6 +543,11 @@ files_search_all(virt_domain)
 fs_getattr_tmpfs(virt_domain)
 fs_rw_anon_inodefs_files(virt_domain)
 fs_rw_tmpfs_files(virt_domain)
@ -38197,7 +38407,7 @@ index 3eca020..333a07f 100644
 
 term_use_all_terms(virt_domain)
 term_getattr_pty_fs(virt_domain)
-@@ -457,8 +564,117 @@ optional_policy(`
+@@ -457,8 +565,117 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -43730,7 +43940,7 @@ index 5c94dfe..59bfb17 100644
 
 ########################################
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index a3fdcb3..bce3aea 100644
+index a3fdcb3..96b3872 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
@@ -13,9 +13,6 @@ role system_r types iptables_t;
@ -43814,11 +44024,12 @@ index a3fdcb3..bce3aea 100644
 ')
 
 optional_policy(`
-@@ -124,6 +135,7 @@ optional_policy(`
+@@ -124,6 +135,8 @@ optional_policy(`
 
 optional_policy(`
 	shorewall_rw_lib_files(iptables_t)
 +	shorewall_read_tmp_files(iptables_t)
+	shorewall_read_config(iptables_t)
 ')
 
 optional_policy(`
@ -44393,7 +44604,7 @@ index 3fb1915..26e9f79 100644
 -	nscd_socket_use(sulogin_t)
 -')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 571599b..3644f0f 100644
+index 571599b..b323b73 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
@@ -17,6 +17,10 @@
@ -44439,7 +44650,7 @@ index 571599b..3644f0f 100644
 /var/spool/plymouth/boot.log	gen_context(system_u:object_r:var_log_t,s0)
 /var/spool/rsyslog(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
 
-+/var/stockmaniac/templates_cache gen_context(system_u:object_r:var_log_t,s0)
+/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0)
 +
 /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 +
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.12
-Release: 3%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -471,6 +471,21 @@ exit 0
 %endif

 %changelog
+* Wed Jan 5 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.12-5
+- Add initial policy for system-setup-keyboard which is now daemon
+- Label /var/lock/subsys/shorewall as shorewall_lock_t
+- Allow users to communicate with the gpg_agent_t
+- Dontaudit mozilla_plugin_t using the inherited terminal
+- Allow sambagui to read files in /usr
+- webalizer manages squid log files
+- Allow unconfined domains to bind ports to raw_ip_sockets
+- Allow abrt to manage rpm logs when running yum
+- Need labels for /var/run/bittlebee
+- Label .ssh under amanda
+- Remove unused genrequires for virt_domain_template
+- Allow virt_domain to use fd inherited from virtd_t
+- Allow iptables to read shorewall config
+
 * Tue Dec 28 2010 Dan Walsh <dwalsh@redhat.com> 3.9.12-4
 - Gnome apps list config_home_t
 - mpd creates lnk files in homedir