- Fixes for cloudform policies which need to connect to random ports

- Make sure if an admin creates modules content it creates them with the correct label - Add port 8953 as a dns port used by unbound - Fix file name transition for alsa and confined users
2011-10-24 10:57:01 +02:00 · 2011-10-24 10:57:01 +02:00 · b6ae8086ef
commit b6ae8086ef
parent fbfb5e985d
4 changed files with 129 additions and 99 deletions
--- a/default_trans.patch
+++ b/default_trans.patch
@ -9,17 +9,3 @@ index ed7a0c1..90d0b1e 100644
 #
 # Define sensitivities 
 #
-diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index e117271..58b782e 100644
--- a/policy/modules/admin/bootloader.fc
-+++ b/policy/modules/admin/bootloader.fc
-@@ -3,9 +3,7 @@
- /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
- 
- /sbin/grub.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/installkernel	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
- /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/new-kernel-pkg	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
- /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
- 
- /usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
--- a/execmem.patch
+++ b/execmem.patch
@ -367,17 +367,3 @@ diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.execmem serefpol
 		mount_run_fusermount($1_t, $1_r)
 		mount_read_pid_files($1_t)
 	')
-diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index e117271..58b782e 100644
--- a/policy/modules/admin/bootloader.fc
-+++ b/policy/modules/admin/bootloader.fc
-@@ -3,9 +3,7 @@
- /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
- 
- /sbin/grub.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/installkernel	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
- /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/new-kernel-pkg	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
- /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
- 
- /usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -322,10 +322,18 @@ index 63ef90e..a535b31 100644
 ')
 
 diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
-index 1392679..7793407 100644
+index 1392679..407f9f7 100644
 --- a/policy/modules/admin/alsa.if
 +++ b/policy/modules/admin/alsa.if
-@@ -206,3 +206,47 @@ interface(`alsa_read_lib',`
+@@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',`
+ 
+ 	userdom_search_user_home_dirs($1)
+ 	allow $1 alsa_home_t:file manage_file_perms;
+	alsa_filetrans_home_content(unpriv_userdomain)
+ ')
+ 
+ ########################################
+@@ -206,3 +207,46 @@ interface(`alsa_read_lib',`
 	files_search_var_lib($1)
 	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
 ')
@ -365,7 +373,6 @@ index 1392679..7793407 100644
 +		type alsa_var_lib_t;
 +	')
 +
-+	userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
 +	files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
 +	files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
 +	files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
@ -519,10 +526,10 @@ index 0bfc958..af95b7a 100644
 optional_policy(`
 	cron_system_entry(backup_t, backup_exec_t)
 diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 7a6f06f..e117271 100644
+index 7a6f06f..58b782e 100644
 --- a/policy/modules/admin/bootloader.fc
 +++ b/policy/modules/admin/bootloader.fc
-@@ -1,9 +1,11 @@
+@@ -1,8 +1,8 @@
 -
 +/etc/default/grub	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
@ -530,12 +537,9 @@ index 7a6f06f..e117271 100644
 
 -/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/sbin/grub.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/sbin/installkernel	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/sbin/new-kernel-pkg	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 
- /usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
 index 63eb96b..d7a6063 100644
 --- a/policy/modules/admin/bootloader.if
@ -13854,7 +13858,7 @@ index 4f3b542..cf422f4 100644
 	corenet_udp_recvfrom_labeled($1, $2)
 	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..30e6f47 100644
+index 99b71cb..ff28a20 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,15 @@ attribute netif_type;
@ -13961,8 +13965,9 @@ index 99b71cb..30e6f47 100644
 network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
 network_port(dict, tcp,2628,s0)
 network_port(distccd, tcp,3632,s0)
+-network_port(dns, udp,53,s0, tcp,53,s0)
 +network_port(dogtag, tcp,7390,s0)
- network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(dns, udp,53,s0, tcp,53,s0, tcp,8953,s0 )
 network_port(epmap, tcp,135,s0, udp,135,s0)
 +network_port(epmd, tcp,4369,s0, udp,4369,s0)
 +network_port(festival, tcp,1314,s0)
@ -14095,19 +14100,20 @@ index 99b71cb..30e6f47 100644
 network_port(tcs, tcp, 30003, s0)
 network_port(telnetd, tcp,23,s0)
 network_port(tftp, udp,69,s0)
-@@ -215,9 +278,10 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +278,11 @@ network_port(uucpd, tcp,540,s0)
 network_port(varnishd, tcp,6081-6082,s0)
 network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
 network_port(virt_migration, tcp,49152-49216,s0)
 -network_port(vnc, tcp,5900,s0)
 +network_port(vnc, tcp,5900-5999,s0)
 network_port(wccp, udp,2048,s0)
+network_port(websm, tcp,9090,s0, udp,9090,s0)
 network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
 +network_port(wsicopy, tcp, 3378, s0, udp, 3378,s0)
 network_port(xdmcp, udp,177,s0, tcp,177,s0)
 network_port(xen, tcp,8002,s0)
 network_port(xfs, tcp,7100,s0)
-@@ -229,6 +293,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +294,7 @@ network_port(zookeeper_client, tcp,2181,s0)
 network_port(zookeeper_election, tcp,3888,s0)
 network_port(zookeeper_leader, tcp,2888,s0)
 network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@ -14115,7 +14121,7 @@ index 99b71cb..30e6f47 100644
 network_port(zope, tcp,8021,s0)
 
 # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +303,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +304,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@ -14128,7 +14134,7 @@ index 99b71cb..30e6f47 100644
 
 ########################################
 #
-@@ -282,9 +353,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +354,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
 allow corenet_unconfined_type node_type:node *;
 allow corenet_unconfined_type netif_type:netif *;
 allow corenet_unconfined_type packet_type:packet *;
@ -16100,7 +16106,7 @@ index c19518a..12e8e9c 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..4262f4a 100644
+index ff006ea..11b67d7 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@ -16460,6 +16466,15 @@ index ff006ea..4262f4a 100644
 +	dontaudit $1 mnt_t:file_class_set audit_access;
 ')
 
+ ########################################
+@@ -3804,7 +3964,7 @@ interface(`files_kernel_modules_filetrans',`
+ 		type modules_object_t;
+ 	')
+ 
+-	filetrans_pattern($1, modules_object_t, $2, $3)
+	filetrans_pattern($1, modules_object_t, $2, $3, $4)
+ ')
+ 
 ########################################
@@ -3900,6 +4060,99 @@ interface(`files_read_world_readable_sockets',`
 	allow $1 readable_t:sock_file read_sock_file_perms;
@ -20670,10 +20685,10 @@ index be4de58..7e8b6ec 100644
 init_exec(secadm_t)
 
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..a1913e8 100644
+index 2be17d2..2c588ca 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,59 @@ policy_module(staff, 2.2.0)
+@@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
 role staff_r;
 
 userdom_unpriv_user_template(staff)
@ -20725,15 +20740,11 @@ index 2be17d2..a1913e8 100644
 +optional_policy(`
 +	abrt_read_cache(staff_t)
 +')
-+
-+optional_policy(`
-+    alsa_filetrans_home_content(staff_t)
-+')
 +
 optional_policy(`
 	apache_role(staff_r, staff_t)
 ')
-@@ -27,19 +74,113 @@ optional_policy(`
+@@ -27,19 +70,113 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -20849,7 +20860,7 @@ index 2be17d2..a1913e8 100644
 ')
 
 optional_policy(`
-@@ -48,10 +189,48 @@ optional_policy(`
+@@ -48,10 +185,48 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -20898,7 +20909,7 @@ index 2be17d2..a1913e8 100644
 	xserver_role(staff_r, staff_t)
 ')
 
-@@ -89,18 +268,10 @@ ifndef(`distro_redhat',`
+@@ -89,18 +264,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -20917,7 +20928,7 @@ index 2be17d2..a1913e8 100644
 		java_role(staff_r, staff_t)
 	')
 
-@@ -121,10 +292,6 @@ ifndef(`distro_redhat',`
+@@ -121,10 +288,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -20928,7 +20939,7 @@ index 2be17d2..a1913e8 100644
 		pyzor_role(staff_r, staff_t)
 	')
 
-@@ -137,10 +304,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +300,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -20939,7 +20950,7 @@ index 2be17d2..a1913e8 100644
 		spamassassin_role(staff_r, staff_t)
 	')
 
-@@ -172,3 +335,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +331,7 @@ ifndef(`distro_redhat',`
 		wireshark_role(staff_r, staff_t)
 	')
 ')
@ -20948,7 +20959,7 @@ index 2be17d2..a1913e8 100644
 +	userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..f2aac71 100644
+index e14b961..2d6db89 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,52 @@ ifndef(`enable_mls',`
@ -21104,11 +21115,12 @@ index e14b961..f2aac71 100644
 ')
 
 optional_policy(`
-@@ -198,22 +259,19 @@ optional_policy(`
+@@ -198,22 +259,20 @@ optional_policy(`
 	modutils_run_depmod(sysadm_t, sysadm_r)
 	modutils_run_insmod(sysadm_t, sysadm_r)
 	modutils_run_update_mods(sysadm_t, sysadm_r)
 +	modutils_read_module_deps(sysadm_t)
+	modules_filetrans_named_content(sysadm_t)
 ')
 
 optional_policy(`
@ -21132,7 +21144,7 @@ index e14b961..f2aac71 100644
 ')
 
 optional_policy(`
-@@ -225,25 +283,47 @@ optional_policy(`
+@@ -225,25 +284,47 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -21180,7 +21192,7 @@ index e14b961..f2aac71 100644
 	portage_run(sysadm_t, sysadm_r)
 	portage_run_gcc_config(sysadm_t, sysadm_r)
 ')
-@@ -253,19 +333,19 @@ optional_policy(`
+@@ -253,19 +334,19 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -21204,7 +21216,7 @@ index e14b961..f2aac71 100644
 ')
 
 optional_policy(`
-@@ -274,10 +354,7 @@ optional_policy(`
+@@ -274,10 +355,7 @@ optional_policy(`
 
 optional_policy(`
 	rpm_run(sysadm_t, sysadm_r)
@ -21216,7 +21228,7 @@ index e14b961..f2aac71 100644
 ')
 
 optional_policy(`
-@@ -302,12 +379,18 @@ optional_policy(`
+@@ -302,12 +380,18 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -21236,7 +21248,7 @@ index e14b961..f2aac71 100644
 ')
 
 optional_policy(`
-@@ -332,7 +415,10 @@ optional_policy(`
+@@ -332,7 +416,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -21248,7 +21260,7 @@ index e14b961..f2aac71 100644
 ')
 
 optional_policy(`
-@@ -343,19 +429,15 @@ optional_policy(`
+@@ -343,19 +430,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -21270,7 +21282,7 @@ index e14b961..f2aac71 100644
 ')
 
 optional_policy(`
-@@ -367,45 +449,45 @@ optional_policy(`
+@@ -367,45 +450,45 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -21327,7 +21339,7 @@ index e14b961..f2aac71 100644
 		auth_role(sysadm_r, sysadm_t)
 	')
 
-@@ -418,10 +500,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +501,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -21338,7 +21350,7 @@ index e14b961..f2aac71 100644
 		dbus_role_template(sysadm, sysadm_r, sysadm_t)
 	')
 
-@@ -439,6 +517,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +518,7 @@ ifndef(`distro_redhat',`
 
 	optional_policy(`
 		gnome_role(sysadm_r, sysadm_t)
@ -21346,7 +21358,7 @@ index e14b961..f2aac71 100644
 	')
 
 	optional_policy(`
-@@ -446,11 +525,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +526,66 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -22125,10 +22137,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..50c38f9
+index 0000000..b1e60db
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,498 @@
+@@ -0,0 +1,499 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@ -22483,6 +22495,7 @@ index 0000000..50c38f9
 +
 +optional_policy(`
 +	modutils_run_update_mods(unconfined_t, unconfined_r)
+	modules_filetrans_named_content(unconfined_t)
 +')
 +
 +optional_policy(`
@ -22628,10 +22641,10 @@ index 0000000..50c38f9
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 +
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..59f013e 100644
+index e5bfdd4..50e49e6 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,97 @@ role user_r;
+@@ -12,15 +12,93 @@ role user_r;
 
 userdom_unpriv_user_template(user)
 
@ -22648,10 +22661,6 @@ index e5bfdd4..59f013e 100644
 +optional_policy(`
 +	abrt_read_cache(user_t)
 +')
-+
-+optional_policy(`
-+	alsa_filetrans_home_content(user_t)
-+')
 +
 optional_policy(`
 	apache_role(user_r, user_t)
@ -22729,7 +22738,7 @@ index e5bfdd4..59f013e 100644
 	vlock_run(user_t, user_r)
 ')
 
-@@ -62,19 +144,11 @@ ifndef(`distro_redhat',`
+@@ -62,19 +140,11 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -22750,7 +22759,7 @@ index e5bfdd4..59f013e 100644
 	')
 
 	optional_policy(`
-@@ -98,10 +172,6 @@ ifndef(`distro_redhat',`
+@@ -98,10 +168,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -22761,7 +22770,7 @@ index e5bfdd4..59f013e 100644
 		postgresql_role(user_r, user_t)
 	')
 
-@@ -118,11 +188,7 @@ ifndef(`distro_redhat',`
+@@ -118,11 +184,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -22774,7 +22783,7 @@ index e5bfdd4..59f013e 100644
 	')
 
 	optional_policy(`
-@@ -157,3 +223,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +219,4 @@ ifndef(`distro_redhat',`
 		wireshark_role(user_r, user_t)
 	')
 ')
@ -29143,7 +29152,7 @@ index 0000000..917f8d4
 +')
 diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
 new file mode 100644
-index 0000000..1fb3787
+index 0000000..1852397
 --- /dev/null
 +++ b/policy/modules/services/cloudform.te
@@ -0,0 +1,201 @@
@ -29264,8 +29273,8 @@ index 0000000..1fb3787
 +kernel_read_system_state(iwhd_t)
 +
 +corenet_tcp_bind_generic_node(iwhd_t)
-+#type=AVC msg=audit(1319039371.089:62273): avc:  denied  { name_connect } for pid=9628 comm="iwhd" dest=27017 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
-+#type=AVC msg=audit(1319039371.089:62274): avc:  denied  { name_bind } for pid=9625 comm="iwhd" src=9090 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
+corenet_tcp_bind_websm_port(iwhd_t)
+corenet_tcp_connect_all_ports(iwhd_t)
 +
 +dev_read_rand(iwhd_t)
 +dev_read_urand(iwhd_t)
@ -29334,7 +29343,7 @@ index 0000000..1fb3787
 +corenet_tcp_bind_generic_node(thin_t)
 +corenet_tcp_bind_ntop_port(thin_t)
 +corenet_tcp_connect_postgresql_port(thin_t)
-+#type=AVC msg=audit(1319039370.469:62271): avc:  denied  { name_connect } for pid=9540 comm="thin" dest=3002 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
+corenet_tcp_connect_all_ports(iwhd_t)
 +
 +files_read_usr_files(thin_t)
 +
@ -38984,7 +38993,7 @@ index 7cf6763..ce32fe5 100644
 +	dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
 +')
 diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
-index 24c6253..0771a37 100644
+index 24c6253..bc08625 100644
 --- a/policy/modules/services/hal.te
 +++ b/policy/modules/services/hal.te
@@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
@ -39022,7 +39031,15 @@ index 24c6253..0771a37 100644
 files_rw_etc_runtime_files(hald_t)
 files_manage_mnt_dirs(hald_t)
 files_manage_mnt_files(hald_t)
-@@ -186,8 +191,6 @@ term_use_unallocated_ttys(hald_t)
+@@ -165,6 +170,7 @@ fs_manage_fusefs_dirs(hald_t)
+ fs_rw_removable_blk_files(hald_t)
+ 
+ files_getattr_all_mountpoints(hald_t)
+files_read_kernel_modules(hald_t)
+ 
+ mls_file_read_all_levels(hald_t)
+ 
+@@ -186,8 +192,6 @@ term_use_unallocated_ttys(hald_t)
 
 auth_use_nsswitch(hald_t)
 
@ -39031,7 +39048,7 @@ index 24c6253..0771a37 100644
 init_domtrans_script(hald_t)
 init_read_utmp(hald_t)
 #hal runs shutdown, probably need a shutdown domain
-@@ -204,20 +207,25 @@ logging_search_logs(hald_t)
+@@ -204,20 +208,25 @@ logging_search_logs(hald_t)
 miscfiles_read_localization(hald_t)
 miscfiles_read_hwdata(hald_t)
 
@ -39061,7 +39078,7 @@ index 24c6253..0771a37 100644
 
 optional_policy(`
 	alsa_domtrans(hald_t)
-@@ -252,8 +260,7 @@ optional_policy(`
+@@ -252,8 +261,7 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -39071,7 +39088,7 @@ index 24c6253..0771a37 100644
 
 	init_dbus_chat_script(hald_t)
 
-@@ -263,15 +270,28 @@ optional_policy(`
+@@ -263,15 +271,28 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -39100,7 +39117,7 @@ index 24c6253..0771a37 100644
 	hotplug_read_config(hald_t)
 ')
 
-@@ -280,6 +300,11 @@ optional_policy(`
+@@ -280,6 +301,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -39112,7 +39129,7 @@ index 24c6253..0771a37 100644
 	mount_domtrans(hald_t)
 ')
 
-@@ -302,7 +327,7 @@ optional_policy(`
+@@ -302,7 +328,7 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -39121,7 +39138,7 @@ index 24c6253..0771a37 100644
 	policykit_domtrans_auth(hald_t)
 	policykit_domtrans_resolve(hald_t)
 	policykit_read_lib(hald_t)
-@@ -318,6 +343,10 @@ optional_policy(`
+@@ -318,6 +344,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -39132,7 +39149,7 @@ index 24c6253..0771a37 100644
 	udev_domtrans(hald_t)
 	udev_read_db(hald_t)
 ')
-@@ -338,6 +367,10 @@ optional_policy(`
+@@ -338,6 +368,10 @@ optional_policy(`
 	virt_manage_images(hald_t)
 ')
 
@ -39143,7 +39160,7 @@ index 24c6253..0771a37 100644
 ########################################
 #
 # Hal acl local policy
-@@ -358,6 +391,7 @@ files_search_var_lib(hald_acl_t)
+@@ -358,6 +392,7 @@ files_search_var_lib(hald_acl_t)
 manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
 manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
 files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@ -39151,7 +39168,7 @@ index 24c6253..0771a37 100644
 
 corecmd_exec_bin(hald_acl_t)
 
-@@ -388,7 +422,7 @@ logging_send_syslog_msg(hald_acl_t)
+@@ -388,7 +423,7 @@ logging_send_syslog_msg(hald_acl_t)
 miscfiles_read_localization(hald_acl_t)
 
 optional_policy(`
@ -39160,7 +39177,7 @@ index 24c6253..0771a37 100644
 	policykit_domtrans_auth(hald_acl_t)
 	policykit_read_lib(hald_acl_t)
 	policykit_read_reload(hald_acl_t)
-@@ -470,6 +504,12 @@ files_read_usr_files(hald_keymap_t)
+@@ -470,6 +505,12 @@ files_read_usr_files(hald_keymap_t)
 
 miscfiles_read_localization(hald_keymap_t)
 
@ -39173,7 +39190,7 @@ index 24c6253..0771a37 100644
 ########################################
 #
 # Local hald dccm policy
-@@ -524,7 +564,9 @@ files_read_usr_files(hald_dccm_t)
+@@ -524,7 +565,9 @@ files_read_usr_files(hald_dccm_t)
 
 miscfiles_read_localization(hald_dccm_t)
 
@ -60026,7 +60043,7 @@ index 0000000..ac053f3
 +miscfiles_read_localization(uuidd_t)
 +
 diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
-index f9310f3..064171e 100644
+index f9310f3..7a350f1 100644
 --- a/policy/modules/services/varnishd.te
 +++ b/policy/modules/services/varnishd.te
@@ -6,10 +6,10 @@ policy_module(varnishd, 1.2.0)
@ -60053,6 +60070,15 @@ index f9310f3..064171e 100644
 
 type varnishd_tmp_t;
 files_tmp_file(varnishd_tmp_t)
+@@ -43,7 +43,7 @@ type varnishlog_var_run_t;
+ files_pid_file(varnishlog_var_run_t)
+ 
+ type varnishlog_log_t;
+-files_type(varnishlog_log_t)
+logging_log_file(varnishlog_log_t)
+ 
+ ########################################
+ #
 diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc
 new file mode 100644
 index 0000000..71d9784
@ -70139,7 +70165,7 @@ index 532181a..2410551 100644
 /sbin/depmod.*		--	gen_context(system_u:object_r:depmod_exec_t,s0)
 /sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
 diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 9c0faab..4178c09 100644
+index 9c0faab..91360ac 100644
 --- a/policy/modules/system/modutils.if
 +++ b/policy/modules/system/modutils.if
@@ -12,7 +12,7 @@
@ -70211,6 +70237,32 @@ index 9c0faab..4178c09 100644
 ')
 
 ########################################
+@@ -335,3 +367,25 @@ interface(`modutils_exec_update_mods',`
+ 	corecmd_search_bin($1)
+ 	can_exec($1, update_modules_exec_t)
+ ')
+
+########################################
+## <summary>
+##	Transition to modutils named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modules_filetrans_named_content',`
+	gen_require(`
+		type modules_dep_t;
+		type modules_conf_t;
+	')
+
+	files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf")
+	files_etc_filetrans($1, modules_conf_t, file, "modules.conf")
+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
+')
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
 index a0eef20..2273e1a 100644
 --- a/policy/modules/system/modutils.te
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 46.1%{?dist}
+Release: 47%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -480,6 +480,12 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Mon Oct 24 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-47
+- Fixes for cloudform policies which need to connect to random ports
+- Make sure if an admin creates modules content it creates them with the correct label
+- Add port 8953 as a dns port used by unbound
+- Fix file name transition for alsa and confined users
+
 * Thu Oct 21 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-46.1
 - Turn on mock_t and thumb_t for unconfined domains