- Allow all domains that can use cgroups to search tmpfs_t directory

- Allow init to send audit messages
2010-09-14 16:16:56 -04:00 · 2010-09-14 16:16:56 -04:00 · ba8c31f5cd
parent a0e8efd42c
commit ba8c31f5cd
2 changed files with 158 additions and 62 deletions
--- a/policy-F14.patch
+++ b/policy-F14.patch
@ -5473,10 +5473,10 @@ index 0000000..5dd356f
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..942bb30
+index 0000000..2251b02
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,400 @@
+@@ -0,0 +1,407 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@ -5741,6 +5741,13 @@ index 0000000..942bb30
 +	hal_dbus_chat(sandbox_x_client_t)
 +')
 +
+
+allow sandbox_web_t self:process setsched;
+
+optional_policy(`
+	nsplugin_read_rw_files(sandbox_web_t)
+')
+
 +########################################
 +#
 +# sandbox_web_client_t local policy
@ -8580,10 +8587,74 @@ index 59bae6a..16f0f9e 100644
 +/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/dev/hugepages(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 437a42a..8d6d333 100644
+index 437a42a..4eecefb 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
-@@ -1241,7 +1241,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -646,6 +646,7 @@ interface(`fs_search_cgroup_dirs',`
+ 	')
+ 
+ 	search_dirs_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
+ 	dev_search_sysfs($1)
+ ')
+ 
+@@ -665,6 +666,7 @@ interface(`fs_list_cgroup_dirs', `
+ 	')
+ 
+ 	list_dirs_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
+ 	dev_search_sysfs($1)
+ ')
+ 
+@@ -684,6 +686,7 @@ interface(`fs_delete_cgroup_dirs', `
+ 	')
+ 
+ 	delete_dirs_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
+ 	dev_search_sysfs($1)
+ ')
+ 
+@@ -704,6 +707,7 @@ interface(`fs_manage_cgroup_dirs',`
+ 	')
+ 
+ 	manage_dirs_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
+ 	dev_search_sysfs($1)
+ ')
+ 
+@@ -724,6 +728,7 @@ interface(`fs_read_cgroup_files',`
+ 	')
+ 
+ 	read_files_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
+ 	dev_search_sysfs($1)
+ ')
+ 
+@@ -743,6 +748,7 @@ interface(`fs_write_cgroup_files', `
+ 	')
+ 
+ 	write_files_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
+ 	dev_search_sysfs($1)
+ ')
+ 
+@@ -763,6 +769,7 @@ interface(`fs_rw_cgroup_files',`
+ 	')
+ 
+ 	rw_files_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
+ 	dev_search_sysfs($1)
+ ')
+ 
+@@ -803,6 +810,7 @@ interface(`fs_manage_cgroup_files',`
+ 	')
+ 
+ 	manage_files_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
+ 	dev_search_sysfs($1)
+ ')
+ 
+@@ -1241,7 +1249,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
 		type cifs_t;
 	')
 
@ -8592,7 +8663,7 @@ index 437a42a..8d6d333 100644
 ')
 
 ########################################
-@@ -1504,6 +1504,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1504,6 +1512,25 @@ interface(`fs_cifs_domtrans',`
 	domain_auto_transition_pattern($1, cifs_t, $2)
 ')
 
@ -8618,7 +8689,7 @@ index 437a42a..8d6d333 100644
 #######################################
 ## <summary>
 ##	Create, read, write, and delete dirs
-@@ -1931,7 +1950,26 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1931,7 +1958,26 @@ interface(`fs_read_fusefs_symlinks',`
 
 ########################################
 ## <summary>
@ -8646,7 +8717,7 @@ index 437a42a..8d6d333 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1946,6 +1984,41 @@ interface(`fs_rw_hugetlbfs_files',`
+@@ -1946,6 +1992,41 @@ interface(`fs_rw_hugetlbfs_files',`
 
 	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
 ')
@ -8688,7 +8759,7 @@ index 437a42a..8d6d333 100644
 
 ########################################
 ## <summary>
-@@ -1999,6 +2072,7 @@ interface(`fs_list_inotifyfs',`
+@@ -1999,6 +2080,7 @@ interface(`fs_list_inotifyfs',`
 	')
 
 	allow $1 inotifyfs_t:dir list_dir_perms;
@ -8696,7 +8767,7 @@ index 437a42a..8d6d333 100644
 ')
 
 ########################################
-@@ -2395,6 +2469,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2395,6 +2477,25 @@ interface(`fs_exec_nfs_files',`
 
 ########################################
 ## <summary>
@ -8722,7 +8793,7 @@ index 437a42a..8d6d333 100644
 ##	Append files
 ##	on a NFS filesystem.
 ## </summary>
-@@ -2449,7 +2542,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2449,7 +2550,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
 		type nfs_t;
 	')
 
@ -8731,7 +8802,7 @@ index 437a42a..8d6d333 100644
 ')
 
 ########################################
-@@ -2637,6 +2730,24 @@ interface(`fs_dontaudit_read_removable_files',`
+@@ -2637,6 +2738,24 @@ interface(`fs_dontaudit_read_removable_files',`
 
 ########################################
 ## <summary>
@ -8756,7 +8827,7 @@ index 437a42a..8d6d333 100644
 ##	Read removable storage symbolic links.
 ## </summary>
 ## <param name="domain">
-@@ -2845,7 +2956,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+@@ -2845,7 +2964,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
 #########################################
 ## <summary>
 ##	Create, read, write, and delete symbolic links
@ -8765,7 +8836,7 @@ index 437a42a..8d6d333 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3970,6 +4081,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3970,6 +4089,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
 
 ########################################
 ## <summary>
@ -8790,7 +8861,7 @@ index 437a42a..8d6d333 100644
 ##	Relabel character nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
-@@ -4662,3 +4791,24 @@ interface(`fs_unconfined',`
+@@ -4662,3 +4799,24 @@ interface(`fs_unconfined',`
 
 	typeattribute $1 filesystem_unconfined_type;
 ')
@ -22626,7 +22697,7 @@ index 06e37d4..87043e1 100644
 +userdom_home_filetrans_user_home_dir(postfix_virtual_t)
 +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
 diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index c0652ec..a5b6508 100644
+index c0652ec..0ed1671 100644
 --- a/policy/modules/services/postgresql.te
 +++ b/policy/modules/services/postgresql.te
@@ -202,9 +202,10 @@ manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
@ -22641,6 +22712,16 @@ index c0652ec..a5b6508 100644
 
 kernel_read_kernel_sysctls(postgresql_t)
 kernel_read_system_state(postgresql_t)
+@@ -250,8 +251,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
+ domain_use_interactive_fds(postgresql_t)
+ 
+ files_dontaudit_search_home(postgresql_t)
+-files_manage_etc_files(postgresql_t)
+-files_search_etc(postgresql_t)
+files_read_etc_files(postgresql_t)
+ files_read_etc_runtime_files(postgresql_t)
+ files_read_usr_files(postgresql_t)
+ 
 diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
 index 2c066b0..afaf453 100644
 --- a/policy/modules/services/postgrey.te
@ -26969,7 +27050,7 @@ index 7c5d8d8..1a0701b 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..f38e1ce 100644
+index 3eca020..91a1d0a 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
@@ -4,6 +4,7 @@ policy_module(virt, 1.4.0)
@ -27191,7 +27272,7 @@ index 3eca020..f38e1ce 100644
 
 fs_list_auto_mountpoints(virtd_t)
 fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +315,17 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +315,18 @@ fs_rw_anon_inodefs_files(virtd_t)
 fs_list_inotifyfs(virtd_t)
 fs_manage_cgroup_dirs(virtd_t)
 fs_rw_cgroup_files(virtd_t)
@ -27201,6 +27282,7 @@ index 3eca020..f38e1ce 100644
 +mls_fd_share_all_levels(virtd_t)
 +mls_file_read_to_clearance(virtd_t)
 +mls_file_write_to_clearance(virtd_t)
+mls_process_read_to_clearance(virtd_t)
 +mls_process_write_to_clearance(virtd_t)
 +mls_net_write_within_range(virtd_t)
 +mls_socket_write_to_clearance(virtd_t)
@ -27209,7 +27291,7 @@ index 3eca020..f38e1ce 100644
 
 mcs_process_set_categories(virtd_t)
 
-@@ -286,15 +350,24 @@ modutils_manage_module_config(virtd_t)
+@@ -286,15 +351,24 @@ modutils_manage_module_config(virtd_t)
 
 logging_send_syslog_msg(virtd_t)
 
@ -27234,7 +27316,7 @@ index 3eca020..f38e1ce 100644
 
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virtd_t)
-@@ -365,6 +438,8 @@ optional_policy(`
+@@ -365,6 +439,8 @@ optional_policy(`
 	qemu_signal(virtd_t)
 	qemu_kill(virtd_t)
 	qemu_setsched(virtd_t)
@ -27243,7 +27325,7 @@ index 3eca020..f38e1ce 100644
 ')
 
 optional_policy(`
-@@ -402,6 +477,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms;
+@@ -402,6 +478,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms;
 allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
 allow virt_domain self:tcp_socket create_stream_socket_perms;
 
@ -27263,7 +27345,7 @@ index 3eca020..f38e1ce 100644
 append_files_pattern(virt_domain, virt_log_t, virt_log_t)
 
 append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +510,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +511,7 @@ corenet_rw_tun_tap_dev(virt_domain)
 corenet_tcp_bind_virt_migration_port(virt_domain)
 corenet_tcp_connect_virt_migration_port(virt_domain)
 
@ -27271,7 +27353,7 @@ index 3eca020..f38e1ce 100644
 dev_read_rand(virt_domain)
 dev_read_sound(virt_domain)
 dev_read_urand(virt_domain)
-@@ -429,10 +518,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +519,12 @@ dev_write_sound(virt_domain)
 dev_rw_ksm(virt_domain)
 dev_rw_kvm(virt_domain)
 dev_rw_qemu(virt_domain)
@ -27284,7 +27366,7 @@ index 3eca020..f38e1ce 100644
 files_read_usr_files(virt_domain)
 files_read_var_files(virt_domain)
 files_search_all(virt_domain)
-@@ -440,6 +531,11 @@ files_search_all(virt_domain)
+@@ -440,6 +532,11 @@ files_search_all(virt_domain)
 fs_getattr_tmpfs(virt_domain)
 fs_rw_anon_inodefs_files(virt_domain)
 fs_rw_tmpfs_files(virt_domain)
@ -27296,7 +27378,7 @@ index 3eca020..f38e1ce 100644
 
 term_use_all_terms(virt_domain)
 term_getattr_pty_fs(virt_domain)
-@@ -457,8 +553,121 @@ optional_policy(`
+@@ -457,8 +554,121 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30493,7 +30575,7 @@ index f6aafe7..447aaec 100644
 +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 698c11e..e0dc975 100644
+index 698c11e..1b6733f 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@ -30590,7 +30672,14 @@ index 698c11e..e0dc975 100644
 files_rw_generic_pids(init_t)
 files_dontaudit_search_isid_type_dirs(init_t)
 files_manage_etc_runtime_files(init_t)
-@@ -168,6 +197,8 @@ seutil_read_config(init_t)
+@@ -162,12 +191,15 @@ init_domtrans_script(init_t)
+ libs_rw_ld_so_cache(init_t)
+ 
+ logging_send_syslog_msg(init_t)
+logging_send_audit_msgs(init_t)
+ logging_rw_generic_logs(init_t)
+ 
+ seutil_read_config(init_t)
 
 miscfiles_read_localization(init_t)
 
@ -30599,7 +30688,7 @@ index 698c11e..e0dc975 100644
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
 ')
-@@ -178,7 +209,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +210,7 @@ ifdef(`distro_redhat',`
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
 ')
 
@ -30608,7 +30697,7 @@ index 698c11e..e0dc975 100644
 	corecmd_shell_domtrans(init_t, initrc_t)
 ',`
 	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +217,74 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +218,74 @@ tunable_policy(`init_upstart',`
 	sysadm_shell_domtrans(init_t)
 ')
 
@ -30683,7 +30772,7 @@ index 698c11e..e0dc975 100644
 ')
 
 optional_policy(`
-@@ -199,10 +292,19 @@ optional_policy(`
+@@ -199,10 +293,19 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30703,7 +30792,7 @@ index 698c11e..e0dc975 100644
 	unconfined_domain(init_t)
 ')
 
-@@ -212,7 +314,7 @@ optional_policy(`
+@@ -212,7 +315,7 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -30712,7 +30801,7 @@ index 698c11e..e0dc975 100644
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -241,6 +343,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,6 +344,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -30720,7 +30809,7 @@ index 698c11e..e0dc975 100644
 
 can_exec(initrc_t, initrc_tmp_t)
 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -258,11 +361,22 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +362,22 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -30743,7 +30832,7 @@ index 698c11e..e0dc975 100644
 
 corecmd_exec_all_executables(initrc_t)
 
-@@ -291,6 +405,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +406,7 @@ dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
 dev_rw_lvm_control(initrc_t)
@ -30751,7 +30840,7 @@ index 698c11e..e0dc975 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -298,13 +413,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +414,13 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -30767,7 +30856,7 @@ index 698c11e..e0dc975 100644
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
-@@ -323,8 +438,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +439,10 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -30779,7 +30868,7 @@ index 698c11e..e0dc975 100644
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
-@@ -340,8 +457,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +458,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -30793,7 +30882,7 @@ index 698c11e..e0dc975 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -351,6 +472,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +473,8 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -30802,7 +30891,7 @@ index 698c11e..e0dc975 100644
 
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
-@@ -363,6 +486,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +487,7 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -30810,7 +30899,7 @@ index 698c11e..e0dc975 100644
 
 selinux_get_enforce_mode(initrc_t)
 
-@@ -394,13 +518,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +519,14 @@ logging_read_audit_config(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
@ -30826,7 +30915,7 @@ index 698c11e..e0dc975 100644
 userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +598,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +599,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -30835,7 +30924,7 @@ index 698c11e..e0dc975 100644
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -519,6 +644,19 @@ ifdef(`distro_redhat',`
+@@ -519,6 +645,19 @@ ifdef(`distro_redhat',`
 	optional_policy(`
 		bind_manage_config_dirs(initrc_t)
 		bind_write_config(initrc_t)
@ -30855,7 +30944,7 @@ index 698c11e..e0dc975 100644
 	')
 
 	optional_policy(`
-@@ -526,10 +664,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +665,17 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -30873,7 +30962,7 @@ index 698c11e..e0dc975 100644
 	')
 
 	optional_policy(`
-@@ -544,6 +689,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +690,35 @@ ifdef(`distro_suse',`
 	')
 ')
 
@ -30909,7 +30998,7 @@ index 698c11e..e0dc975 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +730,8 @@ optional_policy(`
+@@ -556,6 +731,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -30918,7 +31007,7 @@ index 698c11e..e0dc975 100644
 ')
 
 optional_policy(`
-@@ -572,6 +748,7 @@ optional_policy(`
+@@ -572,6 +749,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -30926,7 +31015,7 @@ index 698c11e..e0dc975 100644
 ')
 
 optional_policy(`
-@@ -584,6 +761,11 @@ optional_policy(`
+@@ -584,6 +762,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30938,7 +31027,7 @@ index 698c11e..e0dc975 100644
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -600,6 +782,9 @@ optional_policy(`
+@@ -600,6 +783,9 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -30948,7 +31037,7 @@ index 698c11e..e0dc975 100644
 
 	optional_policy(`
 		consolekit_dbus_chat(initrc_t)
-@@ -701,7 +886,13 @@ optional_policy(`
+@@ -701,7 +887,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30962,7 +31051,7 @@ index 698c11e..e0dc975 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -724,6 +915,10 @@ optional_policy(`
+@@ -724,6 +916,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30973,7 +31062,7 @@ index 698c11e..e0dc975 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -745,6 +940,10 @@ optional_policy(`
+@@ -745,6 +941,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30984,7 +31073,7 @@ index 698c11e..e0dc975 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -766,8 +965,6 @@ optional_policy(`
+@@ -766,8 +966,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -30993,7 +31082,7 @@ index 698c11e..e0dc975 100644
 ')
 
 optional_policy(`
-@@ -776,14 +973,21 @@ optional_policy(`
+@@ -776,14 +974,21 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -31015,7 +31104,7 @@ index 698c11e..e0dc975 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1009,19 @@ optional_policy(`
+@@ -805,11 +1010,19 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -31036,7 +31125,7 @@ index 698c11e..e0dc975 100644
 
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1031,25 @@ optional_policy(`
+@@ -819,6 +1032,25 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -31062,7 +31151,7 @@ index 698c11e..e0dc975 100644
 ')
 
 optional_policy(`
-@@ -844,3 +1075,55 @@ optional_policy(`
+@@ -844,3 +1076,55 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -32835,7 +32924,7 @@ index 8b5c196..3490497 100644
 +    role $2 types showmount_t;
 ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index fca6947..1f8fee9 100644
+index fca6947..0fcd4e7 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
@@ -17,8 +17,15 @@ type mount_exec_t;
@ -33057,7 +33146,7 @@ index fca6947..1f8fee9 100644
 	ifdef(`hide_broken_symptoms',`
 		# for a bug in the X server
 		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -180,6 +271,15 @@ optional_policy(`
+@@ -180,13 +271,36 @@ optional_policy(`
 	')
 ')
 
@ -33073,7 +33162,8 @@ index fca6947..1f8fee9 100644
 # for kernel package installation
 optional_policy(`
 	rpm_rw_pipes(mount_t)
-@@ -187,6 +287,19 @@ optional_policy(`
+	rpm_dontaudit_leaks(mount_t)
+ ')
 
 optional_policy(`
 	samba_domtrans_smbmount(mount_t)
@ -33093,7 +33183,7 @@ index fca6947..1f8fee9 100644
 ')
 
 ########################################
-@@ -195,6 +308,42 @@ optional_policy(`
+@@ -195,6 +309,42 @@ optional_policy(`
 #
 
 optional_policy(`
@ -35645,10 +35735,10 @@ index f976344..4474379 100644
 -	')
 -')
 diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..61db6da 100644
+index db75976..392d1ee 100644
 --- a/policy/modules/system/userdomain.fc
 +++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,15 @@
+@@ -1,4 +1,17 @@
 HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
@ -35656,6 +35746,7 @@ index db75976..61db6da 100644
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 +/root/\.cert(/.*)?	gen_context(system_u:object_r:home_cert_t,s0)
+/root/\.debug(/.*)?	<<none>>
 +/dev/shm/pulse-shm.*	gen_context(system_u:object_r:user_tmpfs_t,s0)
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 +HOME_DIR/bin(/.*)?	gen_context(system_u:object_r:home_bin_t,s0)
@ -35665,6 +35756,7 @@ index db75976..61db6da 100644
 +HOME_DIR/\.cert(/.*)?	gen_context(system_u:object_r:home_cert_t,s0)
 +HOME_DIR/\.pki(/.*)?		gen_context(system_u:object_r:home_cert_t,s0)
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
+HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
 index 2aa8928..c67c8e8 100644
 --- a/policy/modules/system/userdomain.if
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -469,6 +469,10 @@ exit 0
 %endif

 %changelog
+* Tue Sep 14 2010 Dan Walsh <dwalsh@redhat.com> 3.9.4-2
+- Allow all domains that can use cgroups to search tmpfs_t directory
+- Allow init to send audit messages
+
 * Thu Sep 8 2010 Dan Walsh <dwalsh@redhat.com> 3.9.4-1
 - Update to upstream