- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.

- Label /etc/yum.repos.d as system_conf_t - Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t - Allow dac_override for sysadm_screen_t - Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file. - Allow netlabel-config to read meminfo - Add interface to allow docker to mounton file_t - Add new interface to exec unlabeled files - Allow lvm to use docker semaphores - Setup transitons for .xsessions-errors.old - Change labels of files in /var/lib/*/.ssh to transition properly - Allow staff_t and user_t to look at logs using journalctl - pluto wants to manage own log file - Allow pluto running as ipsec_t to create pluto.log - Fix alias decl in corenetwork.te.in - Add support for fuse.glusterfs - Allow dmidecode to read/write /run/lock/subsys/rhsmcertd - Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files. - Additional access for docker - Added more rules to sblim policy - Fix kdumpgui_run_bootloader boolean - Allow dspam to connect to lmtp port - Included sfcbd service into sblim policy - rhsmcertd wants to manaage /etc/pki/consumer dir - Add kdumpgui_run_bootloader boolean - Add support for /var/cache/watchdog - Remove virt_domain attribute for virt_qemu_ga_unconfined_t - Fixes for handling libvirt containes - Dontaudit attempts by mysql_safe to write content into / - Dontaudit attempts by system_mail to modify network config - Allow dspam to bind to lmtp ports - Add new policy to allow staff_t and user_t to look at logs using journalctl - Allow apache cgi scripts to list sysfs - Dontaudit attempts to write/delete user_tmp_t files
2013-11-06 09:11:46 +01:00 · 2013-11-06 09:11:46 +01:00 · c5e7e5bb30
parent 47a93c4a0b
commit c5e7e5bb30
3 changed files with 838 additions and 478 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -520,7 +520,7 @@ index 058d908..702b716 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index cc43d25..097a770 100644
+index cc43d25..924daba 100644
 --- a/abrt.te
 +++ b/abrt.te
@@ -1,4 +1,4 @@
@ -685,7 +685,7 @@ index cc43d25..097a770 100644
 
 -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
 -dontaudit abrt_t self:capability sys_rawio;
-+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace };
+allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
 +dontaudit abrt_t self:capability { sys_rawio sys_ptrace };
 allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
 +
@ -4707,7 +4707,7 @@ index 83e899c..fac6fe5 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
 ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..d0d7c0b 100644
+index 1a82e29..bfe87eb 100644
 --- a/apache.te
 +++ b/apache.te
@@ -1,297 +1,367 @@
@ -6417,7 +6417,7 @@ index 1a82e29..d0d7c0b 100644
 	mysql_read_config(httpd_suexec_t)
 
 	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1333,104 @@ optional_policy(`
+@@ -1077,172 +1333,106 @@ optional_policy(`
 	')
 ')
 
@ -6437,13 +6437,13 @@ index 1a82e29..d0d7c0b 100644
 
 -allow httpd_script_domains self:fifo_file rw_file_perms;
 -allow httpd_script_domains self:unix_stream_socket connectto;
-+allow httpd_sys_script_t self:process getsched;
- 
+-
 -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
 -
 -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
 -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-
+allow httpd_sys_script_t self:process getsched;
+ 
 -kernel_dontaudit_search_sysctl(httpd_script_domains)
 -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
 -
@ -6451,29 +6451,30 @@ index 1a82e29..d0d7c0b 100644
 -corenet_all_recvfrom_netlabel(httpd_script_domains)
 -corenet_tcp_sendrecv_generic_if(httpd_script_domains)
 -corenet_tcp_sendrecv_generic_node(httpd_script_domains)
-
-corecmd_exec_all_executables(httpd_script_domains)
 +allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
 +allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 
+-corecmd_exec_all_executables(httpd_script_domains)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+ 
 -dev_read_rand(httpd_script_domains)
 -dev_read_urand(httpd_script_domains)
-+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
 
 -files_exec_etc_files(httpd_script_domains)
 -files_read_etc_files(httpd_script_domains)
 -files_search_home(httpd_script_domains)
-+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
- 
-libs_exec_ld_so(httpd_script_domains)
-libs_exec_lib_files(httpd_script_domains)
 +allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 +read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
 +read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
 
-logging_search_logs(httpd_script_domains)
+-libs_exec_ld_so(httpd_script_domains)
+-libs_exec_lib_files(httpd_script_domains)
 +kernel_read_kernel_sysctls(httpd_sys_script_t)
 
+-logging_search_logs(httpd_script_domains)
+dev_list_sysfs(httpd_sys_script_t)
+ 
 -miscfiles_read_fonts(httpd_script_domains)
 -miscfiles_read_public_files(httpd_script_domains)
 +files_read_var_symlinks(httpd_sys_script_t)
@ -6653,7 +6654,7 @@ index 1a82e29..d0d7c0b 100644
 ')
 
 tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1438,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',`
 ')
 
 tunable_policy(`httpd_use_cifs',`
@ -6750,7 +6751,7 @@ index 1a82e29..d0d7c0b 100644
 
 ########################################
 #
-@@ -1315,8 +1513,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 
 optional_policy(`
@ -6767,7 +6768,7 @@ index 1a82e29..d0d7c0b 100644
 ')
 
 ########################################
-@@ -1324,49 +1529,38 @@ optional_policy(`
+@@ -1324,49 +1531,38 @@ optional_policy(`
 # User content local policy
 #
 
@ -6832,7 +6833,7 @@ index 1a82e29..d0d7c0b 100644
 kernel_read_system_state(httpd_passwd_t)
 
 corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1570,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1572,99 @@ dev_read_urand(httpd_passwd_t)
 
 domain_use_interactive_fds(httpd_passwd_t)
 
@ -21394,15 +21395,19 @@ index 41c3f67..653a1ec 100644
 ## <summary>
 ##	Execute dmidecode in the dmidecode
 diff --git a/dmidecode.te b/dmidecode.te
-index c947c2c..441d3f4 100644
+index c947c2c..8d4d843 100644
 --- a/dmidecode.te
 +++ b/dmidecode.te
-@@ -29,4 +29,4 @@ files_list_usr(dmidecode_t)
+@@ -29,4 +29,8 @@ files_list_usr(dmidecode_t)
 
 locallogin_use_fds(dmidecode_t)
 
 -userdom_use_user_terminals(dmidecode_t)
 +userdom_use_inherited_user_terminals(dmidecode_t)
+
+optional_policy(`
+    rhsmcertd_rw_inherited_lock_files(dmidecode_t)
+')
 diff --git a/dnsmasq.fc b/dnsmasq.fc
 index 23ab808..4a801b5 100644
 --- a/dnsmasq.fc
@ -22127,10 +22132,10 @@ index 0000000..097c75c
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..939365d
+index 0000000..1229d66
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,130 @@
+@@ -0,0 +1,133 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@ -22212,6 +22217,7 @@ index 0000000..939365d
 +mount_domtrans(docker_t)
 +
 +sysnet_dns_name_resolve(docker_t)
+sysnet_exec_ifconfig(docker_t)
 +
 +optional_policy(`
 +	fstools_domtrans(docker_t)
@ -22226,7 +22232,7 @@ index 0000000..939365d
 +#
 +
 +allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
-+allow docker_t self:process setsched;
+allow docker_t self:process { setsched signal_perms };
 +allow docker_t self:netlink_route_socket nlmsg_write;
 +allow docker_t self:unix_dgram_socket create_socket_perms;
 +
@ -22236,6 +22242,8 @@ index 0000000..939365d
 +
 +dev_getattr_all_blk_files(docker_t)
 +dev_read_urand(docker_t)
+dev_read_lvm_control(docker_t)
+dev_read_sysfs(docker_t)
 +
 +files_manage_isid_type_dirs(docker_t)
 +files_manage_isid_type_files(docker_t)
@ -22255,12 +22263,12 @@ index 0000000..939365d
 +term_use_ptmx(docker_t)
 +term_getattr_pty_fs(docker_t)
 +
-+dev_read_lvm_control(docker_t)
+modutils_domtrans_insmod(docker_t)
 +
-+gen_require(`
-+type lvm_t;
+optional_policy(`
+	virt_read_config(docker_t)
+	virt_exec(docker_t)
 +')
-+docker_rw_sem(lvm_t)
 diff --git a/dovecot.fc b/dovecot.fc
 index c880070..4448055 100644
 --- a/dovecot.fc
@ -23429,7 +23437,7 @@ index 18f2452..a446210 100644
 +
 ')
 diff --git a/dspam.te b/dspam.te
-index 266cb8f..c736297 100644
+index 266cb8f..b619351 100644
 --- a/dspam.te
 +++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
@ -23442,17 +23450,20 @@ index 266cb8f..c736297 100644
 allow dspam_t self:fifo_file rw_fifo_file_perms;
 allow dspam_t self:unix_stream_socket { accept listen };
 
-@@ -58,20 +61,42 @@ corenet_tcp_bind_spamd_port(dspam_t)
+@@ -57,6 +60,12 @@ corenet_sendrecv_spamd_server_packets(dspam_t)
+ corenet_tcp_bind_spamd_port(dspam_t)
 corenet_tcp_connect_spamd_port(dspam_t)
 corenet_tcp_sendrecv_spamd_port(dspam_t)
- 
+corenet_tcp_bind_lmtp_port(dspam_t)
+corenet_tcp_connect_lmtp_port(dspam_t)
+
 +kernel_read_system_state(dspam_t)
 +
 +corecmd_exec_shell(dspam_t)
-+
+ 
 files_search_spool(dspam_t)
 
- auth_use_nsswitch(dspam_t)
+@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t)
 
 logging_send_syslog_msg(dspam_t)
 
@ -23489,7 +23500,7 @@ index 266cb8f..c736297 100644
 ')
 
 optional_policy(`
-@@ -87,3 +112,12 @@ optional_policy(`
+@@ -87,3 +114,12 @@ optional_policy(`
 
 	postgresql_tcp_connect(dspam_t)
 ')
@ -32392,6 +32403,145 @@ index d59ec10..dec1b3b 100644
 	modutils_read_module_config(jockey_t)
 +	modutils_list_module_config(jockey_t)
 ')
+diff --git a/journalctl.fc b/journalctl.fc
+new file mode 100644
+index 0000000..f270652
+--- /dev/null
+++ b/journalctl.fc
+@@ -0,0 +1 @@
+/usr/bin/journalctl		--	gen_context(system_u:object_r:journalctl_exec_t,s0)
+diff --git a/journalctl.if b/journalctl.if
+new file mode 100644
+index 0000000..9d32f23
+--- /dev/null
+++ b/journalctl.if
+@@ -0,0 +1,76 @@
+
+## <summary>policy for journalctl</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the journalctl domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`journalctl_domtrans',`
+	gen_require(`
+		type journalctl_t, journalctl_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, journalctl_exec_t, journalctl_t)
+')
+
+########################################
+## <summary>
+##	Execute journalctl in the journalctl domain, and
+##	allow the specified role the journalctl domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the journalctl domain.
+##	</summary>
+## </param>
+#
+interface(`journalctl_run',`
+	gen_require(`
+		type journalctl_t;
+		attribute_role journalctl_roles;
+	')
+
+	journalctl_domtrans($1)
+	roleattribute $2 journalctl_roles;
+')
+
+########################################
+## <summary>
+##	Role access for journalctl
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`journalctl_role',`
+	gen_require(`
+		type journalctl_t;
+		attribute_role journalctl_roles;
+	')
+
+	roleattribute $1 journalctl_roles;
+
+	journalctl_domtrans($2)
+
+	ps_process_pattern($2, journalctl_t)
+	allow $2 journalctl_t:process { signull signal sigkill };
+')
+diff --git a/journalctl.te b/journalctl.te
+new file mode 100644
+index 0000000..5de3229
+--- /dev/null
+++ b/journalctl.te
+@@ -0,0 +1,44 @@
+policy_module(journalctl, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role journalctl_roles;
+roleattribute system_r journalctl_roles;
+
+type journalctl_t;
+type journalctl_exec_t;
+application_domain(journalctl_t, journalctl_exec_t)
+
+role journalctl_roles types journalctl_t;
+
+########################################
+#
+# journalctl local policy
+#
+allow journalctl_t self:process { fork signal_perms };
+
+allow journalctl_t self:fifo_file manage_fifo_file_perms;
+allow journalctl_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(journalctl_t)
+
+corecmd_exec_bin(journalctl_t)
+
+domain_use_interactive_fds(journalctl_t)
+
+files_read_etc_files(journalctl_t)
+
+fs_getattr_all_fs(journalctl_t)
+
+userdom_list_user_home_dirs(journalctl_t)
+userdom_read_user_home_content_files(journalctl_t)
+userdom_use_inherited_user_ptys(journalctl_t)
+userdom_write_inherited_user_tmp_files(journalctl_t)
+userdom_rw_inherited_user_tmpfs_files(journalctl_t)
+userdom_rw_inherited_user_home_content_files(journalctl_t)
+
+miscfiles_read_localization(journalctl_t)
+logging_read_generic_logs(journalctl_t)
 diff --git a/kde.fc b/kde.fc
 new file mode 100644
 index 0000000..25e4b68
@ -32965,17 +33115,25 @@ index 182ab8b..8b1d9c2 100644
 +')
 +
 diff --git a/kdumpgui.te b/kdumpgui.te
-index e7f5c81..1a8d69e 100644
+index e7f5c81..8c75bc8 100644
 --- a/kdumpgui.te
 +++ b/kdumpgui.te
-@@ -1,4 +1,4 @@
+@@ -1,83 +1,92 @@
 -policy_module(kdumpgui, 1.1.4)
 +policy_module(kdumpgui, 1.1.0)
 
 ########################################
 #
-@@ -7,77 +7,73 @@ policy_module(kdumpgui, 1.1.4)
+ # Declarations
+ #
 
+## <desc>
+## <p>
+## Allow s-c-kdump to run bootloader in bootloader_t.
+## </p>
+## </desc>
+gen_tunable(kdumpgui_run_bootloader, false)
+
 type kdumpgui_t;
 type kdumpgui_exec_t;
 -init_system_domain(kdumpgui_t, kdumpgui_exec_t)
@ -33054,8 +33212,14 @@ index e7f5c81..1a8d69e 100644
 
 optional_policy(`
 -	consoletype_exec(kdumpgui_t)
-+	bootloader_exec(kdumpgui_t)
-+	bootloader_manage_config(kdumpgui_t)
+    tunable_policy(`kdumpgui_run_bootloader',`
+        bootloader_domtrans(kdumpgui_t)
+        #if s-c-kdump is involved
+        bootloader_manage_config(kdumpgui_t)
+    ',`
+        bootloader_exec(kdumpgui_t)
+        bootloader_manage_config(kdumpgui_t)
+    ')
 ')
 
 optional_policy(`
@ -33067,7 +33231,7 @@ index e7f5c81..1a8d69e 100644
 ')
 
 optional_policy(`
-@@ -87,4 +83,10 @@ optional_policy(`
+@@ -87,4 +96,10 @@ optional_policy(`
 optional_policy(`
 	kdump_manage_config(kdumpgui_t)
 	kdump_initrc_domtrans(kdumpgui_t)
@ -43460,7 +43624,7 @@ index ed81cac..566684a 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index afd2fad..79fe381 100644
+index afd2fad..09ebbbe 100644
 --- a/mta.te
 +++ b/mta.te
@@ -1,4 +1,4 @@
@ -43490,7 +43654,7 @@ index afd2fad..79fe381 100644
 
 type sendmail_exec_t;
 mta_agent_executable(sendmail_exec_t)
-@@ -43,178 +43,78 @@ role system_r types system_mail_t;
+@@ -43,178 +43,79 @@ role system_r types system_mail_t;
 mta_base_mail_template(user)
 typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
 typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
@ -43624,11 +43788,12 @@ index afd2fad..79fe381 100644
 
 +# newalias required this, not sure if it is needed in 'if' file
 allow system_mail_t self:capability { dac_override fowner };
- 
+-
 -read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
 -
 -read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
-
+dontaudit system_mail_t self:capability net_admin;
+ 
 allow system_mail_t mail_home_t:file manage_file_perms;
 -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
 -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
@ -43705,7 +43870,7 @@ index afd2fad..79fe381 100644
 ')
 
 optional_policy(`
-@@ -223,18 +123,18 @@ optional_policy(`
+@@ -223,18 +124,18 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -43727,7 +43892,7 @@ index afd2fad..79fe381 100644
 	courier_manage_spool_dirs(system_mail_t)
 	courier_manage_spool_files(system_mail_t)
 	courier_rw_spool_pipes(system_mail_t)
-@@ -245,13 +145,8 @@ optional_policy(`
+@@ -245,13 +146,8 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -43742,7 +43907,7 @@ index afd2fad..79fe381 100644
 	fail2ban_rw_inherited_tmp_files(system_mail_t)
 ')
 
-@@ -264,10 +159,15 @@ optional_policy(`
+@@ -264,10 +160,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -43758,7 +43923,7 @@ index afd2fad..79fe381 100644
 	nagios_read_tmp_files(system_mail_t)
 ')
 
-@@ -278,6 +178,15 @@ optional_policy(`
+@@ -278,6 +179,15 @@ optional_policy(`
 	manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
 	manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
 	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@ -43774,7 +43939,7 @@ index afd2fad..79fe381 100644
 ')
 
 optional_policy(`
-@@ -293,42 +202,36 @@ optional_policy(`
+@@ -293,42 +203,36 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -43827,7 +43992,7 @@ index afd2fad..79fe381 100644
 
 allow mailserver_delivery mail_spool_t:dir list_dir_perms;
 create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -337,40 +240,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 
@ -43876,7 +44041,7 @@ index afd2fad..79fe381 100644
 	files_search_var_lib(mailserver_delivery)
 
 	mailman_domtrans(mailserver_delivery)
-@@ -387,24 +276,173 @@ optional_policy(`
+@@ -387,24 +277,173 @@ optional_policy(`
 
 ########################################
 #
@ -45201,7 +45366,7 @@ index 687af38..404ed6d 100644
 +	mysql_stream_connect($1)
 ')
 diff --git a/mysql.te b/mysql.te
-index 9f6179e..cc14cbc 100644
+index 9f6179e..4383f87 100644
 --- a/mysql.te
 +++ b/mysql.te
@@ -1,4 +1,4 @@
@ -45412,7 +45577,7 @@ index 9f6179e..cc14cbc 100644
 
 kernel_read_system_state(mysqld_safe_t)
 kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -183,21 +185,26 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -183,21 +185,27 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
 corecmd_exec_bin(mysqld_safe_t)
 corecmd_exec_shell(mysqld_safe_t)
 
@ -45427,6 +45592,7 @@ index 9f6179e..cc14cbc 100644
 -files_dontaudit_getattr_all_dirs(mysqld_safe_t)
 files_dontaudit_search_all_mountpoints(mysqld_safe_t)
 +files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+files_dontaudit_write_root_dirs(mysqld_safe_t)
 
 +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
 logging_send_syslog_msg(mysqld_safe_t)
@ -45445,7 +45611,7 @@ index 9f6179e..cc14cbc 100644
 
 optional_policy(`
 	hostname_exec(mysqld_safe_t)
-@@ -205,7 +212,7 @@ optional_policy(`
+@@ -205,7 +213,7 @@ optional_policy(`
 
 ########################################
 #
@ -45454,7 +45620,7 @@ index 9f6179e..cc14cbc 100644
 #
 
 allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +221,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +222,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
 allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
 allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
 
@ -45472,7 +45638,7 @@ index 9f6179e..cc14cbc 100644
 
 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
 
-@@ -226,31 +234,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +235,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
 manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
 filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
 
@ -72825,7 +72991,7 @@ index 0000000..0e965c3
 +	rpm_domtrans(rhnsd_t)
 +')
 diff --git a/rhsmcertd.if b/rhsmcertd.if
-index 6dbc905..d803796 100644
+index 6dbc905..78746ef 100644
 --- a/rhsmcertd.if
 +++ b/rhsmcertd.if
@@ -1,8 +1,8 @@
@ -72921,26 +73087,47 @@ index 6dbc905..d803796 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -198,13 +194,13 @@ interface(`rhsmcertd_read_pid_files',`
+@@ -196,10 +192,9 @@ interface(`rhsmcertd_read_pid_files',`
+ 	allow $1 rhsmcertd_var_run_t:file read_file_perms;
+ ')
 
- ####################################
+-####################################
+########################################
 ## <summary>
 -##	Connect to rhsmcertd with a
 -##	unix domain stream socket.
-+##  Connect to rhsmcertd over a unix domain
-+##  stream socket.
+##	Read/wirte inherited lock files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+ ##	<summary>
+@@ -207,6 +202,26 @@ interface(`rhsmcertd_read_pid_files',`
+ ##	</summary>
+ ## </param>
+ #
+interface(`rhsmcertd_rw_inherited_lock_files',`
+	gen_require(`
+		type rhsmcertd_lock_t;
+	')
+
+	files_search_locks($1)
+	allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms;
+')
+
+####################################
+## <summary>
+##  Connect to rhsmcertd over a unix domain
+##  stream socket.
+## </summary>
+## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
- #
+## </param>
+#
 interface(`rhsmcertd_stream_connect',`
-@@ -239,30 +235,29 @@ interface(`rhsmcertd_dbus_chat',`
+ 	gen_require(`
+ 		type rhsmcertd_t, rhsmcertd_var_run_t;
+@@ -239,30 +254,29 @@ interface(`rhsmcertd_dbus_chat',`
 
 ######################################
 ## <summary>
@ -72984,7 +73171,7 @@ index 6dbc905..d803796 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -270,35 +265,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
+@@ -270,35 +284,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -73016,24 +73203,24 @@ index 6dbc905..d803796 100644
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $1 rhsmcertd_t:process ptrace;
 +	')
-+
+ 
+-	logging_search_logs($1)
+-	admin_pattern($1, rhsmcertd_log_t)
 +    rhsmcertd_initrc_domtrans($1)
 +    domain_system_change_exemption($1)
 +    role_transition $2 rhsmcertd_initrc_exec_t system_r;
 +    allow $2 system_r;
 
-	logging_search_logs($1)
-	admin_pattern($1, rhsmcertd_log_t)
+-	files_search_var_lib($1)
+-	admin_pattern($1, rhsmcertd_var_lib_t)
 +    logging_search_logs($1)
 +    admin_pattern($1, rhsmcertd_log_t)
 
-	files_search_var_lib($1)
-	admin_pattern($1, rhsmcertd_var_lib_t)
-+    files_search_var_lib($1)
-+    admin_pattern($1, rhsmcertd_var_lib_t)
- 
 -	files_search_pids($1)
 -	admin_pattern($1, rhsmcertd_var_run_t)
+    files_search_var_lib($1)
+    admin_pattern($1, rhsmcertd_var_lib_t)
+
 +    files_search_pids($1)
 +    admin_pattern($1, rhsmcertd_var_run_t)
 +
@ -73044,10 +73231,10 @@ index 6dbc905..d803796 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
 ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 1cedd70..6508b1e 100644
+index 1cedd70..0369e30 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
-@@ -30,7 +30,8 @@ files_pid_file(rhsmcertd_var_run_t)
+@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
 #
 
 allow rhsmcertd_t self:capability sys_nice;
@ -73057,7 +73244,15 @@ index 1cedd70..6508b1e 100644
 allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
 allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
 
-@@ -52,21 +53,37 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+ manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+-append_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+-create_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+-setattr_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+ 
+ manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
+ files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
+@@ -52,21 +51,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
 kernel_read_network_state(rhsmcertd_t)
 kernel_read_system_state(rhsmcertd_t)
 
@ -73075,6 +73270,7 @@ index 1cedd70..6508b1e 100644
 -files_read_etc_files(rhsmcertd_t)
 -files_read_usr_files(rhsmcertd_t)
 +files_manage_generic_locks(rhsmcertd_t)
+files_manage_system_conf_files(rhsmcertd_t)
 +
 +auth_read_passwd(rhsmcertd_t)
 
@ -73084,7 +73280,8 @@ index 1cedd70..6508b1e 100644
 +
 +logging_send_syslog_msg(rhsmcertd_t)
 +
-+miscfiles_read_certs(rhsmcertd_t)
+miscfiles_manage_cert_files(rhsmcertd_t)
+miscfiles_manage_cert_dirs(rhsmcertd_t)
 
 sysnet_dns_name_resolve(rhsmcertd_t)
 
@ -80756,6 +80953,21 @@ index a63b875..1c9e41b 100644
 ')
 
 optional_policy(`
+diff --git a/sblim.fc b/sblim.fc
+index 68a550d..e976fc6 100644
+--- a/sblim.fc
+++ b/sblim.fc
+@@ -1,6 +1,10 @@
+ /etc/rc\.d/init\.d/gatherer	--	gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/sblim-sfcbd     --      gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
+ 
+ /usr/sbin/gatherd	--	gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
+ /usr/sbin/reposd	--	gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
+/usr/sbin/sfcbd         --      gen_context(system_u:object_r:sblim_sfcbd_exec_t,s0)
+
+/var/lib/sfcb(/.*)?             gen_context(system_u:object_r:sblim_var_lib_t,s0)
+ 
+ /var/run/gather(/.*)?	gen_context(system_u:object_r:sblim_var_run_t,s0)
 diff --git a/sblim.if b/sblim.if
 index 98c9e0a..df51942 100644
 --- a/sblim.if
@ -80858,10 +81070,10 @@ index 98c9e0a..df51942 100644
 	files_search_pids($1)
 	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 4a23d84..d90604c 100644
+index 4a23d84..fcd1610 100644
 --- a/sblim.te
 +++ b/sblim.te
-@@ -7,13 +7,9 @@ policy_module(sblim, 1.0.3)
+@@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3)
 
 attribute sblim_domain;
 
@ -80874,12 +81086,38 @@ index 4a23d84..d90604c 100644
 -type sblim_reposd_exec_t;
 -init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
 +sblim_domain_template(reposd)
+
+sblim_domain_template(sfcbd)
 
 type sblim_initrc_exec_t;
 init_script_file(sblim_initrc_exec_t)
-@@ -33,10 +29,7 @@ manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+@@ -21,6 +19,12 @@ init_script_file(sblim_initrc_exec_t)
+ type sblim_var_run_t;
+ files_pid_file(sblim_var_run_t)
+ 
+type sblim_var_lib_t;
+files_type(sblim_var_lib_t)
+
+type sblim_tmp_t;
+files_tmp_file(sblim_tmp_t)
+
+ ######################################
+ #
+ # Common sblim domain local policy
+@@ -32,11 +36,18 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+ manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
 manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
 
+manage_dirs_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
+manage_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
+manage_lnk_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
+files_var_lib_filetrans(sblim_domain, sblim_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
+manage_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
+manage_sock_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
+files_tmp_filetrans(sblim_domain, sblim_tmp_t, { dir file sock_file})
+
 kernel_read_network_state(sblim_domain)
 -kernel_read_system_state(sblim_domain)
 
@ -80888,7 +81126,7 @@ index 4a23d84..d90604c 100644
 corenet_tcp_sendrecv_generic_if(sblim_domain)
 corenet_tcp_sendrecv_generic_node(sblim_domain)
 
-@@ -44,19 +37,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
+@@ -44,19 +55,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
 
 dev_read_sysfs(sblim_domain)
 
@ -80911,7 +81149,7 @@ index 4a23d84..d90604c 100644
 allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
 allow sblim_gatherd_t self:unix_stream_socket { accept listen };
 
-@@ -84,6 +73,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
+@@ -84,6 +91,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
 
 init_read_utmp(sblim_gatherd_t)
 
@ -80920,7 +81158,7 @@ index 4a23d84..d90604c 100644
 sysnet_dns_name_resolve(sblim_gatherd_t)
 
 term_getattr_pty_fs(sblim_gatherd_t)
-@@ -103,8 +94,9 @@ optional_policy(`
+@@ -103,8 +112,9 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -80931,7 +81169,7 @@ index 4a23d84..d90604c 100644
 ')
 
 optional_policy(`
-@@ -117,6 +109,10 @@ optional_policy(`
+@@ -117,6 +127,25 @@ optional_policy(`
 # Reposd local policy
 #
 
@ -80943,6 +81181,21 @@ index 4a23d84..d90604c 100644
 +
 +logging_send_syslog_msg(sblim_reposd_t)
 +
+#######################################
+#
+# Sfcbd local policy
+#
+
+allow sblim_sfcbd_t self:capability { sys_ptrace setgid };
+allow sblim_sfcbd_t self:process signal;
+
+auth_use_nsswitch(sblim_sfcbd_t)
+
+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
+
+domain_read_all_domains_state(sblim_sfcbd_t)
+domain_use_interactive_fds(sblim_sfcbd_t)
+
 diff --git a/screen.fc b/screen.fc
 index ac04d27..b73334e 100644
 --- a/screen.fc
@ -89522,10 +89775,10 @@ index 0000000..c1fd8b4
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..1a7c61d
+index 0000000..b57cc3c
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,148 @@
+@@ -0,0 +1,149 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@ -89625,7 +89878,8 @@ index 0000000..1a7c61d
 +userdom_read_user_tmp_files(thumb_t)
 +userdom_read_user_home_content_files(thumb_t)
 +userdom_exec_user_home_content_files(thumb_t)
-+userdom_write_user_tmp_files(thumb_t)
+userdom_dontaudit_write_user_tmp_files(thumb_t)
+userdom_dontaudit_delete_user_tmp_files(thumb_t)
 +userdom_read_home_audio_files(thumb_t)
 +userdom_home_reader(thumb_t)
 +
@ -94024,7 +94278,7 @@ index 9dec06c..73549fd 100644
 +	virt_stream_connect($1)
 ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..d798c85 100644
+index 1f22fba..62390bf 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,147 +1,167 @@
@ -95921,7 +96175,7 @@ index 1f22fba..d798c85 100644
 +#
 +
 +optional_policy(`
-+    type virt_qemu_ga_unconfined_t, virt_domain;
+    type virt_qemu_ga_unconfined_t;
 +    domain_type(virt_qemu_ga_unconfined_t)
 +
 +    domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t)
@ -96446,13 +96700,40 @@ index 9329eae..824e86f 100644
 -optional_policy(`
 -	seutil_use_newrole_fds(vpnc_t)
 -')
+diff --git a/watchdog.fc b/watchdog.fc
+index eecd0e0..50248a7 100644
+--- a/watchdog.fc
+++ b/watchdog.fc
+@@ -2,6 +2,8 @@
+ 
+ /usr/sbin/watchdog	--	gen_context(system_u:object_r:watchdog_exec_t,s0)
+ 
+/var/cache/watchdog(/.*)?   gen_context(system_u:object_r:watchdog_cache_t,s0)
+
+ /var/log/watchdog.*	gen_context(system_u:object_r:watchdog_log_t,s0)
+ 
+ /var/run/watchdog\.pid	--	gen_context(system_u:object_r:watchdog_var_run_t,s0)
 diff --git a/watchdog.te b/watchdog.te
-index 29f79e8..9e403ee 100644
+index 29f79e8..1d43690 100644
 --- a/watchdog.te
 +++ b/watchdog.te
-@@ -30,7 +30,8 @@ allow watchdog_t self:fifo_file rw_fifo_file_perms;
+@@ -12,6 +12,9 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
+ type watchdog_initrc_exec_t;
+ init_script_file(watchdog_initrc_exec_t)
+ 
+type watchdog_cache_t;
+files_type(watchdog_cache_t)
+
+ type watchdog_log_t;
+ logging_log_file(watchdog_log_t)
+ 
+@@ -29,8 +32,12 @@ allow watchdog_t self:process { setsched signal_perms };
+ allow watchdog_t self:fifo_file rw_fifo_file_perms;
 allow watchdog_t self:tcp_socket { accept listen };
 
+manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
+manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
+
 allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 -logging_log_filetrans(watchdog_t, watchdog_log_t, file)
 +manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
@ -96460,7 +96741,7 @@ index 29f79e8..9e403ee 100644
 
 manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
 files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
-@@ -63,7 +64,6 @@ domain_signull_all_domains(watchdog_t)
+@@ -63,7 +70,6 @@ domain_signull_all_domains(watchdog_t)
 domain_signal_all_domains(watchdog_t)
 domain_kill_all_domains(watchdog_t)
 
@ -96468,7 +96749,7 @@ index 29f79e8..9e403ee 100644
 files_manage_etc_runtime_files(watchdog_t)
 files_etc_filetrans_etc_runtime(watchdog_t, file)
 
-@@ -75,8 +75,6 @@ auth_append_login_records(watchdog_t)
+@@ -75,8 +81,6 @@ auth_append_login_records(watchdog_t)
 
 logging_send_syslog_msg(watchdog_t)
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 96%{?dist}
+Release: 97%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -573,6 +573,44 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Wed Nov 6 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-97
+- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.
+- Label /etc/yum.repos.d as system_conf_t
+- Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t
+- Allow dac_override for sysadm_screen_t
+- Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file.
+- Allow netlabel-config to read meminfo
+- Add interface to allow docker to mounton file_t
+- Add new interface to exec unlabeled files
+- Allow lvm to use docker semaphores
+- Setup transitons for .xsessions-errors.old
+- Change labels of files in /var/lib/*/.ssh to transition properly
+- Allow staff_t and user_t to look at logs using journalctl
+- pluto wants to manage own log file
+- Allow pluto running as ipsec_t to create pluto.log
+- Fix alias decl in corenetwork.te.in
+- Add support for fuse.glusterfs
+- Allow dmidecode to read/write /run/lock/subsys/rhsmcertd
+- Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files.
+- Additional access for docker
+- Added more rules to sblim policy
+- Fix kdumpgui_run_bootloader boolean
+- Allow dspam to connect to lmtp port
+- Included sfcbd service into sblim policy
+- rhsmcertd wants to manaage /etc/pki/consumer dir
+- Add kdumpgui_run_bootloader boolean
+- Add support for /var/cache/watchdog
+- Remove virt_domain attribute for virt_qemu_ga_unconfined_t
+- Fixes for handling libvirt containes
+- Dontaudit attempts by mysql_safe to write content into /
+- Dontaudit attempts by system_mail to modify network config
+- Allow dspam to bind to lmtp ports
+- Add new policy to allow staff_t and user_t to look at logs using journalctl
+- Allow apache cgi scripts to list sysfs
+- Dontaudit attempts to write/delete user_tmp_t files
+- Allow all antivirus domains to manage also own log dirs
+- Allow pegasus_openlmi_services_t to stream connect to sssd_t
+
 * Fri Nov 1 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-96
 - Add missing permission checks for nscd