* Tue Jun 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-3

- PolicyKit path has changed
- Allow httpd connect to dirsrv socket
- Allow tuned to write generic kernel sysctls
- Dontaudit logwatch to gettr on /dev/dm-2
- Allow policykit-auth to manage kerberos files
- Make condor_startd and rgmanager as initrc domain
- Allow virsh to read /etc/passwd
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
- xdm now needs to execute xsession_exec_t
- Need labels for /var/lib/gdm
- Fix files_filetrans_named_content() interface
- Add new attribute - initrc_domain
- Allow systemd_logind_t to signal, signull, sigkill all processes
- Add filetrans rules for etc_runtime files
This commit is contained in:
Miroslav Grepl 2012-06-12 14:33:10 +02:00
parent 4415dfa1a8
commit c8f96d3d71
3 changed files with 320 additions and 213 deletions

File diff suppressed because it is too large Load Diff

View File

@ -2453,7 +2453,7 @@ index 6480167..d0bf548 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
') ')
diff --git a/apache.te b/apache.te diff --git a/apache.te b/apache.te
index a36a01d..777623e 100644 index a36a01d..f6aad32 100644
--- a/apache.te --- a/apache.te
+++ b/apache.te +++ b/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.3.2) @@ -18,6 +18,8 @@ policy_module(apache, 2.3.2)
@ -3072,10 +3072,16 @@ index a36a01d..777623e 100644
cobbler_search_lib(httpd_t) cobbler_search_lib(httpd_t)
') ')
@@ -540,6 +832,18 @@ optional_policy(` @@ -540,6 +832,24 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t) daemontools_service_domain(httpd_t, httpd_exec_t)
') ')
+optional_policy(`
+ # needed by FreeIPA
+ dirsrv_stream_connect(httpd_t)
+ ldap_stream_connect(httpd_t)
+')
+
+optional_policy(` +optional_policy(`
+ dirsrv_manage_config(httpd_t) + dirsrv_manage_config(httpd_t)
+ dirsrv_manage_log(httpd_t) + dirsrv_manage_log(httpd_t)
@ -3091,7 +3097,7 @@ index a36a01d..777623e 100644
optional_policy(` optional_policy(`
dbus_system_bus_client(httpd_t) dbus_system_bus_client(httpd_t)
@@ -549,12 +853,21 @@ optional_policy(` @@ -549,12 +859,21 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -3114,7 +3120,7 @@ index a36a01d..777623e 100644
kerberos_keytab_template(httpd, httpd_t) kerberos_keytab_template(httpd, httpd_t)
') ')
@@ -568,7 +881,21 @@ optional_policy(` @@ -568,7 +887,21 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -3136,7 +3142,7 @@ index a36a01d..777623e 100644
mysql_stream_connect(httpd_t) mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t) mysql_rw_db_sockets(httpd_t)
@@ -579,6 +906,7 @@ optional_policy(` @@ -579,6 +912,7 @@ optional_policy(`
optional_policy(` optional_policy(`
nagios_read_config(httpd_t) nagios_read_config(httpd_t)
@ -3144,7 +3150,7 @@ index a36a01d..777623e 100644
') ')
optional_policy(` optional_policy(`
@@ -589,6 +917,33 @@ optional_policy(` @@ -589,6 +923,33 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -3178,7 +3184,7 @@ index a36a01d..777623e 100644
# Allow httpd to work with postgresql # Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t) postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t) postgresql_unpriv_client(httpd_t)
@@ -603,6 +958,11 @@ optional_policy(` @@ -603,6 +964,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -3190,7 +3196,7 @@ index a36a01d..777623e 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
') ')
@@ -615,6 +975,12 @@ optional_policy(` @@ -615,6 +981,12 @@ optional_policy(`
yam_read_content(httpd_t) yam_read_content(httpd_t)
') ')
@ -3203,7 +3209,7 @@ index a36a01d..777623e 100644
######################################## ########################################
# #
# Apache helper local policy # Apache helper local policy
@@ -628,7 +994,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; @@ -628,7 +1000,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t) logging_send_syslog_msg(httpd_helper_t)
@ -3216,7 +3222,7 @@ index a36a01d..777623e 100644
######################################## ########################################
# #
@@ -666,28 +1036,30 @@ libs_exec_lib_files(httpd_php_t) @@ -666,28 +1042,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',` tunable_policy(`httpd_can_network_connect_db',`
@ -3260,7 +3266,7 @@ index a36a01d..777623e 100644
') ')
######################################## ########################################
@@ -697,6 +1069,7 @@ optional_policy(` @@ -697,6 +1075,7 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms; allow httpd_suexec_t self:process signal_perms;
@ -3268,7 +3274,7 @@ index a36a01d..777623e 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
@@ -711,14 +1084,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) @@ -711,14 +1090,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@ -3292,7 +3298,7 @@ index a36a01d..777623e 100644
# for shell scripts # for shell scripts
corecmd_exec_bin(httpd_suexec_t) corecmd_exec_bin(httpd_suexec_t)
corecmd_exec_shell(httpd_suexec_t) corecmd_exec_shell(httpd_suexec_t)
@@ -752,13 +1134,31 @@ tunable_policy(`httpd_can_network_connect',` @@ -752,13 +1140,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t) corenet_sendrecv_all_client_packets(httpd_suexec_t)
') ')
@ -3325,7 +3331,7 @@ index a36a01d..777623e 100644
fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t)
@@ -781,6 +1181,25 @@ optional_policy(` @@ -781,6 +1187,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
') ')
@ -3351,7 +3357,7 @@ index a36a01d..777623e 100644
######################################## ########################################
# #
# Apache system script local policy # Apache system script local policy
@@ -801,12 +1220,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp @@ -801,12 +1226,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t) kernel_read_kernel_sysctls(httpd_sys_script_t)
@ -3369,7 +3375,7 @@ index a36a01d..777623e 100644
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms; allow httpd_sys_script_t httpd_log_t:file append_file_perms;
') ')
@@ -815,18 +1239,50 @@ tunable_policy(`httpd_can_sendmail',` @@ -815,18 +1245,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t) mta_send_mail(httpd_sys_script_t)
') ')
@ -3426,7 +3432,7 @@ index a36a01d..777623e 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t)
@@ -834,14 +1290,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` @@ -834,14 +1296,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
') ')
tunable_policy(`httpd_enable_homedirs',` tunable_policy(`httpd_enable_homedirs',`
@ -3467,7 +3473,7 @@ index a36a01d..777623e 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -854,10 +1335,20 @@ optional_policy(` @@ -854,10 +1341,20 @@ optional_policy(`
optional_policy(` optional_policy(`
mysql_stream_connect(httpd_sys_script_t) mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t)
@ -3488,7 +3494,7 @@ index a36a01d..777623e 100644
') ')
######################################## ########################################
@@ -903,11 +1394,146 @@ optional_policy(` @@ -903,11 +1400,146 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',` tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint; allow httpd_user_script_t httpdcontent:file entrypoint;
@ -10086,10 +10092,10 @@ index 0000000..168f664
+') +')
diff --git a/condor.te b/condor.te diff --git a/condor.te b/condor.te
new file mode 100644 new file mode 100644
index 0000000..4eb7bd9 index 0000000..1bba4b7
--- /dev/null --- /dev/null
+++ b/condor.te +++ b/condor.te
@@ -0,0 +1,231 @@ @@ -0,0 +1,232 @@
+policy_module(condor, 1.0.0) +policy_module(condor, 1.0.0)
+ +
+######################################## +########################################
@ -10308,6 +10314,7 @@ index 0000000..4eb7bd9
+auth_use_nsswitch(condor_startd_t) +auth_use_nsswitch(condor_startd_t)
+ +
+init_domtrans_script(condor_startd_t) +init_domtrans_script(condor_startd_t)
+init_initrc_domain(condor_startd_t)
+ +
+libs_exec_lib_files(condor_startd_t) +libs_exec_lib_files(condor_startd_t)
+ +
@ -13263,7 +13270,7 @@ index c43ff4c..5da88b5 100644
init_labeled_script_domtrans($1, cvs_initrc_exec_t) init_labeled_script_domtrans($1, cvs_initrc_exec_t)
domain_system_change_exemption($1) domain_system_change_exemption($1)
diff --git a/cvs.te b/cvs.te diff --git a/cvs.te b/cvs.te
index 88e7e97..1c723fb 100644 index 88e7e97..08d7ec0 100644
--- a/cvs.te --- a/cvs.te
+++ b/cvs.te +++ b/cvs.te
@@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0) @@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0)
@ -13298,8 +13305,12 @@ index 88e7e97..1c723fb 100644
logging_send_syslog_msg(cvs_t) logging_send_syslog_msg(cvs_t)
logging_send_audit_msgs(cvs_t) logging_send_audit_msgs(cvs_t)
@@ -90,7 +92,7 @@ mta_send_mail(cvs_t) @@ -88,9 +90,11 @@ miscfiles_read_localization(cvs_t)
mta_send_mail(cvs_t)
+userdom_dontaudit_search_user_home_dirs(cvs_t)
+
# cjp: typeattribute doesnt work in conditionals yet # cjp: typeattribute doesnt work in conditionals yet
auth_can_read_shadow_passwords(cvs_t) auth_can_read_shadow_passwords(cvs_t)
-tunable_policy(`allow_cvs_read_shadow',` -tunable_policy(`allow_cvs_read_shadow',`
@ -13307,7 +13318,7 @@ index 88e7e97..1c723fb 100644
allow cvs_t self:capability dac_override; allow cvs_t self:capability dac_override;
auth_tunable_read_shadow(cvs_t) auth_tunable_read_shadow(cvs_t)
') ')
@@ -112,4 +114,5 @@ optional_policy(` @@ -112,4 +116,5 @@ optional_policy(`
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@ -16520,7 +16531,7 @@ index e1d7dc5..df96c0d 100644
admin_pattern($1, dovecot_var_run_t) admin_pattern($1, dovecot_var_run_t)
diff --git a/dovecot.te b/dovecot.te diff --git a/dovecot.te b/dovecot.te
index 2df7766..ef8b0d7 100644 index 2df7766..53efc0b 100644
--- a/dovecot.te --- a/dovecot.te
+++ b/dovecot.te +++ b/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@ -16751,7 +16762,7 @@ index 2df7766..ef8b0d7 100644
miscfiles_read_localization(dovecot_deliver_t) miscfiles_read_localization(dovecot_deliver_t)
@@ -283,24 +338,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) @@ -283,24 +338,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t) userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
@ -16779,6 +16790,7 @@ index 2df7766..ef8b0d7 100644
optional_policy(` optional_policy(`
mta_manage_spool(dovecot_deliver_t) mta_manage_spool(dovecot_deliver_t)
+ mta_read_queue(dovecot_deliver_t) + mta_read_queue(dovecot_deliver_t)
+ mta_read_home_rw(dovecot_deliver_t)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -20106,16 +20118,17 @@ index 4afb81f..842165a 100644
- -
-libs_exec_ldconfig(glance_api_t) -libs_exec_ldconfig(glance_api_t)
diff --git a/gnome.fc b/gnome.fc diff --git a/gnome.fc b/gnome.fc
index 00a19e3..d776f66 100644 index 00a19e3..17006fc 100644
--- a/gnome.fc --- a/gnome.fc
+++ b/gnome.fc +++ b/gnome.fc
@@ -1,9 +1,53 @@ @@ -1,9 +1,54 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) +HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0) +HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) +HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
@ -20166,7 +20179,7 @@ index 00a19e3..d776f66 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if diff --git a/gnome.if b/gnome.if
index f5afe78..581c9dd 100644 index f5afe78..e283f63 100644
--- a/gnome.if --- a/gnome.if
+++ b/gnome.if +++ b/gnome.if
@@ -1,44 +1,937 @@ @@ -1,44 +1,937 @@
@ -21276,7 +21289,7 @@ index f5afe78..581c9dd 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -122,17 +1068,62 @@ interface(`gnome_stream_connect_gconf',` @@ -122,17 +1068,80 @@ interface(`gnome_stream_connect_gconf',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -21292,6 +21305,24 @@ index f5afe78..581c9dd 100644
+ gnome_filetrans_gstreamer_home_content($1) + gnome_filetrans_gstreamer_home_content($1)
+') +')
+ +
+######################################
+## <summary>
+## Allow to execute gstreamer home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_gstreamer_home_files',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ can_exec($1, gstreamer_home_t)
+')
+
+####################################### +#######################################
+## <summary> +## <summary>
+## file name transition gstreamer home content files. +## file name transition gstreamer home content files.
@ -21343,7 +21374,7 @@ index f5afe78..581c9dd 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -140,51 +1131,306 @@ interface(`gnome_domtrans_gconfd',` @@ -140,51 +1149,307 @@ interface(`gnome_domtrans_gconfd',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -21564,6 +21595,7 @@ index f5afe78..581c9dd 100644
+ userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults") + userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine") + userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache") + userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde") + userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf") + userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd") + userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
@ -26044,10 +26076,10 @@ index 0000000..8bc2c6d
+') +')
diff --git a/l2tpd.te b/l2tpd.te diff --git a/l2tpd.te b/l2tpd.te
new file mode 100644 new file mode 100644
index 0000000..4786fde index 0000000..1b720ad
--- /dev/null --- /dev/null
+++ b/l2tpd.te +++ b/l2tpd.te
@@ -0,0 +1,99 @@ @@ -0,0 +1,101 @@
+policy_module(l2tpd, 1.0.0) +policy_module(l2tpd, 1.0.0)
+ +
+######################################## +########################################
@ -26136,6 +26168,8 @@ index 0000000..4786fde
+ +
+term_use_ptmx(l2tpd_t) +term_use_ptmx(l2tpd_t)
+ +
+auth_read_passwd(l2tpd_t)
+
+logging_send_syslog_msg(l2tpd_t) +logging_send_syslog_msg(l2tpd_t)
+ +
+miscfiles_read_localization(l2tpd_t) +miscfiles_read_localization(l2tpd_t)
@ -27129,7 +27163,7 @@ index 3c7b1e8..1e155f5 100644
+ +
+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --git a/logwatch.te b/logwatch.te diff --git a/logwatch.te b/logwatch.te
index 75ce30f..671d4e1 100644 index 75ce30f..47aa9f5 100644
--- a/logwatch.te --- a/logwatch.te
+++ b/logwatch.te +++ b/logwatch.te
@@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0) @@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0)
@ -27171,16 +27205,18 @@ index 75ce30f..671d4e1 100644
files_read_usr_files(logwatch_t) files_read_usr_files(logwatch_t)
files_search_spool(logwatch_t) files_search_spool(logwatch_t)
files_search_mnt(logwatch_t) files_search_mnt(logwatch_t)
@@ -70,6 +81,8 @@ fs_getattr_all_fs(logwatch_t) @@ -70,6 +81,10 @@ fs_getattr_all_fs(logwatch_t)
fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t) fs_list_inotifyfs(logwatch_t)
+storage_dontaudit_getattr_fixed_disk_dev(logwatch_t)
+
+mls_file_read_to_clearance(logwatch_t) +mls_file_read_to_clearance(logwatch_t)
+ +
term_dontaudit_getattr_pty_dirs(logwatch_t) term_dontaudit_getattr_pty_dirs(logwatch_t)
term_dontaudit_list_ptys(logwatch_t) term_dontaudit_list_ptys(logwatch_t)
@@ -92,11 +105,14 @@ sysnet_dns_name_resolve(logwatch_t) @@ -92,11 +107,14 @@ sysnet_dns_name_resolve(logwatch_t)
sysnet_exec_ifconfig(logwatch_t) sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t)
@ -27196,7 +27232,7 @@ index 75ce30f..671d4e1 100644
files_getattr_all_file_type_fs(logwatch_t) files_getattr_all_file_type_fs(logwatch_t)
') ')
@@ -145,3 +161,24 @@ optional_policy(` @@ -145,3 +163,24 @@ optional_policy(`
samba_read_log(logwatch_t) samba_read_log(logwatch_t)
samba_read_share_files(logwatch_t) samba_read_share_files(logwatch_t)
') ')
@ -28700,7 +28736,7 @@ index ee72cbe..bf5fc09 100644
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+') +')
diff --git a/milter.te b/milter.te diff --git a/milter.te b/milter.te
index 26101cb..db61a30 100644 index 26101cb..7393387 100644
--- a/milter.te --- a/milter.te
+++ b/milter.te +++ b/milter.te
@@ -9,6 +9,13 @@ policy_module(milter, 1.4.0) @@ -9,6 +9,13 @@ policy_module(milter, 1.4.0)
@ -28717,7 +28753,7 @@ index 26101cb..db61a30 100644
# currently-supported milters are milter-greylist, milter-regex and spamass-milter # currently-supported milters are milter-greylist, milter-regex and spamass-milter
milter_template(greylist) milter_template(greylist)
milter_template(regex) milter_template(regex)
@@ -20,6 +27,23 @@ milter_template(spamass) @@ -20,6 +27,24 @@ milter_template(spamass)
type spamass_milter_state_t; type spamass_milter_state_t;
files_type(spamass_milter_state_t) files_type(spamass_milter_state_t)
@ -28728,6 +28764,7 @@ index 26101cb..db61a30 100644
+ +
+allow dkim_milter_t self:capability { kill setgid setuid }; +allow dkim_milter_t self:capability { kill setgid setuid };
+allow dkim_milter_t self:process signal; +allow dkim_milter_t self:process signal;
+allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; +allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
+ +
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
@ -28741,7 +28778,7 @@ index 26101cb..db61a30 100644
######################################## ########################################
# #
# milter-greylist local policy # milter-greylist local policy
@@ -33,11 +57,19 @@ files_type(spamass_milter_state_t) @@ -33,11 +58,19 @@ files_type(spamass_milter_state_t)
allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
allow greylist_milter_t self:process { setsched getsched }; allow greylist_milter_t self:process { setsched getsched };
@ -32982,7 +33019,7 @@ index a648982..59f096b 100644
') ')
+ +
diff --git a/ncftool.te b/ncftool.te diff --git a/ncftool.te b/ncftool.te
index f19ca0b..8c48c33 100644 index f19ca0b..dfc1ba2 100644
--- a/ncftool.te --- a/ncftool.te
+++ b/ncftool.te +++ b/ncftool.te
@@ -5,25 +5,29 @@ policy_module(ncftool, 1.1.0) @@ -5,25 +5,29 @@ policy_module(ncftool, 1.1.0)
@ -33058,7 +33095,7 @@ index f19ca0b..8c48c33 100644
optional_policy(` optional_policy(`
consoletype_exec(ncftool_t) consoletype_exec(ncftool_t)
') ')
@@ -69,13 +83,17 @@ optional_policy(` @@ -69,13 +83,18 @@ optional_policy(`
optional_policy(` optional_policy(`
iptables_initrc_domtrans(ncftool_t) iptables_initrc_domtrans(ncftool_t)
@ -33066,6 +33103,7 @@ index f19ca0b..8c48c33 100644
') ')
optional_policy(` optional_policy(`
+ modutils_list_module_config(ncftool_t)
modutils_read_module_config(ncftool_t) modutils_read_module_config(ncftool_t)
- modutils_run_insmod(ncftool_t, ncftool_roles) - modutils_run_insmod(ncftool_t, ncftool_roles)
+ modutils_domtrans_insmod(ncftool_t) + modutils_domtrans_insmod(ncftool_t)
@ -38034,16 +38072,17 @@ index 4cffb07..3436696 100644
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
allow podsleuth_t self:sem create_sem_perms; allow podsleuth_t self:sem create_sem_perms;
diff --git a/policykit.fc b/policykit.fc diff --git a/policykit.fc b/policykit.fc
index 63d0061..c65d18f 100644 index 63d0061..4718a93 100644
--- a/policykit.fc --- a/policykit.fc
+++ b/policykit.fc +++ b/policykit.fc
@@ -1,16 +1,18 @@ @@ -1,16 +1,20 @@
/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) -/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) +/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) /usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) /usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
-/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) -/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
@ -38051,11 +38090,12 @@ index 63d0061..c65d18f 100644
-/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) -/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) +/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) +/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) /var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) +/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
@ -38203,7 +38243,7 @@ index 48ff1e8..be00a65 100644
+ allow $1 policykit_auth_t:process signal; + allow $1 policykit_auth_t:process signal;
') ')
diff --git a/policykit.te b/policykit.te diff --git a/policykit.te b/policykit.te
index 44db896..67a2c44 100644 index 44db896..11800bb 100644
--- a/policykit.te --- a/policykit.te
+++ b/policykit.te +++ b/policykit.te
@@ -1,51 +1,73 @@ @@ -1,51 +1,73 @@
@ -38293,7 +38333,7 @@ index 44db896..67a2c44 100644
rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
policykit_domtrans_resolve(policykit_t) policykit_domtrans_resolve(policykit_t)
@@ -56,56 +78,107 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) @@ -56,56 +78,111 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
@ -38337,6 +38377,10 @@ index 44db896..67a2c44 100644
+') +')
+ +
+optional_policy(` +optional_policy(`
+ kerberos_manage_host_rcache(policykit_t)
+')
+
+optional_policy(`
+ gnome_read_config(policykit_t) + gnome_read_config(policykit_t)
+') +')
+ +
@ -38413,10 +38457,14 @@ index 44db896..67a2c44 100644
dbus_session_bus_client(policykit_auth_t) dbus_session_bus_client(policykit_auth_t)
optional_policy(` optional_policy(`
@@ -118,14 +191,21 @@ optional_policy(` @@ -118,14 +195,25 @@ optional_policy(`
hal_read_state(policykit_auth_t) hal_read_state(policykit_auth_t)
') ')
+optional_policy(`
+ kerberos_manage_host_rcache(policykit_auth_t)
+')
+
+optional_policy(` +optional_policy(`
+ xserver_stream_connect(policykit_auth_t) + xserver_stream_connect(policykit_auth_t)
+ xserver_xdm_append_log(policykit_auth_t) + xserver_xdm_append_log(policykit_auth_t)
@ -38437,7 +38485,7 @@ index 44db896..67a2c44 100644
allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
@@ -145,19 +225,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t @@ -145,19 +233,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
files_read_etc_files(policykit_grant_t) files_read_etc_files(policykit_grant_t)
files_read_usr_files(policykit_grant_t) files_read_usr_files(policykit_grant_t)
@ -38462,7 +38510,7 @@ index 44db896..67a2c44 100644
consolekit_dbus_chat(policykit_grant_t) consolekit_dbus_chat(policykit_grant_t)
') ')
') ')
@@ -167,9 +246,8 @@ optional_policy(` @@ -167,9 +254,8 @@ optional_policy(`
# polkit_resolve local policy # polkit_resolve local policy
# #
@ -38474,7 +38522,7 @@ index 44db896..67a2c44 100644
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
@@ -185,14 +263,8 @@ corecmd_search_bin(policykit_resolve_t) @@ -185,14 +271,8 @@ corecmd_search_bin(policykit_resolve_t)
files_read_etc_files(policykit_resolve_t) files_read_etc_files(policykit_resolve_t)
files_read_usr_files(policykit_resolve_t) files_read_usr_files(policykit_resolve_t)
@ -38489,7 +38537,7 @@ index 44db896..67a2c44 100644
userdom_read_all_users_state(policykit_resolve_t) userdom_read_all_users_state(policykit_resolve_t)
optional_policy(` optional_policy(`
@@ -207,4 +279,3 @@ optional_policy(` @@ -207,4 +287,3 @@ optional_policy(`
kernel_search_proc(policykit_resolve_t) kernel_search_proc(policykit_resolve_t)
hal_read_state(policykit_resolve_t) hal_read_state(policykit_resolve_t)
') ')
@ -44832,7 +44880,7 @@ index 7dc38d1..808f9c6 100644
+ admin_pattern($1, rgmanager_var_run_t) + admin_pattern($1, rgmanager_var_run_t)
+') +')
diff --git a/rgmanager.te b/rgmanager.te diff --git a/rgmanager.te b/rgmanager.te
index 07333db..53bff36 100644 index 07333db..91ef567 100644
--- a/rgmanager.te --- a/rgmanager.te
+++ b/rgmanager.te +++ b/rgmanager.te
@@ -14,9 +14,11 @@ gen_tunable(rgmanager_can_network_connect, false) @@ -14,9 +14,11 @@ gen_tunable(rgmanager_can_network_connect, false)
@ -44882,7 +44930,7 @@ index 07333db..53bff36 100644
# need to write to /dev/misc/dlm-control # need to write to /dev/misc/dlm-control
dev_rw_dlm_control(rgmanager_t) dev_rw_dlm_control(rgmanager_t)
@@ -76,31 +78,36 @@ dev_search_sysfs(rgmanager_t) @@ -76,31 +78,37 @@ dev_search_sysfs(rgmanager_t)
domain_read_all_domains_state(rgmanager_t) domain_read_all_domains_state(rgmanager_t)
domain_getattr_all_domains(rgmanager_t) domain_getattr_all_domains(rgmanager_t)
@ -44914,6 +44962,7 @@ index 07333db..53bff36 100644
auth_use_nsswitch(rgmanager_t) auth_use_nsswitch(rgmanager_t)
+init_domtrans_script(rgmanager_t) +init_domtrans_script(rgmanager_t)
+init_initrc_domain(rgmanager_t)
+ +
logging_send_syslog_msg(rgmanager_t) logging_send_syslog_msg(rgmanager_t)
@ -44924,7 +44973,7 @@ index 07333db..53bff36 100644
tunable_policy(`rgmanager_can_network_connect',` tunable_policy(`rgmanager_can_network_connect',`
corenet_tcp_connect_all_ports(rgmanager_t) corenet_tcp_connect_all_ports(rgmanager_t)
@@ -118,6 +125,14 @@ optional_policy(` @@ -118,6 +126,14 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -44939,7 +44988,7 @@ index 07333db..53bff36 100644
fstools_domtrans(rgmanager_t) fstools_domtrans(rgmanager_t)
') ')
@@ -140,6 +155,16 @@ optional_policy(` @@ -140,6 +156,16 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -44956,7 +45005,7 @@ index 07333db..53bff36 100644
mysql_domtrans_mysql_safe(rgmanager_t) mysql_domtrans_mysql_safe(rgmanager_t)
mysql_stream_connect(rgmanager_t) mysql_stream_connect(rgmanager_t)
') ')
@@ -165,6 +190,8 @@ optional_policy(` @@ -165,6 +191,8 @@ optional_policy(`
optional_policy(` optional_policy(`
rpc_initrc_domtrans_nfsd(rgmanager_t) rpc_initrc_domtrans_nfsd(rgmanager_t)
rpc_initrc_domtrans_rpcd(rgmanager_t) rpc_initrc_domtrans_rpcd(rgmanager_t)
@ -47948,19 +47997,20 @@ index a07b2f4..36b4903 100644
+ +
+userdom_getattr_user_terminals(rwho_t) +userdom_getattr_user_terminals(rwho_t)
diff --git a/samba.fc b/samba.fc diff --git a/samba.fc b/samba.fc
index 69a6074..3d65472 100644 index 69a6074..c9dbc93 100644
--- a/samba.fc --- a/samba.fc
+++ b/samba.fc +++ b/samba.fc
@@ -14,6 +14,8 @@ @@ -14,6 +14,9 @@
# #
# /usr # /usr
# #
+/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) +/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+ +
/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
@@ -36,6 +38,10 @@ @@ -36,6 +39,10 @@
/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
@ -47971,7 +48021,7 @@ index 69a6074..3d65472 100644
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
@@ -48,6 +54,11 @@ @@ -48,6 +55,11 @@
/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) /var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
@ -54328,7 +54378,7 @@ index 0000000..9127cec
+') +')
diff --git a/thumb.te b/thumb.te diff --git a/thumb.te b/thumb.te
new file mode 100644 new file mode 100644
index 0000000..a0d188c index 0000000..7eea9cd
--- /dev/null --- /dev/null
+++ b/thumb.te +++ b/thumb.te
@@ -0,0 +1,105 @@ @@ -0,0 +1,105 @@
@ -54435,7 +54485,7 @@ index 0000000..a0d188c
+ gnome_read_generic_data_home_files(thumb_t) + gnome_read_generic_data_home_files(thumb_t)
+ gnome_manage_gstreamer_home_files(thumb_t) + gnome_manage_gstreamer_home_files(thumb_t)
+ gnome_manage_gstreamer_home_dirs(thumb_t) + gnome_manage_gstreamer_home_dirs(thumb_t)
+ #gnome_exec_gstreamer_home_files(thumb_t) + gnome_exec_gstreamer_home_files(thumb_t)
+') +')
diff --git a/thunderbird.te b/thunderbird.te diff --git a/thunderbird.te b/thunderbird.te
index bf37d98..204ac7e 100644 index bf37d98..204ac7e 100644
@ -54764,7 +54814,7 @@ index 54b8605..a04f013 100644
admin_pattern($1, tuned_var_run_t) admin_pattern($1, tuned_var_run_t)
') ')
diff --git a/tuned.te b/tuned.te diff --git a/tuned.te b/tuned.te
index db9d2a5..da20967 100644 index db9d2a5..c7b09c0 100644
--- a/tuned.te --- a/tuned.te
+++ b/tuned.te +++ b/tuned.te
@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t) @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@ -54780,7 +54830,7 @@ index db9d2a5..da20967 100644
type tuned_log_t; type tuned_log_t;
logging_log_file(tuned_log_t) logging_log_file(tuned_log_t)
@@ -23,23 +29,38 @@ files_pid_file(tuned_var_run_t) @@ -23,23 +29,39 @@ files_pid_file(tuned_var_run_t)
# tuned local policy # tuned local policy
# #
@ -54809,10 +54859,12 @@ index db9d2a5..da20967 100644
kernel_read_system_state(tuned_t) kernel_read_system_state(tuned_t)
kernel_read_network_state(tuned_t) kernel_read_network_state(tuned_t)
-
+kernel_read_kernel_sysctls(tuned_t) +kernel_read_kernel_sysctls(tuned_t)
+kernel_rw_kernel_sysctl(tuned_t)
+kernel_rw_hotplug_sysctls(tuned_t) +kernel_rw_hotplug_sysctls(tuned_t)
+kernel_rw_vm_sysctls(tuned_t) +kernel_rw_vm_sysctls(tuned_t)
+
+dev_getattr_all_blk_files(tuned_t) +dev_getattr_all_blk_files(tuned_t)
+dev_getattr_all_chr_files(tuned_t) +dev_getattr_all_chr_files(tuned_t)
+dev_dontaudit_getattr_all(tuned_t) +dev_dontaudit_getattr_all(tuned_t)
@ -54822,7 +54874,7 @@ index db9d2a5..da20967 100644
# to allow cpu tuning # to allow cpu tuning
dev_rw_netcontrol(tuned_t) dev_rw_netcontrol(tuned_t)
@@ -47,6 +68,10 @@ files_read_etc_files(tuned_t) @@ -47,6 +69,10 @@ files_read_etc_files(tuned_t)
files_read_usr_files(tuned_t) files_read_usr_files(tuned_t)
files_dontaudit_search_home(tuned_t) files_dontaudit_search_home(tuned_t)
@ -54833,7 +54885,7 @@ index db9d2a5..da20967 100644
logging_send_syslog_msg(tuned_t) logging_send_syslog_msg(tuned_t)
miscfiles_read_localization(tuned_t) miscfiles_read_localization(tuned_t)
@@ -58,6 +83,14 @@ optional_policy(` @@ -58,6 +84,14 @@ optional_policy(`
fstools_domtrans(tuned_t) fstools_domtrans(tuned_t)
') ')
@ -56560,7 +56612,7 @@ index 7c5d8d8..85b7d8b 100644
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
') ')
diff --git a/virt.te b/virt.te diff --git a/virt.te b/virt.te
index ad3068a..6713ab0 100644 index ad3068a..5759ef5 100644
--- a/virt.te --- a/virt.te
+++ b/virt.te +++ b/virt.te
@@ -5,56 +5,87 @@ policy_module(virt, 1.4.2) @@ -5,56 +5,87 @@ policy_module(virt, 1.4.2)
@ -57154,7 +57206,7 @@ index ad3068a..6713ab0 100644
files_read_usr_files(virt_domain) files_read_usr_files(virt_domain)
files_read_var_files(virt_domain) files_read_var_files(virt_domain)
files_search_all(virt_domain) files_search_all(virt_domain)
@@ -449,25 +657,428 @@ files_search_all(virt_domain) @@ -449,25 +657,430 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain) fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain) fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain) fs_rw_tmpfs_files(virt_domain)
@ -57257,6 +57309,8 @@ index ad3068a..6713ab0 100644
+init_rw_script_stream_sockets(virsh_t) +init_rw_script_stream_sockets(virsh_t)
+init_use_fds(virsh_t) +init_use_fds(virsh_t)
+ +
+auth_read_passwd(virsh_t)
+
+miscfiles_read_localization(virsh_t) +miscfiles_read_localization(virsh_t)
+ +
+sysnet_dns_name_resolve(virsh_t) +sysnet_dns_name_resolve(virsh_t)

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.11.0 Version: 3.11.0
Release: 2%{?dist} Release: 3%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -491,6 +491,22 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Tue Jun 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-3
- PolicyKit path has changed
- Allow httpd connect to dirsrv socket
- Allow tuned to write generic kernel sysctls
- Dontaudit logwatch to gettr on /dev/dm-2
- Allow policykit-auth to manage kerberos files
- Make condor_startd and rgmanager as initrc domain
- Allow virsh to read /etc/passwd
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
- xdm now needs to execute xsession_exec_t
- Need labels for /var/lib/gdm
- Fix files_filetrans_named_content() interface
- Add new attribute - initrc_domain
- Allow systemd_logind_t to signal, signull, sigkill all processes
- Add filetrans rules for etc_runtime files
* Sat Jun 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-2 * Sat Jun 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-2
- Rename boolean names to remove allow_ - Rename boolean names to remove allow_