- Allow nagios plugins to read usr files

- Allow mysqld-safe to send system log messages - Fixes fpr ddclient policy - Fix sasl_admin interface - Allow apache to search zarafa config - Allow munin plugins to search /var/lib directory - Allow gpsd to read sysfs_t - Fix labels on /etc/mcelog/triggers to bin_t
2010-11-15 18:27:23 +01:00 · 2010-11-15 18:27:23 +01:00 · cbb8d59931
parent 763342ad3a
commit cbb8d59931
2 changed files with 213 additions and 72 deletions
--- a/policy-F15.patch
+++ b/policy-F15.patch
@ -3957,7 +3957,7 @@ index 9a6d67d..b0c1197 100644
 ##	mozilla over dbus.
 ## </summary>
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..9024e9a 100644
+index cbf4bec..62796d8 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@ -4030,7 +4030,7 @@ index cbf4bec..9024e9a 100644
 	pulseaudio_exec(mozilla_t)
 	pulseaudio_stream_connect(mozilla_t)
 	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,128 @@ optional_policy(`
+@@ -266,3 +291,129 @@ optional_policy(`
 optional_policy(`
 	thunderbird_domtrans(mozilla_t)
 ')
@ -4101,6 +4101,7 @@ index cbf4bec..9024e9a 100644
 +
 +miscfiles_read_localization(mozilla_plugin_t)
 +miscfiles_read_fonts(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
 +
 +sysnet_dns_name_resolve(mozilla_plugin_t)
 +
@ -7385,10 +7386,21 @@ index 82842a0..369c3b5 100644
 		dbus_system_bus_client($1_wm_t)
 		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..94ec653 100644
+index 34c9d01..4842e56 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
-@@ -128,8 +128,8 @@ ifdef(`distro_debian',`
+@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
+ /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ 
+ /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
+-/etc/mgetty\+sendfax/new_fax	--	gen_context(system_u:object_r:bin_t,s0)
+/etc/mcelog/cache-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
+/etc/mcelog/triggers(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+etc/mgetty\+sendfax/new_fax	--	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
+ 
+@@ -128,8 +130,8 @@ ifdef(`distro_debian',`
 
 /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@ -7398,7 +7410,7 @@ index 34c9d01..94ec653 100644
 /lib/udev/scsi_id		--	gen_context(system_u:object_r:bin_t,s0)
 /lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
-@@ -307,6 +307,7 @@ ifdef(`distro_redhat', `
+@@ -307,6 +309,7 @@ ifdef(`distro_redhat', `
 /usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib64/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@ -13273,7 +13285,7 @@ index 9e39aa5..3bfac20 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index c9e1a44..ef353c7 100644
+index c9e1a44..1a1ba36 100644
 --- a/policy/modules/services/apache.if
 +++ b/policy/modules/services/apache.if
@@ -13,17 +13,13 @@
@ -13541,7 +13553,7 @@ index c9e1a44..ef353c7 100644
 ##	Apache cache.
 ## </summary>
 ## <param name="domain">
-@@ -544,6 +580,27 @@ interface(`apache_delete_cache_files',`
+@@ -544,6 +580,26 @@ interface(`apache_delete_cache_files',`
 
 ########################################
 ## <summary>
@ -13553,7 +13565,6 @@ index c9e1a44..ef353c7 100644
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
 +interface(`apache_search_config',`
 +	gen_require(`
@ -13569,7 +13580,7 @@ index c9e1a44..ef353c7 100644
 ##	Allow the specified domain to read
 ##	apache configuration files.
 ## </summary>
-@@ -694,7 +751,7 @@ interface(`apache_dontaudit_append_log',`
+@@ -694,7 +750,7 @@ interface(`apache_dontaudit_append_log',`
 		type httpd_log_t;
 	')
 
@ -13578,7 +13589,7 @@ index c9e1a44..ef353c7 100644
 ')
 
 ########################################
-@@ -740,6 +797,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -740,6 +796,25 @@ interface(`apache_dontaudit_search_modules',`
 
 ########################################
 ## <summary>
@ -13604,7 +13615,7 @@ index c9e1a44..ef353c7 100644
 ##	Allow the specified domain to list
 ##	the contents of the apache modules
 ##	directory.
-@@ -756,6 +832,7 @@ interface(`apache_list_modules',`
+@@ -756,6 +831,7 @@ interface(`apache_list_modules',`
 	')
 
 	allow $1 httpd_modules_t:dir list_dir_perms;
@ -13612,7 +13623,7 @@ index c9e1a44..ef353c7 100644
 ')
 
 ########################################
-@@ -814,6 +891,7 @@ interface(`apache_list_sys_content',`
+@@ -814,6 +890,7 @@ interface(`apache_list_sys_content',`
 	')
 
 	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@ -13620,7 +13631,7 @@ index c9e1a44..ef353c7 100644
 	files_search_var($1)
 ')
 
-@@ -841,6 +919,74 @@ interface(`apache_manage_sys_content',`
+@@ -841,6 +918,74 @@ interface(`apache_manage_sys_content',`
 	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
 ')
 
@ -13695,7 +13706,7 @@ index c9e1a44..ef353c7 100644
 ########################################
 ## <summary>
 ##	Execute all web scripts in the system
-@@ -857,7 +1003,11 @@ interface(`apache_manage_sys_content',`
+@@ -857,7 +1002,11 @@ interface(`apache_manage_sys_content',`
 interface(`apache_domtrans_sys_script',`
 	gen_require(`
 		attribute httpdcontent;
@ -13708,7 +13719,7 @@ index c9e1a44..ef353c7 100644
 	')
 
 	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -916,9 +1066,10 @@ interface(`apache_domtrans_all_scripts',`
+@@ -916,9 +1065,10 @@ interface(`apache_domtrans_all_scripts',`
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -13720,7 +13731,7 @@ index c9e1a44..ef353c7 100644
 #
 interface(`apache_run_all_scripts',`
 	gen_require(`
-@@ -945,7 +1096,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -945,7 +1095,7 @@ interface(`apache_read_squirrelmail_data',`
 		type httpd_squirrelmail_t;
 	')
 
@ -13729,7 +13740,7 @@ index c9e1a44..ef353c7 100644
 ')
 
 ########################################
-@@ -1086,6 +1237,25 @@ interface(`apache_read_tmp_files',`
+@@ -1086,6 +1236,25 @@ interface(`apache_read_tmp_files',`
 	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
 ')
 
@ -13755,7 +13766,7 @@ index c9e1a44..ef353c7 100644
 ########################################
 ## <summary>
 ##	Dontaudit attempts to write
-@@ -1102,7 +1272,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1102,7 +1271,7 @@ interface(`apache_dontaudit_write_tmp_files',`
 		type httpd_tmp_t;
 	')
 
@ -13764,7 +13775,7 @@ index c9e1a44..ef353c7 100644
 ')
 
 ########################################
-@@ -1165,17 +1335,14 @@ interface(`apache_cgi_domain',`
+@@ -1165,17 +1334,14 @@ interface(`apache_cgi_domain',`
 #
 interface(`apache_admin',`
 	gen_require(`
@ -13786,7 +13797,7 @@ index c9e1a44..ef353c7 100644
 	ps_process_pattern($1, httpd_t)
 
 	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-@@ -1186,10 +1353,10 @@ interface(`apache_admin',`
+@@ -1186,10 +1352,10 @@ interface(`apache_admin',`
 	apache_manage_all_content($1)
 	miscfiles_manage_public_files($1)
 
@ -13799,7 +13810,7 @@ index c9e1a44..ef353c7 100644
 	admin_pattern($1, httpd_log_t)
 
 	admin_pattern($1, httpd_modules_t)
-@@ -1200,14 +1367,43 @@ interface(`apache_admin',`
+@@ -1200,14 +1366,43 @@ interface(`apache_admin',`
 	admin_pattern($1, httpd_var_run_t)
 	files_pid_filetrans($1, httpd_var_run_t, file)
 
@ -13849,7 +13860,7 @@ index c9e1a44..ef353c7 100644
 +	dontaudit $1 httpd_tmp_t:file { read write };
 ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 08dfa0c..973fdf0 100644
+index 08dfa0c..84e9bea 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.0)
@ -14453,18 +14464,19 @@ index 08dfa0c..973fdf0 100644
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -603,6 +800,10 @@ optional_policy(`
+@@ -603,6 +800,11 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
 
 +optional_policy(`
 +	zarafa_stream_connect_server(httpd_t)
+	zarafa_search_config(httpd_t)
 +')
 +
 ########################################
 #
 # Apache helper local policy
-@@ -618,6 +819,10 @@ logging_send_syslog_msg(httpd_helper_t)
+@@ -618,6 +820,10 @@ logging_send_syslog_msg(httpd_helper_t)
 
 userdom_use_user_terminals(httpd_helper_t)
 
@ -14475,7 +14487,7 @@ index 08dfa0c..973fdf0 100644
 ########################################
 #
 # Apache PHP script local policy
-@@ -654,28 +859,27 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +860,27 @@ libs_exec_lib_files(httpd_php_t)
 userdom_use_unpriv_users_fds(httpd_php_t)
 
 tunable_policy(`httpd_can_network_connect_db',`
@ -14516,7 +14528,7 @@ index 08dfa0c..973fdf0 100644
 ')
 
 ########################################
-@@ -699,17 +903,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +904,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
 
@ -14542,7 +14554,7 @@ index 08dfa0c..973fdf0 100644
 
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +949,20 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,10 +950,20 @@ tunable_policy(`httpd_can_network_connect',`
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
 
@ -14564,7 +14576,7 @@ index 08dfa0c..973fdf0 100644
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +988,25 @@ optional_policy(`
+@@ -769,6 +989,25 @@ optional_policy(`
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
 
@ -14590,7 +14602,7 @@ index 08dfa0c..973fdf0 100644
 ########################################
 #
 # Apache system script local policy
-@@ -792,9 +1030,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
+@@ -792,9 +1031,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
 files_search_var_lib(httpd_sys_script_t)
 files_search_spool(httpd_sys_script_t)
 
@ -14604,7 +14616,7 @@ index 08dfa0c..973fdf0 100644
 ifdef(`distro_redhat',`
 	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
 ')
-@@ -803,6 +1045,33 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,6 +1046,33 @@ tunable_policy(`httpd_can_sendmail',`
 	mta_send_mail(httpd_sys_script_t)
 ')
 
@ -14638,7 +14650,7 @@ index 08dfa0c..973fdf0 100644
 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
 	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
 	allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -822,7 +1091,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,7 +1092,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
 ')
 
 tunable_policy(`httpd_enable_homedirs',`
@ -14647,7 +14659,7 @@ index 08dfa0c..973fdf0 100644
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -830,6 +1099,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -830,6 +1100,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 
@ -14668,7 +14680,7 @@ index 08dfa0c..973fdf0 100644
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1125,20 @@ optional_policy(`
+@@ -842,10 +1126,20 @@ optional_policy(`
 optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
@ -14689,7 +14701,7 @@ index 08dfa0c..973fdf0 100644
 ')
 
 ########################################
-@@ -891,11 +1184,21 @@ optional_policy(`
+@@ -891,11 +1185,21 @@ optional_policy(`
 
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	allow httpd_user_script_t httpdcontent:file entrypoint;
@ -18812,6 +18824,55 @@ index 0a1a61b..da508f4 100644
 	')
 
 	allow $1 ddclient_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
+index 24ba98a..0910356 100644
+--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
+@@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
+ type ddclient_log_t;
+ logging_log_file(ddclient_log_t)
+ 
+type ddclient_tmp_t;
+files_tmp_file(ddclient_tmp_t)
+
+ type ddclient_var_t;
+ files_type(ddclient_var_t)
+ 
+@@ -37,12 +40,16 @@ allow ddclient_t self:process signal_perms;
+ allow ddclient_t self:fifo_file rw_fifo_file_perms;
+ allow ddclient_t self:tcp_socket create_socket_perms;
+ allow ddclient_t self:udp_socket create_socket_perms;
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+ allow ddclient_t ddclient_etc_t:file read_file_perms;
+ 
+ allow ddclient_t ddclient_log_t:file manage_file_perms;
+ logging_log_filetrans(ddclient_t, ddclient_log_t, file)
+ 
+manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t)
+files_tmp_filetrans(ddclient_t, ddclient_tmp_t, { file })
+
+ manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+ manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+ manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+@@ -74,6 +81,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
+ corenet_udp_sendrecv_generic_node(ddclient_t)
+ corenet_tcp_sendrecv_all_ports(ddclient_t)
+ corenet_udp_sendrecv_all_ports(ddclient_t)
+corenet_tcp_bind_generic_node(ddclient_t)
+corenet_udp_bind_generic_node(ddclient_t)
+ corenet_tcp_connect_all_ports(ddclient_t)
+ corenet_sendrecv_all_client_packets(ddclient_t)
+ 
+@@ -89,6 +98,8 @@ files_read_usr_files(ddclient_t)
+ fs_getattr_all_fs(ddclient_t)
+ fs_search_auto_mountpoints(ddclient_t)
+ 
+mta_send_mail(ddclient_t)
+
+ logging_send_syslog_msg(ddclient_t)
+ 
+ miscfiles_read_localization(ddclient_t)
 diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if
 index 567865f..9c9e65c 100644
 --- a/policy/modules/services/denyhosts.if
@ -21686,10 +21747,19 @@ index a627b34..c899c61 100644
 optional_policy(`
 	seutil_sigchld_newrole(gpm_t)
 diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
-index 03742d8..7b9c543 100644
+index 03742d8..2a87d1e 100644
 --- a/policy/modules/services/gpsd.te
 +++ b/policy/modules/services/gpsd.te
-@@ -56,6 +56,10 @@ logging_send_syslog_msg(gpsd_t)
+@@ -46,6 +46,8 @@ corenet_tcp_sendrecv_all_ports(gpsd_t)
+ corenet_tcp_bind_all_nodes(gpsd_t)
+ corenet_tcp_bind_gpsd_port(gpsd_t)
+ 
+dev_read_sysfs(gpsd_t)
+
+ term_use_unallocated_ttys(gpsd_t)
+ term_setattr_unallocated_ttys(gpsd_t)
+ 
+@@ -56,6 +58,10 @@ logging_send_syslog_msg(gpsd_t)
 miscfiles_read_localization(gpsd_t)
 
 optional_policy(`
@ -24631,7 +24701,7 @@ index 343cee3..2f948ad 100644
 +	')
 +')
 diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..1acd149 100644
+index 64268e4..6543734 100644
 --- a/policy/modules/services/mta.te
 +++ b/policy/modules/services/mta.te
@@ -20,8 +20,8 @@ files_type(etc_aliases_t)
@ -24645,13 +24715,14 @@ index 64268e4..1acd149 100644
 
 type mqueue_spool_t;
 files_mountpoint(mqueue_spool_t)
-@@ -50,22 +50,9 @@ ubac_constrained(user_mail_tmp_t)
+@@ -50,22 +50,11 @@ ubac_constrained(user_mail_tmp_t)
 
 # newalias required this, not sure if it is needed in 'if' file
 allow system_mail_t self:capability { dac_override fowner };
 -allow system_mail_t self:fifo_file rw_fifo_file_perms;
-
+ 
 -read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+allow system_mail_t mail_home_t:file manage_file_perms;
 
 read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
 
@ -24668,7 +24739,7 @@ index 64268e4..1acd149 100644
 dev_read_sysfs(system_mail_t)
 dev_read_rand(system_mail_t)
 dev_read_urand(system_mail_t)
-@@ -82,6 +69,10 @@ init_use_script_ptys(system_mail_t)
+@@ -82,6 +71,10 @@ init_use_script_ptys(system_mail_t)
 
 userdom_use_user_terminals(system_mail_t)
 userdom_dontaudit_search_user_home_dirs(system_mail_t)
@ -24679,7 +24750,7 @@ index 64268e4..1acd149 100644
 
 optional_policy(`
 	apache_read_squirrelmail_data(system_mail_t)
-@@ -92,17 +83,28 @@ optional_policy(`
+@@ -92,17 +85,28 @@ optional_policy(`
 	apache_dontaudit_rw_stream_sockets(system_mail_t)
 	apache_dontaudit_rw_tcp_sockets(system_mail_t)
 	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@ -24709,7 +24780,7 @@ index 64268e4..1acd149 100644
 	clamav_stream_connect(system_mail_t)
 	clamav_append_log(system_mail_t)
 ')
-@@ -111,6 +113,8 @@ optional_policy(`
+@@ -111,6 +115,8 @@ optional_policy(`
 	cron_read_system_job_tmp_files(system_mail_t)
 	cron_dontaudit_write_pipes(system_mail_t)
 	cron_rw_system_job_stream_sockets(system_mail_t)
@ -24718,7 +24789,7 @@ index 64268e4..1acd149 100644
 ')
 
 optional_policy(`
-@@ -124,12 +128,8 @@ optional_policy(`
+@@ -124,12 +130,8 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -24732,7 +24803,7 @@ index 64268e4..1acd149 100644
 ')
 
 optional_policy(`
-@@ -146,6 +146,10 @@ optional_policy(`
+@@ -146,6 +148,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -24743,7 +24814,7 @@ index 64268e4..1acd149 100644
 	nagios_read_tmp_files(system_mail_t)
 ')
 
-@@ -158,18 +162,6 @@ optional_policy(`
+@@ -158,18 +164,6 @@ optional_policy(`
 	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
 
 	domain_use_interactive_fds(system_mail_t)
@ -24762,7 +24833,7 @@ index 64268e4..1acd149 100644
 ')
 
 optional_policy(`
-@@ -189,6 +181,10 @@ optional_policy(`
+@@ -189,6 +183,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -24773,7 +24844,7 @@ index 64268e4..1acd149 100644
 	smartmon_read_tmp_files(system_mail_t)
 ')
 
-@@ -199,7 +195,7 @@ optional_policy(`
+@@ -199,7 +197,7 @@ optional_policy(`
 	arpwatch_search_data(mailserver_delivery)
 	arpwatch_manage_tmp_files(mta_user_agent)
 
@ -24782,7 +24853,7 @@ index 64268e4..1acd149 100644
 		arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
 	')
 
-@@ -220,7 +216,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,7 +218,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 
@ -24792,7 +24863,7 @@ index 64268e4..1acd149 100644
 
 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
 
-@@ -249,11 +246,16 @@ optional_policy(`
+@@ -249,11 +248,16 @@ optional_policy(`
 	mailman_read_data_symlinks(mailserver_delivery)
 ')
 
@ -24809,7 +24880,7 @@ index 64268e4..1acd149 100644
 domain_use_interactive_fds(user_mail_t)
 
 userdom_use_user_terminals(user_mail_t)
-@@ -292,3 +294,44 @@ optional_policy(`
+@@ -292,3 +296,44 @@ optional_policy(`
 	postfix_read_config(user_mail_t)
 	postfix_list_spool(user_mail_t)
 ')
@ -24955,7 +25026,7 @@ index c358d8f..92c9dca 100644
 
 	allow $1 munin_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
-index f17583b..6f8b0fd 100644
+index f17583b..0dc6344 100644
 --- a/policy/modules/services/munin.te
 +++ b/policy/modules/services/munin.te
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@ -25105,7 +25176,7 @@ index f17583b..6f8b0fd 100644
 dev_read_sysfs(system_munin_plugin_t)
 dev_read_urand(system_munin_plugin_t)
 
-@@ -313,3 +317,29 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +317,30 @@ init_read_utmp(system_munin_plugin_t)
 sysnet_exec_ifconfig(system_munin_plugin_t)
 
 term_getattr_unallocated_ttys(system_munin_plugin_t)
@ -25129,6 +25200,7 @@ index f17583b..6f8b0fd 100644
 +corecmd_exec_bin(munin_plugin_domain)
 +corecmd_exec_shell(munin_plugin_domain)
 +
+files_search_var_lib(munin_plugin_domain)
 +files_read_etc_files(munin_plugin_domain)
 +files_read_usr_files(munin_plugin_domain)
 +
@ -25189,7 +25261,7 @@ index e9c0982..4d3b208 100644
 	admin_pattern($1, mysqld_tmp_t)
 ')
 diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..086df22 100644
+index 0a0d63c..d02b476 100644
 --- a/policy/modules/services/mysql.te
 +++ b/policy/modules/services/mysql.te
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@ -25257,8 +25329,17 @@ index 0a0d63c..086df22 100644
 files_read_etc_files(mysqld_safe_t)
 files_read_usr_files(mysqld_safe_t)
 files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+@@ -183,6 +186,8 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+ 
+ hostname_exec(mysqld_safe_t)
+ 
+logging_send_syslog_msg(mysqld_safe_t)
+
+ miscfiles_read_localization(mysqld_safe_t)
+ 
+ mysql_manage_db_files(mysqld_safe_t)
 diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
-index 8581040..89e1edf 100644
+index 8581040..f54b3b8 100644
 --- a/policy/modules/services/nagios.if
 +++ b/policy/modules/services/nagios.if
@@ -12,10 +12,8 @@
@ -25281,7 +25362,16 @@ index 8581040..89e1edf 100644
 
 	# needed by command.cfg
 	domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
-@@ -49,7 +48,6 @@ template(`nagios_plugin_template',`
+@@ -36,6 +35,8 @@ template(`nagios_plugin_template',`
+ 	dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
+ 	dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
+ 
+	files_read_usr_files(nagios_$1_plugin_t)
+
+ 	miscfiles_read_localization(nagios_$1_plugin_t)
+ ')
+ 
+@@ -49,7 +50,6 @@ template(`nagios_plugin_template',`
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
@ -25289,7 +25379,7 @@ index 8581040..89e1edf 100644
 #
 interface(`nagios_dontaudit_rw_pipes',`
 	gen_require(`
-@@ -159,6 +157,26 @@ interface(`nagios_read_tmp_files',`
+@@ -159,6 +159,26 @@ interface(`nagios_read_tmp_files',`
 
 ########################################
 ## <summary>
@ -25316,7 +25406,7 @@ index 8581040..89e1edf 100644
 ##	Execute the nagios NRPE with
 ##	a domain transition.
 ## </summary>
-@@ -195,11 +213,9 @@ interface(`nagios_domtrans_nrpe',`
+@@ -195,11 +215,9 @@ interface(`nagios_domtrans_nrpe',`
 #
 interface(`nagios_admin',`
 	gen_require(`
@ -25537,7 +25627,7 @@ index 2324d9e..8069487 100644
 +	append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..4898ef8 100644
+index 0619395..5428249 100644
 --- a/policy/modules/services/networkmanager.te
 +++ b/policy/modules/services/networkmanager.te
@@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@ -25640,10 +25730,14 @@ index 0619395..4898ef8 100644
 	optional_policy(`
 		consolekit_dbus_chat(NetworkManager_t)
 	')
-@@ -202,6 +230,13 @@ optional_policy(`
+@@ -202,6 +230,17 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gnome_dontaudit_search_config(NetworkManager_t)
+')
+
+optional_policy(`
 +	ipsec_domtrans_mgmt(NetworkManager_t)
 +	ipsec_kill_mgmt(NetworkManager_t)
 +	ipsec_signal_mgmt(NetworkManager_t)
@ -25654,7 +25748,7 @@ index 0619395..4898ef8 100644
 	iptables_domtrans(NetworkManager_t)
 ')
 
-@@ -219,6 +254,7 @@ optional_policy(`
+@@ -219,6 +258,7 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -25662,7 +25756,7 @@ index 0619395..4898ef8 100644
 	openvpn_domtrans(NetworkManager_t)
 	openvpn_kill(NetworkManager_t)
 	openvpn_signal(NetworkManager_t)
-@@ -263,6 +299,7 @@ optional_policy(`
+@@ -263,6 +303,7 @@ optional_policy(`
 	vpn_kill(NetworkManager_t)
 	vpn_signal(NetworkManager_t)
 	vpn_signull(NetworkManager_t)
@ -32577,10 +32671,15 @@ index e30bb63..6e627d6 100644
 +	can_exec(smbd_t, samba_unconfined_script_exec_t)
 ')
 diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
-index f1aea88..c3ffa9d 100644
+index f1aea88..a5a75a8 100644
 --- a/policy/modules/services/sasl.if
 +++ b/policy/modules/services/sasl.if
-@@ -42,7 +42,7 @@ interface(`sasl_admin',`
+@@ -38,11 +38,11 @@ interface(`sasl_connect',`
+ #
+ interface(`sasl_admin',`
+ 	gen_require(`
+-		type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
+		type saslauthd_t, saslauthd_var_run_t;
 		type saslauthd_initrc_exec_t;
 	')
 
@ -32589,6 +32688,16 @@ index f1aea88..c3ffa9d 100644
 	ps_process_pattern($1, saslauthd_t)
 
 	init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
+@@ -50,9 +50,6 @@ interface(`sasl_admin',`
+ 	role_transition $2 saslauthd_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
+-	files_list_tmp($1)
+-	admin_pattern($1, saslauthd_tmp_t)
+-
+ 	files_list_pids($1)
+ 	admin_pattern($1, saslauthd_var_run_t)
+ ')
 diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
 index 22184ad..d87a3f0 100644
 --- a/policy/modules/services/sasl.te
@ -39095,10 +39204,10 @@ index 0000000..56cb5af
 +/var/run/zarafa-monitor\.pid    --      gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
 diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
 new file mode 100644
-index 0000000..4f2dde8
+index 0000000..8a909f5
 --- /dev/null
 +++ b/policy/modules/services/zarafa.if
-@@ -0,0 +1,102 @@
+@@ -0,0 +1,122 @@
 +## <summary>policy for zarafa services</summary>
 +
 +######################################
@ -39201,6 +39310,26 @@ index 0000000..4f2dde8
 +	files_search_var_lib($1)
 +	stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
 +')
+
+######################################
+## <summary>
+##  Allow the specified domain to search
+##  zarafa configuration dirs.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`zarafa_search_config',`
+    gen_require(`
+        type zarafa_etc_t;
+    ')
+
+    files_search_etc($1)
+    allow $1 zarafa_etc_t:dir search_dir_perms;
+')
 diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
 new file mode 100644
 index 0000000..3ce4d86
@ -43010,14 +43139,16 @@ index 72c746e..e3d06fd 100644
 +/var/cache/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 +/var/run/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 8b5c196..3490497 100644
+index 8b5c196..b195f9d 100644
 --- a/policy/modules/system/mount.if
 +++ b/policy/modules/system/mount.if
-@@ -16,6 +16,14 @@ interface(`mount_domtrans',`
+@@ -16,6 +16,16 @@ interface(`mount_domtrans',`
 	')
 
 	domtrans_pattern($1, mount_exec_t, mount_t)
 +	mount_domtrans_fusermount($1)
+	
+	ps_process_pattern(mount_t, $1)
 +
 +ifdef(`hide_broken_symptoms', `
 +	dontaudit mount_t $1:unix_stream_socket { read write };
@ -43028,7 +43159,7 @@ index 8b5c196..3490497 100644
 ')
 
 ########################################
-@@ -45,12 +53,58 @@ interface(`mount_run',`
+@@ -45,12 +55,58 @@ interface(`mount_run',`
 	role $2 types mount_t;
 
 	optional_policy(`
@ -43088,7 +43219,7 @@ index 8b5c196..3490497 100644
 ##	Execute mount in the caller domain.
 ## </summary>
 ## <param name="domain">
-@@ -84,9 +138,11 @@ interface(`mount_exec',`
+@@ -84,9 +140,11 @@ interface(`mount_exec',`
 interface(`mount_signal',`
 	gen_require(`
 		type mount_t;
@ -43100,7 +43231,7 @@ index 8b5c196..3490497 100644
 ')
 
 ########################################
-@@ -95,7 +151,7 @@ interface(`mount_signal',`
+@@ -95,7 +153,7 @@ interface(`mount_signal',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -43109,7 +43240,7 @@ index 8b5c196..3490497 100644
 ##	</summary>
 ## </param>
 #
-@@ -176,4 +232,109 @@ interface(`mount_run_unconfined',`
+@@ -176,4 +234,109 @@ interface(`mount_run_unconfined',`
 
 	mount_domtrans_unconfined($1)
 	role $2 types unconfined_mount_t;
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.8
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -471,6 +471,16 @@ exit 0
 %endif

 %changelog
+* Mon Nov 15 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.8-7
+- Allow nagios plugins to read usr files
+- Allow mysqld-safe to send system log messages
+- Fixes fpr ddclient policy
+- Fix sasl_admin interface
+- Allow apache to search zarafa config
+- Allow munin plugins to search /var/lib directory
+- Allow gpsd to read sysfs_t
+- Fix labels on /etc/mcelog/triggers to bin_t
+
 * Fri Nov 12 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-6
 - Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
 - Allow saslauthd_t to create krb5_host_rcache_t files in /tmp