- Allow httpd_t to connect to osapi_compute port using httpd_use_openstac

- Fixes for dlm_controld - Fix apache_read_sys_content_rw_dirs() interface - Allow logrotate to read /var/log/z-push dir - Allow postfix_postdrop to acces postfix_public socket - Allow sched_setscheduler for cupsd_t - Add missing context for /usr/sbin/snmpd - Allow consolehelper more access discovered by Tom London - Allow fsdaemon to send signull to all domain - Add port definition for osapi_compute port - Allow unconfined to create /etc/hostname with correct labeling - Add systemd_filetrans_named_hostname() interface
2013-04-08 14:05:50 +02:00 · 2013-04-08 14:05:50 +02:00 · d8b4fa387f
parent a48e548c78
commit d8b4fa387f
3 changed files with 202 additions and 108 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -5074,7 +5074,7 @@ index 8e0f9cd..b9f45b9 100644
 
 define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..fba95c8 100644
+index 4edc40d..a69e038 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@ -5259,7 +5259,7 @@ index 4edc40d..fba95c8 100644
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
 network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -188,13 +220,13 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -188,21 +220,28 @@ network_port(mysqlmanagerd, tcp,2273,s0)
 network_port(nessus, tcp,1241,s0)
 network_port(netport, tcp,3129,s0, udp,3129,s0)
 network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@ -5276,7 +5276,9 @@ index 4edc40d..fba95c8 100644
 network_port(ocsp, tcp,9080,s0)
 network_port(openhpid, tcp,4743,s0, udp,4743,s0)
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-@@ -203,6 +235,12 @@ network_port(pegasus_http, tcp,5988,s0)
+network_port(osapi_compute, tcp, 8774, s0)
+ network_port(pdps, tcp,1314,s0, udp,1314,s0)
+ network_port(pegasus_http, tcp,5988,s0)
 network_port(pegasus_https, tcp,5989,s0)
 network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
 network_port(pingd, tcp,9125,s0)
@ -5289,7 +5291,7 @@ index 4edc40d..fba95c8 100644
 network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
 network_port(portmap, udp,111,s0, tcp,111,s0)
-@@ -214,38 +252,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +253,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
 network_port(printer, tcp,515,s0)
 network_port(ptal, tcp,5703,s0)
@ -5337,7 +5339,7 @@ index 4edc40d..fba95c8 100644
 network_port(ssh, tcp,22,s0)
 network_port(stunnel) # no defined portcon
 network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +298,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +299,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
 network_port(tcs, tcp, 30003, s0)
 network_port(telnetd, tcp,23,s0)
 network_port(tftp, udp,69,s0)
@ -5348,7 +5350,7 @@ index 4edc40d..fba95c8 100644
 network_port(transproxy, tcp,8081,s0)
 network_port(trisoap, tcp,10200,s0, udp,10200,s0)
 network_port(ups, tcp,3493,s0)
-@@ -268,10 +310,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +311,10 @@ network_port(varnishd, tcp,6081-6082,s0)
 network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
 network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
 network_port(virt_migration, tcp,49152-49216,s0)
@ -5361,7 +5363,7 @@ index 4edc40d..fba95c8 100644
 network_port(winshadow, tcp,3161,s0, udp,3261,s0)
 network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
 network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -292,12 +334,16 @@ network_port(zope, tcp,8021,s0)
+@@ -292,12 +335,16 @@ network_port(zope, tcp,8021,s0)
 # Defaults for reserved ports.	Earlier portcon entries take precedence;
 # these entries just cover any remaining reserved ports not otherwise declared.
 
@ -5380,7 +5382,7 @@ index 4edc40d..fba95c8 100644
 
 ########################################
 #
-@@ -330,6 +376,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +377,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
 
 build_option(`enable_mls',`
 network_interface(lo, lo, s0 - mls_systemhigh)
@ -5389,7 +5391,7 @@ index 4edc40d..fba95c8 100644
 ',`
 typealias netif_t alias { lo_netif_t netif_lo_t };
 ')
-@@ -342,9 +390,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +391,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
 allow corenet_unconfined_type node_type:node *;
 allow corenet_unconfined_type netif_type:netif *;
 allow corenet_unconfined_type packet_type:packet *;
@ -7747,7 +7749,7 @@ index 6a1e4d1..adafd25 100644
 +	dontaudit $1 domain:socket_class_set { read write };
 ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..274ef6d 100644
+index cf04cb5..dc4207f 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@ -7873,7 +7875,7 @@ index cf04cb5..274ef6d 100644
 
 # Create/access any System V IPC objects.
 allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,265 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +227,266 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
 
@ -8014,6 +8016,7 @@ index cf04cb5..274ef6d 100644
 +	systemd_login_reboot(unconfined_domain_type)
 +	systemd_login_halt(unconfined_domain_type)
 +	systemd_login_undefined(unconfined_domain_type)
+    systemd_filetrans_named_hostname(unconfined_domain_type)
 +')
 +
 +optional_policy(`
@ -35717,10 +35720,10 @@ index 0000000..4e12420
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..2927875
+index 0000000..16c7767
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1103 @@
+@@ -0,0 +1,1122 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@ -36574,6 +36577,25 @@ index 0000000..2927875
 +
 +########################################
 +## <summary>
+##	Transition to systemd named content for /etc/hostname
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_filetrans_named_hostname',`
+	gen_require(`
+		type hostname_etc_t;
+	')
+
+	files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
+	files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
+')
+
+########################################
+## <summary>
 +##	Get the system status information from systemd_login
 +## </summary>
 +## <param name="domain">
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -3048,7 +3048,7 @@ index 550a69e..78579c0 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index 83e899c..e3bed6a 100644
+index 83e899c..c0ece1b 100644
 --- a/apache.if
 +++ b/apache.if
@@ -1,9 +1,9 @@
@ -3865,7 +3865,7 @@ index 83e899c..e3bed6a 100644
 interface(`apache_manage_sys_content',`
 	gen_require(`
 		type httpd_sys_content_t;
-@@ -855,32 +922,78 @@ interface(`apache_manage_sys_content',`
+@@ -855,32 +922,98 @@ interface(`apache_manage_sys_content',`
 	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
 ')
 
@ -3890,6 +3890,26 @@ index 83e899c..e3bed6a 100644
 +	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +')
 +
+######################################
+## <summary>
+##	Allow the specified domain to read
+##	apache system content rw dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_sys_content_rw_dirs',`
+	gen_require(`
+		type httpd_sys_rw_content_t;
+	')
+
+	list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
 +######################################
 ## <summary>
 -##	Create, read, write, and delete
@ -3952,7 +3972,7 @@ index 83e899c..e3bed6a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -888,10 +1001,17 @@ interface(`apache_manage_sys_rw_content',`
+@@ -888,10 +1021,17 @@ interface(`apache_manage_sys_rw_content',`
 ##	</summary>
 ## </param>
 #
@ -3971,7 +3991,7 @@ index 83e899c..e3bed6a 100644
 	')
 
 	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -901,9 +1021,8 @@ interface(`apache_domtrans_sys_script',`
+@@ -901,9 +1041,8 @@ interface(`apache_domtrans_sys_script',`
 
 ########################################
 ## <summary>
@ -3983,7 +4003,7 @@ index 83e899c..e3bed6a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -941,7 +1060,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -941,7 +1080,7 @@ interface(`apache_domtrans_all_scripts',`
 ########################################
 ## <summary>
 ##	Execute all user scripts in the user
@ -3992,7 +4012,7 @@ index 83e899c..e3bed6a 100644
 ##	to the specified role.
 ## </summary>
 ## <param name="domain">
-@@ -954,6 +1073,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -954,6 +1093,7 @@ interface(`apache_domtrans_all_scripts',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
@ -4000,7 +4020,7 @@ index 83e899c..e3bed6a 100644
 #
 interface(`apache_run_all_scripts',`
 	gen_require(`
-@@ -966,7 +1086,8 @@ interface(`apache_run_all_scripts',`
+@@ -966,7 +1106,8 @@ interface(`apache_run_all_scripts',`
 
 ########################################
 ## <summary>
@ -4010,7 +4030,7 @@ index 83e899c..e3bed6a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -979,12 +1100,13 @@ interface(`apache_read_squirrelmail_data',`
+@@ -979,12 +1120,13 @@ interface(`apache_read_squirrelmail_data',`
 		type httpd_squirrelmail_t;
 	')
 
@ -4026,7 +4046,7 @@ index 83e899c..e3bed6a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1002,7 +1124,7 @@ interface(`apache_append_squirrelmail_data',`
+@@ -1002,7 +1144,7 @@ interface(`apache_append_squirrelmail_data',`
 
 ########################################
 ## <summary>
@ -4035,7 +4055,7 @@ index 83e899c..e3bed6a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1015,13 +1137,12 @@ interface(`apache_search_sys_content',`
+@@ -1015,13 +1157,12 @@ interface(`apache_search_sys_content',`
 		type httpd_sys_content_t;
 	')
 
@ -4050,7 +4070,7 @@ index 83e899c..e3bed6a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1041,7 +1162,7 @@ interface(`apache_read_sys_content',`
+@@ -1041,7 +1182,7 @@ interface(`apache_read_sys_content',`
 
 ########################################
 ## <summary>
@ -4059,7 +4079,7 @@ index 83e899c..e3bed6a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1059,8 +1180,7 @@ interface(`apache_search_sys_scripts',`
+@@ -1059,8 +1200,7 @@ interface(`apache_search_sys_scripts',`
 
 ########################################
 ## <summary>
@ -4069,7 +4089,7 @@ index 83e899c..e3bed6a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1070,13 +1190,22 @@ interface(`apache_search_sys_scripts',`
+@@ -1070,13 +1210,22 @@ interface(`apache_search_sys_scripts',`
 ## <rolecap/>
 #
 interface(`apache_manage_all_user_content',`
@ -4095,7 +4115,7 @@ index 83e899c..e3bed6a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1094,7 +1223,8 @@ interface(`apache_search_sys_script_state',`
+@@ -1094,7 +1243,8 @@ interface(`apache_search_sys_script_state',`
 
 ########################################
 ## <summary>
@ -4105,7 +4125,7 @@ index 83e899c..e3bed6a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1111,10 +1241,29 @@ interface(`apache_read_tmp_files',`
+@@ -1111,10 +1261,29 @@ interface(`apache_read_tmp_files',`
 	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
 ')
 
@ -4137,7 +4157,7 @@ index 83e899c..e3bed6a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1127,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1127,7 +1296,7 @@ interface(`apache_dontaudit_write_tmp_files',`
 		type httpd_tmp_t;
 	')
 
@ -4146,7 +4166,7 @@ index 83e899c..e3bed6a 100644
 ')
 
 ########################################
-@@ -1136,6 +1285,9 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1136,6 +1305,9 @@ interface(`apache_dontaudit_write_tmp_files',`
 ## </summary>
 ##	<desc>
 ##	<p>
@ -4156,7 +4176,7 @@ index 83e899c..e3bed6a 100644
 ##	This is an interface to support third party modules
 ##	and its use is not allowed in upstream reference
 ##	policy.
-@@ -1165,8 +1317,30 @@ interface(`apache_cgi_domain',`
+@@ -1165,8 +1337,30 @@ interface(`apache_cgi_domain',`
 
 ########################################
 ## <summary>
@ -4189,7 +4209,7 @@ index 83e899c..e3bed6a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1183,18 +1357,19 @@ interface(`apache_cgi_domain',`
+@@ -1183,18 +1377,19 @@ interface(`apache_cgi_domain',`
 interface(`apache_admin',`
 	gen_require(`
 		attribute httpdcontent, httpd_script_exec_type;
@ -4218,7 +4238,7 @@ index 83e899c..e3bed6a 100644
 
 	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
 	domain_system_change_exemption($1)
-@@ -1204,10 +1379,10 @@ interface(`apache_admin',`
+@@ -1204,10 +1399,10 @@ interface(`apache_admin',`
 	apache_manage_all_content($1)
 	miscfiles_manage_public_files($1)
 
@ -4232,7 +4252,7 @@ index 83e899c..e3bed6a 100644
 	admin_pattern($1, httpd_log_t)
 
 	admin_pattern($1, httpd_modules_t)
-@@ -1218,9 +1393,129 @@ interface(`apache_admin',`
+@@ -1218,9 +1413,129 @@ interface(`apache_admin',`
 	admin_pattern($1, httpd_var_run_t)
 	files_pid_filetrans($1, httpd_var_run_t, file)
 
@ -4367,7 +4387,7 @@ index 83e899c..e3bed6a 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
 ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..5e167ca 100644
+index 1a82e29..dfaef83 100644
 --- a/apache.te
 +++ b/apache.te
@@ -1,297 +1,353 @@
@ -6034,13 +6054,13 @@ index 1a82e29..5e167ca 100644
 -
 -kernel_dontaudit_search_sysctl(httpd_script_domains)
 -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-+allow httpd_sys_script_t self:process getsched;
- 
+-
 -corenet_all_recvfrom_unlabeled(httpd_script_domains)
 -corenet_all_recvfrom_netlabel(httpd_script_domains)
 -corenet_tcp_sendrecv_generic_if(httpd_script_domains)
 -corenet_tcp_sendrecv_generic_node(httpd_script_domains)
-
+allow httpd_sys_script_t self:process getsched;
+ 
 -corecmd_exec_all_executables(httpd_script_domains)
 +allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
 +allow httpd_sys_script_t httpd_t:tcp_socket { read write };
@ -6173,8 +6193,7 @@ index 1a82e29..5e167ca 100644
 -#
 -
 -allow httpd_sys_script_t self:tcp_socket { accept listen };
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- 
+-
 -allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 -
 -dontaudit httpd_sys_script_t httpd_config_t:dir search;
@ -6204,7 +6223,8 @@ index 1a82e29..5e167ca 100644
 -	corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
 -	corenet_tcp_connect_pop_port(httpd_sys_script_t)
 -	corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ 
 -	mta_send_mail(httpd_sys_script_t)
 -	mta_signal_system_mail(httpd_sys_script_t)
 +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@ -6417,7 +6437,7 @@ index 1a82e29..5e167ca 100644
 kernel_read_system_state(httpd_passwd_t)
 
 corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1501,94 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1501,99 @@ dev_read_urand(httpd_passwd_t)
 
 domain_use_interactive_fds(httpd_passwd_t)
 
@ -6435,23 +6455,33 @@ index 1a82e29..5e167ca 100644
 +systemd_manage_passwd_run(httpd_passwd_t)
 +systemd_manage_passwd_run(httpd_t)
 +#systemd_passwd_agent_dev_template(httpd)
-+
+ 
+-allow httpd_gpg_t self:process setrlimit;
 +domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
 +dontaudit httpd_passwd_t httpd_config_t:file read;
-+
+ 
+-allow httpd_gpg_t httpd_t:fd use;
+-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
+-allow httpd_gpg_t httpd_t:process sigchld;
 +search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
 +corecmd_shell_entry_type(httpd_script_type)
-+
+ 
+-dev_read_rand(httpd_gpg_t)
+-dev_read_urand(httpd_gpg_t)
 +allow httpd_script_type self:fifo_file rw_file_perms;
 +allow httpd_script_type self:unix_stream_socket connectto;
-+
+ 
+-files_read_usr_files(httpd_gpg_t)
 +allow httpd_script_type httpd_t:fifo_file write;
 +# apache should set close-on-exec
 +apache_dontaudit_leaks(httpd_script_type)
-+
+ 
+-miscfiles_read_localization(httpd_gpg_t)
 +append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
 +logging_search_logs(httpd_script_type)
-+
+ 
+-tunable_policy(`httpd_gpg_anon_write',`
+-	miscfiles_manage_public_files(httpd_gpg_t)
 +kernel_dontaudit_search_sysctl(httpd_script_type)
 +kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
 +
@ -6466,34 +6496,24 @@ index 1a82e29..5e167ca 100644
 +
 +libs_exec_ld_so(httpd_script_type)
 +libs_exec_lib_files(httpd_script_type)
- 
-allow httpd_gpg_t self:process setrlimit;
+
 +miscfiles_read_fonts(httpd_script_type)
 +miscfiles_read_public_files(httpd_script_type)
- 
-allow httpd_gpg_t httpd_t:fd use;
-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
-allow httpd_gpg_t httpd_t:process sigchld;
+
 +allow httpd_t httpd_script_type:unix_stream_socket connectto;
- 
-dev_read_rand(httpd_gpg_t)
-dev_read_urand(httpd_gpg_t)
+
 +allow httpd_t httpd_script_exec_type:file read_file_perms;
 +allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
 +allow httpd_t httpd_script_type:process { signal sigkill sigstop };
 +allow httpd_t httpd_script_exec_type:dir list_dir_perms;
- 
-files_read_usr_files(httpd_gpg_t)
+
 +allow httpd_script_type self:process { setsched signal_perms };
 +allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
 +allow httpd_script_type self:unix_dgram_socket create_socket_perms;
- 
-miscfiles_read_localization(httpd_gpg_t)
+
 +allow httpd_script_type httpd_t:fd use;
 +allow httpd_script_type httpd_t:process sigchld;
- 
-tunable_policy(`httpd_gpg_anon_write',`
-	miscfiles_manage_public_files(httpd_gpg_t)
+
 +dontaudit httpd_script_type httpd_t:tcp_socket { read write };
 +
 +fs_getattr_xattr_fs(httpd_script_type)
@ -6531,6 +6551,11 @@ index 1a82e29..5e167ca 100644
 +	corenet_tcp_connect_keystone_port(httpd_sys_script_t)
 +	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
 +	corenet_tcp_connect_glance_port(httpd_sys_script_t)
+	corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_openstack',`
+    corenet_tcp_connect_osapi_compute_port(httpd_t)
 ')
 diff --git a/apcupsd.fc b/apcupsd.fc
 index 5ec0e13..2da2368 100644
@ -9565,10 +9590,10 @@ index 0c53b18..ef29f6e 100644
 	domain_system_change_exemption($1)
 	role_transition $2 certmaster_initrc_exec_t system_r;
 diff --git a/certmaster.te b/certmaster.te
-index bf82163..5397bb9 100644
+index bf82163..2b571c7 100644
 --- a/certmaster.te
 +++ b/certmaster.te
-@@ -65,11 +65,8 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
+@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
 dev_read_urand(certmaster_t)
 
 files_list_var(certmaster_t)
@ -9580,6 +9605,8 @@ index bf82163..5397bb9 100644
 -miscfiles_read_localization(certmaster_t)
 miscfiles_manage_generic_cert_dirs(certmaster_t)
 miscfiles_manage_generic_cert_files(certmaster_t)
+
+mta_send_mail(certmaster_t)
 diff --git a/certmonger.fc b/certmonger.fc
 index ed298d8..cd8eb4d 100644
 --- a/certmonger.fc
@ -16063,7 +16090,7 @@ index 06da9a0..ca832e1 100644
 +	ps_process_pattern($1, cupsd_t)
 ')
 diff --git a/cups.te b/cups.te
-index 9f34c2e..3b03f21 100644
+index 9f34c2e..fb69e2c 100644
 --- a/cups.te
 +++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@ -16160,8 +16187,8 @@ index 9f34c2e..3b03f21 100644
 +# Cups general local policy
 +#
 +
-+allow cups_domain self:capability { setuid setgid };
-+allow cups_domain self:process signal_perms;
+allow cups_domain self:capability { setuid setgid sys_nice };
+allow cups_domain self:process { getsched setsched signal_perms };
 +allow cups_domain self:fifo_file rw_fifo_file_perms;
 +allow cups_domain self:tcp_socket { accept listen };
 +
@ -32942,7 +32969,7 @@ index dd8e01a..9cd6b0b 100644
 ## <param name="domain">
 ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..ed36684 100644
+index 7bab8e5..3baae66 100644
 --- a/logrotate.te
 +++ b/logrotate.te
@@ -1,20 +1,18 @@
@ -33126,7 +33153,13 @@ index 7bab8e5..ed36684 100644
 ')
 
 optional_policy(`
-@@ -140,11 +159,11 @@ optional_policy(`
+@@ -135,16 +154,17 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	apache_read_config(logrotate_t)
+    apache_read_sys_content_rw_dirs(logrotate_t)
+ 	apache_domtrans(logrotate_t)
+ 	apache_signull(logrotate_t)
 ')
 
 optional_policy(`
@ -33140,7 +33173,7 @@ index 7bab8e5..ed36684 100644
 ')
 
 optional_policy(`
-@@ -178,7 +197,7 @@ optional_policy(`
+@@ -178,7 +198,7 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -33149,7 +33182,7 @@ index 7bab8e5..ed36684 100644
 ')
 
 optional_policy(`
-@@ -198,21 +217,22 @@ optional_policy(`
+@@ -198,21 +218,22 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -33176,7 +33209,7 @@ index 7bab8e5..ed36684 100644
 ')
 
 optional_policy(`
-@@ -228,10 +248,20 @@ optional_policy(`
+@@ -228,10 +249,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -33197,7 +33230,7 @@ index 7bab8e5..ed36684 100644
 	su_exec(logrotate_t)
 ')
 
-@@ -241,13 +271,11 @@ optional_policy(`
+@@ -241,13 +272,11 @@ optional_policy(`
 
 #######################################
 #
@ -54684,7 +54717,7 @@ index 2e23946..41da729 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 ')
 diff --git a/postfix.te b/postfix.te
-index 191a66f..b11469c 100644
+index 191a66f..7ceaec2 100644
 --- a/postfix.te
 +++ b/postfix.te
@@ -1,4 +1,4 @@
@ -55284,7 +55317,7 @@ index 191a66f..b11469c 100644
 #
 
 allow postfix_pipe_t self:process setrlimit;
-@@ -576,19 +495,24 @@ optional_policy(`
+@@ -576,19 +495,25 @@ optional_policy(`
 
 ########################################
 #
@ -55301,6 +55334,7 @@ index 191a66f..b11469c 100644
 +allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
 
 rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
 
 +postfix_list_spool(postfix_postdrop_t)
 manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
@ -55314,7 +55348,7 @@ index 191a66f..b11469c 100644
 
 term_dontaudit_use_all_ptys(postfix_postdrop_t)
 term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +527,7 @@ optional_policy(`
+@@ -603,10 +528,7 @@ optional_policy(`
 	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
 ')
 
@ -55326,7 +55360,7 @@ index 191a66f..b11469c 100644
 optional_policy(`
 	fstools_read_pipes(postfix_postdrop_t)
 ')
-@@ -621,17 +542,23 @@ optional_policy(`
+@@ -621,17 +543,23 @@ optional_policy(`
 
 #######################################
 #
@ -55353,7 +55387,7 @@ index 191a66f..b11469c 100644
 
 init_sigchld_script(postfix_postqueue_t)
 init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +574,77 @@ optional_policy(`
+@@ -647,67 +575,77 @@ optional_policy(`
 
 ########################################
 #
@ -55449,7 +55483,7 @@ index 191a66f..b11469c 100644
 ')
 
 optional_policy(`
-@@ -720,24 +657,27 @@ optional_policy(`
+@@ -720,24 +658,27 @@ optional_policy(`
 
 ########################################
 #
@ -55483,7 +55517,7 @@ index 191a66f..b11469c 100644
 fs_getattr_all_dirs(postfix_smtpd_t)
 fs_getattr_all_fs(postfix_smtpd_t)
 
-@@ -754,6 +694,7 @@ optional_policy(`
+@@ -754,6 +695,7 @@ optional_policy(`
 
 optional_policy(`
 	milter_stream_connect_all(postfix_smtpd_t)
@ -55491,7 +55525,7 @@ index 191a66f..b11469c 100644
 ')
 
 optional_policy(`
-@@ -764,31 +705,100 @@ optional_policy(`
+@@ -764,31 +706,100 @@ optional_policy(`
 	sasl_connect(postfix_smtpd_t)
 ')
 
@ -64957,7 +64991,7 @@ index 56bc01f..cbca7aa 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
 ')
 diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..bbe8875 100644
+index 2c2de9a..aa4480c 100644
 --- a/rhcs.te
 +++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@ -65257,7 +65291,16 @@ index 2c2de9a..bbe8875 100644
 ')
 
 #####################################
-@@ -98,6 +354,12 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -79,7 +335,7 @@ optional_policy(`
+ # dlm_controld local policy
+ #
+ 
+-allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
+allow dlm_controld_t self:capability { dac_override net_admin sys_admin sys_resource };
+ allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+@@ -98,6 +354,16 @@ fs_manage_configfs_dirs(dlm_controld_t)
 
 init_rw_script_tmp_files(dlm_controld_t)
 
@ -65266,11 +65309,15 @@ index 2c2de9a..bbe8875 100644
 +optional_policy(`
 +	corosync_rw_tmpfs(dlm_controld_t)
 +')
+
+optional_policy(`
+    rhcs_stream_connect_cluster(dlm_controld_t)
+')
 +
 #######################################
 #
 # fenced local policy
-@@ -105,9 +367,13 @@ init_rw_script_tmp_files(dlm_controld_t)
+@@ -105,9 +371,13 @@ init_rw_script_tmp_files(dlm_controld_t)
 
 allow fenced_t self:capability { sys_rawio sys_resource };
 allow fenced_t self:process { getsched signal_perms };
@ -65285,7 +65332,7 @@ index 2c2de9a..bbe8875 100644
 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
 files_lock_filetrans(fenced_t, fenced_lock_t, file)
 
-@@ -118,9 +384,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +388,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
 
 stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
 
@ -65296,7 +65343,7 @@ index 2c2de9a..bbe8875 100644
 
 corecmd_exec_bin(fenced_t)
 corecmd_exec_shell(fenced_t)
-@@ -148,9 +413,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +417,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
 
 dev_read_sysfs(fenced_t)
 dev_read_urand(fenced_t)
@ -65307,7 +65354,7 @@ index 2c2de9a..bbe8875 100644
 
 storage_raw_read_fixed_disk(fenced_t)
 storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +423,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +427,7 @@ term_getattr_pty_fs(fenced_t)
 term_use_generic_ptys(fenced_t)
 term_use_ptmx(fenced_t)
 
@ -65316,7 +65363,7 @@ index 2c2de9a..bbe8875 100644
 
 tunable_policy(`fenced_can_network_connect',`
 	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -190,10 +453,6 @@ optional_policy(`
+@@ -190,10 +457,6 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -65327,7 +65374,7 @@ index 2c2de9a..bbe8875 100644
 	lvm_domtrans(fenced_t)
 	lvm_read_config(fenced_t)
 ')
-@@ -203,6 +462,13 @@ optional_policy(`
+@@ -203,6 +466,13 @@ optional_policy(`
 	snmp_manage_var_lib_dirs(fenced_t)
 ')
 
@ -65341,7 +65388,7 @@ index 2c2de9a..bbe8875 100644
 #######################################
 #
 # foghorn local policy
-@@ -223,7 +489,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
+@@ -223,7 +493,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
 
 dev_read_urand(foghorn_t)
 
@ -65351,7 +65398,7 @@ index 2c2de9a..bbe8875 100644
 
 optional_policy(`
 	dbus_connect_system_bus(foghorn_t)
-@@ -257,6 +524,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +528,8 @@ storage_getattr_removable_dev(gfs_controld_t)
 
 init_rw_script_tmp_files(gfs_controld_t)
 
@ -65360,7 +65407,7 @@ index 2c2de9a..bbe8875 100644
 optional_policy(`
 	lvm_exec(gfs_controld_t)
 	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +544,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +548,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
 
 dev_list_sysfs(groupd_t)
 
@ -65373,7 +65420,7 @@ index 2c2de9a..bbe8875 100644
 ######################################
 #
 # qdiskd local policy
-@@ -321,6 +590,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +594,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
 
 auth_use_nsswitch(qdiskd_t)
 
@ -73079,7 +73126,7 @@ index cd6c213..34b861a 100644
 +	allow $1 sanlock_unit_file_t:service all_service_perms;
 ')
 diff --git a/sanlock.te b/sanlock.te
-index a34eac4..25ad7ec 100644
+index a34eac4..b144d40 100644
 --- a/sanlock.te
 +++ b/sanlock.te
@@ -1,4 +1,4 @@
@ -73219,7 +73266,7 @@ index a34eac4..25ad7ec 100644
 optional_policy(`
 -	virt_kill_all_virt_domains(sanlock_t)
 +	virt_kill_svirt(sanlock_t)
-+    virt_kill(sanlock_t)
+	virt_kill(sanlock_t)
 	virt_manage_lib_files(sanlock_t)
 -	virt_signal_all_virt_domains(sanlock_t)
 +	virt_signal_svirt(sanlock_t)
@ -75771,7 +75818,7 @@ index e0644b5..ea347cc 100644
 	domain_system_change_exemption($1)
 	role_transition $2 fsdaemon_initrc_exec_t system_r;
 diff --git a/smartmon.te b/smartmon.te
-index 9ade9c5..efefceb 100644
+index 9ade9c5..60d6c41 100644
 --- a/smartmon.te
 +++ b/smartmon.te
@@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t)
@ -75804,15 +75851,17 @@ index 9ade9c5..efefceb 100644
 storage_raw_read_fixed_disk(fsdaemon_t)
 storage_raw_write_fixed_disk(fsdaemon_t)
 storage_raw_read_removable_device(fsdaemon_t)
-@@ -85,6 +91,8 @@ term_dontaudit_search_ptys(fsdaemon_t)
+@@ -83,7 +89,9 @@ storage_write_scsi_generic(fsdaemon_t)
 
- application_signull(fsdaemon_t)
+ term_dontaudit_search_ptys(fsdaemon_t)
 
-+auth_read_passwd(fsdaemon_t)
+-application_signull(fsdaemon_t)
+domain_signull_all_domains(fsdaemon_t)
 +
+auth_read_passwd(fsdaemon_t)
+ 
 init_read_utmp(fsdaemon_t)
 
- libs_exec_ld_so(fsdaemon_t)
@@ -92,12 +100,13 @@ libs_exec_lib_files(fsdaemon_t)
 
 logging_send_syslog_msg(fsdaemon_t)
@ -76248,9 +76297,17 @@ index 0000000..92c3638
 +
 +sysnet_dns_name_resolve(smsd_t)
 diff --git a/snmp.fc b/snmp.fc
-index c73fa24..9018dbc 100644
+index c73fa24..408ff61 100644
 --- a/snmp.fc
 +++ b/snmp.fc
+@@ -1,6 +1,6 @@
+ /etc/rc\.d/init\.d/((snmpd)|(snmptrapd))	--	gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+ 
+-/usr/sbin/snmptrap	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
+/usr/sbin/snmpd	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
+ /usr/sbin/snmptrapd	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
+ 
+ /usr/share/snmp/mibs/\.index	--	gen_context(system_u:object_r:snmpd_var_lib_t,s0)
@@ -10,9 +10,12 @@
 
 /var/lib/net-snmp(/.*)?	gen_context(system_u:object_r:snmpd_var_lib_t,s0)
@ -83495,7 +83552,7 @@ index cf118fd..cd80e83 100644
 +	can_exec($1, consolehelper_exec_t)
 +')
 diff --git a/userhelper.te b/userhelper.te
-index 274ed9c..9294dd6 100644
+index 274ed9c..57a9c3d 100644
 --- a/userhelper.te
 +++ b/userhelper.te
@@ -1,15 +1,12 @@
@ -83516,7 +83573,7 @@ index 274ed9c..9294dd6 100644
 
 type userhelper_conf_t;
 files_config_file(userhelper_conf_t)
-@@ -22,141 +19,71 @@ application_executable_file(consolehelper_exec_t)
+@@ -22,141 +19,72 @@ application_executable_file(consolehelper_exec_t)
 
 ########################################
 #
@ -83533,8 +83590,8 @@ index 274ed9c..9294dd6 100644
 -dontaudit consolehelper_type userhelper_conf_t:file audit_access;
 -read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t)
 +allow consolehelper_domain self:shm create_shm_perms;
-+allow consolehelper_domain self:capability { setgid setuid dac_override }; 
-+allow consolehelper_domain self:process signal;
+allow consolehelper_domain self:capability { setgid setuid dac_override sys_nice }; 
+allow consolehelper_domain self:process { signal_perms getsched setsched };
 
 -domain_use_interactive_fds(consolehelper_type)
 +allow consolehelper_domain  userhelper_conf_t:file audit_access;
@ -83600,6 +83657,7 @@ index 274ed9c..9294dd6 100644
 +userdom_use_user_ptys(consolehelper_domain)
 +userdom_use_user_ttys(consolehelper_domain)
 +userdom_read_user_home_content_files(consolehelper_domain)
+userdom_search_admin_dir(consolehelper_domain)
 
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_search_cifs(consolehelper_type)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 27%{?dist}
+Release: 28%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -526,6 +526,20 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Mon Apr 8 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-28
+- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
+- Fixes for dlm_controld
+- Fix apache_read_sys_content_rw_dirs() interface
+- Allow logrotate to read /var/log/z-push dir
+- Allow postfix_postdrop to acces postfix_public socket
+- Allow sched_setscheduler for cupsd_t
+- Add missing context for /usr/sbin/snmpd
+- Allow consolehelper more access discovered by Tom London
+- Allow fsdaemon to send signull to all domain
+- Add port definition for osapi_compute port
+- Allow unconfined to create /etc/hostname with correct labeling
+- Add systemd_filetrans_named_hostname() interface
+
 * Sat Apr 6 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-27
 - Fix file_contexts.subs to label /run/lock correctly