- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper

- Allow tuned to search all file system directories
- Allow alsa_t to sys_nice, to get top performance for sound management
- Add support for MySQL/PostgreSQL for amavis
- Allow openvpn_t to manage openvpn_var_log_t files.
- Allow dirsrv_t to create tmpfs_t directories
- Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label
- Dontaudit leaked unix_stream_sockets into gnome keyring
- Allow telepathy domains to inhibit pipes on telepathy domains
- Allow cloud-init to domtrans to rpm
- Allow abrt daemon to manage abrt-watch tmp files
- Allow abrt-upload-watcher to search /var/spool directory
- Allow nsswitch domains to manage own process key
- Fix labeling for mgetty.* logs
- Allow systemd to dbus chat with upower
- Allow ipsec to send signull to itself
- Allow setgid cap for ipsec_t
- Match upstream labeling
This commit is contained in:
Miroslav Grepl 2013-09-30 18:06:46 +02:00
parent 381d00a4ba
commit dc36731280
3 changed files with 763 additions and 653 deletions

File diff suppressed because it is too large Load Diff

View File

@ -520,7 +520,7 @@ index 058d908..702b716 100644
+') +')
+ +
diff --git a/abrt.te b/abrt.te diff --git a/abrt.te b/abrt.te
index cc43d25..f71a133 100644 index cc43d25..097a770 100644
--- a/abrt.te --- a/abrt.te
+++ b/abrt.te +++ b/abrt.te
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -705,7 +705,7 @@ index cc43d25..f71a133 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file) logging_log_filetrans(abrt_t, abrt_var_log_t, file)
@@ -112,23 +138,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) @@ -112,23 +138,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@ -727,14 +727,17 @@ index cc43d25..f71a133 100644
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file }) files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
-can_exec(abrt_t, abrt_tmp_t) -can_exec(abrt_t, abrt_tmp_t)
- +manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
kernel_read_ring_buffer(abrt_t) kernel_read_ring_buffer(abrt_t)
-kernel_read_system_state(abrt_t) -kernel_read_system_state(abrt_t)
+kernel_read_network_state(abrt_t) +kernel_read_network_state(abrt_t)
kernel_request_load_module(abrt_t) kernel_request_load_module(abrt_t)
kernel_rw_kernel_sysctl(abrt_t) kernel_rw_kernel_sysctl(abrt_t)
@@ -137,16 +165,14 @@ corecmd_exec_shell(abrt_t) @@ -137,16 +169,14 @@ corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t) corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t) corenet_all_recvfrom_netlabel(abrt_t)
@ -753,7 +756,7 @@ index cc43d25..f71a133 100644
dev_getattr_all_chr_files(abrt_t) dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t) dev_getattr_all_blk_files(abrt_t)
@@ -163,29 +189,37 @@ files_getattr_all_files(abrt_t) @@ -163,29 +193,37 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t) files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t) files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t) files_read_var_symlinks(abrt_t)
@ -794,7 +797,7 @@ index cc43d25..f71a133 100644
tunable_policy(`abrt_anon_write',` tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t) miscfiles_manage_public_files(abrt_t)
@@ -193,15 +227,11 @@ tunable_policy(`abrt_anon_write',` @@ -193,15 +231,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(` optional_policy(`
apache_list_modules(abrt_t) apache_list_modules(abrt_t)
@ -811,7 +814,7 @@ index cc43d25..f71a133 100644
') ')
optional_policy(` optional_policy(`
@@ -209,6 +239,16 @@ optional_policy(` @@ -209,6 +243,16 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -828,7 +831,7 @@ index cc43d25..f71a133 100644
policykit_domtrans_auth(abrt_t) policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t) policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t) policykit_read_reload(abrt_t)
@@ -220,6 +260,7 @@ optional_policy(` @@ -220,6 +264,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t) corecmd_exec_all_executables(abrt_t)
') ')
@ -836,7 +839,7 @@ index cc43d25..f71a133 100644
optional_policy(` optional_policy(`
rpm_exec(abrt_t) rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t) rpm_dontaudit_manage_db(abrt_t)
@@ -230,6 +271,7 @@ optional_policy(` @@ -230,6 +275,7 @@ optional_policy(`
rpm_signull(abrt_t) rpm_signull(abrt_t)
') ')
@ -844,7 +847,7 @@ index cc43d25..f71a133 100644
optional_policy(` optional_policy(`
sendmail_domtrans(abrt_t) sendmail_domtrans(abrt_t)
') ')
@@ -240,9 +282,17 @@ optional_policy(` @@ -240,9 +286,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t) sosreport_delete_tmp_files(abrt_t)
') ')
@ -863,7 +866,7 @@ index cc43d25..f71a133 100644
# #
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
@@ -253,9 +303,13 @@ tunable_policy(`abrt_handle_event',` @@ -253,9 +307,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t) can_exec(abrt_t, abrt_handle_event_exec_t)
') ')
@ -878,7 +881,7 @@ index cc43d25..f71a133 100644
# #
allow abrt_helper_t self:capability { chown setgid sys_nice }; allow abrt_helper_t self:capability { chown setgid sys_nice };
@@ -268,6 +322,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) @@ -268,6 +326,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@ -886,7 +889,7 @@ index cc43d25..f71a133 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -276,15 +331,20 @@ corecmd_read_all_executables(abrt_helper_t) @@ -276,15 +335,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t)
@ -907,7 +910,7 @@ index cc43d25..f71a133 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t)
@@ -292,11 +352,25 @@ ifdef(`hide_broken_symptoms',` @@ -292,11 +356,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@ -934,7 +937,7 @@ index cc43d25..f71a133 100644
# #
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
@@ -314,10 +388,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) @@ -314,10 +392,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t)
@ -948,7 +951,7 @@ index cc43d25..f71a133 100644
optional_policy(` optional_policy(`
rpm_exec(abrt_retrace_coredump_t) rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
@@ -330,10 +406,11 @@ optional_policy(` @@ -330,10 +410,11 @@ optional_policy(`
####################################### #######################################
# #
@ -962,7 +965,7 @@ index cc43d25..f71a133 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
@@ -352,46 +429,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) @@ -352,46 +433,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t)
@ -1024,7 +1027,7 @@ index cc43d25..f71a133 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
@@ -400,16 +487,47 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) @@ -400,16 +491,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t) corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t)
@ -1046,17 +1049,20 @@ index cc43d25..f71a133 100644
-files_read_etc_files(abrt_domain) -files_read_etc_files(abrt_domain)
+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) +manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) +manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir}) +files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
+ +
+read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t) +read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
+
+manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
-logging_send_syslog_msg(abrt_domain) -logging_send_syslog_msg(abrt_domain)
+manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t)
+
+corecmd_exec_bin(abrt_upload_watch_t) +corecmd_exec_bin(abrt_upload_watch_t)
+ +
+dev_read_urand(abrt_upload_watch_t) +dev_read_urand(abrt_upload_watch_t)
+ +
+files_search_spool(abrt_upload_watch_t)
+
+auth_read_passwd(abrt_upload_watch_t) +auth_read_passwd(abrt_upload_watch_t)
+ +
+tunable_policy(`abrt_upload_watch_anon_write',` +tunable_policy(`abrt_upload_watch_anon_write',`
@ -1953,7 +1959,7 @@ index 708b743..c2edd9a 100644
+ ps_process_pattern($1, alsa_t) + ps_process_pattern($1, alsa_t)
+') +')
diff --git a/alsa.te b/alsa.te diff --git a/alsa.te b/alsa.te
index cda6d20..fbe259e 100644 index cda6d20..443ce3c 100644
--- a/alsa.te --- a/alsa.te
+++ b/alsa.te +++ b/alsa.te
@@ -21,16 +21,23 @@ files_tmp_file(alsa_tmp_t) @@ -21,16 +21,23 @@ files_tmp_file(alsa_tmp_t)
@ -1974,8 +1980,9 @@ index cda6d20..fbe259e 100644
# Local policy # Local policy
# #
allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner }; -allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
-dontaudit alsa_t self:capability sys_admin; -dontaudit alsa_t self:capability sys_admin;
+allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice };
+dontaudit alsa_t self:capability { sys_tty_config sys_admin }; +dontaudit alsa_t self:capability { sys_tty_config sys_admin };
+allow alsa_t self:process { getsched setsched signal_perms }; +allow alsa_t self:process { getsched setsched signal_perms };
allow alsa_t self:sem create_sem_perms; allow alsa_t self:sem create_sem_perms;
@ -2011,10 +2018,17 @@ index cda6d20..fbe259e 100644
userdom_manage_unpriv_user_shared_mem(alsa_t) userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t) userdom_search_user_home_dirs(alsa_t)
diff --git a/amanda.fc b/amanda.fc diff --git a/amanda.fc b/amanda.fc
index 7f4dfbc..4d750fa 100644 index 7f4dfbc..e5c9f45 100644
--- a/amanda.fc --- a/amanda.fc
+++ b/amanda.fc +++ b/amanda.fc
@@ -13,6 +13,8 @@ @@ -1,5 +1,6 @@
/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amanda/DailySet1(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
# empty m4 string so the index macro is not invoked
@@ -13,6 +14,8 @@
/usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) /usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) /usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
@ -2692,10 +2706,10 @@ index 0000000..df5b3be
+') +')
diff --git a/antivirus.te b/antivirus.te diff --git a/antivirus.te b/antivirus.te
new file mode 100644 new file mode 100644
index 0000000..fd48ed9 index 0000000..784557c
--- /dev/null --- /dev/null
+++ b/antivirus.te +++ b/antivirus.te
@@ -0,0 +1,269 @@ @@ -0,0 +1,274 @@
+policy_module(antivirus, 1.0.0) +policy_module(antivirus, 1.0.0)
+ +
+######################################## +########################################
@ -2847,6 +2861,10 @@ index 0000000..fd48ed9
+corenet_tcp_connect_http_cache_port(antivirus_domain) +corenet_tcp_connect_http_cache_port(antivirus_domain)
+corenet_tcp_sendrecv_http_cache_port(antivirus_domain) +corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
+ +
+#support for MySQL/PostgreSQL
+corenet_tcp_connect_mysqld_port(antivirus_domain)
+corenet_tcp_connect_postgresql_port(antivirus_domain)
+
+corenet_sendrecv_snmp_client_packets(antivirus_domain) +corenet_sendrecv_snmp_client_packets(antivirus_domain)
+corenet_tcp_connect_snmp_port(antivirus_domain) +corenet_tcp_connect_snmp_port(antivirus_domain)
+ +
@ -2936,6 +2954,7 @@ index 0000000..fd48ed9
+ +
+optional_policy(` +optional_policy(`
+ mysql_stream_connect(antivirus_domain) + mysql_stream_connect(antivirus_domain)
+ corenet_tcp_connect_mysqld_port(antivirus_domain)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -11851,10 +11870,10 @@ index 0000000..8ac848b
+') +')
diff --git a/cloudform.te b/cloudform.te diff --git a/cloudform.te b/cloudform.te
new file mode 100644 new file mode 100644
index 0000000..0f133be index 0000000..4e41e84
--- /dev/null --- /dev/null
+++ b/cloudform.te +++ b/cloudform.te
@@ -0,0 +1,297 @@ @@ -0,0 +1,298 @@
+policy_module(cloudform, 1.0) +policy_module(cloudform, 1.0)
+######################################## +########################################
+# +#
@ -12017,6 +12036,7 @@ index 0000000..0f133be
+') +')
+ +
+optional_policy(` +optional_policy(`
+ rpm_domtrans(cloud_init_t)
+ unconfined_domain(cloud_init_t) + unconfined_domain(cloud_init_t)
+') +')
+ +
@ -20938,10 +20958,10 @@ index 0000000..b214253
+') +')
diff --git a/dirsrv.te b/dirsrv.te diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644 new file mode 100644
index 0000000..05c070d index 0000000..73d1b46
--- /dev/null --- /dev/null
+++ b/dirsrv.te +++ b/dirsrv.te
@@ -0,0 +1,194 @@ @@ -0,0 +1,196 @@
+policy_module(dirsrv,1.0.0) +policy_module(dirsrv,1.0.0)
+ +
+######################################## +########################################
@ -21000,8 +21020,10 @@ index 0000000..05c070d
+allow dirsrv_t self:sem create_sem_perms; +allow dirsrv_t self:sem create_sem_perms;
+allow dirsrv_t self:tcp_socket create_stream_socket_perms; +allow dirsrv_t self:tcp_socket create_stream_socket_perms;
+ +
+manage_dirs_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) +manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file) +manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file })
+ +
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) +manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) +manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
@ -25929,10 +25951,10 @@ index e39de43..5818f74 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if diff --git a/gnome.if b/gnome.if
index d03fd43..237de86 100644 index d03fd43..e814f72 100644
--- a/gnome.if --- a/gnome.if
+++ b/gnome.if +++ b/gnome.if
@@ -1,123 +1,155 @@ @@ -1,123 +1,157 @@
-## <summary>GNU network object model environment.</summary> -## <summary>GNU network object model environment.</summary>
+## <summary>GNU network object model environment (GNOME)</summary> +## <summary>GNU network object model environment (GNOME)</summary>
@ -26049,39 +26071,40 @@ index d03fd43..237de86 100644
+ ubac_constrained($1_gkeyringd_t) + ubac_constrained($1_gkeyringd_t)
domain_user_exemption_target($1_gkeyringd_t) domain_user_exemption_target($1_gkeyringd_t)
- role $2 types $1_gkeyringd_t;
+ userdom_home_manager($1_gkeyringd_t) + userdom_home_manager($1_gkeyringd_t)
+
role $2 types $1_gkeyringd_t;
- ######################################## - ########################################
- # - #
- # Gconf policy - # Gconf policy
- # - #
+ role $2 types $1_gkeyringd_t; + domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
- domtrans_pattern($3, gconfd_exec_t, gconfd_t) - domtrans_pattern($3, gconfd_exec_t, gconfd_t)
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) + allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
- allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf") - userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd") - userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
+ allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
- allow $3 gconfd_t:process { ptrace signal_perms };
- ps_process_pattern($3, gconfd_t)
+ allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms }; + allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; + allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
- ######################################## - allow $3 gconfd_t:process { ptrace signal_perms };
- # - ps_process_pattern($3, gconfd_t)
- # Gkeyringd policy
- #
+ corecmd_bin_domtrans($1_gkeyringd_t, $1_t) + corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
+ corecmd_shell_domtrans($1_gkeyringd_t, $1_t) + corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
+ allow $1_gkeyringd_t $3:process sigkill; + allow $1_gkeyringd_t $3:process sigkill;
+ allow $3 $1_gkeyringd_t:fd use; + allow $3 $1_gkeyringd_t:fd use;
+ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms; + allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };
- ########################################
- #
- # Gkeyringd policy
- #
- domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) - domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
+ kernel_read_system_state($1_gkeyringd_t) + kernel_read_system_state($1_gkeyringd_t)
@ -26102,12 +26125,12 @@ index d03fd43..237de86 100644
ps_process_pattern($3, $1_gkeyringd_t) ps_process_pattern($3, $1_gkeyringd_t)
- allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; - allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
-
- corecmd_bin_domtrans($1_gkeyringd_t, $3)
- corecmd_shell_domtrans($1_gkeyringd_t, $3)
+ allow $3 $1_gkeyringd_t:process signal_perms; + allow $3 $1_gkeyringd_t:process signal_perms;
+ dontaudit $3 gkeyringd_exec_t:file entrypoint; + dontaudit $3 gkeyringd_exec_t:file entrypoint;
- corecmd_bin_domtrans($1_gkeyringd_t, $3)
- corecmd_shell_domtrans($1_gkeyringd_t, $3)
-
- gnome_stream_connect_gkeyringd($1, $3) - gnome_stream_connect_gkeyringd($1, $3)
+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t) + stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
@ -26165,7 +26188,7 @@ index d03fd43..237de86 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -125,18 +157,18 @@ template(`gnome_role_template',` @@ -125,18 +159,18 @@ template(`gnome_role_template',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -26189,7 +26212,7 @@ index d03fd43..237de86 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -144,119 +176,114 @@ interface(`gnome_exec_gconf',` @@ -144,119 +178,114 @@ interface(`gnome_exec_gconf',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -26346,7 +26369,7 @@ index d03fd43..237de86 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -264,15 +291,21 @@ interface(`gnome_create_generic_home_dirs',` @@ -264,15 +293,21 @@ interface(`gnome_create_generic_home_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -26373,7 +26396,7 @@ index d03fd43..237de86 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -280,57 +313,89 @@ interface(`gnome_setattr_config_dirs',` @@ -280,57 +315,89 @@ interface(`gnome_setattr_config_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -26481,7 +26504,7 @@ index d03fd43..237de86 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -338,15 +403,18 @@ interface(`gnome_read_generic_home_content',` @@ -338,15 +405,18 @@ interface(`gnome_read_generic_home_content',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -26505,7 +26528,7 @@ index d03fd43..237de86 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -354,22 +422,18 @@ interface(`gnome_manage_config',` @@ -354,22 +424,18 @@ interface(`gnome_manage_config',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -26533,7 +26556,7 @@ index d03fd43..237de86 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -377,53 +441,37 @@ interface(`gnome_manage_generic_home_content',` @@ -377,53 +443,37 @@ interface(`gnome_manage_generic_home_content',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -26595,7 +26618,7 @@ index d03fd43..237de86 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -431,17 +479,18 @@ interface(`gnome_home_filetrans',` @@ -431,17 +481,18 @@ interface(`gnome_home_filetrans',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -26618,7 +26641,7 @@ index d03fd43..237de86 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -449,23 +498,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` @@ -449,23 +500,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -26646,7 +26669,7 @@ index d03fd43..237de86 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -473,82 +517,73 @@ interface(`gnome_read_generic_gconf_home_content',` @@ -473,82 +519,73 @@ interface(`gnome_read_generic_gconf_home_content',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -26753,7 +26776,7 @@ index d03fd43..237de86 100644
## </summary> ## </summary>
## </param> ## </param>
## <param name="name" optional="true"> ## <param name="name" optional="true">
@@ -557,52 +592,76 @@ interface(`gnome_home_filetrans_gconf_home',` @@ -557,52 +594,76 @@ interface(`gnome_home_filetrans_gconf_home',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -26851,7 +26874,7 @@ index d03fd43..237de86 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -610,93 +669,126 @@ interface(`gnome_gconf_home_filetrans',` @@ -610,93 +671,126 @@ interface(`gnome_gconf_home_filetrans',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -27012,7 +27035,7 @@ index d03fd43..237de86 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -704,12 +796,851 @@ interface(`gnome_stream_connect_gkeyringd',` @@ -704,12 +798,851 @@ interface(`gnome_stream_connect_gkeyringd',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -28189,19 +28212,21 @@ index 20f726b..c6ff2a1 100644
+ +
+userdom_use_inherited_user_terminals(gnomedomain) +userdom_use_inherited_user_terminals(gnomedomain)
diff --git a/gnomeclock.fc b/gnomeclock.fc diff --git a/gnomeclock.fc b/gnomeclock.fc
index b687443..5d92f4e 100644 index b687443..e4c1b83 100644
--- a/gnomeclock.fc --- a/gnomeclock.fc
+++ b/gnomeclock.fc +++ b/gnomeclock.fc
@@ -1,5 +1,7 @@ @@ -1,5 +1,9 @@
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+ +
/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) /usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) -/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
+/usr/libexec/kde3/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/kde4/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) -/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
diff --git a/gnomeclock.if b/gnomeclock.if diff --git a/gnomeclock.if b/gnomeclock.if
index 3f55702..25c7ab8 100644 index 3f55702..25c7ab8 100644
--- a/gnomeclock.if --- a/gnomeclock.if
@ -52500,7 +52525,7 @@ index 6837e9a..21e6dae 100644
domain_system_change_exemption($1) domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r; role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te diff --git a/openvpn.te b/openvpn.te
index 3270ff9..60a7af6 100644 index 3270ff9..5b046fe 100644
--- a/openvpn.te --- a/openvpn.te
+++ b/openvpn.te +++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3) @@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
@ -52560,7 +52585,7 @@ index 3270ff9..60a7af6 100644
allow openvpn_t self:process { signal getsched setsched }; allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms; allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket sendto; allow openvpn_t self:unix_dgram_socket sendto;
@@ -62,6 +83,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) @@ -62,10 +83,14 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
allow openvpn_t openvpn_status_t:file manage_file_perms; allow openvpn_t openvpn_status_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
@ -52571,9 +52596,14 @@ index 3270ff9..60a7af6 100644
+files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file }) +files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
+ +
manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
@@ -83,7 +110,6 @@ kernel_request_load_module(openvpn_t) -setattr_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
@@ -83,7 +108,6 @@ kernel_request_load_module(openvpn_t)
corecmd_exec_bin(openvpn_t) corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t) corecmd_exec_shell(openvpn_t)
@ -52581,7 +52611,7 @@ index 3270ff9..60a7af6 100644
corenet_all_recvfrom_netlabel(openvpn_t) corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_generic_if(openvpn_t) corenet_tcp_sendrecv_generic_if(openvpn_t)
corenet_udp_sendrecv_generic_if(openvpn_t) corenet_udp_sendrecv_generic_if(openvpn_t)
@@ -103,13 +129,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t) @@ -103,13 +127,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
corenet_sendrecv_http_server_packets(openvpn_t) corenet_sendrecv_http_server_packets(openvpn_t)
corenet_tcp_bind_http_port(openvpn_t) corenet_tcp_bind_http_port(openvpn_t)
corenet_sendrecv_http_client_packets(openvpn_t) corenet_sendrecv_http_client_packets(openvpn_t)
@ -52598,7 +52628,7 @@ index 3270ff9..60a7af6 100644
corenet_rw_tun_tap_dev(openvpn_t) corenet_rw_tun_tap_dev(openvpn_t)
dev_read_rand(openvpn_t) dev_read_rand(openvpn_t)
@@ -121,18 +149,24 @@ fs_search_auto_mountpoints(openvpn_t) @@ -121,18 +147,24 @@ fs_search_auto_mountpoints(openvpn_t)
auth_use_pam(openvpn_t) auth_use_pam(openvpn_t)
@ -52626,7 +52656,7 @@ index 3270ff9..60a7af6 100644
') ')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
@@ -143,6 +177,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` @@ -143,6 +175,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(openvpn_t) fs_read_cifs_files(openvpn_t)
') ')
@ -52637,7 +52667,7 @@ index 3270ff9..60a7af6 100644
optional_policy(` optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t) daemontools_service_domain(openvpn_t, openvpn_exec_t)
') ')
@@ -155,3 +193,27 @@ optional_policy(` @@ -155,3 +191,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t) networkmanager_dbus_chat(openvpn_t)
') ')
') ')
@ -73188,7 +73218,7 @@ index 3bd6446..8bde316 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms; + allow $1 var_lib_nfs_t:file relabel_file_perms;
') ')
diff --git a/rpc.te b/rpc.te diff --git a/rpc.te b/rpc.te
index e5212e6..97bb4a0 100644 index e5212e6..022f7fc 100644
--- a/rpc.te --- a/rpc.te
+++ b/rpc.te +++ b/rpc.te
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -73206,7 +73236,7 @@ index e5212e6..97bb4a0 100644
-## generic user temporary content. -## generic user temporary content.
-## </p> -## </p>
+## <p> +## <p>
+## Allow gssd to read temp directory. For access to kerberos tgt. +## Allow gssd to list tmp directories and read the kerberos credential cache.
+## </p> +## </p>
## </desc> ## </desc>
-gen_tunable(allow_gssd_read_tmp, false) -gen_tunable(allow_gssd_read_tmp, false)
@ -86630,7 +86660,7 @@ index 42946bc..741f2f4 100644
+ can_exec($1, telepathy_executable) + can_exec($1, telepathy_executable)
') ')
diff --git a/telepathy.te b/telepathy.te diff --git a/telepathy.te b/telepathy.te
index e9c0964..8d5bbdd 100644 index e9c0964..5a41683 100644
--- a/telepathy.te --- a/telepathy.te
+++ b/telepathy.te +++ b/telepathy.te
@@ -1,29 +1,28 @@ @@ -1,29 +1,28 @@
@ -87134,7 +87164,7 @@ index e9c0964..8d5bbdd 100644
optional_policy(` optional_policy(`
xserver_read_xdm_pid(telepathy_sunshine_t) xserver_read_xdm_pid(telepathy_sunshine_t)
xserver_stream_connect(telepathy_sunshine_t) xserver_stream_connect(telepathy_sunshine_t)
@@ -452,31 +385,48 @@ optional_policy(` @@ -452,31 +385,49 @@ optional_policy(`
####################################### #######################################
# #
@ -87180,6 +87210,7 @@ index e9c0964..8d5bbdd 100644
+ +
+optional_policy(` +optional_policy(`
+ systemd_dbus_chat_logind(telepathy_domain) + systemd_dbus_chat_logind(telepathy_domain)
+ systemd_write_inhibit_pipes(telepathy_domain)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -89177,7 +89208,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1) domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r; role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te diff --git a/tuned.te b/tuned.te
index 7116181..971952e 100644 index 7116181..b957a0f 100644
--- a/tuned.te --- a/tuned.te
+++ b/tuned.te +++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@ -89231,7 +89262,7 @@ index 7116181..971952e 100644
corecmd_exec_bin(tuned_t) corecmd_exec_bin(tuned_t)
corecmd_exec_shell(tuned_t) corecmd_exec_shell(tuned_t)
@@ -64,31 +73,52 @@ corecmd_exec_shell(tuned_t) @@ -64,31 +73,53 @@ corecmd_exec_shell(tuned_t)
dev_getattr_all_blk_files(tuned_t) dev_getattr_all_blk_files(tuned_t)
dev_getattr_all_chr_files(tuned_t) dev_getattr_all_chr_files(tuned_t)
dev_read_urand(tuned_t) dev_read_urand(tuned_t)
@ -89246,6 +89277,7 @@ index 7116181..971952e 100644
-fs_getattr_xattr_fs(tuned_t) -fs_getattr_xattr_fs(tuned_t)
+fs_getattr_all_fs(tuned_t) +fs_getattr_all_fs(tuned_t)
+fs_search_all(tuned_t)
+ +
+auth_use_nsswitch(tuned_t) +auth_use_nsswitch(tuned_t)
@ -92611,7 +92643,7 @@ index 9dec06c..73549fd 100644
+ virt_stream_connect($1) + virt_stream_connect($1)
') ')
diff --git a/virt.te b/virt.te diff --git a/virt.te b/virt.te
index 1f22fba..924d71c 100644 index 1f22fba..a35bf47 100644
--- a/virt.te --- a/virt.te
+++ b/virt.te +++ b/virt.te
@@ -1,147 +1,166 @@ @@ -1,147 +1,166 @@
@ -92854,7 +92886,7 @@ index 1f22fba..924d71c 100644
ifdef(`enable_mcs',` ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
') ')
@@ -150,295 +169,139 @@ ifdef(`enable_mls',` @@ -150,295 +169,140 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
') ')
@ -93217,6 +93249,7 @@ index 1f22fba..924d71c 100644
-manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) -manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu") -filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu")
+allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; +allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow virt_domain virtd_t:fd use; +allow virt_domain virtd_t:fd use;
+dontaudit virt_domain virtd_t:unix_stream_socket { read write }; +dontaudit virt_domain virtd_t:unix_stream_socket { read write };
+allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms }; +allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms };
@ -93233,7 +93266,7 @@ index 1f22fba..924d71c 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
@@ -448,42 +311,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) @@ -448,42 +312,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@ -93280,7 +93313,7 @@ index 1f22fba..924d71c 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir }) logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
@@ -496,16 +346,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) @@ -496,16 +347,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@ -93302,7 +93335,7 @@ index 1f22fba..924d71c 100644
kernel_read_system_state(virtd_t) kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t) kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t) kernel_rw_net_sysctls(virtd_t)
@@ -513,6 +359,7 @@ kernel_read_kernel_sysctls(virtd_t) @@ -513,6 +360,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t) kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t) kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t) kernel_setsched(virtd_t)
@ -93310,7 +93343,7 @@ index 1f22fba..924d71c 100644
corecmd_exec_bin(virtd_t) corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t) corecmd_exec_shell(virtd_t)
@@ -520,24 +367,16 @@ corecmd_exec_shell(virtd_t) @@ -520,24 +368,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t) corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t)
@ -93338,7 +93371,7 @@ index 1f22fba..924d71c 100644
dev_rw_sysfs(virtd_t) dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t) dev_read_urand(virtd_t)
dev_read_rand(virtd_t) dev_read_rand(virtd_t)
@@ -548,22 +387,24 @@ dev_rw_vhost(virtd_t) @@ -548,22 +388,27 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t) dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t)
@ -93354,6 +93387,9 @@ index 1f22fba..924d71c 100644
files_read_usr_src_files(virtd_t) files_read_usr_src_files(virtd_t)
+files_relabelto_system_conf_files(virtd_t) +files_relabelto_system_conf_files(virtd_t)
+files_relabelfrom_system_conf_files(virtd_t) +files_relabelfrom_system_conf_files(virtd_t)
+files_relabelfrom_boot_files(virtd_t)
+files_relabelto_boot_files(virtd_t)
+files_manage_boot_files(virtd_t)
# Manages /etc/sysconfig/system-config-firewall # Manages /etc/sysconfig/system-config-firewall
-# files_relabelto_system_conf_files(virtd_t) -# files_relabelto_system_conf_files(virtd_t)
@ -93368,7 +93404,7 @@ index 1f22fba..924d71c 100644
fs_rw_anon_inodefs_files(virtd_t) fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t) fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t) fs_manage_cgroup_dirs(virtd_t)
@@ -594,15 +435,18 @@ term_use_ptmx(virtd_t) @@ -594,15 +439,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t) auth_use_nsswitch(virtd_t)
@ -93388,7 +93424,7 @@ index 1f22fba..924d71c 100644
selinux_validate_context(virtd_t) selinux_validate_context(virtd_t)
@@ -613,18 +457,26 @@ seutil_read_file_contexts(virtd_t) @@ -613,18 +461,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t) sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t)
@ -93425,7 +93461,7 @@ index 1f22fba..924d71c 100644
tunable_policy(`virt_use_nfs',` tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t) fs_manage_nfs_dirs(virtd_t)
@@ -633,7 +485,7 @@ tunable_policy(`virt_use_nfs',` @@ -633,7 +489,7 @@ tunable_policy(`virt_use_nfs',`
') ')
tunable_policy(`virt_use_samba',` tunable_policy(`virt_use_samba',`
@ -93434,7 +93470,7 @@ index 1f22fba..924d71c 100644
fs_manage_cifs_files(virtd_t) fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t) fs_read_cifs_symlinks(virtd_t)
') ')
@@ -658,20 +510,12 @@ optional_policy(` @@ -658,20 +514,12 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -93455,7 +93491,7 @@ index 1f22fba..924d71c 100644
') ')
optional_policy(` optional_policy(`
@@ -684,14 +528,20 @@ optional_policy(` @@ -684,14 +532,20 @@ optional_policy(`
dnsmasq_kill(virtd_t) dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t) dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t) dnsmasq_create_pid_dirs(virtd_t)
@ -93478,7 +93514,7 @@ index 1f22fba..924d71c 100644
iptables_manage_config(virtd_t) iptables_manage_config(virtd_t)
') ')
@@ -704,11 +554,13 @@ optional_policy(` @@ -704,11 +558,13 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -93492,7 +93528,7 @@ index 1f22fba..924d71c 100644
policykit_domtrans_auth(virtd_t) policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t) policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t) policykit_read_lib(virtd_t)
@@ -719,10 +571,18 @@ optional_policy(` @@ -719,10 +575,18 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -93511,7 +93547,7 @@ index 1f22fba..924d71c 100644
kernel_read_xen_state(virtd_t) kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t) kernel_write_xen_state(virtd_t)
@@ -737,44 +597,262 @@ optional_policy(` @@ -737,44 +601,262 @@ optional_policy(`
udev_read_db(virtd_t) udev_read_db(virtd_t)
') ')
@ -93673,7 +93709,7 @@ index 1f22fba..924d71c 100644
+optional_policy(` +optional_policy(`
+ ptchown_domtrans(virt_domain) + ptchown_domtrans(virt_domain)
+') +')
+
+optional_policy(` +optional_policy(`
+ pulseaudio_dontaudit_exec(virt_domain) + pulseaudio_dontaudit_exec(virt_domain)
+') +')
@ -93742,7 +93778,7 @@ index 1f22fba..924d71c 100644
+ xserver_stream_connect(virt_domain) + xserver_stream_connect(virt_domain)
+ ') + ')
+') +')
+
+######################################## +########################################
+# +#
+# xm local policy +# xm local policy
@ -93796,7 +93832,7 @@ index 1f22fba..924d71c 100644
kernel_read_system_state(virsh_t) kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t) kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t) kernel_read_kernel_sysctls(virsh_t)
@@ -785,25 +863,18 @@ kernel_write_xen_state(virsh_t) @@ -785,25 +867,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t) corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t) corecmd_exec_shell(virsh_t)
@ -93823,7 +93859,7 @@ index 1f22fba..924d71c 100644
fs_getattr_all_fs(virsh_t) fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t) fs_manage_xenfs_dirs(virsh_t)
@@ -812,24 +883,22 @@ fs_search_auto_mountpoints(virsh_t) @@ -812,24 +887,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t) storage_raw_read_fixed_disk(virsh_t)
@ -93855,7 +93891,7 @@ index 1f22fba..924d71c 100644
tunable_policy(`virt_use_nfs',` tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t) fs_manage_nfs_files(virsh_t)
@@ -847,14 +916,20 @@ optional_policy(` @@ -847,14 +920,20 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -93877,7 +93913,7 @@ index 1f22fba..924d71c 100644
xen_stream_connect(virsh_t) xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t) xen_stream_connect_xenstore(virsh_t)
') ')
@@ -879,49 +954,65 @@ optional_policy(` @@ -879,49 +958,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t) kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t)
@ -93961,7 +93997,7 @@ index 1f22fba..924d71c 100644
corecmd_exec_bin(virtd_lxc_t) corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t)
@@ -933,17 +1024,16 @@ dev_read_urand(virtd_lxc_t) @@ -933,17 +1028,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t)
@ -93981,7 +94017,7 @@ index 1f22fba..924d71c 100644
fs_getattr_all_fs(virtd_lxc_t) fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t)
@@ -955,8 +1045,23 @@ fs_rw_cgroup_files(virtd_lxc_t) @@ -955,8 +1049,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -94005,7 +94041,7 @@ index 1f22fba..924d71c 100644
selinux_get_enforce_mode(virtd_lxc_t) selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t) selinux_validate_context(virtd_lxc_t)
@@ -965,194 +1070,251 @@ selinux_compute_create_context(virtd_lxc_t) @@ -965,194 +1074,264 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t)
@ -94034,12 +94070,12 @@ index 1f22fba..924d71c 100644
+optional_policy(` +optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t) + gnome_read_generic_cache_files(virtd_lxc_t)
+') +')
+
-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(` +optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t) + setrans_manage_pid_files(virtd_lxc_t)
+') +')
+
-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(` +optional_policy(`
+ unconfined_domain(virtd_lxc_t) + unconfined_domain(virtd_lxc_t)
+') +')
@ -94065,8 +94101,6 @@ index 1f22fba..924d71c 100644
+ +
+allow svirt_sandbox_domain virtd_lxc_t:process sigchld; +allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
+allow svirt_sandbox_domain virtd_lxc_t:fd use; +allow svirt_sandbox_domain virtd_lxc_t:fd use;
+allow svirt_sandbox_domain virt_lxc_var_run_t:dir list_dir_perms;
+allow svirt_sandbox_domain virt_lxc_var_run_t:file read_file_perms;
+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; +allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+ +
+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
@ -94135,6 +94169,10 @@ index 1f22fba..924d71c 100644
+ apache_exec_modules(svirt_sandbox_domain) + apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain)
+') +')
+
+optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@ -94219,21 +94257,17 @@ index 1f22fba..924d71c 100644
- -
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(` +optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) + ssh_use_ptys(svirt_sandbox_domain)
+') +')
optional_policy(` optional_policy(`
- udev_read_pid_files(svirt_lxc_domain) - udev_read_pid_files(svirt_lxc_domain)
+ ssh_use_ptys(svirt_sandbox_domain) + udev_read_pid_files(svirt_sandbox_domain)
') ')
optional_policy(` optional_policy(`
- apache_exec_modules(svirt_lxc_domain) - apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain)
+ udev_read_pid_files(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain) + userhelper_dontaudit_write_config(svirt_sandbox_domain)
') ')
@ -94263,6 +94297,9 @@ index 1f22fba..924d71c 100644
+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
+
kernel_read_network_state(svirt_lxc_net_t) kernel_read_network_state(svirt_lxc_net_t)
kernel_read_irq_sysctls(svirt_lxc_net_t) kernel_read_irq_sysctls(svirt_lxc_net_t)
@ -94339,6 +94376,18 @@ index 1f22fba..924d71c 100644
+allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; +allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+ +
+term_use_generic_ptys(svirt_qemu_net_t)
+term_use_ptmx(svirt_qemu_net_t)
+
+dev_rw_kvm(svirt_qemu_net_t)
+
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
+
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
+
+kernel_read_network_state(svirt_qemu_net_t) +kernel_read_network_state(svirt_qemu_net_t)
+kernel_read_irq_sysctls(svirt_qemu_net_t) +kernel_read_irq_sysctls(svirt_qemu_net_t)
+ +
@ -94346,7 +94395,8 @@ index 1f22fba..924d71c 100644
+dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t)
+dev_read_urand(svirt_qemu_net_t) +dev_read_urand(svirt_qemu_net_t)
+
-allow svirt_prot_exec_t self:process { execmem execstack };
+corenet_tcp_bind_generic_node(svirt_qemu_net_t) +corenet_tcp_bind_generic_node(svirt_qemu_net_t)
+corenet_udp_bind_generic_node(svirt_qemu_net_t) +corenet_udp_bind_generic_node(svirt_qemu_net_t)
+corenet_tcp_sendrecv_all_ports(svirt_qemu_net_t) +corenet_tcp_sendrecv_all_ports(svirt_qemu_net_t)
@ -94354,8 +94404,7 @@ index 1f22fba..924d71c 100644
+corenet_udp_bind_all_ports(svirt_qemu_net_t) +corenet_udp_bind_all_ports(svirt_qemu_net_t)
+corenet_tcp_bind_all_ports(svirt_qemu_net_t) +corenet_tcp_bind_all_ports(svirt_qemu_net_t)
+corenet_tcp_connect_all_ports(svirt_qemu_net_t) +corenet_tcp_connect_all_ports(svirt_qemu_net_t)
+
-allow svirt_prot_exec_t self:process { execmem execstack };
+files_read_kernel_modules(svirt_qemu_net_t) +files_read_kernel_modules(svirt_qemu_net_t)
+ +
+fs_noxattr_type(svirt_sandbox_file_t) +fs_noxattr_type(svirt_sandbox_file_t)
@ -94387,7 +94436,7 @@ index 1f22fba..924d71c 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1165,12 +1327,12 @@ dev_read_sysfs(virt_qmf_t) @@ -1165,12 +1344,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t) dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t) dev_read_urand(virt_qmf_t)
@ -94402,7 +94451,7 @@ index 1f22fba..924d71c 100644
sysnet_read_config(virt_qmf_t) sysnet_read_config(virt_qmf_t)
optional_policy(` optional_policy(`
@@ -1183,9 +1345,8 @@ optional_policy(` @@ -1183,9 +1362,8 @@ optional_policy(`
######################################## ########################################
# #
@ -94413,7 +94462,7 @@ index 1f22fba..924d71c 100644
allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1198,5 +1359,124 @@ kernel_read_network_state(virt_bridgehelper_t) @@ -1198,5 +1376,124 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t)

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.12.1 Version: 3.12.1
Release: 83%{?dist} Release: 84%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -571,6 +571,26 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Mon Sep 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-84
- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper
- Allow tuned to search all file system directories
- Allow alsa_t to sys_nice, to get top performance for sound management
- Add support for MySQL/PostgreSQL for amavis
- Allow openvpn_t to manage openvpn_var_log_t files.
- Allow dirsrv_t to create tmpfs_t directories
- Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label
- Dontaudit leaked unix_stream_sockets into gnome keyring
- Allow telepathy domains to inhibit pipes on telepathy domains
- Allow cloud-init to domtrans to rpm
- Allow abrt daemon to manage abrt-watch tmp files
- Allow abrt-upload-watcher to search /var/spool directory
- Allow nsswitch domains to manage own process key
- Fix labeling for mgetty.* logs
- Allow systemd to dbus chat with upower
- Allow ipsec to send signull to itself
- Allow setgid cap for ipsec_t
- Match upstream labeling
* Wed Sep 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-83 * Wed Sep 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-83
- Do not build sanbox pkg on MLS - Do not build sanbox pkg on MLS