+ ## All of the rules required to administrate
+@@ -93,16 +132,17 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
#
interface(`dovecot_admin',`
gen_require(`
@@ -37507,7 +37583,7 @@ index e1d7dc5..0557be0 100644
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -112,8 +133,11 @@ interface(`dovecot_admin',`
+@@ -112,8 +152,11 @@ interface(`dovecot_admin',`
files_list_etc($1)
admin_pattern($1, dovecot_etc_t)
@@ -37521,7 +37597,7 @@ index e1d7dc5..0557be0 100644
files_list_spool($1)
admin_pattern($1, dovecot_spool_t)
-@@ -121,6 +145,9 @@ interface(`dovecot_admin',`
+@@ -121,6 +164,9 @@ interface(`dovecot_admin',`
files_list_var_lib($1)
admin_pattern($1, dovecot_var_lib_t)
@@ -39585,24 +39661,31 @@ index 9d3201b..41c2c99 100644
+ ftp_systemctl($1)
')
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..6c4a30d 100644
+index 8a74a83..84fe0c6 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
-@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
+@@ -40,6 +40,20 @@ gen_tunable(allow_ftpd_use_nfs, false)
##
##
-+## Allow ftp servers to use connect to mysql database
++## Allow ftp servers to connect to mysql database ports
+##
+##
+gen_tunable(ftpd_connect_db, false)
+
+##
++##
++## Allow ftp servers to connect to all ports > 1023
++##
++##
++gen_tunable(ftpd_connect_all_unreserved, false)
++
++##
+##
## Allow ftp to read and write files in the user home directories
##
##
-@@ -70,6 +77,14 @@ gen_tunable(sftpd_enable_homedirs, false)
+@@ -70,6 +84,14 @@ gen_tunable(sftpd_enable_homedirs, false)
##
gen_tunable(sftpd_full_access, false)
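Review bot: The description of the new `ftpd_connect_all_unreserved` tunable should say that it is strictly broader than `ftpd_connect_db` declared just above it, so an administrator is steered to the narrower boolean when only database access is needed; e.g. `## Allow ftp servers to connect to all ports > 1023 (a superset of ftpd_connect_db; prefer that boolean for database access alone).` The `false` default is the right choice for a grant of this width. The `ftp_systemctl` lines at the top of the hunk belong to an interface whose start is outside the hunk.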
@@ -39617,7 +39700,7 @@ index 8a74a83..6c4a30d 100644
type anon_sftpd_t;
typealias anon_sftpd_t alias sftpd_anon_t;
domain_type(anon_sftpd_t)
-@@ -85,6 +100,9 @@ files_config_file(ftpd_etc_t)
+@@ -85,6 +107,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
@@ -39627,7 +39710,7 @@ index 8a74a83..6c4a30d 100644
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)
-@@ -115,6 +133,10 @@ ifdef(`enable_mcs',`
+@@ -115,6 +140,10 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
')
@@ -39638,7 +39721,7 @@ index 8a74a83..6c4a30d 100644
########################################
#
# anon-sftp local policy
-@@ -122,6 +144,7 @@ ifdef(`enable_mcs',`
+@@ -122,6 +151,7 @@ ifdef(`enable_mcs',`
files_read_etc_files(anon_sftpd_t)
@@ -39646,7 +39729,7 @@ index 8a74a83..6c4a30d 100644
miscfiles_read_public_files(anon_sftpd_t)
tunable_policy(`sftpd_anon_write',`
-@@ -133,7 +156,7 @@ tunable_policy(`sftpd_anon_write',`
+@@ -133,7 +163,7 @@ tunable_policy(`sftpd_anon_write',`
# ftpd local policy
#
@@ -39655,7 +39738,7 @@ index 8a74a83..6c4a30d 100644
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
-@@ -151,7 +174,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+@@ -151,7 +181,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
@@ -39663,7 +39746,7 @@ index 8a74a83..6c4a30d 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -163,13 +185,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
+@@ -163,13 +192,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
@@ -39679,7 +39762,7 @@ index 8a74a83..6c4a30d 100644
# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -196,9 +218,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
+@@ -196,9 +225,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
@@ -39691,7 +39774,7 @@ index 8a74a83..6c4a30d 100644
corenet_sendrecv_ftp_server_packets(ftpd_t)
domain_use_interactive_fds(ftpd_t)
-@@ -212,13 +233,11 @@ fs_search_auto_mountpoints(ftpd_t)
+@@ -212,13 +240,11 @@ fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
fs_search_fusefs(ftpd_t)
@@ -39707,16 +39790,20 @@ index 8a74a83..6c4a30d 100644
init_rw_utmp(ftpd_t)
-@@ -261,7 +280,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+@@ -261,7 +287,11 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
tunable_policy(`allow_ftpd_full_access',`
allow ftpd_t self:capability { dac_override dac_read_search };
- auth_manage_all_files_except_shadow(ftpd_t)
+ files_manage_non_security_files(ftpd_t)
++')
++
++tunable_policy(`ftpd_connect_all_unreserved',`
++ corenet_tcp_connect_all_unreserved_ports(ftpd_t)
')
tunable_policy(`ftp_home_dir',`
-@@ -270,10 +289,13 @@ tunable_policy(`ftp_home_dir',`
+@@ -270,10 +300,13 @@ tunable_policy(`ftp_home_dir',`
# allow access to /home
files_list_home(ftpd_t)
userdom_read_user_home_content_files(ftpd_t)
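Review bot: The new `tunable_policy(`ftpd_connect_all_unreserved',` block is spliced in by closing the preceding `allow_ftpd_full_access` block with a fresh `')` and reusing the original closing line, which reads correctly but leaves it sitting between the full-access and home-dir tunables rather than next to the `ftpd_connect_db` block it complements; grouping the two connect tunables together would make the relationship obvious. If the `ftpd_connect_db` block (outside this hunk) pairs its connect rule with a packet send/recv interface, the new block should do the same for consistency — I cannot confirm that from the hunk. The enclosing tunable section continues outside the hunk.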
@@ -39734,7 +39821,7 @@ index 8a74a83..6c4a30d 100644
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,6 +331,10 @@ optional_policy(`
+@@ -309,6 +342,10 @@ optional_policy(`
')
optional_policy(`
@@ -39745,7 +39832,7 @@ index 8a74a83..6c4a30d 100644
selinux_validate_context(ftpd_t)
kerberos_keytab_template(ftpd, ftpd_t)
-@@ -316,6 +342,25 @@ optional_policy(`
+@@ -316,6 +353,25 @@ optional_policy(`
')
optional_policy(`
@@ -39771,7 +39858,7 @@ index 8a74a83..6c4a30d 100644
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
optional_policy(`
-@@ -347,16 +392,17 @@ optional_policy(`
+@@ -347,16 +403,17 @@ optional_policy(`
# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -39791,7 +39878,7 @@ index 8a74a83..6c4a30d 100644
########################################
#
-@@ -365,18 +411,33 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +422,33 @@ userdom_use_user_terminals(ftpdctl_t)
files_read_etc_files(sftpd_t)
@@ -39828,7 +39915,7 @@ index 8a74a83..6c4a30d 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,19 +455,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,19 +466,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -52606,7 +52693,7 @@ index 46bee12..1fbe0fa 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..c24aed3 100644
+index a32c4b3..dda5b86 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -52986,19 +53073,20 @@ index a32c4b3..c24aed3 100644
')
optional_policy(`
-@@ -599,6 +689,11 @@ optional_policy(`
+@@ -599,6 +689,12 @@ optional_policy(`
')
optional_policy(`
+ milter_stream_connect_all(postfix_smtpd_t)
+ spamassassin_read_pid_files(postfix_smtpd_t)
++ spamd_stream_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +706,6 @@ optional_policy(`
+@@ -611,7 +707,6 @@ optional_policy(`
# Postfix virtual local policy
#
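Review bot: `spamd_stream_connect(postfix_smtpd_t)` is added to an `optional_policy` block that also calls `milter_stream_connect_all`, so if this build follows refpolicy's rule that a whole `optional_policy` block is dropped when any of its modules is missing, the spamd permission silently disappears whenever the milter module is absent, even though it only depends on the spamassassin module. Give it its own block, the way `postgrey_stream_connect` gets one right below: `optional_policy(`` / `	spamd_stream_connect(postfix_smtpd_t)` / `')`. The existing milter/spamassassin grouping is history, but the new line should not extend it.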
@@ -53006,7 +53094,7 @@ index a32c4b3..c24aed3 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +724,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +725,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -58747,10 +58835,19 @@ index d6d76e1..9cb5e25 100644
+ nis_use_ypbind(rpcbind_t)
+')
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
-index 0b405d1..cdf9184 100644
+index 0b405d1..e91eb53 100644
--- a/policy/modules/services/rshd.te
+++ b/policy/modules/services/rshd.te
-@@ -66,16 +66,9 @@ seutil_read_config(rshd_t)
+@@ -39,6 +39,8 @@ corenet_sendrecv_rsh_server_packets(rshd_t)
+
+ dev_read_urand(rshd_t)
+
++domain_interactive_fd(rshd_t)
++
+ selinux_get_fs_mount(rshd_t)
+ selinux_validate_context(rshd_t)
+ selinux_compute_access_vector(rshd_t)
+@@ -66,16 +68,9 @@ seutil_read_config(rshd_t)
seutil_read_default_contexts(rshd_t)
userdom_search_user_home_content(rshd_t)
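Review bot: `domain_interactive_fd(rshd_t)` lets every domain that calls `domain_use_interactive_fds` use file descriptors inherited from rshd_t, the same privilege the other login daemons carry, and nothing in the hunk says why rshd now needs it; a one-line comment would keep the grant from looking accidental, e.g. `# rshd spawns user sessions that inherit its fds, as sshd does`. This change is also not listed in the 3.10.0-76 changelog entry at the end of the page. The rest of the rshd_t rules continue outside the hunk.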
@@ -60460,7 +60557,7 @@ index 7e94c7c..ca74cd9 100644
+ admin_pattern($1, mail_spool_t)
+')
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
-index 22dac1f..1c27bd6 100644
+index 22dac1f..75081a5 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
@@ -60499,9 +60596,14 @@ index 22dac1f..1c27bd6 100644
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
-@@ -129,6 +130,9 @@ optional_policy(`
+@@ -128,7 +129,14 @@ optional_policy(`
+ ')
optional_policy(`
++ dovecot_write_inherited_tmp_files(sendmail_t)
++')
++
++optional_policy(`
exim_domtrans(sendmail_t)
+ exim_manage_spool_files(sendmail_t)
+ exim_manage_spool_dirs(sendmail_t)
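Review bot: The changelog line that documents this hunk misspells the domain as `sendmain`; it should read `- Allow sendmail to write to inherited dovecot tmp files`. The new `dovecot_write_inherited_tmp_files(sendmail_t)` itself is correctly placed in its own `optional_policy` block ahead of the exim block, so only the changelog needs attention. The surrounding optional_policy blocks continue outside the hunk.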
@@ -60509,7 +60611,7 @@ index 22dac1f..1c27bd6 100644
')
optional_policy(`
-@@ -149,7 +153,9 @@ optional_policy(`
+@@ -149,7 +157,9 @@ optional_policy(`
')
optional_policy(`
@@ -60519,7 +60621,7 @@ index 22dac1f..1c27bd6 100644
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
')
-@@ -168,20 +174,13 @@ optional_policy(`
+@@ -168,20 +178,13 @@ optional_policy(`
')
optional_policy(`
@@ -70043,7 +70145,7 @@ index c6fdab7..41198a4 100644
cron_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..7a39e35 100644
+index 28ad538..29f3011 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,3 +1,5 @@
@@ -70099,7 +70201,16 @@ index 28ad538..7a39e35 100644
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
-@@ -45,5 +63,4 @@ ifdef(`distro_gentoo', `
+@@ -39,11 +57,13 @@ ifdef(`distro_gentoo', `
+ /var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0)
+ /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
+
++/var/lib/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++/var/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++
+ /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
+ /var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0)
+ /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
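Review bot: `/var/lib/rsa(/.*)?` and `/var/rsa(/.*)?` are labeled `var_auth_t`, the type already shared with `/var/run/pam_ssh` two lines below, so every domain granted write access to var_auth_t for one PAM module can now also modify whatever the RSA directories hold; if those directories carry authentication state rather than scratch data (the changelog only says login programs need to write there), a dedicated type with a narrower interface would be the least-privilege choice. The two entries are also inserted between `/var/log/wtmp.*` and `/var/run/console`; if the file is kept path-sorted, `/var/lib/rsa` belongs before the `/var/log` entries and `/var/rsa` directly before `/var/run/console`.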
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 884a15ef..865308c2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -16,7 +16,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 75%{?dist}
+Release: 76%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Jan 20 2012 Miroslav Grepl 3.10.0-76
+- Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there
+- bluetooth says they do not use /tmp and want to remove the type
+- Allow init to transition to colord
+- Mongod needs to read /proc/sys/vm/zone_reclaim_mode
+- Allow postfix_smtpd_t to connect to spamd
+- Add boolean to allow ftp to connect to all ports > 1023
+- Allow sendmain to write to inherited dovecot tmp files
+
* Mon Jan 16 2012 Miroslav Grepl 3.10.0-75
- Merge systemd patch
- systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online