- Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there

- bluetooth says they do not use /tmp and want to remove the type - Allow init to transition to colord - Mongod needs to read /proc/sys/vm/zone_reclaim_mode - Allow postfix_smtpd_t to connect to spamd - Add boolean to allow ftp to connect to all ports > 1023 - Allow sendmain to write to inherited dovecot tmp files
2012-01-20 14:43:02 +01:00 · 2012-01-20 14:43:02 +01:00 · de9114f624
parent 291b1f5075
commit de9114f624
2 changed files with 204 additions and 84 deletions
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -24370,7 +24370,7 @@ index 0b827c5..7f57a98 100644
 +	dontaudit $1 abrt_t:sock_file write;
 +')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..939e294 100644
+index 30861ec..c66fd4a 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
@ -24510,16 +24510,17 @@ index 30861ec..939e294 100644
 files_read_var_symlinks(abrt_t)
 files_read_var_lib_files(abrt_t)
 files_read_usr_files(abrt_t)
-@@ -121,6 +175,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +175,9 @@ files_read_generic_tmp_files(abrt_t)
 files_read_kernel_modules(abrt_t)
 files_dontaudit_list_default(abrt_t)
 files_dontaudit_read_default_files(abrt_t)
 +files_dontaudit_read_all_symlinks(abrt_t)
 +files_dontaudit_getattr_all_sockets(abrt_t)
 +files_list_mnt(abrt_t)
 fs_list_inotifyfs(abrt_t)
 fs_getattr_all_fs(abrt_t)
-@@ -131,22 +187,26 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +188,26 @@ fs_read_nfs_files(abrt_t)
 fs_read_nfs_symlinks(abrt_t)
 fs_search_all(abrt_t)
@ -24552,7 +24553,7 @@ index 30861ec..939e294 100644
 ')
 optional_policy(`
-@@ -167,6 +227,7 @@ optional_policy(`
+@@ -167,6 +228,7 @@ optional_policy(`
 	rpm_exec(abrt_t)
 	rpm_dontaudit_manage_db(abrt_t)
 	rpm_manage_cache(abrt_t)
@ -24560,7 +24561,7 @@ index 30861ec..939e294 100644
 	rpm_manage_pid_files(abrt_t)
 	rpm_read_db(abrt_t)
 	rpm_signull(abrt_t)
-@@ -178,12 +239,35 @@ optional_policy(`
+@@ -178,12 +240,35 @@ optional_policy(`
 ')
 optional_policy(`
@ -24597,7 +24598,7 @@ index 30861ec..939e294 100644
 #
 allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +284,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +285,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
 read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@ -24626,7 +24627,7 @@ index 30861ec..939e294 100644
 	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
 	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
 	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +307,128 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +308,128 @@ ifdef(`hide_broken_symptoms', `
 	dev_dontaudit_write_all_chr_files(abrt_helper_t)
 	dev_dontaudit_write_all_blk_files(abrt_helper_t)
 	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@ -28429,7 +28430,7 @@ index 0000000..bccefc9
 +	gnome_search_gconf(blueman_t)
 +')
 diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
-index 3e45431..a726c09 100644
+index 3e45431..58b9ece 100644
 --- a/policy/modules/services/bluetooth.if
 +++ b/policy/modules/services/bluetooth.if
@@ -14,6 +14,7 @@
@ -28519,11 +28520,13 @@ index 3e45431..a726c09 100644
 ')
 ########################################
-@@ -194,14 +222,17 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+@@ -193,23 +221,23 @@ interface(`bluetooth_dontaudit_read_helper_state',`
 #
 interface(`bluetooth_admin',`
 	gen_require(`
- 		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
+-		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
 -		type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
 +		type bluetooth_t, bluetooth_lock_t;
 +		type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
 		type bluetooth_conf_t, bluetooth_conf_rw_t;
 -		type bluetooth_initrc_exec_t;
@ -28540,7 +28543,15 @@ index 3e45431..a726c09 100644
 	init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 bluetooth_initrc_exec_t system_r;
-@@ -217,9 +248,6 @@ interface(`bluetooth_admin',`
+ 	allow $2 system_r;
 -	files_list_tmp($1)
 -	admin_pattern($1, bluetooth_tmp_t)
 -
 	files_list_var($1)
 	admin_pattern($1, bluetooth_lock_t)
@@ -217,9 +245,6 @@ interface(`bluetooth_admin',`
 	admin_pattern($1, bluetooth_conf_t)
 	admin_pattern($1, bluetooth_conf_rw_t)
@ -28551,7 +28562,7 @@ index 3e45431..a726c09 100644
 	admin_pattern($1, bluetooth_var_lib_t)
 diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
-index 215b86b..2bb14b2 100644
+index 215b86b..76ab538 100644
 --- a/policy/modules/services/bluetooth.te
 +++ b/policy/modules/services/bluetooth.te
@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.3.0)
@ -28569,7 +28580,28 @@ index 215b86b..2bb14b2 100644
 type bluetooth_conf_rw_t;
 files_type(bluetooth_conf_rw_t)
-@@ -147,6 +148,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
+@@ -39,9 +40,6 @@ init_script_file(bluetooth_initrc_exec_t)
 type bluetooth_lock_t;
 files_lock_file(bluetooth_lock_t)
 -type bluetooth_tmp_t;
 -files_tmp_file(bluetooth_tmp_t)
 -
 type bluetooth_var_lib_t;
 files_type(bluetooth_var_lib_t)
@@ -80,10 +78,6 @@ can_exec(bluetooth_t, bluetooth_helper_exec_t)
 allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
 files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
 -manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
 -manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
 -files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })
 -
 manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
 manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
 files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
@@ -147,6 +141,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
 userdom_dontaudit_search_user_home_dirs(bluetooth_t)
 optional_policy(`
@ -28580,7 +28612,7 @@ index 215b86b..2bb14b2 100644
 	dbus_system_bus_client(bluetooth_t)
 	dbus_connect_system_bus(bluetooth_t)
-@@ -190,7 +195,6 @@ allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
+@@ -190,7 +188,6 @@ allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
 allow bluetooth_helper_t self:shm create_shm_perms;
 allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow bluetooth_helper_t self:tcp_socket create_socket_perms;
@ -28588,7 +28620,7 @@ index 215b86b..2bb14b2 100644
 allow bluetooth_helper_t bluetooth_t:socket { read write };
-@@ -220,6 +224,8 @@ files_read_etc_runtime_files(bluetooth_helper_t)
+@@ -220,6 +217,8 @@ files_read_etc_runtime_files(bluetooth_helper_t)
 files_read_usr_files(bluetooth_helper_t)
 files_dontaudit_list_default(bluetooth_helper_t)
@ -28597,7 +28629,7 @@ index 215b86b..2bb14b2 100644
 locallogin_dontaudit_use_fds(bluetooth_helper_t)
 logging_send_syslog_msg(bluetooth_helper_t)
-@@ -236,9 +242,5 @@ optional_policy(`
+@@ -236,9 +235,5 @@ optional_policy(`
 ')
 optional_policy(`
@ -31101,10 +31133,10 @@ index 0000000..7f55959
 +')
 diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
 new file mode 100644
-index 0000000..2be12fd
+index 0000000..8b32b57
 --- /dev/null
 +++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,220 @@
+@@ -0,0 +1,222 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@ -31278,6 +31310,8 @@ index 0000000..2be12fd
 +corenet_tcp_bind_generic_node(mongod_t)
 +corenet_tcp_bind_mongod_port(mongod_t)
 +
 +kernel_read_vm_sysctls(mongod_t)
 +
 +files_read_usr_files(mongod_t)
 +
 +optional_policy(`
@ -32115,10 +32149,18 @@ index 0000000..ca71d08
 +')
 +
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..be3683b 100644
+index 74505cc..029adf3 100644
 --- a/policy/modules/services/colord.te
 +++ b/policy/modules/services/colord.te
-@@ -23,9 +23,11 @@ files_type(colord_var_lib_t)
+@@ -8,6 +8,7 @@ policy_module(colord, 1.0.0)
 type colord_t;
 type colord_exec_t;
 dbus_system_domain(colord_t, colord_exec_t)
 +init_daemon_domain(colord_t, colord_exec_t)
 type colord_tmp_t;
 files_tmp_file(colord_tmp_t)
@@ -23,9 +24,11 @@ files_type(colord_var_lib_t)
 # colord local policy
 #
 allow colord_t self:capability { dac_read_search dac_override };
@ -32130,7 +32172,7 @@ index 74505cc..be3683b 100644
 allow colord_t self:udp_socket create_socket_perms;
 allow colord_t self:unix_dgram_socket create_socket_perms;
-@@ -41,8 +43,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+@@ -41,8 +44,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
@ -32146,7 +32188,7 @@ index 74505cc..be3683b 100644
 corenet_all_recvfrom_unlabeled(colord_t)
 corenet_all_recvfrom_netlabel(colord_t)
-@@ -50,6 +58,8 @@ corenet_udp_bind_generic_node(colord_t)
+@@ -50,6 +59,8 @@ corenet_udp_bind_generic_node(colord_t)
 corenet_udp_bind_ipp_port(colord_t)
 corenet_tcp_connect_ipp_port(colord_t)
@ -32155,7 +32197,7 @@ index 74505cc..be3683b 100644
 dev_read_video_dev(colord_t)
 dev_write_video_dev(colord_t)
 dev_rw_printer(colord_t)
-@@ -65,19 +75,33 @@ files_list_mnt(colord_t)
+@@ -65,19 +76,33 @@ files_list_mnt(colord_t)
 files_read_etc_files(colord_t)
 files_read_usr_files(colord_t)
@ -32190,7 +32232,7 @@ index 74505cc..be3683b 100644
 	fs_read_cifs_files(colord_t)
 ')
-@@ -89,6 +113,12 @@ optional_policy(`
+@@ -89,6 +114,12 @@ optional_policy(`
 ')
 optional_policy(`
@ -32203,7 +32245,7 @@ index 74505cc..be3683b 100644
 	policykit_dbus_chat(colord_t)
 	policykit_domtrans_auth(colord_t)
 	policykit_read_lib(colord_t)
-@@ -96,5 +126,16 @@ optional_policy(`
+@@ -96,5 +127,16 @@ optional_policy(`
 ')
 optional_policy(`
@ -33310,7 +33352,7 @@ index 35241ed..7a0913c 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..a4d25d9 100644
+index f7583ab..958bd54 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@ -33456,7 +33498,15 @@ index f7583ab..a4d25d9 100644
 allow crond_t self:process { setexec setfscreate };
 allow crond_t self:fd use;
 allow crond_t self:fifo_file rw_fifo_file_perms;
-@@ -187,12 +203,16 @@ fs_list_inotifyfs(crond_t)
+@@ -151,6 +167,7 @@ allow crond_t self:sem create_sem_perms;
 allow crond_t self:msgq create_msgq_perms;
 allow crond_t self:msg { send receive };
 allow crond_t self:key { search write link };
 +dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
 manage_files_pattern(crond_t, cron_log_t, cron_log_t)
 logging_log_filetrans(crond_t, cron_log_t, file)
@@ -187,12 +204,16 @@ fs_list_inotifyfs(crond_t)
 # need auth_chkpwd to check for locked accounts.
 auth_domtrans_chk_passwd(crond_t)
@ -33473,7 +33523,7 @@ index f7583ab..a4d25d9 100644
 files_read_usr_files(crond_t)
 files_read_etc_runtime_files(crond_t)
-@@ -203,11 +223,28 @@ files_list_usr(crond_t)
+@@ -203,11 +224,28 @@ files_list_usr(crond_t)
 files_search_var_lib(crond_t)
 files_search_default(crond_t)
@ -33502,7 +33552,7 @@ index f7583ab..a4d25d9 100644
 logging_send_syslog_msg(crond_t)
 logging_set_loginuid(crond_t)
-@@ -220,8 +257,11 @@ miscfiles_read_localization(crond_t)
+@@ -220,8 +258,11 @@ miscfiles_read_localization(crond_t)
 userdom_use_unpriv_users_fds(crond_t)
 # Not sure why this is needed
 userdom_list_user_home_dirs(crond_t)
@ -33514,7 +33564,7 @@ index f7583ab..a4d25d9 100644
 ifdef(`distro_debian',`
 	# pam_limits is used
-@@ -233,7 +273,7 @@ ifdef(`distro_debian',`
+@@ -233,7 +274,7 @@ ifdef(`distro_debian',`
 	')
 ')
@ -33523,7 +33573,7 @@ index f7583ab..a4d25d9 100644
 	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 	# via redirection of standard out.
 	optional_policy(`
-@@ -250,11 +290,27 @@ tunable_policy(`fcron_crond', `
+@@ -250,11 +291,27 @@ tunable_policy(`fcron_crond', `
 ')
 optional_policy(`
@ -33551,7 +33601,7 @@ index f7583ab..a4d25d9 100644
 	amanda_search_var_lib(crond_t)
 ')
-@@ -264,6 +320,8 @@ optional_policy(`
+@@ -264,6 +321,8 @@ optional_policy(`
 optional_policy(`
 	hal_dbus_chat(crond_t)
@ -33560,7 +33610,7 @@ index f7583ab..a4d25d9 100644
 ')
 optional_policy(`
-@@ -286,15 +344,25 @@ optional_policy(`
+@@ -286,15 +345,25 @@ optional_policy(`
 ')
 optional_policy(`
@ -33586,7 +33636,7 @@ index f7583ab..a4d25d9 100644
 allow system_cronjob_t self:process { signal_perms getsched setsched };
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
-@@ -306,10 +374,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +375,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
 # This is to handle /var/lib/misc directory.  Used currently
 # by prelink var/lib files for cron 
@ -33607,7 +33657,7 @@ index f7583ab..a4d25d9 100644
 # The entrypoint interface is not used as this is not
 # a regular entrypoint.  Since crontab files are
 # not directly executed, crond must ensure that
-@@ -329,6 +406,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,6 +407,7 @@ allow crond_t system_cronjob_t:fd use;
 allow system_cronjob_t crond_t:fd use;
 allow system_cronjob_t crond_t:fifo_file rw_file_perms;
 allow system_cronjob_t crond_t:process sigchld;
@ -33615,7 +33665,7 @@ index f7583ab..a4d25d9 100644
 # Write /var/lock/makewhatis.lock.
 allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -340,9 +418,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,9 +419,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
 files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@ -33630,7 +33680,7 @@ index f7583ab..a4d25d9 100644
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
-@@ -365,6 +447,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +448,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
 dev_getattr_all_blk_files(system_cronjob_t)
 dev_getattr_all_chr_files(system_cronjob_t)
 dev_read_urand(system_cronjob_t)
@ -33638,7 +33688,7 @@ index f7583ab..a4d25d9 100644
 fs_getattr_all_fs(system_cronjob_t)
 fs_getattr_all_files(system_cronjob_t)
-@@ -391,6 +474,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +475,7 @@ files_dontaudit_search_pids(system_cronjob_t)
 # Access other spool directories like
 # /var/spool/anacron and /var/spool/slrnpull.
 files_manage_generic_spool(system_cronjob_t)
@ -33646,7 +33696,7 @@ index f7583ab..a4d25d9 100644
 init_use_script_fds(system_cronjob_t)
 init_read_utmp(system_cronjob_t)
-@@ -413,8 +497,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +498,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
 seutil_read_config(system_cronjob_t)
@ -33658,7 +33708,7 @@ index f7583ab..a4d25d9 100644
 	# via redirection of standard out.
 	optional_policy(`
 		rpm_manage_log(system_cronjob_t)
-@@ -439,6 +525,8 @@ optional_policy(`
+@@ -439,6 +526,8 @@ optional_policy(`
 	apache_read_config(system_cronjob_t)
 	apache_read_log(system_cronjob_t)
 	apache_read_sys_content(system_cronjob_t)
@ -33667,7 +33717,7 @@ index f7583ab..a4d25d9 100644
 ')
 optional_policy(`
-@@ -446,6 +534,14 @@ optional_policy(`
+@@ -446,6 +535,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -33682,7 +33732,7 @@ index f7583ab..a4d25d9 100644
 	ftp_read_log(system_cronjob_t)
 ')
-@@ -456,6 +552,10 @@ optional_policy(`
+@@ -456,6 +553,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -33693,7 +33743,7 @@ index f7583ab..a4d25d9 100644
 	lpd_list_spool(system_cronjob_t)
 ')
-@@ -464,7 +564,9 @@ optional_policy(`
+@@ -464,7 +565,9 @@ optional_policy(`
 ')
 optional_policy(`
@ -33703,7 +33753,7 @@ index f7583ab..a4d25d9 100644
 ')
 optional_policy(`
-@@ -472,6 +574,10 @@ optional_policy(`
+@@ -472,6 +575,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -33714,7 +33764,7 @@ index f7583ab..a4d25d9 100644
 	postfix_read_config(system_cronjob_t)
 ')	
-@@ -480,7 +586,7 @@ optional_policy(`
+@@ -480,7 +587,7 @@ optional_policy(`
 	prelink_manage_lib(system_cronjob_t)
 	prelink_manage_log(system_cronjob_t)
 	prelink_read_cache(system_cronjob_t)
@ -33723,7 +33773,7 @@ index f7583ab..a4d25d9 100644
 ')
 optional_policy(`
-@@ -495,6 +601,7 @@ optional_policy(`
+@@ -495,6 +602,7 @@ optional_policy(`
 optional_policy(`
 	spamassassin_manage_lib_files(system_cronjob_t)
@ -33731,7 +33781,7 @@ index f7583ab..a4d25d9 100644
 ')
 optional_policy(`
-@@ -502,7 +609,13 @@ optional_policy(`
+@@ -502,7 +610,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -33745,7 +33795,7 @@ index f7583ab..a4d25d9 100644
 	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
 ')
-@@ -595,9 +708,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +709,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
 #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
 list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@ -37431,7 +37481,7 @@ index bfc880b..9a1dcba 100644
 ')
 diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
-index e1d7dc5..0557be0 100644
+index e1d7dc5..13e4800 100644
 --- a/policy/modules/services/dovecot.if
 +++ b/policy/modules/services/dovecot.if
@@ -1,5 +1,24 @@
@ -37482,7 +37532,33 @@ index e1d7dc5..0557be0 100644
 	manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
 	manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
 ')
-@@ -93,16 +113,17 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
+@@ -74,6 +94,25 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
 	dontaudit $1 dovecot_var_lib_t:file unlink;
 ')
 +######################################
 +## <summary>
 +##	Allow attempts to write inherited
 +##	dovecot tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`dovecot_write_inherited_tmp_files',`
 +	gen_require(`
 +		type dovecot_tmp_t;
 +	')
 +
 +	allow $1 dovecot_tmp_t:file write;
 +')
 +
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
@@ -93,16 +132,17 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
 #
 interface(`dovecot_admin',`
 	gen_require(`
@ -37507,7 +37583,7 @@ index e1d7dc5..0557be0 100644
 	init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
 	domain_system_change_exemption($1)
-@@ -112,8 +133,11 @@ interface(`dovecot_admin',`
+@@ -112,8 +152,11 @@ interface(`dovecot_admin',`
 	files_list_etc($1)
 	admin_pattern($1, dovecot_etc_t)
@ -37521,7 +37597,7 @@ index e1d7dc5..0557be0 100644
 	files_list_spool($1)
 	admin_pattern($1, dovecot_spool_t)
-@@ -121,6 +145,9 @@ interface(`dovecot_admin',`
+@@ -121,6 +164,9 @@ interface(`dovecot_admin',`
 	files_list_var_lib($1)
 	admin_pattern($1, dovecot_var_lib_t)
@ -39585,24 +39661,31 @@ index 9d3201b..41c2c99 100644
 +	ftp_systemctl($1)
 ')
 diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..6c4a30d 100644
+index 8a74a83..84fe0c6 100644
 --- a/policy/modules/services/ftp.te
 +++ b/policy/modules/services/ftp.te
-@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
+@@ -40,6 +40,20 @@ gen_tunable(allow_ftpd_use_nfs, false)
 ## <desc>
 ## <p>
-+## Allow ftp servers to use connect to mysql database
+## Allow ftp servers to connect to mysql database ports
 +## </p>
 +## </desc>
 +gen_tunable(ftpd_connect_db, false)
 +
 +## <desc>
 +## <p>
 +## Allow ftp servers to connect to all ports > 1023
 +## </p>
 +## </desc>
 +gen_tunable(ftpd_connect_all_unreserved, false)
 +
 +## <desc>
 +## <p>
 ## Allow ftp to read and write files in the user home directories
 ## </p>
 ## </desc>
-@@ -70,6 +77,14 @@ gen_tunable(sftpd_enable_homedirs, false)
+@@ -70,6 +84,14 @@ gen_tunable(sftpd_enable_homedirs, false)
 ## </desc>
 gen_tunable(sftpd_full_access, false)
@ -39617,7 +39700,7 @@ index 8a74a83..6c4a30d 100644
 type anon_sftpd_t;
 typealias anon_sftpd_t alias sftpd_anon_t;
 domain_type(anon_sftpd_t)
-@@ -85,6 +100,9 @@ files_config_file(ftpd_etc_t)
+@@ -85,6 +107,9 @@ files_config_file(ftpd_etc_t)
 type ftpd_initrc_exec_t;
 init_script_file(ftpd_initrc_exec_t)
@ -39627,7 +39710,7 @@ index 8a74a83..6c4a30d 100644
 type ftpd_lock_t;
 files_lock_file(ftpd_lock_t)
-@@ -115,6 +133,10 @@ ifdef(`enable_mcs',`
+@@ -115,6 +140,10 @@ ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
 ')
@ -39638,7 +39721,7 @@ index 8a74a83..6c4a30d 100644
 ########################################
 #
 # anon-sftp local policy
-@@ -122,6 +144,7 @@ ifdef(`enable_mcs',`
+@@ -122,6 +151,7 @@ ifdef(`enable_mcs',`
 files_read_etc_files(anon_sftpd_t)
@ -39646,7 +39729,7 @@ index 8a74a83..6c4a30d 100644
 miscfiles_read_public_files(anon_sftpd_t)
 tunable_policy(`sftpd_anon_write',`
-@@ -133,7 +156,7 @@ tunable_policy(`sftpd_anon_write',`
+@@ -133,7 +163,7 @@ tunable_policy(`sftpd_anon_write',`
 # ftpd local policy
 #
@ -39655,7 +39738,7 @@ index 8a74a83..6c4a30d 100644
 dontaudit ftpd_t self:capability sys_tty_config;
 allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
 allow ftpd_t self:fifo_file rw_fifo_file_perms;
-@@ -151,7 +174,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+@@ -151,7 +181,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
 manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
 manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
@ -39663,7 +39746,7 @@ index 8a74a83..6c4a30d 100644
 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -163,13 +185,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
+@@ -163,13 +192,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
 manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
 manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
 manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
@ -39679,7 +39762,7 @@ index 8a74a83..6c4a30d 100644
 # Create and modify /var/log/xferlog.
 manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -196,9 +218,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
+@@ -196,9 +225,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
 corenet_tcp_bind_ftp_port(ftpd_t)
 corenet_tcp_bind_ftp_data_port(ftpd_t)
 corenet_tcp_bind_generic_port(ftpd_t)
@ -39691,7 +39774,7 @@ index 8a74a83..6c4a30d 100644
 corenet_sendrecv_ftp_server_packets(ftpd_t)
 domain_use_interactive_fds(ftpd_t)
-@@ -212,13 +233,11 @@ fs_search_auto_mountpoints(ftpd_t)
+@@ -212,13 +240,11 @@ fs_search_auto_mountpoints(ftpd_t)
 fs_getattr_all_fs(ftpd_t)
 fs_search_fusefs(ftpd_t)
@ -39707,16 +39790,20 @@ index 8a74a83..6c4a30d 100644
 init_rw_utmp(ftpd_t)
-@@ -261,7 +280,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+@@ -261,7 +287,11 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
 tunable_policy(`allow_ftpd_full_access',`
 	allow ftpd_t self:capability { dac_override dac_read_search };
 -	auth_manage_all_files_except_shadow(ftpd_t)
 +	files_manage_non_security_files(ftpd_t)
 +')
 +
 +tunable_policy(`ftpd_connect_all_unreserved',`
 +	corenet_tcp_connect_all_unreserved_ports(ftpd_t)
 ')
 tunable_policy(`ftp_home_dir',`
-@@ -270,10 +289,13 @@ tunable_policy(`ftp_home_dir',`
+@@ -270,10 +300,13 @@ tunable_policy(`ftp_home_dir',`
 	# allow access to /home
 	files_list_home(ftpd_t)
 	userdom_read_user_home_content_files(ftpd_t)
@ -39734,7 +39821,7 @@ index 8a74a83..6c4a30d 100644
 ')
 tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,6 +331,10 @@ optional_policy(`
+@@ -309,6 +342,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -39745,7 +39832,7 @@ index 8a74a83..6c4a30d 100644
 	selinux_validate_context(ftpd_t)
 	kerberos_keytab_template(ftpd, ftpd_t)
-@@ -316,6 +342,25 @@ optional_policy(`
+@@ -316,6 +353,25 @@ optional_policy(`
 ')
 optional_policy(`
@ -39771,7 +39858,7 @@ index 8a74a83..6c4a30d 100644
 	inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
 	optional_policy(`
-@@ -347,16 +392,17 @@ optional_policy(`
+@@ -347,16 +403,17 @@ optional_policy(`
 # Allow ftpdctl to talk to ftpd over a socket connection
 stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@ -39791,7 +39878,7 @@ index 8a74a83..6c4a30d 100644
 ########################################
 #
-@@ -365,18 +411,33 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +422,33 @@ userdom_use_user_terminals(ftpdctl_t)
 files_read_etc_files(sftpd_t)
@ -39828,7 +39915,7 @@ index 8a74a83..6c4a30d 100644
 ')
 tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,19 +455,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,19 +466,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
 tunable_policy(`sftpd_full_access',`
 	allow sftpd_t self:capability { dac_override dac_read_search };
 	fs_read_noxattr_fs_files(sftpd_t)
@ -52606,7 +52693,7 @@ index 46bee12..1fbe0fa 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..c24aed3 100644
+index a32c4b3..dda5b86 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@ -52986,19 +53073,20 @@ index a32c4b3..c24aed3 100644
 ')
 optional_policy(`
-@@ -599,6 +689,11 @@ optional_policy(`
+@@ -599,6 +689,12 @@ optional_policy(`
 ')
 optional_policy(`
 +	milter_stream_connect_all(postfix_smtpd_t)
 +	spamassassin_read_pid_files(postfix_smtpd_t)
 +	spamd_stream_connect(postfix_smtpd_t)
 +')
 +
 +optional_policy(`
 	postgrey_stream_connect(postfix_smtpd_t)
 ')
-@@ -611,7 +706,6 @@ optional_policy(`
+@@ -611,7 +707,6 @@ optional_policy(`
 # Postfix virtual local policy
 #
@ -53006,7 +53094,7 @@ index a32c4b3..c24aed3 100644
 allow postfix_virtual_t self:process { setsched setrlimit };
 allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +724,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +725,8 @@ mta_delete_spool(postfix_virtual_t)
 # For reading spamassasin
 mta_read_config(postfix_virtual_t)
 mta_manage_spool(postfix_virtual_t)
@ -58747,10 +58835,19 @@ index d6d76e1..9cb5e25 100644
 +	nis_use_ypbind(rpcbind_t)
 +')
 diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
-index 0b405d1..cdf9184 100644
+index 0b405d1..e91eb53 100644
 --- a/policy/modules/services/rshd.te
 +++ b/policy/modules/services/rshd.te
-@@ -66,16 +66,9 @@ seutil_read_config(rshd_t)
+@@ -39,6 +39,8 @@ corenet_sendrecv_rsh_server_packets(rshd_t)
 dev_read_urand(rshd_t)
 +domain_interactive_fd(rshd_t)
 +
 selinux_get_fs_mount(rshd_t)
 selinux_validate_context(rshd_t)
 selinux_compute_access_vector(rshd_t)
@@ -66,16 +68,9 @@ seutil_read_config(rshd_t)
 seutil_read_default_contexts(rshd_t)
 userdom_search_user_home_content(rshd_t)
@ -60460,7 +60557,7 @@ index 7e94c7c..ca74cd9 100644
 +	admin_pattern($1, mail_spool_t)
 +')
 diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
-index 22dac1f..1c27bd6 100644
+index 22dac1f..75081a5 100644
 --- a/policy/modules/services/sendmail.te
 +++ b/policy/modules/services/sendmail.te
@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
@ -60499,9 +60596,14 @@ index 22dac1f..1c27bd6 100644
 mta_read_config(sendmail_t)
 mta_etc_filetrans_aliases(sendmail_t)
-@@ -129,6 +130,9 @@ optional_policy(`
+@@ -128,7 +129,14 @@ optional_policy(`
 ')
 optional_policy(`
 +	dovecot_write_inherited_tmp_files(sendmail_t)
 +')
 +
 +optional_policy(`
 	exim_domtrans(sendmail_t)
 +	exim_manage_spool_files(sendmail_t)
 +	exim_manage_spool_dirs(sendmail_t)
@ -60509,7 +60611,7 @@ index 22dac1f..1c27bd6 100644
 ')
 optional_policy(`
-@@ -149,7 +153,9 @@ optional_policy(`
+@@ -149,7 +157,9 @@ optional_policy(`
 ')
 optional_policy(`
@ -60519,7 +60621,7 @@ index 22dac1f..1c27bd6 100644
 	postfix_read_config(sendmail_t)
 	postfix_search_spool(sendmail_t)
 ')
-@@ -168,20 +174,13 @@ optional_policy(`
+@@ -168,20 +178,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -70043,7 +70145,7 @@ index c6fdab7..41198a4 100644
 	cron_sigchld(application_domain_type)
 ')
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..7a39e35 100644
+index 28ad538..29f3011 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
@@ -1,3 +1,5 @@
@ -70099,7 +70201,16 @@ index 28ad538..7a39e35 100644
 /var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
 /var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
-@@ -45,5 +63,4 @@ ifdef(`distro_gentoo', `
+@@ -39,11 +57,13 @@ ifdef(`distro_gentoo', `
 /var/log/tallylog	--	gen_context(system_u:object_r:faillog_t,s0)
 /var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
 +/var/lib/rsa(/.*)? 		gen_context(system_u:object_r:var_auth_t,s0)
 +/var/rsa(/.*)?	 		gen_context(system_u:object_r:var_auth_t,s0)
 +
 /var/run/console(/.*)?	 	gen_context(system_u:object_r:pam_var_console_t,s0)
 /var/run/faillock(/.*)?		gen_context(system_u:object_r:faillog_t,s0)
 /var/run/pam_mount(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -16,7 +16,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 75%{?dist}
+Release: 76%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -471,6 +471,15 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Fri Jan 20 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-76
 - Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there
 - bluetooth says they do not use /tmp and want to remove the type
 - Allow init to transition to colord
 - Mongod needs to read /proc/sys/vm/zone_reclaim_mode
 - Allow postfix_smtpd_t to connect to spamd
 - Add boolean to allow ftp to connect to all ports > 1023
 - Allow sendmain to write to inherited dovecot tmp files
 * Mon Jan 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-75
 - Merge systemd patch
 - systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online