- Fix up corecommands.fc to match upstream

- Make sure /lib/systemd/* is labeled init_exec_t
- mount wants to setattr on all mountpoints
- dovecot auth wants to read dovecot etc files
- nscd daemon looks at the exe file of the comunicating daemon
- openvpn wants to read utmp file
- postfix apps now set sys_nice and lower limits
- remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly
- Also resolves nsswitch
- Fix labels on /etc/hosts.*
- Cleanup to make upsteam patch work
- allow abrt to read etc_runtime_t

policy-F15.patch

@@ -8173,7 +8173,7 @@ index 099f57f..5843cad 100644
 +# broken kernel
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 3517db2..bd4c23d 100644
+index 3517db2..4dd4bef 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -8269,12 +8269,14 @@ index 3517db2..bd4c23d 100644
  /var/tmp/.*			<<none>>
  /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/tmp/lost\+found/.*		<<none>>
-@@ -258,3 +268,5 @@ ifndef(`distro_redhat',`
+@@ -258,3 +268,7 @@ ifndef(`distro_redhat',`
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  ')
 +/nsr(/.*)?						gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?						gen_context(system_u:object_r:var_log_t,s0)
++
++/usr/lib/debug			<<none>>
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
 index 5302dac..9b828ee 100644
 --- a/policy/modules/kernel/files.if
@@ -9313,7 +9315,7 @@ index 59bae6a..2e55e71 100644
 +/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/dev/hugepages(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 437a42a..54a884b 100644
+index 437a42a..b9e3aa9 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -9542,7 +9544,23 @@ index 437a42a..54a884b 100644
  ')
  
  ########################################
-@@ -2395,6 +2514,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2331,6 +2450,7 @@ interface(`fs_read_nfs_files',`
+ 		type nfs_t;
+ 	')
+ 
++	fs_search_auto_mountpoints($1)
+ 	allow $1 nfs_t:dir list_dir_perms;
+ 	read_files_pattern($1, nfs_t, nfs_t)
+ ')
+@@ -2369,6 +2489,7 @@ interface(`fs_write_nfs_files',`
+ 		type nfs_t;
+ 	')
+ 
++	fs_search_auto_mountpoints($1)
+ 	allow $1 nfs_t:dir list_dir_perms;
+ 	write_files_pattern($1, nfs_t, nfs_t)
+ ')
+@@ -2395,6 +2516,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -9568,7 +9586,7 @@ index 437a42a..54a884b 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2435,6 +2573,24 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2435,6 +2575,24 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -9593,7 +9611,7 @@ index 437a42a..54a884b 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2449,7 +2605,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2449,7 +2607,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -9602,7 +9620,7 @@ index 437a42a..54a884b 100644
  ')
  
  ########################################
-@@ -2637,6 +2793,24 @@ interface(`fs_dontaudit_read_removable_files',`
+@@ -2637,6 +2795,24 @@ interface(`fs_dontaudit_read_removable_files',`
  
  ########################################
  ## <summary>
@@ -9627,7 +9645,23 @@ index 437a42a..54a884b 100644
  ##	Read removable storage symbolic links.
  ## </summary>
  ## <param name="domain">
-@@ -2845,7 +3019,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+@@ -2779,6 +2955,7 @@ interface(`fs_manage_nfs_dirs',`
+ 		type nfs_t;
+ 	')
+ 
++	fs_search_auto_mountpoints($1)
+ 	allow $1 nfs_t:dir manage_dir_perms;
+ ')
+ 
+@@ -2819,6 +2996,7 @@ interface(`fs_manage_nfs_files',`
+ 		type nfs_t;
+ 	')
+ 
++	fs_search_auto_mountpoints($1)
+ 	manage_files_pattern($1, nfs_t, nfs_t)
+ ')
+ 
+@@ -2845,7 +3023,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
  #########################################
  ## <summary>
  ##	Create, read, write, and delete symbolic links
@@ -9636,7 +9670,15 @@ index 437a42a..54a884b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3970,6 +4144,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -2859,6 +3037,7 @@ interface(`fs_manage_nfs_symlinks',`
+ 		type nfs_t;
+ 	')
+ 
++	fs_search_auto_mountpoints($1)
+ 	manage_lnk_files_pattern($1, nfs_t, nfs_t)
+ ')
+ 
+@@ -3970,6 +4149,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -9679,7 +9721,7 @@ index 437a42a..54a884b 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4252,6 +4462,8 @@ interface(`fs_mount_all_fs',`
+@@ -4252,6 +4467,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -9688,7 +9730,7 @@ index 437a42a..54a884b 100644
  ')
  
  ########################################
-@@ -4662,3 +4874,24 @@ interface(`fs_unconfined',`
+@@ -4662,3 +4879,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -14885,6 +14927,19 @@ index 4deca04..0bde225 100644
  ')
  
  optional_policy(`
+diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
+index 5f239ca..29de096 100644
+--- a/policy/modules/services/bitlbee.te
++++ b/policy/modules/services/bitlbee.te
+@@ -28,7 +28,7 @@ files_type(bitlbee_var_t)
+ #
+ 
+ allow bitlbee_t self:capability { setgid setuid };
+-allow bitlbee_t self:process signal;
++allow bitlbee_t self:process { setsched signal };
+ allow bitlbee_t self:udp_socket create_socket_perms;
+ allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+ allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
 diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
 index 3e45431..fa57a6f 100644
 --- a/policy/modules/services/bluetooth.if
@@ -15908,7 +15963,7 @@ index 7a6e5ba..d664be8 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index 1a65b5e..e281c74 100644
+index 1a65b5e..1bc0bc7 100644
 --- a/policy/modules/services/certmonger.te
 +++ b/policy/modules/services/certmonger.te
 @@ -24,6 +24,7 @@ files_type(certmonger_var_lib_t)
@@ -15919,7 +15974,7 @@ index 1a65b5e..e281c74 100644
  allow certmonger_t self:process { getsched setsched sigkill };
  allow certmonger_t self:fifo_file rw_file_perms;
  allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
-@@ -32,7 +33,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -32,16 +33,19 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
  
  manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
  manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
@@ -15928,7 +15983,19 @@ index 1a65b5e..e281c74 100644
  
  manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
  manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
-@@ -51,6 +52,8 @@ files_read_etc_files(certmonger_t)
+ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
+ 
++corecmd_exec_bin(certmonger_t)
++
+ corenet_tcp_sendrecv_generic_if(certmonger_t)
+ corenet_tcp_sendrecv_generic_node(certmonger_t)
+ corenet_tcp_sendrecv_all_ports(certmonger_t)
+ corenet_tcp_connect_certmaster_port(certmonger_t)
++corenet_tcp_connect_http_port(certmonger_t)
+ 
+ dev_read_urand(certmonger_t)
+ 
+@@ -51,6 +55,8 @@ files_read_etc_files(certmonger_t)
  files_read_usr_files(certmonger_t)
  files_list_tmp(certmonger_t)
  
@@ -15937,7 +16004,7 @@ index 1a65b5e..e281c74 100644
  logging_send_syslog_msg(certmonger_t)
  
  miscfiles_read_localization(certmonger_t)
-@@ -58,6 +61,16 @@ miscfiles_manage_generic_cert_files(certmonger_t)
+@@ -58,6 +64,16 @@ miscfiles_manage_generic_cert_files(certmonger_t)
  
  sysnet_dns_name_resolve(certmonger_t)
  
@@ -15954,7 +16021,7 @@ index 1a65b5e..e281c74 100644
  optional_policy(`
  	dbus_system_bus_client(certmonger_t)
  	dbus_connect_system_bus(certmonger_t)
-@@ -68,5 +81,7 @@ optional_policy(`
+@@ -68,5 +84,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29139,7 +29206,7 @@ index 2855a44..0456b11 100644
  		type puppet_tmp_t;
  	')
 diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..80c1f5d 100644
+index 64c5f95..76da005 100644
 --- a/policy/modules/services/puppet.te
 +++ b/policy/modules/services/puppet.te
 @@ -6,10 +6,10 @@ policy_module(puppet, 1.0.0)
@@ -29198,7 +29265,7 @@ index 64c5f95..80c1f5d 100644
  
  corecmd_exec_bin(puppetmaster_t)
  corecmd_exec_shell(puppetmaster_t)
-@@ -214,13 +219,19 @@ domain_read_all_domains_state(puppetmaster_t)
+@@ -214,13 +219,20 @@ domain_read_all_domains_state(puppetmaster_t)
  files_read_etc_files(puppetmaster_t)
  files_search_var_lib(puppetmaster_t)
  
@@ -29207,9 +29274,10 @@ index 64c5f95..80c1f5d 100644
  logging_send_syslog_msg(puppetmaster_t)
  
  miscfiles_read_localization(puppetmaster_t)
- 
++miscfiles_read_certs(puppetmaster_t)
-+seutil_read_file_contexts(puppetmaster_t)
 +
++seutil_read_file_contexts(puppetmaster_t)
+ 
  sysnet_dns_name_resolve(puppetmaster_t)
  sysnet_run_ifconfig(puppetmaster_t, system_r)
  
@@ -29218,6 +29286,15 @@ index 64c5f95..80c1f5d 100644
  optional_policy(`
  	hostname_exec(puppetmaster_t)
  ')
+@@ -231,3 +243,8 @@ optional_policy(`
+ 	rpm_exec(puppetmaster_t)
+ 	rpm_read_db(puppetmaster_t)
+ ')
++
++optional_policy(`
++	usermanage_domtrans_groupadd(puppetmaster_t)
++	usermanage_domtrans_useradd(puppetmaster_t)
++')
 diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc
 index d4a7750..705196e 100644
 --- a/policy/modules/services/pyzor.fc
@@ -29866,10 +29943,10 @@ index 0000000..c403abc
 +')
 diff --git a/policy/modules/services/qpidd.te b/policy/modules/services/qpidd.te
 new file mode 100644
-index 0000000..43639a0
+index 0000000..d9c56d4
 --- /dev/null
 +++ b/policy/modules/services/qpidd.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,64 @@
 +policy_module(qpidd, 1.0.0)
 +
 +########################################
@@ -29929,6 +30006,11 @@ index 0000000..43639a0
 +miscfiles_read_localization(qpidd_t)
 +
 +sysnet_dns_name_resolve(qpidd_t)
++
++optional_policy(`
++	corosync_stream_connect(qpidd_t)
++')
++
 diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if
 index 9a78598..8f132e7 100644
 --- a/policy/modules/services/radius.if
@@ -39262,7 +39344,7 @@ index 88df85d..2fa3974 100644
  	ssh_sigchld(application_domain_type)
  	ssh_rw_stream_sockets(application_domain_type)
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 1c4b1e7..2997dd7 100644
+index 1c4b1e7..8d326d4 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
 @@ -10,6 +10,7 @@
@@ -39273,7 +39355,7 @@ index 1c4b1e7..2997dd7 100644
  /sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
  /sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
  ifdef(`distro_suse', `
-@@ -27,6 +28,7 @@ ifdef(`distro_gentoo', `
+@@ -27,12 +28,14 @@ ifdef(`distro_gentoo', `
  
  /var/db/shadow.*	--	gen_context(system_u:object_r:shadow_t,s0)
  
@@ -39281,6 +39363,13 @@ index 1c4b1e7..2997dd7 100644
  /var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  
+ /var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
+ /var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/faillog	--	gen_context(system_u:object_r:faillog_t,s0)
++/var/log/faillock(/.*)?		gen_context(system_u:object_r:faillog_t,s0)
+ /var/log/lastlog	--	gen_context(system_u:object_r:lastlog_t,s0)
+ /var/log/syslog		--	gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/tallylog	--	gen_context(system_u:object_r:faillog_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
 index bea0ade..6f47773 100644
 --- a/policy/modules/system/authlogin.if

selinux-policy.spec

@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.8
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,20 @@ exit 0
 %endif
 
 %changelog
+* Tue Nov 9 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-3
+- Fix up corecommands.fc to match upstream
+- Make sure /lib/systemd/* is labeled init_exec_t
+- mount wants to setattr on all mountpoints
+- dovecot auth wants to read dovecot etc files
+- nscd daemon looks at the exe file of the comunicating daemon
+- openvpn wants to read utmp file
+- postfix apps now set sys_nice and lower limits
+- remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly
+- Also resolves nsswitch
+- Fix labels on /etc/hosts.*
+- Cleanup to make upsteam patch work
+- allow abrt to read etc_runtime_t
+
 * Fri Nov 5 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-2
 - Add conflicts for dirsrv package