- Add vnstat policy

- allow libvirt to send audit messages
- Allow chrome-sandbox to search nfs_t
Dan Walsh 2010-09-16 18:00:00 -04:00
parent a24e6a6700
commit ea3b7b5dff
4 changed files with 363 additions and 74 deletions


@ -1,14 +1,14 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
allow_execmem = true
# Allow making a modified private filemapping executable (text relocation).
#
allow_execmod = false
allow_execmod = true
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
allow_execstack = false
allow_execstack = true
# Allow ftpd to read cifs directories.
#
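Review bot: The change to `allow_execmem`, `allow_execmod` and `allow_execstack` in this file is not mentioned in the commit message or in the spec changelog, which list only the vnstat, libvirt and chrome-sandbox changes. The rendered view does not show which value is the new side, but if the new side sets them to `true`, every domain that is gated on these booleans gains executable anonymous memory, text relocations and executable stacks at once, which is a system-wide loosening that should be stated and justified in the description. If the direction is the reverse (tightening), it still deserves a changelog line, since applications that depended on the permissive setting will start to fail with AVC denials.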


@ -1825,6 +1825,13 @@ varnishd = module
#
virt = module
# Layer: services
# Module: vnstatd
#
# Network traffic Monitor
#
vnstatd = module
# Layer: apps
# Module: qemu
#


@ -349,10 +349,10 @@ index 66e486e..bfda8e9 100644
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 0b6123e..dd4cd30 100644
index 0b6123e..d64682f 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -119,6 +119,7 @@ seutil_dontaudit_read_config(logrotate_t)
@@ -119,14 +119,20 @@ seutil_dontaudit_read_config(logrotate_t)
userdom_use_user_terminals(logrotate_t)
userdom_list_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
@ -360,8 +360,14 @@ index 0b6123e..dd4cd30 100644
cron_system_entry(logrotate_t, logrotate_exec_t)
cron_search_spool(logrotate_t)
@@ -126,7 +127,7 @@ cron_search_spool(logrotate_t)
mta_send_mail(logrotate_t)
-mta_send_mail(logrotate_t)
+#mta_send_mail(logrotate_t)
+mta_base_mail_template(logrotate)
+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+role system_r types logrotate_mail_t;
+logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
ifdef(`distro_debian', `
- allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
@ -9504,7 +9510,7 @@ index ebe6a9c..e3a1987 100644
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 1854002..b0d95d4 100644
index 1854002..571c76e 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,46 @@ policy_module(staff, 2.1.2)
@ -9590,7 +9596,7 @@ index 1854002..b0d95d4 100644
oident_manage_user_content(staff_t)
oident_relabel_user_content(staff_t)
')
@@ -36,21 +99,62 @@ optional_policy(`
@@ -36,21 +99,66 @@ optional_policy(`
')
optional_policy(`
@ -9650,12 +9656,16 @@ index 1854002..b0d95d4 100644
+')
+
+optional_policy(`
+ vnstatd_read_lib_files(staff_t)
+')
+
+optional_policy(`
+ webadm_role_change(staff_r)
+')
optional_policy(`
xserver_role(staff_r, staff_t)
@@ -138,10 +242,6 @@ ifndef(`distro_redhat',`
@@ -138,10 +246,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -15636,7 +15646,7 @@ index 35241ed..9822074 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index f35b243..ff1a1c9 100644
index f35b243..45f5a6f 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t)
@ -15772,7 +15782,17 @@ index f35b243..ff1a1c9 100644
')
optional_policy(`
@@ -290,6 +334,8 @@ optional_policy(`
@@ -284,12 +328,18 @@ optional_policy(`
udev_read_db(crond_t)
')
+optional_policy(`
+ vnstatd_search_lib(crond_t)
+')
+
########################################
#
# System cron process domain
#
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
@ -15781,7 +15801,7 @@ index f35b243..ff1a1c9 100644
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
@@ -301,10 +347,17 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
@@ -301,10 +351,17 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
@ -15800,7 +15820,7 @@ index f35b243..ff1a1c9 100644
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
@@ -324,6 +377,7 @@ allow crond_t system_cronjob_t:fd use;
@@ -324,6 +381,7 @@ allow crond_t system_cronjob_t:fd use;
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
@ -15808,7 +15828,7 @@ index f35b243..ff1a1c9 100644
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
@@ -335,9 +389,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
@@ -335,9 +393,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@ -15823,7 +15843,7 @@ index f35b243..ff1a1c9 100644
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
@@ -360,6 +418,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
@@ -360,6 +422,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
@ -15831,7 +15851,7 @@ index f35b243..ff1a1c9 100644
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
@@ -386,6 +445,7 @@ files_dontaudit_search_pids(system_cronjob_t)
@@ -386,6 +449,7 @@ files_dontaudit_search_pids(system_cronjob_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
@ -15839,7 +15859,7 @@ index f35b243..ff1a1c9 100644
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
@@ -410,6 +470,8 @@ seutil_read_config(system_cronjob_t)
@@ -410,6 +474,8 @@ seutil_read_config(system_cronjob_t)
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
@ -15848,7 +15868,7 @@ index f35b243..ff1a1c9 100644
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
@@ -434,6 +496,8 @@ optional_policy(`
@@ -434,6 +500,8 @@ optional_policy(`
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
@ -15857,7 +15877,7 @@ index f35b243..ff1a1c9 100644
')
optional_policy(`
@@ -441,6 +505,14 @@ optional_policy(`
@@ -441,6 +509,14 @@ optional_policy(`
')
optional_policy(`
@ -15872,7 +15892,7 @@ index f35b243..ff1a1c9 100644
ftp_read_log(system_cronjob_t)
')
@@ -451,15 +523,24 @@ optional_policy(`
@@ -451,15 +527,24 @@ optional_policy(`
')
optional_policy(`
@ -15897,7 +15917,7 @@ index f35b243..ff1a1c9 100644
')
optional_policy(`
@@ -475,7 +556,7 @@ optional_policy(`
@@ -475,7 +560,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@ -15906,7 +15926,7 @@ index f35b243..ff1a1c9 100644
')
optional_policy(`
@@ -490,6 +571,7 @@ optional_policy(`
@@ -490,6 +575,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@ -15914,7 +15934,7 @@ index f35b243..ff1a1c9 100644
')
optional_policy(`
@@ -497,7 +579,13 @@ optional_policy(`
@@ -497,7 +583,13 @@ optional_policy(`
')
optional_policy(`
@ -15928,7 +15948,7 @@ index f35b243..ff1a1c9 100644
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
@@ -590,7 +678,10 @@ userdom_manage_user_home_content_sockets(cronjob_t)
@@ -590,7 +682,10 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@ -16152,7 +16172,7 @@ index e182bf4..f80e725 100644
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 39e901a..87fc055 100644
index 39e901a..7852441 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -42,8 +42,10 @@ template(`dbus_role_template',`
@ -16184,7 +16204,7 @@ index 39e901a..87fc055 100644
allow $1_dbusd_t $3:process sigkill;
allow $3 $1_dbusd_t:fd use;
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
@@ -149,13 +151,20 @@ template(`dbus_role_template',`
@@ -149,17 +151,25 @@ template(`dbus_role_template',`
term_use_all_terms($1_dbusd_t)
@ -16206,7 +16226,12 @@ index 39e901a..87fc055 100644
hal_dbus_chat($1_dbusd_t)
')
@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',`
optional_policy(`
+ xserver_search_xdm_lib($1_dbusd_t)
xserver_use_xdm_fds($1_dbusd_t)
xserver_rw_xdm_pipes($1_dbusd_t)
')
@@ -181,10 +191,12 @@ interface(`dbus_system_bus_client',`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
@ -16219,7 +16244,7 @@ index 39e901a..87fc055 100644
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
@@ -431,13 +442,26 @@ interface(`dbus_system_domain',`
@@ -431,13 +443,26 @@ interface(`dbus_system_domain',`
domtrans_pattern(system_dbusd_t, $2, $1)
@ -16246,7 +16271,7 @@ index 39e901a..87fc055 100644
ifdef(`hide_broken_symptoms', `
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
@@ -479,3 +503,22 @@ interface(`dbus_unconfined',`
@@ -479,3 +504,22 @@ interface(`dbus_unconfined',`
typeattribute $1 dbusd_unconfined;
')
@ -23987,10 +24012,10 @@ index 00fa514..9ab1d80 100644
mysql_stream_connect(rgmanager_t)
')
diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
index c2ba53b..a8676c7 100644
index c2ba53b..d862e7e 100644
--- a/policy/modules/services/rhcs.fc
+++ b/policy/modules/services/rhcs.fc
@@ -1,6 +1,7 @@
@@ -1,14 +1,17 @@
/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
@ -23998,8 +24023,10 @@ index c2ba53b..a8676c7 100644
/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
@@ -9,6 +10,7 @@
/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+/var/log/cluster/.*\.*log <<none>>
@ -27997,7 +28024,7 @@ index 7c5d8d8..e584e21 100644
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
+')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 3eca020..fec701f 100644
index 3eca020..8dac607 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -4,6 +4,7 @@ policy_module(virt, 1.4.0)
@ -28239,9 +28266,11 @@ index 3eca020..fec701f 100644
mcs_process_set_categories(virtd_t)
@@ -286,15 +351,24 @@ modutils_manage_module_config(virtd_t)
@@ -285,16 +350,26 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
+selinux_validate_context(virtd_t)
+
@ -28264,7 +28293,7 @@ index 3eca020..fec701f 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
@@ -365,6 +439,8 @@ optional_policy(`
@@ -365,6 +440,8 @@ optional_policy(`
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@ -28273,7 +28302,7 @@ index 3eca020..fec701f 100644
')
optional_policy(`
@@ -402,6 +478,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms;
@@ -402,6 +479,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms;
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
allow virt_domain self:tcp_socket create_stream_socket_perms;
@ -28293,7 +28322,7 @@ index 3eca020..fec701f 100644
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
@@ -422,6 +511,7 @@ corenet_rw_tun_tap_dev(virt_domain)
@@ -422,6 +512,7 @@ corenet_rw_tun_tap_dev(virt_domain)
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@ -28301,7 +28330,7 @@ index 3eca020..fec701f 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
@@ -429,10 +519,12 @@ dev_write_sound(virt_domain)
@@ -429,10 +520,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@ -28314,7 +28343,7 @@ index 3eca020..fec701f 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
@@ -440,6 +532,11 @@ files_search_all(virt_domain)
@@ -440,6 +533,11 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@ -28326,7 +28355,7 @@ index 3eca020..fec701f 100644
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
@@ -457,8 +554,121 @@ optional_policy(`
@@ -457,8 +555,121 @@ optional_policy(`
')
optional_policy(`
@ -28448,6 +28477,249 @@ index 3eca020..fec701f 100644
+ userdom_search_admin_dir(virsh_ssh_t)
+')
+
diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc
new file mode 100644
index 0000000..7667c31
--- /dev/null
+++ b/policy/modules/services/vnstatd.fc
@@ -0,0 +1,6 @@
+
+/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
+
+/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
+
+/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if
new file mode 100644
index 0000000..85dba86
--- /dev/null
+++ b/policy/modules/services/vnstatd.if
@@ -0,0 +1,150 @@
+
+## <summary>policy for vnstatd</summary>
+
+
+########################################
+## <summary>
+## Execute a domain transition to run vnstatd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_domtrans',`
+ gen_require(`
+ type vnstatd_t, vnstatd_exec_t;
+ ')
+
+ domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
+')
+
+
+
+########################################
+## <summary>
+## Execute a domain transition to run vnstat.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_domtrans_vnstat',`
+ gen_require(`
+ type vnstat_t, vnstat_exec_t;
+ ')
+
+ domtrans_pattern($1, vnstat_exec_t, vnstat_t)
+')
+
+########################################
+## <summary>
+## Search vnstatd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_search_lib',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ allow $1 vnstatd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read vnstatd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_read_lib_files',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## vnstatd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_manage_lib_files',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage vnstatd lib dirs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_manage_lib_dirs',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an vnstatd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vnstatd_admin',`
+ gen_require(`
+ type vnstatd_t;
+ type vnstatd_var_lib_t;
+ ')
+
+ allow $1 vnstatd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, vnstatd_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, vnstatd_var_lib_t)
+
+')
diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
new file mode 100644
index 0000000..db526e6
--- /dev/null
+++ b/policy/modules/services/vnstatd.te
@@ -0,0 +1,69 @@
+policy_module(vnstatd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vnstatd_t;
+type vnstatd_exec_t;
+init_daemon_domain(vnstatd_t, vnstatd_exec_t)
+
+permissive vnstatd_t;
+
+type vnstatd_var_lib_t;
+files_type(vnstatd_var_lib_t)
+
+type vnstat_t;
+type vnstat_exec_t;
+application_domain(vnstat_t, vnstat_exec_t)
+cron_system_entry(vnstat_t, vnstat_exec_t)
+
+########################################
+#
+# vnstatd local policy
+#
+allow vnstatd_t self:process { fork signal };
+
+allow vnstatd_t self:fifo_file rw_fifo_file_perms;
+allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file } )
+
+domain_use_interactive_fds(vnstatd_t)
+
+files_read_etc_files(vnstatd_t)
+
+logging_send_syslog_msg(vnstatd_t)
+
+miscfiles_read_localization(vnstatd_t)
+
+########################################
+#
+# vnstat local policy
+#
+allow vnstat_t self:process { signal };
+
+allow vnstat_t self:fifo_file rw_fifo_file_perms;
+allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file } )
+
+kernel_read_network_state(vnstat_t)
+kernel_read_system_state(vnstat_t)
+
+domain_use_interactive_fds(vnstat_t)
+
+files_read_etc_files(vnstat_t)
+
+fs_getattr_xattr_fs(vnstat_t)
+
+logging_send_syslog_msg(vnstat_t)
+
+miscfiles_read_localization(vnstat_t)
+
+
diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te
index 1174ad8..f4c4c1b 100644
--- a/policy/modules/services/w3c.te
@ -29441,7 +29713,7 @@ index da2601a..f34a53f 100644
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index e226da4..5fbf38f 100644
index e226da4..29d5384 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false)
@ -29616,7 +29888,7 @@ index e226da4..5fbf38f 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
@@ -246,30 +292,64 @@ tunable_policy(`use_samba_home_dirs',`
@@ -246,50 +292,105 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(iceauth_t)
')
@ -29683,8 +29955,13 @@ index e226da4..5fbf38f 100644
+fs_getattr_all_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)
# cjp: why?
@@ -279,17 +359,37 @@ auth_use_nsswitch(xauth_t)
-# cjp: why?
-term_use_ptmx(xauth_t)
+# Probably a leak
+term_dontaudit_use_ptmx(xauth_t)
+term_dontaudit_use_console(xauth_t)
auth_use_nsswitch(xauth_t)
userdom_use_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
@ -29722,7 +29999,7 @@ index e226da4..5fbf38f 100644
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
@@ -301,20 +401,33 @@ optional_policy(`
@@ -301,20 +402,33 @@ optional_policy(`
# XDM Local policy
#
@ -29759,7 +30036,7 @@ index e226da4..5fbf38f 100644
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
@@ -322,32 +435,55 @@ can_exec(xdm_t, xdm_exec_t)
@@ -322,32 +436,55 @@ can_exec(xdm_t, xdm_exec_t)
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@ -29820,7 +30097,7 @@ index e226da4..5fbf38f 100644
allow xdm_t xserver_t:unix_stream_socket connectto;
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
@@ -355,10 +491,13 @@ allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
@@ -355,10 +492,13 @@ allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
# transition to the xdm xserver
domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@ -29834,7 +30111,7 @@ index e226da4..5fbf38f 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -367,15 +506,22 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -367,15 +507,22 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@ -29858,7 +30135,7 @@ index e226da4..5fbf38f 100644
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
@@ -390,18 +536,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
@@ -390,18 +537,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@ -29882,7 +30159,7 @@ index e226da4..5fbf38f 100644
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
@@ -410,18 +560,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
@@ -410,18 +561,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@ -29909,7 +30186,7 @@ index e226da4..5fbf38f 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
@@ -432,9 +587,17 @@ files_list_mnt(xdm_t)
@@ -432,9 +588,17 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@ -29927,7 +30204,7 @@ index e226da4..5fbf38f 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
@@ -443,28 +606,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
@@ -443,28 +607,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@ -29966,7 +30243,7 @@ index e226da4..5fbf38f 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
@@ -473,6 +644,13 @@ userdom_read_user_home_content_files(xdm_t)
@@ -473,6 +645,13 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -29980,7 +30257,7 @@ index e226da4..5fbf38f 100644
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
@@ -504,11 +682,17 @@ tunable_policy(`xdm_sysadm_login',`
@@ -504,11 +683,17 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@ -29998,7 +30275,7 @@ index e226da4..5fbf38f 100644
')
optional_policy(`
@@ -516,12 +700,51 @@ optional_policy(`
@@ -516,12 +701,51 @@ optional_policy(`
')
optional_policy(`
@ -30050,7 +30327,7 @@ index e226da4..5fbf38f 100644
hostname_exec(xdm_t)
')
@@ -539,20 +762,64 @@ optional_policy(`
@@ -539,20 +763,64 @@ optional_policy(`
')
optional_policy(`
@ -30117,7 +30394,7 @@ index e226da4..5fbf38f 100644
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -561,7 +828,6 @@ optional_policy(`
@@ -561,7 +829,6 @@ optional_policy(`
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@ -30125,7 +30402,7 @@ index e226da4..5fbf38f 100644
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
@@ -572,6 +838,10 @@ optional_policy(`
@@ -572,6 +839,10 @@ optional_policy(`
')
optional_policy(`
@ -30136,7 +30413,7 @@ index e226da4..5fbf38f 100644
xfs_stream_connect(xdm_t)
')
@@ -596,7 +866,7 @@ allow xserver_t input_xevent_t:x_event send;
@@ -596,7 +867,7 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@ -30145,7 +30422,7 @@ index e226da4..5fbf38f 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
@@ -610,6 +880,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -610,6 +881,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@ -30164,7 +30441,7 @@ index e226da4..5fbf38f 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
@@ -629,12 +911,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -629,12 +912,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@ -30186,7 +30463,7 @@ index e226da4..5fbf38f 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
@@ -642,6 +931,7 @@ kernel_read_modprobe_sysctls(xserver_t)
@@ -642,6 +932,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@ -30194,7 +30471,7 @@ index e226da4..5fbf38f 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
@@ -668,7 +958,6 @@ dev_rw_apm_bios(xserver_t)
@@ -668,7 +959,6 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@ -30202,7 +30479,7 @@ index e226da4..5fbf38f 100644
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
@@ -678,8 +967,13 @@ dev_wx_raw_memory(xserver_t)
@@ -678,8 +968,13 @@ dev_wx_raw_memory(xserver_t)
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@ -30216,7 +30493,7 @@ index e226da4..5fbf38f 100644
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
files_read_usr_files(xserver_t)
@@ -693,8 +987,13 @@ fs_getattr_xattr_fs(xserver_t)
@@ -693,8 +988,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@ -30230,7 +30507,7 @@ index e226da4..5fbf38f 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
@@ -716,11 +1015,14 @@ logging_send_audit_msgs(xserver_t)
@@ -716,11 +1016,14 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@ -30245,7 +30522,7 @@ index e226da4..5fbf38f 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
@@ -773,12 +1075,28 @@ optional_policy(`
@@ -773,12 +1076,28 @@ optional_policy(`
')
optional_policy(`
@ -30275,7 +30552,7 @@ index e226da4..5fbf38f 100644
unconfined_domtrans(xserver_t)
')
@@ -787,6 +1105,10 @@ optional_policy(`
@@ -787,6 +1106,10 @@ optional_policy(`
')
optional_policy(`
@ -30286,7 +30563,7 @@ index e226da4..5fbf38f 100644
xfs_stream_connect(xserver_t)
')
@@ -802,10 +1124,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
@@ -802,10 +1125,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@ -30299,7 +30576,7 @@ index e226da4..5fbf38f 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -826,6 +1148,13 @@ init_use_fds(xserver_t)
@@ -826,6 +1149,13 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@ -30313,7 +30590,7 @@ index e226da4..5fbf38f 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
@@ -841,11 +1170,14 @@ tunable_policy(`use_samba_home_dirs',`
@@ -841,11 +1171,14 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_system_bus_client(xserver_t)
@ -30330,7 +30607,7 @@ index e226da4..5fbf38f 100644
')
optional_policy(`
@@ -991,3 +1323,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
@@ -991,3 +1324,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
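Review bot: `permissive vnstatd_t;` in the new vnstatd.te puts the daemon domain in permissive mode, so none of the allow rules that follow it are enforced and any denial is only logged; nothing in the file marks this as a bring-up state. Suggest a comment directly above it such as `# TODO: drop once vnstatd_t has run in enforcing mode and its AVCs have been reviewed` and a matching line in the spec changelog, so the permissive declaration is not shipped indefinitely. Note that `vnstat_t` is not declared permissive, so the cron-driven vnstat path is enforced while the daemon is not, which may be intended but is worth stating. Separately, in rhcs.fc the pattern `/var/log/cluster/.*\.*log <<none>>` looks like it was meant to be `/var/log/cluster/.*\.log <<none>>`; as written, `\.*` matches zero or more literal dots, so the `<<none>>` exemption also covers names ending in `log` without an extension.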


@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.5
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -469,6 +469,11 @@ exit 0
%endif
%changelog
* Thu Sep 16 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-2
- Add vnstat policy
- allow libvirt to send audit messages
- Allow chrome-sandbox to search nfs_t
* Thu Sep 16 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-1
- Update to upstream