- Add mising nslcd_dontaudit_write_sock_file() interface

- one more fix - Fix pki_read_tomcat_lib_files() interface - Allow certmonger to read pki-tomcat lib files - Allow certwatch to execute bin_t - Allow snmp to manage /var/lib/net-snmp files - Don't audit attempts to write to stream socket of nscld by thumbnailers - Allow git_system_t to read network state - Allow pegasas to execute mount command - Fix desc for drdb_admin - Fix condor_amin() - Interface fixes for uptime, vdagent, vnstatd - Fix labeling for moodle in /var/www/moodle/data - Add interface fixes - Allow bugzilla to read certs - /var/www/moodle needs to be writable by apache - Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest - Fix namespace_init_t to create content with proper labels, and allow it to manage all user conten - Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean - Fixes for dlm_controld - Fix apache_read_sys_content_rw_dirs() interface - Allow logrotate to read /var/log/z-push dir - Fix sys_nice for cups_domain - Allow postfix_postdrop to acces postfix_public socket - Allow sched_setscheduler for cupsd_t - Add missing context for /usr/sbin/snmpd - Kernel_t needs mac_admin in order to support labeled NFS - Fix systemd_dontaudit_dbus_chat() interface - Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest - Allow consolehelper domain to write Xauth files in /root - Add port definition for osapi_compute por
2013-04-11 22:49:52 +02:00 · 2013-04-11 22:49:52 +02:00 · fa447f104a
parent d8b4fa387f
commit fa447f104a
3 changed files with 717 additions and 383 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -15970,7 +15970,7 @@ index 649e458..cc924ae 100644
 +	list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
 ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 6fac350..e7add10 100644
+index 6fac350..06704f6 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -16021,7 +16021,15 @@ index 6fac350..e7add10 100644
 # /proc/sys/dev directory and files
 type sysctl_dev_t, sysctl_type;
 genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -233,7 +246,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+@@ -189,6 +202,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+ # kernel local policy
+ #
+ 
+allow kernel_t self:capability2 mac_admin;
+ allow kernel_t self:capability ~sys_module;
+ allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow kernel_t self:shm create_shm_perms;
+@@ -233,7 +247,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
 corenet_in_generic_if(unlabeled_t)
 corenet_in_generic_node(unlabeled_t)
 
@ -16029,7 +16037,7 @@ index 6fac350..e7add10 100644
 corenet_all_recvfrom_netlabel(kernel_t)
 # Kernel-generated traffic e.g., ICMP replies:
 corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +256,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+@@ -244,17 +257,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
 corenet_tcp_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_node(kernel_t)
 corenet_send_all_packets(kernel_t)
@ -16055,7 +16063,7 @@ index 6fac350..e7add10 100644
 
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
-@@ -263,7 +279,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -263,7 +280,8 @@ fs_unmount_all_fs(kernel_t)
 
 selinux_load_policy(kernel_t)
 
@ -16065,7 +16073,7 @@ index 6fac350..e7add10 100644
 
 corecmd_exec_shell(kernel_t)
 corecmd_list_bin(kernel_t)
-@@ -277,25 +294,49 @@ files_list_root(kernel_t)
+@@ -277,25 +295,49 @@ files_list_root(kernel_t)
 files_list_etc(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
@ -16115,7 +16123,7 @@ index 6fac350..e7add10 100644
 ')
 
 optional_policy(`
-@@ -305,6 +346,19 @@ optional_policy(`
+@@ -305,6 +347,19 @@ optional_policy(`
 
 optional_policy(`
 	logging_send_syslog_msg(kernel_t)
@ -16135,7 +16143,7 @@ index 6fac350..e7add10 100644
 ')
 
 optional_policy(`
-@@ -334,7 +388,6 @@ optional_policy(`
+@@ -334,7 +389,6 @@ optional_policy(`
 
 	rpc_manage_nfs_ro_content(kernel_t)
 	rpc_manage_nfs_rw_content(kernel_t)
@ -16143,7 +16151,7 @@ index 6fac350..e7add10 100644
 	rpc_udp_rw_nfs_sockets(kernel_t)
 
 	tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +396,7 @@ optional_policy(`
+@@ -343,9 +397,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
 
@ -16154,7 +16162,7 @@ index 6fac350..e7add10 100644
 	')
 
 	tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +405,7 @@ optional_policy(`
+@@ -354,7 +406,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
 
@ -16163,7 +16171,7 @@ index 6fac350..e7add10 100644
 	')
 ')
 
-@@ -367,6 +418,15 @@ optional_policy(`
+@@ -367,6 +419,15 @@ optional_policy(`
 	unconfined_domain_noaudit(kernel_t)
 ')
 
@ -16179,7 +16187,7 @@ index 6fac350..e7add10 100644
 ########################################
 #
 # Unlabeled process local policy
-@@ -409,4 +469,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -409,4 +470,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
 allow kern_unconfined unlabeled_t:filesystem *;
 allow kern_unconfined unlabeled_t:association *;
 allow kern_unconfined unlabeled_t:packet *;
@ -22226,7 +22234,7 @@ index d1f64a0..3be3d00 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..ad955d5 100644
+index 6bf0ecc..0ef3955 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@ -22571,15 +22579,58 @@ index 6bf0ecc..ad955d5 100644
 ########################################
 ## <summary>
 ##	Create a Xauthority file in the user home directory.
-@@ -598,6 +682,7 @@ interface(`xserver_read_user_xauth',`
+@@ -567,6 +651,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
+ 
+ ########################################
+ ## <summary>
+##	Create a Xauthority file in the admin home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_admin_home_dir_filetrans_xauth',`
+	gen_require(`
+		type xauth_home_t;
+	')
+
+	userdom_admin_home_dir_filetrans($1, xauth_home_t, file)
+')
+
+########################################
+## <summary>
+ ##	Read all users fonts, user font configurations,
+ ##	and manage all users font caches.
+ ## </summary>
+@@ -598,6 +700,25 @@ interface(`xserver_read_user_xauth',`
 
 	allow $1 xauth_home_t:file read_file_perms;
 	userdom_search_user_home_dirs($1)
 +	xserver_read_xdm_pid($1)
+')
+
+########################################
+## <summary>
+##	Manage all users .Xauthority.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_user_xauth',`
+	gen_require(`
+		type xauth_home_t;
+	')
+
+	allow $1 xauth_home_t:file manage_file_perms;
 ')
 
 ########################################
-@@ -615,7 +700,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +736,7 @@ interface(`xserver_setattr_console_pipes',`
 		type xconsole_device_t;
 	')
 
@ -22588,7 +22639,7 @@ index 6bf0ecc..ad955d5 100644
 ')
 
 ########################################
-@@ -638,6 +723,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +759,25 @@ interface(`xserver_rw_console',`
 
 ########################################
 ## <summary>
@ -22614,7 +22665,7 @@ index 6bf0ecc..ad955d5 100644
 ##	Use file descriptors for xdm.
 ## </summary>
 ## <param name="domain">
-@@ -651,7 +755,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +791,7 @@ interface(`xserver_use_xdm_fds',`
 		type xdm_t;
 	')
 
@ -22623,7 +22674,7 @@ index 6bf0ecc..ad955d5 100644
 ')
 
 ########################################
-@@ -670,7 +774,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +810,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
 		type xdm_t;
 	')
 
@ -22632,7 +22683,7 @@ index 6bf0ecc..ad955d5 100644
 ')
 
 ########################################
-@@ -688,7 +792,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +828,7 @@ interface(`xserver_rw_xdm_pipes',`
 		type xdm_t;
 	')
 
@ -22641,7 +22692,7 @@ index 6bf0ecc..ad955d5 100644
 ')
 
 ########################################
-@@ -703,12 +807,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +843,11 @@ interface(`xserver_rw_xdm_pipes',`
 ## </param>
 #
 interface(`xserver_dontaudit_rw_xdm_pipes',`
@ -22655,7 +22706,7 @@ index 6bf0ecc..ad955d5 100644
 ')
 
 ########################################
-@@ -765,11 +868,71 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,11 +904,71 @@ interface(`xserver_manage_xdm_spool_files',`
 #
 interface(`xserver_stream_connect_xdm',`
 	gen_require(`
@ -22729,7 +22780,7 @@ index 6bf0ecc..ad955d5 100644
 ')
 
 ########################################
-@@ -793,6 +956,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +992,25 @@ interface(`xserver_read_xdm_rw_config',`
 
 ########################################
 ## <summary>
@ -22755,7 +22806,7 @@ index 6bf0ecc..ad955d5 100644
 ##	Set the attributes of XDM temporary directories.
 ## </summary>
 ## <param name="domain">
-@@ -806,7 +988,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -806,7 +1024,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
 		type xdm_tmp_t;
 	')
 
@ -22782,7 +22833,7 @@ index 6bf0ecc..ad955d5 100644
 ')
 
 ########################################
-@@ -846,7 +1046,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1082,26 @@ interface(`xserver_read_xdm_pid',`
 	')
 
 	files_search_pids($1)
@ -22810,7 +22861,7 @@ index 6bf0ecc..ad955d5 100644
 ')
 
 ########################################
-@@ -869,6 +1088,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -869,6 +1124,24 @@ interface(`xserver_read_xdm_lib_files',`
 
 ########################################
 ## <summary>
@ -22835,7 +22886,7 @@ index 6bf0ecc..ad955d5 100644
 ##	Make an X session script an entrypoint for the specified domain.
 ## </summary>
 ## <param name="domain">
-@@ -938,7 +1175,26 @@ interface(`xserver_getattr_log',`
+@@ -938,7 +1211,26 @@ interface(`xserver_getattr_log',`
 	')
 
 	logging_search_logs($1)
@ -22863,7 +22914,7 @@ index 6bf0ecc..ad955d5 100644
 ')
 
 ########################################
-@@ -957,7 +1213,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -957,7 +1249,7 @@ interface(`xserver_dontaudit_write_log',`
 		type xserver_log_t;
 	')
 
@ -22872,7 +22923,7 @@ index 6bf0ecc..ad955d5 100644
 ')
 
 ########################################
-@@ -1004,6 +1260,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1296,45 @@ interface(`xserver_read_xkb_libs',`
 
 ########################################
 ## <summary>
@ -22918,7 +22969,7 @@ index 6bf0ecc..ad955d5 100644
 ##	Read xdm temporary files.
 ## </summary>
 ## <param name="domain">
-@@ -1017,7 +1312,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1348,7 @@ interface(`xserver_read_xdm_tmp_files',`
 		type xdm_tmp_t;
 	')
 
@ -22927,71 +22978,113 @@ index 6bf0ecc..ad955d5 100644
 	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
 ')
 
-@@ -1079,6 +1374,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,53 +1410,91 @@ interface(`xserver_manage_xdm_tmp_files',`
 
 ########################################
 ## <summary>
+-##	Do not audit attempts to get the attributes of
+-##	xdm temporary named sockets.
 +##	Create, read, write, and delete xdm temporary dirs.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`xserver_relabel_xdm_tmp_dirs',`
-+	gen_require(`
-+		type xdm_tmp_t;
-+	')
-+
-+	allow $1 xdm_tmp_t:dir relabel_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete xdm temporary dirs.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`xserver_manage_xdm_tmp_dirs',`
-+	gen_require(`
-+		type xdm_tmp_t;
-+	')
-+
-+	manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to get the attributes of
- ##	xdm temporary named sockets.
 ## </summary>
-@@ -1093,7 +1424,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
+##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+interface(`xserver_relabel_xdm_tmp_dirs',`
+ 	gen_require(`
 		type xdm_tmp_t;
 	')
 
 -	dontaudit $1 xdm_tmp_t:sock_file getattr;
-+	dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
+	allow $1 xdm_tmp_t:dir relabel_dir_perms;
 ')
 
 ########################################
-@@ -1111,8 +1442,10 @@ interface(`xserver_domtrans',`
- 		type xserver_t, xserver_exec_t;
+ ## <summary>
+-##	Execute the X server in the X server domain.
+##	Create, read, write, and delete xdm temporary dirs.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed to transition.
+##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_domtrans',`
+interface(`xserver_manage_xdm_tmp_dirs',`
+ 	gen_require(`
+-		type xserver_t, xserver_exec_t;
+		type xdm_tmp_t;
 	')
 
 - 	allow $1 xserver_t:process siginh;
-+	allow $1 xserver_t:process siginh;
- 	domtrans_pattern($1, xserver_exec_t, xserver_t)
-+
-+	allow xserver_t $1:process getpgid;
+-	domtrans_pattern($1, xserver_exec_t, xserver_t)
+	manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
 ')
 
 ########################################
-@@ -1226,6 +1559,26 @@ interface(`xserver_stream_connect',`
+ ## <summary>
+-##	Signal X servers
+##	Do not audit attempts to get the attributes of
+##	xdm temporary named sockets.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
+##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_signal',`
+interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
+
+	dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute the X server in the X server domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`xserver_domtrans',`
+	gen_require(`
+		type xserver_t, xserver_exec_t;
+	')
+
+	allow $1 xserver_t:process siginh;
+	domtrans_pattern($1, xserver_exec_t, xserver_t)
+
+	allow xserver_t $1:process getpgid;
+')
+
+########################################
+## <summary>
+##	Signal X servers
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_signal',`
+ 	gen_require(`
+ 		type xserver_t;
+ 	')
+@@ -1226,6 +1595,26 @@ interface(`xserver_stream_connect',`
 
 	files_search_tmp($1)
 	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@ -23018,7 +23111,7 @@ index 6bf0ecc..ad955d5 100644
 ')
 
 ########################################
-@@ -1251,7 +1604,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1640,7 @@ interface(`xserver_read_tmp_files',`
 ## <summary>
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain permission to read the
@ -23027,7 +23120,7 @@ index 6bf0ecc..ad955d5 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1261,13 +1614,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1650,23 @@ interface(`xserver_read_tmp_files',`
 #
 interface(`xserver_manage_core_devices',`
 	gen_require(`
@ -23052,7 +23145,7 @@ index 6bf0ecc..ad955d5 100644
 ')
 
 ########################################
-@@ -1284,10 +1647,604 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1683,604 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
 	gen_require(`
@ -23660,7 +23753,7 @@ index 6bf0ecc..ad955d5 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..0881350 100644
+index 2696452..48c4924 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@ -24225,7 +24318,7 @@ index 2696452..0881350 100644
 
 storage_dontaudit_read_fixed_disk(xdm_t)
 storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +620,41 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +620,42 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
 storage_dontaudit_raw_write_removable_device(xdm_t)
 storage_dontaudit_setattr_removable_dev(xdm_t)
 storage_dontaudit_rw_scsi_generic(xdm_t)
@ -24254,6 +24347,7 @@ index 2696452..0881350 100644
 +init_status(xdm_t)
 
 libs_exec_lib_files(xdm_t)
+libs_exec_ldconfig(xdm_t)
 
 logging_read_generic_logs(xdm_t)
 
@ -24270,7 +24364,7 @@ index 2696452..0881350 100644
 
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +663,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +664,43 @@ userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -24320,7 +24414,7 @@ index 2696452..0881350 100644
 tunable_policy(`xdm_sysadm_login',`
 	userdom_xsession_spec_domtrans_all_users(xdm_t)
 	# FIXME:
-@@ -502,11 +713,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +714,26 @@ tunable_policy(`xdm_sysadm_login',`
 ')
 
 optional_policy(`
@ -24347,7 +24441,7 @@ index 2696452..0881350 100644
 ')
 
 optional_policy(`
-@@ -514,12 +740,72 @@ optional_policy(`
+@@ -514,12 +741,72 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -24420,7 +24514,7 @@ index 2696452..0881350 100644
 	hostname_exec(xdm_t)
 ')
 
-@@ -537,28 +823,78 @@ optional_policy(`
+@@ -537,28 +824,78 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -24508,7 +24602,7 @@ index 2696452..0881350 100644
 ')
 
 optional_policy(`
-@@ -570,6 +906,14 @@ optional_policy(`
+@@ -570,6 +907,14 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -24523,7 +24617,7 @@ index 2696452..0881350 100644
 	xfs_stream_connect(xdm_t)
 ')
 
-@@ -594,8 +938,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +939,11 @@ allow xserver_t input_xevent_t:x_event send;
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
 
@ -24536,7 +24630,7 @@ index 2696452..0881350 100644
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +955,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +956,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -24552,7 +24646,7 @@ index 2696452..0881350 100644
 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +971,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +972,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 
 filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
 
@ -24563,7 +24657,7 @@ index 2696452..0881350 100644
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +986,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +987,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
 
@ -24585,7 +24679,7 @@ index 2696452..0881350 100644
 
 kernel_read_system_state(xserver_t)
 kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1006,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1007,12 @@ kernel_read_modprobe_sysctls(xserver_t)
 # Xorg wants to check if kernel is tainted
 kernel_read_kernel_sysctls(xserver_t)
 kernel_write_proc_files(xserver_t)
@ -24599,7 +24693,7 @@ index 2696452..0881350 100644
 corenet_all_recvfrom_netlabel(xserver_t)
 corenet_tcp_sendrecv_generic_if(xserver_t)
 corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1032,27 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1033,27 @@ dev_rw_apm_bios(xserver_t)
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
@ -24630,7 +24724,7 @@ index 2696452..0881350 100644
 
 # brought on by rhgb
 files_search_mnt(xserver_t)
-@@ -694,7 +1063,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1064,16 @@ fs_getattr_xattr_fs(xserver_t)
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -24648,7 +24742,7 @@ index 2696452..0881350 100644
 mls_xwin_read_to_clearance(xserver_t)
 
 selinux_validate_context(xserver_t)
-@@ -708,20 +1086,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1087,18 @@ init_getpgid(xserver_t)
 term_setattr_unallocated_ttys(xserver_t)
 term_use_unallocated_ttys(xserver_t)
 
@ -24672,7 +24766,7 @@ index 2696452..0881350 100644
 
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1105,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1106,6 @@ userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)
 
@ -24681,7 +24775,7 @@ index 2696452..0881350 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1149,44 @@ optional_policy(`
+@@ -775,16 +1150,44 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -24727,7 +24821,7 @@ index 2696452..0881350 100644
 	unconfined_domtrans(xserver_t)
 ')
 
-@@ -793,6 +1195,10 @@ optional_policy(`
+@@ -793,6 +1196,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -24738,7 +24832,7 @@ index 2696452..0881350 100644
 	xfs_stream_connect(xserver_t)
 ')
 
-@@ -808,10 +1214,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1215,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -24752,7 +24846,7 @@ index 2696452..0881350 100644
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1225,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1226,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
 # Run xkbcomp.
@ -24761,7 +24855,7 @@ index 2696452..0881350 100644
 can_exec(xserver_t, xkb_var_lib_t)
 
 # VNC v4 module in X server
-@@ -832,26 +1238,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1239,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -24796,7 +24890,7 @@ index 2696452..0881350 100644
 ')
 
 optional_policy(`
-@@ -902,7 +1303,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1304,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -24805,7 +24899,7 @@ index 2696452..0881350 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
 
-@@ -956,11 +1357,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1358,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
 
@ -24837,7 +24931,7 @@ index 2696452..0881350 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1403,40 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1404,40 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
 
@ -28076,7 +28170,7 @@ index 24e7804..1894886 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..61531ce 100644
+index dd3be8d..84ffb31 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@ -29138,7 +29232,7 @@ index dd3be8d..61531ce 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
 
-@@ -896,3 +1353,191 @@ optional_policy(`
+@@ -896,3 +1353,196 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -29321,6 +29415,11 @@ index dd3be8d..61531ce 100644
 +allow initrc_domain systemprocess:process transition;
 +
 +optional_policy(`
+	systemd_getattr_unit_dirs(daemon)
+	systemd_getattr_unit_dirs(systemprocess)
+')
+
+optional_policy(`
 +    rgmanager_search_lib(initrc_domain)
 +')
 +
@ -35720,10 +35819,10 @@ index 0000000..4e12420
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..16c7767
+index 0000000..5894afb
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1122 @@
+@@ -0,0 +1,1159 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@ -35893,7 +35992,25 @@ index 0000000..16c7767
 +        ')
 +
 +    files_search_var_lib($1)
-+    allow $1 systemd_unit_file_type:file getattr_file_perms;
+    getattr_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
+')
+
+#####################################
+## <summary>
+##      Allow domain to getattr all systemd unit directories.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_getattr_unit_dirs',`
+        gen_require(`
+                attribute systemd_unit_file_type;
+        ')
+
+    allow $1 systemd_unit_file_type:dir getattr;
 +')
 +
 +######################################
@ -36846,12 +36963,31 @@ index 0000000..16c7767
 +	allow systemd_localed_t $1:dbus send_msg;
 +	ps_process_pattern(systemd_localed_t, $1)
 +')
+
+########################################
+## <summary>
+##	Dontaudit attempts to send dbus domains chat messages
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`systemd_dontaudit_dbus_chat',`
+	gen_require(`
+		attribute systemd_domain;
+		class dbus send_msg;
+	')
+
+	dontaudit $1 systemd_domain:dbus send_msg;
+')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..4d56107
+index 0000000..b3ea12d
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,641 @@
+@@ -0,0 +1,642 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -37342,7 +37478,8 @@ index 0000000..4d56107
 +#
 +# Hostnamed policy
 +#
-+dontaudit systemd_hostnamed_t self:capability { sys_admin sys_ptrace };
+allow systemd_hostnamed_t self:capability sys_admin;
+dontaudit systemd_hostnamed_t self:capability sys_ptrace;
 +
 +allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms;
 +allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms;
@ -37791,7 +37928,7 @@ index 0f64692..d7e8a01 100644
 
 ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a5ec88b..32e7d9e 100644
+index a5ec88b..1749342 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@ -37942,16 +38079,17 @@ index a5ec88b..32e7d9e 100644
 
 seutil_read_config(udev_t)
 seutil_read_default_contexts(udev_t)
-@@ -170,6 +188,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -170,6 +188,9 @@ sysnet_signal_dhcpc(udev_t)
 sysnet_manage_config(udev_t)
 sysnet_etc_filetrans_config(udev_t)
 
 +systemd_login_read_pid_files(udev_t)
+systemd_getattr_unit_files(udev_t)
 +
 userdom_dontaudit_search_user_home_content(udev_t)
 
 ifdef(`distro_gentoo',`
-@@ -179,16 +199,9 @@ ifdef(`distro_gentoo',`
+@@ -179,16 +200,9 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
@ -37970,7 +38108,7 @@ index a5ec88b..32e7d9e 100644
 
 	# for arping used for static IP addresses on PCMCIA ethernet
 	netutils_domtrans(udev_t)
-@@ -226,19 +239,34 @@ optional_policy(`
+@@ -226,19 +240,34 @@ optional_policy(`
 
 optional_policy(`
 	cups_domtrans_config(udev_t)
@ -38005,7 +38143,7 @@ index a5ec88b..32e7d9e 100644
 ')
 
 optional_policy(`
-@@ -264,6 +292,10 @@ optional_policy(`
+@@ -264,6 +293,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38016,7 +38154,7 @@ index a5ec88b..32e7d9e 100644
 	openct_read_pid_files(udev_t)
 	openct_domtrans(udev_t)
 ')
-@@ -278,6 +310,15 @@ optional_policy(`
+@@ -278,6 +311,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38032,7 +38170,7 @@ index a5ec88b..32e7d9e 100644
 	unconfined_signal(udev_t)
 ')
 
-@@ -290,6 +331,7 @@ optional_policy(`
+@@ -290,6 +332,7 @@ optional_policy(`
 	kernel_read_xen_state(udev_t)
 	xen_manage_log(udev_t)
 	xen_read_image_files(udev_t)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 28%{?dist}
+Release: 29%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -526,6 +526,41 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Thu Apr 11 2013 Miroslav Grepl <mgrpel@redhat.com> 3.12.1-29
+- Add mising nslcd_dontaudit_write_sock_file() interface
+- one more fix
+- Fix pki_read_tomcat_lib_files() interface
+- Allow certmonger to read pki-tomcat lib files
+- Allow certwatch to execute bin_t
+- Allow snmp to manage /var/lib/net-snmp files
+- Don't audit attempts to write to stream socket of nscld by thumbnailers
+- Allow git_system_t to read network state
+- Allow pegasas to execute mount command
+- Fix desc for drdb_admin
+- Fix condor_amin()
+- Interface fixes for uptime, vdagent, vnstatd
+- Fix labeling for moodle in /var/www/moodle/data
+- Add interface fixes
+- Allow bugzilla to read certs
+- /var/www/moodle needs to be writable by apache
+- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest
+- Fix namespace_init_t to create content with proper labels, and allow it to manage all user content
+- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
+- Fixes for dlm_controld
+- Fix apache_read_sys_content_rw_dirs() interface
+- Allow logrotate to read /var/log/z-push dir
+- Fix sys_nice for cups_domain
+- Allow postfix_postdrop to acces postfix_public socket
+- Allow sched_setscheduler for cupsd_t
+- Add missing context for /usr/sbin/snmpd
+- Kernel_t needs mac_admin in order to support labeled NFS
+- Fix systemd_dontaudit_dbus_chat() interface
+- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest
+- Allow consolehelper domain to write Xauth files in /root
+- Add port definition for osapi_compute port
+- Allow unconfined to create /etc/hostname with correct labeling
+- Add systemd_filetrans_named_hostname() interface
+
 * Mon Apr 8 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-28
 - Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
 - Fixes for dlm_controld