From 0717336accdc62c9b3f8456dab5cf95943f84e36 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Feb 01 2012 12:41:08 +0000 Subject: - Add logging_syslogd_use_tty boolea - Add polipo_connect_all_unreserved bolean - Allow zabbix to connect to ftp port - Allow systemd-logind to be able to switch VTs - Allow apache to communicate with memcached through a sock_file - Allow denyhosts to use fifo files and exec shell - Allow sandbox_nacl to setsched on its process - Allow chrome_sandbox_t to send all signals to sandbox_nacl_t - Allow cupsd_lpd_t to connect to the printer port --- diff --git a/policy-F16.patch b/policy-F16.patch index 84a9a7a..3d81387 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1304,7 +1304,7 @@ index 4f7bd3c..a29af21 100644 - unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..071d66e 100644 +index 7090dae..b8152bc 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t) @@ -1416,7 +1416,18 @@ index 7090dae..071d66e 100644 cups_domtrans(logrotate_t) ') -@@ -200,9 +217,12 @@ optional_policy(` +@@ -178,6 +195,10 @@ optional_policy(` + ') + + optional_policy(` ++ chronyd_read_keys(logrotate_t) ++') ++ ++optional_policy(` + icecast_signal(logrotate_t) + ') + +@@ -200,9 +221,12 @@ optional_policy(` ') optional_policy(` @@ -1430,7 +1441,7 @@ index 7090dae..071d66e 100644 optional_policy(` samba_exec_log(logrotate_t) -@@ -228,3 +248,14 @@ optional_policy(` +@@ -228,3 +252,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -4914,7 +4925,7 @@ index 0000000..a03aec4 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..9da72e0 +index 0000000..9a914b6 --- /dev/null +++ b/policy/modules/apps/chrome.te @@ -0,0 +1,187 @@ 
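Review bot: `chronyd_read_keys(logrotate_t)` opens chrony's key file (presumably /etc/chrony.keys, which holds the NTP authentication secrets) to the whole logrotate domain, which is more than rotating chrony's logs needs. The likely trigger is the chrony logrotate script running `chronyc cyclelogs` without a domain transition, so chronyc executes as logrotate_t and needs the command key; if so, record that above the call, `# chronyc cyclelogs (run from chrony's logrotate script) reads chrony.keys to authenticate to chronyd`, and prefer a domain transition to a dedicated chronyc domain if one is available. The optional_policy block is complete within the hunk.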
@@ -5063,7 +5074,7 @@ index 0000000..9da72e0 +# chrome_sandbox_nacl local policy +# + -+allow chrome_sandbox_nacl_t self:process execmem; ++allow chrome_sandbox_nacl_t self:process { execmem setsched }; +allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms; +allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms; +allow chrome_sandbox_nacl_t self:shm create_shm_perms; @@ -5073,7 +5084,7 @@ index 0000000..9da72e0 + +allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms; +allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms; -+allow chrome_sandbox_t chrome_sandbox_nacl_t:process share; ++allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share }; + +manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) +fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file) @@ -25686,10 +25697,10 @@ index 6480167..e12bbc0 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..dd51579 100644 +index 3136c6a..7770367 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te -@@ -18,130 +18,218 @@ policy_module(apache, 2.2.1) +@@ -18,130 +18,225 @@ policy_module(apache, 2.2.1) # Declarations # @@ -25738,6 +25749,13 @@ index 3136c6a..dd51579 100644 + +## +##
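Review bot: The signal set in `allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share };` is written out longhand while the commit message calls it "all signals"; the reference-policy macro `signal_perms` expresses that intent in one token and keeps the rule in step with any later change to the set, i.e. `allow chrome_sandbox_t chrome_sandbox_nacl_t:process { signal_perms share };` (it also includes sigchld, which a parent does not normally need to send but which does not widen anything meaningful here). The `setsched` added on self in the preceding hunk is fine as written. Both rules sit in the chrome_sandbox_nacl section, the rest of which is outside these hunks.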

++## Allow httpd processes to manage IPA content
++##

++##
++gen_tunable(httpd_manage_ipa, false) ++ ++## ++##

+## Allow httpd daemon to change system limits
+##

+##
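Review bot: The description of `httpd_manage_ipa`, `Allow httpd processes to manage IPA content`, does not tell an administrator what the boolean grants; in this patch its only use is `memcached_manage_pid_files(httpd_t)` in apache.te, i.e. create, write and unlink on memcached's pid files under /var/run. A wording such as `Allow httpd to manage memcached pid files, as FreeIPA's web interface requires` lets the boolean be judged on what it actually enables, and a short comment at the use site pointing back to the bug or AVC would help too. The markup around the description appears stripped in this rendering, so only the wording is at issue.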
@@ -25964,7 +25982,7 @@ index 3136c6a..dd51579 100644 attribute httpdcontent; attribute httpd_user_content_type; -@@ -166,7 +254,7 @@ files_type(httpd_cache_t) +@@ -166,7 +261,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -25973,7 +25991,7 @@ index 3136c6a..dd51579 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -177,6 +265,9 @@ role system_r types httpd_helper_t; +@@ -177,6 +272,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -25983,7 +26001,7 @@ index 3136c6a..dd51579 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -216,7 +307,17 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +314,17 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -26002,7 +26020,7 @@ index 3136c6a..dd51579 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +327,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +334,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -26013,7 +26031,7 @@ index 3136c6a..dd51579 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +338,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +345,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -26021,7 +26039,7 @@ index 3136c6a..dd51579 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +360,23 @@ files_type(httpd_var_lib_t) +@@ -254,14 +367,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -26045,7 +26063,7 @@ index 3136c6a..dd51579 100644 ######################################## # # Apache server local policy -@@ -281,11 +396,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +403,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -26059,7 +26077,7 @@ index 3136c6a..dd51579 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +446,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +453,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -26070,7 +26088,7 @@ index 3136c6a..dd51579 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -355,6 +473,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +480,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
@@ -26080,7 +26098,7 @@ index 3136c6a..dd51579 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +486,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +493,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -26097,7 +26115,7 @@ index 3136c6a..dd51579 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +503,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +510,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -26113,7 +26131,7 @@ index 3136c6a..dd51579 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +516,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +523,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -26121,7 +26139,7 @@ index 3136c6a..dd51579 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +528,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +535,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -26225,7 +26243,7 @@ index 3136c6a..dd51579 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,25 +635,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,25 +642,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) 
@@ -26283,7 +26301,7 @@ index 3136c6a..dd51579 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +693,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +700,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -26300,7 +26318,7 @@ index 3136c6a..dd51579 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +717,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +724,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -26321,7 +26339,7 @@ index 3136c6a..dd51579 100644 ') optional_policy(` -@@ -513,7 +741,13 @@ optional_policy(` +@@ -513,7 +748,13 @@ optional_policy(` ') optional_policy(` @@ -26336,7 +26354,7 @@ index 3136c6a..dd51579 100644 ') optional_policy(` -@@ -528,7 +762,19 @@ optional_policy(` +@@ -528,7 +769,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -26357,7 +26375,7 @@ index 3136c6a..dd51579 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +783,13 @@ optional_policy(` +@@ -537,8 +790,13 @@ optional_policy(` ') optional_policy(` @@ -26372,7 +26390,7 @@ index 3136c6a..dd51579 100644 ') ') -@@ -556,7 +807,13 @@ optional_policy(` +@@ -556,7 +814,21 @@ optional_policy(` ') optional_policy(` @@ -26381,12 +26399,20 @@ index 3136c6a..dd51579 100644 +') + +optional_policy(` ++ memcached_stream_connect(httpd_t) ++ ++ tunable_policy(`httpd_manage_ipa',` ++ memcached_manage_pid_files(httpd_t) ++ ') ++') ++ ++optional_policy(` # Allow httpd to work with mysql + mysql_read_config(httpd_t) mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +824,7 @@ optional_policy(` +@@ -567,6 +839,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) 
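Review bot: `memcached_stream_connect(httpd_t)` sits outside the `httpd_manage_ipa` tunable, so every httpd with the memcached module loaded may connect to memcached's socket unconditionally while only the pid-file rule is gated; if the connect is likewise IPA-specific, move it inside the tunable_policy block. Separately, `manage` on memcached_var_run_t lets a compromised httpd rewrite memcached's pid file, which matters if anything later signals the pid recorded there; if IPA's real need is narrower (for example only the socket), a narrower rule would be preferable to manage on the file class. The mysql optional_policy block continues past the end of this hunk.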
@@ -26394,7 +26420,7 @@ index 3136c6a..dd51579 100644 ') optional_policy(` -@@ -577,6 +835,20 @@ optional_policy(` +@@ -577,6 +850,20 @@ optional_policy(` ') optional_policy(` @@ -26415,7 +26441,7 @@ index 3136c6a..dd51579 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +863,11 @@ optional_policy(` +@@ -591,6 +878,11 @@ optional_policy(` ') optional_policy(` @@ -26427,7 +26453,7 @@ index 3136c6a..dd51579 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +880,12 @@ optional_policy(` +@@ -603,6 +895,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -26440,7 +26466,7 @@ index 3136c6a..dd51579 100644 ######################################## # # Apache helper local policy -@@ -616,7 +899,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +914,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -26453,7 +26479,7 @@ index 3136c6a..dd51579 100644 ######################################## # -@@ -654,28 +941,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +956,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -26497,7 +26523,7 @@ index 3136c6a..dd51579 100644 ') ######################################## -@@ -685,6 +974,8 @@ optional_policy(` +@@ -685,6 +989,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; 
@@ -26506,7 +26532,7 @@ index 3136c6a..dd51579 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +990,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +1005,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -26532,7 +26558,7 @@ index 3136c6a..dd51579 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1036,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1051,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -26565,7 +26591,7 @@ index 3136c6a..dd51579 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1083,25 @@ optional_policy(` +@@ -769,6 +1098,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -26591,7 +26617,7 @@ index 3136c6a..dd51579 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1122,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1137,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -26609,7 +26635,7 @@ index 3136c6a..dd51579 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1141,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1156,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -26666,7 +26692,7 @@ index 3136c6a..dd51579 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1192,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1207,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -26697,7 +26723,7 @@ index 3136c6a..dd51579 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1227,20 @@ optional_policy(` +@@ -842,10 +1242,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -26718,7 +26744,7 @@ index 3136c6a..dd51579 100644 ') ######################################## -@@ -891,11 +1286,49 @@ optional_policy(` +@@ -891,11 +1301,49 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -33224,7 +33250,7 @@ index 305ddf4..173cd16 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..4082621 100644 +index 0f28095..50a94a4 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) 
@@ -33396,7 +33422,15 @@ index 0f28095..4082621 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -587,13 +614,17 @@ auth_use_nsswitch(cups_pdf_t) +@@ -537,6 +564,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) + corenet_tcp_bind_generic_node(cupsd_lpd_t) + corenet_udp_bind_generic_node(cupsd_lpd_t) + corenet_tcp_connect_ipp_port(cupsd_lpd_t) ++corenet_tcp_connect_printer_port(cupsd_lpd_t) + + dev_read_urand(cupsd_lpd_t) + dev_read_rand(cupsd_lpd_t) +@@ -587,13 +615,17 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -33416,7 +33450,7 @@ index 0f28095..4082621 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_auto_mountpoints(cups_pdf_t) -@@ -606,6 +637,10 @@ tunable_policy(`use_samba_home_dirs',` +@@ -606,6 +638,10 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(cups_pdf_t) ') @@ -33427,7 +33461,7 @@ index 0f28095..4082621 100644 ######################################## # # HPLIP local policy -@@ -639,7 +674,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +@@ -639,7 +675,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) @@ -33436,7 +33470,7 @@ index 0f28095..4082621 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +720,7 @@ domain_use_interactive_fds(hplip_t) +@@ -685,6 +721,7 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) 
@@ -33444,7 +33478,7 @@ index 0f28095..4082621 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +732,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +733,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -34432,20 +34466,29 @@ index 567865f..9c9e65c 100644 admin_pattern($1, denyhosts_var_lock_t) ') diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te -index 8ba9425..b10da2c 100644 +index 8ba9425..5aaad2f 100644 --- a/policy/modules/services/denyhosts.te +++ b/policy/modules/services/denyhosts.te -@@ -25,7 +25,8 @@ logging_log_file(denyhosts_var_log_t) +@@ -25,7 +25,9 @@ logging_log_file(denyhosts_var_log_t) # # DenyHosts personal policy. # - +# Bug #588563 +allow denyhosts_t self:capability sys_tty_config; ++allow denyhosts_t self:fifo_file rw_fifo_file_perms; allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms; allow denyhosts_t self:tcp_socket create_socket_perms; allow denyhosts_t self:udp_socket create_socket_perms; -@@ -53,20 +54,28 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t) +@@ -45,6 +47,7 @@ logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file) + + kernel_read_system_state(denyhosts_t) + ++corecmd_exec_shell(denyhosts_t) + corecmd_exec_bin(denyhosts_t) + + corenet_all_recvfrom_unlabeled(denyhosts_t) +@@ -53,20 +56,28 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t) corenet_tcp_sendrecv_generic_node(denyhosts_t) corenet_tcp_bind_generic_node(denyhosts_t) corenet_tcp_connect_smtp_port(denyhosts_t) @@ -43519,7 +43562,7 @@ index 98d28b4..1c1d012 100644 + delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) +') diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if -index db4fd6f..5008a6c 100644 +index db4fd6f..7fe8321 100644 --- a/policy/modules/services/memcached.if +++ b/policy/modules/services/memcached.if 
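Review bot: `corecmd_exec_shell(denyhosts_t)` together with `allow denyhosts_t self:fifo_file rw_fifo_file_perms;` lets a daemon whose input is attacker-influenced sshd log lines spawn a shell, which enlarges what a parsing or injection flaw in it can reach. If these are needed only for the optional external deny/purge hook commands (presumably why a shell is involved), gate them behind a tunable, or at least carry a comment naming the trigger the way `# Bug #588563` does for `sys_tty_config` two lines above. The rest of denyhosts_t's policy lies outside these hunks.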
@@ -5,15 +5,14 @@ @@ -43541,7 +43584,52 @@ index db4fd6f..5008a6c 100644 ') domtrans_pattern($1, memcached_exec_t, memcached_t) -@@ -57,8 +56,7 @@ interface(`memcached_read_pid_files',` +@@ -40,6 +39,44 @@ interface(`memcached_read_pid_files',` + + ######################################## + ## ++## Manage memcached PID files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`memcached_manage_pid_files',` ++ gen_require(` ++ type memcached_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t) ++') ++ ++######################################## ++## ++## Connect to memcached over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`memcached_stream_connect',` ++ gen_require(` ++ type memcached_t, memcached_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t) ++') ++ ++######################################## ++## + ## All of the rules required to administrate + ## an memcached environment + ## +@@ -57,8 +94,7 @@ interface(`memcached_read_pid_files',` # interface(`memcached_admin',` gen_require(` @@ -43551,7 +43639,7 @@ index db4fd6f..5008a6c 100644 ') allow $1 memcached_t:process { ptrace signal_perms }; -@@ -69,5 +67,6 @@ interface(`memcached_admin',` +@@ -69,5 +105,6 @@ interface(`memcached_admin',` role_transition $2 memcached_initrc_exec_t system_r; allow $2 system_r; @@ -50082,10 +50170,10 @@ index 0000000..b11f37a +') diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te new file mode 100644 -index 0000000..89ab1b6 +index 0000000..7750ace --- /dev/null +++ b/policy/modules/services/polipo.te -@@ -0,0 +1,159 @@ +@@ -0,0 +1,170 @@ +policy_module(polipo, 1.0.0) + +######################################## @@ -50134,6 +50222,13 @@ index 0000000..89ab1b6 +## +gen_tunable(polipo_session_send_syslog_msg, false) + ++## ++##
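Review bot: `manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t)` passes four arguments to a three-argument pattern; m4 silently discards the trailing `memcached_t`, so the rule compiles, but the stray argument (which is not even in this interface's gen_require) looks copied from `stream_connect_pattern` and will mislead the next reader into thinking the rule is socket-related. Change it to `manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)`. Note also that the interface grants the `file` class only, so callers that need the memcached socket still rely on `memcached_stream_connect`, which is the right interface for that.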

++## Allow polipo to connect to all ports > 1023
++##

++##
++gen_tunable(polipo_connect_all_unreserved, false) ++ +attribute polipo_daemon; + +type polipo_t, polipo_daemon; @@ -50205,6 +50300,10 @@ index 0000000..89ab1b6 + +logging_send_syslog_msg(polipo_t) + ++tunable_policy(`polipo_connect_all_unreserved',` ++ corenet_tcp_connect_all_unreserved_ports(polipo_t) ++') ++ +tunable_policy(`polipo_use_cifs',` + fs_manage_cifs_files(polipo_t) +') @@ -64094,7 +64193,7 @@ index 4966c94..cb2e1a3 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..351ed06 100644 +index 130ced9..69aedbf 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -64332,12 +64431,14 @@ index 130ced9..351ed06 100644 ') allow $2 self:shm create_shm_perms; -@@ -456,11 +495,18 @@ template(`xserver_user_x_domain_template',` +@@ -456,11 +495,20 @@ template(`xserver_user_x_domain_template',` allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; + userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".DCOP") + userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority") ++ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-c") ++ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-n") + userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority") + userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth") + userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors") @@ -64353,7 +64454,7 @@ index 130ced9..351ed06 100644 dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -472,20 +518,26 @@ template(`xserver_user_x_domain_template',` +@@ -472,20 +520,26 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) 
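Review bot: `corenet_tcp_connect_all_unreserved_ports(polipo_t)` covers only ports labelled unreserved_port_t; the zabbix hunk later in this patch treats ephemeral ports as a separate set and pairs that call with `corenet_tcp_connect_all_ephemeral_ports`, so a proxy expected to reach origin servers on arbitrary high ports may still be denied with this boolean on. If that is the intent, add `corenet_tcp_connect_all_ephemeral_ports(polipo_t)` inside the same tunable_policy block; the default of false is the right choice for a forwarding proxy. The remainder of polipo_t's rules is outside these hunks.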
@@ -64382,7 +64483,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -517,6 +569,7 @@ interface(`xserver_use_user_fonts',` +@@ -517,6 +571,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; @@ -64390,7 +64491,7 @@ index 130ced9..351ed06 100644 # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -549,6 +602,24 @@ interface(`xserver_domtrans_xauth',` +@@ -549,6 +604,24 @@ interface(`xserver_domtrans_xauth',` ######################################## ## @@ -64415,7 +64516,7 @@ index 130ced9..351ed06 100644 ## Create a Xauthority file in the user home directory. ## ## -@@ -598,6 +669,7 @@ interface(`xserver_read_user_xauth',` +@@ -598,6 +671,7 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -64423,7 +64524,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -615,7 +687,7 @@ interface(`xserver_setattr_console_pipes',` +@@ -615,7 +689,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') @@ -64432,7 +64533,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -638,6 +710,25 @@ interface(`xserver_rw_console',` +@@ -638,6 +712,25 @@ interface(`xserver_rw_console',` ######################################## ## @@ -64458,7 +64559,7 @@ index 130ced9..351ed06 100644 ## Use file descriptors for xdm. ## ## -@@ -651,7 +742,7 @@ interface(`xserver_use_xdm_fds',` +@@ -651,7 +744,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') @@ -64467,7 +64568,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -670,7 +761,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` +@@ -670,7 +763,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') 
@@ -64476,7 +64577,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -688,7 +779,7 @@ interface(`xserver_rw_xdm_pipes',` +@@ -688,7 +781,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') @@ -64485,7 +64586,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -703,12 +794,11 @@ interface(`xserver_rw_xdm_pipes',` +@@ -703,12 +796,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` @@ -64499,7 +64600,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -724,11 +814,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` +@@ -724,11 +816,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -64533,7 +64634,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -752,6 +862,25 @@ interface(`xserver_read_xdm_rw_config',` +@@ -752,6 +864,25 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## @@ -64559,7 +64660,7 @@ index 130ced9..351ed06 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -765,7 +894,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -765,7 +896,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -64568,7 +64669,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -805,7 +934,26 @@ interface(`xserver_read_xdm_pid',` +@@ -805,7 +936,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -64596,7 +64697,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -828,6 +976,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -828,6 +978,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## 
@@ -64621,7 +64722,7 @@ index 130ced9..351ed06 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -897,7 +1063,7 @@ interface(`xserver_getattr_log',` +@@ -897,7 +1065,7 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -64630,7 +64731,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -916,7 +1082,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -916,7 +1084,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -64639,7 +64740,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -963,6 +1129,45 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1131,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -64685,7 +64786,7 @@ index 130ced9..351ed06 100644 ## Read xdm temporary files. ## ## -@@ -976,7 +1181,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -976,7 +1183,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -64694,7 +64795,7 @@ index 130ced9..351ed06 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1038,6 +1243,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1038,6 +1245,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -64737,7 +64838,7 @@ index 130ced9..351ed06 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1052,7 +1293,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1052,7 +1295,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -64746,7 +64847,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -1070,8 +1311,10 @@ interface(`xserver_domtrans',` +@@ -1070,8 +1313,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') 
@@ -64758,7 +64859,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -1185,6 +1428,26 @@ interface(`xserver_stream_connect',` +@@ -1185,6 +1430,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -64785,7 +64886,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -1210,7 +1473,7 @@ interface(`xserver_read_tmp_files',` +@@ -1210,7 +1475,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -64794,7 +64895,7 @@ index 130ced9..351ed06 100644 ## ## ## -@@ -1220,13 +1483,23 @@ interface(`xserver_read_tmp_files',` +@@ -1220,13 +1485,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -64819,7 +64920,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -1243,10 +1516,458 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1518,458 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -66510,7 +66611,7 @@ index c9981d1..d0931f9 100644 corenet_sendrecv_zabbix_agent_client_packets($1) diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te -index 7f88f5f..4d704e8 100644 +index 7f88f5f..7d8a06e 100644 --- a/policy/modules/services/zabbix.te +++ b/policy/modules/services/zabbix.te @@ -5,6 +5,13 @@ policy_module(zabbix, 1.3.1) 
@@ -66568,7 +66669,7 @@ index 7f88f5f..4d704e8 100644 # shared memory rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file) -@@ -58,25 +75,53 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +@@ -58,25 +75,55 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) @@ -66580,8 +66681,10 @@ index 7f88f5f..4d704e8 100644 + corenet_tcp_bind_generic_node(zabbix_t) corenet_tcp_bind_zabbix_port(zabbix_t) -+#needed by zabbix-server-mysql ++# needed by zabbix-server-mysql +corenet_tcp_connect_http_port(zabbix_t) ++# to monitor ftp urls ++corenet_tcp_connect_ftp_port(zabbix_t) + +dev_read_urand(zabbix_t) @@ -66597,8 +66700,8 @@ index 7f88f5f..4d704e8 100644 zabbix_agent_tcp_connect(zabbix_t) +tunable_policy(`zabbix_can_network',` -+ corenet_tcp_connect_all_unreserved_ports(zabbix_t) -+ corenet_tcp_connect_all_ephemeral_ports(zabbix_t) ++ corenet_tcp_connect_all_unreserved_ports(zabbix_t) ++ corenet_tcp_connect_all_ephemeral_ports(zabbix_t) +') + optional_policy(` @@ -66624,7 +66727,7 @@ index 7f88f5f..4d704e8 100644 ######################################## # # zabbix agent local policy -@@ -134,3 +179,4 @@ sysnet_dns_name_resolve(zabbix_agent_t) +@@ -134,3 +181,4 @@ sysnet_dns_name_resolve(zabbix_agent_t) # Network access to zabbix server zabbix_tcp_connect(zabbix_agent_t) @@ -71469,10 +71572,10 @@ index 831b909..efe1038 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index b6ec597..8c7803a 100644 +index b6ec597..aea710e 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -5,6 +5,13 @@ policy_module(logging, 1.17.2) +@@ -5,6 +5,20 @@ policy_module(logging, 1.17.2) # Declarations # 
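Review bot: `corenet_tcp_connect_ftp_port(zabbix_t)` is granted unconditionally, yet the `zabbix_can_network` tunable a few lines below exists to gate exactly this kind of outbound connection; URL monitoring is optional, so the ftp rule (and arguably the existing http one above it) belongs inside that tunable_policy block rather than beside it. The hunk also reindents the two existing `corenet_tcp_connect_*` calls inside tunable_policy, a whitespace-only change that could be dropped to keep the diff to the ftp addition. The zabbix_t section continues beyond this hunk.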
@@ -71483,10 +71586,17 @@ index b6ec597..8c7803a 100644 +## +gen_tunable(logging_syslogd_can_sendmail, false) + ++## ++##

++## Allow syslogd the ability to read/write terminals ++##

++##
++gen_tunable(logging_syslogd_use_tty, false) ++ attribute logfile; type auditctl_t; -@@ -20,6 +27,7 @@ files_security_file(auditd_log_t) +@@ -20,6 +34,7 @@ files_security_file(auditd_log_t) files_security_mountpoint(auditd_log_t) type audit_spool_t; @@ -71494,7 +71604,7 @@ index b6ec597..8c7803a 100644 files_security_file(audit_spool_t) files_security_mountpoint(audit_spool_t) -@@ -64,6 +72,7 @@ files_config_file(syslog_conf_t) +@@ -64,6 +79,7 @@ files_config_file(syslog_conf_t) type syslogd_t; type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) @@ -71502,7 +71612,7 @@ index b6ec597..8c7803a 100644 type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) -@@ -111,7 +120,7 @@ domain_use_interactive_fds(auditctl_t) +@@ -111,7 +127,7 @@ domain_use_interactive_fds(auditctl_t) mls_file_read_all_levels(auditctl_t) @@ -71511,7 +71621,7 @@ index b6ec597..8c7803a 100644 init_dontaudit_use_fds(auditctl_t) -@@ -183,16 +192,19 @@ logging_send_syslog_msg(auditd_t) +@@ -183,16 +199,19 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -71532,7 +71642,7 @@ index b6ec597..8c7803a 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -237,10 +249,17 @@ corecmd_exec_shell(audisp_t) +@@ -237,10 +256,17 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) @@ -71550,7 +71660,7 @@ index b6ec597..8c7803a 100644 logging_send_syslog_msg(audisp_t) -@@ -250,6 +269,10 @@ sysnet_dns_name_resolve(audisp_t) +@@ -250,6 +276,10 @@ sysnet_dns_name_resolve(audisp_t) optional_policy(` dbus_system_bus_client(audisp_t) @@ -71561,7 +71671,7 @@ index b6ec597..8c7803a 100644 ') ######################################## -@@ -280,11 +303,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,11 +310,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) 
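Review bot: The description added for the new `logging_syslogd_use_tty` tunable, `Allow syslogd the ability to read/write terminals`, understates what enabling it does: the permissions it controls (granted elsewhere via `term_use_all_ttys`/`term_use_all_ptys`) apply to every tty and pty on the system, including terminals of logged-in users, and read access means syslogd could observe those sessions. A boolean description is what an administrator reads before flipping it, so state the scope and the likely reason: `## Allow syslogd to read and write all tty and pty devices, e.g. to deliver log messages to logged-in users' terminals. This also lets syslogd read from every user's terminal, so leave it off unless the syslog daemon requires it.` The matching `tunable_policy` block lives in a later hunk of this file, not here.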
@@ -71582,7 +71692,7 @@ index b6ec597..8c7803a 100644 sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -354,11 +386,12 @@ optional_policy(` +@@ -354,11 +393,12 @@ optional_policy(` # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! @@ -71597,7 +71707,7 @@ index b6ec597..8c7803a 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -376,6 +409,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -376,6 +416,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -71605,7 +71715,7 @@ index b6ec597..8c7803a 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -385,9 +419,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -385,9 +426,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -71621,10 +71731,15 @@ index b6ec597..8c7803a 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -426,9 +466,18 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -426,9 +473,23 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) ++tunable_policy(`logging_syslogd_use_tty',` ++ term_use_all_ttys(syslogd_t) ++ term_use_all_ptys(syslogd_t) ++') ++ +tunable_policy(`logging_syslogd_can_sendmail',` + # support for ommail module to send logs via mail + corenet_tcp_connect_smtp_port(syslogd_t) 
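Review bot: The new `tunable_policy(`logging_syslogd_use_tty',` block grants `term_use_all_ttys(syslogd_t)` and `term_use_all_ptys(syslogd_t)`, i.e. read as well as write on every terminal, while the surrounding unconditional rules visible here (`term_write_console`, `term_write_unallocated_ttys`, with the comment `# for sending messages to logged in users`) only ever need to write. If delivering messages to users' terminals is the use case, a write-only interface satisfies it without letting syslogd read from interactive sessions; if this policy's terminal module provides something like `term_write_all_ttys`/`term_write_all_ptys` (not visible from here), prefer those, otherwise add a comment recording why read is required. Either way the block deserves a why-comment, e.g. `# syslog implementations that write messages to users' terminals; off by default`.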
@@ -71640,7 +71755,7 @@ index b6ec597..8c7803a 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,6 +497,7 @@ term_write_console(syslogd_t) +@@ -448,6 +509,7 @@ term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) @@ -71648,7 +71763,7 @@ index b6ec597..8c7803a 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -459,6 +509,7 @@ init_use_fds(syslogd_t) +@@ -459,6 +521,7 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -71656,7 +71771,7 @@ index b6ec597..8c7803a 100644 miscfiles_read_localization(syslogd_t) -@@ -496,11 +547,20 @@ optional_policy(` +@@ -496,11 +559,20 @@ optional_policy(` ') optional_policy(` @@ -75356,7 +75471,7 @@ index 0000000..1688a39 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..9e08125 +index 0000000..567c78c --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,381 @@ @@ -75420,7 +75535,7 @@ index 0000000..9e08125 +# + +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER) -+allow systemd_logind_t self:capability { chown dac_override fowner }; ++allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config }; +allow systemd_logind_t self:process getcap; +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; +allow systemd_logind_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 3265b0a..433db05 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 74%{?dist} +Release: 75%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
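Review bot: `sys_tty_config` is added to the `systemd_logind_t self:capability` set without a comment, although the line just above documents why `dac_override` is granted (`# dac_override is for /run/user/$USER`); the changelog says the new capability is for switching VTs. Record that intent next to the rule, since CAP_SYS_TTY_CONFIG also covers vhangup and other privileged console ioctls and a later audit should know which use was meant: `# sys_tty_config is for switching VTs`.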
@@ -466,6 +466,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Feb 1 2012 Miroslav Grepl 3.10.0-75 +- Add logging_syslogd_use_tty boolea +- Add polipo_connect_all_unreserved bolean +- Allow zabbix to connect to ftp port +- Allow systemd-logind to be able to switch VTs +- Allow apache to communicate with memcached through a sock_file +- Allow denyhosts to use fifo files and exec shell +- Allow sandbox_nacl to setsched on its process +- Allow chrome_sandbox_t to send all signals to sandbox_nacl_t +- Allow cupsd_lpd_t to connect to the printer port + * Thu Jan 26 2012 Miroslav Grepl 3.10.0-74 - Add httpd_can_connect_zabbix boolean - apcupsd_t needs to use seriel ports connected to usb devices