From 22af8f3eab793957b235390c2830234ca0282705 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Jan 26 2012 17:50:35 +0000 Subject: - Add httpd_can_connect_zabbix boolean - apcupsd_t needs to use seriel ports connected to usb devices - Allow deltacloudd dac_override, setuid, setgid caps - Add zabbix_can_network boolean - setroubleshoot needs to be able to execute rpm --- diff --git a/policy-F16.patch b/policy-F16.patch index 82deced..84a9a7a 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -25686,10 +25686,10 @@ index 6480167..e12bbc0 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..2aee986 100644 +index 3136c6a..dd51579 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te -@@ -18,130 +18,210 @@ policy_module(apache, 2.2.1) +@@ -18,130 +18,218 @@ policy_module(apache, 2.2.1) # Declarations # @@ -25804,17 +25804,25 @@ index 3136c6a..2aee986 100644 ## gen_tunable(httpd_can_sendmail, false) - ## --##

--## Allow Apache to communicate with avahi service via dbus --##

++ ++## ++##

++## Allow http daemon to connect to zabbix ++##

++##
++gen_tunable(httpd_can_connect_zabbix, false) ++ ++## +##

+## Allow http daemon to check spam +##

+##
+gen_tunable(httpd_can_check_spam, false) + -+## + ## +-##

+-## Allow Apache to communicate with avahi service via dbus +-##

+##

+## Allow Apache to communicate with avahi service via dbus +##

@@ -25956,7 +25964,7 @@ index 3136c6a..2aee986 100644 attribute httpdcontent; attribute httpd_user_content_type; -@@ -166,7 +246,7 @@ files_type(httpd_cache_t) +@@ -166,7 +254,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -25965,7 +25973,7 @@ index 3136c6a..2aee986 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -177,6 +257,9 @@ role system_r types httpd_helper_t; +@@ -177,6 +265,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -25975,7 +25983,7 @@ index 3136c6a..2aee986 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -216,7 +299,17 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +307,17 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -25994,7 +26002,7 @@ index 3136c6a..2aee986 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +319,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +327,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -26005,7 +26013,7 @@ index 3136c6a..2aee986 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +330,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +338,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -26013,7 +26021,7 @@ index 3136c6a..2aee986 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +352,23 @@ files_type(httpd_var_lib_t) +@@ -254,14 +360,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -26037,7 +26045,7 @@ index 3136c6a..2aee986 100644 ######################################## # # Apache server local policy -@@ -281,11 +388,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +396,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -26051,7 +26059,7 @@ index 3136c6a..2aee986 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +438,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +446,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -26062,7 +26070,7 @@ index 3136c6a..2aee986 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -355,6 +465,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +473,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
@@ -26072,7 +26080,7 @@ index 3136c6a..2aee986 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +478,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +486,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -26089,7 +26097,7 @@ index 3136c6a..2aee986 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +495,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +503,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -26105,7 +26113,7 @@ index 3136c6a..2aee986 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +508,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +516,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -26113,7 +26121,7 @@ index 3136c6a..2aee986 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +520,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +528,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -26217,7 +26225,7 @@ index 3136c6a..2aee986 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,25 +627,51 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,25 +635,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) 
@@ -26240,6 +26248,10 @@ index 3136c6a..2aee986 100644 + corenet_tcp_connect_ldap_port(httpd_t) +') + ++tunable_policy(`httpd_can_connect_zabbix',` ++ corenet_tcp_connect_zabbix_port(httpd_t) ++') ++ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) + corenet_tcp_bind_all_ephemeral_ports(httpd_t) @@ -26271,7 +26283,7 @@ index 3136c6a..2aee986 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +681,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +693,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -26288,7 +26300,7 @@ index 3136c6a..2aee986 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +705,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +717,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -26309,7 +26321,7 @@ index 3136c6a..2aee986 100644 ') optional_policy(` -@@ -513,7 +729,13 @@ optional_policy(` +@@ -513,7 +741,13 @@ optional_policy(` ') optional_policy(` @@ -26324,7 +26336,7 @@ index 3136c6a..2aee986 100644 ') optional_policy(` -@@ -528,7 +750,19 @@ optional_policy(` +@@ -528,7 +762,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -26345,7 +26357,7 @@ index 3136c6a..2aee986 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +771,13 @@ optional_policy(` +@@ -537,8 +783,13 @@ optional_policy(` ') optional_policy(` @@ -26360,7 +26372,7 @@ index 3136c6a..2aee986 100644 ') ') -@@ -556,7 +795,13 @@ optional_policy(` +@@ -556,7 +807,13 @@ optional_policy(` ') optional_policy(` 
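Review bot: The new `httpd_can_connect_zabbix` block grants only `corenet_tcp_connect_zabbix_port(httpd_t)`, whereas the neighbouring `httpd_can_sendmail` block in the same file pairs its connect rule with `corenet_sendrecv_smtp_client_packets(httpd_t)`; if packet labelling is in force for httpd, the zabbix connection would still be refused at the packet class. If the generated per-port packet interface is available, the block would read `corenet_tcp_connect_zabbix_port(httpd_t)` followed by `corenet_sendrecv_zabbix_client_packets(httpd_t)`. Either way, a one-line comment naming the Apache use case that needs the zabbix server port (presumably a Zabbix web front end, but the commit does not say) would help the next reader, since the tunable description only says "connect to zabbix".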
@@ -26374,7 +26386,7 @@ index 3136c6a..2aee986 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +812,7 @@ optional_policy(` +@@ -567,6 +824,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -26382,7 +26394,7 @@ index 3136c6a..2aee986 100644 ') optional_policy(` -@@ -577,6 +823,20 @@ optional_policy(` +@@ -577,6 +835,20 @@ optional_policy(` ') optional_policy(` @@ -26403,7 +26415,7 @@ index 3136c6a..2aee986 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +851,11 @@ optional_policy(` +@@ -591,6 +863,11 @@ optional_policy(` ') optional_policy(` @@ -26415,7 +26427,7 @@ index 3136c6a..2aee986 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +868,12 @@ optional_policy(` +@@ -603,6 +880,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -26428,7 +26440,7 @@ index 3136c6a..2aee986 100644 ######################################## # # Apache helper local policy -@@ -616,7 +887,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +899,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -26441,7 +26453,7 @@ index 3136c6a..2aee986 100644 ######################################## # -@@ -654,28 +929,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +941,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -26485,7 +26497,7 @@ index 3136c6a..2aee986 100644 ') ######################################## -@@ -685,6 +962,8 @@ optional_policy(` +@@ -685,6 +974,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; 
@@ -26494,7 +26506,7 @@ index 3136c6a..2aee986 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +978,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +990,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -26520,7 +26532,7 @@ index 3136c6a..2aee986 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1024,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1036,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -26553,7 +26565,7 @@ index 3136c6a..2aee986 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1071,25 @@ optional_policy(` +@@ -769,6 +1083,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -26579,7 +26591,7 @@ index 3136c6a..2aee986 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1110,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1122,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -26597,7 +26609,7 @@ index 3136c6a..2aee986 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1129,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1141,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -26654,7 +26666,7 @@ index 3136c6a..2aee986 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1180,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1192,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -26685,7 +26697,7 @@ index 3136c6a..2aee986 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1215,20 @@ optional_policy(` +@@ -842,10 +1227,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -26706,7 +26718,7 @@ index 3136c6a..2aee986 100644 ') ######################################## -@@ -891,11 +1274,49 @@ optional_policy(` +@@ -891,11 +1286,49 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -26724,13 +26736,13 @@ index 3136c6a..2aee986 100644 + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) - ') ++') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_t) + userdom_read_user_home_content_files(httpd_suexec_t) + userdom_read_user_home_content_files(httpd_user_script_t) -+') + ') + +######################################## +# @@ -26778,10 +26790,18 @@ index cd07b96..9b7742f 100644 /var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) +/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te -index d052bf0..ec55314 100644 +index d052bf0..3059bd2 100644 
--- a/policy/modules/services/apcupsd.te +++ b/policy/modules/services/apcupsd.te -@@ -87,13 +87,17 @@ miscfiles_read_localization(apcupsd_t) +@@ -76,6 +76,7 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file) + + # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805 + term_use_unallocated_ttys(apcupsd_t) ++term_use_usb_ttys(apcupsd_t) + + #apcupsd runs shutdown, probably need a shutdown domain + init_rw_utmp(apcupsd_t) +@@ -87,13 +88,17 @@ miscfiles_read_localization(apcupsd_t) sysnet_dns_name_resolve(apcupsd_t) @@ -50750,7 +50770,7 @@ index 46bee12..76b68b5 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index a32c4b3..c24aed3 100644 +index a32c4b3..f639ebb 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) @@ -51093,7 +51113,7 @@ index a32c4b3..c24aed3 100644 allow postfix_smtp_t postfix_spool_t:file rw_file_perms; -+rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + files_search_all_mountpoints(postfix_smtp_t) @@ -58216,7 +58236,7 @@ index bcdd16c..7c379a8 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te -index 086cd5f..a181f01 100644 +index 086cd5f..6e66656 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t) 
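Review bot: The new `term_use_usb_ttys(apcupsd_t)` lands directly under the existing comment `# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805`, which documents the `term_use_unallocated_ttys` line, so a reader will attribute the USB tty grant to that bug. Give it its own one-line reason matching the changelog entry, placed above the new line, e.g. `# UPS attached through a USB serial adapter`.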
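Review bot: The `rw_files_pattern` line changes its subject from `postfix_master_t` to `postfix_smtp_t`, which both removes the master daemon's read/write access to `postfix_spool_maildrop_t` and grants it to the smtp client, yet neither the commit message nor the spec changelog mentions postfix at all. The surrounding rules in this hunk are all for `postfix_smtp_t`, so this presumably corrects a copy-paste slip, but if `postfix_master_t` still needs maildrop access the change silently breaks it. Whichever is intended, it deserves its own changelog line so the behaviour change is traceable.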
@@ -58277,7 +58297,7 @@ index 086cd5f..a181f01 100644 seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) seutil_read_bin_policy(setroubleshootd_t) -@@ -121,6 +128,18 @@ seutil_read_bin_policy(setroubleshootd_t) +@@ -121,10 +128,23 @@ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` @@ -58296,7 +58316,12 @@ index 086cd5f..a181f01 100644 dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ') -@@ -151,7 +170,11 @@ kernel_read_system_state(setroubleshoot_fixit_t) + optional_policy(` ++ rpm_exec(setroubleshootd_t) + rpm_signull(setroubleshootd_t) + rpm_read_db(setroubleshootd_t) + rpm_dontaudit_manage_db(setroubleshootd_t) +@@ -151,7 +171,11 @@ kernel_read_system_state(setroubleshoot_fixit_t) corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) @@ -58308,7 +58333,7 @@ index 086cd5f..a181f01 100644 files_read_usr_files(setroubleshoot_fixit_t) files_read_etc_files(setroubleshoot_fixit_t) -@@ -164,6 +187,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) +@@ -164,6 +188,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) @@ -66485,10 +66510,24 @@ index c9981d1..d0931f9 100644 corenet_sendrecv_zabbix_agent_client_packets($1) diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te -index 7f88f5f..5f1e19c 100644 +index 7f88f5f..4d704e8 100644 --- a/policy/modules/services/zabbix.te +++ b/policy/modules/services/zabbix.te -@@ -23,6 +23,10 @@ init_script_file(zabbix_agent_initrc_exec_t) +@@ -5,6 +5,13 @@ policy_module(zabbix, 1.3.1) + # Declarations + # + ++## ++##
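Review bot: `rpm_exec(setroubleshootd_t)` runs rpm inside the setroubleshootd_t domain with no domain transition, so whatever rpm touches during that run is charged to setroubleshootd_t, and the only justification on record is the changelog line "setroubleshoot needs to be able to execute rpm". The existing `rpm_read_db`, `rpm_signull` and `rpm_dontaudit_manage_db` lines below it suggest a read-only query is all that is intended, but that is not stated anywhere; add a comment above the new line, e.g. `# rpm is run in-domain (no transition); only read-only queries are expected`, adjusted to the actual invocation. If rpm is ever expected to modify the database from here, a domain transition rather than an in-domain exec would be the appropriate (and explicit) choice.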

++## Allow zabbix to connect to unreserved ports ++##

++##
++gen_tunable(zabbix_can_network, false) ++ + type zabbix_t; + type zabbix_exec_t; + init_daemon_domain(zabbix_t, zabbix_exec_t) +@@ -23,6 +30,10 @@ init_script_file(zabbix_agent_initrc_exec_t) type zabbix_log_t; logging_log_file(zabbix_log_t) @@ -66499,7 +66538,7 @@ index 7f88f5f..5f1e19c 100644 # shared memory type zabbix_tmpfs_t; files_tmpfs_file(zabbix_tmpfs_t) -@@ -36,19 +40,25 @@ files_pid_file(zabbix_var_run_t) +@@ -36,19 +47,25 @@ files_pid_file(zabbix_var_run_t) # zabbix local policy # @@ -66529,7 +66568,7 @@ index 7f88f5f..5f1e19c 100644 # shared memory rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file) -@@ -58,14 +68,25 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +@@ -58,25 +75,53 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) @@ -66557,7 +66596,13 @@ index 7f88f5f..5f1e19c 100644 zabbix_agent_tcp_connect(zabbix_t) -@@ -74,9 +95,21 @@ optional_policy(` ++tunable_policy(`zabbix_can_network',` ++ corenet_tcp_connect_all_unreserved_ports(zabbix_t) ++ corenet_tcp_connect_all_ephemeral_ports(zabbix_t) ++') ++ + optional_policy(` + mysql_stream_connect(zabbix_t) ') optional_policy(` @@ -66579,6 +66624,11 @@ index 7f88f5f..5f1e19c 100644 ######################################## # # zabbix agent local policy +@@ -134,3 +179,4 @@ sysnet_dns_name_resolve(zabbix_agent_t) + + # Network access to zabbix server + zabbix_tcp_connect(zabbix_agent_t) ++ diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc index 3defaa1..2ad2488 100644 --- a/policy/modules/services/zarafa.fc @@ -76905,7 +76955,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) 
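Review bot: The `<desc>` text added for `zabbix_can_network` says only "Allow zabbix to connect to unreserved ports", but the matching `tunable_policy` block in this file grants both `corenet_tcp_connect_all_unreserved_ports(zabbix_t)` and `corenet_tcp_connect_all_ephemeral_ports(zabbix_t)`. The boolean description is what an administrator reads before flipping it, so it should name the full grant: `## Allow zabbix to connect to unreserved and ephemeral ports`. The `@@ -134,3 +179,4 @@` hunk further down also appends a bare trailing blank line at the end of zabbix.te, which looks unintentional.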
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..c6d53ea 100644 +index 4b2878a..38698f3 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -78598,12 +78648,16 @@ index 4b2878a..c6d53ea 100644 ## Mmap user home files. ## ## -@@ -1700,12 +2199,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1698,14 +2197,35 @@ interface(`userdom_mmap_user_home_content_files',` + interface(`userdom_read_user_home_content_files',` + gen_require(` type user_home_dir_t, user_home_t; ++ attribute user_home_type; ') -+ list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t }) - read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ++ list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type }) ++ read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) files_search_home($1) ') @@ -78631,7 +78685,7 @@ index 4b2878a..c6d53ea 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2235,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2236,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -78649,7 +78703,7 @@ index 4b2878a..c6d53ea 100644 ') ######################################## -@@ -1779,6 +2301,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2302,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## 
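Review bot: `userdom_read_user_home_content_files` is silently widened: the rewritten body applies `list_dirs_pattern` and `read_files_pattern` to every type carrying the `user_home_type` attribute instead of `user_home_t` alone, so every existing caller of this interface now reads all user home content types registered through `userdom_user_home_content` (the apache.te hunks in this same commit register `httpd_user_content_t`, `httpd_user_htaccess_t` and the other httpd_user_* types that way), and the apache `httpd_read_user_content` tunable extends that to `httpd_t`, `httpd_suexec_t` and `httpd_user_script_t`. Neither the commit message nor the changelog mentions this change. Either keep the interface at its previous scope and put the broader grant behind a separately named interface, or update the interface's summary/description comment (which precedes this hunk) to say it covers all user home content types so callers can decide whether they want that.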
@@ -78710,7 +78764,7 @@ index 4b2878a..c6d53ea 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2386,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2387,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -78720,7 +78774,7 @@ index 4b2878a..c6d53ea 100644 ') ######################################## -@@ -1827,20 +2402,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2403,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -78745,7 +78799,7 @@ index 4b2878a..c6d53ea 100644 ######################################## ## -@@ -1941,6 +2510,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2511,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -78770,7 +78824,7 @@ index 4b2878a..c6d53ea 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2595,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2596,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -78779,7 +78833,7 @@ index 4b2878a..c6d53ea 100644 files_search_home($1) ') -@@ -2039,7 +2626,7 @@ interface(`userdom_user_home_content_filetrans',` +@@ -2039,7 +2627,7 @@ interface(`userdom_user_home_content_filetrans',` type user_home_dir_t, user_home_t; ') @@ -78788,7 +78842,7 @@ index 4b2878a..c6d53ea 100644 allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') -@@ -2182,7 +2769,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2770,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') 
@@ -78797,7 +78851,7 @@ index 4b2878a..c6d53ea 100644 ') ######################################## -@@ -2390,7 +2977,7 @@ interface(`userdom_user_tmp_filetrans',` +@@ -2390,7 +2978,7 @@ interface(`userdom_user_tmp_filetrans',` type user_tmp_t; ') @@ -78806,7 +78860,7 @@ index 4b2878a..c6d53ea 100644 files_search_tmp($1) ') -@@ -2419,6 +3006,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2419,6 +3007,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2) ') @@ -78832,7 +78886,7 @@ index 4b2878a..c6d53ea 100644 ######################################## ## ## Read user tmpfs files. -@@ -2435,13 +3041,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3042,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -78848,7 +78902,7 @@ index 4b2878a..c6d53ea 100644 ## ## ## -@@ -2462,7 +3069,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,7 +3070,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -78857,7 +78911,7 @@ index 4b2878a..c6d53ea 100644 ## ## ## -@@ -2470,14 +3077,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2470,14 +3078,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -78892,7 +78946,7 @@ index 4b2878a..c6d53ea 100644 ') ######################################## -@@ -2572,7 +3195,7 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3196,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -78901,7 +78955,7 @@ index 4b2878a..c6d53ea 100644 ## ## ## -@@ -2580,48 +3203,97 @@ interface(`userdom_use_user_ttys',` +@@ -2580,48 +3204,97 @@ interface(`userdom_use_user_ttys',` ## ## # 
@@ -79023,7 +79077,7 @@ index 4b2878a..c6d53ea 100644 ') ######################################## -@@ -2640,8 +3312,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2640,8 +3313,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -79053,7 +79107,7 @@ index 4b2878a..c6d53ea 100644 ') ######################################## -@@ -2713,6 +3404,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2713,6 +3405,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -79078,7 +79132,7 @@ index 4b2878a..c6d53ea 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2736,24 +3445,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2736,24 +3446,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -79103,7 +79157,7 @@ index 4b2878a..c6d53ea 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -2772,25 +3463,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3464,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -79129,7 +79183,7 @@ index 4b2878a..c6d53ea 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3524,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3525,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -79138,7 +79192,7 @@ index 4b2878a..c6d53ea 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3540,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3541,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -79172,7 +79226,7 @@ index 4b2878a..c6d53ea 100644 ') ######################################## -@@ -2972,7 +3628,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3629,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -79181,7 +79235,7 @@ index 4b2878a..c6d53ea 100644 ') ######################################## -@@ -3027,7 +3683,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3684,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -79228,7 +79282,7 @@ index 4b2878a..c6d53ea 100644 ') ######################################## -@@ -3045,7 +3739,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3045,7 +3740,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -79237,7 +79291,7 @@ index 4b2878a..c6d53ea 100644 ') ######################################## -@@ -3064,6 +3758,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3759,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -79245,7 +79299,7 @@ index 4b2878a..c6d53ea 100644 kernel_search_proc($1) ') -@@ -3142,6 +3837,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3838,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -79270,7 +79324,7 @@ index 4b2878a..c6d53ea 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3160,6 +3873,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3160,6 +3874,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -79295,7 +79349,7 @@ index 4b2878a..c6d53ea 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3925,1165 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3926,1165 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 4bb53d5..3265b0a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 73%{?dist} +Release: 74%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Jan 26 2012 Miroslav Grepl 3.10.0-74 +- Add httpd_can_connect_zabbix boolean +- apcupsd_t needs to use seriel ports connected to usb devices +- Allow deltacloudd dac_override, setuid, setgid caps +- Add zabbix_can_network boolean +- setroubleshoot needs to be able to execute rpm + * Fri Jan 20 2012 Miroslav Grepl 3.10.0-73 - Backport colord policy from F17