From 3b8b0330dbec32dc0bda958ee12b8e4730a9cf55 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Feb 27 2012 12:58:20 +0000 Subject: * Mon Feb 27 2012 Miroslav Grepl 3.10.0-77 - Dontaudit sandbox to shudown unconfined_execmem stream - Allow smtpd_t to manage spool files/directories and symbolic links - Allow ksysguardproces to send system log msgs - Allow automount to execute consoletype - Allow boinc setpgid and signull - Add mysqld_home_t for ~/.my.cnf - Add unit file support to mysqld - rhev-agent package was rename to ovirt-guest-agent - move postfix_domtrans_user_mail_handler() to mta.if - Fix virt_search_images() interface - Fix iscsi policy - Add booleans to allow rsync to share nfs and cifs file sytems - Add file name transition for locale.conf.new - Allow boinc projects to gconf config files - Allow xen to search virt images directories --- diff --git a/policy-F16.patch b/policy-F16.patch index 3c6e4aa..2b27688 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -4932,10 +4932,10 @@ index 0000000..a03aec4 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..9a914b6 +index 0000000..689a667 --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,187 @@ +@@ -0,0 +1,188 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -5034,6 +5034,7 @@ index 0000000..9a914b6 +optional_policy(` + execmem_exec(chrome_sandbox_t) + execmem_execmod(chrome_sandbox_t) ++ unconfined_dontaudit_execmem_stream_shutdown(chrome_sandbox_t) +') + +optional_policy(` @@ -7092,7 +7093,7 @@ index f5afe78..eeeebbb 100644 + type_transition $1 gkeyringd_exec_t:process $2; +') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 2505654..c365443 100644 +index 2505654..489ea21 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -5,12 +5,29 @@ policy_module(gnome, 2.1.0) 
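Review bot: The added `unconfined_dontaudit_execmem_stream_shutdown(chrome_sandbox_t)` in chrome.te sits inside the optional_policy block whose other two calls, `execmem_exec(chrome_sandbox_t)` and `execmem_execmod(chrome_sandbox_t)`, belong to the execmem module, so the block now depends on two modules. An optional block is dropped as a unit when any of its interfaces cannot be resolved, so on a build without the unconfineduser module the execmem grants would silently disappear along with the new dontaudit. Give the new call its own optional_policy block, matching the one-module-per-block convention used elsewhere in this file.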
@@ -7170,7 +7171,7 @@ index 2505654..c365443 100644 ############################## # # Local Policy -@@ -75,3 +113,168 @@ optional_policy(` +@@ -75,3 +113,170 @@ optional_policy(` xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') @@ -7247,6 +7248,8 @@ index 2505654..c365443 100644 + +fs_getattr_xattr_fs(gnomesystemmm_t) + ++logging_send_syslog_msg(gnomesystemmm_t) ++ +miscfiles_read_localization(gnomesystemmm_t) + +userdom_read_all_users_state(gnomesystemmm_t) @@ -16474,7 +16477,7 @@ index 6a1e4d1..3ded83e 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..cee9fe0 100644 +index fae1ab1..4796e9b 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) @@ -16570,7 +16573,7 @@ index fae1ab1..cee9fe0 100644 # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -158,5 +198,216 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -158,5 +198,220 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -16632,6 +16635,10 @@ index fae1ab1..cee9fe0 100644 +') + +optional_policy(` ++ mysqld_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` + networkmanager_filetrans_named_content(unconfined_domain_type) +') + @@ -21932,7 +21939,7 @@ index 2be17d2..e47e0f0 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..b4bff66 100644 +index e14b961..1058bf4 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,52 @@ ifndef(`enable_mls',` 
@@ -22118,17 +22125,19 @@ index e14b961..b4bff66 100644 ') optional_policy(` -@@ -225,25 +285,47 @@ optional_policy(` - ') +@@ -222,6 +282,11 @@ optional_policy(` optional_policy(` -+ ncftool_run(sysadm_t, sysadm_r) + mysql_stream_connect(sysadm_t) ++ mysqld_filetrans_named_content(sysadm_t) +') + +optional_policy(` - netutils_run(sysadm_t, sysadm_r) - netutils_run_ping(sysadm_t, sysadm_r) - netutils_run_traceroute(sysadm_t, sysadm_r) ++ ncftool_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +@@ -231,19 +296,37 @@ optional_policy(` ') optional_policy(` @@ -22166,7 +22175,7 @@ index e14b961..b4bff66 100644 portage_run(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) ') -@@ -253,31 +335,32 @@ optional_policy(` +@@ -253,31 +336,32 @@ optional_policy(` ') optional_policy(` @@ -22206,7 +22215,7 @@ index e14b961..b4bff66 100644 ') optional_policy(` -@@ -302,12 +385,18 @@ optional_policy(` +@@ -302,12 +386,18 @@ optional_policy(` ') optional_policy(` @@ -22226,7 +22235,7 @@ index e14b961..b4bff66 100644 ') optional_policy(` -@@ -332,7 +421,10 @@ optional_policy(` +@@ -332,7 +422,10 @@ optional_policy(` ') optional_policy(` @@ -22238,7 +22247,7 @@ index e14b961..b4bff66 100644 ') optional_policy(` -@@ -343,19 +435,15 @@ optional_policy(` +@@ -343,19 +436,15 @@ optional_policy(` ') optional_policy(` @@ -22260,7 +22269,7 @@ index e14b961..b4bff66 100644 ') optional_policy(` -@@ -367,45 +455,45 @@ optional_policy(` +@@ -367,45 +456,45 @@ optional_policy(` ') optional_policy(` @@ -22317,7 +22326,7 @@ index e14b961..b4bff66 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -418,10 +506,6 @@ ifndef(`distro_redhat',` +@@ -418,10 +507,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -22328,7 +22337,7 @@ index e14b961..b4bff66 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -439,6 +523,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +524,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) 
@@ -22336,7 +22345,7 @@ index e14b961..b4bff66 100644 ') optional_policy(` -@@ -446,11 +531,66 @@ ifndef(`distro_redhat',` +@@ -446,11 +532,66 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -22422,10 +22431,10 @@ index 0000000..0e8654b +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if new file mode 100644 -index 0000000..8b2cdf3 +index 0000000..5832252 --- /dev/null +++ b/policy/modules/roles/unconfineduser.if -@@ -0,0 +1,687 @@ +@@ -0,0 +1,705 @@ +## Unconfiend user role + +######################################## @@ -22682,6 +22691,24 @@ index 0000000..8b2cdf3 + allow $1 unconfined_execmem_t:process signal; +') + ++####################################### ++## ++## Send a signal to the unconfined execmem domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_dontaudit_execmem_stream_shutdown',` ++ gen_require(` ++ type unconfined_execmem_t; ++ ') ++ ++ dontaudit $1 unconfined_execmem_t:unix_stream_socket shutdown; ++') ++ +######################################## +## +## Send generic signals to the unconfined domain. @@ -27321,7 +27348,7 @@ index d80a16b..68b85e2 100644 init_labeled_script_domtrans($1, automount_initrc_exec_t) diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te -index 39799db..9390ef1 100644 +index 39799db..68c3900 100644 --- a/policy/modules/services/automount.te +++ b/policy/modules/services/automount.te @@ -64,6 +64,7 @@ kernel_read_network_state(automount_t) 
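Review bot: The summary of the new `unconfined_dontaudit_execmem_stream_shutdown` interface in unconfineduser.if reads `Send a signal to the unconfined execmem domain.`, copied from the interface above it, but the body is `dontaudit $1 unconfined_execmem_t:unix_stream_socket shutdown;`, which grants nothing. Replace it with `Do not audit attempts to shut down unix stream sockets of the unconfined execmem domain.` so the generated documentation shows this as a dontaudit rather than a permission. The separator line above the block is also one `#` shorter than the other headers in the file.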
@@ -27342,10 +27369,14 @@ index 39799db..9390ef1 100644 userdom_dontaudit_use_unpriv_user_fds(automount_t) userdom_dontaudit_search_user_home_dirs(automount_t) -@@ -155,6 +153,13 @@ optional_policy(` +@@ -155,6 +153,17 @@ optional_policy(` ') optional_policy(` ++ consoletype_exec(automount_t) ++') ++ ++optional_policy(` + # Run mount in the mount_t domain. + mount_domtrans(automount_t) + mount_domtrans_showmount(automount_t) @@ -28092,7 +28123,7 @@ index 0000000..fa9b95a +') diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te new file mode 100644 -index 0000000..8b244be +index 0000000..41698a6 --- /dev/null +++ b/policy/modules/services/boinc.te @@ -0,0 +1,175 @@ @@ -28171,7 +28202,7 @@ index 0000000..8b244be +# + +allow boinc_t self:capability { kill }; -+allow boinc_t self:process { setsched sigkill }; ++allow boinc_t self:process { setsched setpgid signull sigkill }; + +allow boinc_t self:unix_stream_socket create_stream_socket_perms; +allow boinc_t self:tcp_socket create_stream_socket_perms; @@ -46043,8 +46074,27 @@ index f17583b..171ebec 100644 +fs_getattr_all_fs(munin_plugin_domain) + +miscfiles_read_localization(munin_plugin_domain) +diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc +index cc7192c..eeb72ba 100644 +--- a/policy/modules/services/mysql.fc ++++ b/policy/modules/services/mysql.fc +@@ -1,6 +1,14 @@ + # mysql database server + + # ++# /HOME ++# ++HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0) ++/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0) ++ ++/lib/systemd/system/mysqld\.service -- gen_context(system_u:object_r:mysqld_unit_file_t,s0) ++ ++# + # /etc + # + /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if -index e9c0982..14af30a 100644 +index e9c0982..ffbf2d0 100644 --- a/policy/modules/services/mysql.if +++ b/policy/modules/services/mysql.if 
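Review bot: The new mysql.fc entry `/lib/systemd/system/mysqld\.service -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)` labels only the /lib path, while the rhev.fc change in this same commit labels its unit under both /lib/systemd/system and /usr/lib/systemd/system. If the unit can be installed under either prefix, add the matching `/usr/lib/systemd/system/mysqld\.service -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)` line; otherwise the two files should agree on which location is labeled so one of them is not silently dead.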
@@ -18,6 +18,24 @@ interface(`mysql_domtrans',` @@ -46145,7 +46195,56 @@ index e9c0982..14af30a 100644 ##################################### ## ## Read MySQL PID files. -@@ -329,10 +384,9 @@ interface(`mysql_search_pid_files',` +@@ -313,6 +368,48 @@ interface(`mysql_search_pid_files',` + + ######################################## + ## ++## Execute mysqld server in the mysqld domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mysqld_systemctl',` ++ gen_require(` ++ type mysqld_unit_file_t; ++ type mysqld_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 mysqld_unit_file_t:file read_file_perms; ++ allow $1 mysqld_unit_file_t:service all_service_perms; ++ ++ ps_process_pattern($1, mysqld_t) ++') ++ ++######################################## ++## ++## Transition to mysqld named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mysqld_filetrans_named_content',` ++ gen_require(` ++ type mysqld_home_t; ++ ') ++ ++ userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf") ++ userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf") ++') ++ ++######################################## ++## + ## All of the rules required to administrate an mysql environment + ## + ## +@@ -329,10 +426,10 @@ interface(`mysql_search_pid_files',` # interface(`mysql_admin',` gen_require(` @@ -46156,10 +46255,11 @@ index e9c0982..14af30a 100644 + type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t; + type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; + type mysqld_etc_t; ++ type mysqld_home_t; ') allow $1 mysqld_t:process { ptrace signal_perms }; -@@ -343,13 +397,19 @@ interface(`mysql_admin',` +@@ -343,13 +440,25 @@ interface(`mysql_admin',` role_transition $2 mysqld_initrc_exec_t system_r; allow $2 system_r; 
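Review bot: The summary and parameter text of the new `mysqld_systemctl` interface in mysql.if, `Execute mysqld server in the mysqld domain.` and `Domain allowed to transition.`, do not describe its rules: there is no domain transition, the body grants `systemd_exec_systemctl($1)`, read access to `mysqld_unit_file_t`, `all_service_perms` on the unit and `ps_process_pattern($1, mysqld_t)`. Reword to `Execute systemctl to manage the mysqld service unit.` and `Domain allowed access.` so an admin reading the interface docs knows this is full service control, not a transition. Separately, the two new interfaces use a `mysqld_` prefix while every other interface in the file uses `mysql_` (`mysql_admin`, `mysql_stream_connect`), which makes them harder to find; if renamed to `mysql_systemctl` and `mysql_filetrans_named_content`, the callers added in domain.te, sysadm.te and userdomain.if need the same change.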
@@ -46177,10 +46277,16 @@ index e9c0982..14af30a 100644 + files_list_tmp($1) admin_pattern($1, mysqld_tmp_t) + ++ userdom_search_user_home_dirs($1) ++ files_list_root($1) ++ admin_pattern($1, mysqld_home_t) ++ ++ mysqld_systemctl($1) ++ + mysql_stream_connect($1) ') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te -index 0a0d63c..d86e78b 100644 +index 0a0d63c..c51cbf6 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0) @@ -46196,7 +46302,20 @@ index 0a0d63c..d86e78b 100644 ## gen_tunable(mysql_connect_any, false) -@@ -64,11 +64,12 @@ allow mysqld_t self:udp_socket create_socket_perms; +@@ -29,6 +29,12 @@ files_type(mysqld_db_t) + type mysqld_etc_t alias etc_mysqld_t; + files_config_file(mysqld_etc_t) + ++type mysqld_home_t; ++userdom_user_home_content(mysqld_home_t) ++ ++type mysqld_unit_file_t; ++systemd_unit_file(mysqld_unit_file_t) ++ + type mysqld_initrc_exec_t; + init_script_file(mysqld_initrc_exec_t) + +@@ -64,11 +70,12 @@ allow mysqld_t self:udp_socket create_socket_perms; manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) @@ -46210,7 +46329,7 @@ index 0a0d63c..d86e78b 100644 allow mysqld_t mysqld_etc_t:dir list_dir_perms; allow mysqld_t mysqld_log_t:file manage_file_perms; -@@ -78,13 +79,17 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) +@@ -78,13 +85,20 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) 
@@ -46219,6 +46338,9 @@ index 0a0d63c..d86e78b 100644 manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) -files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file }) +files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) ++ ++userdom_dontaudit_use_unpriv_user_fds(mysqld_t) ++read_files_pattern(mysqld_t, mysqld_home_t, mysqld_home_t) kernel_read_system_state(mysqld_t) kernel_read_kernel_sysctls(mysqld_t) @@ -46229,9 +46351,14 @@ index 0a0d63c..d86e78b 100644 corenet_all_recvfrom_unlabeled(mysqld_t) corenet_all_recvfrom_netlabel(mysqld_t) corenet_tcp_sendrecv_generic_if(mysqld_t) -@@ -127,8 +132,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t) - userdom_read_user_home_content_files(mysqld_t) +@@ -122,13 +136,8 @@ miscfiles_read_localization(mysqld_t) + sysnet_read_config(mysqld_t) + +-userdom_dontaudit_use_unpriv_user_fds(mysqld_t) +-# for /root/.my.cnf - should not be needed: +-userdom_read_user_home_content_files(mysqld_t) +- ifdef(`distro_redhat',` - # because Fedora has the sock_file in the database directory - type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t; @@ -46239,7 +46366,7 @@ index 0a0d63c..d86e78b 100644 ') tunable_policy(`mysql_connect_any',` -@@ -155,9 +159,11 @@ optional_policy(` +@@ -155,9 +164,11 @@ optional_policy(` allow mysqld_safe_t self:capability { chown dac_override fowner kill }; dontaudit mysqld_safe_t self:capability sys_ptrace; @@ -46251,7 +46378,7 @@ index 0a0d63c..d86e78b 100644 domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) -@@ -170,26 +176,33 @@ kernel_read_system_state(mysqld_safe_t) +@@ -170,26 +181,33 @@ kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) @@ -51202,7 +51329,7 @@ index 46bee12..76b68b5 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') 
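Review bot: The added `read_files_pattern(mysqld_t, mysqld_home_t, mysqld_home_t)` gives mysqld_t read access to the `.my.cnf` file itself, but with `userdom_read_user_home_content_files(mysqld_t)` removed in the following hunk I do not see a rule letting the daemon search the home directory that contains it. If mysqld really reads `/root/.my.cnf` or a user's `~/.my.cnf`, a search grant such as `userdom_search_user_home_dirs(mysqld_t)` (the form `mysql_admin` already uses for the admin domain in this commit) is probably needed next to the read pattern; if only mysqld_safe reads the config, the read pattern may be unnecessary. Worth confirming against the AVC denials that motivated the change before the broader rule is dropped.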
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index a32c4b3..f639ebb 100644 +index a32c4b3..90db1ee 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) @@ -51565,7 +51692,17 @@ index a32c4b3..f639ebb 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -588,10 +672,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -581,17 +665,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, + corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) + + # for prng_exch +-allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; ++manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) ++manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) ++manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) + allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; + + corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -51582,7 +51719,7 @@ index a32c4b3..f639ebb 100644 ') optional_policy(` -@@ -599,6 +689,11 @@ optional_policy(` +@@ -599,6 +691,11 @@ optional_policy(` ') optional_policy(` @@ -51594,7 +51731,7 @@ index a32c4b3..f639ebb 100644 postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,7 +706,6 @@ optional_policy(` +@@ -611,7 +708,6 @@ optional_policy(` # Postfix virtual local policy # @@ -51602,7 +51739,7 @@ index a32c4b3..f639ebb 100644 allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +724,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +726,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -55284,11 +55421,15 @@ index 93c896a..8c29c39 100644 +') 
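Review bot: In postfix.te the `# for prng_exch` comment now heads `manage_dirs_pattern`, `manage_files_pattern` and `manage_lnk_files_pattern` over all of `postfix_spool_t`, but prng_exch is labeled `postfix_prng_t` and is covered by the `rw_file_perms` rule on the following line, so the comment no longer explains the rules under it. postfix_smtpd_t is the network-facing listener, and moving it from read/write on existing spool files to create, delete and symlink rights over the whole spool is a real widening that should be recorded where the rule lives. Keep `# for prng_exch` directly above the `postfix_prng_t` line and give the three manage rules their own comment naming what smtpd creates in the spool, with a placeholder for the bug or AVC reference if it is not yet known.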
diff --git a/policy/modules/services/rhev.fc b/policy/modules/services/rhev.fc new file mode 100644 -index 0000000..9a8524d +index 0000000..3599f59 --- /dev/null +++ b/policy/modules/services/rhev.fc -@@ -0,0 +1,5 @@ +@@ -0,0 +1,9 @@ +/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) ++/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) ++ ++/lib/systemd/system/ovirt-guest-agent\.service -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0) ++/usr/lib/systemd/system/ovirt-guest-agent\.serviceservice -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0) + +/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0) + @@ -55377,10 +55518,10 @@ index 0000000..bf11e25 +') diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te new file mode 100644 -index 0000000..5fdaf06 +index 0000000..1986422 --- /dev/null +++ b/policy/modules/services/rhev.te -@@ -0,0 +1,108 @@ +@@ -0,0 +1,111 @@ +policy_module(rhev,1.0) + +######################################## @@ -55392,6 +55533,9 @@ index 0000000..5fdaf06 +type rhev_agentd_exec_t; +init_daemon_domain(rhev_agentd_t, rhev_agentd_exec_t) + ++type rhev_agentd_unit_file_t; ++systemd_unit_file(rhev_agentd_unit_file_t) ++ +type rhev_agentd_var_run_t; +files_pid_file(rhev_agentd_var_run_t) + @@ -77519,7 +77663,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..9e90eb9 100644 +index 4b2878a..050c81a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
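Review bot: The new rhev.fc line `/usr/lib/systemd/system/ovirt-guest-agent\.serviceservice -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)` has `serviceservice` in the path, so a unit installed under /usr/lib/systemd/system would never receive `rhev_agentd_unit_file_t`; it should read `/usr/lib/systemd/system/ovirt-guest-agent\.service`. The entry `/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)` also looks like a directory path given a regular-file (`--`) entry, which would not match the directory itself; if the intent is to label the agent program inside it, a pattern over the files in that directory (for example `/usr/share/ovirt-guest-agent/.*\.py --`, mirroring the existing rhev-agentd\.py line) is probably what is wanted.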
@@ -78385,7 +78529,7 @@ index 4b2878a..9e90eb9 100644 userdom_change_password_template($1) -@@ -736,72 +912,76 @@ template(`userdom_login_user_template', ` +@@ -736,72 +912,80 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -78455,20 +78599,24 @@ index 4b2878a..9e90eb9 100644 + miscfiles_exec_tetex_data($1_usertype) + + seutil_read_config($1_usertype) - -- seutil_read_config($1_t) ++ + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) + cups_stream_connect_ptal($1_usertype) + ') +- seutil_read_config($1_t) ++ optional_policy(` ++ kerberos_use($1_usertype) ++ kerberos_filetrans_home_content($1_usertype) ++ ') + optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) -+ kerberos_use($1_usertype) -+ kerberos_filetrans_home_content($1_usertype) ++ mysqld_filetrans_named_content($1_usertype) ') optional_policy(` @@ -78495,7 +78643,7 @@ index 4b2878a..9e90eb9 100644 ') ') -@@ -833,6 +1013,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +1017,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -78505,7 +78653,7 @@ index 4b2878a..9e90eb9 100644 ############################## # # Local policy -@@ -874,45 +1057,118 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1061,118 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -78635,7 +78783,7 @@ index 4b2878a..9e90eb9 100644 ') ') -@@ -947,7 +1203,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1207,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. 
@@ -78644,7 +78792,7 @@ index 4b2878a..9e90eb9 100644 userdom_common_user_template($1) ############################## -@@ -956,12 +1212,15 @@ template(`userdom_unpriv_user_template', ` +@@ -956,12 +1216,15 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -78662,7 +78810,7 @@ index 4b2878a..9e90eb9 100644 files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` -@@ -978,23 +1237,72 @@ template(`userdom_unpriv_user_template', ` +@@ -978,23 +1241,72 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -78713,15 +78861,15 @@ index 4b2878a..9e90eb9 100644 + + optional_policy(` + gpm_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ execmem_role_template($1, $1_r, $1_t) ') optional_policy(` - netutils_run_ping_cond($1_t, $1_r) - netutils_run_traceroute_cond($1_t, $1_r) ++ execmem_role_template($1, $1_r, $1_t) ++ ') ++ ++ optional_policy(` + java_role_template($1, $1_r, $1_t) + ') + @@ -78744,7 +78892,7 @@ index 4b2878a..9e90eb9 100644 ') # Run pppd in pppd_t by default for user -@@ -1003,7 +1311,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1003,7 +1315,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -78755,7 +78903,7 @@ index 4b2878a..9e90eb9 100644 ') ') -@@ -1039,7 +1349,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1353,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -78764,7 +78912,7 @@ index 4b2878a..9e90eb9 100644 ') ############################## -@@ -1066,6 +1376,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1380,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; 
@@ -78772,7 +78920,7 @@ index 4b2878a..9e90eb9 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1385,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1389,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -78782,7 +78930,7 @@ index 4b2878a..9e90eb9 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1402,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1406,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -78790,7 +78938,7 @@ index 4b2878a..9e90eb9 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1420,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1424,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -78804,7 +78952,7 @@ index 4b2878a..9e90eb9 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,29 +1437,38 @@ template(`userdom_admin_user_template',` +@@ -1119,29 +1441,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -78847,7 +78995,7 @@ index 4b2878a..9e90eb9 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1151,6 +1478,8 @@ template(`userdom_admin_user_template',` +@@ -1151,6 +1482,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) 
@@ -78856,7 +79004,7 @@ index 4b2878a..9e90eb9 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1210,6 +1539,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1543,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -78865,7 +79013,7 @@ index 4b2878a..9e90eb9 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,8 +1553,9 @@ template(`userdom_security_admin_template',` +@@ -1222,8 +1557,9 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -78876,7 +79024,7 @@ index 4b2878a..9e90eb9 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1234,13 +1566,24 @@ template(`userdom_security_admin_template',` +@@ -1234,13 +1570,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -78905,7 +79053,7 @@ index 4b2878a..9e90eb9 100644 ') optional_policy(` -@@ -1251,12 +1594,12 @@ template(`userdom_security_admin_template',` +@@ -1251,12 +1598,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') @@ -78921,7 +79069,7 @@ index 4b2878a..9e90eb9 100644 ') optional_policy(` -@@ -1279,54 +1622,103 @@ template(`userdom_security_admin_template',` +@@ -1279,50 +1626,99 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -78990,15 +79138,15 @@ index 4b2878a..9e90eb9 100644 ') - allow $1 user_devpts_t:chr_file setattr_chr_file_perms; +-') + typeattribute $1 user_tmpfs_type; + + files_tmpfs_file($1) + ubac_constrained($1) - ') - - ######################################## - ## --## Create a user pty. ++') ++ ++######################################## ++## +## Allow domain to attach to TUN devices created by administrative users. +## +## 
@@ -79033,14 +79181,10 @@ index 4b2878a..9e90eb9 100644 + + allow $1 user_devpts_t:chr_file setattr_chr_file_perms; +') -+ -+######################################## -+## -+## Create a user pty. - ## - ## - ## -@@ -1395,6 +1787,7 @@ interface(`userdom_search_user_home_dirs',` + + ######################################## + ## +@@ -1395,6 +1791,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -79048,7 +79192,7 @@ index 4b2878a..9e90eb9 100644 files_search_home($1) ') -@@ -1441,6 +1834,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1838,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -79063,7 +79207,7 @@ index 4b2878a..9e90eb9 100644 ') ######################################## -@@ -1456,9 +1857,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1861,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -79075,7 +79219,7 @@ index 4b2878a..9e90eb9 100644 ') ######################################## -@@ -1515,6 +1918,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1922,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -79118,7 +79262,7 @@ index 4b2878a..9e90eb9 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +2028,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +2032,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; 
@@ -79127,7 +79271,7 @@ index 4b2878a..9e90eb9 100644 ') ######################################## -@@ -1603,10 +2044,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2048,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -79142,7 +79286,7 @@ index 4b2878a..9e90eb9 100644 ') ######################################## -@@ -1649,6 +2092,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2096,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -79186,7 +79330,7 @@ index 4b2878a..9e90eb9 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1668,6 +2148,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1668,6 +2152,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -79212,7 +79356,7 @@ index 4b2878a..9e90eb9 100644 ## Mmap user home files. ## ## -@@ -1698,14 +2197,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1698,14 +2201,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -79250,7 +79394,7 @@ index 4b2878a..9e90eb9 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2237,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2241,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -79268,7 +79412,7 @@ index 4b2878a..9e90eb9 100644 ') ######################################## -@@ -1779,6 +2303,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2307,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## 
@@ -79329,7 +79473,7 @@ index 4b2878a..9e90eb9 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2388,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2392,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -79339,7 +79483,7 @@ index 4b2878a..9e90eb9 100644 ') ######################################## -@@ -1827,20 +2404,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,21 +2408,15 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -79353,18 +79497,19 @@ index 4b2878a..9e90eb9 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') --') +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) +- ') +-') +- ######################################## ## -@@ -1941,6 +2512,24 @@ interface(`userdom_delete_user_home_content_symlinks',` + ## Do not audit attempts to execute user home files. +@@ -1941,6 +2516,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -79389,7 +79534,7 @@ index 4b2878a..9e90eb9 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2597,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2601,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -79398,7 +79543,7 @@ index 4b2878a..9e90eb9 100644 files_search_home($1) ') -@@ -2039,7 +2628,7 @@ interface(`userdom_user_home_content_filetrans',` +@@ -2039,7 +2632,7 @@ interface(`userdom_user_home_content_filetrans',` type user_home_dir_t, user_home_t; ') 
@@ -79407,7 +79552,7 @@ index 4b2878a..9e90eb9 100644 allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') -@@ -2158,11 +2747,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2158,11 +2751,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -79422,7 +79567,7 @@ index 4b2878a..9e90eb9 100644 files_search_tmp($1) ') -@@ -2182,7 +2771,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2775,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -79431,7 +79576,7 @@ index 4b2878a..9e90eb9 100644 ') ######################################## -@@ -2390,7 +2979,7 @@ interface(`userdom_user_tmp_filetrans',` +@@ -2390,7 +2983,7 @@ interface(`userdom_user_tmp_filetrans',` type user_tmp_t; ') @@ -79440,7 +79585,7 @@ index 4b2878a..9e90eb9 100644 files_search_tmp($1) ') -@@ -2419,6 +3008,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2419,6 +3012,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2) ') @@ -79466,7 +79611,7 @@ index 4b2878a..9e90eb9 100644 ######################################## ## ## Read user tmpfs files. -@@ -2435,13 +3043,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3047,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -79482,7 +79627,7 @@ index 4b2878a..9e90eb9 100644 ## ## ## -@@ -2462,7 +3071,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,7 +3075,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -79491,7 +79636,7 @@ index 4b2878a..9e90eb9 100644 ## ## ## -@@ -2470,14 +3079,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2470,14 +3083,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # 
@@ -79526,7 +79671,7 @@ index 4b2878a..9e90eb9 100644 ') ######################################## -@@ -2572,7 +3197,7 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3201,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -79535,7 +79680,7 @@ index 4b2878a..9e90eb9 100644 ## ## ## -@@ -2580,48 +3205,97 @@ interface(`userdom_use_user_ttys',` +@@ -2580,33 +3209,63 @@ interface(`userdom_use_user_ttys',` ## ## # @@ -79570,23 +79715,18 @@ index 4b2878a..9e90eb9 100644 -## not be allowed for non-interactive domains. -##

-## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`userdom_use_user_terminals',` ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_use_user_ptys',` - gen_require(` -- type user_tty_device_t, user_devpts_t; ++ gen_require(` + type user_devpts_t; - ') - -- allow $1 user_tty_device_t:chr_file rw_term_perms; - allow $1 user_devpts_t:chr_file rw_term_perms; -- term_list_ptys($1) ++ ') ++ ++ allow $1 user_devpts_t:chr_file rw_term_perms; +') + +######################################## @@ -79620,18 +79760,22 @@ index 4b2878a..9e90eb9 100644 +## access. +##

+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# + ## + ## + ## Domain allowed access. +@@ -2614,14 +3273,33 @@ interface(`userdom_use_user_ptys',` + ## + ## + # +-interface(`userdom_use_user_terminals',` +interface(`userdom_use_inherited_user_terminals',` -+ gen_require(` -+ type user_tty_device_t, user_devpts_t; -+ ') -+ + gen_require(` + type user_tty_device_t, user_devpts_t; + ') + +- allow $1 user_tty_device_t:chr_file rw_term_perms; +- allow $1 user_devpts_t:chr_file rw_term_perms; +- term_list_ptys($1) + allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; + allow $1 user_devpts_t:chr_file rw_inherited_term_perms; +') @@ -79657,7 +79801,7 @@ index 4b2878a..9e90eb9 100644 ') ######################################## -@@ -2640,8 +3314,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2640,8 +3318,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -79687,7 +79831,7 @@ index 4b2878a..9e90eb9 100644 ') ######################################## -@@ -2713,6 +3406,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2713,6 +3410,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -79712,7 +79856,7 @@ index 4b2878a..9e90eb9 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2736,24 +3447,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2736,24 +3451,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -79737,7 +79881,7 @@ index 4b2878a..9e90eb9 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -2772,25 +3465,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3469,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') 
@@ -79763,7 +79907,7 @@ index 4b2878a..9e90eb9 100644 ######################################## ## ## Manage unpriviledged user SysV shared
-@@ -2852,7 +3526,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3530,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use;
@@ -79772,7 +79916,7 @@ index 4b2878a..9e90eb9 100644 allow unpriv_userdomain $1:process sigchld; ')
-@@ -2868,29 +3542,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3546,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(`
@@ -79806,7 +79950,7 @@ index 4b2878a..9e90eb9 100644 ') ########################################
-@@ -2972,7 +3630,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3634,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ')
@@ -79815,7 +79959,7 @@ index 4b2878a..9e90eb9 100644 ') ########################################
-@@ -3027,7 +3685,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3689,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ')
@@ -79862,7 +80006,7 @@ index 4b2878a..9e90eb9 100644 ') ########################################
-@@ -3045,7 +3741,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3745,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ')
@@ -79871,7 +80015,7 @@ index 4b2878a..9e90eb9 100644 ') ########################################
-@@ -3064,6 +3760,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3764,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain)
@@ -79879,7 +80023,7 @@ index 4b2878a..9e90eb9 100644 kernel_search_proc($1) ')
-@@ -3142,6 +3839,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3843,24 @@ interface(`userdom_signal_all_users',` ######################################## ##
@@ -79904,7 +80048,7 @@ index 4b2878a..9e90eb9 100644 ## Send a SIGCHLD signal to all user domains. ## ##
-@@ -3160,6 +3875,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3879,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ##
@@ -79929,7 +80073,7 @@ index 4b2878a..9e90eb9 100644 ## Create keys for all user domains. ## ##
-@@ -3194,3 +3927,1165 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3931,1165 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 845926b..09ab505 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 76%{?dist}
+Release: 77%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,23 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Feb 27 2012 Miroslav Grepl 3.10.0-77
+- Dontaudit sandbox to shudown unconfined_execmem stream
+- Allow smtpd_t to manage spool files/directories and symbolic links
+- Allow ksysguardproces to send system log msgs
+- Allow automount to execute consoletype
+- Allow boinc setpgid and signull
+- Add mysqld_home_t for ~/.my.cnf
+- Add unit file support to mysqld
+- rhev-agent package was rename to ovirt-guest-agent
+- move postfix_domtrans_user_mail_handler() to mta.if
+- Fix virt_search_images() interface
+- Fix iscsi policy
+- Add booleans to allow rsync to share nfs and cifs file sytems
+- Add file name transition for locale.conf.new
+- Allow boinc projects to gconf config files
+- Allow xen to search virt images directories
+
 * Mon Feb 20 2012 Miroslav Grepl 3.10.0-76
 - Allow denyhosts to read "unix"
 - Add file name transition for locale.conf.new