From 5daa339d03d5e11223eb660a432e3cb64424ad0d Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Jan 10 2014 10:09:50 +0000
Subject: * Fri Jan 10 2014 Lukas Vrabec 3.12.1-74.17
- Allow polipo to connect to http_cache_ports
- Add new access for mythtv
- Allow tor to bind to hplip port
- Allow shorewall_t to send itself signals
- Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabbix to connect to smtp port
- Fix filetrans in zabbix policy
- Allow httpd to read ldap certs
- Allow passwd to create gnome-keyring passwd socket
- Allow systemd_tmpfiles_t to delete all directories
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 342b464..da6bf89 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -2575,7 +2575,7 @@ index 99e3903..7270808 100644
########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index d555767..3053e39 100644
+index d555767..dd089fa 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
@@ -2857,7 +2857,7 @@ index d555767..3053e39 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -349,9 +389,17 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -349,9 +389,18 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -2867,6 +2867,7 @@ index d555767..3053e39 100644
- nscd_run(passwd_t, passwd_roles)
+ gnome_exec_keyringd(passwd_t)
+ gnome_manage_cache_home_dir(passwd_t)
++ gnome_manage_generic_cache_sockets(passwd_t)
+ gnome_stream_connect_gkeyringd(passwd_t)
+')
+
@@ -2876,7 +2877,7 @@ index d555767..3053e39 100644
')
########################################
-@@ -398,9 +446,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -398,9 +447,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -2889,7 +2890,7 @@ index d555767..3053e39 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -413,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -413,7 +463,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@@ -2897,7 +2898,7 @@ index d555767..3053e39 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
-@@ -423,19 +471,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -423,19 +472,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)
@@ -2919,7 +2920,7 @@ index d555767..3053e39 100644
')
########################################
-@@ -443,7 +489,8 @@ optional_policy(`
+@@ -443,7 +490,8 @@ optional_policy(`
# Useradd local policy
#
@@ -2929,7 +2930,7 @@ index d555767..3053e39 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -458,6 +505,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -458,6 +506,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@@ -2940,7 +2941,7 @@ index d555767..3053e39 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
-@@ -465,36 +516,36 @@ corecmd_exec_shell(useradd_t)
+@@ -465,36 +517,36 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -2989,7 +2990,7 @@ index d555767..3053e39 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -505,33 +556,36 @@ init_rw_utmp(useradd_t)
+@@ -505,33 +557,36 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@@ -3040,7 +3041,7 @@ index d555767..3053e39 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
-@@ -542,7 +596,12 @@ optional_policy(`
+@@ -542,7 +597,12 @@ optional_policy(`
')
optional_policy(`
@@ -3054,7 +3055,7 @@ index d555767..3053e39 100644
')
optional_policy(`
-@@ -550,6 +609,11 @@ optional_policy(`
+@@ -550,6 +610,11 @@ optional_policy(`
')
optional_policy(`
@@ -3066,7 +3067,7 @@ index d555767..3053e39 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -559,3 +623,12 @@ optional_policy(`
+@@ -559,3 +624,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -9402,7 +9403,7 @@ index c2c6e05..be423a7 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..3e91f7d 100644
+index 64ff4d7..48e851f 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -11932,7 +11933,7 @@ index 64ff4d7..3e91f7d 100644
')
allow $1 var_t:dir search_dir_perms;
-@@ -6562,3 +7839,491 @@ interface(`files_unconfined',`
+@@ -6562,3 +7839,509 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -12243,6 +12244,24 @@ index 64ff4d7..3e91f7d 100644
+
+########################################
+##
++## Allow domain to delete to all dirs
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_delete_all_non_security_dirs',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
++')
++
++########################################
++##
+## Transition named content in the var_run_t directory
+##
+##
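Review bot: The parameter description of the new `files_delete_all_non_security_dirs` interface, the `Domain to not audit.` line, is wrong for an interface that emits an `allow` rule; it should read `Domain allowed access.`, and the summary `Allow domain to delete to all dirs` should state what is actually granted, e.g. `Allow domain to delete all non-security directories.` The accuracy matters here because the rule grants `rmdir` plus entry removal on every `non_security_file_type` directory, which is about the widest scope a caller can ask for, so each caller should be judged against a summary that says so. The files.if file section continues outside this hunk.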
@@ -37231,10 +37250,10 @@ index 0000000..ba2e887
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..c617553
+index 0000000..4015e6a
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,664 @@
+@@ -0,0 +1,665 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -37550,6 +37569,7 @@ index 0000000..c617553
+files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
+files_delete_boot_flag(systemd_tmpfiles_t)
++files_delete_all_non_security_dirs(systemd_tmpfiles_t)
+files_delete_all_non_security_files(systemd_tmpfiles_t)
+files_delete_all_pid_sockets(systemd_tmpfiles_t)
+files_delete_all_pid_pipes(systemd_tmpfiles_t)
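Review bot: `files_delete_all_non_security_dirs(systemd_tmpfiles_t)` grants rmdir over every non-security directory on the system with no comment on which tmpfiles.d behaviour needs it, whereas the neighbouring file-level grant was already established. I would put a why-comment above the new line, e.g. `# presumably age-based cleanup of directory trees under tmpfiles.d — confirm`, so the next reviewer can judge whether a narrower type would serve. The systemd_tmpfiles_t rule block continues outside this hunk.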
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 55302d1..9fdd91f 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -4678,7 +4678,7 @@ index 83e899c..fac6fe5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..25fbcc6 100644
+index 1a82e29..4457dc9 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -5868,7 +5868,7 @@ index 1a82e29..25fbcc6 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +918,46 @@ optional_policy(`
+@@ -781,34 +918,47 @@ optional_policy(`
')
optional_policy(`
@@ -5901,6 +5901,7 @@ index 1a82e29..25fbcc6 100644
- tunable_policy(`httpd_can_network_connect_ldap',`
- ldap_tcp_connect(httpd_t)
- ')
++ ldap_read_certs(httpd_t)
')
optional_policy(`
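Review bot: `ldap_read_certs(httpd_t)` is added unconditionally inside an optional_policy block whose opening line is outside this hunk, while the surrounding context shows the earlier LDAP access for httpd_t had been kept behind the `httpd_can_network_connect_ldap` tunable. If the LDAP cert type also labels the directory server's private key material, as NSS-style cert databases often do, this lets every httpd_t instance read it, so either gate it on the same tunable or add a comment naming the use case, e.g. `# presumably for LDAP auth modules that need the CA/client certs — confirm`.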
@@ -5926,7 +5927,7 @@ index 1a82e29..25fbcc6 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +965,18 @@ optional_policy(`
+@@ -816,8 +966,18 @@ optional_policy(`
')
optional_policy(`
@@ -5945,7 +5946,7 @@ index 1a82e29..25fbcc6 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +985,7 @@ optional_policy(`
+@@ -826,6 +986,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5953,7 +5954,7 @@ index 1a82e29..25fbcc6 100644
')
optional_policy(`
-@@ -836,20 +996,39 @@ optional_policy(`
+@@ -836,20 +997,39 @@ optional_policy(`
')
optional_policy(`
@@ -5979,7 +5980,7 @@ index 1a82e29..25fbcc6 100644
+ pki_manage_apache_lib(httpd_t)
+ pki_manage_apache_log_files(httpd_t)
+ pki_manage_apache_run(httpd_t)
-+ pki_read_tomcat_cert(httpd_t)
++ pki_read_tomcat_cert(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_db',`
@@ -5999,7 +6000,7 @@ index 1a82e29..25fbcc6 100644
')
optional_policy(`
-@@ -857,19 +1036,35 @@ optional_policy(`
+@@ -857,19 +1037,35 @@ optional_policy(`
')
optional_policy(`
@@ -6035,7 +6036,7 @@ index 1a82e29..25fbcc6 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1072,171 @@ optional_policy(`
+@@ -877,65 +1073,171 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6229,7 +6230,7 @@ index 1a82e29..25fbcc6 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1245,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1246,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6384,7 +6385,7 @@ index 1a82e29..25fbcc6 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1329,104 @@ optional_policy(`
+@@ -1077,172 +1330,104 @@ optional_policy(`
')
')
@@ -6620,7 +6621,7 @@ index 1a82e29..25fbcc6 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1434,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1435,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6717,7 +6718,7 @@ index 1a82e29..25fbcc6 100644
########################################
#
-@@ -1315,8 +1509,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1510,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6734,7 +6735,7 @@ index 1a82e29..25fbcc6 100644
')
########################################
-@@ -1324,49 +1525,38 @@ optional_policy(`
+@@ -1324,49 +1526,38 @@ optional_policy(`
# User content local policy
#
@@ -6799,7 +6800,7 @@ index 1a82e29..25fbcc6 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1566,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1567,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -45033,10 +45034,10 @@ index 0000000..6ad142d
+')
diff --git a/mythtv.te b/mythtv.te
new file mode 100644
-index 0000000..90129ac
+index 0000000..395c2fd
--- /dev/null
+++ b/mythtv.te
-@@ -0,0 +1,41 @@
+@@ -0,0 +1,46 @@
+policy_module(mythtv, 1.0.0)
+
+########################################
@@ -45056,6 +45057,9 @@ index 0000000..90129ac
+#
+# httpd_mythtv_script local policy
+#
++#============= httpd_mythtv_script_t ==============
++allow httpd_mythtv_script_t self:process setpgid;
++dev_list_sysfs(httpd_mythtv_script_t)
+
+manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
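Review bot: The `#============= httpd_mythtv_script_t ==============` line is an audit2allow banner pasted verbatim; the file already carries a `httpd_mythtv_script local policy` header two lines above it, so the generated banner should be dropped and the two rules kept under the existing header. Style aside, `dev_list_sysfs` is placed between the self rule and the manage_*_pattern lines, while the rest of the module appears to group kernel/dev interface calls after the type-specific patterns (compare `fs_read_nfs_files` in the following hunk), so moving it there keeps the module consistent. The mythtv.te file section continues outside this hunk.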
@@ -45071,6 +45075,8 @@ index 0000000..90129ac
+
+fs_read_nfs_files(httpd_mythtv_script_t)
+
++auth_read_passwd(httpd_mythtv_script_t)
++
+miscfiles_read_localization(httpd_mythtv_script_t)
+
+optional_policy(`
@@ -57833,7 +57839,7 @@ index ae27bb7..d00f6ba 100644
+ allow $1 polipo_unit_file_t:service all_service_perms;
')
diff --git a/polipo.te b/polipo.te
-index 316d53a..35d9018 100644
+index 316d53a..6646219 100644
--- a/polipo.te
+++ b/polipo.te
@@ -1,4 +1,4 @@
@@ -57909,7 +57915,7 @@ index 316d53a..35d9018 100644
type polipo_cache_t;
files_type(polipo_cache_t)
-@@ -56,112 +63,97 @@ files_type(polipo_cache_t)
+@@ -56,112 +63,98 @@ files_type(polipo_cache_t)
type polipo_log_t;
logging_log_file(polipo_log_t)
@@ -57962,6 +57968,7 @@ index 316d53a..35d9018 100644
+corenet_tcp_bind_http_cache_port(polipo_daemon)
+corenet_sendrecv_http_cache_server_packets(polipo_daemon)
+corenet_tcp_connect_http_port(polipo_daemon)
++corenet_tcp_connect_http_cache_port(polipo_daemon)
+corenet_tcp_connect_tor_port(polipo_daemon)
+corenet_tcp_connect_flash_port(polipo_daemon)
@@ -81297,10 +81304,18 @@ index 1aeef8a..d5ce40a 100644
admin_pattern($1, shorewall_etc_t)
diff --git a/shorewall.te b/shorewall.te
-index ca03de6..c3b5559 100644
+index ca03de6..e0ebb61 100644
--- a/shorewall.te
+++ b/shorewall.te
-@@ -44,9 +44,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
+@@ -34,6 +34,7 @@ logging_log_file(shorewall_log_t)
+
+ allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin };
+ dontaudit shorewall_t self:capability sys_tty_config;
++allow shorewall_t self:process signal_perms;
+ allow shorewall_t self:fifo_file rw_fifo_file_perms;
+ allow shorewall_t self:netlink_socket create_socket_perms;
+
+@@ -44,9 +45,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
@@ -81311,7 +81326,7 @@ index ca03de6..c3b5559 100644
logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir })
manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
-@@ -57,6 +55,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+@@ -57,6 +56,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
@@ -81321,7 +81336,7 @@ index ca03de6..c3b5559 100644
allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
-@@ -74,7 +75,6 @@ dev_read_urand(shorewall_t)
+@@ -74,7 +76,6 @@ dev_read_urand(shorewall_t)
domain_read_all_domains_state(shorewall_t)
files_getattr_kernel_modules(shorewall_t)
@@ -81329,7 +81344,7 @@ index ca03de6..c3b5559 100644
files_search_kernel_modules(shorewall_t)
fs_getattr_all_fs(shorewall_t)
-@@ -86,12 +86,11 @@ init_rw_utmp(shorewall_t)
+@@ -86,12 +87,11 @@ init_rw_utmp(shorewall_t)
logging_read_generic_logs(shorewall_t)
logging_send_syslog_msg(shorewall_t)
@@ -88900,7 +88915,7 @@ index 61c2e07..5e1df41 100644
+ ')
')
diff --git a/tor.te b/tor.te
-index 964a395..78962c4 100644
+index 964a395..ea77295 100644
--- a/tor.te
+++ b/tor.te
@@ -13,6 +13,13 @@ policy_module(tor, 1.8.4)
@@ -88935,7 +88950,15 @@ index 964a395..78962c4 100644
corenet_sendrecv_dns_server_packets(tor_t)
corenet_udp_bind_dns_port(tor_t)
corenet_udp_sendrecv_dns_port(tor_t)
-@@ -98,19 +107,22 @@ dev_read_urand(tor_t)
+@@ -85,6 +94,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
+ corenet_sendrecv_tor_server_packets(tor_t)
+ corenet_tcp_bind_tor_port(tor_t)
+ corenet_tcp_sendrecv_tor_port(tor_t)
++corenet_tcp_bind_hplip_port(tor_t)
+
+ corenet_sendrecv_all_client_packets(tor_t)
+ corenet_tcp_connect_all_ports(tor_t)
+@@ -98,19 +108,22 @@ dev_read_urand(tor_t)
domain_use_interactive_fds(tor_t)
files_read_etc_runtime_files(tor_t)
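Review bot: `corenet_tcp_bind_hplip_port(tor_t)` lets the Tor daemon listen on every port labelled hplip_port_t, unconditionally and without a comment on which Tor configuration needs a port type named for the HP printing stack. If a user's torrc happens to use a port number carrying that label, the cleaner fix is usually to move that port into tor_port_t or put the grant behind a boolean; at minimum a comment such as `# needed when a torrc listens on a port labelled hplip_port_t — confirm which port` should explain the grant. The tor_t rule block continues outside this hunk.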
@@ -96961,6 +96984,18 @@ index d837e88..910aeec 100644
userdom_use_unpriv_users_fds(yam_t)
userdom_search_user_home_dirs(yam_t)
+diff --git a/zabbix.fc b/zabbix.fc
+index ce10cb1..c8f60fc 100644
+--- a/zabbix.fc
++++ b/zabbix.fc
+@@ -10,6 +10,7 @@
+ /usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+ /usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+
++/var/lib/zabbixsrv(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0)
+ /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
+
+ /var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0)
diff --git a/zabbix.if b/zabbix.if
index dd63de0..38ce620 100644
--- a/zabbix.if
@@ -97124,7 +97159,7 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..dea93eb 100644
+index 46e4cd3..8f76086 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -6,7 +6,7 @@ policy_module(zabbix, 1.5.3)
@@ -97136,7 +97171,17 @@ index 46e4cd3..dea93eb 100644
## Determine whether zabbix can
## connect to all TCP ports
##
-@@ -52,11 +52,10 @@ allow zabbix_t self:sem create_sem_perms;
+@@ -27,6 +27,9 @@ init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
+ type zabbix_agent_initrc_exec_t;
+ init_script_file(zabbix_agent_initrc_exec_t)
+
++type zabbix_var_lib_t;
++files_type(zabbix_var_lib_t)
++
+ type zabbix_log_t;
+ logging_log_file(zabbix_log_t)
+
+@@ -52,11 +55,15 @@ allow zabbix_t self:sem create_sem_perms;
allow zabbix_t self:shm create_shm_perms;
allow zabbix_t self:tcp_socket create_stream_socket_perms;
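Review bot: `zabbix_var_lib_t` is declared here and the zabbix.fc hunk earlier in this diff labels /var/lib/zabbixsrv with it, but nothing in the patch shows the type being added to the `zabbix_admin` interface; the zabbix.if hunk only updates its index line, although its context suggests that interface uses `admin_pattern` for the other zabbix types. If zabbix_admin enumerates the module's types, add `admin_pattern($1, zabbix_var_lib_t)` together with `files_search_var_lib($1)` so administrators of the service can manage the new directory. The zabbix.te declarations block continues outside this hunk.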
@@ -97145,6 +97190,11 @@ index 46e4cd3..dea93eb 100644
-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-logging_log_filetrans(zabbix_t, zabbix_log_t, file)
++manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
++manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
++manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
++files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
++
+manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
@@ -97152,7 +97202,15 @@ index 46e4cd3..dea93eb 100644
manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
-@@ -95,12 +94,8 @@ corecmd_exec_shell(zabbix_t)
+@@ -85,6 +92,7 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
+ corenet_sendrecv_http_client_packets(zabbix_t)
+ corenet_tcp_connect_http_port(zabbix_t)
+ corenet_tcp_sendrecv_http_port(zabbix_t)
++corenet_tcp_connect_smtp_port(zabbix_t)
+
+ corenet_sendrecv_zabbix_server_packets(zabbix_t)
+ corenet_tcp_bind_zabbix_port(zabbix_t)
+@@ -95,12 +103,8 @@ corecmd_exec_shell(zabbix_t)
dev_read_urand(zabbix_t)
@@ -97165,7 +97223,7 @@ index 46e4cd3..dea93eb 100644
zabbix_agent_tcp_connect(zabbix_t)
tunable_policy(`zabbix_can_network',`
-@@ -110,12 +105,11 @@ tunable_policy(`zabbix_can_network',`
+@@ -110,12 +114,11 @@ tunable_policy(`zabbix_can_network',`
')
optional_policy(`
@@ -97180,7 +97238,7 @@ index 46e4cd3..dea93eb 100644
')
optional_policy(`
-@@ -125,6 +119,7 @@ optional_policy(`
+@@ -125,6 +128,7 @@ optional_policy(`
optional_policy(`
snmp_read_snmp_var_lib_files(zabbix_t)
@@ -97188,7 +97246,7 @@ index 46e4cd3..dea93eb 100644
')
########################################
-@@ -133,17 +128,14 @@ optional_policy(`
+@@ -133,17 +137,14 @@ optional_policy(`
#
allow zabbix_agent_t self:capability { setuid setgid };
@@ -97208,7 +97266,7 @@ index 46e4cd3..dea93eb 100644
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
-@@ -154,6 +146,8 @@ files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
+@@ -154,6 +155,8 @@ files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
kernel_read_all_sysctls(zabbix_agent_t)
kernel_read_system_state(zabbix_agent_t)
@@ -97217,7 +97275,7 @@ index 46e4cd3..dea93eb 100644
corecmd_read_all_executables(zabbix_agent_t)
corenet_all_recvfrom_unlabeled(zabbix_agent_t)
-@@ -182,7 +176,6 @@ domain_search_all_domains_state(zabbix_agent_t)
+@@ -182,7 +185,6 @@ domain_search_all_domains_state(zabbix_agent_t)
files_getattr_all_dirs(zabbix_agent_t)
files_getattr_all_files(zabbix_agent_t)
files_read_all_symlinks(zabbix_agent_t)
@@ -97225,7 +97283,7 @@ index 46e4cd3..dea93eb 100644
fs_getattr_all_fs(zabbix_agent_t)
-@@ -190,8 +183,11 @@ init_read_utmp(zabbix_agent_t)
+@@ -190,8 +192,11 @@ init_read_utmp(zabbix_agent_t)
logging_search_logs(zabbix_agent_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b25825c..8cdb099 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 74.16%{?dist}
+Release: 74.17%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Jan 10 2014 Lukas Vrabec 3.12.1-74.17
+- Allow polipo to connect to http_cache_ports
+- Add new access for mythtv
+- Allow tor to bind to hplip port
+- Allow showall_t to send itself signals
+- Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix to connect to smtp port
+- Fixed filetrans in zabbix policy
+- Allow httpd to read ldap certs
+- passwd to create gnome-keyring passwd socket
+- Allow sytemd_tmpfiles_t to delete all directories
+
* Fri Dec 20 2013 Lukas Vrabec 3.12.1-74.16
- Allow amanda to do backups over UDP
- Add log support for sensord