From 72da9a92c2c57613cc72121c788fb332896775cc Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jul 10 2011 17:53:09 +0000 Subject: - Add l2tpd policy - Fixes for abrt - Backport fail2ban_client policy --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 04307a9..2d12a6b 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2361,3 +2361,10 @@ firewalld = module # policy for namespace.init script # namespace = module + +# Layer: services +# Module: l2tpd +# +# policy for l2tpd +# +l2tpd = module diff --git a/policy-F15.patch b/policy-F15.patch index 597b957..9732ec0 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -3041,10 +3041,10 @@ index 0000000..e921f24 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..ee4cf03 +index 0000000..9f6478c --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,111 @@ +@@ -0,0 +1,117 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -3145,6 +3145,7 @@ index 0000000..ee4cf03 + fs_search_nfs(chrome_sandbox_t) + fs_exec_nfs_files(chrome_sandbox_t) + fs_read_nfs_files(chrome_sandbox_t) ++ fs_rw_inherited_nfs_files(chrome_sandbox_t) + fs_read_nfs_symlinks(chrome_sandbox_t) + fs_dontaudit_append_nfs_files(chrome_sandbox_t) +') @@ -3152,10 +3153,15 @@ index 0000000..ee4cf03 +tunable_policy(`use_samba_home_dirs',` + fs_search_cifs(chrome_sandbox_t) + fs_exec_cifs_files(chrome_sandbox_t) ++ fs_rw_inherited_cifs_files(chrome_sandbox_t) + fs_read_cifs_files(chrome_sandbox_t) + fs_read_cifs_symlinks(chrome_sandbox_t) + fs_dontaudit_append_cifs_files(chrome_sandbox_t) +') ++ ++optional_policy(` ++ sandbox_use_ptys(chrome_sandbox_t) ++') diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te index e51e7f5..8e0405f 100644 --- a/policy/modules/apps/cpufreqselector.te 
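Review bot: The added `fs_rw_inherited_nfs_files(chrome_sandbox_t)` and `fs_rw_inherited_cifs_files(chrome_sandbox_t)` calls in the `use_nfs_home_dirs` / `use_samba_home_dirs` blocks of chrome.te give the Chrome sandbox domain write access to already-open files on network home directories, and nothing in the hunk records why. The neighbouring lines visible here allow only search, exec and read, and explicitly dontaudit append, so this looks like the first write path from the sandbox into home content. I would put a comment above each call, such as `# <bug reference>: sandbox writes to descriptors inherited from the browser`, with the real reference filled in, so that a later audit can tell a deliberate grant from one added only to silence an AVC. The opening of the NFS tunable block lies outside the hunk context.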
@@ -8044,10 +8050,10 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if new file mode 100644 -index 0000000..3b6af20 +index 0000000..6efdeca --- /dev/null +++ b/policy/modules/apps/sandbox.if -@@ -0,0 +1,341 @@ +@@ -0,0 +1,362 @@ + +## policy for sandbox + @@ -8085,6 +8091,7 @@ index 0000000..3b6af20 + allow $1 sandbox_x_domain:process { signal_perms transition }; + dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; + allow sandbox_x_domain $1:process { sigchld signull }; ++ allow { sandbox_x_domain sandbox_xserver_t } $1:fd use; + dontaudit sandbox_domain $1:process signal; + role $2 types sandbox_x_domain; + role $2 types sandbox_xserver_t; @@ -8204,6 +8211,8 @@ index 0000000..3b6af20 + allow sandbox_xserver_t $1_t:shm rw_shm_perms; + allow $1_client_t $1_t:unix_stream_socket connectto; + allow $1_t $1_client_t:unix_stream_socket connectto; ++ ++ fs_get_xattr_fs_quotas($1_client_t) +') + +######################################## @@ -8389,12 +8398,30 @@ index 0000000..3b6af20 + + allow $1 sandbox_file_t:dir list_dir_perms; +') ++ ++######################################## ++## ++## Read and write a sandbox domain pty. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sandbox_use_ptys',` ++ gen_require(` ++ type sandbox_devpts_t; ++ ') ++ ++ allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms; ++') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..b0cc5df +index 0000000..74ce3e2 --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,484 @@ +@@ -0,0 +1,482 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; 
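Review bot: The summary of the new `sandbox_use_ptys` interface in sandbox.if reads "Read and write a sandbox domain pty", but the rule it emits is `allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms;`, which by the macro's name covers only ptys the caller receives already open. The summary should say that, for example `Read and write inherited sandbox domain ptys.`, so callers such as the new `sandbox_use_ptys(chrome_sandbox_t)` in chrome.te are not read as being able to open a sandbox pty themselves. No code change is needed.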
@@ -8477,6 +8504,8 @@ index 0000000..b0cc5df +dev_rwx_zero(sandbox_xserver_t) +dev_read_urand(sandbox_xserver_t) + ++domain_use_interactive_fds(sandbox_xserver_t) ++ +files_read_config_files(sandbox_xserver_t) +files_read_usr_files(sandbox_xserver_t) +files_search_home(sandbox_xserver_t) @@ -8514,6 +8543,7 @@ index 0000000..b0cc5df +# sandbox local policy +# + ++allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem }; +allow sandbox_domain self:fifo_file manage_file_perms; +allow sandbox_domain self:sem create_sem_perms; +allow sandbox_domain self:shm create_shm_perms; 
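Review bot: The added `allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };` grants `execstack` and `execmem` unconditionally to every type carrying the sandbox_domain attribute, which takes the executable-memory checks away from the domains that exist to contain untrusted programs. The following hunk (`@@ -8562,24 +8592,20 @@`) carries the same set on sandbox_x_domain, where it may be needed for some desktop applications, but nothing visible here justifies it for the non-X sandbox. I would split the rule: keep `allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid };` and grant `execstack execmem` only to the specific sandbox types that need them, or under a boolean, with a comment naming the application that requires it.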
@@ -8562,24 +8592,20 @@ index 0000000..b0cc5df +# +# sandbox_x_domain local policy +# ++allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem }; +allow sandbox_x_domain self:fifo_file manage_file_perms; +allow sandbox_x_domain self:sem create_sem_perms; +allow sandbox_x_domain self:shm create_shm_perms; +allow sandbox_x_domain self:msgq create_msgq_perms; -+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; ++allow sandbox_x_domain self:netlink_selinux_socket create_socket_perms; +allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; ++allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; + -+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; -+ -+allow sandbox_x_domain self:process { signal_perms getsched setsched setpgid execstack execmem }; +dontaudit sandbox_x_domain sandbox_x_domain:process signal; +dontaudit sandbox_x_domain sandbox_xserver_t:process signal; ++dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + -+allow sandbox_x_domain self:shm create_shm_perms; -+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; -+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; +allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; -+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + +allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr }; +term_create_pty(sandbox_x_domain,sandbox_devpts_t) @@ -8596,6 +8622,7 @@ index 0000000..b0cc5df +kernel_getattr_proc(sandbox_x_domain) +kernel_read_network_state(sandbox_x_domain) +kernel_read_system_state(sandbox_x_domain) ++kernel_dontaudit_search_kernel_sysctl(sandbox_x_domain) + +domain_dontaudit_read_all_domains_state(sandbox_x_domain) + 
@@ -8728,7 +8755,6 @@ index 0000000..b0cc5df +allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms; +allow sandbox_x_client_t self:udp_socket create_socket_perms; +allow sandbox_x_client_t self:dbus { acquire_svc send_msg }; -+allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms; + +dev_read_rand(sandbox_x_client_t) + @@ -8757,7 +8783,6 @@ index 0000000..b0cc5df +allow sandbox_web_type self:tcp_socket create_stream_socket_perms; +allow sandbox_web_type self:udp_socket create_socket_perms; +allow sandbox_web_type self:dbus { acquire_svc send_msg }; -+allow sandbox_web_type self:netlink_selinux_socket create_socket_perms; + +kernel_dontaudit_search_kernel_sysctl(sandbox_web_type) +kernel_request_load_module(sandbox_web_type) @@ -17685,21 +17710,23 @@ index e88b95f..69ade9e 100644 -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc -index 1bd5812..7112560 100644 +index 1bd5812..f7a7a96 100644 --- a/policy/modules/services/abrt.fc 
+++ b/policy/modules/services/abrt.fc -@@ -3,8 +3,9 @@ +@@ -1,11 +1,9 @@ + /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) + /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) ++/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) /usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -+/usr/libexec/abrt-hook-ccpp -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) - /usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -+/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) - +-/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) +- /usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) -@@ -15,6 +16,21 @@ + /var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) +@@ -15,6 +13,19 @@ /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) /var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) @@ -17719,8 +17746,6 @@ index 1bd5812..7112560 100644 +/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) +/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) -+ -+ diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if index 0b827c5..7382308 100644 --- a/policy/modules/services/abrt.if @@ -17921,7 +17946,7 @@ index 0b827c5..7382308 100644 + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..28604d3 100644 +index 30861ec..f3f9354 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te 
@@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0) @@ -17939,7 +17964,14 @@ index 30861ec..28604d3 100644 type abrt_t; type abrt_exec_t; init_daemon_domain(abrt_t, abrt_exec_t) -@@ -43,14 +51,37 @@ ifdef(`enable_mcs',` +@@ -37,20 +45,44 @@ files_pid_file(abrt_var_run_t) + type abrt_helper_t; + type abrt_helper_exec_t; + application_domain(abrt_helper_t, abrt_helper_exec_t) ++#init_system_domain(abrt_helper_t, abrt_helper_exec_t) + role system_r types abrt_helper_t; + + ifdef(`enable_mcs',` init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ') @@ -17979,7 +18011,7 @@ index 30861ec..28604d3 100644 allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -59,6 +90,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; +@@ -59,6 +91,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; allow abrt_t self:netlink_route_socket r_netlink_socket_perms; # abrt etc files @@ -17987,7 +18019,7 @@ index 30861ec..28604d3 100644 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -69,6 +101,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -69,6 +102,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -17995,7 +18027,7 @@ index 30861ec..28604d3 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,7 +115,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,7 +116,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) 
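Review bot: The added line `#init_system_domain(abrt_helper_t, abrt_helper_exec_t)` in the abrt.te declarations is a commented-out rule with no explanation. abrt_helper_t stays an `application_domain` here while the same commit labels `/usr/bin/abrt-dump-oops` as `abrt_helper_exec_t` in abrt.fc, so a reader cannot tell whether a transition from init was tried and rejected or is still pending. Either drop the line or replace it with a comment that states the decision, e.g. `# abrt-dump-oops is started by <caller>; no init transition wanted`, with the caller filled in.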
@@ -18004,7 +18036,7 @@ index 30861ec..28604d3 100644 kernel_read_ring_buffer(abrt_t) kernel_read_system_state(abrt_t) -@@ -104,6 +137,7 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +138,7 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -18012,7 +18044,7 @@ index 30861ec..28604d3 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +147,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +148,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) @@ -18022,7 +18054,7 @@ index 30861ec..28604d3 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +156,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +157,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -18031,7 +18063,7 @@ index 30861ec..28604d3 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,7 +168,7 @@ fs_read_nfs_files(abrt_t) +@@ -131,7 +169,7 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -18040,7 +18072,7 @@ index 30861ec..28604d3 100644 logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) -@@ -140,6 +177,16 @@ miscfiles_read_generic_certs(abrt_t) +@@ -140,6 +178,16 @@ miscfiles_read_generic_certs(abrt_t) miscfiles_read_localization(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) @@ -18057,7 +18089,7 @@ index 30861ec..28604d3 100644 optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +197,11 @@ optional_policy(` +@@ -150,6 +198,11 @@ optional_policy(` ') optional_policy(` 
@@ -18069,7 +18101,7 @@ index 30861ec..28604d3 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -167,6 +219,7 @@ optional_policy(` +@@ -167,6 +220,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -18077,7 +18109,7 @@ index 30861ec..28604d3 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +231,18 @@ optional_policy(` +@@ -178,12 +232,18 @@ optional_policy(` ') optional_policy(` @@ -18097,7 +18129,12 @@ index 30861ec..28604d3 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -203,6 +262,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) +@@ -200,9 +260,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) + read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) + read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) + ++corecmd_read_all_executables(abrt_helper_t) ++ domain_read_all_domains_state(abrt_helper_t) files_read_etc_files(abrt_helper_t) @@ -18105,7 +18142,7 @@ index 30861ec..28604d3 100644 fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) -@@ -216,7 +276,8 @@ miscfiles_read_localization(abrt_helper_t) +@@ -216,7 +279,8 @@ miscfiles_read_localization(abrt_helper_t) term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) @@ -18115,7 +18152,7 @@ index 30861ec..28604d3 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +285,100 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +288,100 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) 
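Review bot: `corecmd_read_all_executables(abrt_helper_t)` is added to the helper's local policy without a comment, and it is a broad read grant for a domain that the preceding hunk shows holding `chown`, `setgid` and `sys_nice`. If the helper only needs to stat the crashing binary, `corecmd_getattr_all_executables`, which this commit uses for login programs in authlogin.if, would be the narrower call. If it really reads the file contents, a short comment such as `# <helper name> reads the crashed executable` would record why; which helper needs it is not visible in the hunk.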
@@ -20712,10 +20749,18 @@ index 8b8143e..c1a2b96 100644 init_labeled_script_domtrans($1, asterisk_initrc_exec_t) diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te -index b3b0176..e343da3 100644 +index b3b0176..0e8a352 100644 --- a/policy/modules/services/asterisk.te +++ b/policy/modules/services/asterisk.te -@@ -39,7 +39,7 @@ files_pid_file(asterisk_var_run_t) +@@ -23,6 +23,7 @@ files_type(asterisk_spool_t) + + type asterisk_tmp_t; + files_tmp_file(asterisk_tmp_t) ++mta_system_content(asterisk_tmp_t) + + type asterisk_tmpfs_t; + files_tmpfs_file(asterisk_tmpfs_t) +@@ -39,7 +40,7 @@ files_pid_file(asterisk_var_run_t) # # dac_override for /var/run/asterisk @@ -20724,7 +20769,7 @@ index b3b0176..e343da3 100644 dontaudit asterisk_t self:capability sys_tty_config; allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; allow asterisk_t self:fifo_file rw_fifo_file_perms; -@@ -76,10 +76,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f +@@ -76,10 +77,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file) @@ -20737,7 +20782,7 @@ index b3b0176..e343da3 100644 kernel_read_system_state(asterisk_t) kernel_read_kernel_sysctls(asterisk_t) -@@ -108,6 +109,8 @@ corenet_tcp_bind_generic_port(asterisk_t) +@@ -108,6 +110,8 @@ corenet_tcp_bind_generic_port(asterisk_t) corenet_udp_bind_generic_port(asterisk_t) corenet_dontaudit_udp_bind_all_ports(asterisk_t) corenet_sendrecv_generic_server_packets(asterisk_t) 
@@ -20746,7 +20791,15 @@ index b3b0176..e343da3 100644 corenet_tcp_connect_postgresql_port(asterisk_t) corenet_tcp_connect_snmp_port(asterisk_t) corenet_tcp_connect_sip_port(asterisk_t) -@@ -125,6 +128,7 @@ files_search_spool(asterisk_t) +@@ -116,6 +120,7 @@ dev_rw_generic_usb_dev(asterisk_t) + dev_read_sysfs(asterisk_t) + dev_read_sound(asterisk_t) + dev_write_sound(asterisk_t) ++dev_read_rand(asterisk_t) + dev_read_urand(asterisk_t) + + domain_use_interactive_fds(asterisk_t) +@@ -125,6 +130,7 @@ files_search_spool(asterisk_t) # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm # are labeled usr_t files_read_usr_files(asterisk_t) @@ -20754,7 +20807,7 @@ index b3b0176..e343da3 100644 fs_getattr_all_fs(asterisk_t) fs_list_inotifyfs(asterisk_t) -@@ -141,6 +145,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) +@@ -141,6 +147,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) userdom_dontaudit_search_user_home_dirs(asterisk_t) optional_policy(` @@ -23583,10 +23636,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..22f0ffd +index 0000000..9fe6628 --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,120 @@ +@@ -0,0 +1,123 @@ +policy_module(colord,1.0.0) + +######################################## @@ -23637,6 +23690,9 @@ index 0000000..22f0ffd +kernel_read_device_sysctls(colord_t) +kernel_request_load_module(colord_t) + ++# reads *.ini files ++corecmd_read_bin_files(colord_t) ++ +corenet_udp_bind_generic_node(colord_t) +corenet_udp_bind_ipp_port(colord_t) +corenet_tcp_connect_ipp_port(colord_t) @@ -26393,10 +26449,10 @@ index 0000000..60c81d6 +') diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te new file mode 100644 -index 0000000..b7fc006 +index 0000000..5214120 --- /dev/null 
+++ b/policy/modules/services/dirsrv-admin.te -@@ -0,0 +1,100 @@ +@@ -0,0 +1,101 @@ +policy_module(dirsrv-admin,1.0.0) + +######################################## @@ -26420,7 +26476,8 @@ index 0000000..b7fc006 +# Local policy for the daemon +# +allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms; -+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config }; ++allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource }; ++allow dirsrvadmin_t self:process setrlimit; + +manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) +manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) @@ -27748,8 +27805,20 @@ index f28f64b..0b19f11 100644 ') optional_policy(` +diff --git a/policy/modules/services/fail2ban.fc b/policy/modules/services/fail2ban.fc +index 0de2b83..b93171c 100644 +--- a/policy/modules/services/fail2ban.fc ++++ b/policy/modules/services/fail2ban.fc +@@ -1,6 +1,7 @@ + /etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0) + + /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) ++/usr/bin/fail2ban-client -- gen_context(system_u:object_r:fail2ban_client_exec_t,s0) + /usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) + + /var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if -index f590a1f..b895afb 100644 +index f590a1f..26a6299 100644 --- a/policy/modules/services/fail2ban.if +++ b/policy/modules/services/fail2ban.if @@ -5,9 +5,9 @@ @@ -27764,6 +27833,15 @@ index f590a1f..b895afb 100644 ## # interface(`fail2ban_domtrans',` +@@ -72,7 +72,7 @@ interface(`fail2ban_read_lib_files',` + ') + + files_search_var_lib($1) +- allow $1 fail2ban_var_lib_t:file read_file_perms; ++ read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t) + ') + + ######################################## 
@@ -102,9 +102,9 @@ interface(`fail2ban_read_log',` ## fail2ban log files. ## @@ -27784,7 +27862,7 @@ index f590a1f..b895afb 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -27822,31 +27900,57 @@ index f590a1f..b895afb 100644 ## All of the rules required to administrate ## an fail2ban environment ## -@@ -155,8 +194,8 @@ interface(`fail2ban_read_pid_files',` +@@ -155,12 +194,13 @@ interface(`fail2ban_read_pid_files',` # interface(`fail2ban_admin',` gen_require(` - type fail2ban_t, fail2ban_log_t; - type fail2ban_var_run_t, fail2ban_initrc_exec_t; + type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t; -+ type fail2ban_var_run_t; ++ type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t; ++ type fail2ban_client_t; ') - allow $1 fail2ban_t:process { ptrace signal_perms }; +- allow $1 fail2ban_t:process { ptrace signal_perms }; +- ps_process_pattern($1, fail2ban_t) ++ allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms }; ++ ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) + + init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) + domain_system_change_exemption($1) +@@ -172,4 +212,10 @@ interface(`fail2ban_admin',` + + files_list_pids($1) + admin_pattern($1, fail2ban_var_run_t) ++ ++ files_list_var_lib($1) ++ admin_pattern($1, fail2ban_var_lib_t) ++ ++ files_list_tmp($1) ++ admin_pattern($1, fail2ban_tmp_t) + ') diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te -index 2a69e5e..c756d2a 100644 +index 2a69e5e..7b33bda 100644 --- a/policy/modules/services/fail2ban.te 
+++ b/policy/modules/services/fail2ban.te -@@ -23,12 +23,15 @@ files_type(fail2ban_var_lib_t) +@@ -23,12 +23,22 @@ files_type(fail2ban_var_lib_t) type fail2ban_var_run_t; files_pid_file(fail2ban_var_run_t) +type fail2ban_tmp_t; +files_tmp_file(fail2ban_tmp_t) + ++type fail2ban_client_t; ++type fail2ban_client_exec_t; ++init_daemon_domain(fail2ban_client_t, fail2ban_client_exec_t) ++ ++# new in F16 ++permissive fail2ban_client_t; ++ ######################################## # - # fail2ban local policy +-# fail2ban local policy ++# fail2ban server local policy # -allow fail2ban_t self:capability { sys_tty_config }; @@ -27854,7 +27958,7 @@ index 2a69e5e..c756d2a 100644 allow fail2ban_t self:process signal; allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; -@@ -36,7 +39,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms; +@@ -36,7 +46,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms; allow fail2ban_t self:tcp_socket create_stream_socket_perms; # log files @@ -27863,7 +27967,7 @@ index 2a69e5e..c756d2a 100644 manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) -@@ -50,6 +53,11 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) +@@ -50,6 +60,11 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file }) @@ -27875,7 +27979,7 @@ index 2a69e5e..c756d2a 100644 kernel_read_system_state(fail2ban_t) corecmd_exec_bin(fail2ban_t) -@@ -66,6 +74,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) +@@ -66,6 +81,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) dev_read_urand(fail2ban_t) domain_use_interactive_fds(fail2ban_t) 
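Review bot: `permissive fail2ban_client_t;` in the fail2ban.te declarations is annotated only with `# new in F16`, which is misleading in a backport to policy-F15.patch and gives no condition for removing it. While the domain is permissive, none of the client rules added further down (the `fail2ban client local policy` hunk) are enforced, yet the client has `domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)` and `fail2ban_admin` now grants `ptrace` over it. I would reword the comment to something like `# permissive until fail2ban_client_t AVCs are reviewed; remove before release` (wording to be agreed) so the exemption is tracked rather than forgotten.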
@@ -27883,7 +27987,7 @@ index 2a69e5e..c756d2a 100644 files_read_etc_files(fail2ban_t) files_read_etc_runtime_files(fail2ban_t) -@@ -94,5 +103,13 @@ optional_policy(` +@@ -94,5 +110,34 @@ optional_policy(` ') optional_policy(` @@ -27895,8 +27999,29 @@ index 2a69e5e..c756d2a 100644 ') + +optional_policy(` -+ libs_exec_ldconfig(fail2ban_t) ++ libs_exec_ldconfig(fail2ban_t) +') ++ ++######################################## ++# ++# fail2ban client local policy ++# ++ ++domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) ++ ++stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) ++ ++kernel_read_system_state(fail2ban_client_t) ++ ++# python ++corecmd_exec_bin(fail2ban_client_t) ++ ++# nsswitch.conf, passwd ++files_read_etc_files(fail2ban_client_t) ++files_read_usr_files(fail2ban_client_t) ++files_search_pids(fail2ban_client_t) ++ ++miscfiles_read_localization(fail2ban_client_t) diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if index 6537214..7d64c0a 100644 --- a/policy/modules/services/fetchmail.if 
@@ -30860,6 +30985,208 @@ index a73b7a1..83a4f38 100644 +logging_send_syslog_msg(ksmtuned_t) + miscfiles_read_localization(ksmtuned_t) +diff --git a/policy/modules/services/l2tpd.fc b/policy/modules/services/l2tpd.fc +new file mode 100644 +index 0000000..76d879e +--- /dev/null ++++ b/policy/modules/services/l2tpd.fc +@@ -0,0 +1,11 @@ ++ ++/etc/rc\.d/init\.d/xl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/openl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0) ++ ++/usr/sbin/xl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) ++/usr/sbin/openl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) ++ ++/var/run/xl2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0) ++ ++/var/run/xl2tpd\.pid gen_context(system_u:object_r:l2tpd_var_run_t,s0) ++ +diff --git a/policy/modules/services/l2tpd.if b/policy/modules/services/l2tpd.if +new file mode 100644 +index 0000000..5783d58 +--- /dev/null ++++ b/policy/modules/services/l2tpd.if +@@ -0,0 +1,115 @@ ++ ++## policy for l2tpd ++ ++######################################## ++## ++## Transition to l2tpd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`l2tpd_domtrans',` ++ gen_require(` ++ type l2tpd_t, l2tpd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, l2tpd_exec_t, l2tpd_t) ++') ++ ++ ++######################################## ++## ++## Execute l2tpd server in the l2tpd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`l2tpd_initrc_domtrans',` ++ gen_require(` ++ type l2tpd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, l2tpd_initrc_exec_t) ++') ++ ++ ++######################################## ++## ++## Read l2tpd PID files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`l2tpd_read_pid_files',` ++ gen_require(` ++ type l2tpd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 l2tpd_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Read and write l2tpd unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`l2tpd_rw_pipes',` ++ gen_require(` ++ type l2tpd_t; ++ ') ++ ++ allow $1 l2tpd_t:fifo_file rw_fifo_file_perms; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an l2tpd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`l2tpd_admin',` ++ gen_require(` ++ type l2tpd_t; ++ type l2tpd_initrc_exec_t; ++ type l2tpd_var_run_t; ++ ') ++ ++ allow $1 l2tpd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, l2tpd_t) ++ ++ l2tpd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 l2tpd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_pids($1) ++ admin_pattern($1, l2tpd_var_run_t) ++') ++ +diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te +new file mode 100644 +index 0000000..02359ec +--- /dev/null ++++ b/policy/modules/services/l2tpd.te +@@ -0,0 +1,58 @@ ++policy_module(l2tpd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type l2tpd_t; ++type l2tpd_exec_t; ++init_daemon_domain(l2tpd_t, l2tpd_exec_t) ++ ++permissive l2tpd_t; ++ ++type l2tpd_initrc_exec_t; ++init_script_file(l2tpd_initrc_exec_t) ++ ++type l2tpd_tmp_t; ++files_tmp_file(l2tpd_tmp_t) ++ ++type l2tpd_var_run_t; ++files_pid_file(l2tpd_var_run_t) ++ ++######################################## ++# ++# l2tpd local policy ++# ++allow l2tpd_t self:capability net_bind_service; ++allow l2tpd_t self:process signal; ++ ++allow l2tpd_t self:fifo_file rw_fifo_file_perms; ++allow l2tpd_t self:unix_stream_socket 
create_stream_socket_perms; ++allow l2tpd_t self:tcp_socket create_stream_socket_perms; ++ ++manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t) ++files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file) ++ ++manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) ++manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) ++manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) ++manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) ++files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file }) ++ ++corenet_tcp_bind_generic_node(l2tpd_t) ++corenet_udp_bind_generic_node(l2tpd_t) ++corenet_udp_bind_generic_port(l2tpd_t) ++corenet_tcp_bind_all_rpc_ports(l2tpd_t) ++ ++dev_read_urand(l2tpd_t) ++ ++domain_use_interactive_fds(l2tpd_t) ++ ++files_read_etc_files(l2tpd_t) ++ ++logging_send_syslog_msg(l2tpd_t) ++ ++miscfiles_read_localization(l2tpd_t) ++ ++sysnet_dns_name_resolve(l2tpd_t) diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc index c62f23e..92f3475 100644 --- a/policy/modules/services/ldap.fc @@ -49286,12 +49613,12 @@ index c26ecf5..ad41551 100644 optional_policy(` diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc new file mode 100644 -index 0000000..8d9a111 +index 0000000..ac33ce2 --- /dev/null +++ b/policy/modules/services/zarafa.fc -@@ -0,0 +1,34 @@ +@@ -0,0 +1,33 @@ + -+/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) ++/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) + +/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0) + 
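Review bot: In the new l2tpd.te, `corenet_udp_bind_generic_port(l2tpd_t)` and `corenet_tcp_bind_all_rpc_ports(l2tpd_t)` look much wider than an L2TP daemon needs, and since the domain is declared `permissive l2tpd_t;` with no comment, nothing in this module is enforced yet and nothing says when it will be. I would add a comment beside the `permissive` line stating the condition for dropping it, and narrow the binds to a dedicated port type for the L2TP port if one can be defined; whether the RPC-port bind is needed at all should be confirmed from the audit log. Separately, `l2tpd_admin` in l2tpd.if leaves out `l2tpd_tmp_t`, whereas this commit extends `fail2ban_admin` with `files_list_tmp($1)` and `admin_pattern($1, fail2ban_tmp_t)`; the same two calls for `l2tpd_tmp_t` (plus the type in `gen_require`) would keep the admin interfaces consistent. The summary of `l2tpd_initrc_domtrans` also describes executing the server, while the body only calls `init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)`.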
@@ -49307,23 +49634,22 @@ index 0000000..8d9a111 + +/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) + -+/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) -+/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) ++/var/lib/zarafa.* gen_context(system_u:object_r:zarafa_var_lib_t,s0) + -+/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0) ++/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0) +/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) +/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) -+/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) -+/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) ++/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) ++/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) +/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) + -+/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) -+/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0) ++/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) ++/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0) +/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0) +/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) +/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) -+/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) +/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) ++/var/run/zarafa-indexer.* 
gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if new file mode 100644 index 0000000..7ee5092 @@ -49882,7 +50208,7 @@ index 2952cef..d845132 100644 /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 42b4f0f..0e6f84a 100644 +index 42b4f0f..1bc48bc 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -49918,7 +50244,14 @@ index 42b4f0f..0e6f84a 100644 domain_subj_id_change_exemption($1) domain_role_change_exemption($1) domain_obj_id_change_exemption($1) -@@ -107,8 +116,10 @@ interface(`auth_login_pgm_domain',` +@@ -101,14 +110,17 @@ interface(`auth_login_pgm_domain',` + + # Needed for pam_selinux_permit to cleanup properly + domain_read_all_domains_state($1) ++ corecmd_getattr_all_executables($1) + domain_kill_all_domains($1) + + # pam_keyring allow $1 self:capability ipc_lock; allow $1 self:process setkeycreate; allow $1 self:key manage_key_perms; @@ -49929,7 +50262,7 @@ index 42b4f0f..0e6f84a 100644 manage_files_pattern($1, var_auth_t, var_auth_t) manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -@@ -119,13 +130,19 @@ interface(`auth_login_pgm_domain',` +@@ -119,13 +131,19 @@ interface(`auth_login_pgm_domain',` # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 kernel_rw_afs_state($1) @@ -49950,7 +50283,7 @@ index 42b4f0f..0e6f84a 100644 selinux_get_fs_mount($1) selinux_validate_context($1) -@@ -141,6 +158,8 @@ interface(`auth_login_pgm_domain',` +@@ -141,6 +159,8 @@ interface(`auth_login_pgm_domain',` mls_process_set_level($1) mls_fd_share_all_levels($1) 
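Review bot: The new zarafa.fc entry `/var/lib/zarafa.*` is not bounded by a path separator, so it labels anything under /var/lib whose name merely starts with `zarafa` (a constructed example: `/var/lib/zarafa-old`) as zarafa_var_lib_t. The two entries it replaces matched only the `zarafa` and `zarafa-webaccess` trees. `/var/run/zarafa-indexer.*` has the same open-ended prefix and also drops the `--` restriction, so every object class under that prefix gets zarafa_indexer_var_run_t. If only those paths are meant, `/var/lib/zarafa(-webaccess)?(/.*)?` and `/var/run/zarafa-indexer(/.*)?` keep the match bounded; should the indexer path be a single file or socket, keep an explicit file-type field instead.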
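Review bot: The added `corecmd_getattr_all_executables($1)` in `auth_login_pgm_domain` has no rationale of its own, although it gives every domain that calls this interface getattr on all executable types. It sits between `domain_read_all_domains_state($1)` and `domain_kill_all_domains($1)` under the existing "Needed for pam_selinux_permit to cleanup properly" comment, and the hunk does not show whether it belongs to that cleanup path. A short why-comment on the line, such as `# pam_selinux_permit: stat the executables of processes it cleans up` (if that is indeed the reason), would let a later reader judge whether the grant is still needed. The interface body starts and ends outside this hunk.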
@@ -49959,7 +50292,7 @@ index 42b4f0f..0e6f84a 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -151,13 +170,68 @@ interface(`auth_login_pgm_domain',` +@@ -151,13 +171,68 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) @@ -50030,7 +50363,7 @@ index 42b4f0f..0e6f84a 100644 ## Use the login program as an entry point program. ## ## -@@ -361,17 +435,18 @@ interface(`auth_domtrans_chk_passwd',` +@@ -361,17 +436,18 @@ interface(`auth_domtrans_chk_passwd',` optional_policy(` kerberos_read_keytab($1) @@ -50051,7 +50384,7 @@ index 42b4f0f..0e6f84a 100644 ') ######################################## -@@ -418,6 +493,25 @@ interface(`auth_run_chk_passwd',` +@@ -418,6 +494,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -50077,7 +50410,7 @@ index 42b4f0f..0e6f84a 100644 ') ######################################## -@@ -694,7 +788,7 @@ interface(`auth_relabel_shadow',` +@@ -694,7 +789,7 @@ interface(`auth_relabel_shadow',` ') files_search_etc($1) @@ -50086,7 +50419,7 @@ index 42b4f0f..0e6f84a 100644 typeattribute $1 can_relabelto_shadow_passwords; ') -@@ -733,7 +827,47 @@ interface(`auth_rw_faillog',` +@@ -733,7 +828,47 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -50135,7 +50468,7 @@ index 42b4f0f..0e6f84a 100644 ') ####################################### -@@ -874,6 +1008,46 @@ interface(`auth_exec_pam',` +@@ -874,6 +1009,46 @@ interface(`auth_exec_pam',` ######################################## ## @@ -50182,7 +50515,7 @@ index 42b4f0f..0e6f84a 100644 ## Manage var auth files. Used by various other applications ## and pam applets etc. ## -@@ -889,9 +1063,30 @@ interface(`auth_manage_var_auth',` +@@ -889,9 +1064,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) 
@@ -50216,7 +50549,7 @@ index 42b4f0f..0e6f84a 100644 ') ######################################## -@@ -1093,6 +1288,24 @@ interface(`auth_delete_pam_console_data',` +@@ -1093,6 +1289,24 @@ interface(`auth_delete_pam_console_data',` ######################################## ## @@ -50241,7 +50574,7 @@ index 42b4f0f..0e6f84a 100644 ## Read all directories on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1326,6 +1539,25 @@ interface(`auth_setattr_login_records',` +@@ -1326,6 +1540,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -50267,7 +50600,7 @@ index 42b4f0f..0e6f84a 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1500,28 +1732,36 @@ interface(`auth_manage_login_records',` +@@ -1500,28 +1733,36 @@ interface(`auth_manage_login_records',` # interface(`auth_use_nsswitch',` @@ -50311,7 +50644,7 @@ index 42b4f0f..0e6f84a 100644 optional_policy(` kerberos_use($1) ') -@@ -1531,7 +1771,15 @@ interface(`auth_use_nsswitch',` +@@ -1531,7 +1772,15 @@ interface(`auth_use_nsswitch',` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index efc8cfe..c0798d7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 32%{?dist} +Release: 33%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,11 @@ exit 0 %endif %changelog +* Mon Jul 11 2011 Miroslav Grepl 3.9.16-33 +- Add l2tpd policy +- Fixes for abrt +- Backport fail2ban_client policy + * Fri Jul 1 2011 Miroslav Grepl 3.9.16-32 - Allow getcap, setcap for syslogd - Fix label for /usr/lib64/opera/opera