From a839d9784cb3993a68738215bf1714d311a07544 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Nov 21 2013 13:53:30 +0000 Subject: - Allow watchdog to read /etc/passwd - Allow browser plugins to connect to bumblebee - New policy for bumblebee and freqset - Add new policy for mip6d daemon - Add new policy for opensm daemon - Allow condor domains to read/write condor_master udp_socket - Allow openshift_cron_t to append to openshift log files, label /var/log/openshift - Add back file_pid_filetrans for /var/run/dlm_controld - Allow smbd_t to use inherited tmpfs content - Allow mcelog to use the /dev/cpu device - sosreport runs rpcinfo - sosreport runs subscription-manager - Allow staff_t to run frequency command - Allow systemd_tmpfiles to relabel log directories - Allow staff_t to read xserver_log file - Label hsperfdata_root as tmp_t --- diff --git a/permissivedomains.pp b/permissivedomains.pp index 8d3d530..f8ac2b9 100644 Binary files a/permissivedomains.pp and b/permissivedomains.pp differ diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 0722c5a..d597f1d 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -9337,7 +9337,7 @@ index cf04cb5..369ddc2 100644 + ') +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c2c6e05..058bb58 100644 +index c2c6e05..52d2b7c 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9471,7 +9471,7 @@ index c2c6e05..058bb58 100644 # # /selinux # -@@ -178,13 +191,14 @@ ifdef(`distro_debian',` +@@ -178,25 +191,28 @@ ifdef(`distro_debian',` # # /srv # @@ -9488,7 +9488,10 @@ index c2c6e05..058bb58 100644 /tmp/.* <> /tmp/\.journal <> -@@ -194,9 +208,10 @@ ifdef(`distro_debian',` + /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) + /tmp/lost\+found/.* <> ++/var/tmp/hsperfdata_root gen_context(system_u:object_r:tmp_t,s0) + # # /usr # 
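Review bot: The new `/var/tmp/hsperfdata_root` entry is placed in the `/tmp` section of files.fc (right after `/tmp/lost\+found/.*`, before the `# /usr` banner) even though the file has a dedicated `/var/tmp` section further down (`/var/tmp/.* <>`, `/var/tmp/lost\+found`), so the `/var/tmp` rules are now split across two places. The entry also carries no object-class specifier, while the matching `files_tmp_filetrans($1, tmp_t, dir, "hsperfdata_root")` added to files.if later on this page creates it as a directory; `/var/tmp/hsperfdata_root -d gen_context(system_u:object_r:tmp_t,s0)` placed next to the other `/var/tmp` entries would keep the fc and filetrans rules consistent. The files.fc hunk is only a slice of the file, so its position relative to unseen entries is inferred.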
@@ -9500,7 +9503,7 @@ index c2c6e05..058bb58 100644 /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -@@ -204,15 +219,9 @@ ifdef(`distro_debian',` +@@ -204,15 +220,9 @@ ifdef(`distro_debian',` /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) @@ -9517,7 +9520,7 @@ index c2c6e05..058bb58 100644 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) -@@ -220,8 +229,6 @@ ifdef(`distro_debian',` +@@ -220,8 +230,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> ifndef(`distro_redhat',` @@ -9526,7 +9529,7 @@ index c2c6e05..058bb58 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -229,7 +236,7 @@ ifndef(`distro_redhat',` +@@ -229,7 +237,7 @@ ifndef(`distro_redhat',` # # /var # @@ -9535,7 +9538,7 @@ index c2c6e05..058bb58 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +244,24 @@ ifndef(`distro_redhat',` +@@ -237,11 +245,24 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -9561,7 +9564,7 @@ index c2c6e05..058bb58 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +276,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +277,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> @@ -9576,14 +9579,14 @@ index c2c6e05..058bb58 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -270,3 +292,5 @@ ifndef(`distro_redhat',` +@@ -270,3 +293,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) 
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..2b01383 100644 +index 64ff4d7..b5f1e4f 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -12118,7 +12121,7 @@ index 64ff4d7..2b01383 100644 ') ######################################## -@@ -6562,3 +7975,491 @@ interface(`files_unconfined',` +@@ -6562,3 +7975,492 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -12479,6 +12482,7 @@ index 64ff4d7..2b01383 100644 + files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like") + files_etc_filetrans_etc_runtime($1, file, "hwconf") + files_etc_filetrans_etc_runtime($1, file, "iptables.save") ++ files_tmp_filetrans($1, tmp_t, dir, "hsperfdata_root") + files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") + files_var_filetrans($1, tmp_t, dir, "tmp") +') @@ -17311,7 +17315,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 5da7870..4f46291 100644 +index 5da7870..6412825 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,71 @@ policy_module(staff, 2.3.1) @@ -17386,7 +17390,7 @@ index 5da7870..4f46291 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +82,110 @@ optional_policy(` +@@ -23,11 +82,114 @@ optional_policy(` ') optional_policy(` @@ -17431,6 +17435,10 @@ index 5da7870..4f46291 100644 +') + +optional_policy(` ++ freqset_run(staff_t, staff_r) ++') ++ ++optional_policy(` + gnome_role(staff_r, staff_t) +') + @@ -17498,7 +17506,7 @@ index 5da7870..4f46291 100644 ') optional_policy(` -@@ -35,15 +193,31 @@ optional_policy(` +@@ -35,15 +197,31 @@ optional_policy(` ') optional_policy(` @@ -17532,7 +17540,7 @@ index 5da7870..4f46291 100644 ') optional_policy(` -@@ -52,10 +226,55 @@ optional_policy(` +@@ -52,11 +230,57 @@ optional_policy(` ') optional_policy(` 
@@ -17586,9 +17594,11 @@ index 5da7870..4f46291 100644 + +optional_policy(` xserver_role(staff_r, staff_t) ++ xserver_read_log(staff_t) ') -@@ -65,10 +284,6 @@ ifndef(`distro_redhat',` + ifndef(`distro_redhat',` +@@ -65,10 +289,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17599,7 +17609,7 @@ index 5da7870..4f46291 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +293,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +298,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -17610,7 +17620,7 @@ index 5da7870..4f46291 100644 ') optional_policy(` -@@ -101,10 +312,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +317,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17621,7 +17631,7 @@ index 5da7870..4f46291 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +332,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +337,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17632,7 +17642,7 @@ index 5da7870..4f46291 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +344,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +349,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17643,7 +17653,7 @@ index 5da7870..4f46291 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +375,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +380,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -31164,7 +31174,7 @@ index b50c5fe..2faaaf2 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..9b82ed0 100644 +index 4e94884..bb6086e 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` 
@@ -31286,11 +31296,7 @@ index 4e94884..9b82ed0 100644 + gen_require(` + type devlog_t; + ') - -- # If syslog is down, the glibc syslog() function -- # will write to the console. -- term_write_console($1) -- term_dontaudit_read_console($1) ++ + allow $1 devlog_t:sock_file manage_sock_file_perms; + dev_filetrans($1, devlog_t, sock_file) + init_pid_filetrans($1, devlog_t, sock_file, "syslog") @@ -31310,7 +31316,11 @@ index 4e94884..9b82ed0 100644 + gen_require(` + type devlog_t; + ') -+ + +- # If syslog is down, the glibc syslog() function +- # will write to the console. +- term_write_console($1) +- term_dontaudit_read_console($1) + allow $1 devlog_t:sock_file relabel_sock_file_perms; +') + @@ -31352,7 +31362,33 @@ index 4e94884..9b82ed0 100644 ') ######################################## -@@ -776,7 +901,25 @@ interface(`logging_append_all_logs',` +@@ -722,6 +847,25 @@ interface(`logging_setattr_all_log_dirs',` + allow $1 logfile:dir setattr; + ') + ++####################################### ++## ++## Relabel on all log dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`logging_relabel_all_log_dirs',` ++ gen_require(` ++ attribute logfile; ++ ') ++ ++ relabel_dirs_pattern($1, logfile, logfile) ++') ++ + ######################################## + ## + ## Do not audit attempts to get the attributes +@@ -776,7 +920,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -31379,7 +31415,7 @@ index 4e94884..9b82ed0 100644 ') ######################################## -@@ -859,7 +1002,7 @@ interface(`logging_manage_all_logs',` +@@ -859,7 +1021,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -31388,7 +31424,7 @@ index 4e94884..9b82ed0 100644 ') ######################################## -@@ -885,6 +1028,44 @@ interface(`logging_read_generic_logs',` +@@ -885,6 +1047,44 @@ interface(`logging_read_generic_logs',` ######################################## ## 
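Review bot: `logging_relabel_all_log_dirs` uses `relabel_dirs_pattern($1, logfile, logfile)`, which grants both relabelfrom and relabelto on every directory type carrying the `logfile` attribute, so a caller can move a directory from any log type to any other — presumably including the `auditd_log_t` that `logging_admin_audit` below handles as a separate case. The only caller added in this commit is `systemd_tmpfiles_t` (the systemd.te hunk later on this page); if the intent is only to restore labels on tmpfiles.d-managed log directories, the summary should say so explicitly, e.g. `## Relabel all log directories (relabelfrom and relabelto on every logfile dir type).`, so the breadth is a documented decision rather than an accident. The `#` banner above the new interface also appears one character shorter than the neighbouring banners.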
@@ -31433,7 +31469,7 @@ index 4e94884..9b82ed0 100644 ## Write generic log files. ## ## -@@ -905,6 +1086,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1105,24 @@ interface(`logging_write_generic_logs',` ######################################## ## @@ -31458,7 +31494,7 @@ index 4e94884..9b82ed0 100644 ## Dontaudit Write generic log files. ## ## -@@ -984,11 +1183,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1202,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; @@ -31476,7 +31512,7 @@ index 4e94884..9b82ed0 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1208,33 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1227,33 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -31510,7 +31546,7 @@ index 4e94884..9b82ed0 100644 ') ######################################## -@@ -1032,10 +1263,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1282,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -31528,7 +31564,7 @@ index 4e94884..9b82ed0 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1293,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1312,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -31537,7 +31573,7 @@ index 4e94884..9b82ed0 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1323,35 @@ interface(`logging_admin',` +@@ -1085,3 +1342,35 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -37794,10 +37830,10 @@ index 0000000..35b4178 +') 
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..f758960 +index 0000000..a88f6e2 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,650 @@ +@@ -0,0 +1,651 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -38129,6 +38165,7 @@ index 0000000..f758960 +logging_create_devlog_dev(systemd_tmpfiles_t) +logging_send_syslog_msg(systemd_tmpfiles_t) +logging_setattr_all_log_dirs(systemd_tmpfiles_t) ++logging_relabel_all_log_dirs(systemd_tmpfiles_t) + +miscfiles_filetrans_named_content(systemd_tmpfiles_t) +miscfiles_manage_man_pages(systemd_tmpfiles_t) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index f874adf..7ad8120 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch 
@@ -9694,6 +9694,198 @@ index 41f8251..57f094e 100644 optional_policy(` mta_send_mail(httpd_bugzilla_script_t) ') +diff --git a/bumblebee.fc b/bumblebee.fc +new file mode 100644 +index 0000000..17eea86 +--- /dev/null ++++ b/bumblebee.fc +@@ -0,0 +1,7 @@ ++/etc/systemd/system/bumblebeed.service -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0) ++ ++/usr/lib/systemd/system/bumblebeed.service -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0) ++ ++/usr/sbin/bumblebeed -- gen_context(system_u:object_r:bumblebee_exec_t,s0) ++ ++/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0) +diff --git a/bumblebee.if b/bumblebee.if +new file mode 100644 +index 0000000..f61b9c3 +--- /dev/null ++++ b/bumblebee.if +@@ -0,0 +1,122 @@ ++ ++## policy for bumblebee ++ ++######################################## ++## ++## Execute TEMPLATE in the bumblebee domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`bumblebee_domtrans',` ++ gen_require(` ++ type bumblebee_t, bumblebee_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, bumblebee_exec_t, bumblebee_t) ++') ++######################################## ++## ++## Read bumblebee PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bumblebee_read_pid_files',` ++ gen_require(` ++ type bumblebee_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t) ++') ++ ++######################################## ++## ++## Execute bumblebee server in the bumblebee domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`bumblebee_systemctl',` ++ gen_require(` ++ type bumblebee_t; ++ type bumblebee_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 bumblebee_unit_file_t:file read_file_perms; ++ allow $1 bumblebee_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, bumblebee_t) ++') ++ ++######################################## ++## ++## Connect to bumblebee over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bumblebee_stream_connect',` ++ gen_require(` ++ type bumblebee_t, bumblebee_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an bumblebee environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`bumblebee_admin',` ++ gen_require(` ++ type bumblebee_t; ++ type bumblebee_var_run_t; ++ type bumblebee_unit_file_t; ++ ') ++ ++ allow $1 bumblebee_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, bumblebee_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, bumblebee_var_run_t) ++ ++ bumblebee_systemctl($1) ++ admin_pattern($1, bumblebee_unit_file_t) ++ allow $1 bumblebee_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/bumblebee.te b/bumblebee.te +new file mode 100644 +index 0000000..f39fc96 +--- /dev/null ++++ b/bumblebee.te +@@ -0,0 +1,45 @@ ++policy_module(bumblebee, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type bumblebee_t; ++type bumblebee_exec_t; ++init_daemon_domain(bumblebee_t, bumblebee_exec_t) ++ ++permissive bumblebee_t; ++ ++type bumblebee_var_run_t; ++files_pid_file(bumblebee_var_run_t) ++ ++type 
bumblebee_unit_file_t; ++systemd_unit_file(bumblebee_unit_file_t) ++ ++######################################## ++# ++# bumblebee local policy ++# ++allow bumblebee_t self:capability { setgid }; ++allow bumblebee_t self:process { fork signal_perms }; ++allow bumblebee_t self:fifo_file rw_fifo_file_perms; ++allow bumblebee_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t) ++manage_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t) ++manage_sock_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t) ++manage_lnk_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t) ++files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file }) ++ ++kernel_read_system_state(bumblebee_t) ++ ++dev_read_sysfs(bumblebee_t) ++ ++domain_use_interactive_fds(bumblebee_t) ++ ++files_read_etc_files(bumblebee_t) ++ ++logging_send_syslog_msg(bumblebee_t) ++ ++miscfiles_read_localization(bumblebee_t) diff --git a/cachefilesd.fc b/cachefilesd.fc index 648c790..aa03fc8 100644 --- a/cachefilesd.fc @@ -10845,10 +11037,10 @@ index 0000000..5977d96 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..406f3a0 +index 0000000..12585f0 --- /dev/null +++ b/chrome.te -@@ -0,0 +1,242 @@ +@@ -0,0 +1,246 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -11025,6 +11217,10 @@ index 0000000..406f3a0 +') + +optional_policy(` ++ bumblebee_stream_connect(chrome_sandbox_t) ++') ++ ++optional_policy(` + cups_stream_connect(chrome_sandbox_t) +') + @@ -13419,7 +13615,7 @@ index 3fe3cb8..5fe84a6 100644 + ') ') diff --git a/condor.te b/condor.te -index 3f2b672..ff94f23 100644 +index 3f2b672..8fb887d 100644 --- a/condor.te +++ b/condor.te @@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t) 
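Review bot: `permissive bumblebee_t;` in bumblebee.te means none of the rules that follow it are enforced, while the same commit hands two sandboxed browser domains `bumblebee_stream_connect` (`chrome_sandbox_t` in the chrome.te hunk on this line, `mozilla_plugin_t` in the mozilla.te hunk further down), so the daemon end of that socket is effectively unconfined until the permissive line is removed. If permissive is a deliberate staging step, a comment next to it such as `# TODO: drop permissive once bumblebeed AVCs have been collected` would record that. The interface summaries in bumblebee.if still carry the generator placeholder `## Execute TEMPLATE in the bumblebee domin.`, which should read `## Execute bumblebeed in the bumblebee domain.` (bumblebee.fc labels `/usr/sbin/bumblebeed`); the same placeholder text appears in freqset.if and mip6d.if on this page.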
@@ -13469,7 +13665,11 @@ index 3f2b672..ff94f23 100644 logging_log_filetrans(condor_domain, condor_log_t, { dir file }) manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t) -@@ -86,13 +98,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; +@@ -83,16 +95,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) + + allow condor_domain condor_master_t:process signull; + allow condor_domain condor_master_t:tcp_socket getattr; ++allow condor_domain condor_master_t:udp_socket { read write }; kernel_read_kernel_sysctls(condor_domain) kernel_read_network_state(condor_domain) @@ -13483,7 +13683,7 @@ index 3f2b672..ff94f23 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -106,9 +115,9 @@ dev_read_rand(condor_domain) +@@ -106,9 +116,9 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) @@ -13495,7 +13695,7 @@ index 3f2b672..ff94f23 100644 tunable_policy(`condor_tcp_network_connect',` corenet_sendrecv_all_client_packets(condor_domain) -@@ -125,7 +134,7 @@ optional_policy(` +@@ -125,7 +135,7 @@ optional_policy(` # Master local policy # @@ -13504,7 +13704,7 @@ index 3f2b672..ff94f23 100644 allow condor_master_t condor_domain:process { sigkill signal }; -@@ -133,6 +142,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) +@@ -133,6 +143,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) 
@@ -13515,7 +13715,7 @@ index 3f2b672..ff94f23 100644 corenet_udp_sendrecv_generic_if(condor_master_t) corenet_udp_sendrecv_generic_node(condor_master_t) corenet_tcp_bind_generic_node(condor_master_t) -@@ -152,6 +165,8 @@ domain_read_all_domains_state(condor_master_t) +@@ -152,6 +166,8 @@ domain_read_all_domains_state(condor_master_t) auth_use_nsswitch(condor_master_t) @@ -13524,7 +13724,7 @@ index 3f2b672..ff94f23 100644 optional_policy(` mta_send_mail(condor_master_t) mta_read_config(condor_master_t) -@@ -169,6 +184,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; +@@ -169,6 +185,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; kernel_read_network_state(condor_collector_t) @@ -13533,7 +13733,7 @@ index 3f2b672..ff94f23 100644 ##################################### # # Negotiator local policy -@@ -178,6 +195,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -178,6 +196,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -13542,7 +13742,7 @@ index 3f2b672..ff94f23 100644 ###################################### # # Procd local policy -@@ -185,7 +204,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr; +@@ -185,7 +205,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr; allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; @@ -13552,7 +13752,7 @@ index 3f2b672..ff94f23 100644 domain_read_all_domains_state(condor_procd_t) -@@ -201,6 +221,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; +@@ -201,6 +222,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; 
@@ -13561,7 +13761,7 @@ index 3f2b672..ff94f23 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -209,6 +231,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -209,6 +232,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -13570,7 +13770,7 @@ index 3f2b672..ff94f23 100644 ##################################### # # Startd local policy -@@ -233,11 +257,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -233,11 +258,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -13583,7 +13783,7 @@ index 3f2b672..ff94f23 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -249,3 +272,7 @@ optional_policy(` +@@ -249,3 +273,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') 
@@ -25004,6 +25204,135 @@ index c81b6e8..34e1f1c 100644 +optional_policy(` + xserver_read_state_xdm(fprintd_t) ') +diff --git a/freqset.fc b/freqset.fc +new file mode 100644 +index 0000000..3cd9c38 +--- /dev/null ++++ b/freqset.fc +@@ -0,0 +1 @@ ++/usr/lib/enlightenment/modules/cpufreq/linux-gnu-[^/]*/freqset -- gen_context(system_u:object_r:freqset_exec_t,s0) +diff --git a/freqset.if b/freqset.if +new file mode 100644 +index 0000000..190ccc0 +--- /dev/null ++++ b/freqset.if +@@ -0,0 +1,76 @@ ++ ++## policy for freqset ++ ++######################################## ++## ++## Execute TEMPLATE in the freqset domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`freqset_domtrans',` ++ gen_require(` ++ type freqset_t, freqset_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, freqset_exec_t, freqset_t) ++') ++ ++######################################## ++## ++## Execute freqset in the freqset domain, and ++## allow the specified role the freqset domain. ++## ++## ++## ++## Domain allowed to transition ++## ++## ++## ++## ++## The role to be allowed the freqset domain. 
++## ++## ++# ++interface(`freqset_run',` ++ gen_require(` ++ type freqset_t; ++ attribute_role freqset_roles; ++ ') ++ ++ freqset_domtrans($1) ++ roleattribute $2 freqset_roles; ++') ++ ++######################################## ++## ++## Role access for freqset ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`freqset_role',` ++ gen_require(` ++ type freqset_t; ++ attribute_role freqset_roles; ++ ') ++ ++ roleattribute $1 freqset_roles; ++ ++ freqset_domtrans($2) ++ ++ ps_process_pattern($2, freqset_t) ++ allow $2 freqset_t:process { signull signal sigkill }; ++') +diff --git a/freqset.te b/freqset.te +new file mode 100644 +index 0000000..0d09fbd +--- /dev/null ++++ b/freqset.te +@@ -0,0 +1,34 @@ ++policy_module(freqset, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute_role freqset_roles; ++roleattribute system_r freqset_roles; ++ ++type freqset_t; ++type freqset_exec_t; ++application_domain(freqset_t, freqset_exec_t) ++ ++role freqset_roles types freqset_t; ++ ++######################################## ++# ++# freqset local policy ++# ++allow freqset_t self:capability { setuid }; ++ ++allow freqset_t self:fifo_file manage_fifo_file_perms; ++allow freqset_t self:unix_stream_socket create_stream_socket_perms; ++ ++dev_rw_sysfs(freqset_t) ++ ++domain_use_interactive_fds(freqset_t) ++ ++files_read_etc_files(freqset_t) ++ ++miscfiles_read_localization(freqset_t) ++ ++userdom_use_inherited_user_terminals(freqset_t) diff --git a/ftp.fc b/ftp.fc index ddb75c1..44f74e6 100644 --- a/ftp.fc @@ -38287,7 +38616,7 @@ index 9dbe694..ea89ab1 100644 admin_pattern($1, mcelog_var_run_t) ') diff --git a/mcelog.te b/mcelog.te -index 13ea191..c146d9c 100644 +index 13ea191..2b4e761 100644 --- a/mcelog.te +++ b/mcelog.te @@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false) 
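Review bot: `dev_rw_sysfs(freqset_t)` in freqset.te gives the domain write access to all of sysfs, although the only binary labelled in freqset.fc is Enlightenment's cpufreq helper; combined with `allow freqset_t self:capability { setuid };` and the `freqset_run(staff_t, staff_r)` transition added to staff.te earlier on this page, an ordinary staff session now reaches a domain that can write any sysfs attribute. If devices.if offers a narrower interface for the cpufreq nodes it would be the better fit; otherwise a why-comment on the rule, e.g. `# presumably writes cpufreq governor/frequency files under /sys — confirm`, would tell the next reviewer that the breadth was considered. The `freqset_domtrans` summary in freqset.if still reads `## Execute TEMPLATE in the freqset domin.` and should name the helper.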
@@ -38304,7 +38633,7 @@ index 13ea191..c146d9c 100644 type mcelog_t; type mcelog_exec_t; init_daemon_domain(mcelog_t, mcelog_exec_t) -@@ -84,17 +77,20 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file }) +@@ -84,17 +77,21 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file }) kernel_read_system_state(mcelog_t) @@ -38314,9 +38643,10 @@ index 13ea191..c146d9c 100644 dev_read_raw_memory(mcelog_t) dev_read_kmsg(mcelog_t) dev_rw_sysfs(mcelog_t) - --files_read_etc_files(mcelog_t) - +-files_read_etc_files(mcelog_t) ++dev_rw_cpu_microcode(mcelog_t) + mls_file_read_all_levels(mcelog_t) +auth_use_nsswitch(mcelog_t) @@ -38328,7 +38658,7 @@ index 13ea191..c146d9c 100644 tunable_policy(`mcelog_client',` allow mcelog_t self:unix_stream_socket connectto; -@@ -114,9 +110,6 @@ tunable_policy(`mcelog_server',` +@@ -114,9 +111,6 @@ tunable_policy(`mcelog_server',` allow mcelog_t self:unix_stream_socket { listen accept }; ') 
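Review bot: `dev_rw_cpu_microcode(mcelog_t)` grants write as well as read on the CPU device nodes, while the commit message only says mcelog should "use the /dev/cpu device"; if mcelog only reads from those nodes, a read-only interface would be the smaller grant, and if it genuinely writes, a one-line comment naming which node it writes and why would justify keeping the rw form. The enclosing mcelog local-policy block starts and ends outside this hunk.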
@@ -39105,6 +39435,139 @@ index 92508b2..db83591 100644 optional_policy(` spamassassin_domtrans_client(spamass_milter_t) ') +diff --git a/mip6d.fc b/mip6d.fc +new file mode 100644 +index 0000000..767bbad +--- /dev/null ++++ b/mip6d.fc +@@ -0,0 +1,3 @@ ++/usr/lib/systemd/system/mip6d.* -- gen_context(system_u:object_r:mip6d_unit_file_t,s0) ++ ++/usr/sbin/mip6d -- gen_context(system_u:object_r:mip6d_exec_t,s0) +diff --git a/mip6d.if b/mip6d.if +new file mode 100644 +index 0000000..9e2bf1b +--- /dev/null ++++ b/mip6d.if +@@ -0,0 +1,80 @@ ++ ++## Mobile IPv6 and NEMO Basic Support implementation ++ ++######################################## ++## ++## Execute TEMPLATE in the mip6d domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mip6d_domtrans',` ++ gen_require(` ++ type mip6d_t, mip6d_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, mip6d_exec_t, mip6d_t) ++') ++######################################## ++## ++## Execute mip6d server in the mip6d domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mip6d_systemctl',` ++ gen_require(` ++ type mip6d_t; ++ type mip6d_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 mip6d_unit_file_t:file read_file_perms; ++ allow $1 mip6d_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, mip6d_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an mip6d environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`mip6d_admin',` ++ gen_require(` ++ type mip6d_t; ++ type mip6d_unit_file_t; ++ ') ++ ++ allow $1 mip6d_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, mip6d_t) ++ ++ mip6d_systemctl($1) ++ admin_pattern($1, mip6d_unit_file_t) ++ allow $1 mip6d_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/mip6d.te b/mip6d.te +new file mode 100644 +index 0000000..86d2351 +--- /dev/null ++++ b/mip6d.te +@@ -0,0 +1,32 @@ ++policy_module(mip6d, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type mip6d_t; ++type mip6d_exec_t; ++init_daemon_domain(mip6d_t, mip6d_exec_t) ++ ++type mip6d_unit_file_t; ++systemd_unit_file(mip6d_unit_file_t) ++ ++######################################## ++# ++# mip6d local policy ++# ++#allow mip6d_t self:capability { net_admin net_raw }; ++allow mip6d_t self:process { fork signal }; ++allow mip6d_t self:netlink_route_socket create_netlink_socket_perms; ++allow mip6d_t self:netlink_xfrm_socket create_netlink_socket_perms; ++allow mip6d_t self:rawip_socket create_socket_perms; ++allow mip6d_t self:udp_socket create_socket_perms; ++allow mip6d_t self:fifo_file rw_fifo_file_perms; ++allow mip6d_t self:unix_stream_socket create_stream_socket_perms; ++ ++kernel_rw_net_sysctls(mip6d_t) ++kernel_read_network_state(mip6d_t) ++ ++logging_send_syslog_msg(mip6d_t) ++ diff --git a/mock.fc b/mock.fc new file mode 100644 index 0000000..8d0e473 @@ -41124,7 +41587,7 @@ index 6194b80..ada96f0 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..b236449 100644 +index 6a306ee..3451a03 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ 
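Review bot: mip6d.te leaves `#allow mip6d_t self:capability { net_admin net_raw };` commented out while granting `rawip_socket create_socket_perms` and `netlink_xfrm_socket create_netlink_socket_perms`; raw IP and xfrm sockets are normally gated on CAP_NET_RAW/CAP_NET_ADMIN in the kernel, so without the capability rule the daemon is likely to be denied at the capability check rather than the socket check (inferred, not verifiable from the patch). Either drop the dead line or enable it with a short comment on why both capabilities are required. Unlike bumblebee.te, this module is not marked permissive, so such denials will be enforced as soon as the policy ships. The `mip6d_domtrans` summary in mip6d.if also still carries the placeholder `## Execute TEMPLATE in the mip6d domin.`, which should read `## Execute mip6d in the mip6d domain.`.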
@@ -41398,12 +41861,12 @@ index 6a306ee..b236449 100644 - -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) -- ++userdom_use_inherited_user_ptys(mozilla_t) + -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) -+userdom_use_inherited_user_ptys(mozilla_t) - +- -userdom_write_user_tmp_sockets(mozilla_t) - -mozilla_run_plugin(mozilla_t, mozilla_roles) @@ -41533,34 +41996,34 @@ index 6a306ee..b236449 100644 - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) -+') -+ -+optional_policy(` -+ java_domtrans(mozilla_t) ') optional_policy(` - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - java_home_filetrans_java_home(mozilla_t, dir, ".java") -+ lpd_domtrans_lpr(mozilla_t) ++ java_domtrans(mozilla_t) ') optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) -+ mplayer_domtrans(mozilla_t) -+ mplayer_read_user_home_files(mozilla_t) ++ lpd_domtrans_lpr(mozilla_t) ') optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") -+ nscd_socket_use(mozilla_t) ++ mplayer_domtrans(mozilla_t) ++ mplayer_read_user_home_files(mozilla_t) ') optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) ++ nscd_socket_use(mozilla_t) ++') ++ ++optional_policy(` + #pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) @@ -41568,7 +42031,7 @@ index 6a306ee..b236449 100644 ') optional_policy(` -@@ -300,259 +324,236 @@ optional_policy(` +@@ -300,259 +324,240 @@ optional_policy(` ######################################## # 
@@ -41651,12 +42114,12 @@ index 6a306ee..b236449 100644 allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; -- --dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) --stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +- -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) +can_exec(mozilla_plugin_t, mozilla_exec_t) @@ -41828,12 +42291,12 @@ index 6a306ee..b236449 100644 -userdom_manage_user_tmp_dirs(mozilla_plugin_t) -userdom_manage_user_tmp_files(mozilla_plugin_t) -- ++systemd_read_logind_sessions_files(mozilla_plugin_t) + -userdom_manage_user_home_content_dirs(mozilla_plugin_t) -userdom_manage_user_home_content_files(mozilla_plugin_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) -+systemd_read_logind_sessions_files(mozilla_plugin_t) - +- -userdom_write_user_tmp_sockets(mozilla_plugin_t) +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) 
@@ -41857,28 +42320,31 @@ index 6a306ee..b236449 100644 -ifndef(`enable_mls',` - fs_list_dos(mozilla_plugin_t) - fs_read_dos_files(mozilla_plugin_t) -- -- fs_search_removable(mozilla_plugin_t) -- fs_read_removable_files(mozilla_plugin_t) -- fs_read_removable_symlinks(mozilla_plugin_t) +userdom_read_user_home_content_files(mozilla_plugin_t) +userdom_read_user_home_content_symlinks(mozilla_plugin_t) +userdom_read_home_certs(mozilla_plugin_t) +userdom_read_home_audio_files(mozilla_plugin_t) +userdom_exec_user_tmp_files(mozilla_plugin_t) +- fs_search_removable(mozilla_plugin_t) +- fs_read_removable_files(mozilla_plugin_t) +- fs_read_removable_symlinks(mozilla_plugin_t) ++userdom_home_manager(mozilla_plugin_t) + - fs_read_iso9660_files(mozilla_plugin_t) --') -- ++tunable_policy(`mozilla_plugin_can_network_connect',` ++ corenet_tcp_connect_all_ports(mozilla_plugin_t) + ') + -tunable_policy(`allow_execmem',` - allow mozilla_plugin_t self:process execmem; -') -+userdom_home_manager(mozilla_plugin_t) - +- -tunable_policy(`mozilla_execstack',` - allow mozilla_plugin_t self:process { execmem execstack }; -+tunable_policy(`mozilla_plugin_can_network_connect',` -+ corenet_tcp_connect_all_ports(mozilla_plugin_t) ++optional_policy(` ++ alsa_read_rw_config(mozilla_plugin_t) ++ alsa_read_home_files(mozilla_plugin_t) ') -tunable_policy(`use_nfs_home_dirs',` @@ -41886,8 +42352,7 @@ index 6a306ee..b236449 100644 - fs_manage_nfs_files(mozilla_plugin_t) - fs_manage_nfs_symlinks(mozilla_plugin_t) +optional_policy(` -+ alsa_read_rw_config(mozilla_plugin_t) -+ alsa_read_home_files(mozilla_plugin_t) ++ apache_list_modules(mozilla_plugin_t) ') -tunable_policy(`use_samba_home_dirs',` @@ -41895,7 +42360,7 @@ index 6a306ee..b236449 100644 - fs_manage_cifs_files(mozilla_plugin_t) - fs_manage_cifs_symlinks(mozilla_plugin_t) +optional_policy(` -+ apache_list_modules(mozilla_plugin_t) ++ bumblebee_stream_connect(mozilla_plugin_t) ') optional_policy(` 
@@ -41956,7 +42421,7 @@ index 6a306ee..b236449 100644 ') optional_policy(` -@@ -560,7 +561,7 @@ optional_policy(` +@@ -560,7 +565,7 @@ optional_policy(` ') optional_policy(` @@ -41965,7 +42430,7 @@ index 6a306ee..b236449 100644 ') optional_policy(` -@@ -568,108 +569,130 @@ optional_policy(` +@@ -568,108 +573,130 @@ optional_policy(` ') optional_policy(` @@ -52301,10 +52766,10 @@ index 0000000..a437f80 +files_read_config_files(openshift_domain) diff --git a/openshift.fc b/openshift.fc new file mode 100644 -index 0000000..f2d6119 +index 0000000..0dc672f --- /dev/null +++ b/openshift.fc -@@ -0,0 +1,26 @@ +@@ -0,0 +1,27 @@ +/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0) + @@ -52321,6 +52786,7 @@ index 0000000..f2d6119 +/var/lib/openshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0) + +/var/log/mcollective\.log -- gen_context(system_u:object_r:openshift_log_t,s0) ++/var/log/openshift(/.*)? gen_context(system_u:object_r:openshift_log_t,s0) + +/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0) + @@ -53039,10 +53505,10 @@ index 0000000..e03de01 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..cd25e8e +index 0000000..0a6f091 --- /dev/null +++ b/openshift.te -@@ -0,0 +1,555 @@ +@@ -0,0 +1,556 @@ +policy_module(openshift,1.0.0) + +gen_require(` 
@@ -53533,6 +53999,7 @@ index 0000000..cd25e8e +allow openshift_cron_t self:unix_dgram_socket create_socket_perms; +allow openshift_cron_t self:netlink_route_socket rw_netlink_socket_perms; + ++append_files_pattern(openshift_cron_t, openshift_log_t, openshift_log_t) +manage_dirs_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) +manage_fifo_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) +manage_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) 
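Review bot: `append_files_pattern(openshift_cron_t, openshift_log_t, openshift_log_t)` only covers files that already carry the openshift_log_t label; if the cron jobs create their own files under the newly labelled `/var/log/openshift`, they additionally need a `logging_log_filetrans(openshift_cron_t, openshift_log_t, file)` with create permission, and `logging_search_logs(openshift_cron_t)` to traverse /var/log unless that is granted elsewhere in the file. Append-only access is the right choice for a log writer, so a one-line comment such as `# append-only: cron jobs must not truncate or rotate openshift logs` would record that the narrower pattern is intentional. The openshift_cron_t local-policy block continues outside the hunk.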
@@ -53598,6 +54065,295 @@ index 0000000..cd25e8e + ssh_dontaudit_read_server_keys(openshift_cron_t) +') + +diff --git a/opensm.fc b/opensm.fc +new file mode 100644 +index 0000000..51650fa +--- /dev/null ++++ b/opensm.fc +@@ -0,0 +1,7 @@ ++/usr/lib/systemd/system/opensm.* -- gen_context(system_u:object_r:opensm_unit_file_t,s0) ++ ++/usr/libexec/opensm-launch -- gen_context(system_u:object_r:opensm_exec_t,s0) ++ ++/var/cache/opensm(/.*)? gen_context(system_u:object_r:opensm_cache_t,s0) ++ ++/var/log/opensm\.log.* -- gen_context(system_u:object_r:opensm_log_t,s0) +diff --git a/opensm.if b/opensm.if +new file mode 100644 +index 0000000..a62f050 +--- /dev/null ++++ b/opensm.if +@@ -0,0 +1,220 @@ ++ ++## Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB ++ ++######################################## ++## ++## Execute TEMPLATE in the opensm domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`opensm_domtrans',` ++ gen_require(` ++ type opensm_t, opensm_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, opensm_exec_t, opensm_t) ++') ++ ++######################################## ++## ++## Search opensm cache directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opensm_search_cache',` ++ gen_require(` ++ type opensm_cache_t; ++ ') ++ ++ allow $1 opensm_cache_t:dir search_dir_perms; ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Read opensm cache files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opensm_read_cache_files',` ++ gen_require(` ++ type opensm_cache_t; ++ ') ++ ++ files_search_var($1) ++ read_files_pattern($1, opensm_cache_t, opensm_cache_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## opensm cache files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`opensm_manage_cache_files',` ++ gen_require(` ++ type opensm_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_files_pattern($1, opensm_cache_t, opensm_cache_t) ++') ++ ++######################################## ++## ++## Manage opensm cache dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opensm_manage_cache_dirs',` ++ gen_require(` ++ type opensm_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, opensm_cache_t, opensm_cache_t) ++') ++ ++######################################## ++## ++## Read opensm's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`opensm_read_log',` ++ gen_require(` ++ type opensm_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, opensm_log_t, opensm_log_t) ++') ++ ++######################################## ++## ++## Append to opensm log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opensm_append_log',` ++ gen_require(` ++ type opensm_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, opensm_log_t, opensm_log_t) ++') ++ ++######################################## ++## ++## Manage opensm log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opensm_manage_log',` ++ gen_require(` ++ type opensm_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, opensm_log_t, opensm_log_t) ++ manage_files_pattern($1, opensm_log_t, opensm_log_t) ++ manage_lnk_files_pattern($1, opensm_log_t, opensm_log_t) ++') ++######################################## ++## ++## Execute opensm server in the opensm domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`opensm_systemctl',` ++ gen_require(` ++ type opensm_t; ++ type opensm_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 opensm_unit_file_t:file read_file_perms; ++ allow $1 opensm_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, opensm_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an opensm environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`opensm_admin',` ++ gen_require(` ++ type opensm_t; ++ type opensm_cache_t; ++ type opensm_log_t; ++ type opensm_unit_file_t; ++ ') ++ ++ allow $1 opensm_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, opensm_t) ++ ++ files_search_var($1) ++ admin_pattern($1, opensm_cache_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, opensm_log_t) ++ ++ opensm_systemctl($1) ++ admin_pattern($1, opensm_unit_file_t) ++ allow $1 opensm_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/opensm.te b/opensm.te +new file mode 100644 +index 0000000..a055461 +--- /dev/null ++++ b/opensm.te +@@ -0,0 +1,44 @@ ++policy_module(opensm, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type opensm_t; ++type opensm_exec_t; ++init_daemon_domain(opensm_t, opensm_exec_t) ++ ++type opensm_cache_t; ++files_type(opensm_cache_t) ++ ++type opensm_log_t; ++logging_log_file(opensm_log_t) ++ ++type opensm_unit_file_t; ++systemd_unit_file(opensm_unit_file_t) ++ ++######################################## ++# ++# opensm local policy ++# ++allow opensm_t self:process { signal fork }; ++allow opensm_t self:fifo_file rw_fifo_file_perms; ++allow opensm_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t) ++manage_files_pattern(opensm_t, 
opensm_cache_t, opensm_cache_t) ++files_var_filetrans(opensm_t, opensm_cache_t, { dir file }) ++ ++manage_files_pattern(opensm_t, opensm_log_t, opensm_log_t) ++logging_log_filetrans(opensm_t, opensm_log_t, file ) ++ ++kernel_read_system_state(opensm_t) ++ ++auth_read_passwd(opensm_t) ++ ++corecmd_exec_bin(opensm_t) ++ ++dev_read_sysfs(opensm_t) ++ ++logging_send_syslog_msg(opensm_t) diff --git a/openvpn.fc b/openvpn.fc index 300213f..4cdfe09 100644 --- a/openvpn.fc @@ -72048,7 +72804,7 @@ index 56bc01f..2e4d698 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..26fba30 100644 +index 2c2de9a..de2014c 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) @@ -72367,7 +73123,7 @@ index 2c2de9a..26fba30 100644 ') ##################################### -@@ -79,7 +349,7 @@ optional_policy(` +@@ -79,9 +349,11 @@ optional_policy(` # dlm_controld local policy # @@ -72375,8 +73131,12 @@ index 2c2de9a..26fba30 100644 +allow dlm_controld_t self:capability { dac_override net_admin sys_admin sys_resource }; allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; ++files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir) ++ stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -@@ -98,16 +368,30 @@ fs_manage_configfs_dirs(dlm_controld_t) + stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) + +@@ -98,16 +370,30 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) 
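Review bot: The interface summary for `opensm_domtrans` in opensm.if still reads `## Execute TEMPLATE in the opensm domin.`, a template placeholder plus a typo; it should read `## Execute opensm in the opensm domain.`. The file header `## Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB` is ungrammatical and could become `## OpenSM is an InfiniBand-compliant Subnet Manager and Administration daemon that runs on top of OpenIB.`. In opensm.te, `manage_files_pattern(opensm_t, opensm_log_t, opensm_log_t)` lets the daemon unlink and rename its own log files; if the daemon only creates and writes `/var/log/opensm.log`, a `create_files_pattern` plus `append_files_pattern` pair keeps the log tamper-resistant from the daemon's own domain, though this presumably mirrors other daemon modules. A blank line is also missing between the closing `')` of `opensm_manage_log` and the `####` banner of `opensm_systemctl`, unlike every other interface in the file.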
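Review bot: `files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir)` in the 72375 hunk has no name component, so every directory dlm_controld_t creates directly under /var/run gets dlm_controld_var_run_t, not only the /var/run/dlm_controld the changelog names. If files_pid_filetrans accepts the optional filename argument the way files_var_filetrans does elsewhere in this patch (`files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")`), then `files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir, "dlm_controld")` scopes the transition to that one directory. The surrounding dlm_controld local-policy block continues outside the hunk.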
@@ -72409,7 +73169,7 @@ index 2c2de9a..26fba30 100644 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) files_lock_filetrans(fenced_t, fenced_lock_t, file) -@@ -118,9 +402,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -118,9 +404,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -72420,7 +73180,7 @@ index 2c2de9a..26fba30 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -148,9 +431,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -148,9 +433,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) @@ -72431,7 +73191,7 @@ index 2c2de9a..26fba30 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +441,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +443,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -72440,7 +73200,7 @@ index 2c2de9a..26fba30 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +463,8 @@ optional_policy(` +@@ -182,7 +465,8 @@ optional_policy(` ') optional_policy(` @@ -72450,7 +73210,7 @@ index 2c2de9a..26fba30 100644 ') optional_policy(` -@@ -190,12 +472,12 @@ optional_policy(` +@@ -190,12 +474,12 @@ optional_policy(` ') optional_policy(` @@ -72466,7 +73226,7 @@ index 2c2de9a..26fba30 100644 ') optional_policy(` -@@ -203,6 +485,13 @@ optional_policy(` +@@ -203,6 +487,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -72480,7 +73240,7 @@ index 2c2de9a..26fba30 100644 ####################################### # # foghorn local policy -@@ -221,16 +510,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +512,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) 
@@ -72501,7 +73261,7 @@ index 2c2de9a..26fba30 100644 snmp_stream_connect(foghorn_t) ') -@@ -257,6 +548,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +550,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -72510,7 +73270,7 @@ index 2c2de9a..26fba30 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +568,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +570,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -72552,7 +73312,7 @@ index 2c2de9a..26fba30 100644 ###################################### # # qdiskd local policy -@@ -321,6 +643,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +645,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -78232,7 +78992,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..9e91107 100644 +index 57c034b..5f13e3c 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ @@ -78653,7 +79413,7 @@ index 57c034b..9e91107 100644 fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) fs_get_xattr_fs_quotas(smbd_t) -@@ -360,44 +356,54 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -360,44 +356,55 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) @@ -78702,6 +79462,7 @@ index 57c034b..9e91107 100644 files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) fs_dontaudit_getattr_tmpfs_dirs(smbd_t) ++ fs_rw_inherited_tmpfs_files(smbd_t) ') -tunable_policy(`allow_smbd_anon_write',` @@ -78719,7 +79480,7 @@ index 57c034b..9e91107 100644 ') tunable_policy(`samba_domain_controller',` -@@ -413,20 +419,10 @@ tunable_policy(`samba_domain_controller',` +@@ -413,20 +420,10 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` 
@@ -78742,7 +79503,7 @@ index 57c034b..9e91107 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -435,6 +431,7 @@ tunable_policy(`samba_share_nfs',` +@@ -435,6 +432,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -78750,7 +79511,7 @@ index 57c034b..9e91107 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -442,17 +439,6 @@ tunable_policy(`samba_share_fusefs',` +@@ -442,17 +440,6 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -78768,7 +79529,7 @@ index 57c034b..9e91107 100644 optional_policy(` ccs_read_config(smbd_t) ') -@@ -460,6 +446,7 @@ optional_policy(` +@@ -460,6 +447,7 @@ optional_policy(` optional_policy(` ctdbd_stream_connect(smbd_t) ctdbd_manage_lib_files(smbd_t) @@ -78776,7 +79537,7 @@ index 57c034b..9e91107 100644 ') optional_policy(` -@@ -473,6 +460,11 @@ optional_policy(` +@@ -473,6 +461,11 @@ optional_policy(` ') optional_policy(` @@ -78788,7 +79549,7 @@ index 57c034b..9e91107 100644 lpd_exec_lpr(smbd_t) ') -@@ -493,9 +485,33 @@ optional_policy(` +@@ -493,9 +486,33 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -78823,7 +79584,7 @@ index 57c034b..9e91107 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -506,9 +522,11 @@ allow nmbd_t self:msg { send receive }; +@@ -506,9 +523,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; 
@@ -78838,7 +79599,7 @@ index 57c034b..9e91107 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -520,20 +538,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -520,20 +539,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -78862,7 +79623,7 @@ index 57c034b..9e91107 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -542,52 +555,41 @@ kernel_read_network_state(nmbd_t) +@@ -542,52 +556,41 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -78928,7 +79689,7 @@ index 57c034b..9e91107 100644 ') optional_policy(` -@@ -600,19 +602,26 @@ optional_policy(` +@@ -600,19 +603,26 @@ optional_policy(` ######################################## # @@ -78960,7 +79721,7 @@ index 57c034b..9e91107 100644 samba_search_var(smbcontrol_t) samba_read_winbind_pid(smbcontrol_t) -@@ -620,16 +629,12 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -620,16 +630,12 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -78978,7 +79739,7 @@ index 57c034b..9e91107 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -637,22 +642,23 @@ optional_policy(` +@@ -637,22 +643,23 @@ optional_policy(` ######################################## # @@ -79010,7 +79771,7 @@ index 57c034b..9e91107 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -661,26 +667,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -661,26 +668,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") 
@@ -79046,7 +79807,7 @@ index 57c034b..9e91107 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -692,58 +694,77 @@ fs_read_cifs_files(smbmount_t) +@@ -692,58 +695,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -79138,7 +79899,7 @@ index 57c034b..9e91107 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -752,17 +773,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -752,17 +774,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -79162,7 +79923,7 @@ index 57c034b..9e91107 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -770,36 +787,25 @@ kernel_read_network_state(swat_t) +@@ -770,36 +788,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -79205,7 +79966,7 @@ index 57c034b..9e91107 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -811,10 +817,11 @@ logging_send_syslog_msg(swat_t) +@@ -811,10 +818,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -79219,7 +79980,7 @@ index 57c034b..9e91107 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -834,16 +841,19 @@ optional_policy(` +@@ -834,16 +842,19 @@ optional_policy(` # allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; @@ -79243,7 +80004,7 @@ index 57c034b..9e91107 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +863,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +864,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) 
@@ -79254,7 +80015,7 @@ index 57c034b..9e91107 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -866,23 +874,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -866,23 +875,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -79284,7 +80045,7 @@ index 57c034b..9e91107 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -891,13 +897,17 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +898,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -79305,7 +80066,7 @@ index 57c034b..9e91107 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +915,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +916,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -79316,7 +80077,7 @@ index 57c034b..9e91107 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,26 +923,39 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,26 +924,39 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -79358,7 +80119,7 @@ index 57c034b..9e91107 100644 ') optional_policy(` -@@ -952,31 +971,29 @@ optional_policy(` +@@ -952,31 +972,29 @@ optional_policy(` # Winbind helper local policy # @@ -79396,7 +80157,7 @@ index 57c034b..9e91107 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +1007,38 @@ optional_policy(` +@@ -990,25 +1008,38 @@ optional_policy(` ######################################## # @@ -96846,7 +97607,7 @@ index eecd0e0..8df2e8c 100644 /var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0) 
diff --git a/watchdog.te b/watchdog.te -index 29f79e8..45b3926 100644 +index 29f79e8..01df7d7 100644 --- a/watchdog.te +++ b/watchdog.te @@ -12,12 +12,18 @@ init_daemon_domain(watchdog_t, watchdog_exec_t) @@ -96891,7 +97652,11 @@ index 29f79e8..45b3926 100644 files_manage_etc_runtime_files(watchdog_t) files_etc_filetrans_etc_runtime(watchdog_t, file) -@@ -75,8 +84,6 @@ auth_append_login_records(watchdog_t) +@@ -72,11 +81,10 @@ fs_getattr_all_fs(watchdog_t) + fs_search_auto_mountpoints(watchdog_t) + + auth_append_login_records(watchdog_t) ++auth_read_passwd(watchdog_t) logging_send_syslog_msg(watchdog_t) @@ -96900,7 +97665,7 @@ index 29f79e8..45b3926 100644 sysnet_dns_name_resolve(watchdog_t) userdom_dontaudit_use_unpriv_user_fds(watchdog_t) -@@ -97,3 +104,28 @@ optional_policy(` +@@ -97,3 +105,28 @@ optional_policy(` optional_policy(` udev_read_db(watchdog_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index a3b7087..f8633b7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 103%{?dist} +Release: 104%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -573,6 +573,24 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Nov 21 2013 Miroslav Grepl 3.12.1-104 +- Allow watchdog to read /etc/passwd +- Allow browser plugins to connect to bumblebee +- New policy for bumblebee and freqset +- Add new policy for mip6d daemon +- Add new policy for opensm daemon +- Allow condor domains to read/write condor_master udp_socket +- Allow openshift_cron_t to append to openshift log files, label /var/log/openshift +- Add back file_pid_filetrans for /var/run/dlm_controld +- Allow smbd_t to use inherited tmpfs content +- Allow mcelog to use the /dev/cpu device +- sosreport runs rpcinfo +- sosreport runs subscription-manager +- Allow staff_t to run frequency command +- Allow systemd_tmpfiles to relabel log directories +- Allow staff_t to read xserver_log file +- Label hsperfdata_root as tmp_t + * Wed Nov 20 2013 Miroslav Grepl 3.12.1-103 - More sosreport fixes to make ABRT working