From d673c86057c01f1c0c0fd01844eb348817b14104 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Sep 10 2014 09:06:49 +0000
Subject: * Wed Sep 10 2014 Lukas Vrabec 3.12.1-184
- Allow wine domains to create wine_home symlinks.
- Allow policykit_auth_t access check and read usr config files.
- Dontaudit access check on home_root_t for policykit-auth.
- Update gpg_agent_env_file boolean to allow manage user tmp files for gpg-agent.
- Fix label for /usr/bin/courier/bin/sendmail
- Add files_dontaudit_access_check_home_dir() interface.
- Allow udev_t mounton udev_var_run_t dirs #(1128618)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index dd7ff70..653e1c3 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -9757,7 +9757,7 @@ index c2c6e05..7996499 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..989ca8b 100644
+index 64ff4d7..87da44f 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -10978,7 +10978,35 @@ index 64ff4d7..989ca8b 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
##
-@@ -3796,20 +4536,38 @@ interface(`files_list_mnt',`
+@@ -3534,6 +4274,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+
+ ########################################
+ ##
++## Do not audit attempts to check the
++## access on home root directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_access_check_home_dir',`
++ gen_require(`
++ type home_root_t;
++ ')
++
++ dontaudit $1 home_root_t:dir_file_class_set audit_access;
++')
++
++
++
++########################################
++##
+ ## Search home directories root (/home).
+ ##
+ ##
+@@ -3796,20 +4557,38 @@ interface(`files_list_mnt',`
######################################
##
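Review bot: The new `files_dontaudit_access_check_home_dir` interface is followed by three added blank lines before the next `####` banner, where the surrounding files.if blocks use one; dropping two of them would also shrink the inner header `+@@ -3534,6 +4274,27 @@` to a 25-line hunk. The body is scoped the right way for a noise reducer: `dontaudit $1 home_root_t:dir_file_class_set audit_access;` suppresses only the denial recorded for access(2)-style permission probes and grants nothing, which matches the policykit-auth item in the changelog. The doc comment's `##` lines appear here with no `<summary>`/`<param>` markup, so I cannot tell whether the XML tags were stripped on the way to this page or never written; worth confirming the interface documents the same way as `files_dontaudit_getattr_home_dir`, which the inner hunk header names as its neighbour.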
@@ -11022,7 +11050,7 @@ index 64ff4d7..989ca8b 100644
')
########################################
-@@ -4199,192 +4957,215 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,174 +4978,215 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -11254,36 +11282,26 @@ index 64ff4d7..989ca8b 100644
+## File name transition for system db files in /var/lib.
##
##
--##
--## Domain allowed access.
--##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_delete_tmp_dir_entry',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_filetrans_system_db_named_files',`
+ gen_require(`
+ type var_lib_t, system_db_t;
+ ')
-
-- allow $1 tmp_t:dir del_entry_dir_perms;
++
+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
- ')
-
- ########################################
- ##
--## Read files in the tmp directory (/tmp).
++')
++
++########################################
++##
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## temporary directory (/tmp).
- ##
--##
++##
+##
##
-## Domain allowed access.
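Review bot: This hunk, and the long run of hunks after it down to the udev.te section, appears to change only which embedded-diff lines carry `-` or `+` and the inner `@@` offsets (for example `+4536` becoming `+4557`) after the 21-line interface insertion above; I do not see a line whose policy content differs between the two sides, only re-attributed context. That buries the commit's few substantive changes (the home_root_t interface, the udev `dir mounton` rule and the abrt relabels) in roughly a thousand lines of churn, so it would be easier to review as an interdiff of the embedded patch, or by regenerating policy-f20-base.patch with the same diff options as the previous version. If any of these realignment hunks does alter a rule I have missed it, so I would not wave them through on this read alone.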
@@ -11291,19 +11309,19 @@ index 64ff4d7..989ca8b 100644
##
##
#
--interface(`files_read_generic_tmp_files',`
+-interface(`files_delete_tmp_dir_entry',`
+interface(`files_associate_tmp',`
gen_require(`
type tmp_t;
')
-- read_files_pattern($1, tmp_t, tmp_t)
+- allow $1 tmp_t:dir del_entry_dir_perms;
+ allow $1 tmp_t:filesystem associate;
')
########################################
##
--## Manage temporary directories in /tmp.
+-## Read files in the tmp directory (/tmp).
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## / file system
@@ -11316,42 +11334,42 @@ index 64ff4d7..989ca8b 100644
##
##
#
--interface(`files_manage_generic_tmp_dirs',`
+-interface(`files_read_generic_tmp_files',`
+interface(`files_associate_rootfs',`
gen_require(`
- type tmp_t;
+ type root_t;
')
-- manage_dirs_pattern($1, tmp_t, tmp_t)
+- read_files_pattern($1, tmp_t, tmp_t)
+ allow $1 root_t:filesystem associate;
')
########################################
##
--## Manage temporary files and directories in /tmp.
+-## Manage temporary directories in /tmp.
+## Get the attributes of the tmp directory (/tmp).
##
##
##
-@@ -4392,53 +5173,56 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4374,53 +5194,56 @@ interface(`files_read_generic_tmp_files',`
##
##
#
--interface(`files_manage_generic_tmp_files',`
+-interface(`files_manage_generic_tmp_dirs',`
+interface(`files_getattr_tmp_dirs',`
gen_require(`
type tmp_t;
')
-- manage_files_pattern($1, tmp_t, tmp_t)
+- manage_dirs_pattern($1, tmp_t, tmp_t)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir getattr;
')
########################################
##
--## Read symbolic links in the tmp directory (/tmp).
+-## Manage temporary files and directories in /tmp.
+## Do not audit attempts to check the
+## access on tmp files
##
@@ -11362,20 +11380,20 @@ index 64ff4d7..989ca8b 100644
##
##
#
--interface(`files_read_generic_tmp_symlinks',`
+-interface(`files_manage_generic_tmp_files',`
+interface(`files_dontaudit_access_check_tmp',`
gen_require(`
- type tmp_t;
+ type etc_t;
')
-- read_lnk_files_pattern($1, tmp_t, tmp_t)
+- manage_files_pattern($1, tmp_t, tmp_t)
+ dontaudit $1 tmp_t:dir_file_class_set audit_access;
')
########################################
##
--## Read and write generic named sockets in the tmp directory (/tmp).
+-## Read symbolic links in the tmp directory (/tmp).
+## Do not audit attempts to get the
+## attributes of the tmp directory (/tmp).
##
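Review bot: On the new side of this hunk `files_dontaudit_access_check_tmp` now shows `type etc_t;` in its `gen_require` while the only rule in the body is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`, so the interface requires a type it never references and references one it never requires. It still builds because `tmp_t` is declared in the same module, but an interface's `gen_require` should list exactly the types its rules use; if the generated files.if really contains this, the line should read `type tmp_t;`. This could also be an artifact of how the regenerated diff re-paired context lines, in which case the correction belongs in the embedded patch rather than in this hunk.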
@@ -11386,42 +11404,41 @@ index 64ff4d7..989ca8b 100644
##
##
#
--interface(`files_rw_generic_tmp_sockets',`
+-interface(`files_read_generic_tmp_symlinks',`
+interface(`files_dontaudit_getattr_tmp_dirs',`
gen_require(`
type tmp_t;
')
-- rw_sock_files_pattern($1, tmp_t, tmp_t)
+- read_lnk_files_pattern($1, tmp_t, tmp_t)
+ dontaudit $1 tmp_t:dir getattr;
')
########################################
##
--## Set the attributes of all tmp directories.
+-## Read and write generic named sockets in the tmp directory (/tmp).
+## Search the tmp directory (/tmp).
##
##
##
-@@ -4446,77 +5230,92 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4428,35 +5251,36 @@ interface(`files_read_generic_tmp_symlinks',`
##
##
#
--interface(`files_setattr_all_tmp_dirs',`
+-interface(`files_rw_generic_tmp_sockets',`
+interface(`files_search_tmp',`
gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
+ type tmp_t;
')
-- allow $1 tmpfile:dir { search_dir_perms setattr };
+- rw_sock_files_pattern($1, tmp_t, tmp_t)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir search_dir_perms;
')
########################################
##
--## List all tmp directories.
+-## Set the attributes of all tmp directories.
+## Do not audit attempts to search the tmp directory (/tmp).
##
##
@@ -11431,83 +11448,93 @@ index 64ff4d7..989ca8b 100644
##
##
#
--interface(`files_list_all_tmp',`
+-interface(`files_setattr_all_tmp_dirs',`
+interface(`files_dontaudit_search_tmp',`
gen_require(`
- attribute tmpfile;
+ type tmp_t;
')
-- allow $1 tmpfile:dir list_dir_perms;
+- allow $1 tmpfile:dir { search_dir_perms setattr };
+ dontaudit $1 tmp_t:dir search_dir_perms;
')
########################################
##
--## Relabel to and from all temporary
--## directory types.
+-## List all tmp directories.
+## Read the tmp directory (/tmp).
##
##
##
- ## Domain allowed access.
+@@ -4464,59 +5288,55 @@ interface(`files_setattr_all_tmp_dirs',`
##
##
--##
#
--interface(`files_relabel_all_tmp_dirs',`
+-interface(`files_list_all_tmp',`
+interface(`files_list_tmp',`
gen_require(`
- attribute tmpfile;
-- type var_t;
+ type tmp_t;
')
-- allow $1 var_t:dir search_dir_perms;
-- relabel_dirs_pattern($1, tmpfile, tmpfile)
+- allow $1 tmpfile:dir list_dir_perms;
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir list_dir_perms;
')
########################################
##
--## Do not audit attempts to get the attributes
--## of all tmp files.
+-## Relabel to and from all temporary
+-## directory types.
+## Do not audit listing of the tmp directory (/tmp).
##
##
##
--## Domain not to audit.
+-## Domain allowed access.
+## Domain to not audit.
##
##
+-##
#
--interface(`files_dontaudit_getattr_all_tmp_files',`
+-interface(`files_relabel_all_tmp_dirs',`
+interface(`files_dontaudit_list_tmp',`
gen_require(`
- attribute tmpfile;
+- type var_t;
+ type tmp_t;
')
-- dontaudit $1 tmpfile:file getattr;
+- allow $1 var_t:dir search_dir_perms;
+- relabel_dirs_pattern($1, tmpfile, tmpfile)
+ dontaudit $1 tmp_t:dir list_dir_perms;
-+')
-+
+ ')
+
+-########################################
+#######################################
-+##
+ ##
+-## Do not audit attempts to get the attributes
+-## of all tmp files.
+## Allow read and write to the tmp directory (/tmp).
-+##
-+##
+ ##
+ ##
+-##
+-## Domain not to audit.
+-##
+##
+## Domain not to audit.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_dontaudit_getattr_all_tmp_files',`
+- gen_require(`
+- attribute tmpfile;
+- ')
+interface(`files_rw_generic_tmp_dir',`
+ gen_require(`
+ type tmp_t;
+ ')
-+
+
+- dontaudit $1 tmpfile:file getattr;
+ files_search_tmp($1)
+ allow $1 tmp_t:dir rw_dir_perms;
')
@@ -11520,7 +11547,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -4524,110 +5323,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4524,110 +5344,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
##
##
#
@@ -11659,7 +11686,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -4635,22 +5422,17 @@ interface(`files_tmp_filetrans',`
+@@ -4635,22 +5443,17 @@ interface(`files_tmp_filetrans',`
##
##
#
@@ -11686,7 +11713,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -4658,17 +5440,17 @@ interface(`files_purge_tmp',`
+@@ -4658,17 +5461,17 @@ interface(`files_purge_tmp',`
##
##
#
@@ -11708,7 +11735,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -4676,18 +5458,17 @@ interface(`files_setattr_usr_dirs',`
+@@ -4676,18 +5479,17 @@ interface(`files_setattr_usr_dirs',`
##
##
#
@@ -11731,7 +11758,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -4695,35 +5476,35 @@ interface(`files_search_usr',`
+@@ -4695,35 +5497,35 @@ interface(`files_search_usr',`
##
##
#
@@ -11776,7 +11803,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -4731,36 +5512,35 @@ interface(`files_dontaudit_write_usr_dirs',`
+@@ -4731,36 +5533,35 @@ interface(`files_dontaudit_write_usr_dirs',`
##
##
#
@@ -11822,7 +11849,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -4768,17 +5548,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
+@@ -4768,17 +5569,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
##
##
#
@@ -11844,7 +11871,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -4786,73 +5566,59 @@ interface(`files_delete_usr_dirs',`
+@@ -4786,73 +5587,59 @@ interface(`files_delete_usr_dirs',`
##
##
#
@@ -11937,7 +11964,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -4860,55 +5626,58 @@ interface(`files_read_usr_files',`
+@@ -4860,55 +5647,58 @@ interface(`files_read_usr_files',`
##
##
#
@@ -12012,7 +12039,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -4916,67 +5685,70 @@ interface(`files_manage_usr_files',`
+@@ -4916,67 +5706,70 @@ interface(`files_manage_usr_files',`
##
##
#
@@ -12101,7 +12128,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -4985,35 +5757,50 @@ interface(`files_read_usr_symlinks',`
+@@ -4985,35 +5778,50 @@ interface(`files_read_usr_symlinks',`
##
##
#
@@ -12161,7 +12188,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5021,20 +5808,17 @@ interface(`files_dontaudit_search_src',`
+@@ -5021,20 +5829,17 @@ interface(`files_dontaudit_search_src',`
##
##
#
@@ -12186,7 +12213,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5042,20 +5826,18 @@ interface(`files_getattr_usr_src_files',`
+@@ -5042,20 +5847,18 @@ interface(`files_getattr_usr_src_files',`
##
##
#
@@ -12211,7 +12238,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5063,38 +5845,35 @@ interface(`files_read_usr_src_files',`
+@@ -5063,38 +5866,35 @@ interface(`files_read_usr_src_files',`
##
##
#
@@ -12259,7 +12286,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5102,37 +5881,36 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5102,37 +5902,36 @@ interface(`files_create_kernel_symbol_table',`
##
##
#
@@ -12307,7 +12334,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5140,35 +5918,35 @@ interface(`files_delete_kernel_symbol_table',`
+@@ -5140,35 +5939,35 @@ interface(`files_delete_kernel_symbol_table',`
##
##
#
@@ -12352,7 +12379,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5176,36 +5954,55 @@ interface(`files_dontaudit_write_var_dirs',`
+@@ -5176,36 +5975,55 @@ interface(`files_dontaudit_write_var_dirs',`
##
##
#
@@ -12418,7 +12445,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5213,36 +6010,37 @@ interface(`files_dontaudit_search_var',`
+@@ -5213,36 +6031,37 @@ interface(`files_dontaudit_search_var',`
##
##
#
@@ -12430,10 +12457,11 @@ index 64ff4d7..989ca8b 100644
')
- allow $1 var_t:dir list_dir_perms;
+-')
+ allow $1 usr_t:dir list_dir_perms;
+ exec_files_pattern($1, usr_t, usr_t)
+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
++')
########################################
##
@@ -12466,7 +12494,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5250,17 +6048,17 @@ interface(`files_manage_var_dirs',`
+@@ -5250,17 +6069,17 @@ interface(`files_manage_var_dirs',`
##
##
#
@@ -12488,7 +12516,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5268,17 +6066,17 @@ interface(`files_read_var_files',`
+@@ -5268,17 +6087,17 @@ interface(`files_read_var_files',`
##
##
#
@@ -12510,7 +12538,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5286,73 +6084,86 @@ interface(`files_append_var_files',`
+@@ -5286,73 +6105,86 @@ interface(`files_append_var_files',`
##
##
#
@@ -12617,7 +12645,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5360,50 +6171,41 @@ interface(`files_read_var_symlinks',`
+@@ -5360,50 +6192,41 @@ interface(`files_read_var_symlinks',`
##
##
#
@@ -12682,7 +12710,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5411,69 +6213,56 @@ interface(`files_var_filetrans',`
+@@ -5411,69 +6234,56 @@ interface(`files_var_filetrans',`
##
##
#
@@ -12767,7 +12795,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5481,17 +6270,18 @@ interface(`files_dontaudit_search_var_lib',`
+@@ -5481,17 +6291,18 @@ interface(`files_dontaudit_search_var_lib',`
##
##
#
@@ -12791,7 +12819,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5499,70 +6289,54 @@ interface(`files_list_var_lib',`
+@@ -5499,70 +6310,54 @@ interface(`files_list_var_lib',`
##
##
#
@@ -12875,7 +12903,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5570,41 +6344,36 @@ interface(`files_read_var_lib_files',`
+@@ -5570,41 +6365,36 @@ interface(`files_read_var_lib_files',`
##
##
#
@@ -12927,7 +12955,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5612,36 +6381,36 @@ interface(`files_manage_urandom_seed',`
+@@ -5612,36 +6402,36 @@ interface(`files_manage_urandom_seed',`
##
##
#
@@ -12974,7 +13002,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5649,38 +6418,35 @@ interface(`files_setattr_lock_dirs',`
+@@ -5649,38 +6439,35 @@ interface(`files_setattr_lock_dirs',`
##
##
#
@@ -13022,7 +13050,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5688,19 +6454,17 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,19 +6475,17 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -13046,7 +13074,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5708,60 +6472,54 @@ interface(`files_list_locks',`
+@@ -5708,60 +6493,54 @@ interface(`files_list_locks',`
##
##
#
@@ -13122,7 +13150,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5769,20 +6527,18 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5769,20 +6548,18 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -13148,7 +13176,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -5790,185 +6546,207 @@ interface(`files_getattr_generic_locks',`
+@@ -5790,86 +6567,120 @@ interface(`files_getattr_generic_locks',`
##
##
#
@@ -13278,94 +13306,63 @@ index 64ff4d7..989ca8b 100644
-## manage all lock files.
+## Do not audit attempts to search the
+## contents of /var/lib.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
++##
++##
+##
- #
--interface(`files_manage_all_locks',`
++#
+interface(`files_dontaudit_search_var_lib',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
++ gen_require(`
+ type var_lib_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- manage_dirs_pattern($1, lockfile, lockfile)
-- manage_files_pattern($1, lockfile, lockfile)
-- manage_lnk_files_pattern($1, lockfile, lockfile)
++ ')
++
+ dontaudit $1 var_lib_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Create an object in the locks directory, with a private
--## type using a type transition.
++')
++
++########################################
++##
+## List the contents of the /var/lib directory.
##
##
##
- ## Domain allowed access.
+@@ -5877,37 +6688,66 @@ interface(`files_read_all_locks',`
##
##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
#
--interface(`files_lock_filetrans',`
+-interface(`files_manage_all_locks',`
+interface(`files_list_var_lib',`
gen_require(`
+- attribute lockfile;
- type var_t, var_lock_t;
+ type var_t, var_lib_t;
')
-- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- filetrans_pattern($1, var_lock_t, $2, $3, $4)
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+- manage_dirs_pattern($1, lockfile, lockfile)
+- manage_files_pattern($1, lockfile, lockfile)
+- manage_lnk_files_pattern($1, lockfile, lockfile)
+ list_dirs_pattern($1, var_t, var_lib_t)
- ')
-
--########################################
++')
++
+###########################################
- ##
--## Do not audit attempts to get the attributes
--## of the /var/run directory.
++##
+## Read-write /var/lib directories
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_getattr_pid_dirs',`
++##
++##
++#
+interface(`files_rw_var_lib_dirs',`
- gen_require(`
-- type var_run_t;
++ gen_require(`
+ type var_lib_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir getattr;
++ ')
++
+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
+')
+
@@ -13388,7 +13385,8 @@ index 64ff4d7..989ca8b 100644
########################################
##
--## Set the attributes of the /var/run directory.
+-## Create an object in the locks directory, with a private
+-## type using a type transition.
+## Create objects in the /var/lib directory
##
##
@@ -13396,99 +13394,101 @@ index 64ff4d7..989ca8b 100644
## Domain allowed access.
##
##
+-##
+##
-+##
+ ##
+-## The type of the object to be created.
+## The type of the object to be created
-+##
-+##
+ ##
+ ##
+-##
+##
-+##
+ ##
+-## The object class of the object being created.
+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
+ ##
+ ##
+ ##
+@@ -5916,39 +6756,37 @@ interface(`files_manage_all_locks',`
+ ##
+ ##
#
--interface(`files_setattr_pid_dirs',`
+-interface(`files_lock_filetrans',`
+interface(`files_var_lib_filetrans',`
gen_require(`
-- type var_run_t;
+- type var_t, var_lock_t;
+ type var_t, var_lib_t;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir setattr;
-+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- filetrans_pattern($1, var_lock_t, $2, $3, $4)
+ filetrans_pattern($1, var_lib_t, $2, $3, $4)
')
########################################
##
--## Search the contents of runtime process
--## ID directories (/var/run).
+-## Do not audit attempts to get the attributes
+-## of the /var/run directory.
+## Read generic files in /var/lib.
##
##
##
-@@ -5976,39 +6754,37 @@ interface(`files_setattr_pid_dirs',`
+-## Domain to not audit.
++## Domain allowed access.
##
##
#
--interface(`files_search_pids',`
+-interface(`files_dontaudit_getattr_pid_dirs',`
+interface(`files_read_var_lib_files',`
gen_require(`
-- type var_t, var_run_t;
+- type var_run_t;
+ type var_t, var_lib_t;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_run_t)
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir getattr;
+ allow $1 var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
########################################
##
--## Do not audit attempts to search
--## the /var/run directory.
+-## Set the attributes of the /var/run directory.
+## Read generic symbolic links in /var/lib
##
##
##
--## Domain to not audit.
-+## Domain allowed access.
+@@ -5956,19 +6794,18 @@ interface(`files_dontaudit_getattr_pid_dirs',`
##
##
#
--interface(`files_dontaudit_search_pids',`
+-interface(`files_setattr_pid_dirs',`
+interface(`files_read_var_lib_symlinks',`
gen_require(`
- type var_run_t;
+ type var_t, var_lib_t;
')
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir setattr;
+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
########################################
##
--## List the contents of the runtime process
+-## Search the contents of runtime process
-## ID directories (/var/run).
+## manage generic symbolic links
+## in the /var/lib directory.
##
##
##
-@@ -6016,18 +6792,21 @@ interface(`files_dontaudit_search_pids',`
+@@ -5976,18 +6813,495 @@ interface(`files_setattr_pid_dirs',`
##
##
#
--interface(`files_list_pids',`
+-interface(`files_search_pids',`
+interface(`files_manage_var_lib_symlinks',`
gen_require(`
- type var_t, var_run_t;
@@ -13496,7 +13496,7 @@ index 64ff4d7..989ca8b 100644
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
+- search_dirs_pattern($1, var_t, var_run_t)
+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
')
@@ -13505,17 +13505,16 @@ index 64ff4d7..989ca8b 100644
+
########################################
##
--## Read generic process ID files.
+-## Do not audit attempts to search
+## Create, read, write, and delete the
+## pseudorandom number generator seed.
- ##
- ##
- ##
-@@ -6035,19 +6814,1150 @@ interface(`files_list_pids',`
- ##
- ##
- #
--interface(`files_read_generic_pids',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_manage_urandom_seed',`
+ gen_require(`
+ type var_t, var_lib_t;
@@ -13983,14 +13982,14 @@ index 64ff4d7..989ca8b 100644
+########################################
+##
+## Do not audit attempts to search
-+## the /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ## the /var/run directory.
+ ##
+ ##
+@@ -5996,19 +7310,675 @@ interface(`files_search_pids',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_search_pids',`
+interface(`files_dontaudit_search_pids',`
+ gen_require(`
+ type var_run_t;
@@ -14650,82 +14649,93 @@ index 64ff4d7..989ca8b 100644
+#
+interface(`files_dontaudit_search_spool',`
gen_require(`
-- type var_t, var_run_t;
+- type var_run_t;
+ type var_spool_t;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir search_dir_perms;
+ dontaudit $1 var_spool_t:dir search_dir_perms;
')
########################################
##
--## Write named generic process ID pipes
+-## List the contents of the runtime process
+-## ID directories (/var/run).
+## List the contents of generic spool
+## (/var/spool) directories.
##
##
##
-@@ -6055,43 +7965,189 @@ interface(`files_read_generic_pids',`
+@@ -6016,18 +7986,18 @@ interface(`files_dontaudit_search_pids',`
##
##
#
--interface(`files_write_generic_pid_pipes',`
+-interface(`files_list_pids',`
+interface(`files_list_spool',`
gen_require(`
-- type var_run_t;
+- type var_t, var_run_t;
+ type var_t, var_spool_t;
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:fifo_file write;
+- list_dirs_pattern($1, var_t, var_run_t)
+ list_dirs_pattern($1, var_t, var_spool_t)
')
########################################
##
--## Create an object in the process ID directory, with a private type.
+-## Read generic process ID files.
+## Create, read, write, and delete generic
+## spool directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6035,19 +8005,18 @@ interface(`files_list_pids',`
+ ##
+ ##
+ #
+-interface(`files_read_generic_pids',`
+interface(`files_manage_generic_spool_dirs',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_run_t;
+ type var_t, var_spool_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- read_files_pattern($1, var_run_t, var_run_t)
+ allow $1 var_t:dir search_dir_perms;
+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Write named generic process ID pipes
+## Read generic spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6055,43 +8024,151 @@ interface(`files_read_generic_pids',`
+ ##
+ ##
+ #
+-interface(`files_write_generic_pid_pipes',`
+interface(`files_read_generic_spool',`
-+ gen_require(`
+ gen_require(`
+- type var_run_t;
+ type var_t, var_spool_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:fifo_file write;
+ list_dirs_pattern($1, var_t, var_spool_t)
+ read_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create an object in the process ID directory, with a private type.
+## Create, read, write, and delete generic
+## spool files.
+##
@@ -14885,7 +14895,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -6099,14 +8155,82 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6099,14 +8176,82 @@ interface(`files_write_generic_pid_pipes',`
## Domain allowed access.
##
##
@@ -14971,7 +14981,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -6114,65 +8238,56 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6114,65 +8259,56 @@ interface(`files_write_generic_pid_pipes',`
## The name of the object being created.
##
##
@@ -15055,7 +15065,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -6180,19 +8295,17 @@ interface(`files_rw_generic_pids',`
+@@ -6180,19 +8316,17 @@ interface(`files_rw_generic_pids',`
##
##
#
@@ -15079,7 +15089,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -6200,38 +8313,43 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6200,38 +8334,43 @@ interface(`files_dontaudit_getattr_all_pids',`
##
##
#
@@ -15135,7 +15145,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -6240,127 +8358,111 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6240,127 +8379,111 @@ interface(`files_dontaudit_ioctl_all_pids',`
##
##
#
@@ -15297,7 +15307,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -6368,132 +8470,188 @@ interface(`files_search_spool',`
+@@ -6368,132 +8491,188 @@ interface(`files_search_spool',`
##
##
#
@@ -15539,7 +15549,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -6501,53 +8659,17 @@ interface(`files_spool_filetrans',`
+@@ -6501,53 +8680,17 @@ interface(`files_spool_filetrans',`
##
##
#
@@ -15597,7 +15607,7 @@ index 64ff4d7..989ca8b 100644
##
##
##
-@@ -6555,10 +8677,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6555,10 +8698,10 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -42996,7 +43006,7 @@ index 0f64692..d7e8a01 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a5ec88b..f10561b 100644
+index a5ec88b..26bc8ba 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -43042,7 +43052,7 @@ index a5ec88b..f10561b 100644
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -63,31 +67,40 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -63,31 +67,41 @@ can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
@@ -43065,6 +43075,7 @@ index a5ec88b..f10561b 100644
-files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
+files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
+allow udev_t udev_var_run_t:file mounton;
++allow udev_t udev_var_run_t:dir mounton;
+allow udev_t udev_var_run_t:lnk_file relabel_lnk_file_perms;
+dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
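Review bot: The added `allow udev_t udev_var_run_t:dir mounton;` sits under the existing `file mounton` rule with nothing recording why the extra mount point is needed, while this file does keep such rationale inline (the `#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182` comment a few lines further down is the pattern). Either fold the two into one rule, `allow udev_t udev_var_run_t:{ file dir } mounton;`, or keep the new line and put `# bz 1128618: udev needs to mount on its udev_var_run_t dirs` above it so the bug number from the changelog survives in the policy source. The inner hunk count change (`+67,40` to `+67,41`) matches the single added line, so the embedded patch stays consistent.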
@@ -43089,7 +43100,7 @@ index a5ec88b..f10561b 100644
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
-@@ -98,6 +111,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -98,6 +112,7 @@ corecmd_exec_all_executables(udev_t)
dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
@@ -43097,7 +43108,7 @@ index a5ec88b..f10561b 100644
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
-@@ -106,23 +120,31 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -106,23 +121,31 @@ dev_relabel_all_dev_nodes(udev_t)
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
dev_manage_generic_symlinks(udev_t)
@@ -43133,7 +43144,7 @@ index a5ec88b..f10561b 100644
mls_file_read_all_levels(udev_t)
mls_file_write_all_levels(udev_t)
-@@ -144,17 +166,20 @@ auth_use_nsswitch(udev_t)
+@@ -144,17 +167,20 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -43155,7 +43166,7 @@ index a5ec88b..f10561b 100644
seutil_read_config(udev_t)
seutil_read_default_contexts(udev_t)
-@@ -168,7 +193,11 @@ sysnet_read_dhcpc_pid(udev_t)
+@@ -168,7 +194,11 @@ sysnet_read_dhcpc_pid(udev_t)
sysnet_delete_dhcpc_pid(udev_t)
sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
@@ -43168,7 +43179,7 @@ index a5ec88b..f10561b 100644
userdom_dontaudit_search_user_home_content(udev_t)
-@@ -179,16 +208,9 @@ ifdef(`distro_gentoo',`
+@@ -179,16 +209,9 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -43187,7 +43198,7 @@ index a5ec88b..f10561b 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
-@@ -226,19 +248,38 @@ optional_policy(`
+@@ -226,19 +249,38 @@ optional_policy(`
optional_policy(`
cups_domtrans_config(udev_t)
@@ -43226,7 +43237,7 @@ index a5ec88b..f10561b 100644
')
optional_policy(`
-@@ -264,6 +305,10 @@ optional_policy(`
+@@ -264,6 +306,10 @@ optional_policy(`
')
optional_policy(`
@@ -43237,7 +43248,7 @@ index a5ec88b..f10561b 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -278,6 +323,15 @@ optional_policy(`
+@@ -278,6 +324,15 @@ optional_policy(`
')
optional_policy(`
@@ -43253,7 +43264,7 @@ index a5ec88b..f10561b 100644
unconfined_signal(udev_t)
')
-@@ -290,6 +344,7 @@ optional_policy(`
+@@ -290,6 +345,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 23597a4..70da7ca 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc
-index e4f84de..6098f52 100644
+index e4f84de..b5f4f9a 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,30 +1,46 @@
+@@ -1,30 +1,48 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -14,7 +14,7 @@ index e4f84de..6098f52 100644
-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
+
-+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++/usr/bin/abrt-dump-.* -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
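Review bot: The pattern `/usr/bin/abrt-dump-.*` at L1291 labels every present and future abrt-dump-* binary as abrt_dump_oops_exec_t, so all of them will run in abrt_dump_oops_t through the abrt_watch_log_t transition visible at L1465, a domain that also gains ring-buffer, pstore and random-device access in the later hunks. If only specific tools were meant, an explicit alternation of their names is tighter than an open-ended wildcard; if the broadening is intended, it deserves a line in the changelog at L1742-L1749, which currently lists none of the abrt changes.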
@@ -36,6 +36,8 @@ index e4f84de..6098f52 100644
+
+/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+
++/var/lib/abrt(/.*)? gen_context(system_u:object_r:abrt_var_lib_t,s0)
++
+/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -566,7 +568,7 @@ index 058d908..cf17e67 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..9b01e12 100644
+index cc43d25..b2e7c34 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -575,7 +577,7 @@ index cc43d25..9b01e12 100644
########################################
#
-@@ -6,105 +6,131 @@ policy_module(abrt, 1.3.4)
+@@ -6,105 +6,134 @@ policy_module(abrt, 1.3.4)
#
##
@@ -636,6 +638,9 @@ index cc43d25..9b01e12 100644
type abrt_var_log_t;
logging_log_file(abrt_var_log_t)
++type abrt_var_lib_t;
++files_type(abrt_var_lib_t)
++
type abrt_tmp_t;
files_tmp_file(abrt_tmp_t)
@@ -751,7 +756,7 @@ index cc43d25..9b01e12 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
-@@ -112,23 +138,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -112,23 +141,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -783,7 +788,7 @@ index cc43d25..9b01e12 100644
kernel_request_load_module(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
-@@ -137,16 +169,14 @@ corecmd_exec_shell(abrt_t)
+@@ -137,16 +172,14 @@ corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
@@ -802,7 +807,7 @@ index cc43d25..9b01e12 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +193,43 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +196,43 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -849,7 +854,7 @@ index cc43d25..9b01e12 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +237,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +240,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -866,7 +871,7 @@ index cc43d25..9b01e12 100644
')
optional_policy(`
-@@ -209,6 +249,20 @@ optional_policy(`
+@@ -209,6 +252,20 @@ optional_policy(`
')
optional_policy(`
@@ -887,7 +892,7 @@ index cc43d25..9b01e12 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -221,6 +275,11 @@ optional_policy(`
+@@ -221,6 +278,11 @@ optional_policy(`
')
optional_policy(`
@@ -899,7 +904,7 @@ index cc43d25..9b01e12 100644
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
-@@ -230,6 +289,7 @@ optional_policy(`
+@@ -230,6 +292,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -907,7 +912,7 @@ index cc43d25..9b01e12 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -240,9 +300,17 @@ optional_policy(`
+@@ -240,9 +303,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -926,7 +931,7 @@ index cc43d25..9b01e12 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +321,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +324,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -941,7 +946,7 @@ index cc43d25..9b01e12 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +340,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +343,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -949,7 +954,7 @@ index cc43d25..9b01e12 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +349,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +352,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -970,7 +975,7 @@ index cc43d25..9b01e12 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +370,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +373,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -997,7 +1002,7 @@ index cc43d25..9b01e12 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +406,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +409,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -1011,7 +1016,7 @@ index cc43d25..9b01e12 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +424,11 @@ optional_policy(`
+@@ -330,10 +427,11 @@ optional_policy(`
#######################################
#
@@ -1025,7 +1030,7 @@ index cc43d25..9b01e12 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +447,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +450,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1057,6 +1062,9 @@ index cc43d25..9b01e12 100644
manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
+files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt")
++
++manage_dirs_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)
++manage_files_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)
read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
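Review bot: Only abrt_dump_oops_t is given rules for the new abrt_var_lib_t (L1444-L1445), while the file context at L1299 relabels the whole /var/lib/abrt tree to that type, so any other abrt domain that reached it through generic var_lib_t rules before — most plausibly abrt_t — would start being denied after the next relabel. I cannot see abrt_t's rules from here; if they are added in a hunk outside this view the point is moot, otherwise `manage_dirs_pattern(abrt_t, abrt_var_lib_t, abrt_var_lib_t)` and `manage_files_pattern(abrt_t, abrt_var_lib_t, abrt_var_lib_t)` are the likely companions. A `files_var_lib_filetrans` for whichever domain creates /var/lib/abrt would also let a freshly created directory get the type without a restorecon.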
@@ -1067,12 +1075,17 @@ index cc43d25..9b01e12 100644
kernel_read_kernel_sysctls(abrt_dump_oops_t)
kernel_read_ring_buffer(abrt_dump_oops_t)
++dev_read_urand(abrt_dump_oops_t)
++dev_read_rand(abrt_dump_oops_t)
++
domain_use_interactive_fds(abrt_dump_oops_t)
++fs_getattr_all_fs(abrt_dump_oops_t)
fs_list_inotifyfs(abrt_dump_oops_t)
+fs_list_pstorefs(abrt_dump_oops_t)
logging_read_generic_logs(abrt_dump_oops_t)
++logging_read_syslog_pid(abrt_dump_oops_t)
+logging_send_syslog_msg(abrt_dump_oops_t)
#######################################
@@ -1087,7 +1100,7 @@ index cc43d25..9b01e12 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +505,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +516,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -1113,19 +1126,19 @@ index cc43d25..9b01e12 100644
+files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
+
+read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
-
--logging_send_syslog_msg(abrt_domain)
++
+manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
-
--miscfiles_read_localization(abrt_domain)
++
+corecmd_exec_bin(abrt_upload_watch_t)
+
+dev_read_urand(abrt_upload_watch_t)
+
+files_search_spool(abrt_upload_watch_t)
-+
+
+-logging_send_syslog_msg(abrt_domain)
+auth_read_passwd(abrt_upload_watch_t)
-+
+
+-miscfiles_read_localization(abrt_domain)
+tunable_policy(`abrt_upload_watch_anon_write',`
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
@@ -30085,7 +30098,7 @@ index e39de43..5edcb83 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index d03fd43..af9415c 100644
+index d03fd43..ba8cb38 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,123 +1,157 @@
@@ -31148,7 +31161,7 @@ index d03fd43..af9415c 100644
##
##
##
-@@ -704,12 +778,966 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +778,985 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
@@ -31910,6 +31923,25 @@ index d03fd43..af9415c 100644
+ userdom_search_user_home_dirs($1)
+')
+
++########################################
++##
++## Check whether sendmail executable
++## files are executable.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_access_check_usr_config',`
++ gen_require(`
++ type config_usr_t;
++ ')
++
++ allow $1 config_usr_t:dir_file_class_set audit_access;;
++')
++
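Review bot: The description at L1518-L1519, `## Check whether sendmail executable files are executable.`, was copied from another interface and does not describe this one; suggest `## Allow the specified domain to probe gnome usr config files with access(2) without failed probes being audited.`. The `audit_access` permission only decides whether a failed access(2)/faccessat(2) probe is logged and grants no read, write or execute rights, so the wording should not imply data access. The rule at L1532 also ends in `;;`; checkpolicy appears to tolerate an empty statement, but the stray semicolon should go: `allow $1 config_usr_t:dir_file_class_set audit_access;`.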
+######################################
+##
+## Allow read kde config content
@@ -32964,7 +32996,7 @@ index 180f1b7..951b790 100644
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
-index 44cf341..4af1ba0 100644
+index 44cf341..2153214 100644
--- a/gpg.te
+++ b/gpg.te
@@ -1,47 +1,47 @@
@@ -33309,7 +33341,7 @@ index 44cf341..4af1ba0 100644
corecmd_exec_shell(gpg_agent_t)
dev_read_rand(gpg_agent_t)
-@@ -239,37 +264,41 @@ domain_use_interactive_fds(gpg_agent_t)
+@@ -239,37 +264,42 @@ domain_use_interactive_fds(gpg_agent_t)
fs_dontaudit_list_inotifyfs(gpg_agent_t)
@@ -33335,6 +33367,7 @@ index 44cf341..4af1ba0 100644
userdom_manage_user_home_content_dirs(gpg_agent_t)
userdom_manage_user_home_content_files(gpg_agent_t)
- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
++ userdom_manage_all_user_tmp_content(gpg_agent_t)
')
-tunable_policy(`use_nfs_home_dirs',`
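Review bot: `userdom_manage_all_user_tmp_content(gpg_agent_t)` at L1557 grants far more than the boolean's name implies: it covers every user tmp type, not just files gpg-agent creates, so with the boolean on the agent can alter any user tmp content in whichever classes that interface covers. If the agent only needs its own environment or socket files, a dedicated type plus `userdom_user_tmp_filetrans` would be tighter; at minimum the boolean's description in gpg.te should state the tmp access so administrators know what they are enabling. The enclosing tunable_policy block starts outside this hunk, so that it is gpg_agent_env_file is inferred from the changelog entry at L1746 rather than from the visible lines.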
@@ -33363,7 +33396,7 @@ index 44cf341..4af1ba0 100644
##############################
#
# Pinentry local policy
-@@ -277,8 +306,17 @@ optional_policy(`
+@@ -277,8 +307,17 @@ optional_policy(`
allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
@@ -33382,7 +33415,7 @@ index 44cf341..4af1ba0 100644
manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
-@@ -287,53 +325,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+@@ -287,53 +326,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
@@ -47505,10 +47538,10 @@ index c97c177..9411154 100644
netutils_domtrans_ping(mrtg_t)
diff --git a/mta.fc b/mta.fc
-index f42896c..1e1a679 100644
+index f42896c..bd1eb52 100644
--- a/mta.fc
+++ b/mta.fc
-@@ -1,34 +1,45 @@
+@@ -1,34 +1,44 @@
-HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
@@ -47547,7 +47580,7 @@ index f42896c..1e1a679 100644
/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+-/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
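Review bot: The line at L1591 deletes the `/usr/lib/courier/bin/sendmail` file context and nothing in this hunk replaces it, while the changelog at L1747 describes the change as fixing the label for /usr/bin/courier/bin/sendmail; the inner header change from `+1,45` to `+1,44` at L1582-L1583 confirms mta.fc ends one line shorter. Unless the new path is labeled in courier.fc or in a hunk outside this view, courier's sendmail wrapper presumably loses sendmail_exec_t and callers stop transitioning into the mail domain — a loss of confinement rather than a fix. Please point to where `/usr/bin/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)` is added.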
@@ -65114,7 +65147,7 @@ index 032a84d..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
-index 49694e8..a1497cd 100644
+index 49694e8..55d1871 100644
--- a/policykit.te
+++ b/policykit.te
@@ -1,4 +1,4 @@
@@ -65286,7 +65319,7 @@ index 49694e8..a1497cd 100644
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -145,9 +159,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+@@ -145,65 +159,79 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
@@ -65296,7 +65329,10 @@ index 49694e8..a1497cd 100644
kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
dev_read_video_dev(policykit_auth_t)
-@@ -157,53 +168,64 @@ files_search_home(policykit_auth_t)
+
+ files_read_etc_runtime_files(policykit_auth_t)
+ files_search_home(policykit_auth_t)
++files_dontaudit_access_check_home_dir(policykit_auth_t)
fs_getattr_all_fs(policykit_auth_t)
fs_search_tmpfs(policykit_auth_t)
@@ -65324,10 +65360,14 @@ index 49694e8..a1497cd 100644
optional_policy(`
consolekit_dbus_chat(policykit_auth_t)
')
--
++')
+
- optional_policy(`
- policykit_dbus_chat(policykit_auth_t)
- ')
++optional_policy(`
++ gnome_read_config(policykit_auth_t)
++ gnome_access_check_usr_config(policykit_auth_t)
')
optional_policy(`
@@ -65371,7 +65411,7 @@ index 49694e8..a1497cd 100644
rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
-@@ -211,23 +233,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+@@ -211,23 +239,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
@@ -65398,7 +65438,7 @@ index 49694e8..a1497cd 100644
optional_policy(`
consolekit_dbus_chat(policykit_grant_t)
')
-@@ -235,26 +254,28 @@ optional_policy(`
+@@ -235,26 +260,28 @@ optional_policy(`
########################################
#
@@ -65433,7 +65473,7 @@ index 49694e8..a1497cd 100644
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
-@@ -266,6 +287,6 @@ optional_policy(`
+@@ -266,6 +293,6 @@ optional_policy(`
')
optional_policy(`
@@ -103203,7 +103243,7 @@ index 9dec06c..c43ef2e 100644
+ typeattribute $1 sandbox_caps_domain;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..d894b4d 100644
+index 1f22fba..e8ed215 100644
--- a/virt.te
+++ b/virt.te
@@ -1,147 +1,224 @@
@@ -104667,7 +104707,7 @@ index 1f22fba..d894b4d 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1143,315 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1143,317 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -104716,6 +104756,8 @@ index 1f22fba..d894b4d 100644
+# svirt_sandbox_domain local policy
#
+allow svirt_sandbox_domain self:key manage_key_perms;
++dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search;
++
+allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
+allow svirt_sandbox_domain self:fifo_file manage_file_perms;
+allow svirt_sandbox_domain self:sem create_sem_perms;
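Review bot: The attribute-to-attribute rule at L1675, `dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search;`, suppresses denials between different sandbox instances, not within one: the self case is already allowed by `self:key manage_key_perms` on L1674, so the only events this hides are one container's keyring lookups reaching keys of another, which is precisely the kind of cross-container probe a detection pipeline may want to keep. If the noise comes from lookups traversing a shared per-uid keyring, that is worth recording in a comment above the rule so the trade-off is explicit, e.g. `# keyring searches from one sandbox reach keys of another (MCS denial); suppress the noise`. The change is also absent from the changelog at L1742-L1749.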
@@ -105120,7 +105162,7 @@ index 1f22fba..d894b4d 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1464,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1466,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -105135,7 +105177,7 @@ index 1f22fba..d894b4d 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1482,8 @@ optional_policy(`
+@@ -1183,9 +1484,8 @@ optional_policy(`
########################################
#
@@ -105146,7 +105188,7 @@ index 1f22fba..d894b4d 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1496,219 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1498,219 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -106609,7 +106651,7 @@ index fd2b6cc..938c4a7 100644
+')
+
diff --git a/wine.te b/wine.te
-index b51923c..4906ce0 100644
+index b51923c..f38d4b1 100644
--- a/wine.te
+++ b/wine.te
@@ -14,10 +14,11 @@ policy_module(wine, 1.10.1)
@@ -106625,7 +106667,7 @@ index b51923c..4906ce0 100644
type wine_exec_t;
userdom_user_application_domain(wine_t, wine_exec_t)
role wine_roles types wine_t;
-@@ -25,56 +26,58 @@ role wine_roles types wine_t;
+@@ -25,56 +26,59 @@ role wine_roles types wine_t;
type wine_home_t;
userdom_user_home_content(wine_home_t)
@@ -106662,6 +106704,7 @@ index b51923c..4906ce0 100644
+can_exec(wine_domain, wine_exec_t)
+
+manage_files_pattern(wine_domain, wine_home_t, wine_home_t)
++manage_lnk_files_pattern(wine_domain, wine_home_t, wine_home_t)
+manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t)
+userdom_tmpfs_filetrans(wine_domain, file)
+wine_filetrans_named_content(wine_domain)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4e54ce3..073278f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 183%{?dist}
+Release: 184%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Sep 10 2014 Lukas Vrabec 3.12.1-184
+- ALlow wine domains to create wine_home symlinks.
+- Allow policykit_auth_t access check and read usr config files.
+- Dontaudit access check on home_root_t for policykit-auth.
+- update gpg_agent_env_file booelan to allow manage user tmp files for gpg-agent.
+- Fix label for /usr/bin/courier/bin/sendmail
+- Add files_dontaudit_access_check_home_dir() inteface.
+- Allow udev_t mounton udev_var_run_t dirs #(1128618)
+
* Thu Sep 04 2014 Lukas Vrabec 3.12.1-183
- Allow init to read all config files
- Add new interface to allow creation of file with lib_t type