From d8e6ff6a5656b268bf0605fe8259fbf3b242aa9d Mon Sep 17 00:00:00 2001
From: Miroslav <mgrepl@redhat.com>
Date: Nov 21 2011 13:10:30 +0000
Subject: - Allow mcelog_t to create dir and file in /var/run and label it cor

- Allow dbus to manage fusefs
- Mount needs to read process state when mounting gluster file syste
- Allow collectd-web to read collectd lib files
- Allow daemons and system processes started by init to read/write t
- Allow colord to get the attributes of tmpfs filesystem
- Add sanlock_use_nfs and sanlock_use_samba booleans
- Add bin_t label for /usr/lib/virtualbox/VBoxManage

---

diff --git a/policy-F16.patch b/policy-F16.patch
index cc3ea48..26c8f60 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1546,7 +1546,7 @@ index 75ce30f..63310a1 100644
 +	cron_use_system_job_fds(logwatch_mail_t)
 +')
 diff --git a/policy/modules/admin/mcelog.fc b/policy/modules/admin/mcelog.fc
-index 56c43c0..0641226 100644
+index 56c43c0..409bbfc 100644
 --- a/policy/modules/admin/mcelog.fc
 +++ b/policy/modules/admin/mcelog.fc
 @@ -1 +1,5 @@
@@ -1554,9 +1554,9 @@ index 56c43c0..0641226 100644
 +
 +/var/log/mcelog.*	--	gen_context(system_u:object_r:mcelog_log_t,s0)
 +
-+/var/run/mcelog-client  -s 	gen_context(system_u:object_r:mcelog_var_run_t,s0)
++/var/run/mcelog.*	 	gen_context(system_u:object_r:mcelog_var_run_t,s0)
 diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
-index 5671977..ef8bc09 100644
+index 5671977..034908d 100644
 --- a/policy/modules/admin/mcelog.te
 +++ b/policy/modules/admin/mcelog.te
 @@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0)
@@ -1586,7 +1586,7 @@ index 5671977..ef8bc09 100644
 +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
 +manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
 +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
-+files_pid_filetrans(mcelog_t, mcelog_var_run_t, sock_file )
++files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file } )
 +
  kernel_read_system_state(mcelog_t)
  
@@ -12678,7 +12678,7 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..0b0896b 100644
+index 3fae11a..5808202 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
@@ -12904,22 +12904,29 @@ index 3fae11a..0b0896b 100644
  /usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
  ')
  
-@@ -375,8 +391,9 @@ ifdef(`distro_suse', `
+@@ -375,8 +391,8 @@ ifdef(`distro_suse', `
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib64/yp/.+		--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
 +
- /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
--/usr/lib64/yp/.+		--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +402,4 @@ ifdef(`distro_suse', `
+@@ -385,3 +401,11 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
-+/usr/lib/ruby/gems/.*/agents(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++
++#
++# /usr/lib
++#
++
++/usr/lib/ruby/gems/.*/agents(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/virtualbox/VBoxManage		--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/yp/.+						--	gen_context(system_u:object_r:bin_t,s0)
 diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
 index 9e9263a..650e796 100644
 --- a/policy/modules/kernel/corecommands.if
@@ -18598,7 +18605,7 @@ index 22821ff..20251b0 100644
  ########################################
  #
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..e5652a1 100644
+index 97fcdac..50b0acf 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -18844,7 +18851,33 @@ index 97fcdac..e5652a1 100644
  #######################################
  ## <summary>
  ##	Create, read, write, and delete dirs
-@@ -2080,6 +2222,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -1984,6 +2126,25 @@ interface(`fs_manage_fusefs_files',`
+ 	manage_files_pattern($1, fusefs_t, fusefs_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Create, read, write, and delete files
++##  on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`fs_manage_fusefs_symlinks',`
++    gen_require(`
++        type fusefs_t;
++    ')
++
++    manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to create,
+@@ -2080,6 +2241,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
  
  ########################################
  ## <summary>
@@ -18869,7 +18902,7 @@ index 97fcdac..e5652a1 100644
  ##	Read and write hugetlbfs files.
  ## </summary>
  ## <param name="domain">
-@@ -2148,6 +2308,7 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,6 +2327,7 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -18877,7 +18910,7 @@ index 97fcdac..e5652a1 100644
  ')
  
  ########################################
-@@ -2480,6 +2641,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2660,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -18885,7 +18918,7 @@ index 97fcdac..e5652a1 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2518,6 +2680,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2699,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -18893,7 +18926,7 @@ index 97fcdac..e5652a1 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2544,6 +2707,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2726,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -18919,7 +18952,7 @@ index 97fcdac..e5652a1 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2584,6 +2766,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +2785,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -18962,7 +18995,7 @@ index 97fcdac..e5652a1 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2598,7 +2816,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +2835,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -18971,7 +19004,7 @@ index 97fcdac..e5652a1 100644
  ')
  
  ########################################
-@@ -2736,7 +2954,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +2973,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -18980,7 +19013,7 @@ index 97fcdac..e5652a1 100644
  ##	</summary>
  ## </param>
  #
-@@ -2772,7 +2990,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +3009,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -18989,7 +19022,7 @@ index 97fcdac..e5652a1 100644
  ##	</summary>
  ## </param>
  #
-@@ -2965,6 +3183,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3202,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -18997,7 +19030,7 @@ index 97fcdac..e5652a1 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3005,6 +3224,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3243,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -19005,7 +19038,7 @@ index 97fcdac..e5652a1 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3045,6 +3265,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3284,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -19013,7 +19046,7 @@ index 97fcdac..e5652a1 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3958,6 +4179,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4198,42 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
@@ -19056,7 +19089,7 @@ index 97fcdac..e5652a1 100644
  ##	Create, read, write, and delete
  ##	tmpfs directories
  ## </summary>
-@@ -4175,6 +4432,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4451,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -19081,7 +19114,7 @@ index 97fcdac..e5652a1 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4251,6 +4526,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4251,6 +4545,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -19107,7 +19140,7 @@ index 97fcdac..e5652a1 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4457,6 +4751,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4770,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -19116,7 +19149,7 @@ index 97fcdac..e5652a1 100644
  ')
  
  ########################################
-@@ -4503,7 +4799,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4818,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -19125,7 +19158,7 @@ index 97fcdac..e5652a1 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4866,3 +5162,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5181,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -30696,10 +30729,10 @@ index 0000000..ed13d1e
 +
 diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
 new file mode 100644
-index 0000000..2ee2be0
+index 0000000..e4d7098
 --- /dev/null
 +++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,79 @@
 +policy_module(collectd, 1.0.0)
 +
 +########################################
@@ -30773,12 +30806,14 @@ index 0000000..2ee2be0
 +
 +optional_policy(`
 +	apache_content_template(collectd)
-+
++	
++	read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
++	list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
 +	miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
 +')
 +
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..29aa481 100644
+index 74505cc..3824f02 100644
 --- a/policy/modules/services/colord.te
 +++ b/policy/modules/services/colord.te
 @@ -23,6 +23,7 @@ files_type(colord_var_lib_t)
@@ -30813,7 +30848,7 @@ index 74505cc..29aa481 100644
  dev_read_video_dev(colord_t)
  dev_write_video_dev(colord_t)
  dev_rw_printer(colord_t)
-@@ -65,19 +73,29 @@ files_list_mnt(colord_t)
+@@ -65,19 +73,30 @@ files_list_mnt(colord_t)
  files_read_etc_files(colord_t)
  files_read_usr_files(colord_t)
  
@@ -30832,6 +30867,7 @@ index 74505cc..29aa481 100644
  miscfiles_read_localization(colord_t)
  
 -sysnet_dns_name_resolve(colord_t)
++fs_getattr_tmpfs(colord_t)
 +userdom_rw_user_tmpfs_files(colord_t)
  
  tunable_policy(`use_nfs_home_dirs',`
@@ -30844,7 +30880,7 @@ index 74505cc..29aa481 100644
  	fs_read_cifs_files(colord_t)
  ')
  
-@@ -89,6 +107,10 @@ optional_policy(`
+@@ -89,6 +108,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30855,7 +30891,7 @@ index 74505cc..29aa481 100644
  	policykit_dbus_chat(colord_t)
  	policykit_domtrans_auth(colord_t)
  	policykit_read_lib(colord_t)
-@@ -96,5 +118,16 @@ optional_policy(`
+@@ -96,5 +119,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33272,7 +33308,7 @@ index 81eba14..d0ab56c 100644
  /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:dbusd_exec_t,s0)
  /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 1a1becd..843d5fd 100644
+index 1a1becd..0aa5aaf 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
 @@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -33297,7 +33333,7 @@ index 1a1becd..843d5fd 100644
  	ubac_constrained($1_dbusd_t)
  	role $2 types $1_dbusd_t;
  
-@@ -62,107 +61,26 @@ template(`dbus_role_template',`
+@@ -62,106 +61,31 @@ template(`dbus_role_template',`
  	# Local policy
  	#
  
@@ -33403,16 +33439,19 @@ index 1a1becd..843d5fd 100644
 -	optional_policy(`
 -		hal_dbus_chat($1_dbusd_t)
 -	')
--
++	auth_use_nsswitch($1_dbusd_t)
+ 
 -	optional_policy(`
 -		xserver_use_xdm_fds($1_dbusd_t)
 -		xserver_rw_xdm_pipes($1_dbusd_t)
--	')
-+	auth_use_nsswitch($1_dbusd_t)
++	tunable_policy(`use_fusefs_home_dirs',`
++    	fs_manage_fusefs_dirs($1_dbusd_t)
++    	fs_manage_fusefs_files($1_dbusd_t)
++    	fs_manage_fusefs_symlinks($1_dbusd_t)
+ 	')
  ')
  
- #######################################
-@@ -181,11 +99,12 @@ interface(`dbus_system_bus_client',`
+@@ -181,11 +105,12 @@ interface(`dbus_system_bus_client',`
  		type system_dbusd_t, system_dbusd_t;
  		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
  		class dbus send_msg;
@@ -33426,7 +33465,7 @@ index 1a1becd..843d5fd 100644
  
  	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($1)
-@@ -198,6 +117,34 @@ interface(`dbus_system_bus_client',`
+@@ -198,6 +123,34 @@ interface(`dbus_system_bus_client',`
  
  #######################################
  ## <summary>
@@ -33461,7 +33500,7 @@ index 1a1becd..843d5fd 100644
  ##	Template for creating connections to
  ##	a user DBUS.
  ## </summary>
-@@ -218,6 +165,8 @@ interface(`dbus_session_bus_client',`
+@@ -218,6 +171,8 @@ interface(`dbus_session_bus_client',`
  
  	# For connecting to the bus
  	allow $1 session_bus_type:unix_stream_socket connectto;
@@ -33470,7 +33509,7 @@ index 1a1becd..843d5fd 100644
  ')
  
  ########################################
-@@ -322,6 +271,11 @@ interface(`dbus_connect_session_bus',`
+@@ -322,6 +277,11 @@ interface(`dbus_connect_session_bus',`
  ##	Allow a application domain to be started
  ##	by the session dbus.
  ## </summary>
@@ -33482,7 +33521,7 @@ index 1a1becd..843d5fd 100644
  ## <param name="domain">
  ##	<summary>
  ##	Type to be used as a domain.
-@@ -336,13 +290,13 @@ interface(`dbus_connect_session_bus',`
+@@ -336,13 +296,13 @@ interface(`dbus_connect_session_bus',`
  #
  interface(`dbus_session_domain',`
  	gen_require(`
@@ -33500,7 +33539,7 @@ index 1a1becd..843d5fd 100644
  ')
  
  ########################################
-@@ -421,27 +375,16 @@ interface(`dbus_system_bus_unconfined',`
+@@ -421,27 +381,16 @@ interface(`dbus_system_bus_unconfined',`
  #
  interface(`dbus_system_domain',`
  	gen_require(`
@@ -33530,7 +33569,7 @@ index 1a1becd..843d5fd 100644
  ')
  
  ########################################
-@@ -464,26 +407,25 @@ interface(`dbus_use_system_bus_fds',`
+@@ -464,26 +413,25 @@ interface(`dbus_use_system_bus_fds',`
  
  ########################################
  ## <summary>
@@ -33563,7 +33602,7 @@ index 1a1becd..843d5fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -491,10 +433,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -491,10 +439,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -57061,10 +57100,10 @@ index 0000000..486d53d
 +')
 diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
 new file mode 100644
-index 0000000..0c1e385
+index 0000000..96adff5
 --- /dev/null
 +++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,100 @@
 +policy_module(sanlock,1.0.0)
 +
 +########################################
@@ -57072,6 +57111,20 @@ index 0000000..0c1e385
 +# Declarations
 +#
 +
++## <desc>
++##  <p>
++##  Allow confined virtual guests to manage nfs files
++##  </p>
++## </desc>
++gen_tunable(sanlock_use_nfs, false)
++
++## <desc>
++##  <p>
++##  Allow confined virtual guests to manage cifs files
++##  </p>
++## </desc>
++gen_tunable(sanlock_use_samba, false)
++
 +type sanlock_t;
 +type sanlock_exec_t;
 +init_daemon_domain(sanlock_t, sanlock_exec_t)
@@ -57128,6 +57181,20 @@ index 0000000..0c1e385
 +
 +miscfiles_read_localization(sanlock_t)
 +
++tunable_policy(`sanlock_use_nfs',`
++    fs_manage_nfs_dirs(sanlock_t)
++    fs_manage_nfs_files(sanlock_t)
++    fs_manage_nfs_named_sockets(sanlock_t)
++    fs_read_nfs_symlinks(sanlock_t)
++')
++
++tunable_policy(`sanlock_use_samba',`
++    fs_manage_cifs_dirs(sanlock_t)
++    fs_manage_cifs_files(sanlock_t)
++    fs_manage_cifs_named_sockets(sanlock_t)
++    fs_read_cifs_symlinks(sanlock_t)
++')
++
 +optional_policy(`
 +	wdmd_stream_connect(sanlock_t)
 +')
@@ -57877,7 +57944,7 @@ index 623c8fa..0a802f7 100644
  /var/run/snmpd(/.*)?		gen_context(system_u:object_r:snmpd_var_run_t,s0)
  /var/run/snmpd\.pid	--	gen_context(system_u:object_r:snmpd_var_run_t,s0)
 diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
-index 275f9fb..4f4a192 100644
+index 275f9fb..2a0e198 100644
 --- a/policy/modules/services/snmp.if
 +++ b/policy/modules/services/snmp.if
 @@ -11,12 +11,12 @@
@@ -57897,7 +57964,33 @@ index 275f9fb..4f4a192 100644
  ')
  
  ########################################
-@@ -62,6 +62,7 @@ interface(`snmp_read_snmp_var_lib_files',`
+@@ -47,6 +47,25 @@ interface(`snmp_udp_chat',`
+ 	refpolicywarn(`$0($*) has been deprecated.')
+ ')
+ 
++#######################################
++## <summary>
++##  Allow caller domain to read snmpd libraries dirs.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`snmp_read_snmp_var_lib_dirs',`
++    gen_require(`
++        type snmpd_var_lib_t;
++    ')
++
++    files_search_var_lib($1)
++    allow $1 snmpd_var_lib_t:dir list_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Read snmpd libraries.
+@@ -62,6 +81,7 @@ interface(`snmp_read_snmp_var_lib_files',`
  		type snmpd_var_lib_t;
  	')
  
@@ -57905,7 +57998,7 @@ index 275f9fb..4f4a192 100644
  	allow $1 snmpd_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
  	read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
-@@ -69,6 +70,45 @@ interface(`snmp_read_snmp_var_lib_files',`
+@@ -69,6 +89,45 @@ interface(`snmp_read_snmp_var_lib_files',`
  
  ########################################
  ## <summary>
@@ -57951,7 +58044,7 @@ index 275f9fb..4f4a192 100644
  ##	dontaudit Read snmpd libraries.
  ## </summary>
  ## <param name="domain">
-@@ -81,9 +121,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
+@@ -81,9 +140,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
  	gen_require(`
  		type snmpd_var_lib_t;
  	')
@@ -57963,7 +58056,7 @@ index 275f9fb..4f4a192 100644
  ')
  
  ########################################
-@@ -123,12 +164,11 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
+@@ -123,12 +183,11 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
  #
  interface(`snmp_admin',`
  	gen_require(`
@@ -65824,10 +65917,21 @@ index c9981d1..11013a6 100644
  
  	corenet_sendrecv_zabbix_agent_client_packets($1)
 diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
-index 7f88f5f..bd6493d 100644
+index 7f88f5f..5f1e19c 100644
 --- a/policy/modules/services/zabbix.te
 +++ b/policy/modules/services/zabbix.te
-@@ -36,16 +36,17 @@ files_pid_file(zabbix_var_run_t)
+@@ -23,6 +23,10 @@ init_script_file(zabbix_agent_initrc_exec_t)
+ type zabbix_log_t;
+ logging_log_file(zabbix_log_t)
+ 
++# tmp files
++type zabbix_tmp_t;
++files_tmp_file(zabbix_tmp_t)
++
+ # shared memory
+ type zabbix_tmpfs_t;
+ files_tmpfs_file(zabbix_tmpfs_t)
+@@ -36,19 +40,25 @@ files_pid_file(zabbix_var_run_t)
  # zabbix local policy
  #
  
@@ -65849,22 +65953,64 @@ index 7f88f5f..bd6493d 100644
  manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
  logging_log_filetrans(zabbix_t, zabbix_log_t, file)
  
-@@ -58,11 +59,15 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
++# tmp files
++manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
++manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
++files_tmp_filetrans(zabbix_t, zabbix_tmp_t, { dir file })
++
+ # shared memory
+ rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+ fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
+@@ -58,14 +68,25 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
  manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
  files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
  
++kernel_read_system_state(zabbix_t)
 +kernel_read_kernel_sysctls(zabbix_t)
 +
++corecmd_exec_bin(zabbix_t)
++corecmd_exec_shell(zabbix_t)
++
  corenet_tcp_bind_generic_node(zabbix_t)
  corenet_tcp_bind_zabbix_port(zabbix_t)
++#needed by zabbix-server-mysql
++corenet_tcp_connect_http_port(zabbix_t)
++
++dev_read_urand(zabbix_t)
  
  files_read_etc_files(zabbix_t)
++files_read_usr_files(zabbix_t)
  
+-miscfiles_read_localization(zabbix_t)
 +auth_use_nsswitch(zabbix_t)
+ 
+-sysnet_dns_name_resolve(zabbix_t)
++miscfiles_read_localization(zabbix_t)
+ 
+ zabbix_agent_tcp_connect(zabbix_t)
+ 
+@@ -74,9 +95,21 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	netutils_domtrans_ping(zabbix_t)
++')
 +
- miscfiles_read_localization(zabbix_t)
++optional_policy(`
+ 	postgresql_stream_connect(zabbix_t)
+ ')
  
- sysnet_dns_name_resolve(zabbix_t)
++optional_policy(`
++	snmp_read_snmp_var_lib_dirs(zabbix_t)
++')
++
++optional_policy(`
++	sysnet_dns_name_resolve(zabbix_t)
++')
++
+ ########################################
+ #
+ # zabbix agent local policy
 diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
 index 3defaa1..2ad2488 100644
 --- a/policy/modules/services/zarafa.fc
@@ -68112,7 +68258,7 @@ index 94fd8dd..f2689e3 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..49a7fbd 100644
+index 29a9565..7d9e51c 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -68312,7 +68458,8 @@ index 29a9565..49a7fbd 100644
  
 +storage_raw_rw_fixed_disk(init_t)
 +
-+optional_policy(`
+ optional_policy(`
+-	auth_rw_login_records(init_t)
 +	modutils_domtrans_insmod(init_t)
 +')
 +
@@ -68422,8 +68569,7 @@ index 29a9565..49a7fbd 100644
 +	lvm_rw_pipes(init_t)
 +')
 +
- optional_policy(`
--	auth_rw_login_records(init_t)
++optional_policy(`
 +	consolekit_manage_log(init_t)
  ')
  
@@ -68431,18 +68577,18 @@ index 29a9565..49a7fbd 100644
 +	dbus_connect_system_bus(init_t)
  	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_socket_use(init_t)
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
 +	# The master process of dovecot will manage this file.
 +	dovecot_dontaudit_unlink_lib_files(initrc_t)
- ')
- 
- optional_policy(`
--	nscd_socket_use(init_t)
++')
++
++optional_policy(`
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
  ')
@@ -69006,7 +69152,7 @@ index 29a9565..49a7fbd 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1248,160 @@ optional_policy(`
+@@ -854,3 +1248,157 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -69064,7 +69210,7 @@ index 29a9565..49a7fbd 100644
 +	allow daemon init_t:unix_dgram_socket sendto;
 +	# need write to /var/run/systemd/notify
 +	init_write_pid_socket(daemon)
-+	dontaudit daemon init_t:unix_stream_socket { read ioctl getattr };
++	allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
 +')
 +
 +# daemons started from init will
@@ -69101,16 +69247,13 @@ index 29a9565..49a7fbd 100644
 +allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
 +allow systemprocess initrc_transition_domain:fd use;
 +
-+dontaudit systemprocess init_t:unix_stream_socket getattr;
-+
-+
 +tunable_policy(`init_systemd',`
 +	# Handle upstart/systemd direct transition to a executable
 +	allow init_t systemprocess:process { dyntransition siginh };
 +	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
 +	allow init_t systemprocess:unix_dgram_socket create_socket_perms;
 +	allow systemprocess init_t:unix_dgram_socket sendto;
-+	dontaudit systemprocess init_t:unix_stream_socket { read getattr ioctl };
++	allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
 +')
 +
 +ifdef(`hide_broken_symptoms',`
@@ -70148,9 +70291,9 @@ index 808ba93..4ff705d 100644
 +	')
 +
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
-+	#files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
++	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
-+	#files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
++	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
 index e5836d3..eae9427 100644
@@ -71950,7 +72093,7 @@ index 8b5c196..da41726 100644
 +    role $2 types showmount_t;
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..4930474 100644
+index 15832c7..bb2ac39 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -17,17 +17,29 @@ type mount_exec_t;
@@ -71993,8 +72136,8 @@ index 15832c7..4930474 100644
  
  # setuid/setgid needed to mount cifs 
 -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
-+allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
-+allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal };
++allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin sys_nice dac_override dac_read_search chown sys_tty_config setuid setgid };
++allow mount_t self:process { getcap getsched setsched ptrace setcap setrlimit signal };
 +allow mount_t self:fifo_file rw_fifo_file_perms;
 +allow mount_t self:unix_stream_socket create_stream_socket_perms;
 +allow mount_t self:unix_dgram_socket create_socket_perms; 
@@ -72051,7 +72194,7 @@ index 15832c7..4930474 100644
  dev_dontaudit_rw_generic_chr_files(mount_t)
  
  domain_use_interactive_fds(mount_t)
-+domain_dontaudit_search_all_domains_state(mount_t)
++domain_read_all_domains_state(mount_t)
  
  files_search_all(mount_t)
  files_read_etc_files(mount_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cf6329d..40f4ad3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 57%{?dist}
+Release: 58%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,16 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Nov 21 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-58
+- Allow mcelog_t to create dir and file in /var/run and label it correctly
+- Allow dbus to manage fusefs
+- Mount needs to read process state when mounting gluster file systems
+- Allow collectd-web to read collectd lib files
+- Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr
+- Allow colord to get the attributes of tmpfs filesystem
+- Add sanlock_use_nfs and sanlock_use_samba booleans
+- Add bin_t label for /usr/lib/virtualbox/VBoxManage
+
 * Thu Nov 16 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-57
 - We need to treat port_t and unreserved_port_t as generic_port types