- ## Do a domain transition to the specified
- ## domain when executing a program in the
-@@ -1589,6 +1937,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+ ## user home directory.
+ ##
+ ##
+@@ -1589,6 +1939,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -57558,7 +57707,7 @@ index 28b88de..b7339b1 100644
')
########################################
-@@ -1603,10 +1953,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1955,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -57573,7 +57722,7 @@ index 28b88de..b7339b1 100644
')
########################################
-@@ -1649,6 +2001,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2003,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
##
@@ -57599,7 +57748,7 @@ index 28b88de..b7339b1 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1700,12 +2071,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2073,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -57632,7 +57781,7 @@ index 28b88de..b7339b1 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1716,11 +2107,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2109,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -57650,7 +57799,7 @@ index 28b88de..b7339b1 100644
')
########################################
-@@ -1779,6 +2173,24 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2175,24 @@ interface(`userdom_delete_user_home_content_files',`
########################################
##
@@ -57675,7 +57824,7 @@ index 28b88de..b7339b1 100644
## Do not audit attempts to write user home files.
##
##
-@@ -1810,8 +2222,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2224,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -57685,7 +57834,7 @@ index 28b88de..b7339b1 100644
')
########################################
-@@ -1827,20 +2238,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2240,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -57710,7 +57859,7 @@ index 28b88de..b7339b1 100644
########################################
##
-@@ -2008,7 +2413,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2415,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -57719,7 +57868,7 @@ index 28b88de..b7339b1 100644
files_search_home($1)
')
-@@ -2182,7 +2587,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2589,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -57728,7 +57877,7 @@ index 28b88de..b7339b1 100644
')
########################################
-@@ -2435,13 +2840,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2842,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -57744,7 +57893,7 @@ index 28b88de..b7339b1 100644
##
##
##
-@@ -2462,26 +2868,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2870,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -57771,7 +57920,57 @@ index 28b88de..b7339b1 100644
## Get the attributes of a user domain tty.
##
##
-@@ -2815,7 +3201,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2570,6 +2958,24 @@ interface(`userdom_use_user_ttys',`
+ allow $1 user_tty_device_t:chr_file rw_term_perms;
+ ')
+
++#######################################
++##
++## Read and write inherited user domain tty.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_use_inherited_user_ttys',`
++ gen_require(`
++ type user_tty_device_t;
++ ')
++
++ allow $1 user_tty_device_t:chr_file { getattr read write append ioctl };
++')
++
+ ########################################
+ ##
+ ## Read and write a user domain pty.
+@@ -2588,6 +2994,24 @@ interface(`userdom_use_user_ptys',`
+ allow $1 user_devpts_t:chr_file rw_term_perms;
+ ')
+
++#######################################
++##
++## Read and write inherited user domain pty.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_use_inherited_user_ptys',`
++ gen_require(`
++ type user_devpts_t;
++ ')
++
++ allow $1 user_devpts_t:chr_file { getattr read write append ioctl };
++')
++
+ ########################################
+ ##
+ ## Read and write a user TTYs and PTYs.
+@@ -2815,7 +3239,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
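Review bot: The new `userdom_use_inherited_user_ttys` and `userdom_use_inherited_user_ptys` interfaces (the `++` lines of the inner hunks at 2570 and 2588) spell out `{ getattr read write append ioctl }` where the neighbouring `userdom_use_user_ttys`/`userdom_use_user_ptys` use `rw_term_perms`, and the doc comment does not say why the two differ. If the point is that `open` is left out — so a caller can only use a terminal descriptor it inherited and can never open `user_tty_device_t`/`user_devpts_t` itself (assuming `rw_term_perms` in this policy carries `open`, as the upstream set of this era does) — that invariant should be written down, otherwise a later cleanup will "simplify" the rule back to `rw_term_perms` and silently widen access; e.g. above each allow rule: `# Deliberately not rw_term_perms: no open, so $1 may only use a tty/pty fd it inherited, never open user terminals itself.` Callers will presumably still need `fd use` from the domain that passed them the descriptor, which these interfaces do not grant; one sentence in the summary saying so would save the next policy writer a denial hunt.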
@@ -57780,7 +57979,7 @@ index 28b88de..b7339b1 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3217,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3255,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -57796,7 +57995,7 @@ index 28b88de..b7339b1 100644
')
########################################
-@@ -2917,7 +3305,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3343,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -57805,7 +58004,7 @@ index 28b88de..b7339b1 100644
')
########################################
-@@ -2972,7 +3360,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3398,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -57852,7 +58051,7 @@ index 28b88de..b7339b1 100644
')
########################################
-@@ -3009,6 +3435,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3473,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -57860,7 +58059,7 @@ index 28b88de..b7339b1 100644
kernel_search_proc($1)
')
-@@ -3087,6 +3514,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3552,24 @@ interface(`userdom_signal_all_users',`
########################################
##
@@ -57885,7 +58084,7 @@ index 28b88de..b7339b1 100644
## Send a SIGCHLD signal to all user domains.
##
##
-@@ -3139,3 +3584,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3622,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a22ada4..8e46c93 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 23%{?dist}
+Release: 24%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,23 @@ exit 0
%endif
%changelog
+* Tue May 17 2011 Miroslav Grepl 3.9.16-24
+- Allow logrotate to connect to init script using unix domain stream socket
+- Allow shorewall read and write inherited user domain pty/tty
+- virt will attempt to us another virtualizations pulsesaudio tmpfs_t, ignore error
+- Allow colord to get the attributes of fixed disk device nodes
+- Allow nsplugin_t to getattr on gpmctl
+- Allow mozilla_plugin to connect to pcscd over an unix stream socket
+- Allow logrotate to execute systemctl
+- colord wants to read files in users homedir
+- Remote login should create user_tmp_t content not its own tmp files
+- Allow psad signal
+- Fix cobbler_read_lib_files interface
+- Allow rlogind to r/w user terminals
+- Allow prelink_cron_system_t to relabel content and ignore obj_id
+- Allow gnomeclock_systemctl_t to list init_var_run_t
+- Dbus domains will inherit fds from the init system
+
* Fri May 6 2011 Miroslav Grepl 3.9.16-23
- Add label for /lib/upstart/init
- Allow colord to getattr on /proc/scsi/scsi