diff --git a/policy-F15.patch b/policy-F15.patch index 9e94667..1b291a4 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -1362,7 +1362,7 @@ index c633aea..c489eec 100644 optional_policy(` seutil_use_newrole_fds(gcc_config_t) diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..a8ef22f 100644 +index af55369..2abb1a0 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) @@ -1436,11 +1436,13 @@ index af55369..a8ef22f 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,17 +163,26 @@ optional_policy(` +@@ -148,17 +163,28 @@ optional_policy(` files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) - init_exec(prelink_cron_system_t) ++ fs_search_cgroup_dirs(prelink_cron_system_t) ++ + init_telinit(prelink_cron_system_t) libs_exec_ld_so(prelink_cron_system_t) @@ -3452,10 +3454,10 @@ index 00a19e3..55075f9 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..f9149e7 100644 +index f5afe78..4c9bd12 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,43 +1,523 @@ +@@ -1,44 +1,605 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -3699,11 +3701,10 @@ index f5afe78..f9149e7 100644 +## manage gnome homedir content (.config) +## +## - ## --## Role allowed access ++## +## Domain allowed access. - ## - ## ++## ++## +# +interface(`gnome_manage_config',` + gen_require(` 
@@ -3941,6 +3942,65 @@ index f5afe78..f9149e7 100644 +## +## read gconf config files +## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_read_gconf_config',` ++ gen_require(` ++ type gconf_etc_t; ++ ') ++ ++ allow $1 gconf_etc_t:dir list_dir_perms; ++ read_files_pattern($1, gconf_etc_t, gconf_etc_t) ++ files_search_etc($1) ++') ++ ++####################################### ++## ++## Manage gconf config files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_gconf_config',` ++ gen_require(` ++ type gconf_etc_t; ++ ') ++ ++ allow $1 gconf_etc_t:dir list_dir_perms; ++ manage_files_pattern($1, gconf_etc_t, gconf_etc_t) ++') ++ ++######################################## ++## ++## Execute gconf programs in ++## in the caller domain. ++## ++## + ## +-## Role allowed access ++## Domain allowed access. + ## + ## ++# ++interface(`gnome_exec_gconf',` ++ gen_require(` ++ type gconfd_exec_t; ++ ') ++ ++ can_exec($1, gconfd_exec_t) ++') ++ ++######################################## ++## ++## Execute gnome keyringd in the caller domain. ++## ## ## -## User domain for the role 
@@ -3949,60 +4009,98 @@ index f5afe78..f9149e7 100644 ## # -interface(`gnome_role',` -+interface(`gnome_read_gconf_config',` ++interface(`gnome_exec_keyringd',` gen_require(` - type gconfd_t, gconfd_exec_t; - type gconf_tmp_t; -+ type gconf_etc_t; ++ type gkeyringd_exec_t; ') - role $1 types gconfd_t; -- ++ can_exec($1, gkeyringd_exec_t) ++ corecmd_search_bin($1) ++') ++ ++######################################## ++## ++## Read gconf home files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_read_gconf_home_files',` ++ gen_require(` ++ type gconf_home_t; ++ type data_home_t; ++ ') + - domain_auto_trans($2, gconfd_exec_t, gconfd_t) - allow gconfd_t $2:fd use; - allow gconfd_t $2:fifo_file write; - allow gconfd_t $2:unix_stream_socket connectto; -+ allow $1 gconf_etc_t:dir list_dir_perms; -+ read_files_pattern($1, gconf_etc_t, gconf_etc_t) -+ files_search_etc($1) ++ userdom_search_user_home_dirs($1) ++ allow $1 gconf_home_t:dir list_dir_perms; ++ allow $1 data_home_t:dir list_dir_perms; ++ read_files_pattern($1, gconf_home_t, gconf_home_t) ++ read_files_pattern($1, data_home_t, data_home_t) ++ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t) ++ read_lnk_files_pattern($1, data_home_t, data_home_t) +') - ps_process_pattern($2, gconfd_t) -+####################################### ++######################################## +## -+## Manage gconf config files ++## Search gkeyringd temporary directories. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`gnome_manage_gconf_config',` -+ gen_require(` -+ type gconf_etc_t; -+ ') ++interface(`gnome_search_gkeyringd_tmp_dirs',` ++ gen_require(` ++ type gkeyringd_tmp_t; ++ ') - #gnome_stream_connect_gconf_template($1, $2) - read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) - allow $2 gconfd_t:unix_stream_socket connectto; -+ allow $1 gconf_etc_t:dir list_dir_perms; -+ manage_files_pattern($1, gconf_etc_t, gconf_etc_t) ++ files_search_tmp($1) ++ allow $1 gkeyringd_tmp_t:dir search_dir_perms; ') ######################################## ## -## Execute gconf programs in -+## Execute gconf programs in - ## in the caller domain. +-## in the caller domain. ++## search gconf homedir (.local) ## ## -@@ -56,27 +536,26 @@ interface(`gnome_exec_gconf',` + ## +@@ -46,37 +607,37 @@ interface(`gnome_role',` + ## + ## + # +-interface(`gnome_exec_gconf',` ++interface(`gnome_search_gconf',` + gen_require(` +- type gconfd_exec_t; ++ type gconf_home_t; + ') + +- can_exec($1, gconfd_exec_t) ++ allow $1 gconf_home_t:dir search_dir_perms; ++ userdom_search_user_home_dirs($1) + ') ######################################## ## -## Read gconf config files. -+## Execute gnome keyringd in the caller domain. ++## Set attributes of Gnome config dirs. ## -## +## 
@@ -4012,54 +4110,48 @@ index f5afe78..f9149e7 100644 ## # -template(`gnome_read_gconf_config',` -+interface(`gnome_exec_keyringd',` ++interface(`gnome_setattr_config_dirs',` gen_require(` - type gconf_etc_t; -+ type gkeyringd_exec_t; ++ type gnome_home_t; ') - allow $1 gconf_etc_t:dir list_dir_perms; - read_files_pattern($1, gconf_etc_t, gconf_etc_t) - files_search_etc($1) -+ can_exec($1, gkeyringd_exec_t) -+ corecmd_search_bin($1) ++ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) ++ files_search_home($1) ') -####################################### +######################################## ## -## Create, read, write, and delete gconf config files. -+## Read gconf home files ++## Manage generic gnome home files. ## ## ## -@@ -84,37 +563,43 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +645,37 @@ template(`gnome_read_gconf_config',` ## ## # -interface(`gnome_manage_gconf_config',` -+interface(`gnome_read_gconf_home_files',` ++interface(`gnome_manage_generic_home_files',` gen_require(` - type gconf_etc_t; -+ type gconf_home_t; -+ type data_home_t; ++ type gnome_home_t; ') - manage_files_pattern($1, gconf_etc_t, gconf_etc_t) - files_search_etc($1) + userdom_search_user_home_dirs($1) -+ allow $1 gconf_home_t:dir list_dir_perms; -+ allow $1 data_home_t:dir list_dir_perms; -+ read_files_pattern($1, gconf_home_t, gconf_home_t) -+ read_files_pattern($1, data_home_t, data_home_t) -+ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t) -+ read_lnk_files_pattern($1, data_home_t, data_home_t) ++ manage_files_pattern($1, gnome_home_t, gnome_home_t) ') ######################################## ## -## gconf connection template. -+## Search gkeyringd temporary directories. ++## Manage generic gnome home directories. ## -## +## 
@@ -4069,140 +4161,76 @@ index f5afe78..f9149e7 100644 ## # -interface(`gnome_stream_connect_gconf',` -+interface(`gnome_search_gkeyringd_tmp_dirs',` ++interface(`gnome_manage_generic_home_dirs',` gen_require(` - type gconfd_t, gconf_tmp_t; -+ type gkeyringd_tmp_t; ++ type gnome_home_t; ') - read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) - allow $1 gconfd_t:unix_stream_socket connectto; -+ files_search_tmp($1) -+ allow $1 gkeyringd_tmp_t:dir search_dir_perms; ++ userdom_search_user_home_dirs($1) ++ allow $1 gnome_home_t:dir manage_dir_perms; ') ######################################## ## -## Run gconfd in gconfd domain. -+## search gconf homedir (.local) ++## Append gconf home files ## ## ## -@@ -122,12 +607,13 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +683,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # -interface(`gnome_domtrans_gconfd',` -+interface(`gnome_search_gconf',` ++interface(`gnome_append_gconf_home_files',` gen_require(` - type gconfd_t, gconfd_exec_t; + type gconf_home_t; ') - domtrans_pattern($1, gconfd_exec_t, gconfd_t) -+ allow $1 gconf_home_t:dir search_dir_perms; -+ userdom_search_user_home_dirs($1) ++ append_files_pattern($1, gconf_home_t, gconf_home_t) ') ######################################## -@@ -151,40 +637,328 @@ interface(`gnome_setattr_config_dirs',` - - ######################################## ## --## Read gnome homedir content (.config) -+## Manage generic gnome home files. +-## Set attributes of Gnome config dirs. ++## manage gconf home files ## --## -+## + ## ## - ## Domain allowed access. 
+@@ -140,51 +701,307 @@ interface(`gnome_domtrans_gconfd',` ## ## # --template(`gnome_read_config',` -+interface(`gnome_manage_generic_home_files',` +-interface(`gnome_setattr_config_dirs',` ++interface(`gnome_manage_gconf_home_files',` gen_require(` - type gnome_home_t; +- type gnome_home_t; ++ type gconf_home_t; ') -- list_dirs_pattern($1, gnome_home_t, gnome_home_t) -- read_files_pattern($1, gnome_home_t, gnome_home_t) -- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, gnome_home_t, gnome_home_t) +- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) +- files_search_home($1) ++ allow $1 gconf_home_t:dir list_dir_perms; ++ manage_files_pattern($1, gconf_home_t, gconf_home_t) ') ######################################## ## --## manage gnome homedir content (.config) -+## Manage generic gnome home directories. - ## --## -+## - ## - ## Domain allowed access. - ## - ## - # --interface(`gnome_manage_config',` -+interface(`gnome_manage_generic_home_dirs',` - gen_require(` - type gnome_home_t; - ') - -+ userdom_search_user_home_dirs($1) - allow $1 gnome_home_t:dir manage_dir_perms; -- allow $1 gnome_home_t:file manage_file_perms; -+') -+ -+######################################## -+## -+## Append gconf home files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_append_gconf_home_files',` -+ gen_require(` -+ type gconf_home_t; -+ ') -+ -+ append_files_pattern($1, gconf_home_t, gconf_home_t) -+') -+ -+######################################## -+## -+## manage gconf home files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_manage_gconf_home_files',` -+ gen_require(` -+ type gconf_home_t; -+ ') -+ -+ allow $1 gconf_home_t:dir list_dir_perms; -+ manage_files_pattern($1, gconf_home_t, gconf_home_t) -+') -+ -+######################################## -+## +-## Read gnome homedir content (.config) +## Connect to gnome over an unix stream socket. 
-+## + ## +## +## +## Domain allowed access. +## +## -+## -+## + ## + ## +## The type of the user domain. +## +## @@ -4222,12 +4250,14 @@ index f5afe78..f9149e7 100644 +## +## +## -+## Domain allowed access. -+## -+## -+# + ## Domain allowed access. + ## + ## + # +-template(`gnome_read_config',` +interface(`gnome_list_home_config',` -+ gen_require(` + gen_require(` +- type gnome_home_t; + type config_home_t; + ') + @@ -4266,23 +4296,28 @@ index f5afe78..f9149e7 100644 +interface(`gnome_read_home_config',` + gen_require(` + type config_home_t; -+ ') -+ + ') + +- list_dirs_pattern($1, gnome_home_t, gnome_home_t) +- read_files_pattern($1, gnome_home_t, gnome_home_t) +- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) + list_dirs_pattern($1, config_home_t, config_home_t) + read_files_pattern($1, config_home_t, config_home_t) + read_lnk_files_pattern($1, config_home_t, config_home_t) -+') -+ -+######################################## -+## -+## manage gnome homedir content (.config) -+## + ') + + ######################################## + ## + ## manage gnome homedir content (.config) + ## +-## +## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## Domain allowed access. + ## + ## + # +-interface(`gnome_manage_config',` +template(`gnome_manage_home_config',` + gen_require(` + type config_home_t; @@ -4368,10 +4403,12 @@ index f5afe78..f9149e7 100644 +## +# +interface(`gnome_home_dir_filetrans',` -+ gen_require(` -+ type gnome_home_t; -+ ') -+ + gen_require(` + type gnome_home_t; + ') + +- allow $1 gnome_home_t:dir manage_dir_perms; +- allow $1 gnome_home_t:file manage_file_perms; + userdom_user_home_dir_filetrans($1, gnome_home_t, dir) userdom_search_user_home_dirs($1) ') @@ -4444,6 +4481,49 @@ index f5afe78..f9149e7 100644 + allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms; +') + ++####################################### ++## ++## Execute gnome-keyring executable ++## in the specified domain. ++## ++## ++##

++## Execute a telepathy executable ++## in the specified domain. This allows ++## the specified domain to execute any file ++## on these filesystems in the specified ++## domain. ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++##

++## This interface was added to handle ++## the ssh-agent policy. ++##

++##
++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`gnome_command_domtrans_gkeyringd', ` ++ gen_require(` ++ type gkeyringd_exec_t; ++ ') ++ ++ allow $2 gkeyringd_exec_t:file entrypoint; ++ domain_transition_pattern($1, gkeyringd_exec_t, $2) ++ type_transition $1 gkeyringd_exec_t:process $2; ++') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te index 2505654..95f89db 100644 --- a/policy/modules/apps/gnome.te @@ -8793,7 +8873,7 @@ index 0000000..8a7ed4f +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if new file mode 100644 -index 0000000..16ff623 +index 0000000..7023ea2 --- /dev/null +++ b/policy/modules/apps/telepathy.if @@ -0,0 +1,264 @@ 
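Review bot: The documentation block added above `gnome_command_domtrans_gkeyringd` does not describe this interface: after the summary it speaks of "a telepathy executable", "any file on these filesystems" and the ssh-agent policy, which reads as text carried over from another module. What the body visibly grants is `entrypoint` on `gkeyringd_exec_t` for `$2` and an automatic process transition from `$1` to `$2`, so the description should say that, for example `Allow the source domain to execute the gnome-keyring executable and transition to the specified target domain.` This matters because the caller added later in this commit passes `unconfined_dbusd_t,unconfined_t`, so the keyring daemon started from the session bus runs in `unconfined_t`. A one-line comment at that call stating this is intended would help the next reviewer.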
@@ -8879,14 +8959,14 @@ index 0000000..16ff623 + telepathy_msn_stream_connect($2) + telepathy_salut_stream_connect($2) + -+ dbus_session_domain($2, telepathy_gabble_exec_t, telepathy_gabble_t) -+ dbus_session_domain($2, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) -+ dbus_session_domain($2, telepathy_idle_exec_t, telepathy_idle_t) -+ dbus_session_domain($2, telepathy_mission_control_exec_t, telepathy_mission_control_t) -+ dbus_session_domain($2, telepathy_salut_exec_t, telepathy_salut_t) -+ dbus_session_domain($2, telepathy_sunshine_exec_t, telepathy_sunshine_t) -+ dbus_session_domain($2, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) -+ dbus_session_domain($2, telepathy_msn_exec_t, telepathy_msn_t) ++ dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t) ++ dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) ++ dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t) ++ dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t) ++ dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t) ++ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t) ++ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) ++ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t) +') + +######################################## @@ -14104,7 +14184,7 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..fb6c6bd 100644 +index 2be17d2..01d3647 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,51 @@ policy_module(staff, 2.2.0) 
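Review bot: The eight `dbus_session_domain` calls now read `$3`, but the interface's parameter documentation does not seem to have gained an entry for a third argument: the inner hunk header for telepathy.if is still `@@ -0,0 +1,264 @@`, so no lines were added to the file. Unless the header already described three parameters, add one stating what `$3` is; the commented callers elsewhere in this commit pass the user prefix (`staff`, `user`, `xguest`), so something like `The prefix of the user domain (e.g., user is the prefix for user_t).` fits. The `*_stream_connect($2)` lines above still take the domain type, so the two arguments are easy to swap without that documentation. The interface header is outside this hunk.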
@@ -14273,9 +14353,9 @@ index 2be17d2..fb6c6bd 100644 + sudo_role_template(staff, staff_r, staff_t) +') + -+optional_policy(` -+ telepathy_dbus_session_role(staff_r, staff_t) -+') ++#optional_policy(` ++ #telepathy_dbus_session_role(staff_r, staff_t, staff) ++#') + +optional_policy(` + userhelper_console_role_template(staff, staff_r, staff_usertype) @@ -15376,10 +15456,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..693d944 +index 0000000..dc3f3b7 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,502 @@ +@@ -0,0 +1,503 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -15666,6 +15746,7 @@ index 0000000..693d944 + optional_policy(` + gnomeclock_dbus_chat(unconfined_usertype) + gnome_dbus_chat_gconfdefault(unconfined_usertype) ++ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t) + ') + + optional_policy(` @@ -15883,7 +15964,7 @@ index 0000000..693d944 + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..b56a290 100644 +index e5bfdd4..4ac582b 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -12,15 +12,74 @@ role user_r; @@ -15953,9 +16034,9 @@ index e5bfdd4..b56a290 100644 + setroubleshoot_dontaudit_stream_connect(user_t) +') + -+optional_policy(` -+ telepathy_dbus_session_role(user_r, user_t) -+') ++#optional_policy(` ++ #telepathy_dbus_session_role(user_r, user_t, user) ++#') + +optional_policy(` vlock_run(user_t, user_r) @@ -16003,7 +16084,7 @@ index 0ecc786..dbf2710 100644 userdom_dontaudit_search_user_home_dirs(webadm_t) diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te -index e88b95f..9d37855 100644 +index e88b95f..69ade9e 100644 --- a/policy/modules/roles/xguest.te 
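Review bot: The role-level callers of `telepathy_dbus_session_role` are disabled by commenting them out (here in staff.te, and again in the unprivuser.te and xguest.te hunks) rather than being deleted. Commented-out policy is easy to re-enable by accident, and nothing at these sites says where the access is granted now. Either remove the three blocks or replace each with one comment, for example `# telepathy_dbus_session_role() is called from userdom_restricted_xwindows_user_template`, which is where the userdomain.if hunk of this commit appears to add the call.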
+++ b/policy/modules/roles/xguest.te @@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true) @@ -16092,9 +16173,10 @@ index e88b95f..9d37855 100644 + +optional_policy(` + gnome_role(xguest_r, xguest_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- mozilla_role(xguest_r, xguest_t) + gnomeclock_dontaudit_dbus_chat(xguest_t) +') + @@ -16104,10 +16186,9 @@ index e88b95f..9d37855 100644 + +optional_policy(` + mono_role_template(xguest, xguest_r, xguest_t) - ') - - optional_policy(` -- mozilla_role(xguest_r, xguest_t) ++') ++ ++optional_policy(` + mozilla_run_plugin(xguest_t, xguest_r) +') + @@ -16162,9 +16243,9 @@ index e88b95f..9d37855 100644 + corenet_tcp_connect_transproxy_port(xguest_usertype) ') + -+ optional_policy(` -+ telepathy_dbus_session_role(xguest_r, xguest_t) -+ ') ++# optional_policy(` ++ #telepathy_dbus_session_role(xguest_r, xguest_t, xguest) ++# ') +') + +optional_policy(` @@ -21777,10 +21858,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..ee24611 +index 0000000..52ad073 --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,105 @@ +@@ -0,0 +1,109 @@ +policy_module(colord,1.0.0) + +######################################## @@ -21807,6 +21888,9 @@ index 0000000..ee24611 +# +# colord local policy +# ++ ++allow colord_t self:process signal; ++ +allow colord_t self:fifo_file rw_fifo_file_perms; +allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; +allow colord_t self:udp_socket create_socket_perms; @@ -21845,6 +21929,7 @@ index 0000000..ee24611 + +domain_use_interactive_fds(colord_t) + ++files_list_mnt(colord_t) +files_read_etc_files(colord_t) +files_read_usr_files(colord_t) + @@ -23072,7 +23157,7 @@ index 305ddf4..777091a 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..cda064a 100644 +index 0f28095..a3a6265 100644 
--- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -23184,11 +23269,12 @@ index 0f28095..cda064a 100644 files_search_all_mountpoints(cupsd_config_t) -@@ -425,11 +438,10 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -425,11 +438,11 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) +userdom_rw_user_tmp_files(cupsd_config_t) ++userdom_read_user_tmp_symlinks(cupsd_config_t) cups_stream_connect(cupsd_config_t) @@ -23197,7 +23283,7 @@ index 0f28095..cda064a 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +465,10 @@ optional_policy(` +@@ -453,6 +466,10 @@ optional_policy(` ') optional_policy(` @@ -23208,7 +23294,7 @@ index 0f28095..cda064a 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +483,10 @@ optional_policy(` +@@ -467,6 +484,10 @@ optional_policy(` ') optional_policy(` @@ -23219,7 +23305,7 @@ index 0f28095..cda064a 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -587,13 +607,17 @@ auth_use_nsswitch(cups_pdf_t) +@@ -587,13 +608,17 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -23239,7 +23325,7 @@ index 0f28095..cda064a 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_auto_mountpoints(cups_pdf_t) -@@ -606,6 +630,10 @@ tunable_policy(`use_samba_home_dirs',` +@@ -606,6 +631,10 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(cups_pdf_t) ') 
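Review bot: The added `userdom_read_user_tmp_symlinks(cupsd_config_t)` widens what the CUPS configuration domain may follow inside user-writable temporary directories, and nothing next to it says why. It sits directly after `userdom_rw_user_tmp_files(cupsd_config_t)`, so the domain can now both resolve user-created symlinks and write user tmp files. Add a comment naming the denial or bug that needs it, e.g. `# needed for <bug reference>: cupsd_config_t reads a symlink in the user's tmp dir`, so the rule can be removed once that case is gone.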
@@ -23250,7 +23336,7 @@ index 0f28095..cda064a 100644 ######################################## # # HPLIP local policy -@@ -639,7 +667,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +@@ -639,7 +668,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) @@ -23259,7 +23345,7 @@ index 0f28095..cda064a 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +713,7 @@ domain_use_interactive_fds(hplip_t) +@@ -685,6 +714,7 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -23267,7 +23353,7 @@ index 0f28095..cda064a 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +725,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +726,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -25802,7 +25888,7 @@ index 6bef7f8..464669c 100644 + admin_pattern($1, exim_var_run_t) +') diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te -index f28f64b..18c3c33 100644 +index f28f64b..0b19f11 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -6,24 +6,24 @@ policy_module(exim, 1.5.0) @@ -25813,7 +25899,7 @@ index f28f64b..18c3c33 100644 -## Allow exim to connect to databases (postgres, mysql) -##

+##

-+## Allow exim to connect to databases (postgres, mysql) ++## Allow exim to connect to databases (PostgreSQL, MySQL) +##

## gen_tunable(exim_can_connect_db, false) @@ -26084,7 +26170,7 @@ index 0000000..84d1768 +') diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te new file mode 100644 -index 0000000..b439f82 +index 0000000..0e3e71d --- /dev/null +++ b/policy/modules/services/firewalld.te @@ -0,0 +1,70 @@ @@ -26115,7 +26201,7 @@ index 0000000..b439f82 +# +# firewalld local policy +# -+ ++dontaudit firewalld_t self:capability sys_tty_config; +allow firewalld_t self:fifo_file rw_fifo_file_perms; +allow firewalld_t self:unix_stream_socket create_stream_socket_perms; + @@ -31437,14 +31523,14 @@ index 64268e4..0d7da33 100644 + exim_manage_log(user_mail_domain) +') diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc -index fd71d69..2e9f2a3 100644 +index fd71d69..bf90863 100644 --- a/policy/modules/services/munin.fc +++ b/policy/modules/services/munin.fc @@ -51,6 +51,7 @@ /usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -+/usr/share/munin/plugins/munin_* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) @@ -35876,7 +35962,7 @@ index 09aeffa..dd70b14 100644 postgresql_tcp_connect($1) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 8ed5067..f31634f 100644 +index 8ed5067..a5603cd 100644 --- a/policy/modules/services/postgresql.te 
+++ b/policy/modules/services/postgresql.te @@ -19,16 +19,16 @@ gen_require(` @@ -35887,7 +35973,7 @@ index 8ed5067..f31634f 100644 -## Allow unprived users to execute DDL statement -##

+##

-+## Allow unprived users to execute DDL statement ++## Allow unprivileged users to execute DDL statement +##

## gen_tunable(sepgsql_enable_users_ddl, true) @@ -36586,7 +36672,7 @@ index 2855a44..0456b11 100644 type puppet_tmp_t; ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..69fa687 100644 +index 64c5f95..ebb9b4d 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0) @@ -36604,7 +36690,7 @@ index 64c5f95..69fa687 100644 ##

-## Allow Puppet client to manage all file -## types. -+## Allow Puppet master to use connect to mysql and postgresql database ++## Allow Puppet master to use connect to MySQL and PostgreSQL database ##

## -gen_tunable(puppet_manage_all_files, false) @@ -47085,10 +47171,10 @@ index c26ecf5..b906c48 100644 diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc new file mode 100644 -index 0000000..72059b2 +index 0000000..28cd477 --- /dev/null +++ b/policy/modules/services/zarafa.fc -@@ -0,0 +1,29 @@ +@@ -0,0 +1,33 @@ + +/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) + @@ -47102,6 +47188,8 @@ index 0000000..72059b2 + +/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) + ++/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) ++ +/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) + +/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0) @@ -47110,6 +47198,7 @@ index 0000000..72059b2 +/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) +/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) +/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) ++/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) +/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) + +/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) @@ -47117,6 +47206,7 @@ index 0000000..72059b2 +/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0) +/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) +/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) ++/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) +/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if new file mode 100644 
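Review bot: The new `/var/run/zarafa-indexer -- gen_context(...zarafa_indexer_var_run_t,s0)` entry matches only a regular file with exactly that name, which does not fit either pattern used by its neighbours: the pid entries end in `\.pid` and the server socket `/var/run/zarafa` is declared with `-s`. The zarafa.te part of this commit adds a `stream_connect_pattern` on `zarafa_indexer_var_run_t`, which suggests the indexer object here is a socket; if so, a relabel would not apply this context to it. Confirm what the indexer creates and use `-s` for a socket, or `/var/run/zarafa-indexer\.pid --` for a pid file.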
@@ -47248,10 +47338,10 @@ index 0000000..8a909f5 +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te new file mode 100644 -index 0000000..fec9997 +index 0000000..850b8b5 --- /dev/null +++ b/policy/modules/services/zarafa.te -@@ -0,0 +1,141 @@ +@@ -0,0 +1,146 @@ +policy_module(zarafa, 1.0.0) + +######################################## @@ -47262,6 +47352,7 @@ index 0000000..fec9997 +attribute zarafa_domain; + +zarafa_domain_template(monitor) ++zarafa_domain_template(indexer) +zarafa_domain_template(ical) +zarafa_domain_template(server) +zarafa_domain_template(spooler) @@ -47283,6 +47374,8 @@ index 0000000..fec9997 +type zarafa_share_t; +files_type(zarafa_share_t) + ++permissive zarafa_indexer_t; ++ +######################################## +# +# zarafa-deliver local policy @@ -47311,6 +47404,8 @@ index 0000000..fec9997 +manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) +files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir }) + ++stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t) ++ +corenet_tcp_bind_zarafa_port(zarafa_server_t) + +files_read_usr_files(zarafa_server_t) @@ -55967,7 +56062,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..f690d75 100644 +index 28b88de..b7339b1 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -56893,7 +56988,7 @@ index 28b88de..f690d75 100644 ############################## # # Local policy -@@ -874,45 +1030,114 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1030,116 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) 
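Review bot: `permissive zarafa_indexer_t;` is added without any comment, so the new indexer domain is shipped with enforcement off and nothing records that this is meant to be temporary. While it is permissive, denials for this domain are only logged, including for the socket that `zarafa_server_t` is now allowed to connect to. Put a comment on the line stating the condition for removing it, e.g. `# new domain: remove permissive once the indexer policy has been tested`.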
@@ -56952,6 +57047,8 @@ index 28b88de..f690d75 100644 + optional_policy(` + gnome_read_usr_config($1_usertype) + gnome_role_gkeyringd($1, $1_r, $1_t) ++ # cjp: telepathy F15 bugs ++ telepathy_dbus_session_role($1_r, $1_t, $1) ') optional_policy(` @@ -57019,7 +57116,7 @@ index 28b88de..f690d75 100644 ') ') -@@ -947,7 +1172,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1174,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -57028,7 +57125,7 @@ index 28b88de..f690d75 100644 userdom_common_user_template($1) ############################## -@@ -956,54 +1181,83 @@ template(`userdom_unpriv_user_template', ` +@@ -956,54 +1183,83 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -57142,7 +57239,7 @@ index 28b88de..f690d75 100644 ') ') -@@ -1039,7 +1293,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1295,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -57151,7 +57248,7 @@ index 28b88de..f690d75 100644 ') ############################## -@@ -1066,6 +1320,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1322,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -57159,7 +57256,7 @@ index 28b88de..f690d75 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1329,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1331,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
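Review bot: Adding `telepathy_dbus_session_role($1_r, $1_t, $1)` inside the existing gnome `optional_policy` block couples the two modules: an optional block is dropped as a whole when any interface it calls is unavailable, so a policy built without the telepathy module would also lose `gnome_read_usr_config` and `gnome_role_gkeyringd` for these users. Move the call into its own `optional_policy` block that contains only `telepathy_dbus_session_role($1_r, $1_t, $1)`. The comment `# cjp: telepathy F15 bugs` should also name the bug or denial it works around, since this call now applies to every user built from the template. The enclosing template starts and ends outside the hunk.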
@@ -57169,7 +57266,7 @@ index 28b88de..f690d75 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1346,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1348,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -57177,7 +57274,7 @@ index 28b88de..f690d75 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1364,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1366,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -57191,7 +57288,7 @@ index 28b88de..f690d75 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,15 +1381,19 @@ template(`userdom_admin_user_template',` +@@ -1119,15 +1383,19 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -57211,7 +57308,7 @@ index 28b88de..f690d75 100644 term_use_all_terms($1_t) -@@ -1141,7 +1407,10 @@ template(`userdom_admin_user_template',` +@@ -1141,7 +1409,10 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) @@ -57223,7 +57320,7 @@ index 28b88de..f690d75 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1479,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1481,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -57232,7 +57329,7 @@ index 28b88de..f690d75 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1493,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1495,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -57240,7 +57337,7 @@ index 28b88de..f690d75 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1237,6 +1509,7 @@ template(`userdom_security_admin_template',` +@@ -1237,6 +1511,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -57248,7 +57345,7 @@ index 28b88de..f690d75 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1279,11 +1552,37 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1554,37 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -57286,7 +57383,7 @@ index 28b88de..f690d75 100644 ubac_constrained($1) ') -@@ -1395,6 +1694,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1696,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -57294,7 +57391,7 @@ index 28b88de..f690d75 100644 files_search_home($1) ') -@@ -1441,6 +1741,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1743,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -57309,7 +57406,7 @@ index 28b88de..f690d75 100644 ') ######################################## -@@ -1456,9 +1764,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1766,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -57321,7 +57418,7 @@ index 28b88de..f690d75 100644 ') ######################################## -@@ -1515,10 +1825,10 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,10 +1827,10 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -57334,7 +57431,7 @@ index 28b88de..f690d75 100644 ## ## ## -@@ -1526,21 +1836,57 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1526,21 +1838,57 @@ interface(`userdom_relabelto_user_home_dirs',` ## ## # @@ -57400,7 +57497,7 @@ index 28b88de..f690d75 100644 ##

## Do a domain transition to the specified ## domain when executing a program in the -@@ -1589,6 +1935,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +1937,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -57409,7 +57506,7 @@ index 28b88de..f690d75 100644 ') ######################################## -@@ -1603,10 +1951,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1953,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -57424,7 +57521,7 @@ index 28b88de..f690d75 100644 ') ######################################## -@@ -1649,6 +1999,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2001,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ##

@@ -57450,7 +57547,7 @@ index 28b88de..f690d75 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2069,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2071,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -57483,7 +57580,7 @@ index 28b88de..f690d75 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2105,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2107,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -57501,7 +57598,7 @@ index 28b88de..f690d75 100644 ') ######################################## -@@ -1779,6 +2171,24 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2173,24 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -57526,7 +57623,7 @@ index 28b88de..f690d75 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2220,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2222,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -57536,7 +57633,7 @@ index 28b88de..f690d75 100644 ') ######################################## -@@ -1827,20 +2236,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2238,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -57561,7 +57658,7 @@ index 28b88de..f690d75 100644 ######################################## ## -@@ -2008,7 +2411,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2413,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') 
@@ -57570,7 +57667,7 @@ index 28b88de..f690d75 100644 files_search_home($1) ') -@@ -2182,7 +2585,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2587,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -57579,7 +57676,7 @@ index 28b88de..f690d75 100644 ') ######################################## -@@ -2435,13 +2838,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2840,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -57595,7 +57692,7 @@ index 28b88de..f690d75 100644 ## ## ## -@@ -2462,26 +2866,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2868,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -57622,7 +57719,7 @@ index 28b88de..f690d75 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2815,7 +3199,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3201,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -57631,7 +57728,7 @@ index 28b88de..f690d75 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3215,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3217,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -57647,7 +57744,7 @@ index 28b88de..f690d75 100644 ') ######################################## -@@ -2917,7 +3303,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3305,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -57656,7 +57753,7 @@ index 28b88de..f690d75 100644 ') ######################################## -@@ -2972,7 +3358,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3360,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') 
@@ -57703,7 +57800,7 @@ index 28b88de..f690d75 100644 ') ######################################## -@@ -3009,6 +3433,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3435,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -57711,7 +57808,7 @@ index 28b88de..f690d75 100644 kernel_search_proc($1) ') -@@ -3087,6 +3512,24 @@ interface(`userdom_signal_all_users',` +@@ -3087,6 +3514,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -57736,7 +57833,7 @@ index 28b88de..f690d75 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3139,3 +3582,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3584,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index a9f3ec6..1e408e7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 21%{?dist} +Release: 22%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,12 @@ exit 0 %endif %changelog +* Thu May 5 2011 Miroslav Grepl 3.9.16-22 +- Make telepathy working with confined users +- Allow colord signal +- prelink_cron_system_t needs to be able to detect systemd +- Allow cupsd_config_t to read user's symlinks in /tmp + * Mon May 2 2011 Dan Walsh 3.9.16-21 - Fixes for colord and vnstatd policy - telepathy needs to dbus chat with unconfined_t and unconfined_dbusd_t