+ ## All of the rules required to administrate
+@@ -93,12 +132,10 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
#
interface(`dovecot_admin',`
gen_require(`
@@ -36288,7 +36322,7 @@ index e1d7dc5..673f185 100644
')
allow $1 dovecot_t:process { ptrace signal_perms };
-@@ -112,8 +130,11 @@ interface(`dovecot_admin',`
+@@ -112,8 +149,11 @@ interface(`dovecot_admin',`
files_list_etc($1)
admin_pattern($1, dovecot_etc_t)
@@ -36302,7 +36336,7 @@ index e1d7dc5..673f185 100644
files_list_spool($1)
admin_pattern($1, dovecot_spool_t)
-@@ -121,6 +142,9 @@ interface(`dovecot_admin',`
+@@ -121,6 +161,9 @@ interface(`dovecot_admin',`
files_list_var_lib($1)
admin_pattern($1, dovecot_var_lib_t)
@@ -38168,24 +38202,31 @@ index 9d3201b..7da7267 100644
+ ftp_systemctl($1)
')
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..3bc14c3 100644
+index 8a74a83..cd27af1 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
-@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
+@@ -40,6 +40,20 @@ gen_tunable(allow_ftpd_use_nfs, false)
##
##
-+## Allow ftp servers to use connect to mysql database
++## Allow ftp servers to connect to mysql database ports
+##
+##
+gen_tunable(ftpd_connect_db, false)
+
+##
+##
++## Allow ftp servers to connect to all ports > 1023
++##
++##
++gen_tunable(ftpd_connect_all_unreserved, false)
++
++##
++##
## Allow ftp to read and write files in the user home directories
##
##
-@@ -70,6 +77,14 @@ gen_tunable(sftpd_enable_homedirs, false)
+@@ -70,6 +84,14 @@ gen_tunable(sftpd_enable_homedirs, false)
##
gen_tunable(sftpd_full_access, false)
@@ -38200,7 +38241,7 @@ index 8a74a83..3bc14c3 100644
type anon_sftpd_t;
typealias anon_sftpd_t alias sftpd_anon_t;
domain_type(anon_sftpd_t)
-@@ -85,6 +100,9 @@ files_config_file(ftpd_etc_t)
+@@ -85,6 +107,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
@@ -38210,7 +38251,7 @@ index 8a74a83..3bc14c3 100644
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)
-@@ -115,6 +133,10 @@ ifdef(`enable_mcs',`
+@@ -115,6 +140,10 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
')
@@ -38221,7 +38262,7 @@ index 8a74a83..3bc14c3 100644
########################################
#
# anon-sftp local policy
-@@ -122,6 +144,7 @@ ifdef(`enable_mcs',`
+@@ -122,6 +151,7 @@ ifdef(`enable_mcs',`
files_read_etc_files(anon_sftpd_t)
@@ -38229,7 +38270,7 @@ index 8a74a83..3bc14c3 100644
miscfiles_read_public_files(anon_sftpd_t)
tunable_policy(`sftpd_anon_write',`
-@@ -133,7 +156,7 @@ tunable_policy(`sftpd_anon_write',`
+@@ -133,7 +163,7 @@ tunable_policy(`sftpd_anon_write',`
# ftpd local policy
#
@@ -38238,7 +38279,7 @@ index 8a74a83..3bc14c3 100644
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
-@@ -151,7 +174,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+@@ -151,7 +181,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
@@ -38246,7 +38287,7 @@ index 8a74a83..3bc14c3 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -163,13 +185,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
+@@ -163,13 +192,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
@@ -38262,7 +38303,7 @@ index 8a74a83..3bc14c3 100644
# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -196,9 +218,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
+@@ -196,9 +225,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
@@ -38274,7 +38315,7 @@ index 8a74a83..3bc14c3 100644
corenet_sendrecv_ftp_server_packets(ftpd_t)
domain_use_interactive_fds(ftpd_t)
-@@ -212,13 +233,11 @@ fs_search_auto_mountpoints(ftpd_t)
+@@ -212,13 +240,11 @@ fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
fs_search_fusefs(ftpd_t)
@@ -38290,16 +38331,20 @@ index 8a74a83..3bc14c3 100644
init_rw_utmp(ftpd_t)
-@@ -261,7 +280,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+@@ -261,7 +287,11 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
tunable_policy(`allow_ftpd_full_access',`
allow ftpd_t self:capability { dac_override dac_read_search };
- auth_manage_all_files_except_shadow(ftpd_t)
+ files_manage_non_security_files(ftpd_t)
++')
++
++tunable_policy(`ftpd_connect_all_unreserved',`
++ corenet_tcp_connect_all_unreserved_ports(ftpd_t)
')
tunable_policy(`ftp_home_dir',`
-@@ -270,10 +289,13 @@ tunable_policy(`ftp_home_dir',`
+@@ -270,10 +300,13 @@ tunable_policy(`ftp_home_dir',`
# allow access to /home
files_list_home(ftpd_t)
userdom_read_user_home_content_files(ftpd_t)
@@ -38317,7 +38362,7 @@ index 8a74a83..3bc14c3 100644
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,6 +331,10 @@ optional_policy(`
+@@ -309,6 +342,10 @@ optional_policy(`
')
optional_policy(`
@@ -38328,7 +38373,7 @@ index 8a74a83..3bc14c3 100644
selinux_validate_context(ftpd_t)
kerberos_keytab_template(ftpd, ftpd_t)
-@@ -316,6 +342,25 @@ optional_policy(`
+@@ -316,6 +353,25 @@ optional_policy(`
')
optional_policy(`
@@ -38354,7 +38399,7 @@ index 8a74a83..3bc14c3 100644
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
optional_policy(`
-@@ -347,16 +392,17 @@ optional_policy(`
+@@ -347,16 +403,17 @@ optional_policy(`
# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -38374,7 +38419,7 @@ index 8a74a83..3bc14c3 100644
########################################
#
-@@ -365,18 +411,33 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +422,33 @@ userdom_use_user_terminals(ftpdctl_t)
files_read_etc_files(sftpd_t)
@@ -38411,7 +38456,7 @@ index 8a74a83..3bc14c3 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,7 +455,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,7 +466,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -58033,7 +58078,7 @@ index 7e94c7c..5700fb8 100644
+ admin_pattern($1, mail_spool_t)
+')
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
-index 22dac1f..1c27bd6 100644
+index 22dac1f..75081a5 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
@@ -58072,9 +58117,14 @@ index 22dac1f..1c27bd6 100644
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
-@@ -129,6 +130,9 @@ optional_policy(`
+@@ -128,7 +129,14 @@ optional_policy(`
+ ')
optional_policy(`
++ dovecot_write_inherited_tmp_files(sendmail_t)
++')
++
++optional_policy(`
exim_domtrans(sendmail_t)
+ exim_manage_spool_files(sendmail_t)
+ exim_manage_spool_dirs(sendmail_t)
@@ -58082,7 +58132,7 @@ index 22dac1f..1c27bd6 100644
')
optional_policy(`
-@@ -149,7 +153,9 @@ optional_policy(`
+@@ -149,7 +157,9 @@ optional_policy(`
')
optional_policy(`
@@ -58092,7 +58142,7 @@ index 22dac1f..1c27bd6 100644
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
')
-@@ -168,20 +174,13 @@ optional_policy(`
+@@ -168,20 +178,13 @@ optional_policy(`
')
optional_policy(`
@@ -66827,7 +66877,7 @@ index c6fdab7..41198a4 100644
cron_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..59742f4 100644
+index 28ad538..40f76db 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -5,6 +5,7 @@
@@ -66846,7 +66896,16 @@ index 28ad538..59742f4 100644
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
-@@ -45,5 +47,4 @@ ifdef(`distro_gentoo', `
+@@ -39,11 +41,13 @@ ifdef(`distro_gentoo', `
+ /var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0)
+ /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
+
++/var/lib/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++/var/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++
+ /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
+ /var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0)
+ /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
@@ -71360,7 +71419,7 @@ index 831b909..efe1038 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..5684c8a 100644
+index b6ec597..8c7803a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -5,6 +5,13 @@ policy_module(logging, 1.17.2)
@@ -71512,7 +71571,7 @@ index b6ec597..5684c8a 100644
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -426,10 +466,20 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -426,9 +466,18 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@@ -71529,11 +71588,9 @@ index b6ec597..5684c8a 100644
+domain_read_all_domains_state(syslogd_t)
domain_use_interactive_fds(syslogd_t)
-+domain_read_all_domains_state(syslogd_t)
files_read_etc_files(syslogd_t)
- files_read_usr_files(syslogd_t)
-@@ -448,6 +498,7 @@ term_write_console(syslogd_t)
+@@ -448,6 +497,7 @@ term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
@@ -71541,7 +71598,7 @@ index b6ec597..5684c8a 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -459,6 +510,7 @@ init_use_fds(syslogd_t)
+@@ -459,6 +509,7 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -71549,7 +71606,7 @@ index b6ec597..5684c8a 100644
miscfiles_read_localization(syslogd_t)
-@@ -496,11 +548,20 @@ optional_policy(`
+@@ -496,11 +547,20 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c49e147..4bb53d5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 72%{?dist}
+Release: 73%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Jan 20 2012 Miroslav Grepl 3.10.0-73
+- Backport colord policy from F17
+
* Mon Jan 16 2012 Miroslav Grepl 3.10.0-72
- Allow deltacloudd dac_override, setuid, setgid caps
- Allow aisexec to execute shell