diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 1c68fc8..eb91778 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -1,2135 +1,5 @@ -diff --git a/Changelog b/Changelog -index 5fcca55..672e632 100644 ---- a/Changelog -+++ b/Changelog -@@ -1,216 +1,952 @@ --* Wed Apr 24 2013 Chris PeBenito - 2.20130424 --Chris PeBenito (78): -- Mcelog update from Guido Trentalancia. -- Add bird contrib module from Dominick Grift. -- Minor whitespace fix in udev.fc -- Module version bump for udev binary location update from Sven Vermeulen. -- clarify the file_contexts.subs_dist configuration file usage from Guido -- Trentalancia -- Update contrib. -- Remove trailing / from paths -- Module version bump for fc substitutions optimizations from Sven -- Vermeulen. -- Update contrib. -- Module version bump for /run/dhcpc directory creation by dhcp from Sven -- Vermeulen. -- Module version bump for fc fixes in devices module from Dominick Grift. -- Update contrib. -- Module version bump for /dev/mei type and label from Dominick Grift. -- Module version bump for init_daemon_run_dirs usage from Sven Vermeulen. -- Module version bump for lost+found labeling in /var/log from Guido -- Trentalancia. -- Module version bump for loop-control patch. -- Turn off all tunables by default, from Guido Trentalancia. -- Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH. -- Module version bump for various changes from Sven Vermeulen. -- Module version bump for ports update from Dominick Grift. -- Module version bump for Debian file context updates from Laurent -- Bigonville. -- Update contrib. -- Update contrib. -- split kmod fc into two lines. -- Module version bump for kmod fc from Laurent Bigonville. -- Module version bump for cfengine fc change from Dominick Grift. -- Module verision bump for Debian cert file fc update from Laurent -- Bigonville. -- Module version bump for ipsec net sysctls reading from Miroslav Grepl. -- Module version bump for srvloc port definition from Dominick Grift. -- Rename cachefiles_dev_t to cachefiles_device_t. -- Module version bump for cachefiles core support. 
-- Module version bump for changes from Dominick Grift and Sven Vermeulen. -- Module version bump for modutils patch from Dominick Grift. -- Module version bump for dhcp6 ports, from Russell Coker. -- Rearrange new xserver interfaces. -- Rename new xserver interfaces. -- Module version bump for xserver interfaces from Dominick Grift. -- Move kernel_stream_connect() declaration. -- Module version bump for kernel_stream_connect() from Dominick Grift. -- Rename logging_search_all_log_dirs to logging_search_all_logs -- Module version bump for minor logging and sysnet changes from Sven -- Vermeulen. -- Module version bump for dovecot libs from Mika Pflueger. -- Rearrange interfaces in files, clock, and udev. -- Module version bump for interfaces used by virt from Dominick Grift. -- Module version bump for arping setcap from Dominick Grift. -- Rearrange devices interfaces. -- Module version bump/contrib sync. -- Rearrange lines. -- Module version bump for user home content fixes from Dominick Grift. -- Rearrange files interfaces. -- Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen. -- Update contrib. -- Whitespace fix in miscfiles.fc. -- Adjust man cache interface names. -- Module version bump for man cache from Dominick Grift. -- Module version bump for Debian ssh-keysign location from Laurent -- Bigonville. -- Module version bump for userdomain portion of XDG updates from Dominick -- Grift. -- Module version bump for iptables fc entry from Sven Vermeulen and inn log -- from Dominick Grift. -- Module version bump for logging and tcpdump fixes from Sven Vermeulen. -- Move mcs_constrained() impementation. -- Module version bump for mcs_constrained from Dominick Grift. -- Update contrib. -- Module version bump from Debian changes from Laurent Bigonville. -- Module version bump for zfs labeling from Matthew Thode. -- Module version bump for misc updates from Sven Vermeulen. -- Update contrib. -- Module version bump for fixes from Dominick Grift. 
-- Module version bump for Debian updates from Laurent Bigonville. -- Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai. -- Update contrib -- Fix fc_sort.c warning uncovered by recent gcc -- Module version bump for chfn fixes from Sven Vermeulen. -- Add swapoff fc entry. -- Add conntrack fc entry. -- Update contrib. -- Update contrib -- Archive old Changelog for log format change. -- Bump module versions for release. -- --Dominick Grift (40): -- There can be more than a single watchdog interface -- Fix a suspected typo -- Intel® Active Management Technology -- Declare a loop control device node type and label /dev/loop-control -- accordingly -- Declare port types for ports used by Fedora but use /etc/services for port -- names rather than using fedora port names. If /etc/services does not -- have a port name for a port used by Fedora, skip for now. -- Remove var_log_t file context spec -- svrloc port type declaration from slpd policy module -- Declare a cachfiles device node type -- Implement files_create_all_files_as() for cachefilesd -- Restricted Xwindows user domains run windows managers in the windows -- managers domain -- Declare a cslistener port type for phpfpm -- Changes to the sysnetwork policy module -- Changes to the userdomain policy module -- Changes to the bootloader policy module -- Changes to the modutils policy module -- Changes to the xserver policy module -- Changes to various policy modules -- Changes to the kernel policy module -- For svirt_lxc_domain -- For svirt_lxc_domain -- For svirt_lxc_domain -- For virtd lxc -- For virtd_lxc -- For virtd_lxc -- For virtd lxc -- For virtd lxc -- For virtd -- Arping needs setcap to cap_set_proc -- For virtd -- Changes to the user domain policy module -- Samhain_admin() now requires a role for the role_transition from $1 to -- initrc_t via samhain_initrc_exec_t -- Changes to the user domain policy module -- Label /var/cache/man with a private man cache type for mandb -- Create a 
attribute user_home_content_type and assign it to all types that -- are classified userdom_user_home_content() -- These two attribute are unused -- System logger creates innd log files with a named file transition -- Implement mcs_constrained_type -- Changes to the init policy module -- Changes to the userdomain policy module -- NSCD related changes in various policy modules -- --Guido Trentalancia (1): -- add lost+found filesystem labels to support NSA security guidelines -- --Laurent Bigonville (21): -- Add Debian locations for GDM 3 -- Add Debian location for udisks helpers -- Add insmod_exec_t label for kmod executable -- Add Debian location for PKI files -- Add Debian location for ssh-keysign -- Properly label all the ssh host keys -- Allow udev_t domain to read files labeled as consolekit_var_run_t -- authlogin.if: Add auth_create_pam_console_data_dirs and -- auth_pid_filetrans_pam_var_console interfaces -- Label /etc/rc.d/init.d/x11-common as xdm_exec_t -- Drop /etc/rc.d/init.d/xfree86-common filecontext definition -- Label /var/run/shm as tmpfs_t for Debian -- Label /var/run/motd.dynamic as initrc_var_run_t -- Label /var/run/initctl as initctl_t -- udev.if: Call files_search_pid instead of files_search_var_lib in -- udev_manage_pid_files -- Label executables in /usr/lib/NetworkManager/ as bin_t -- Add support for rsyslog -- Label var_lock_t as a mountpoint -- Add mount_var_run_t type and allow mount_t domain to manage the files and -- directories -- Add initrc_t to use block_suspend capability -- Label executables under /usr/lib/gnome-settings-daemon/ as bin_t -- Label nut drivers that are installed in /lib/nut on Debian as bin_t -- --Matthew Thode (1): -- Implement zfs support -- --Mika Pflüger (2): -- Debian locations of gvfs and kde4 libexec binaries in /usr/lib -- Explicitly label dovecot libraries lib_t for debian -- --Miroslav Grepl (1): -- Allow ipsec to read kernel sysctl -- --Paul Moore (1): -- flask: add the attach_queue permission to the 
tun_socket object class -- --Russell Coker (1): -- Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for -- client control -- --Sven Vermeulen (27): -- New location for udevd binary -- Use substititions for /usr/local/lib and /etc/init.d -- DHCP client's hooks create /run/dhcpc directory -- Introduce init_daemon_run_dir transformation -- Use the init_daemon_run_dir interface for udev -- Allow initrc_t to create run dirs for core modules -- Puppet uses mount output for verification -- Allow syslogd to create /var/lib/syslog and -- /var/lib/misc/syslog-ng.persist -- Gentoo's openrc does not require initrc_exec_t for runscripts anymore -- Allow init scripts to read courier configuration -- Allow search within postgresql var directory for the stream connect -- interface -- Introduce logging_getattr_all_logs interface -- Introduce logging_search_all_log_dirs interface -- Support flushing routing cache -- Allow init to set attributes on device_t -- Introduce files_manage_all_pids interface -- Gentoo openrc migrates /var/run and /var/lock data to /run(/lock) -- Update files_manage_generic_locks with directory permissions -- Run ipset in iptables domain -- tcpdump chroots into /var/lib/tcpdump -- Remove generic log label for cron location -- Postgresql 9.2 connects to its unix stream socket -- lvscan creates the /run/lock/lvm directory if nonexisting (v2) -- Allow syslogger to manage cron log files (v2) -- Allow initrc_t to read stunnel configuration -- Introduce exec-check interfaces for passwd binaries and useradd binaries -- chfn_t reads in file context information and executes nscd -+- Mcelog update from Guido Trentalancia. -+- Added contrib modules: -+ bird (Dominick Grift) - -+* Wed Jul 25 2012 Chris PeBenito - 2.20120725 -+- Rename epollwakeup capability2 permission to block_suspend to match the -+ corresponding kernel capability rename. -+- Udev and init changes to support /run, from Sven Vermeulen. -+- auth_use_nsswitch updates from Miroslav Grepl. 
-+- Mount runtime files fix from Guido Trentalancia. -+- Update Python scripts to support Python 3, from Sven Vermeulen. -+- Update capability2 object class for new wake_alarm and epollwakeup -+ capabilities. -+- SEPostgresql updates from Kohei KaiGai. -+- Simplify file contexts based on file context path substitutions, from Sven -+ Vermeulen. -+- Add optional name for kernel and system filetrans interfaces. -+- Non-auth file attribute to eliminate set expressions, from James Carter. -+- Virt updates from Sven Vermeulen. -+- Various dontaudits from Sven Vermeulen. -+- Fix base module and monolithic role declaration ordering issue now that -+ role declarations must be explicit, from Harry Ciao. -+- Added contrib modules: -+ bacula (Stan Sander/Sven Vermeulen) -+ bcfg2 (Miroslav Grepl) -+ blueman (Miroslav Grepl) -+ -+* Wed Feb 15 2012 Chris PeBenito - 2.20120215 -+- Sshd usage of mkhomedir_helper via oddjob, from Sven Vermeulen. -+- Add slim and lxdm file contexts to xserver, from Sven Vermeulen. -+- Add userdom interfaces for user application domains, user tmp files, -+ and user tmpfs files. -+- Asterisk administration fixes from Sven Vermeulen. -+- Fix makefiles to install files with the correct DAC permissions if the -+ umask is not 022. -+- Remove deprecated support macros. -+- Remove rolemap and per-role template support. -+- Change corenetwork port declaration to apply the reserved port type -+ attribute only, when the type has ports above and below 1024. -+- Change secure_mode_policyload to disable only toggling of this Boolean -+ rather than disabling all Boolean toggling permissions. -+- Use role attributes to assist with domain transitions in interactive -+ programs. -+- Milter ports patch from Paul Howarth. -+- Separate portage fetch rules out of portage_run() and portage_domtrans() -+ from Sven Vermeulen. -+- Enhance corenetwork network_port() macro to support ports that do not have -+ a well defined port number, such as stunnel. 
-+- Opendkim support in dkim module from Paul Howarth. -+- Wireshark updates from Sven Vermeulen. -+- Change secure_mode_insmod to control sys_module capability rather than -+ controlling domain transitions to insmod. -+- Openrc and portage updates from Sven Vermeulen. -+- Allow user and role changes on dynamic transitions with the same -+ constraints as regular transitions. -+- New git service features from Dominick Grift. -+- Corenetwork policy size optimization from Dan Walsh. -+- Silence spurious udp_socket listen denials. -+- Fix unexpanded MLS/MCS fields in monolithic seusers file. -+- Type transition fix in Postgresql database objects from KaiGai Kohei. -+- Support for file context path substitutions (file_contexts.subs). -+- Added contrib modules: -+ glance (Dan Walsh) -+ rhsmcertd (Dan Walsh) -+ sanlock (Dan Walsh) -+ sblim (Dan Walsh) -+ uuidd (Dan Walsh) -+ vdagent (Dan Walsh) -+ -+* Tue Jul 26 2011 Chris PeBenito - 2.20110726 -+- Fix role declarations to handle role attribute compilers. -+- Rename audioentropy module to entropyd due to haveged support. -+- Add haveged support from Sven Vermeulen. -+- Authentication file patch from Matthew Ife. -+- Add agent support to zabbix from Sven Vermeulen. -+- Cyrus file context update for Gentoo from Corentin Labbe. -+- Portage updates from Sven Vermeulen. -+- Fix init_system_domain() description, pointed out by Elia Pinto. -+- Postgresql selabel_lookup update from KaiGai Kohei. -+- Dovecot managesieve support from Mika Pfluger. -+- Semicolon after interface/template calls cleanup from Elia Pinto. -+- Gentoo courier updates from Sven Vermeulen. -+- Amavis patch for connecting to nslcd from Miroslav Grepl. -+- Shorewall patch from Miroslav Grepl. -+- Cpufreqselector dbus patch from Guido Trentalancia. -+- Cron pam_namespace and pam_loginuid support from Harry Ciao. -+- Xserver update for startx from Sven Vermeulen. -+- Fix MLS constraint for contains permission from Harry Ciao. 
-+- Apache user webpages fix from Dominick Grift. -+- Change default build.conf to modular policy from Stephen Smalley. -+- Xen refinement patch from Stephen Smalley. -+- Sudo timestamp file location update from Sven Vermeulen. -+- XServer keyboard event patch from Sven Vermeulen. -+- RAID uevent patch from Sven Vermeulen. -+- Gentoo ALSA init script usage patch from Sven Vermeulen. -+- LVM semaphore usage patch from Sven Vermeulen. -+- Module load request patch for insmod from Sven Vermeulen. -+- Cron default contexts fix from Harry Ciao. -+- Man page fixes from Justin Mattock. -+- Add syslog capability. -+- Support for logging in to /dev/console, from Harry Ciao. -+- Database object class updates and associated SEPostgreSQL changes from -+ KaiGai Kohei. -+- IPSEC SPD and Hadoop IPSEC updates from Paul Nuzzi. -+- Mount updates from Harry Ciao. -+- Semanage update for MLS systems from Harry Ciao. -+- Vlock terminal use update from Harry Ciao. -+- Hadoop CDH3 updates from Paul Nuzzi. -+- Add sepgsql_contexts appconfig files from KaiGai Kohei. -+- Added modules: -+ aiccu -+ bugzilla (Dan Walsh) -+ colord (Dan Walsh) -+ cmirrord (Miroslav Grepl) -+ mediawiki (Miroslav Grepl) -+ mpd (Miroslav Grepl) -+ ncftool -+ passenger (Miroslav Grepl) -+ qpid (Dan Walsh) -+ samhain (Harry Ciao) -+ telepathy (Dominick Grift) -+ tcsd (Stephen Smalley) -+ vnstatd (Dan Walsh) -+ zarafa (Miroslav Grepl) -+ -+* Mon Dec 13 2010 Chris PeBenito - 2.20101213 -+- Git man page from Dominick Grift. -+- Alsa and oident home content cleanup from Dominick Grift. -+- Add support for custom build options. -+- Unconditional staff and user oidentd home config access from Dominick Grift. -+- Conditional mmap_zero support from Dominick Grift. -+- Added devtmpfs support. -+- Dbadm updates from KaiGai Kohei. -+- Virtio disk file context update from Mika Pfluger. -+- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh. -+- Add JIT usage for freshclam. 
-+- Remove ethereal module since the application was renamed to wireshark. -+- Remove duplicate/redundant rules, from Russell Coker. -+- Increased default number of categories to 1024, from Russell Coker. -+- Added modules: -+ accountsd (Dan Walsh) -+ cgroup (Dominick Grift) -+ hadoop (Paul Nuzzi) -+ kdumpgui (Dan Walsh) -+ livecd (Dan Walsh) -+ mojomojo (Iain Arnell) -+ sambagui (Dan Walsh) -+ shutdown (Dan Walsh) -+ sosreport (Dan Walsh) -+ vlock (Harry Ciao) -+ -+* Mon May 24 2010 Chris PeBenito - 2.20100524 -+- Merged a significant portion of Fedora policy. -+- Move rules from mta mailserver delivery from interface to .te to use -+ attributes. -+- Remove concept of users from terminal module interfaces since the -+ attributes are not specific to users. -+- Add non-drawing X client support, for consolekit usage. -+- Misc Gentoo fixes from Chris Richards. -+- AFS and abrt fixes from Dominick Grift. -+- Improved the XML docs of 55 most-used interfaces. -+- Apcupsd and amavis fixes from Dominick Grift. -+- Fix network_port() in corenetwork to correctly handle port ranges. -+- SE-Postgresql updates from KaiGai Kohei. -+- X object manager revisions from Eamon Walsh. -+- Added modules: -+ aisexec (Dan Walsh) -+ chronyd (Miroslav Grepl) -+ cobbler (Dominick Grift) -+ corosync (Dan Walsh) -+ dbadm (KaiGai Kohei) -+ denyhosts (Dan Walsh) -+ nut (Stefan Schulze Frielinghaus, Miroslav Grepl) -+ likewise (Scott Salley) -+ plymouthd (Dan Walsh) -+ pyicqt (Stefan Schulze Frielinghaus) -+ rhcs (Dan Walsh) -+ rgmanager (Dan Walsh) -+ sectoolm (Miroslav Grepl) -+ usbmuxd (Dan Walsh) -+ vhostmd (Dan Walsh) -+ -+* Tue Nov 17 2009 Chris PeBenito - 2.20091117 -+- Add separate x_pointer and x_keyboard classes inheriting from x_device. -+ From Eamon Walsh. -+- Deprecated the userdom_xwindows_client_template(). -+- Misc Gentoo fixes from Corentin Labbe. -+- Debian policykit fixes from Martin Orr. -+- Fix unconfined_r use of unconfined_java_t. 
-+- Add missing x_device rules for XI2 functions, from Eamon Walsh. -+- Add missing rules to make unconfined_cronjob_t a valid cron job domain. -+- Add btrfs and ext4 to labeling targets. -+- Fix infrastructure to expand macros in initrc_context when installing. -+- Handle unix_chkpwd usage by useradd and groupadd. -+- Add missing compatibility aliases for xdm_xserver*_t types. -+- Added modules: -+ abrt (Dan Walsh) -+ dkim (Stefan Schulze Frielinghaus) -+ gitosis (Miroslav Grepl) -+ gnomeclock (Dan Walsh) -+ hddtemp (Dan Walsh) -+ kdump (Dan Walsh) -+ modemmanager(Dan Walsh) -+ nslcd (Dan Walsh) -+ puppet (Craig Grube) -+ rtkit (Dan Walsh) -+ seunshare (Dan Walsh) -+ shorewall (Dan Walsh) -+ tgtd (Matthew Ife) -+ tuned (Miroslav Grepl) -+ xscreensaver (Corentin Labbe) -+ -+* Thu Jul 30 2009 Chris PeBenito - 2.20090730 -+- Gentoo fixes for init scripts and system startup. -+- Remove read_default_t tunable. -+- Greylist milter from Paul Howarth. -+- Crack db access for su to handle password expiration, from Brandon Whalen. -+- Misc fixes for unix_update from Brandon Whalen. -+- Add x_device permissions for XI2 functions, from Eamon Walsh. -+- MLS constraints for the x_selection class, from Eamon Walsh. -+- Postgresql updates from KaiGai Kohei. -+- Milter state directory patch from Paul Howarth. -+- Add MLS constrains for ingress/egress and secmark from Paul Moore. -+- Drop write permission from fs_read_rpc_sockets(). -+- Remove unused udev_runtime_t type. -+- Patch for RadSec port from Glen Turner. -+- Enable network_peer_controls policy capability from Paul Moore. -+- Btrfs xattr support from Paul Moore. -+- Add db_procedure install permission from KaiGai Kohei. -+- Add support for network interfaces with access controlled by a Boolean -+ from the CLIP project. -+- Several fixes from the CLIP project. -+- Add support for labeled Booleans. -+- Remove node definitions and change node usage to generic nodes. -+- Add kernel_service access vectors, from Stephen Smalley. 
-+- Added modules: -+ certmaster (Dan Walsh) -+ cpufreqselector (Dan Walsh) -+ devicekit (Dan Walsh) -+ fprintd (Dan Walsh) -+ git (Dan Walsh) -+ gpsd (Miroslav Grepl) -+ guest (Dan Walsh) -+ ifplugd (Dan Walsh) -+ lircd (Miroslav Grepl) -+ logadm (Dan Walsh) -+ pads (Dan Walsh) -+ pingd (Dan Walsh) -+ policykit (Dan Walsh) -+ pulseaudio (Dan Walsh) -+ psad (Dan Walsh) -+ portreserve (Dan Walsh) -+ sssd (Dan Walsh) -+ ulogd (Dan Walsh) -+ varnishd (Dan Walsh) -+ webadm (Dan Walsh) -+ wm (Dan Walsh) -+ xguest (Dan Walsh) -+ zosremote (Dan Walsh) -+ -+* Wed Dec 10 2008 Chris PeBenito - 2.20081210 -+- Fix consistency of audioentropy and iscsi module naming. -+- Debian file context fix for xen from Russell Coker. -+- Xserver MLS fix from Eamon Walsh. -+- Add omapi port for dhcpcd. -+- Deprecate per-role templates and rolemap support. -+- Implement user-based access control for use as role separations. -+- Move shared library calls from individual modules to the domain module. -+- Enable open permission checks policy capability. -+- Remove hierarchy from portage module as it is not a good example of -+ hieararchy. -+- Remove enableaudit target from modular build as semodule -DB supplants it. -+- Added modules: -+ milter (Paul Howarth) -+ -+* Tue Oct 14 2008 Chris PeBenito - 20081014 -+- Debian update for NetworkManager/wpa_supplicant from Martin Orr. -+- Logrotate and Bind updates from Vaclav Ovsik. -+- Init script file and domain support. -+- Glibc 2.7 fix from Vaclav Ovsik. -+- Samba/winbind update from Mike Edenfield. -+- Policy size optimization with a non-security file attribute from James -+ Carter. -+- Database labeled networking update from KaiGai Kohei. -+- Several misc changes from the Fedora policy, cherry picked by David -+ Hardeman. -+- Large whitespace fix from Dominick Grift. -+- Pam_mount fix for local login from Stefan Schulze Frielinghaus. -+- Issuing commands to upstart is over a datagram socket, not the initctl -+ named pipe. 
Updated init_telinit() to match. -+- Added modules: -+ cyphesis (Dan Walsh) -+ memcached (Dan Walsh) -+ oident (Dominick Grift) -+ w3c (Dan Walsh) -+ -+* Wed Jul 02 2008 Chris PeBenito - 20080702 -+- Fix httpd_enable_homedirs to actually provide the access it is supposed to -+ provide. -+- Add unused interface/template parameter metadata in XML. -+- Patch to handle postfix data_directory from Vaclav Ovsik. -+- SE-Postgresql policy from KaiGai Kohei. -+- Patch for X.org dbus support from Martin Orr. -+- Patch for labeled networking controls in 2.6.25 from Paul Moore. -+- Module loading now requires setsched on kernel threads. -+- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik. -+- X application data class from Eamon Walsh and Ted Toth. -+- Move user roles into individual modules. -+- Make hald_log_t a log file. -+- Cryptsetup runs shell scripts. Patch from Martin Orr. -+- Add file for enabling policy capabilities. -+- Patch to fix leaky interface/template call depth calculator from Vaclav -+ Ovsik. -+- Added modules: -+ kerneloops (Dan Walsh) -+ kismet (Dan Walsh) -+ podsleuth (Dan Walsh) -+ prelude (Dan Walsh) -+ qemu (Dan Walsh) -+ virt (Dan Walsh) -+ -+* Wed Apr 02 2008 Chris PeBenito - 20080402 -+- Add core Security Enhanced X Windows support. -+- Fix winbind socket connection interface for default location of the -+ sock_file. -+- Add wireshark module based on ethereal module. -+- Revise upstart support in init module to use a tunable, as upstart is now -+ used in Fedora too. -+- Add iferror.m4 rather generate it out of the Makefiles. -+- Definitions for open permisson on file and similar objects from Eric -+ Paris. -+- Apt updates for ptys and logs, from Martin Orr. -+- RPC update from Vaclav Ovsik. -+- Exim updates on Debian from Devin Carrawy. -+- Pam and samba updates from Stefan Schulze Frielinghaus. -+- Backup update on Debian from Vaclav Ovsik. -+- Cracklib update on Debian from Vaclav Ovsik. 
-+- Label /proc/kallsyms with system_map_t. -+- 64-bit capabilities from Stephen Smalley. -+- Labeled networking peer object class updates. -+ -+* Fri Dec 14 2007 Chris PeBenito - 20071214 -+- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik. -+- Improve several tunables descriptions from Dan Walsh. -+- Patch to clean up ns switch usage in the policy from Dan Walsh. -+- More complete labeled networking infrastructure from KaiGai Kohei. -+- Add interface for libselinux constructor, for libselinux-linked -+ SELinux-enabled programs. -+- Patch to restructure user role templates to create restricted user roles -+ from Dan Walsh. -+- Russian man page translations from Andrey Markelov. -+- Remove unused types from dbus. -+- Add infrastructure for managing all user web content. -+- Deprecate some old file and dir permission set macros in favor of the -+ newer, more consistently-named macros. -+- Patch to clean up unescaped periods in several file context entries from -+ Jan-Frode Myklebust. -+- Merge shlib_t into lib_t. -+- Merge strict and targeted policies. The policy will now behave like the -+ strict policy if the unconfined module is not present. If it is, it will -+ behave like the targeted policy. Added an unconfined role to have a mix -+ of confined and unconfined users. -+- Added modules: -+ exim (Dan Walsh) -+ postfixpolicyd (Jan-Frode Myklebust) -+ -+* Fri Sep 28 2007 Chris PeBenito - 20070928 -+- Add support for setting the unknown permissions handling. -+- Fix XML building for external reference builds and headers builds. -+- Patch to add missing requirements in userdomain interfaces from Shintaro -+ Fujiwara. -+- Add tcpd_wrapped_domain() for services that use tcp wrappers. -+- Update MLS constraints from LSPP evaluated policy. -+- Allow initrc_t file descriptors to be inherited regardless of MLS level. -+ Accordingly drop MLS permissions from daemons that inherit from any level. 
-+- Files and radvd updates from Stefan Schulze Frielinghaus. -+- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with -+ mls_write_all_levels() and mls_read_all_levels(), for consistency. -+- Add make kernel and init ranged interfaces pass the range transition MLS -+ constraints. Also remove calls to mls_rangetrans_target() in modules that use -+ the kernel and init interfaces, since its redundant. -+- Add interfaces for all MLS attributes except X object classes. -+- Require all sensitivities and categories for MLS and MCS policies, not just -+ the low and high sensitivity and category. -+- Database userspace object manager classes from KaiGai Kohei. -+- Add third-party interface for Apache CGI. -+- Add getserv and shmemserv nscd permissions. -+- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus. -+- Added modules: -+ application -+ awstats (Stefan Schulze Frielinghaus) -+ bitlbee (Devin Carraway) -+ brctl (Dan Walsh) -+ -+* Fri Jun 29 2007 Chris PeBenito - 20070629 -+- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the -+ libraries module. -+- Unified labeled networking policy from Paul Moore. -+- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. -+- Xen updates from Dan Walsh. -+- Filesystem updates from Dan Walsh. -+- Large samba update from Dan Walsh. -+- Drop snmpd_etc_t. -+- Confine sendmail and logrotate on targeted. -+- Tunable connection to postgresql for users from KaiGai Kohei. -+- Memprotect support patch from Stephen Smalley. -+- Add logging_send_audit_msgs() interface and deprecate -+ send_audit_msgs_pattern(). -+- Openct updates patch from Dan Walsh. -+- Merge restorecon into setfiles. -+- Patch to begin separating out hald helper programs from Dan Walsh. -+- Fixes for squid, dovecot, and snmp from Dan Walsh. -+- Miscellaneous consolekit fixes from Dan Walsh. -+- Patch to have avahi use the nsswitch interface rather than individual -+ permissions from Dan Walsh. 
-+- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh. -+- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes -+ to handle usage from userhelper from Dan Walsh. -+- Patch to allow amavis to read spamassassin libraries from Dan Walsh. -+- Patch to allow slocate to getattr other filesystems and directories on those -+ filesystems from Dan Walsh. -+- Fixes for RHEL4 from the CLIP project. -+- Replace the old lrrd fc entries with munin ones. -+- Move program admin template usage out of userdom_admin_user_template() to -+ sysadm policy in userdomain.te to fix usage of the template for third -+ parties. -+- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a -+ template instead of an interface. -+- Added modules: -+ amtu (Dan Walsh) -+ apcupsd (Dan Walsh) -+ rpcbind (Dan Walsh) -+ rwho (Nalin Dahyabhai) -+ -+* Tue Apr 17 2007 Chris PeBenito - 20070417 -+- Patch for sasl's use of kerberos from Dan Walsh. -+- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh. -+- Man page updates from Dan Walsh. -+- Two patches from Paul Moore to for ipsec to remove redundant rules and -+ have setkey read the config file. -+- Move booleans and tunables to modules when it is only used in a single -+ module. -+- Add support for tunables and booleans local to a module. -+- Merge sbin_t and ls_exec_t into bin_t. -+- Remove disable_trans booleans. -+- Output different header sets for kernel and userland from flask headers. -+- Marked the pax class as deprecated, changed it to userland so -+ it will be removed from the kernel. -+- Stop including netfilter contexts by default. -+- Add dontaudits for init fds and console to init_daemon_domain(). -+- Patch to allow gpg to create user keys dir. -+- Patch to support kvmfs from Dan Walsh. -+- Patch for misc fixes in sudo from Dan Walsh. -+- Patch to fix netlabel recvfrom MLS constraint from Paul Moore. 
-+- Patch for handling restart of nscd when ran from useradd, groupadd, and -+ admin passwd, from Dan Walsh. -+- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh. -+- Patch for setroubleshoot for validating file contexts from Dan Walsh. -+- Patch for gssd fixes from Dan Walsh. -+- Patch for lvm fixes from Dan Walsh. -+- Patch for ricci fixes from Dan Walsh. -+- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh. -+- Patch for kerberized telnet fixes from Dan Walsh. -+- Patch for kerberized ftp and other ftp fixes from Dan Walsh. -+- Patch for an additional wine executable from Dan Walsh. -+- Eight patches for file contexts in games, wine, networkmanager, miscfiles, -+ corecommands, devices, and java from Dan Walsh. -+- Add support for libselinux 2.0.5 init_selinuxmnt() changes. -+- Patch for misc fixes to bluetooth from Dan Walsh. -+- Patch for misc fixes to kerberos from Dan Walsh. -+- Patch to start deprecating usercanread attribute from Ryan Bradetich. -+- Add dccp_socket object class which was added in kernel 2.6.20. -+- Patch for prelink relabefrom it's temp files from Dan Walsh. -+- Patch for capability fix for auditd and networking fix for syslogd from -+ Dan Walsh. -+- Patch to remove redundant mls_trusted_object() call from Dan Walsh. -+- Patch for misc fixes to nis ypxfr policy from Dan Walsh. -+- Patch to allow apmd to telinit from Dan Walsh. -+- Patch for additional labeling of samba files from Stefan Schulze -+ Frielinghaus. -+- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich. -+- Fix ptys and ttys to be device nodes. -+- Fix explicit use of httpd_t in openca_domtrans(). -+- Clean up file context regexes in apache and java, from Eamon Walsh. -+- Patches from Dan Walsh: -+ Thu, 25 Jan 2007 -+- Added modules: -+ consolekit (Dan Walsh) -+ fail2ban (Dan Walsh) -+ zabbix (Dan Walsh) -+ -+* Tue Dec 12 2006 Chris PeBenito - 20061212 -+- Add policy patterns support macros. 
This changes the behavior of -+ the create_dir_perms and create_file_perms permission sets. -+- Association polmatch MLS constraint making unlabeled_t an exception -+ is no longer needed, patch from Venkat Yekkirala. -+- Context contains checking for PAM and cron from James Antill. -+- Add a reload target to Modules.devel and change the load -+ target to only insert modules that were changed. -+- Allow semanage to read from /root on strict non-MLS for -+ local policy modules. -+- Gentoo init script fixes for udev. -+- Allow udev to read kernel modules.inputmap. -+- Dnsmasq fixes from testing. -+- Allow kernel NFS server to getattr filesystems so df can work -+ on clients. -+- Patch from Matt Anderson for a MLS constraint exemption on a -+ file that can be written to from a subject whose range is -+ within the object's range. -+- Enhanced setransd support from Darrel Goeddel. -+- Patches from Dan Walsh: -+ Tue, 24 Oct 2006 -+ Wed, 29 Nov 2006 -+- Added modules: -+ aide (Matt Anderson) -+ ccs (Dan Walsh) -+ iscsi (Dan Walsh) -+ ricci (Dan Walsh) -+ -+* Wed Oct 18 2006 Chris PeBenito - 20061018 -+- Patch from Russell Coker Thu, 5 Oct 2006 -+- Move range transitions to modules. -+- Make number of MLS sensitivities, and number of MLS and MCS -+ categories configurable as build options. -+- Add role infrastructure. -+- Debian updates from Erich Schubert. -+- Add nscd_socket_use() to auth_use_nsswitch(). -+- Remove old selopt rules. -+- Full support for netfilter_contexts. -+- MRTG patch for daemon operation from Stefan. -+- Add authlogin interface to abstract common access for login programs. -+- Remove setbool auditallow, except for RHEL4. -+- Change eventpollfs to task SID labeling. -+- Add key support from Michael LeMay. -+- Add ftpdctl domain to ftp, from Paul Howarth. -+- Fix build system to not move type declarations out of optionals. -+- Add gcc-config domain to portage. -+- Add packet object class and support in corenetwork. 
-+- Add a copy of genhomedircon for monolithic policy building, so that a -+ policycoreutils package update is not required for RHEL4 systems. -+- Add appletalk sockets for use in cups. -+- Add Make target to validate module linking. -+- Make duplicate template and interface declarations a fatal error. -+- Patch to stabilize modules.conf `make conf` output, from Erich Schubert. -+- Move xconsole_device_t from devices to xserver since it is -+ not actually a device, it is a named pipe. -+- Handle nonexistant .fc and .if files in devel Makefile by -+ automatically creating empty files. -+- Remove unused devfs_control_t. -+- Add rhel4 distro, which also implies redhat distro. -+- Remove unneeded range_transition for su_exec_t and move the -+ type declaration back to the su module. -+- Constrain transitions in MCS so unconfined_t cannot have -+ arbitrary category sets. -+- Change reiserfs from xattr filesystem to genfscon as it's xattrs -+ are currently nonfunctional. -+- Change files and filesystem modules to use their own interfaces. -+- Add user fonts to xserver. -+- Additional interfaces in corecommands, miscfiles, and userdomain -+ from Joy Latten. -+- Miscellaneous fixes from Thomas Bleher. -+- Deprecate module name as first parameter of optional_policy() -+ now that optionals are allowed everywhere. -+- Enable optional blocks in base module and monolithic policy. -+ This requires checkpolicy 1.30.1. -+- Fix vpn module declaration. -+- Numerous fixes from Dan Walsh. -+- Change build order to preserve m4 line number information so policy -+ compile errors are useful again. -+- Additional MLS interfaces from Chad Hanson. -+- Move some rules out of domain_type() and domain_base_type() -+ to the TE file, to use the domain attribute to take advantage -+ of space savings from attribute use. -+- Add global stack smashing protector rule for urandom access from -+ Petre Rodan. -+- Fix temporary rules at the bottom of portmap. 
-+- Updated comments in mls file from Chad Hanson. -+- Patches from Dan Walsh: -+ Fri, 17 Mar 2006 -+ Wed, 29 Mar 2006 -+ Tue, 11 Apr 2006 -+ Fri, 14 Apr 2006 -+ Tue, 18 Apr 2006 -+ Thu, 20 Apr 2006 -+ Tue, 02 May 2006 -+ Mon, 15 May 2006 -+ Thu, 18 May 2006 -+ Tue, 06 Jun 2006 -+ Mon, 12 Jun 2006 -+ Tue, 20 Jun 2006 -+ Wed, 26 Jul 2006 -+ Wed, 23 Aug 2006 -+ Thu, 31 Aug 2006 -+ Fri, 01 Sep 2006 -+ Tue, 05 Sep 2006 -+ Wed, 20 Sep 2006 -+ Fri, 22 Sep 2006 -+ Mon, 25 Sep 2006 -+- Added modules: -+ afs -+ amavis (Erich Schubert) -+ apt (Erich Schubert) -+ asterisk -+ audioentropy -+ authbind -+ backup -+ calamaris -+ cipe -+ clamav (Erich Schubert) -+ clockspeed (Petre Rodan) -+ courier -+ dante -+ dcc -+ ddclient -+ dpkg (Erich Schubert) -+ dnsmasq -+ ethereal -+ evolution -+ games -+ gatekeeper -+ gift -+ gnome (James Carter) -+ imaze -+ ircd -+ jabber -+ monop -+ mozilla -+ mplayer -+ munin -+ nagios -+ nessus -+ netlabel (Paul Moore) -+ nsd -+ ntop -+ nx -+ oav -+ oddjob (Dan Walsh) -+ openca -+ openvpn (Petre Rodan) -+ perdition -+ portslave -+ postgrey -+ pxe -+ pyzor (Dan Walsh) -+ qmail (Petre Rodan) -+ razor -+ resmgr -+ rhgb -+ rssh -+ snort -+ soundserver -+ speedtouch -+ sxid -+ thunderbird -+ tor (Erich Schubert) -+ transproxy -+ tripwire -+ uptime -+ uwimap -+ vmware -+ watchdog -+ xen (Dan Walsh) -+ xprint -+ yam -+ -+* Tue Mar 07 2006 Chris PeBenito - 20060307 -+- Make all interface parameters required. -+- Move boot_t, system_map_t, and modules_object_t to files module, -+ and move bootloader to admin layer. -+- Add semanage policy for semodule from Dan Walsh. -+- Remove allow_execmem from targeted policy domain_base_type(). -+- Add users_extra and seusers support. -+- Postfix fixes from Serge Hallyn. -+- Run python and shell directly to interpret scripts so policy -+ sources need not be executable. -+- Add desc tag XML to booleans and tunables, and add summary -+ to param XML tag, to make future translations possible. -+- Remove unused lvm_vg_t. 
-+- Many interface renames to improve naming consistency. -+- Merge xdm into xserver. -+- Remove kernel module reversed interfaces. -+- Add filename attribute to module XML tag and lineno attribute to -+ interface XML tag. -+- Changed QUIET build option to a yes or no option. -+- Add a Makefile used for compiling loadable modules in a -+ user's development environment, building against policy headers. -+- Add Make target for installing policy headers. -+- Separate per-userdomain template expansion from the userdomain -+ module and add infrastructure to expand templates in the modules -+ that own the template. -+- Enable secadm only for MLS policies. -+- Remove role change rules in su and sudo since this functionality has been -+ removed from these programs. -+- Add ctags Make target from Thomas Bleher. -+- Collapse commands with grep piped to sed into one sed command. -+- Fix type_change bug in term_user_pty(). -+- Move ice_tmp_t from miscfiles to xserver. -+- Login fixes from Serge Hallyn. -+- Move xserver_log_t from xdm to xserver. -+- Add lpr per-userdomain policy to lpd. -+- Miscellaneous fixes from Dan Walsh. -+- Change initrc_var_run_t interface noun from script_pid to utmp, -+ for greater clarity. -+- Added modules: -+ certwatch -+ mono (Dan Walsh) -+ mrtg -+ portage -+ tvtime -+ userhelper -+ usernetctl -+ wine (Dan Walsh) -+ xserver -+ -+* Tue Jan 17 2006 Chris PeBenito - 20060117 -+- Adds support for generating corenetwork interfaces based on attributes -+ in addition to types. -+- Permits the listing of multiple nodes in a network_node() that will be -+ given the same type. -+- Add two new permission sets for stream sockets. -+- Rename file type transition interfaces verb from create to -+ filetrans to differentiate it from create interfaces without -+ type transitions. -+- Fix expansion of interfaces from disabled modules. -+- Rsync can be long running from init, -+ added rules to allow this. -+- Add polyinstantiation build option. 
-+- Add setcontext to the association object class. -+- Add apache relay and db connect tunables. -+- Rename texrel_shlib_t to textrel_shlib_t. -+- Add swat to samba module. -+- Numerous miscellaneous fixes from Dan Walsh. -+- Added modules: -+ alsa -+ automount -+ cdrecord -+ daemontools (Petre Rodan) -+ ddcprobe -+ djbdns (Petre Rodan) -+ fetchmail -+ irc -+ java -+ lockdev -+ logwatch (Dan Walsh) -+ openct -+ prelink (Dan Walsh) -+ publicfile (Petre Rodan) -+ readahead -+ roundup -+ screen -+ slocate (Dan Walsh) -+ slrnpull -+ smartmon -+ sysstat -+ ucspitcp (Petre Rodan) -+ usbmodules -+ vbetool (Dan Walsh) -+ -+* Wed Dec 07 2005 Chris PeBenito - 20051207 -+- Add unlabeled IPSEC association rule to domains with -+ networking permissions. -+- Merge systemuser back in to users, as these files -+ do not need to be split. -+- Add check for duplicate interface/template definitions. -+- Move domain, files, and corecommands modules to kernel -+ layer to resolve some layering inconsistencies. -+- Move policy build options out of Makefile into build.conf. -+- Add yppasswd to nis module. -+- Change optional_policy() to refer to the module name -+ rather than modulename.te. -+- Fix labeling targets to use installed file_contexts rather -+ than partial file_contexts in the policy source directory. -+- Fix build process to use make's internal vpath functions -+ to detect modules rather than using subshells and find. -+- Add install target for modular policy. -+- Add load target for modular policy. -+- Add appconfig dependency to the load target. -+- Miscellaneous fixes from Dan Walsh. -+- Fix corenetwork gen_context()'s to expand during the policy -+ build phase instead of during the generation phase. 
-+- Added policies: -+ amanda -+ avahi -+ canna -+ cyrus -+ dbskk -+ dovecot -+ distcc -+ i18n_input -+ irqbalance -+ lpd -+ networkmanager -+ pegasus -+ postfix -+ procmail -+ radius -+ rdisc -+ rpc -+ spamassassin -+ timidity -+ xdm -+ xfs -+ -+* Wed Oct 19 2005 Chris PeBenito - 20051019 -+- Many fixes to make loadable modules build. -+- Add targets for sechecker. -+- Updated to sedoctool to read bool files and tunable -+ files separately. -+- Changed the xml tag of to to be consistent -+ with gen_bool(). -+- Modified the implementation of segenxml to use regular -+ expressions. -+- Rename context_template() to gen_context() to clarify -+ that its not a Reference Policy template, but a support -+ macro. -+- Add disable_*_trans bool support for targeted policy. -+- Add MLS module to handle MLS constraint exceptions, -+ such as reading up and writing down. -+- Fix errors uncovered by sediff. -+- Added policies: -+ anaconda -+ apache -+ apm -+ arpwatch -+ bluetooth -+ dmidecode -+ finger -+ ftp -+ kudzu -+ mailman -+ ppp -+ radvd -+ sasl -+ webalizer -+ -+* Thu Sep 22 2005 Chris PeBenito - 20050922 -+- Make logrotate, sendmail, sshd, and rpm policies -+ unconfined in the targeted policy so no special -+ modules.conf is required. -+- Add experimental MCS support. -+- Add appconfig for MLS. -+- Add equivalents for old can_resolve(), can_ldap(), and -+ can_portmap() to sysnetwork. -+- Fix base module compile issues. -+- Added policies: -+ cpucontrol -+ cvs -+ ktalk -+ portmap -+ postgresql -+ rlogin -+ samba -+ snmp -+ stunnel -+ telnet -+ tftp -+ uucp -+ vpn -+ zebra -+ -+* Wed Sep 07 2005 Chris PeBenito - 20050907 -+- Fix errors uncovered by sediff. -+- Doc tool will explicitly say a module does not have interfaces -+ or templates on the module page. -+- Added policies: -+ comsat -+ dbus -+ dhcp -+ dictd -+ hal -+ inn -+ ntp -+ squid -+ -+* Fri Aug 26 2005 Chris PeBenito - 20050826 -+- Add Makefile support for building loadable modules. 
-+- Add genclassperms.py tool to add require blocks -+ for loadable modules. -+- Change sedoctool to make required modules part of base -+ by default, otherwise make as modules, in modules.conf. -+- Fix segenxml to handle modules with no interfaces. -+- Rename ipsec connect interface for consistency. -+- Add missing parts of unix stream socket connect interface -+ of ipsec. -+- Rename inetd connect interface for consistency. -+- Rename interface for purging contents of tmp, for clarity, -+ since it allows deletion of classes other than file. -+- Misc. cleanups. -+- Added policies: -+ acct -+ bind -+ firstboot -+ gpm -+ howl -+ ldap -+ loadkeys -+ mysql -+ privoxy -+ quota -+ rshd -+ rsync -+ su -+ sudo -+ tcpd -+ tmpreaper -+ updfstab -+ -+* Tue Aug 2 2005 Chris PeBenito - 20050802 -+- Fix comparison bug in fc_sort. -+- Fix handling of ordered and unordered HTML lists. -+- Corenetwork now supports multiple network interfaces having the -+ same type. -+- Doc tool now creates pages for global Booleans and global tunables. -+- Doc tool now links directly to the interface/template in the -+ module page when it is selected in the interface/template index. -+- Added support for layer summaries. -+- Added policies: -+ ipsec -+ nscd -+ pcmcia -+ raid -+ -+* Thu Jul 7 2005 Chris PeBenito - 20050707 -+- Changed xml to have modules encapsulated by layer tags, rather -+ than putting layer="foo" in the module tags. Also in the future -+ we can put a summary and description for each layer. -+- Added tool to infer interface, module, and layer tags. This will -+ now list all interfaces, even if they are missing xml docs. -+- Shortened xml tag names. -+- Added macros to declare interfaces and templates. -+- Added interface call trace. -+- Updated all xml documentation for shorter and inferred tags. -+- Doc tool now displays templates in the web pages. -+- Doc tool retains the user's settings in modules.conf and -+ tunables.conf if the files already exist. 
-+- Modules.conf behavior has been changed to be a list of all -+ available modules, and the user can specify if the module is -+ built as a loadable module, included in the monolithic policy, -+ or excluded. -+- Added policies: -+ fstools (fsck, mkfs, swapon, etc. tools) -+ logrotate -+ inetd -+ kerberos -+ nis (ypbind and ypserv) -+ ssh (server, client, and agent) -+ unconfined -+- Added infrastructure for targeted policy support, only missing -+ transition boolean support. -+ -+* Wed Jun 15 2005 Chris PeBenito - 20050615 -+ - Initial release -diff --git a/Changelog.old b/Changelog.old -deleted file mode 100644 -index 672e632..0000000 ---- a/Changelog.old -+++ /dev/null -@@ -1,952 +0,0 @@ --- Mcelog update from Guido Trentalancia. --- Added contrib modules: -- bird (Dominick Grift) -- --* Wed Jul 25 2012 Chris PeBenito - 2.20120725 --- Rename epollwakeup capability2 permission to block_suspend to match the -- corresponding kernel capability rename. --- Udev and init changes to support /run, from Sven Vermeulen. --- auth_use_nsswitch updates from Miroslav Grepl. --- Mount runtime files fix from Guido Trentalancia. --- Update Python scripts to support Python 3, from Sven Vermeulen. --- Update capability2 object class for new wake_alarm and epollwakeup -- capabilities. --- SEPostgresql updates from Kohei KaiGai. --- Simplify file contexts based on file context path substitutions, from Sven -- Vermeulen. --- Add optional name for kernel and system filetrans interfaces. --- Non-auth file attribute to eliminate set expressions, from James Carter. --- Virt updates from Sven Vermeulen. --- Various dontaudits from Sven Vermeulen. --- Fix base module and monolithic role declaration ordering issue now that -- role declarations must be explicit, from Harry Ciao. 
--- Added contrib modules: -- bacula (Stan Sander/Sven Vermeulen) -- bcfg2 (Miroslav Grepl) -- blueman (Miroslav Grepl) -- --* Wed Feb 15 2012 Chris PeBenito - 2.20120215 --- Sshd usage of mkhomedir_helper via oddjob, from Sven Vermeulen. --- Add slim and lxdm file contexts to xserver, from Sven Vermeulen. --- Add userdom interfaces for user application domains, user tmp files, -- and user tmpfs files. --- Asterisk administration fixes from Sven Vermeulen. --- Fix makefiles to install files with the correct DAC permissions if the -- umask is not 022. --- Remove deprecated support macros. --- Remove rolemap and per-role template support. --- Change corenetwork port declaration to apply the reserved port type -- attribute only, when the type has ports above and below 1024. --- Change secure_mode_policyload to disable only toggling of this Boolean -- rather than disabling all Boolean toggling permissions. --- Use role attributes to assist with domain transitions in interactive -- programs. --- Milter ports patch from Paul Howarth. --- Separate portage fetch rules out of portage_run() and portage_domtrans() -- from Sven Vermeulen. --- Enhance corenetwork network_port() macro to support ports that do not have -- a well defined port number, such as stunnel. --- Opendkim support in dkim module from Paul Howarth. --- Wireshark updates from Sven Vermeulen. --- Change secure_mode_insmod to control sys_module capability rather than -- controlling domain transitions to insmod. --- Openrc and portage updates from Sven Vermeulen. --- Allow user and role changes on dynamic transitions with the same -- constraints as regular transitions. --- New git service features from Dominick Grift. --- Corenetwork policy size optimization from Dan Walsh. --- Silence spurious udp_socket listen denials. --- Fix unexpanded MLS/MCS fields in monolithic seusers file. --- Type transition fix in Postgresql database objects from KaiGai Kohei. 
--- Support for file context path substitutions (file_contexts.subs). --- Added contrib modules: -- glance (Dan Walsh) -- rhsmcertd (Dan Walsh) -- sanlock (Dan Walsh) -- sblim (Dan Walsh) -- uuidd (Dan Walsh) -- vdagent (Dan Walsh) -- --* Tue Jul 26 2011 Chris PeBenito - 2.20110726 --- Fix role declarations to handle role attribute compilers. --- Rename audioentropy module to entropyd due to haveged support. --- Add haveged support from Sven Vermeulen. --- Authentication file patch from Matthew Ife. --- Add agent support to zabbix from Sven Vermeulen. --- Cyrus file context update for Gentoo from Corentin Labbe. --- Portage updates from Sven Vermeulen. --- Fix init_system_domain() description, pointed out by Elia Pinto. --- Postgresql selabel_lookup update from KaiGai Kohei. --- Dovecot managesieve support from Mika Pfluger. --- Semicolon after interface/template calls cleanup from Elia Pinto. --- Gentoo courier updates from Sven Vermeulen. --- Amavis patch for connecting to nslcd from Miroslav Grepl. --- Shorewall patch from Miroslav Grepl. --- Cpufreqselector dbus patch from Guido Trentalancia. --- Cron pam_namespace and pam_loginuid support from Harry Ciao. --- Xserver update for startx from Sven Vermeulen. --- Fix MLS constraint for contains permission from Harry Ciao. --- Apache user webpages fix from Dominick Grift. --- Change default build.conf to modular policy from Stephen Smalley. --- Xen refinement patch from Stephen Smalley. --- Sudo timestamp file location update from Sven Vermeulen. --- XServer keyboard event patch from Sven Vermeulen. --- RAID uevent patch from Sven Vermeulen. --- Gentoo ALSA init script usage patch from Sven Vermeulen. --- LVM semaphore usage patch from Sven Vermeulen. --- Module load request patch for insmod from Sven Vermeulen. --- Cron default contexts fix from Harry Ciao. --- Man page fixes from Justin Mattock. --- Add syslog capability. --- Support for logging in to /dev/console, from Harry Ciao. 
--- Database object class updates and associated SEPostgreSQL changes from -- KaiGai Kohei. --- IPSEC SPD and Hadoop IPSEC updates from Paul Nuzzi. --- Mount updates from Harry Ciao. --- Semanage update for MLS systems from Harry Ciao. --- Vlock terminal use update from Harry Ciao. --- Hadoop CDH3 updates from Paul Nuzzi. --- Add sepgsql_contexts appconfig files from KaiGai Kohei. --- Added modules: -- aiccu -- bugzilla (Dan Walsh) -- colord (Dan Walsh) -- cmirrord (Miroslav Grepl) -- mediawiki (Miroslav Grepl) -- mpd (Miroslav Grepl) -- ncftool -- passenger (Miroslav Grepl) -- qpid (Dan Walsh) -- samhain (Harry Ciao) -- telepathy (Dominick Grift) -- tcsd (Stephen Smalley) -- vnstatd (Dan Walsh) -- zarafa (Miroslav Grepl) -- --* Mon Dec 13 2010 Chris PeBenito - 2.20101213 --- Git man page from Dominick Grift. --- Alsa and oident home content cleanup from Dominick Grift. --- Add support for custom build options. --- Unconditional staff and user oidentd home config access from Dominick Grift. --- Conditional mmap_zero support from Dominick Grift. --- Added devtmpfs support. --- Dbadm updates from KaiGai Kohei. --- Virtio disk file context update from Mika Pfluger. --- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh. --- Add JIT usage for freshclam. --- Remove ethereal module since the application was renamed to wireshark. --- Remove duplicate/redundant rules, from Russell Coker. --- Increased default number of categories to 1024, from Russell Coker. --- Added modules: -- accountsd (Dan Walsh) -- cgroup (Dominick Grift) -- hadoop (Paul Nuzzi) -- kdumpgui (Dan Walsh) -- livecd (Dan Walsh) -- mojomojo (Iain Arnell) -- sambagui (Dan Walsh) -- shutdown (Dan Walsh) -- sosreport (Dan Walsh) -- vlock (Harry Ciao) -- --* Mon May 24 2010 Chris PeBenito - 2.20100524 --- Merged a significant portion of Fedora policy. --- Move rules from mta mailserver delivery from interface to .te to use -- attributes. 
--- Remove concept of users from terminal module interfaces since the -- attributes are not specific to users. --- Add non-drawing X client support, for consolekit usage. --- Misc Gentoo fixes from Chris Richards. --- AFS and abrt fixes from Dominick Grift. --- Improved the XML docs of 55 most-used interfaces. --- Apcupsd and amavis fixes from Dominick Grift. --- Fix network_port() in corenetwork to correctly handle port ranges. --- SE-Postgresql updates from KaiGai Kohei. --- X object manager revisions from Eamon Walsh. --- Added modules: -- aisexec (Dan Walsh) -- chronyd (Miroslav Grepl) -- cobbler (Dominick Grift) -- corosync (Dan Walsh) -- dbadm (KaiGai Kohei) -- denyhosts (Dan Walsh) -- nut (Stefan Schulze Frielinghaus, Miroslav Grepl) -- likewise (Scott Salley) -- plymouthd (Dan Walsh) -- pyicqt (Stefan Schulze Frielinghaus) -- rhcs (Dan Walsh) -- rgmanager (Dan Walsh) -- sectoolm (Miroslav Grepl) -- usbmuxd (Dan Walsh) -- vhostmd (Dan Walsh) -- --* Tue Nov 17 2009 Chris PeBenito - 2.20091117 --- Add separate x_pointer and x_keyboard classes inheriting from x_device. -- From Eamon Walsh. --- Deprecated the userdom_xwindows_client_template(). --- Misc Gentoo fixes from Corentin Labbe. --- Debian policykit fixes from Martin Orr. --- Fix unconfined_r use of unconfined_java_t. --- Add missing x_device rules for XI2 functions, from Eamon Walsh. --- Add missing rules to make unconfined_cronjob_t a valid cron job domain. --- Add btrfs and ext4 to labeling targets. --- Fix infrastructure to expand macros in initrc_context when installing. --- Handle unix_chkpwd usage by useradd and groupadd. --- Add missing compatibility aliases for xdm_xserver*_t types. 
--- Added modules: -- abrt (Dan Walsh) -- dkim (Stefan Schulze Frielinghaus) -- gitosis (Miroslav Grepl) -- gnomeclock (Dan Walsh) -- hddtemp (Dan Walsh) -- kdump (Dan Walsh) -- modemmanager(Dan Walsh) -- nslcd (Dan Walsh) -- puppet (Craig Grube) -- rtkit (Dan Walsh) -- seunshare (Dan Walsh) -- shorewall (Dan Walsh) -- tgtd (Matthew Ife) -- tuned (Miroslav Grepl) -- xscreensaver (Corentin Labbe) -- --* Thu Jul 30 2009 Chris PeBenito - 2.20090730 --- Gentoo fixes for init scripts and system startup. --- Remove read_default_t tunable. --- Greylist milter from Paul Howarth. --- Crack db access for su to handle password expiration, from Brandon Whalen. --- Misc fixes for unix_update from Brandon Whalen. --- Add x_device permissions for XI2 functions, from Eamon Walsh. --- MLS constraints for the x_selection class, from Eamon Walsh. --- Postgresql updates from KaiGai Kohei. --- Milter state directory patch from Paul Howarth. --- Add MLS constrains for ingress/egress and secmark from Paul Moore. --- Drop write permission from fs_read_rpc_sockets(). --- Remove unused udev_runtime_t type. --- Patch for RadSec port from Glen Turner. --- Enable network_peer_controls policy capability from Paul Moore. --- Btrfs xattr support from Paul Moore. --- Add db_procedure install permission from KaiGai Kohei. --- Add support for network interfaces with access controlled by a Boolean -- from the CLIP project. --- Several fixes from the CLIP project. --- Add support for labeled Booleans. --- Remove node definitions and change node usage to generic nodes. --- Add kernel_service access vectors, from Stephen Smalley. 
--- Added modules: -- certmaster (Dan Walsh) -- cpufreqselector (Dan Walsh) -- devicekit (Dan Walsh) -- fprintd (Dan Walsh) -- git (Dan Walsh) -- gpsd (Miroslav Grepl) -- guest (Dan Walsh) -- ifplugd (Dan Walsh) -- lircd (Miroslav Grepl) -- logadm (Dan Walsh) -- pads (Dan Walsh) -- pingd (Dan Walsh) -- policykit (Dan Walsh) -- pulseaudio (Dan Walsh) -- psad (Dan Walsh) -- portreserve (Dan Walsh) -- sssd (Dan Walsh) -- ulogd (Dan Walsh) -- varnishd (Dan Walsh) -- webadm (Dan Walsh) -- wm (Dan Walsh) -- xguest (Dan Walsh) -- zosremote (Dan Walsh) -- --* Wed Dec 10 2008 Chris PeBenito - 2.20081210 --- Fix consistency of audioentropy and iscsi module naming. --- Debian file context fix for xen from Russell Coker. --- Xserver MLS fix from Eamon Walsh. --- Add omapi port for dhcpcd. --- Deprecate per-role templates and rolemap support. --- Implement user-based access control for use as role separations. --- Move shared library calls from individual modules to the domain module. --- Enable open permission checks policy capability. --- Remove hierarchy from portage module as it is not a good example of -- hieararchy. --- Remove enableaudit target from modular build as semodule -DB supplants it. --- Added modules: -- milter (Paul Howarth) -- --* Tue Oct 14 2008 Chris PeBenito - 20081014 --- Debian update for NetworkManager/wpa_supplicant from Martin Orr. --- Logrotate and Bind updates from Vaclav Ovsik. --- Init script file and domain support. --- Glibc 2.7 fix from Vaclav Ovsik. --- Samba/winbind update from Mike Edenfield. --- Policy size optimization with a non-security file attribute from James -- Carter. --- Database labeled networking update from KaiGai Kohei. --- Several misc changes from the Fedora policy, cherry picked by David -- Hardeman. --- Large whitespace fix from Dominick Grift. --- Pam_mount fix for local login from Stefan Schulze Frielinghaus. --- Issuing commands to upstart is over a datagram socket, not the initctl -- named pipe. 
Updated init_telinit() to match. --- Added modules: -- cyphesis (Dan Walsh) -- memcached (Dan Walsh) -- oident (Dominick Grift) -- w3c (Dan Walsh) -- --* Wed Jul 02 2008 Chris PeBenito - 20080702 --- Fix httpd_enable_homedirs to actually provide the access it is supposed to -- provide. --- Add unused interface/template parameter metadata in XML. --- Patch to handle postfix data_directory from Vaclav Ovsik. --- SE-Postgresql policy from KaiGai Kohei. --- Patch for X.org dbus support from Martin Orr. --- Patch for labeled networking controls in 2.6.25 from Paul Moore. --- Module loading now requires setsched on kernel threads. --- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik. --- X application data class from Eamon Walsh and Ted Toth. --- Move user roles into individual modules. --- Make hald_log_t a log file. --- Cryptsetup runs shell scripts. Patch from Martin Orr. --- Add file for enabling policy capabilities. --- Patch to fix leaky interface/template call depth calculator from Vaclav -- Ovsik. --- Added modules: -- kerneloops (Dan Walsh) -- kismet (Dan Walsh) -- podsleuth (Dan Walsh) -- prelude (Dan Walsh) -- qemu (Dan Walsh) -- virt (Dan Walsh) -- --* Wed Apr 02 2008 Chris PeBenito - 20080402 --- Add core Security Enhanced X Windows support. --- Fix winbind socket connection interface for default location of the -- sock_file. --- Add wireshark module based on ethereal module. --- Revise upstart support in init module to use a tunable, as upstart is now -- used in Fedora too. --- Add iferror.m4 rather generate it out of the Makefiles. --- Definitions for open permisson on file and similar objects from Eric -- Paris. --- Apt updates for ptys and logs, from Martin Orr. --- RPC update from Vaclav Ovsik. --- Exim updates on Debian from Devin Carrawy. --- Pam and samba updates from Stefan Schulze Frielinghaus. --- Backup update on Debian from Vaclav Ovsik. --- Cracklib update on Debian from Vaclav Ovsik. 
--- Label /proc/kallsyms with system_map_t. --- 64-bit capabilities from Stephen Smalley. --- Labeled networking peer object class updates. -- --* Fri Dec 14 2007 Chris PeBenito - 20071214 --- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik. --- Improve several tunables descriptions from Dan Walsh. --- Patch to clean up ns switch usage in the policy from Dan Walsh. --- More complete labeled networking infrastructure from KaiGai Kohei. --- Add interface for libselinux constructor, for libselinux-linked -- SELinux-enabled programs. --- Patch to restructure user role templates to create restricted user roles -- from Dan Walsh. --- Russian man page translations from Andrey Markelov. --- Remove unused types from dbus. --- Add infrastructure for managing all user web content. --- Deprecate some old file and dir permission set macros in favor of the -- newer, more consistently-named macros. --- Patch to clean up unescaped periods in several file context entries from -- Jan-Frode Myklebust. --- Merge shlib_t into lib_t. --- Merge strict and targeted policies. The policy will now behave like the -- strict policy if the unconfined module is not present. If it is, it will -- behave like the targeted policy. Added an unconfined role to have a mix -- of confined and unconfined users. --- Added modules: -- exim (Dan Walsh) -- postfixpolicyd (Jan-Frode Myklebust) -- --* Fri Sep 28 2007 Chris PeBenito - 20070928 --- Add support for setting the unknown permissions handling. --- Fix XML building for external reference builds and headers builds. --- Patch to add missing requirements in userdomain interfaces from Shintaro -- Fujiwara. --- Add tcpd_wrapped_domain() for services that use tcp wrappers. --- Update MLS constraints from LSPP evaluated policy. --- Allow initrc_t file descriptors to be inherited regardless of MLS level. -- Accordingly drop MLS permissions from daemons that inherit from any level. 
--- Files and radvd updates from Stefan Schulze Frielinghaus. --- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with -- mls_write_all_levels() and mls_read_all_levels(), for consistency. --- Add make kernel and init ranged interfaces pass the range transition MLS -- constraints. Also remove calls to mls_rangetrans_target() in modules that use -- the kernel and init interfaces, since its redundant. --- Add interfaces for all MLS attributes except X object classes. --- Require all sensitivities and categories for MLS and MCS policies, not just -- the low and high sensitivity and category. --- Database userspace object manager classes from KaiGai Kohei. --- Add third-party interface for Apache CGI. --- Add getserv and shmemserv nscd permissions. --- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus. --- Added modules: -- application -- awstats (Stefan Schulze Frielinghaus) -- bitlbee (Devin Carraway) -- brctl (Dan Walsh) -- --* Fri Jun 29 2007 Chris PeBenito - 20070629 --- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the -- libraries module. --- Unified labeled networking policy from Paul Moore. --- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. --- Xen updates from Dan Walsh. --- Filesystem updates from Dan Walsh. --- Large samba update from Dan Walsh. --- Drop snmpd_etc_t. --- Confine sendmail and logrotate on targeted. --- Tunable connection to postgresql for users from KaiGai Kohei. --- Memprotect support patch from Stephen Smalley. --- Add logging_send_audit_msgs() interface and deprecate -- send_audit_msgs_pattern(). --- Openct updates patch from Dan Walsh. --- Merge restorecon into setfiles. --- Patch to begin separating out hald helper programs from Dan Walsh. --- Fixes for squid, dovecot, and snmp from Dan Walsh. --- Miscellaneous consolekit fixes from Dan Walsh. --- Patch to have avahi use the nsswitch interface rather than individual -- permissions from Dan Walsh. 
--- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh. --- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes -- to handle usage from userhelper from Dan Walsh. --- Patch to allow amavis to read spamassassin libraries from Dan Walsh. --- Patch to allow slocate to getattr other filesystems and directories on those -- filesystems from Dan Walsh. --- Fixes for RHEL4 from the CLIP project. --- Replace the old lrrd fc entries with munin ones. --- Move program admin template usage out of userdom_admin_user_template() to -- sysadm policy in userdomain.te to fix usage of the template for third -- parties. --- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a -- template instead of an interface. --- Added modules: -- amtu (Dan Walsh) -- apcupsd (Dan Walsh) -- rpcbind (Dan Walsh) -- rwho (Nalin Dahyabhai) -- --* Tue Apr 17 2007 Chris PeBenito - 20070417 --- Patch for sasl's use of kerberos from Dan Walsh. --- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh. --- Man page updates from Dan Walsh. --- Two patches from Paul Moore to for ipsec to remove redundant rules and -- have setkey read the config file. --- Move booleans and tunables to modules when it is only used in a single -- module. --- Add support for tunables and booleans local to a module. --- Merge sbin_t and ls_exec_t into bin_t. --- Remove disable_trans booleans. --- Output different header sets for kernel and userland from flask headers. --- Marked the pax class as deprecated, changed it to userland so -- it will be removed from the kernel. --- Stop including netfilter contexts by default. --- Add dontaudits for init fds and console to init_daemon_domain(). --- Patch to allow gpg to create user keys dir. --- Patch to support kvmfs from Dan Walsh. --- Patch for misc fixes in sudo from Dan Walsh. --- Patch to fix netlabel recvfrom MLS constraint from Paul Moore. 
--- Patch for handling restart of nscd when ran from useradd, groupadd, and -- admin passwd, from Dan Walsh. --- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh. --- Patch for setroubleshoot for validating file contexts from Dan Walsh. --- Patch for gssd fixes from Dan Walsh. --- Patch for lvm fixes from Dan Walsh. --- Patch for ricci fixes from Dan Walsh. --- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh. --- Patch for kerberized telnet fixes from Dan Walsh. --- Patch for kerberized ftp and other ftp fixes from Dan Walsh. --- Patch for an additional wine executable from Dan Walsh. --- Eight patches for file contexts in games, wine, networkmanager, miscfiles, -- corecommands, devices, and java from Dan Walsh. --- Add support for libselinux 2.0.5 init_selinuxmnt() changes. --- Patch for misc fixes to bluetooth from Dan Walsh. --- Patch for misc fixes to kerberos from Dan Walsh. --- Patch to start deprecating usercanread attribute from Ryan Bradetich. --- Add dccp_socket object class which was added in kernel 2.6.20. --- Patch for prelink relabefrom it's temp files from Dan Walsh. --- Patch for capability fix for auditd and networking fix for syslogd from -- Dan Walsh. --- Patch to remove redundant mls_trusted_object() call from Dan Walsh. --- Patch for misc fixes to nis ypxfr policy from Dan Walsh. --- Patch to allow apmd to telinit from Dan Walsh. --- Patch for additional labeling of samba files from Stefan Schulze -- Frielinghaus. --- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich. --- Fix ptys and ttys to be device nodes. --- Fix explicit use of httpd_t in openca_domtrans(). --- Clean up file context regexes in apache and java, from Eamon Walsh. --- Patches from Dan Walsh: -- Thu, 25 Jan 2007 --- Added modules: -- consolekit (Dan Walsh) -- fail2ban (Dan Walsh) -- zabbix (Dan Walsh) -- --* Tue Dec 12 2006 Chris PeBenito - 20061212 --- Add policy patterns support macros. 
This changes the behavior of -- the create_dir_perms and create_file_perms permission sets. --- Association polmatch MLS constraint making unlabeled_t an exception -- is no longer needed, patch from Venkat Yekkirala. --- Context contains checking for PAM and cron from James Antill. --- Add a reload target to Modules.devel and change the load -- target to only insert modules that were changed. --- Allow semanage to read from /root on strict non-MLS for -- local policy modules. --- Gentoo init script fixes for udev. --- Allow udev to read kernel modules.inputmap. --- Dnsmasq fixes from testing. --- Allow kernel NFS server to getattr filesystems so df can work -- on clients. --- Patch from Matt Anderson for a MLS constraint exemption on a -- file that can be written to from a subject whose range is -- within the object's range. --- Enhanced setransd support from Darrel Goeddel. --- Patches from Dan Walsh: -- Tue, 24 Oct 2006 -- Wed, 29 Nov 2006 --- Added modules: -- aide (Matt Anderson) -- ccs (Dan Walsh) -- iscsi (Dan Walsh) -- ricci (Dan Walsh) -- --* Wed Oct 18 2006 Chris PeBenito - 20061018 --- Patch from Russell Coker Thu, 5 Oct 2006 --- Move range transitions to modules. --- Make number of MLS sensitivities, and number of MLS and MCS -- categories configurable as build options. --- Add role infrastructure. --- Debian updates from Erich Schubert. --- Add nscd_socket_use() to auth_use_nsswitch(). --- Remove old selopt rules. --- Full support for netfilter_contexts. --- MRTG patch for daemon operation from Stefan. --- Add authlogin interface to abstract common access for login programs. --- Remove setbool auditallow, except for RHEL4. --- Change eventpollfs to task SID labeling. --- Add key support from Michael LeMay. --- Add ftpdctl domain to ftp, from Paul Howarth. --- Fix build system to not move type declarations out of optionals. --- Add gcc-config domain to portage. --- Add packet object class and support in corenetwork. 
--- Add a copy of genhomedircon for monolithic policy building, so that a -- policycoreutils package update is not required for RHEL4 systems. --- Add appletalk sockets for use in cups. --- Add Make target to validate module linking. --- Make duplicate template and interface declarations a fatal error. --- Patch to stabilize modules.conf `make conf` output, from Erich Schubert. --- Move xconsole_device_t from devices to xserver since it is -- not actually a device, it is a named pipe. --- Handle nonexistant .fc and .if files in devel Makefile by -- automatically creating empty files. --- Remove unused devfs_control_t. --- Add rhel4 distro, which also implies redhat distro. --- Remove unneeded range_transition for su_exec_t and move the -- type declaration back to the su module. --- Constrain transitions in MCS so unconfined_t cannot have -- arbitrary category sets. --- Change reiserfs from xattr filesystem to genfscon as it's xattrs -- are currently nonfunctional. --- Change files and filesystem modules to use their own interfaces. --- Add user fonts to xserver. --- Additional interfaces in corecommands, miscfiles, and userdomain -- from Joy Latten. --- Miscellaneous fixes from Thomas Bleher. --- Deprecate module name as first parameter of optional_policy() -- now that optionals are allowed everywhere. --- Enable optional blocks in base module and monolithic policy. -- This requires checkpolicy 1.30.1. --- Fix vpn module declaration. --- Numerous fixes from Dan Walsh. --- Change build order to preserve m4 line number information so policy -- compile errors are useful again. --- Additional MLS interfaces from Chad Hanson. --- Move some rules out of domain_type() and domain_base_type() -- to the TE file, to use the domain attribute to take advantage -- of space savings from attribute use. --- Add global stack smashing protector rule for urandom access from -- Petre Rodan. --- Fix temporary rules at the bottom of portmap. 
--- Updated comments in mls file from Chad Hanson. --- Patches from Dan Walsh: -- Fri, 17 Mar 2006 -- Wed, 29 Mar 2006 -- Tue, 11 Apr 2006 -- Fri, 14 Apr 2006 -- Tue, 18 Apr 2006 -- Thu, 20 Apr 2006 -- Tue, 02 May 2006 -- Mon, 15 May 2006 -- Thu, 18 May 2006 -- Tue, 06 Jun 2006 -- Mon, 12 Jun 2006 -- Tue, 20 Jun 2006 -- Wed, 26 Jul 2006 -- Wed, 23 Aug 2006 -- Thu, 31 Aug 2006 -- Fri, 01 Sep 2006 -- Tue, 05 Sep 2006 -- Wed, 20 Sep 2006 -- Fri, 22 Sep 2006 -- Mon, 25 Sep 2006 --- Added modules: -- afs -- amavis (Erich Schubert) -- apt (Erich Schubert) -- asterisk -- audioentropy -- authbind -- backup -- calamaris -- cipe -- clamav (Erich Schubert) -- clockspeed (Petre Rodan) -- courier -- dante -- dcc -- ddclient -- dpkg (Erich Schubert) -- dnsmasq -- ethereal -- evolution -- games -- gatekeeper -- gift -- gnome (James Carter) -- imaze -- ircd -- jabber -- monop -- mozilla -- mplayer -- munin -- nagios -- nessus -- netlabel (Paul Moore) -- nsd -- ntop -- nx -- oav -- oddjob (Dan Walsh) -- openca -- openvpn (Petre Rodan) -- perdition -- portslave -- postgrey -- pxe -- pyzor (Dan Walsh) -- qmail (Petre Rodan) -- razor -- resmgr -- rhgb -- rssh -- snort -- soundserver -- speedtouch -- sxid -- thunderbird -- tor (Erich Schubert) -- transproxy -- tripwire -- uptime -- uwimap -- vmware -- watchdog -- xen (Dan Walsh) -- xprint -- yam -- --* Tue Mar 07 2006 Chris PeBenito - 20060307 --- Make all interface parameters required. --- Move boot_t, system_map_t, and modules_object_t to files module, -- and move bootloader to admin layer. --- Add semanage policy for semodule from Dan Walsh. --- Remove allow_execmem from targeted policy domain_base_type(). --- Add users_extra and seusers support. --- Postfix fixes from Serge Hallyn. --- Run python and shell directly to interpret scripts so policy -- sources need not be executable. --- Add desc tag XML to booleans and tunables, and add summary -- to param XML tag, to make future translations possible. --- Remove unused lvm_vg_t. 
--- Many interface renames to improve naming consistency. --- Merge xdm into xserver. --- Remove kernel module reversed interfaces. --- Add filename attribute to module XML tag and lineno attribute to -- interface XML tag. --- Changed QUIET build option to a yes or no option. --- Add a Makefile used for compiling loadable modules in a -- user's development environment, building against policy headers. --- Add Make target for installing policy headers. --- Separate per-userdomain template expansion from the userdomain -- module and add infrastructure to expand templates in the modules -- that own the template. --- Enable secadm only for MLS policies. --- Remove role change rules in su and sudo since this functionality has been -- removed from these programs. --- Add ctags Make target from Thomas Bleher. --- Collapse commands with grep piped to sed into one sed command. --- Fix type_change bug in term_user_pty(). --- Move ice_tmp_t from miscfiles to xserver. --- Login fixes from Serge Hallyn. --- Move xserver_log_t from xdm to xserver. --- Add lpr per-userdomain policy to lpd. --- Miscellaneous fixes from Dan Walsh. --- Change initrc_var_run_t interface noun from script_pid to utmp, -- for greater clarity. --- Added modules: -- certwatch -- mono (Dan Walsh) -- mrtg -- portage -- tvtime -- userhelper -- usernetctl -- wine (Dan Walsh) -- xserver -- --* Tue Jan 17 2006 Chris PeBenito - 20060117 --- Adds support for generating corenetwork interfaces based on attributes -- in addition to types. --- Permits the listing of multiple nodes in a network_node() that will be -- given the same type. --- Add two new permission sets for stream sockets. --- Rename file type transition interfaces verb from create to -- filetrans to differentiate it from create interfaces without -- type transitions. --- Fix expansion of interfaces from disabled modules. --- Rsync can be long running from init, -- added rules to allow this. --- Add polyinstantiation build option. 
--- Add setcontext to the association object class. --- Add apache relay and db connect tunables. --- Rename texrel_shlib_t to textrel_shlib_t. --- Add swat to samba module. --- Numerous miscellaneous fixes from Dan Walsh. --- Added modules: -- alsa -- automount -- cdrecord -- daemontools (Petre Rodan) -- ddcprobe -- djbdns (Petre Rodan) -- fetchmail -- irc -- java -- lockdev -- logwatch (Dan Walsh) -- openct -- prelink (Dan Walsh) -- publicfile (Petre Rodan) -- readahead -- roundup -- screen -- slocate (Dan Walsh) -- slrnpull -- smartmon -- sysstat -- ucspitcp (Petre Rodan) -- usbmodules -- vbetool (Dan Walsh) -- --* Wed Dec 07 2005 Chris PeBenito - 20051207 --- Add unlabeled IPSEC association rule to domains with -- networking permissions. --- Merge systemuser back in to users, as these files -- do not need to be split. --- Add check for duplicate interface/template definitions. --- Move domain, files, and corecommands modules to kernel -- layer to resolve some layering inconsistencies. --- Move policy build options out of Makefile into build.conf. --- Add yppasswd to nis module. --- Change optional_policy() to refer to the module name -- rather than modulename.te. --- Fix labeling targets to use installed file_contexts rather -- than partial file_contexts in the policy source directory. --- Fix build process to use make's internal vpath functions -- to detect modules rather than using subshells and find. --- Add install target for modular policy. --- Add load target for modular policy. --- Add appconfig dependency to the load target. --- Miscellaneous fixes from Dan Walsh. --- Fix corenetwork gen_context()'s to expand during the policy -- build phase instead of during the generation phase. 
--- Added policies: -- amanda -- avahi -- canna -- cyrus -- dbskk -- dovecot -- distcc -- i18n_input -- irqbalance -- lpd -- networkmanager -- pegasus -- postfix -- procmail -- radius -- rdisc -- rpc -- spamassassin -- timidity -- xdm -- xfs -- --* Wed Oct 19 2005 Chris PeBenito - 20051019 --- Many fixes to make loadable modules build. --- Add targets for sechecker. --- Updated to sedoctool to read bool files and tunable -- files separately. --- Changed the xml tag of to to be consistent -- with gen_bool(). --- Modified the implementation of segenxml to use regular -- expressions. --- Rename context_template() to gen_context() to clarify -- that its not a Reference Policy template, but a support -- macro. --- Add disable_*_trans bool support for targeted policy. --- Add MLS module to handle MLS constraint exceptions, -- such as reading up and writing down. --- Fix errors uncovered by sediff. --- Added policies: -- anaconda -- apache -- apm -- arpwatch -- bluetooth -- dmidecode -- finger -- ftp -- kudzu -- mailman -- ppp -- radvd -- sasl -- webalizer -- --* Thu Sep 22 2005 Chris PeBenito - 20050922 --- Make logrotate, sendmail, sshd, and rpm policies -- unconfined in the targeted policy so no special -- modules.conf is required. --- Add experimental MCS support. --- Add appconfig for MLS. --- Add equivalents for old can_resolve(), can_ldap(), and -- can_portmap() to sysnetwork. --- Fix base module compile issues. --- Added policies: -- cpucontrol -- cvs -- ktalk -- portmap -- postgresql -- rlogin -- samba -- snmp -- stunnel -- telnet -- tftp -- uucp -- vpn -- zebra -- --* Wed Sep 07 2005 Chris PeBenito - 20050907 --- Fix errors uncovered by sediff. --- Doc tool will explicitly say a module does not have interfaces -- or templates on the module page. --- Added policies: -- comsat -- dbus -- dhcp -- dictd -- hal -- inn -- ntp -- squid -- --* Fri Aug 26 2005 Chris PeBenito - 20050826 --- Add Makefile support for building loadable modules. 
--- Add genclassperms.py tool to add require blocks -- for loadable modules. --- Change sedoctool to make required modules part of base -- by default, otherwise make as modules, in modules.conf. --- Fix segenxml to handle modules with no interfaces. --- Rename ipsec connect interface for consistency. --- Add missing parts of unix stream socket connect interface -- of ipsec. --- Rename inetd connect interface for consistency. --- Rename interface for purging contents of tmp, for clarity, -- since it allows deletion of classes other than file. --- Misc. cleanups. --- Added policies: -- acct -- bind -- firstboot -- gpm -- howl -- ldap -- loadkeys -- mysql -- privoxy -- quota -- rshd -- rsync -- su -- sudo -- tcpd -- tmpreaper -- updfstab -- --* Tue Aug 2 2005 Chris PeBenito - 20050802 --- Fix comparison bug in fc_sort. --- Fix handling of ordered and unordered HTML lists. --- Corenetwork now supports multiple network interfaces having the -- same type. --- Doc tool now creates pages for global Booleans and global tunables. --- Doc tool now links directly to the interface/template in the -- module page when it is selected in the interface/template index. --- Added support for layer summaries. --- Added policies: -- ipsec -- nscd -- pcmcia -- raid -- --* Thu Jul 7 2005 Chris PeBenito - 20050707 --- Changed xml to have modules encapsulated by layer tags, rather -- than putting layer="foo" in the module tags. Also in the future -- we can put a summary and description for each layer. --- Added tool to infer interface, module, and layer tags. This will -- now list all interfaces, even if they are missing xml docs. --- Shortened xml tag names. --- Added macros to declare interfaces and templates. --- Added interface call trace. --- Updated all xml documentation for shorter and inferred tags. --- Doc tool now displays templates in the web pages. --- Doc tool retains the user's settings in modules.conf and -- tunables.conf if the files already exist. 
--- Modules.conf behavior has been changed to be a list of all -- available modules, and the user can specify if the module is -- built as a loadable module, included in the monolithic policy, -- or excluded. --- Added policies: -- fstools (fsck, mkfs, swapon, etc. tools) -- logrotate -- inetd -- kerberos -- nis (ypbind and ypserv) -- ssh (server, client, and agent) -- unconfined --- Added infrastructure for targeted policy support, only missing -- transition boolean support. -- --* Wed Jun 15 2005 Chris PeBenito - 20050615 -- - Initial release diff --git a/Makefile b/Makefile -index ec7b5cb..7bfdfc6 100644 +index 85d4cfb..7bfdfc6 100644 --- a/Makefile +++ b/Makefile @@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule @@ -2140,15 +10,7 @@ index ec7b5cb..7bfdfc6 100644 LOADPOLICY ?= $(tc_usrsbindir)/load_policy SETFILES ?= $(tc_sbindir)/setfiles XMLLINT ?= $(BINDIR)/xmllint -@@ -97,7 +98,6 @@ support := support - genxml := $(PYTHON) -E $(support)/segenxml.py - gendoc := $(PYTHON) -E $(support)/sedoctool.py - genperm := $(PYTHON) -E $(support)/genclassperms.py --policyvers := $(PYTHON) -E $(support)/policyvers.py - fcsort := $(tmpdir)/fc_sort - setbools := $(AWK) -f $(support)/set_bools_tuns.awk - get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed -@@ -250,7 +250,7 @@ seusers := $(appconf)/seusers +@@ -249,7 +250,7 @@ seusers := $(appconf)/seusers appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) @@ -2157,7 +19,7 @@ index ec7b5cb..7bfdfc6 100644 net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) -@@ -609,15 +609,17 @@ resetlabels: +@@ -608,15 +609,17 @@ resetlabels: # Clean everything # bare: clean 
@@ -2196,26 +58,6 @@ index 313d837..ef3c532 100644 @echo "Success." ######################################## -diff --git a/Rules.monolithic b/Rules.monolithic -index 808a539..7c4d035 100644 ---- a/Rules.monolithic -+++ b/Rules.monolithic -@@ -5,7 +5,7 @@ - - # determine the policy version and current kernel version if possible - pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') --kv := $(shell $(policyvers)) -+kv := $(shell cat /selinux/policyvers) - - # dont print version warnings if we are unable to determine - # the currently running kernel's policy version -diff --git a/VERSION b/VERSION -index d060af8..37b3df8 100644 ---- a/VERSION -+++ b/VERSION -@@ -1 +1 @@ --2.20130424 -+2.20120725 diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts index 881a292..80110a4 100644 --- a/config/appconfig-mcs/staff_u_default_contexts @@ -2961,7 +803,7 @@ index 3a45f23..f4754f0 100644 # fork # setexec diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index a94b169..33cd946 100644 +index 28802c5..33cd946 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -329,6 +329,7 @@ class process @@ -3009,7 +851,17 @@ index a94b169..33cd946 100644 } # Define the access vector interpretation for controlling -@@ -865,3 +877,20 @@ inherits database +@@ -827,6 +839,9 @@ class kernel_service + + class tun_socket + inherits socket ++{ ++ attach_queue ++} + + class x_pointer + inherits x_device +@@ -862,3 +877,20 @@ inherits database implement execute } @@ -3304,7 +1156,7 @@ index 216b3d1..064ec83 100644 + ') dnl end enable_mcs diff --git a/policy/mls b/policy/mls -index f11e5e2..094a319 100644 +index d218387..094a319 100644 --- a/policy/mls +++ b/policy/mls @@ -156,9 +156,6 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } 
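Review bot: The new `attach_queue` permission on `tun_socket` is only declared in this hunk; nothing in view grants it to any domain or adds it to a permission set, so on its own the declaration changes nothing at runtime and a domain attaching to a multiqueue TUN/TAP queue will still be denied until a matching allow rule lands. A one-line comment next to the declaration would spare the next reader a kernel-source lookup, e.g. `# attach_queue: attaching a process to a multiqueue tun/tap queue (IFF_ATTACH_QUEUE)`. As far as I know a kernel that predates this check never consults the permission, so declaring it is harmless there, but the policy should still be loaded and exercised on the oldest kernel it targets.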
@@ -3349,54 +1201,11 @@ index f11e5e2..094a319 100644 # # MLS policy for the process class # -@@ -666,42 +666,6 @@ mlsconstrain x_application_data { paste_after_confirm } - ( l1 dom l2 ); - - --# --# MLS policy for the x_pointer class --# -- --# the x_pointer "read" ops --mlsconstrain x_pointer { getattr use read getfocus grab } -- (( l1 dom l2 ) or -- (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or -- ( t1 == mlsxwinread )); -- --# the x_pointer "write" ops (implicit single level) --mlsconstrain x_pointer { setattr write setfocus bell force_cursor freeze manage } -- (( l1 eq l2 ) or -- (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -- ( t1 == mlsxwinwritexinput ) or -- ( t1 == mlsxwinwrite )); -- -- --# --# MLS policy for the x_keyboard class --# -- --# the x_keyboard "read" ops --mlsconstrain x_keyboard { getattr use read getfocus grab } -- (( l1 dom l2 ) or -- (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or -- ( t1 == mlsxwinread )); -- --# the x_keyboard "write" ops (implicit single level) --mlsconstrain x_keyboard { setattr write setfocus bell force_cursor freeze manage } -- (( l1 eq l2 ) or -- (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -- ( t1 == mlsxwinwritexinput ) or -- ( t1 == mlsxwinwrite )); -- -- - - # - # MLS policy for the dbus class diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc -index 2626ebf..5745bb2 100644 +index 7a6f06f..5745bb2 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc -@@ -1,11 +1,16 @@ +@@ -1,9 +1,16 @@ +/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0) +/etc/lilo\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) +/etc/yaboot\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) 
@@ -3417,8 +1226,6 @@ index 2626ebf..5745bb2 100644 +/usr/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0) -/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) --/usr/sbin/grub2-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0) --/usr/sbin/grub2-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0) diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if index cc8df9d..34c2a4e 100644 @@ -3575,15 +1382,10 @@ index cc8df9d..34c2a4e 100644 + files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf") +') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index 0fd5c5f..ee8e830 100644 +index e3dbbb8..ee8e830 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te -@@ -1,12 +1,12 @@ --policy_module(bootloader, 1.14.0) -+policy_module(bootloader, 1.13.2) - - ######################################## - # +@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.2) # Declarations # @@ -4013,16 +1815,10 @@ index c6ca761..0c86bfd 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index c44c359..b0a385b 100644 +index 8128de8..b0a385b 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te -@@ -1,4 +1,4 @@ --policy_module(netutils, 1.12.1) -+policy_module(netutils, 1.11.2) - - ######################################## - # -@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) +@@ -7,10 +7,10 @@ policy_module(netutils, 1.11.2) ## ##

@@ -4077,12 +1873,10 @@ index c44c359..b0a385b 100644 userdom_use_all_users_fds(netutils_t) optional_policy(` -@@ -106,15 +109,14 @@ optional_policy(` +@@ -106,13 +109,14 @@ optional_policy(` # allow ping_t self:capability { setuid net_raw }; --# When ping is installed with capabilities instead of setuid --allow ping_t self:process { getcap setcap }; +allow ping_t self:process setcap; + dontaudit ping_t self:capability sys_tty_config; @@ -4097,7 +1891,7 @@ index c44c359..b0a385b 100644 corenet_all_recvfrom_netlabel(ping_t) corenet_tcp_sendrecv_generic_if(ping_t) corenet_raw_sendrecv_generic_if(ping_t) -@@ -124,6 +126,7 @@ corenet_raw_bind_generic_node(ping_t) +@@ -122,6 +126,7 @@ corenet_raw_bind_generic_node(ping_t) corenet_tcp_sendrecv_all_ports(ping_t) fs_dontaudit_getattr_xattr_fs(ping_t) @@ -4105,7 +1899,7 @@ index c44c359..b0a385b 100644 domain_use_interactive_fds(ping_t) -@@ -131,14 +134,13 @@ files_read_etc_files(ping_t) +@@ -129,14 +134,13 @@ files_read_etc_files(ping_t) files_dontaudit_search_var(ping_t) kernel_read_system_state(ping_t) @@ -4123,7 +1917,7 @@ index c44c359..b0a385b 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -149,11 +151,25 @@ ifdef(`hide_broken_symptoms',` +@@ -147,11 +151,25 @@ ifdef(`hide_broken_symptoms',` ') ') @@ -4149,7 +1943,7 @@ index c44c359..b0a385b 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -161,6 +177,15 @@ optional_policy(` +@@ -159,6 +177,15 @@ optional_policy(` hotplug_use_fds(ping_t) ') @@ -4165,7 +1959,7 @@ index c44c359..b0a385b 100644 ######################################## # # Traceroute local policy -@@ -174,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms; +@@ -172,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms; kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) 
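Review bot: With the base no longer carrying `allow ping_t self:process { getcap setcap };`, the patched ping_t block keeps only the added `allow ping_t self:process setcap;` and loses the comment that explained it; suggest restoring the rationale above that line, `# ping installed with file capabilities rather than setuid drops privileges via capset()`. The dropped base line also granted `getcap`; ping built against libcap presumably reads its capability set before setting it, so confirm `getcap` reaches ping_t elsewhere in this patch or expect an AVC denial in the audit log. The rest of the ping_t policy continues outside this hunk.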
@@ -4173,7 +1967,7 @@ index c44c359..b0a385b 100644 corenet_all_recvfrom_netlabel(traceroute_t) corenet_tcp_sendrecv_generic_if(traceroute_t) corenet_udp_sendrecv_generic_if(traceroute_t) -@@ -198,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -196,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -4181,7 +1975,7 @@ index c44c359..b0a385b 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -206,11 +231,17 @@ auth_use_nsswitch(traceroute_t) +@@ -204,11 +231,17 @@ auth_use_nsswitch(traceroute_t) logging_send_syslog_msg(traceroute_t) @@ -4971,15 +2765,10 @@ index 99e3903..7270808 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1..049a211 100644 +index d555767..049a211 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te -@@ -1,22 +1,22 @@ --policy_module(usermanage, 1.19.0) -+policy_module(usermanage, 1.18.1) - - ######################################## - # +@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) # Declarations # @@ -5101,7 +2890,7 @@ index 1d732f1..049a211 100644 files_read_etc_runtime_files(chfn_t) files_dontaudit_search_var(chfn_t) files_dontaudit_search_home(chfn_t) -@@ -120,12 +135,13 @@ files_dontaudit_search_home(chfn_t) +@@ -120,19 +135,29 @@ files_dontaudit_search_home(chfn_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(chfn_t) 
@@ -5111,17 +2900,17 @@ index 1d732f1..049a211 100644 logging_send_syslog_msg(chfn_t) --seutil_read_file_contexts(chfn_t) +-# uses unix_chkpwd for checking passwords +-seutil_dontaudit_search_config(chfn_t) +userdom_manage_user_tmp_files(chfn_t) +userdom_tmp_filetrans_user_tmp(chfn_t, { file }) userdom_use_unpriv_users_fds(chfn_t) # user generally runs this from their home directory, so do not audit a search -@@ -133,7 +149,13 @@ userdom_use_unpriv_users_fds(chfn_t) + # on user home dir userdom_dontaudit_search_user_home_content(chfn_t) - optional_policy(` -- nscd_run(chfn_t, chfn_roles) ++optional_policy(` + rssh_exec(chfn_t) +') + @@ -5129,10 +2918,12 @@ index 1d732f1..049a211 100644 +optional_policy(` + # allow to exec tmux + screen_exec(chfn_t) - ') - ++') ++ ######################################## -@@ -212,8 +234,8 @@ selinux_compute_create_context(groupadd_t) + # + # Crack local policy +@@ -209,8 +234,8 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) @@ -5143,7 +2934,7 @@ index 1d732f1..049a211 100644 init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -221,8 +243,8 @@ init_dontaudit_write_utmp(groupadd_t) +@@ -218,8 +243,8 @@ init_dontaudit_write_utmp(groupadd_t) domain_use_interactive_fds(groupadd_t) @@ -5153,7 +2944,7 @@ index 1d732f1..049a211 100644 files_read_etc_runtime_files(groupadd_t) files_read_usr_symlinks(groupadd_t) -@@ -232,14 +254,15 @@ corecmd_exec_bin(groupadd_t) +@@ -229,14 +254,15 @@ corecmd_exec_bin(groupadd_t) logging_send_audit_msgs(groupadd_t) logging_send_syslog_msg(groupadd_t) @@ -5172,7 +2963,7 @@ index 1d732f1..049a211 100644 auth_relabel_shadow(groupadd_t) auth_etc_filetrans_shadow(groupadd_t) -@@ -256,7 +279,8 @@ optional_policy(` +@@ -253,7 +279,8 @@ optional_policy(` ') optional_policy(` 
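Review bot: The rebased hunk now removes `seutil_dontaudit_search_config(chfn_t)` together with its comment `# uses unix_chkpwd for checking passwords`; unless another hunk of this patch grants that search, chfn/chsh will start logging AVC denials on the SELinux config directory that the base deliberately silenced. If the removal is intentional, say why in the hunk; otherwise keep the dontaudit and its comment. The new `rssh_exec(chfn_t)` block also lacks a why-comment, unlike the neighbouring `# allow to exec tmux` block; something like `# chsh may execute the requested login shell (e.g. rssh) — confirm` would document it. The chfn_t block continues in the following hunk.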
@@ -5182,7 +2973,7 @@ index 1d732f1..049a211 100644 ') optional_policy(` -@@ -273,7 +297,7 @@ optional_policy(` +@@ -270,7 +297,7 @@ optional_policy(` # Passwd local policy # @@ -5191,7 +2982,7 @@ index 1d732f1..049a211 100644 dontaudit passwd_t self:capability sys_tty_config; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; -@@ -288,6 +312,7 @@ allow passwd_t self:shm create_shm_perms; +@@ -285,6 +312,7 @@ allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; allow passwd_t self:msg { send receive }; @@ -5199,7 +2990,7 @@ index 1d732f1..049a211 100644 allow passwd_t crack_db_t:dir list_dir_perms; read_files_pattern(passwd_t, crack_db_t, crack_db_t) -@@ -296,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t) +@@ -293,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t) # for SSP dev_read_urand(passwd_t) @@ -5207,7 +2998,7 @@ index 1d732f1..049a211 100644 fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) -@@ -310,26 +336,38 @@ selinux_compute_create_context(passwd_t) +@@ -307,26 +336,38 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) @@ -5251,7 +3042,7 @@ index 1d732f1..049a211 100644 # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) -@@ -338,12 +376,11 @@ init_use_fds(passwd_t) +@@ -335,12 +376,11 @@ init_use_fds(passwd_t) logging_send_audit_msgs(passwd_t) logging_send_syslog_msg(passwd_t) 
@@ -5265,27 +3056,27 @@ index 1d732f1..049a211 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -352,9 +389,18 @@ userdom_read_user_tmp_files(passwd_t) +@@ -349,9 +389,18 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) +userdom_stream_connect(passwd_t) -+ -+optional_policy(` + + optional_policy(` +- nscd_run(passwd_t, passwd_roles) + gnome_exec_keyringd(passwd_t) + gnome_manage_cache_home_dir(passwd_t) + gnome_manage_generic_cache_sockets(passwd_t) + gnome_stream_connect_gkeyringd(passwd_t) +') - - optional_policy(` -- nscd_run(passwd_t, passwd_roles) ++ ++optional_policy(` + #nscd_run(passwd_t, passwd_roles) + nscd_domtrans(passwd_t) ') ######################################## -@@ -401,9 +447,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -398,9 +447,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -5298,7 +3089,7 @@ index 1d732f1..049a211 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -416,7 +463,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -413,7 +463,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -5306,7 +3097,7 @@ index 1d732f1..049a211 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -426,19 +472,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -423,19 +472,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) 
@@ -5328,7 +3119,7 @@ index 1d732f1..049a211 100644 ') ######################################## -@@ -446,7 +490,8 @@ optional_policy(` +@@ -443,7 +490,8 @@ optional_policy(` # Useradd local policy # @@ -5338,7 +3129,7 @@ index 1d732f1..049a211 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -461,6 +506,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -458,6 +506,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -5349,7 +3140,7 @@ index 1d732f1..049a211 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,36 +517,37 @@ corecmd_exec_shell(useradd_t) +@@ -465,36 +517,37 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -5399,7 +3190,7 @@ index 1d732f1..049a211 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -508,33 +558,36 @@ init_rw_utmp(useradd_t) +@@ -505,33 +558,36 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) 
@@ -5429,10 +3220,10 @@ index 1d732f1..049a211 100644 userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories -userdom_manage_user_home_dirs(useradd_t) --userdom_home_filetrans_user_home_dir(useradd_t) + userdom_home_filetrans_user_home_dir(useradd_t) -userdom_manage_user_home_content_dirs(useradd_t) -userdom_manage_user_home_content_files(useradd_t) - userdom_home_filetrans_user_home_dir(useradd_t) +-userdom_home_filetrans_user_home_dir(useradd_t) -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_manage_home_role(system_r, useradd_t) +userdom_delete_all_user_home_content(useradd_t) @@ -5450,7 +3241,7 @@ index 1d732f1..049a211 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -545,7 +598,12 @@ optional_policy(` +@@ -542,7 +598,12 @@ optional_policy(` ') optional_policy(` @@ -5464,7 +3255,7 @@ index 1d732f1..049a211 100644 ') optional_policy(` -@@ -553,6 +611,11 @@ optional_policy(` +@@ -550,6 +611,11 @@ optional_policy(` ') optional_policy(` @@ -5476,7 +3267,7 @@ index 1d732f1..049a211 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +625,12 @@ optional_policy(` +@@ -559,3 +625,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -5660,15 +3451,8 @@ index 7590165..85186a9 100644 +tunable_policy(`use_fusefs_home_dirs',` + fs_mounton_fusefs(seunshare_domain) ') -diff --git a/policy/modules/contrib b/policy/modules/contrib -index 298b887..662a00b 160000 ---- a/policy/modules/contrib -+++ b/policy/modules/contrib -@@ -1 +1 @@ --Subproject commit 298b887411b663a7da40a7a465915a7352bac80d -+Subproject commit 662a00bca8f52af8056f41abd0fdec77ea835b2a diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 33e0f8d..3656744 100644 +index 644d4d7..3656744 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ 
@@ -5739,11 +3523,8 @@ index 33e0f8d..3656744 100644 /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) -@@ -132,13 +145,14 @@ ifdef(`distro_debian',` - # /lib - # +@@ -134,10 +147,12 @@ ifdef(`distro_debian',` --/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0) /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) -/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) @@ -5756,7 +3537,7 @@ index 33e0f8d..3656744 100644 ifdef(`distro_gentoo',` /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) -@@ -149,10 +163,12 @@ ifdef(`distro_gentoo',` +@@ -148,10 +163,12 @@ ifdef(`distro_gentoo',` /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') @@ -5770,7 +3551,7 @@ index 33e0f8d..3656744 100644 /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -168,6 +184,7 @@ ifdef(`distro_gentoo',` +@@ -167,6 +184,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -5778,7 +3559,7 @@ index 33e0f8d..3656744 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -179,38 +196,52 @@ ifdef(`distro_gentoo',` +@@ -178,33 +196,49 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
@@ -5813,7 +3594,6 @@ index 33e0f8d..3656744 100644 /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/jvm/java(.*/)bin(/.*) gen_context(system_u:object_r:bin_t,s0) +/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -5838,17 +3618,12 @@ index 33e0f8d..3656744 100644 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/lib/gnome-settings-daemon/.* -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/gvfs/.* -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -218,19 +249,31 @@ ifdef(`distro_gentoo',` +@@ -215,18 +249,31 @@ ifdef(`distro_gentoo',` /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/lib/NetworkManager/nm\-.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) -/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -5882,7 +3657,7 @@ index 33e0f8d..3656744 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -245,26 +288,39 @@ ifdef(`distro_gentoo',` +@@ -241,26 +288,39 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -5927,7 +3702,7 @@ index 33e0f8d..3656744 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -273,6 +329,7 @@ ifdef(`distro_gentoo',` +@@ -269,6 +329,7 @@ ifdef(`distro_gentoo',` /usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) @@ -5935,7 +3710,7 @@ index 33e0f8d..3656744 100644 /usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -280,10 +337,15 @@ ifdef(`distro_gentoo',` +@@ -276,10 +337,15 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) 
@@ -5951,7 +3726,7 @@ index 33e0f8d..3656744 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -298,16 +360,22 @@ ifdef(`distro_gentoo',` +@@ -294,16 +360,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -5976,7 +3751,7 @@ index 33e0f8d..3656744 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,20 +393,27 @@ ifdef(`distro_redhat', ` +@@ -321,20 +393,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -6005,7 +3780,7 @@ index 33e0f8d..3656744 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -346,6 +421,7 @@ ifdef(`distro_redhat', ` +@@ -342,6 +421,7 @@ ifdef(`distro_redhat', ` /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) 
@@ -6013,7 +3788,7 @@ index 33e0f8d..3656744 100644 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -387,11 +463,16 @@ ifdef(`distro_suse', ` +@@ -383,11 +463,16 @@ ifdef(`distro_suse', ` # # /var # @@ -6031,7 +3806,7 @@ index 33e0f8d..3656744 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -401,3 +482,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +482,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -6302,15 +4077,9 @@ index 9e9263a..77e6c8c 100644 + filetrans_pattern($1, bin_t, $2, $3, $4) +') diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te -index 20c76cf..a784e8e 100644 +index 43090a0..a784e8e 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te -@@ -1,4 +1,4 @@ --policy_module(corecommands, 1.18.1) -+policy_module(corecommands, 1.17.3) - - ######################################## - # @@ -13,7 +13,8 @@ attribute exec_type; # # bin_t is the type of files in the system bin/sbin directories. @@ -7893,15 +5662,10 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..8a190ce 100644 +index 4edc40d..8a190ce 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in -@@ -1,10 +1,11 @@ --policy_module(corenetwork, 1.19.2) -+policy_module(corenetwork, 1.18.4) - - ######################################## - # +@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) # Declarations # 
@@ -7972,7 +5736,7 @@ index b191055..8a190ce 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -84,55 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) +@@ -84,54 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) @@ -8040,7 +5804,7 @@ index b191055..8a190ce 100644 network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) +network_port(gear, tcp,43273,s0, udp,43273,s0) - network_port(gdomap, tcp,538,s0, udp,538,s0) ++network_port(gdomap, tcp,538,s0, udp,538,s0) network_port(gds_db, tcp,3050,s0, udp,3050,s0) network_port(giftd, tcp,1213,s0) network_port(git, tcp,9418,s0, udp,9418,s0) @@ -8050,7 +5814,7 @@ index b191055..8a190ce 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +177,52 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -139,45 +177,52 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) 
@@ -8118,7 +5882,7 @@ index b191055..8a190ce 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,26 +230,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -185,26 +230,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -8159,7 +5923,7 @@ index b191055..8a190ce 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -215,66 +269,74 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,64 +269,74 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -8174,7 +5938,7 @@ index b191055..8a190ce 100644 network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) +network_port(time, tcp,37,s0, udp,37,s0) - network_port(redis, tcp,6379,s0) ++network_port(redis, tcp,6379,s0) network_port(repository, tcp, 6363, s0) network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) @@ -8228,7 +5992,6 @@ index b191055..8a190ce 100644 +network_port(tram, tcp, 4567, s0) network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) --network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0) network_port(ups, tcp,3493,s0) network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) 
@@ -8246,7 +6009,7 @@ index b191055..8a190ce 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -288,19 +350,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -285,19 +350,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -8273,7 +6036,7 @@ index b191055..8a190ce 100644 ######################################## # -@@ -333,6 +399,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -330,6 +399,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -8282,7 +6045,7 @@ index b191055..8a190ce 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +413,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +413,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -10949,15 +8712,9 @@ index 76f285e..830c1c5 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a871..b31a5e8 100644 +index 6529bd9..b31a5e8 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te -@@ -1,4 +1,4 @@ --policy_module(devices, 1.15.0) -+policy_module(devices, 1.14.5) - - ######################################## - # @@ -15,11 +15,12 @@ attribute devices_unconfined_type; # type device_t; @@ -11771,7 +9528,7 @@ index cf04cb5..a290c56 100644 + ') +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index b876c48..1a210d2 100644 +index c2c6e05..1a210d2 100644 
--- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -12013,16 +9770,14 @@ index b876c48..1a210d2 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -269,5 +294,6 @@ ifndef(`distro_redhat',` - +@@ -270,3 +295,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) --/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..255728e 100644 +index 64ff4d7..255728e 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -12861,103 +10616,94 @@ index f962f76..255728e 100644 ## Do not audit attempts to set the attributes on all mount points. ## ## -@@ -1655,38 +2097,38 @@ interface(`files_dontaudit_search_all_mountpoints',` - - ######################################## - ##

--## List all mount points. -+## Do not audit listing of all mount points. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_list_all_mountpoints',` -+interface(`files_dontaudit_list_all_mountpoints',` - gen_require(` - attribute mountpoint; - ') - -- allow $1 mountpoint:dir list_dir_perms; -+ dontaudit $1 mountpoint:dir list_dir_perms; - ') +@@ -1673,6 +2115,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## --## Do not audit listing of all mount points. +## Write all mount points. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_list_all_mountpoints',` -- gen_require(` -- attribute mountpoint; -- ') ++## ++## ++# +interface(`files_write_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') - -- dontaudit $1 mountpoint:dir list_dir_perms; ++ + allow $1 mountpoint:dir write; - ') - - ######################################## -@@ -1709,72 +2151,145 @@ interface(`files_dontaudit_write_all_mountpoints',` ++') ++ ++######################################## ++## + ## Do not audit attempts to write to mount points. + ## + ## +@@ -1691,6 +2151,42 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## --## List the contents of the root directory. +## Do not audit attempts to unmount all mount points. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_list_root',` ++## ++## ++# +interface(`files_dontaudit_unmount_all_mountpoints',` - gen_require(` -- type root_t; ++ gen_require(` + attribute mountpoint; - ') - -- allow $1 root_t:dir list_dir_perms; -- allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; ++ ') ++ + dontaudit $1 mountpoint:filesystem unmount; - ') - - ######################################## - ## --## Do not audit attempts to write to / dirs. 
++') ++ ++######################################## ++## +## Write all file type directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_write_all_dirs',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ allow $1 file_type:dir write; ++') ++ ++######################################## ++## + ## List the contents of the root directory. ## ## - ## --## Domain to not audit. -+## Domain allowed access. +@@ -1707,7 +2203,6 @@ interface(`files_list_root',` + allow $1 root_t:dir list_dir_perms; + allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; + ') +- + ######################################## + ## + ## Do not audit attempts to write to / dirs. +@@ -1718,18 +2213,17 @@ interface(`files_list_root',` ## ## # -interface(`files_dontaudit_write_root_dirs',` -+interface(`files_write_all_dirs',` ++interface(`files_write_root_dirs',` gen_require(` -- type root_t; -+ attribute file_type; + type root_t; ') - dontaudit $1 root_t:dir write; -+ allow $1 file_type:dir write; ++ allow $1 root_t:dir write; ') -################### 
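Review bot: On the new side `files_write_root_dirs` (inner hunks `@@ -1707,7 +2203,6 @@` and `@@ -1718,18 +2213,17 @@`) sits under the summary `## Do not audit attempts to write to / dirs.` while its body is `allow $1 root_t:dir write;`, so the generated interface documentation describes a dontaudit for an interface that actually grants access; the parameter summary between the two hunks presumably still reads "Domain to not audit." and would be wrong for the same reason. The summary should read `## Write to the root directory.` and the parameter `## Domain allowed access.`. In the same hunk `files_write_all_dirs` grants `allow $1 file_type:dir write;`, i.e. write on every directory carrying the `file_type` attribute, which the one-line summary `## Write all file type directories.` understates; adding `## This is very broad and is meant for relabeling and recovery tooling; prefer the per-directory interfaces where possible.` would steer callers toward the narrower interfaces added alongside it.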
@@ -12965,59 +10711,15 @@ index f962f76..255728e 100644 ## -## Do not audit attempts to write -## files in the root directory. -+## List the contents of the root directory. ++## Do not audit attempts to write to / dirs. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -1737,7 +2231,26 @@ interface(`files_dontaudit_write_root_dirs',` ## ## # -interface(`files_dontaudit_rw_root_dir',` -+interface(`files_list_root',` - gen_require(` - type root_t; - ') - -- dontaudit $1 root_t:dir rw_dir_perms; -+ allow $1 root_t:dir list_dir_perms; -+ allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; - ') -- - ######################################## - ## --## Create an object in the root directory, with a private --## type using a type transition. -+## Do not audit attempts to write to / dirs. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## --## --## -+# -+interface(`files_write_root_dirs',` -+ gen_require(` -+ type root_t; -+ ') -+ -+ allow $1 root_t:dir write; -+') -+ -+######################################## -+## -+## Do not audit attempts to write to / dirs. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# +interface(`files_dontaudit_write_root_dirs',` + gen_require(` + type root_t; @@ -13038,15 +10740,13 @@ index f962f76..255728e 100644 +## +# +interface(`files_dontaudit_rw_root_dir',` -+ gen_require(` -+ type root_t; -+ ') -+ -+ dontaudit $1 root_t:dir rw_dir_perms; -+') -+ -+######################################## -+## + gen_require(` + type root_t; + ') +@@ -1747,6 +2260,26 @@ interface(`files_dontaudit_rw_root_dir',` + + ######################################## + ## +## Do not audit attempts to check the +## access on root directory. +## 
@@ -13067,20 +10767,10 @@ index f962f76..255728e 100644 + +######################################## +## -+## Create an object in the root directory, with a private -+## type using a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## - ## The type of the object to be created. - ## - ## -@@ -1892,25 +2407,25 @@ interface(`files_delete_root_dir_entry',` + ## Create an object in the root directory, with a private + ## type using a type transition. + ## +@@ -1874,25 +2407,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -13112,7 +10802,7 @@ index f962f76..255728e 100644 ## ## ## -@@ -1923,7 +2438,7 @@ interface(`files_relabel_rootfs',` +@@ -1905,7 +2438,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -13121,7 +10811,7 @@ index f962f76..255728e 100644 ') ######################################## -@@ -1946,6 +2461,42 @@ interface(`files_unmount_rootfs',` +@@ -1928,6 +2461,42 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -13164,7 +10854,7 @@ index f962f76..255728e 100644 ## Get attributes of the /boot directory. ## ## -@@ -2181,6 +2732,24 @@ interface(`files_relabelfrom_boot_files',` +@@ -2163,6 +2732,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -13189,7 +10879,7 @@ index f962f76..255728e 100644 ###################################### ## ## Read symbolic links in the /boot directory. -@@ -2645,6 +3214,24 @@ interface(`files_rw_etc_dirs',` +@@ -2627,6 +3214,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -13214,7 +10904,7 @@ index f962f76..255728e 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2716,6 +3303,7 @@ interface(`files_read_etc_files',` +@@ -2698,6 +3303,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) 
@@ -13222,7 +10912,7 @@ index f962f76..255728e 100644 ') ######################################## -@@ -2724,7 +3312,7 @@ interface(`files_read_etc_files',` +@@ -2706,7 +3312,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -13231,7 +10921,7 @@ index f962f76..255728e 100644 ## ## # -@@ -2780,6 +3368,25 @@ interface(`files_manage_etc_files',` +@@ -2762,6 +3368,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -13257,7 +10947,7 @@ index f962f76..255728e 100644 ## Delete system configuration files in /etc. ## ## -@@ -2798,6 +3405,24 @@ interface(`files_delete_etc_files',` +@@ -2780,6 +3405,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -13282,7 +10972,7 @@ index f962f76..255728e 100644 ## Execute generic files in /etc. ## ## -@@ -2963,24 +3588,6 @@ interface(`files_delete_boot_flag',` +@@ -2945,24 +3588,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -13307,7 +10997,7 @@ index f962f76..255728e 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3021,9 +3628,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3003,9 +3628,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -13318,7 +11008,7 @@ index f962f76..255728e 100644 ## ## ## -@@ -3031,18 +3636,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3013,18 +3636,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -13340,7 +11030,7 @@ index f962f76..255728e 100644 ## ## ## -@@ -3060,6 +3664,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3042,6 +3664,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## 
@@ -13367,7 +11057,7 @@ index f962f76..255728e 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3077,6 +3701,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3059,6 +3701,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -13375,7 +11065,7 @@ index f962f76..255728e 100644 ') ######################################## -@@ -3098,6 +3723,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3080,6 +3723,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -13383,7 +11073,7 @@ index f962f76..255728e 100644 ') ######################################## -@@ -3150,6 +3776,44 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3132,6 +3776,44 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## @@ -13428,7 +11118,7 @@ index f962f76..255728e 100644 ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3223,11 +3887,10 @@ interface(`files_delete_isid_type_dirs',` +@@ -3205,11 +3887,10 @@ interface(`files_delete_isid_type_dirs',` delete_dirs_pattern($1, file_t, file_t) ') @@ -13442,7 +11132,7 @@ index f962f76..255728e 100644 ## ## ## -@@ -3235,18 +3898,18 @@ interface(`files_delete_isid_type_dirs',` +@@ -3217,18 +3898,18 @@ interface(`files_delete_isid_type_dirs',` ## ## # @@ -13465,7 +11155,7 @@ index f962f76..255728e 100644 ## ## ## -@@ -3254,12 +3917,88 @@ interface(`files_manage_isid_type_dirs',` +@@ -3236,17 +3917,17 @@ interface(`files_manage_isid_type_dirs',` ## ## # 
@@ -13477,11 +11167,144 @@ index f962f76..255728e 100644 - allow $1 file_t:dir { search_dir_perms mounton }; + allow $1 file_t:dir mounton; + ') + + ######################################## + ## +-## Read files on new filesystems ++## Relabelfrom all file opbjects on new filesystems + ## that have not yet been labeled. + ## + ## +@@ -3255,18 +3936,18 @@ interface(`files_mounton_isid_type_dirs',` + ## + ## + # +-interface(`files_read_isid_type_files',` ++interface(`files_relabelfrom_isid_type',` + gen_require(` + type file_t; + ') + +- allow $1 file_t:file read_file_perms; ++ dontaudit $1 file_t:dir_file_class_set relabelfrom; + ') + + ######################################## + ## +-## Delete files on new filesystems +-## that have not yet been labeled. ++## Create, read, write, and delete directories ++## on new filesystems that have not yet been labeled. + ## + ## + ## +@@ -3274,18 +3955,18 @@ interface(`files_read_isid_type_files',` + ## + ## + # +-interface(`files_delete_isid_type_files',` ++interface(`files_manage_isid_type_dirs',` + gen_require(` + type file_t; + ') + +- delete_files_pattern($1, file_t, file_t) ++ allow $1 file_t:dir manage_dir_perms; + ') + + ######################################## + ## +-## Delete symbolic links on new filesystems +-## that have not yet been labeled. ++## Mount a filesystem on a directory on new filesystems ++## that has not yet been labeled. + ## + ## + ## +@@ -3293,18 +3974,18 @@ interface(`files_delete_isid_type_files',` + ## + ## + # +-interface(`files_delete_isid_type_symlinks',` ++interface(`files_mounton_isid_type_dirs',` + gen_require(` + type file_t; + ') + +- delete_lnk_files_pattern($1, file_t, file_t) ++ allow $1 file_t:dir { search_dir_perms mounton }; + ') + + ######################################## + ## +-## Delete named pipes on new filesystems +-## that have not yet been labeled. ++## Mount a filesystem on a new chr_file ++## that has not yet been labeled. 
+ ## + ## + ## +@@ -3312,17 +3993,17 @@ interface(`files_delete_isid_type_symlinks',` + ## + ## + # +-interface(`files_delete_isid_type_fifo_files',` ++interface(`files_mounton_isid_type_chr_file',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- delete_fifo_files_pattern($1, file_t, file_t) ++ allow $1 unlabeled_t:chr_file mounton; + ') + + ######################################## + ## +-## Delete named sockets on new filesystems ++## Read files on new filesystems + ## that have not yet been labeled. + ## + ## +@@ -3331,17 +4012,17 @@ interface(`files_delete_isid_type_fifo_files',` + ## + ## + # +-interface(`files_delete_isid_type_sock_files',` ++interface(`files_read_isid_type_files',` + gen_require(` + type file_t; + ') + +- delete_sock_files_pattern($1, file_t, file_t) ++ allow $1 file_t:file read_file_perms; + ') + + ######################################## + ## +-## Delete block files on new filesystems ++## Delete files on new filesystems + ## that have not yet been labeled. + ## + ## +@@ -3350,12 +4031,88 @@ interface(`files_delete_isid_type_sock_files',` + ## + ## + # +-interface(`files_delete_isid_type_blk_files',` ++interface(`files_delete_isid_type_files',` + gen_require(` + type file_t; + ') + +- delete_blk_files_pattern($1, file_t, file_t) ++ delete_files_pattern($1, file_t, file_t) +') + +######################################## +## -+## Relabelfrom all file opbjects on new filesystems ++## Delete symbolic links on new filesystems +## that have not yet been labeled. +## +## 
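Review bot: `files_relabelfrom_isid_type` (inner hunk `@@ -3236,17 +3917,17 @@`) is named and summarized as granting relabelfrom, but its body is `dontaudit $1 file_t:dir_file_class_set relabelfrom;`, so either the rule or the documentation is wrong and the hunk does not say which was intended. If the dontaudit is intended, the summary should read `## Do not audit attempts to relabel from all file objects on new filesystems that have not yet been labeled.` with the parameter `## Domain to not audit.`, and ideally the name would carry the `dontaudit_` prefix the rest of the file uses; the summary also misspells `opbjects`. In the following hunk `files_mounton_isid_type_chr_file` requires `type unlabeled_t;` where every sibling `isid_type` interface requires `file_t`, so its summary should state that it targets `unlabeled_t` objects rather than the unlabeled-filesystem type the neighbours cover, e.g. `## Mount a filesystem on a chr_file of type unlabeled_t.`.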
@@ -13490,18 +11313,18 @@ index f962f76..255728e 100644 +## +## +# -+interface(`files_relabelfrom_isid_type',` ++interface(`files_delete_isid_type_symlinks',` + gen_require(` + type file_t; + ') + -+ dontaudit $1 file_t:dir_file_class_set relabelfrom; ++ delete_lnk_files_pattern($1, file_t, file_t) +') + +######################################## +## -+## Create, read, write, and delete directories -+## on new filesystems that have not yet been labeled. ++## Delete named pipes on new filesystems ++## that have not yet been labeled. +## +## +## @@ -13509,18 +11332,18 @@ index f962f76..255728e 100644 +## +## +# -+interface(`files_manage_isid_type_dirs',` ++interface(`files_delete_isid_type_fifo_files',` + gen_require(` + type file_t; + ') + -+ allow $1 file_t:dir manage_dir_perms; ++ delete_fifo_files_pattern($1, file_t, file_t) +') + +######################################## +## -+## Mount a filesystem on a directory on new filesystems -+## that has not yet been labeled. ++## Delete named sockets on new filesystems ++## that have not yet been labeled. +## +## +## @@ -13528,18 +11351,18 @@ index f962f76..255728e 100644 +## +## +# -+interface(`files_mounton_isid_type_dirs',` ++interface(`files_delete_isid_type_sock_files',` + gen_require(` + type file_t; + ') + -+ allow $1 file_t:dir { search_dir_perms mounton }; ++ delete_sock_files_pattern($1, file_t, file_t) +') + +######################################## +## -+## Mount a filesystem on a new chr_file -+## that has not yet been labeled. ++## Delete block files on new filesystems ++## that have not yet been labeled. +## +## +## 
@@ -13547,16 +11370,16 @@ index f962f76..255728e 100644 +## +## +# -+interface(`files_mounton_isid_type_chr_file',` ++interface(`files_delete_isid_type_blk_files',` + gen_require(` -+ type unlabeled_t; ++ type file_t; + ') + -+ allow $1 unlabeled_t:chr_file mounton; ++ delete_blk_files_pattern($1, file_t, file_t) ') ######################################## -@@ -3473,6 +4212,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3455,6 +4212,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -13582,7 +11405,7 @@ index f962f76..255728e 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3552,6 +4310,27 @@ interface(`files_dontaudit_getattr_home_dir',` +@@ -3534,6 +4310,27 @@ interface(`files_dontaudit_getattr_home_dir',` ######################################## ## @@ -13610,7 +11433,7 @@ index f962f76..255728e 100644 ## Search home directories root (/home). ## ## -@@ -3814,20 +4593,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4593,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -13654,7 +11477,7 @@ index f962f76..255728e 100644 ') ######################################## -@@ -4217,6 +5014,172 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,6 +5014,172 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -13827,7 +11650,7 @@ index f962f76..255728e 100644 ######################################## ## ## Allow the specified type to associate -@@ -4239,6 +5202,26 @@ interface(`files_associate_tmp',` +@@ -4221,6 +5202,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -13854,7 +11677,7 @@ index f962f76..255728e 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4252,17 +5235,37 @@ interface(`files_getattr_tmp_dirs',` +@@ -4234,17 +5235,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') 
@@ -13893,7 +11716,7 @@ index f962f76..255728e 100644 ## ## # -@@ -4289,6 +5292,7 @@ interface(`files_search_tmp',` +@@ -4271,6 +5292,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -13901,7 +11724,7 @@ index f962f76..255728e 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4325,6 +5329,7 @@ interface(`files_list_tmp',` +@@ -4307,6 +5329,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -13909,7 +11732,7 @@ index f962f76..255728e 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4334,7 +5339,7 @@ interface(`files_list_tmp',` +@@ -4316,7 +5339,7 @@ interface(`files_list_tmp',` ## ## ## @@ -13918,7 +11741,7 @@ index f962f76..255728e 100644 ## ## # -@@ -4346,6 +5351,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4328,6 +5351,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -13944,7 +11767,7 @@ index f962f76..255728e 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4361,6 +5385,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4343,6 +5385,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -13952,12 +11775,13 @@ index f962f76..255728e 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4402,6 +5427,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4384,25 +5427,33 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## +-## Manage temporary files and directories in /tmp. +## Allow shared library text relocations in tmp files. -+## + ## +## +##

+## Allow shared library text relocations in tmp files. @@ -13966,26 +11790,58 @@ index f962f76..255728e 100644 +## This is added to support java policy. +##

+##
-+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`files_manage_generic_tmp_files',` +interface(`files_execmod_tmp',` -+ gen_require(` + gen_require(` +- type tmp_t; + attribute tmpfile; + ') + +- manage_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file execmod; + ') + + ######################################## + ## +-## Read symbolic links in the tmp directory (/tmp). ++## Manage temporary files and directories in /tmp. + ## + ## + ## +@@ -4410,7 +5461,25 @@ interface(`files_manage_generic_tmp_files',` + ## + ## + # +-interface(`files_read_generic_tmp_symlinks',` ++interface(`files_manage_generic_tmp_files',` ++ gen_require(` ++ type tmp_t; + ') + -+ allow $1 tmpfile:file execmod; ++ manage_files_pattern($1, tmp_t, tmp_t) +') + +######################################## +## - ## Manage temporary files and directories in /tmp. - ## - ## -@@ -4456,6 +5507,42 @@ interface(`files_rw_generic_tmp_sockets',` ++## Read symbolic links in the tmp directory (/tmp). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_generic_tmp_symlinks',` + gen_require(` + type tmp_t; + ') +@@ -4438,6 +5507,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -14028,7 +11884,7 @@ index f962f76..255728e 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4474,6 +5561,60 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4456,6 +5561,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## @@ -14089,7 +11945,7 @@ index f962f76..255728e 100644 ## List all tmp directories. ## ## -@@ -4519,7 +5660,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4501,7 +5660,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -14098,7 +11954,7 @@ index f962f76..255728e 100644 ## ## # -@@ -4579,7 +5720,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4561,7 +5720,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## 
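Review bot: `files_execmod_tmp` grants `execmod` on every type that carries the `tmpfile` attribute (`allow $1 tmpfile:file execmod;`), not only on `tmp_t`, whereas the files.te hunk further down this patch only grants `execmod` to `files_unconfined_type` inside what appears to be a conditional block, so this interface hands out unconditionally a permission the rest of the policy treats as gated. The hunk appears only to reorder an interface the patch already carried, so the behaviour is not new, but the description should state the scope plainly, e.g. `## Allow shared library text relocations on all tmp file types (every type with the tmpfile attribute), not only tmp_t.`. It is worth checking whether the java caller this was added for can be served by a narrower rule on its own private tmp type, which would keep text relocations out of the generic and other domains' tmp files.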
@@ -14107,7 +11963,7 @@ index f962f76..255728e 100644 ## ## # -@@ -4611,6 +5752,44 @@ interface(`files_read_all_tmp_files',` +@@ -4593,6 +5752,44 @@ interface(`files_read_all_tmp_files',` ######################################## ## @@ -14152,7 +12008,7 @@ index f962f76..255728e 100644 ## Create an object in the tmp directories, with a private ## type using a type transition. ## -@@ -4664,6 +5843,16 @@ interface(`files_purge_tmp',` +@@ -4646,6 +5843,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -14169,7 +12025,7 @@ index f962f76..255728e 100644 ') ######################################## -@@ -5112,6 +6301,24 @@ interface(`files_create_kernel_symbol_table',` +@@ -5094,6 +6301,24 @@ interface(`files_create_kernel_symbol_table',` ######################################## ## @@ -14194,7 +12050,7 @@ index f962f76..255728e 100644 ## Read system.map in the /boot directory. ## ## -@@ -5241,6 +6448,24 @@ interface(`files_list_var',` +@@ -5223,6 +6448,24 @@ interface(`files_list_var',` ######################################## ## @@ -14219,7 +12075,7 @@ index f962f76..255728e 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5328,7 +6553,7 @@ interface(`files_dontaudit_rw_var_files',` +@@ -5310,7 +6553,7 @@ interface(`files_dontaudit_rw_var_files',` type var_t; ') @@ -14228,7 +12084,7 @@ index f962f76..255728e 100644 ') ######################################## -@@ -5525,6 +6750,23 @@ interface(`files_rw_var_lib_dirs',` +@@ -5507,6 +6750,23 @@ interface(`files_rw_var_lib_dirs',` rw_dirs_pattern($1, var_lib_t, var_lib_t) ') 
@@ -14252,7 +12108,7 @@ index f962f76..255728e 100644 ######################################## ## ## Create objects in the /var/lib directory -@@ -5596,6 +6838,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5578,6 +6838,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -14278,7 +12134,7 @@ index f962f76..255728e 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5641,7 +6902,7 @@ interface(`files_manage_mounttab',` +@@ -5623,7 +6902,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -14287,7 +12143,7 @@ index f962f76..255728e 100644 ## ## ## -@@ -5649,12 +6910,13 @@ interface(`files_manage_mounttab',` +@@ -5631,12 +6910,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -14303,7 +12159,7 @@ index f962f76..255728e 100644 ') ######################################## -@@ -5672,6 +6934,7 @@ interface(`files_search_locks',` +@@ -5654,6 +6934,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -14311,7 +12167,7 @@ index f962f76..255728e 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5698,7 +6961,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5680,7 +6961,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -14339,7 +12195,7 @@ index f962f76..255728e 100644 ## ## ## -@@ -5706,13 +6988,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,13 +6988,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -14356,7 +12212,7 @@ index f962f76..255728e 100644 ') ######################################## -@@ -5731,7 +7012,7 @@ interface(`files_rw_lock_dirs',` +@@ -5713,7 +7012,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') 
@@ -14365,7 +12221,7 @@ index f962f76..255728e 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5764,7 +7045,6 @@ interface(`files_create_lock_dirs',` +@@ -5746,7 +7045,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -14373,7 +12229,7 @@ index f962f76..255728e 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5779,7 +7059,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5761,7 +7059,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -14382,7 +12238,7 @@ index f962f76..255728e 100644 ## ## ## -@@ -5787,13 +7067,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5769,13 +7067,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -14417,7 +12273,7 @@ index f962f76..255728e 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5809,13 +7109,12 @@ interface(`files_getattr_generic_locks',` +@@ -5791,13 +7109,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -14435,7 +12291,7 @@ index f962f76..255728e 100644 ') ######################################## -@@ -5834,9 +7133,7 @@ interface(`files_manage_generic_locks',` +@@ -5816,9 +7133,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -14446,7 +12302,7 @@ index f962f76..255728e 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5878,8 +7175,7 @@ interface(`files_read_all_locks',` +@@ -5860,8 +7175,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -14456,7 +12312,7 @@ index f962f76..255728e 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5901,8 +7197,7 @@ interface(`files_manage_all_locks',` +@@ -5883,8 +7197,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') 
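Review bot: The banners above the new `files_rw_pid_dirs` and "Create generic pid directory" interfaces in the last hunk on this line are visibly shorter than the 40-column `########################################` banner used by every surrounding interface, which makes the block look mis-pasted on the next rebase. Pad both banner lines to match the neighbours. The second interface's body continues on the following line of the diff.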
@@ -14466,7 +12322,7 @@ index f962f76..255728e 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5939,8 +7234,7 @@ interface(`files_lock_filetrans',` +@@ -5921,8 +7234,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -14476,7 +12332,7 @@ index f962f76..255728e 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5979,7 +7273,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5961,7 +7273,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -14485,7 +12341,7 @@ index f962f76..255728e 100644 allow $1 var_run_t:dir setattr; ') -@@ -5999,10 +7293,48 @@ interface(`files_search_pids',` +@@ -5981,33 +7293,108 @@ interface(`files_search_pids',` type var_t, var_run_t; ') @@ -14494,26 +12350,40 @@ index f962f76..255728e 100644 search_dirs_pattern($1, var_t, var_run_t) ') +-######################################## +###################################### -+## + ## +-## Do not audit attempts to search +-## the /var/run directory. +## Add and remove entries from pid directories. -+## -+## + ## + ## +-## +-## Domain to not audit. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_dontaudit_search_pids',` +- gen_require(` +- type var_run_t; +- ') +interface(`files_rw_pid_dirs',` + gen_require(` + type var_run_t; + ') -+ + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir search_dir_perms; + allow $1 var_run_t:dir rw_dir_perms; -+') -+ + ') + +-######################################## +####################################### -+## + ## +-## List the contents of the runtime process +## Create generic pid directory. +## +## 
@@ -14531,100 +12401,88 @@ index f962f76..255728e 100644 + allow $1 var_run_t:dir create_dir_perms; +') + - ######################################## - ## - ## Do not audit attempts to search -@@ -6025,40 +7357,77 @@ interface(`files_dontaudit_search_pids',` - - ######################################## - ## --## List the contents of the runtime process --## ID directories (/var/run). ++######################################## ++## +## Do not audit attempts to search -+## the all /var/run directory. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_list_pids',` -+interface(`files_dontaudit_search_all_pids',` - gen_require(` -- type var_t, var_run_t; -+ attribute pidfile; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -+ dontaudit $1 pidfile:dir search_dir_perms; - ') - - ######################################## - ## --## Read generic process ID files. -+## Allow search the all /var/run directory. - ## - ## - ## --## Domain allowed access. ++## the /var/run directory. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_read_generic_pids',` -+interface(`files_search_all_pids',` - gen_require(` -- type var_t, var_run_t; -+ attribute pidfile; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ allow $1 pidfile:dir search_dir_perms; ++## ++## ++# ++interface(`files_dontaudit_search_pids',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 var_run_t:dir search_dir_perms; +') + +######################################## +## -+## List the contents of the runtime process -+## ID directories (/var/run). ++## Do not audit attempts to search ++## the all /var/run directory. +## +## +## -+## Domain allowed access. ++## Domain to not audit. 
+## +## +# -+interface(`files_list_pids',` ++interface(`files_dontaudit_search_all_pids',` + gen_require(` -+ type var_t, var_run_t; ++ attribute pidfile; + ') + -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) ++ dontaudit $1 pidfile:dir search_dir_perms; +') + +######################################## +## -+## Read generic process ID files. ++## Allow search the all /var/run directory. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_read_generic_pids',` ++interface(`files_search_all_pids',` + gen_require(` -+ type var_t, var_run_t; ++ attribute pidfile; + ') + ++ allow $1 pidfile:dir search_dir_perms; ++') ++ ++######################################## ++## ++## List the contents of the runtime process + ## ID directories (/var/run). + ## + ## +@@ -6021,7 +7408,7 @@ interface(`files_list_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + ') + +@@ -6040,7 +7427,7 @@ interface(`files_read_generic_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + files_search_pids($1) list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6078,7 +7447,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6060,7 +7447,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -14633,7 +12491,7 @@ index f962f76..255728e 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6140,7 +7509,6 @@ interface(`files_pid_filetrans',` +@@ -6122,7 +7509,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -14641,7 +12499,7 @@ index f962f76..255728e 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6169,6 +7537,24 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6151,6 +7537,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## 
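Review bot: In the hunk that ends here, the new `files_search_all_pids` interface documents its parameter as `## Domain to not audit.` although its only rule is `allow $1 pidfile:dir search_dir_perms;`; the text was evidently copied from the `files_dontaudit_search_all_pids` variant above it. Change the parameter description to `## Domain allowed access.` and the summary to `## Search all pid directories (every type with the pidfile attribute).`. The summary of the dontaudit variant, `## the all /var/run directory.`, has the same wording problem and should read `## all pid directories.`. This hunk begins further up the diff, so the earlier interfaces it rewrites are not covered by this note.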
@@ -14666,7 +12524,7 @@ index f962f76..255728e 100644 ## Read and write generic process ID files. ## ## -@@ -6182,7 +7568,7 @@ interface(`files_rw_generic_pids',` +@@ -6164,7 +7568,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') @@ -14675,7 +12533,7 @@ index f962f76..255728e 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6249,55 +7635,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6231,55 +7635,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -14738,7 +12596,7 @@ index f962f76..255728e 100644 ## ## ## -@@ -6305,42 +7679,35 @@ interface(`files_delete_all_pids',` +@@ -6287,42 +7679,35 @@ interface(`files_delete_all_pids',` ## ## # @@ -14788,7 +12646,7 @@ index f962f76..255728e 100644 ## ## ## -@@ -6348,18 +7715,18 @@ interface(`files_manage_all_pids',` +@@ -6330,18 +7715,18 @@ interface(`files_manage_all_pids',` ## ## # @@ -14812,7 +12670,7 @@ index f962f76..255728e 100644 ## ## ## -@@ -6367,37 +7734,40 @@ interface(`files_mounton_all_poly_members',` +@@ -6349,37 +7734,40 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -14864,7 +12722,7 @@ index f962f76..255728e 100644 ## ## ## -@@ -6405,18 +7775,17 @@ interface(`files_dontaudit_search_spool',` +@@ -6387,18 +7775,17 @@ interface(`files_dontaudit_search_spool',` ## ## # @@ -14887,7 +12745,7 @@ index f962f76..255728e 100644 ## ## ## -@@ -6424,18 +7793,18 @@ interface(`files_list_spool',` +@@ -6406,18 +7793,18 @@ interface(`files_list_spool',` ## ## # @@ -14911,7 +12769,7 @@ index f962f76..255728e 100644 ## ## ## -@@ -6443,19 +7812,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6425,19 +7812,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -14936,7 +12794,7 @@ index f962f76..255728e 100644 ## ## ## -@@ -6463,55 +7831,112 @@ interface(`files_read_generic_spool',` +@@ -6445,55 +7831,130 @@ interface(`files_read_generic_spool',` ## ## # 
@@ -14964,11 +12822,6 @@ index f962f76..255728e 100644 ## ## -## --## --## Type to which the created node will be transitioned. --## --## --## +## +# +interface(`files_delete_all_pids',` @@ -14992,12 +12845,11 @@ index f962f76..255728e 100644 +## +## ## --## Object class(es) (single or set including {}) for which this --## the transition will occur. +-## Type to which the created node will be transitioned. +## Domain allowed access. ## ## --## +-## +# +interface(`files_delete_all_pid_dirs',` + gen_require(` @@ -15043,15 +12895,37 @@ index f962f76..255728e 100644 +##
+## ## --## The name of the object being created. +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. +## Type of the file to be used as a +## spool file. ## ## +-## +## ++# ++interface(`files_spool_file',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ ++ files_type($1) ++ typeattribute $1 spoolfile; ++') ++ ++######################################## ++## ++## Create all spool sockets ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## # -interface(`files_spool_filetrans',` -+interface(`files_spool_file',` ++interface(`files_create_all_spool_sockets',` gen_require(` - type var_t, var_spool_t; + attribute spoolfile; @@ -15059,24 +12933,23 @@ index f962f76..255728e 100644 - allow $1 var_t:dir search_dir_perms; - filetrans_pattern($1, var_spool_t, $2, $3, $4) -+ files_type($1) -+ typeattribute $1 spoolfile; ++ allow $1 spoolfile:sock_file create_sock_file_perms; ') ######################################## ## -## Allow access to manage all polyinstantiated -## directories on the system. -+## Create all spool sockets ++## Delete all spool sockets ## ## ## -@@ -6519,53 +7944,17 @@ interface(`files_spool_filetrans',` +@@ -6501,16 +7962,208 @@ interface(`files_spool_filetrans',` ## ## # -interface(`files_polyinstantiate_all',` -+interface(`files_create_all_spool_sockets',` ++interface(`files_delete_all_spool_sockets',` gen_require(` - attribute polydir, polymember, polyparent; - type poly_t; 
@@ -15085,64 +12958,10 @@ index f962f76..255728e 100644 - # Need to give access to /selinux/member - selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated -- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -- -- # Need to give access to the polyinstantiated subdirectories -- allow $1 polymember:dir search_dir_perms; -- -- # Need to give access to parent directories where original -- # is remounted for polyinstantiation aware programs (like gdm) -- allow $1 polyparent:dir { getattr mounton }; -- -- # Need to give permission to create directories where applicable -- allow $1 self:process setfscreate; -- allow $1 polymember: dir { create setattr relabelto }; -- allow $1 polydir: dir { write add_name open }; -- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -- -- # Default type for mountpoints -- allow $1 poly_t:dir { create mounton }; -- fs_unmount_xattr_fs($1) -- -- fs_mount_tmpfs($1) -- fs_unmount_tmpfs($1) -- -- ifdef(`distro_redhat',` -- # namespace.init -- files_search_tmp($1) -- files_search_home($1) -- corecmd_exec_bin($1) -- seutil_domtrans_setfiles($1) -- ') -+ allow $1 spoolfile:sock_file create_sock_file_perms; - ') - - ######################################## - ## --## Unconfined access to files. -+## Delete all spool sockets - ## - ## - ## -@@ -6573,10 +7962,802 @@ interface(`files_polyinstantiate_all',` - ## - ## - # --interface(`files_unconfined',` -+interface(`files_delete_all_spool_sockets',` - gen_require(` -- attribute files_unconfined_type; -+ attribute spoolfile; -+ ') -+ + allow $1 spoolfile:sock_file delete_sock_file_perms; +') -+ + +- # Need sys_admin capability for mounting +######################################## +## +## Relabel to and from all spool 
@@ -15337,54 +13156,10 @@ index f962f76..255728e 100644 + selinux_compute_member($1) + + # Need sys_admin capability for mounting -+ allow $1 self:capability { chown fsetid sys_admin fowner }; -+ -+ # Need to give access to the directories to be polyinstantiated -+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -+ -+ # Need to give access to the polyinstantiated subdirectories -+ allow $1 polymember:dir search_dir_perms; -+ -+ # Need to give access to parent directories where original -+ # is remounted for polyinstantiation aware programs (like gdm) -+ allow $1 polyparent:dir { getattr mounton }; -+ -+ # Need to give permission to create directories where applicable -+ allow $1 self:process setfscreate; -+ allow $1 polymember: dir { create setattr relabelto }; -+ allow $1 polydir: dir { write add_name open }; -+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -+ -+ # Default type for mountpoints -+ allow $1 poly_t:dir { create mounton }; -+ fs_unmount_xattr_fs($1) -+ -+ fs_mount_tmpfs($1) -+ fs_unmount_tmpfs($1) -+ -+ ifdef(`distro_redhat',` -+ # namespace.init -+ files_search_tmp($1) -+ files_search_home($1) -+ corecmd_exec_bin($1) -+ seutil_domtrans_setfiles($1) -+ ') -+') -+ -+######################################## -+## -+## Unconfined access to files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_unconfined',` -+ gen_require(` -+ attribute files_unconfined_type; - ') + allow $1 self:capability { chown fsetid sys_admin fowner }; + + # Need to give access to the directories to be polyinstantiated +@@ -6562,3 +8215,549 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -15935,15 +13710,10 @@ index f962f76..255728e 100644 + allow $1 etc_t:service status; +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 1a03abd..b5a89ba 100644 +index 148d87a..b5a89ba 100644 
--- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te -@@ -1,16 +1,20 @@ --policy_module(files, 1.18.1) -+policy_module(files, 1.17.5) - - ######################################## - # +@@ -5,12 +5,16 @@ policy_module(files, 1.17.5) # Declarations # @@ -16051,7 +13821,7 @@ index 1a03abd..b5a89ba 100644 files_mountpoint(root_t) files_poly_parent(root_t) kernel_rootfs_mountpoint(root_t) -@@ -133,45 +156,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) +@@ -133,52 +156,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) # type src_t; files_mountpoint(src_t) @@ -16104,9 +13874,10 @@ index 1a03abd..b5a89ba 100644 type var_lock_t; +files_base_file(var_lock_t) files_lock_file(var_lock_t) - files_mountpoint(var_lock_t) ++files_mountpoint(var_lock_t) -@@ -180,6 +212,7 @@ files_mountpoint(var_lock_t) + # + # var_run_t is the type of /var/run, usually # used for pid and other runtime files. # type var_run_t; @@ -16114,7 +13885,7 @@ index 1a03abd..b5a89ba 100644 files_pid_file(var_run_t) files_mountpoint(var_run_t) -@@ -187,7 +220,9 @@ files_mountpoint(var_run_t) +@@ -186,7 +220,9 @@ files_mountpoint(var_run_t) # var_spool_t is the type of /var/spool # type var_spool_t; @@ -16124,7 +13895,7 @@ index 1a03abd..b5a89ba 100644 ######################################## # -@@ -226,10 +261,11 @@ fs_associate_tmpfs(tmpfsfile) +@@ -225,10 +261,11 @@ fs_associate_tmpfs(tmpfsfile) # Create/access any file in a labeled filesystem; allow files_unconfined_type file_type:{ file chr_file } ~execmod; allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; @@ -16138,7 +13909,7 @@ index 1a03abd..b5a89ba 100644 allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index d7c11a0..7b26d12 100644 +index cda5588..7b26d12 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc @@ -1,9 +1,12 @@ 
@@ -16157,22 +13928,14 @@ index d7c11a0..7b26d12 100644 /dev/shm/.* <> /lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) -@@ -11,13 +14,12 @@ - /lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +@@ -12,5 +15,11 @@ /lib/udev/devices/shm/.* <> --/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) --/sys/fs/cgroup/.* <> -- --/sys/fs/pstore -d gen_context(system_u:object_r:pstore_t,s0) --/sys/fs/pstore/.* <> -+# for systemd systems: + # for systemd systems: +-/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) +-/sys/fs/cgroup/.* <> +/sys/fs/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) - --ifdef(`distro_debian',` --/var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0) --/var/run/shm/.* <> --') ++ +/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/usr/lib/udev/devices/hugepages/.* <> +/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) @@ -17596,15 +15359,9 @@ index 8416beb..c6cd3eb 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index e7d1738..bf31a0e 100644 +index 9e603f5..bf31a0e 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te -@@ -1,4 +1,4 @@ --policy_module(filesystem, 1.17.2) -+policy_module(filesystem, 1.16.2) - - ######################################## - # @@ -26,14 +26,18 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0); @@ -17632,7 +15389,7 @@ index e7d1738..bf31a0e 100644 type bdev_t; fs_type(bdev_t) -@@ -63,15 +68,22 @@ fs_type(binfmt_misc_fs_t) +@@ -63,12 +68,18 @@ fs_type(binfmt_misc_fs_t) files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) 
@@ -17650,14 +15407,9 @@ index e7d1738..bf31a0e 100644 -type cgroup_t; +type cgroup_t alias cgroupfs_t; fs_type(cgroup_t) -+files_type(cgroup_t) + files_type(cgroup_t) files_mountpoint(cgroup_t) --dev_associate_sysfs(cgroup_t) -+dev_associate_sysfs(cgroup_t) # only for systemd systems - genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) - - type configfs_t; -@@ -88,6 +100,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -89,6 +100,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) @@ -17669,7 +15421,7 @@ index e7d1738..bf31a0e 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -96,6 +113,7 @@ type hugetlbfs_t; +@@ -97,6 +113,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -17677,7 +15429,7 @@ index e7d1738..bf31a0e 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -118,17 +136,16 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -119,12 +136,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) @@ -17688,18 +15440,14 @@ index e7d1738..bf31a0e 100644 fs_type(oprofilefs_t) genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) --type pstore_t; --fs_type(pstore_t) --files_mountpoint(pstore_t) --dev_associate_sysfs(pstore_t) --genfscon pstore / gen_context(system_u:object_r:pstore_t,s0) +type pstorefs_t; +fs_type(pstorefs_t) +genfscon pstore / gen_context(system_u:object_r:pstorefs_t,s0) - ++ type ramfs_t; fs_type(ramfs_t) -@@ -150,11 +167,6 @@ fs_type(spufs_t) + files_mountpoint(ramfs_t) +@@ -145,11 +167,6 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) 
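Review bot: In the filesystem.te hunk that now adds `pstorefs_t`, the type is declared with only `fs_type(pstorefs_t)` and a `genfscon pstore /` entry, without the `files_mountpoint()` and `dev_associate_sysfs()` calls that the base's own pstore type carried (and that the neighbouring `cgroup_t` declaration keeps). If pstore is mounted under /sys/fs on the target systems, mounting on and associating with the sysfs mountpoint may be denied; confirm against the base tree and, if so, add `files_mountpoint(pstorefs_t)` and `dev_associate_sysfs(pstorefs_t)` next to the `fs_type` line. A one-line comment on the declaration stating which mount layout it is written for would also stop this from being lost on the next rebase.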
@@ -17711,7 +15459,7 @@ index e7d1738..bf31a0e 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -172,16 +184,19 @@ type vxfs_t; +@@ -167,6 +184,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -17720,10 +15468,7 @@ index e7d1738..bf31a0e 100644 # # tmpfs_t is the type for tmpfs filesystems - # - type tmpfs_t; --dev_associate(tmpfs_t) - fs_type(tmpfs_t) +@@ -176,6 +195,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -17732,7 +15477,7 @@ index e7d1738..bf31a0e 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -261,6 +276,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -255,6 +276,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -17741,7 +15486,7 @@ index e7d1738..bf31a0e 100644 files_mountpoint(removable_t) # -@@ -280,6 +297,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -274,6 +297,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -17758,7 +15503,7 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..1debeb2 100644 +index 649e458..1debeb2 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` 
@@ -18159,17 +15904,16 @@ index e100d88..1debeb2 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2630,6 +2866,9 @@ interface(`kernel_sendrecv_unlabeled_association',` - ') - +@@ -2632,7 +2868,7 @@ interface(`kernel_sendrecv_unlabeled_association',` allow $1 unlabeled_t:association { sendto recvfrom }; -+ -+ # temporary hack until labeling on packets is supported + + # temporary hack until labeling on packets is supported +- allow $1 unlabeled_t:packet { send recv }; +# allow $1 unlabeled_t:packet { send recv }; ') ######################################## -@@ -2667,6 +2906,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2670,6 +2906,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -18194,7 +15938,7 @@ index e100d88..1debeb2 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2694,6 +2951,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2697,6 +2951,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -18220,7 +15964,7 @@ index e100d88..1debeb2 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2803,6 +3079,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2806,6 +3079,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -18254,7 +15998,7 @@ index e100d88..1debeb2 100644 ######################################## ## -@@ -2958,6 +3261,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2961,6 +3261,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -18279,7 +16023,7 @@ index e100d88..1debeb2 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3293,300 @@ interface(`kernel_unconfined',` +@@ -2975,5 +3293,300 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; 
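Review bot: In the kernel_sendrecv_unlabeled_association hunk the new side keeps the upstream comment `# temporary hack until labeling on packets is supported` while the rule it describes is deleted and left behind as `# allow $1 unlabeled_t:packet { send recv };`, so the comment now explains a rule that no longer exists. The patch also introduces a new unlabelednet module (the `policy/modules/kernel/unlabelednet.fc` file header appears later in this file), so the packet access was presumably moved there; it would be cleaner to delete both lines rather than leave a commented-out rule, or to replace them with a one-line pointer such as `# unlabeled packet access is granted by the unlabelednet module` if that is indeed where it went. The interface's opening lines are outside the hunk.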
@@ -18582,15 +16326,9 @@ index e100d88..1debeb2 100644 + list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..cdc610d 100644 +index 6fac350..cdc610d 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te -@@ -1,4 +1,4 @@ --policy_module(kernel, 1.17.1) -+policy_module(kernel, 1.16.1) - - ######################################## - # @@ -25,6 +25,9 @@ attribute kern_unconfined; # regular entries in proc attribute proc_type; @@ -18932,15 +16670,9 @@ index b08a6e8..43d504b 100644 + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') +') diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te -index 2da98c2..8067370 100644 +index 5cbeb54..8067370 100644 --- a/policy/modules/kernel/mcs.te +++ b/policy/modules/kernel/mcs.te -@@ -1,4 +1,4 @@ --policy_module(mcs, 1.3.0) -+policy_module(mcs, 1.2.1) - - ######################################## - # @@ -11,3 +11,4 @@ attribute mcssetcats; attribute mcswriteall; attribute mcsreadall; @@ -18954,7 +16686,7 @@ index 7be4ddf..4d4c577 100644 -# This module currently does not have any file contexts. +/selinux -l gen_context(system_u:object_r:security_t,s0) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index 6d0811d..a02d444 100644 +index 81440c5..a02d444 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',` 
@@ -19022,17 +16754,17 @@ index 6d0811d..a02d444 100644 allow $1 security_t:filesystem getattr; ') -@@ -220,7 +234,9 @@ interface(`selinux_search_fs',` +@@ -220,6 +234,9 @@ interface(`selinux_search_fs',` type security_t; ') + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) ++ dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir search_dir_perms; ') -@@ -244,6 +260,28 @@ interface(`selinux_dontaudit_search_fs',` +@@ -243,6 +260,28 @@ interface(`selinux_dontaudit_search_fs',` ######################################## ## @@ -19061,7 +16793,7 @@ index 6d0811d..a02d444 100644 ## Do not audit attempts to read ## generic selinuxfs entries ## -@@ -258,6 +296,7 @@ interface(`selinux_dontaudit_read_fs',` +@@ -257,6 +296,7 @@ interface(`selinux_dontaudit_read_fs',` type security_t; ') @@ -19069,24 +16801,22 @@ index 6d0811d..a02d444 100644 dontaudit $1 security_t:dir search_dir_perms; dontaudit $1 security_t:file read_file_perms; ') -@@ -279,7 +318,8 @@ interface(`selinux_get_enforce_mode',` +@@ -278,6 +318,8 @@ interface(`selinux_get_enforce_mode',` type security_t; ') -- dev_search_sysfs($1) + selinux_get_fs_mount($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; ') -@@ -310,22 +350,9 @@ interface(`selinux_set_enforce_mode',` +@@ -308,21 +350,9 @@ interface(`selinux_set_enforce_mode',` gen_require(` type security_t; attribute can_setenforce; - bool secure_mode_policyload; ') -- dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; typeattribute $1 can_setenforce; @@ -19102,7 +16832,7 @@ index 6d0811d..a02d444 100644 ') ######################################## -@@ -342,22 +369,14 @@ interface(`selinux_load_policy',` +@@ -339,21 +369,14 @@ interface(`selinux_load_policy',` gen_require(` type security_t; attribute can_load_policy; 
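Review bot: The selinux_search_fs hunk adds the triple `dev_getattr_sysfs_fs($1)` / `dev_search_sysfs($1)` / `allow $1 security_t:lnk_file read_lnk_file_perms;`, and the identical triple is repeated in selinux_load_policy, selinux_read_policy, selinux_set_generic_booleans, selinux_set_all_booleans, selinux_set_parameters, selinux_validate_context and each selinux_compute_* interface in the following hunks, whereas selinux_get_enforce_mode in a later hunk on this same line calls `selinux_get_fs_mount($1)` instead. If selinux_get_fs_mount grants exactly that access (its definition is not in view), the other interfaces should call it too, so that how selinuxfs is reached is maintained in one place. In that later hunk the direct `allow $1 security_t:dir list_dir_perms;` and `allow $1 security_t:file rw_file_perms;` rules are also dropped from selinux_set_enforce_mode, leaving the access to flow through the can_setenforce attribute; the attribute-based rules are not visible here and should be confirmed in selinux.te before this is merged.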
@@ -19110,7 +16840,7 @@ index 6d0811d..a02d444 100644 ') + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) ++ dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; @@ -19127,17 +16857,17 @@ index 6d0811d..a02d444 100644 ') ######################################## -@@ -375,7 +394,9 @@ interface(`selinux_read_policy',` +@@ -371,6 +394,9 @@ interface(`selinux_read_policy',` type security_t; ') + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) ++ dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; allow $1 security_t:security read_policy; -@@ -438,19 +459,16 @@ interface(`selinux_set_boolean',` +@@ -433,17 +459,16 @@ interface(`selinux_set_boolean',` interface(`selinux_set_generic_booleans',` gen_require(` type security_t; @@ -19146,8 +16876,7 @@ index 6d0811d..a02d444 100644 + typeattribute $1 can_setbool; + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) -- ++ dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; @@ -19161,7 +16890,7 @@ index 6d0811d..a02d444 100644 ') ######################################## -@@ -479,25 +497,16 @@ interface(`selinux_set_all_booleans',` +@@ -472,23 +497,16 @@ interface(`selinux_set_all_booleans',` gen_require(` type security_t, secure_mode_policyload_t; attribute boolean_type; @@ -19171,8 +16900,7 @@ index 6d0811d..a02d444 100644 + typeattribute $1 can_setbool; + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) -- ++ dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; - allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; 
@@ -19193,77 +16921,77 @@ index 6d0811d..a02d444 100644 ') ######################################## -@@ -528,7 +537,9 @@ interface(`selinux_set_parameters',` +@@ -519,6 +537,9 @@ interface(`selinux_set_parameters',` attribute can_setsecparam; ') + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) ++ dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security setsecparam; -@@ -552,7 +563,9 @@ interface(`selinux_validate_context',` +@@ -542,6 +563,9 @@ interface(`selinux_validate_context',` type security_t; ') + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) ++ dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security check_context; -@@ -595,7 +608,9 @@ interface(`selinux_compute_access_vector',` +@@ -584,6 +608,9 @@ interface(`selinux_compute_access_vector',` type security_t; ') + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) ++ dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_av; -@@ -617,7 +632,9 @@ interface(`selinux_compute_create_context',` +@@ -605,6 +632,9 @@ interface(`selinux_compute_create_context',` type security_t; ') + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) ++ dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_create; -@@ -639,7 +656,9 @@ interface(`selinux_compute_member',` +@@ -626,6 +656,9 @@ interface(`selinux_compute_member',` type security_t; ') + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) ++ dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 
security_t:file rw_file_perms; allow $1 security_t:security compute_member; -@@ -669,7 +688,9 @@ interface(`selinux_compute_relabel_context',` +@@ -655,6 +688,9 @@ interface(`selinux_compute_relabel_context',` type security_t; ') + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) ++ dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_relabel; -@@ -690,7 +711,9 @@ interface(`selinux_compute_user_contexts',` +@@ -675,6 +711,9 @@ interface(`selinux_compute_user_contexts',` type security_t; ') + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) ++ dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_user; -@@ -712,4 +735,29 @@ interface(`selinux_unconfined',` +@@ -696,4 +735,29 @@ interface(`selinux_unconfined',` ') typeattribute $1 selinux_unconfined_type; @@ -19294,15 +17022,9 @@ index 6d0811d..a02d444 100644 ') + diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te -index e0a973b..85f484d 100644 +index 522ab32..85f484d 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te -@@ -1,4 +1,4 @@ --policy_module(selinux, 1.12.1) -+policy_module(selinux, 1.12.0) - - ######################################## - # @@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false) attribute boolean_type; attribute can_load_policy; @@ -19412,7 +17134,7 @@ index 54f1827..39faa3f 100644 +/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 64c4cd0..ca6c727 100644 +index 1700ef2..ca6c727 100644 --- a/policy/modules/kernel/storage.if 
+++ b/policy/modules/kernel/storage.if @@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',` @@ -19467,25 +17189,10 @@ index 64c4cd0..ca6c727 100644 dev_add_entry_generic_dirs($1) ') -@@ -260,18 +284,55 @@ interface(`storage_manage_fixed_disk',` - ## Domain allowed access. - ## - ## --## --## --## Optional filename of the block device to be created --## --## - # - interface(`storage_dev_filetrans_fixed_disk',` - gen_require(` - type fixed_disk_device_t; - ') +@@ -269,6 +293,48 @@ interface(`storage_dev_filetrans_fixed_disk',` + dev_filetrans($1, fixed_disk_device_t, blk_file) + ') -- dev_filetrans($1, fixed_disk_device_t, blk_file, $2) -+ dev_filetrans($1, fixed_disk_device_t, blk_file) -+') -+ +####################################### +## +## Create block devices in /dev with the fixed disk type @@ -19526,10 +17233,12 @@ index 64c4cd0..ca6c727 100644 + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9") - ') - ++') ++ ######################################## -@@ -295,6 +356,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',` + ## + ## Create block devices in on a tmpfs filesystem with the +@@ -290,6 +356,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',` ######################################## ## @@ -19555,7 +17264,7 @@ index 64c4cd0..ca6c727 100644 ## Relabel fixed disk device nodes. ## ## -@@ -716,6 +796,24 @@ interface(`storage_dontaudit_raw_write_removable_device',` +@@ -711,6 +796,24 @@ interface(`storage_dontaudit_raw_write_removable_device',` dontaudit $1 removable_device_t:blk_file write_blk_file_perms; ') @@ -19580,7 +17289,7 @@ index 64c4cd0..ca6c727 100644 ######################################## ## ## Allow the caller to directly read -@@ -813,3 +911,452 @@ interface(`storage_unconfined',` +@@ -808,3 +911,452 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') 
@@ -20048,10 +17757,10 @@ index 156c333..02f5a3c 100644 + dev_manage_generic_blk_files(fixed_disk_raw_write) +') diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc -index 0ea25b6..a3e5a1e 100644 +index 7d45d15..a3e5a1e 100644 --- a/policy/modules/kernel/terminal.fc +++ b/policy/modules/kernel/terminal.fc -@@ -14,12 +14,13 @@ +@@ -14,11 +14,13 @@ /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) @@ -20061,13 +17770,12 @@ index 0ea25b6..a3e5a1e 100644 +/dev/sclp_line[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) --/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0) +/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0) +/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0) /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) -@@ -42,3 +43,7 @@ ifdef(`distro_gentoo',` +@@ -41,3 +43,7 @@ ifdef(`distro_gentoo',` # used by init scripts to initally populate udev /dev /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0) ') @@ -20076,7 +17784,7 @@ index 0ea25b6..a3e5a1e 100644 + +/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index cbb729b..e3722ab 100644 +index 771bce1..e3722ab 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -124,7 +124,7 @@ interface(`term_user_tty',` 
@@ -20452,10 +18160,11 @@ index cbb729b..e3722ab 100644 ## ## # -@@ -1513,21 +1713,435 @@ interface(`term_dontaudit_use_all_user_ttys',` +@@ -1512,3 +1712,436 @@ interface(`term_dontaudit_use_all_user_ttys',` + refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') term_dontaudit_use_all_ttys($1) ') - ++ +#################################### +## +## Getattr on the virtio console. @@ -20474,27 +18183,17 @@ index cbb729b..e3722ab 100644 + allow $1 virtio_device_t:chr_file getattr_chr_file_perms; +') + - ##################################### - ## --## Read from and write virtio console. ++##################################### ++## +## Read from and write to the virtio console. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # - interface(`term_use_virtio_console',` -- gen_require(` -- type virtio_device_t; -- ') -- -- dev_list_all_dev_nodes($1) -- allow $1 virtio_device_t:chr_file rw_term_perms; ++## ++# ++interface(`term_use_virtio_console',` + gen_require(` + type virtio_device_t; + ') @@ -20897,17 +18596,11 @@ index cbb729b..e3722ab 100644 + dev_filetrans($1, tty_device_t, chr_file, "xvc7") + dev_filetrans($1, tty_device_t, chr_file, "xvc8") + dev_filetrans($1, tty_device_t, chr_file, "xvc9") - ') ++') diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te -index 66e116a..a97d7cc 100644 +index c0b88bf..a97d7cc 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te -@@ -1,4 +1,4 @@ --policy_module(terminal, 1.11.1) -+policy_module(terminal, 1.10.1) - - ######################################## - # @@ -29,6 +29,7 @@ files_mountpoint(devpts_t) fs_associate_tmpfs(devpts_t) fs_type(devpts_t) @@ -20916,7 +18609,7 @@ index 66e116a..a97d7cc 100644 # # devtty_t is the type of /dev/tty. -@@ -54,8 +55,11 @@ dev_node(tty_device_t) +@@ -54,5 +55,11 @@ dev_node(tty_device_t) # # usbtty_device_t is the type of /dev/usr/tty* # 
@@ -20924,12 +18617,12 @@ index 66e116a..a97d7cc 100644 -dev_node(usbtty_device_t) +type usbtty_device_t; +term_tty(usbtty_device_t) - ++ +# +# virtio_device_t is the type of /dev/vport[0-9]p[0-9] +# - type virtio_device_t, serial_device; - dev_node(virtio_device_t) ++type virtio_device_t, serial_device; ++dev_node(virtio_device_t) diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc new file mode 100644 index 0000000..f310b9d @@ -21071,16 +18764,10 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..147eab1 100644 +index 5da7870..147eab1 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -1,4 +1,4 @@ --policy_module(staff, 2.4.0) -+policy_module(staff, 2.3.1) - - ######################################## - # -@@ -8,12 +8,71 @@ policy_module(staff, 2.4.0) +@@ -8,12 +8,71 @@ policy_module(staff, 2.3.1) role staff_r; userdom_unpriv_user_template(staff) @@ -21476,15 +19163,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..e49b8da 100644 +index 88d0028..e49b8da 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -1,43 +1,91 @@ --policy_module(sysadm, 2.6.1) -+policy_module(sysadm, 2.5.1) - - ######################################## - # +@@ -5,39 +5,87 @@ policy_module(sysadm, 2.5.1) # Declarations # 
@@ -21667,18 +19349,21 @@ index 2522ca6..e49b8da 100644 dmesg_exec(sysadm_t) ') -@@ -156,6 +217,10 @@ optional_policy(` +@@ -156,11 +217,11 @@ optional_policy(` ') optional_policy(` +- fstools_run(sysadm_t, sysadm_r) + firewalld_dbus_chat(sysadm_t) -+') -+ -+optional_policy(` - fstools_run(sysadm_t, sysadm_r) ') -@@ -175,6 +240,13 @@ optional_policy(` + optional_policy(` +- git_role(sysadm_r, sysadm_t) ++ fstools_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +@@ -179,6 +240,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -21692,7 +19377,7 @@ index 2522ca6..e49b8da 100644 ') optional_policy(` -@@ -182,15 +254,20 @@ optional_policy(` +@@ -186,15 +254,20 @@ optional_policy(` ') optional_policy(` @@ -21704,19 +19389,19 @@ index 2522ca6..e49b8da 100644 - libs_run_ldconfig(sysadm_t, sysadm_r) + kerberos_exec_kadmind(sysadm_t) + kerberos_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` ++ kudzu_run(sysadm_t, sysadm_r) ') optional_policy(` - lockdev_role(sysadm_r, sysadm_t) -+ kudzu_run(sysadm_t, sysadm_r) -+') -+ -+optional_policy(` + libs_run_ldconfig(sysadm_t, sysadm_r) ') optional_policy(` -@@ -210,22 +287,20 @@ optional_policy(` +@@ -214,22 +287,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -21745,7 +19430,7 @@ index 2522ca6..e49b8da 100644 ') optional_policy(` -@@ -237,14 +312,28 @@ optional_policy(` +@@ -241,14 +312,28 @@ optional_policy(` ') optional_policy(` @@ -21774,7 +19459,7 @@ index 2522ca6..e49b8da 100644 ') optional_policy(` -@@ -252,10 +341,20 @@ optional_policy(` +@@ -256,10 +341,20 @@ optional_policy(` ') optional_policy(` 
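Review bot: In the rebased optional_policy hunk `git_role(sysadm_r, sysadm_t)` is removed from the base and replaced by `+ fstools_run(sysadm_t, sysadm_r)`, so the patch now drops the sysadm git role even though the surrounding changes only move fstools_run and add firewalld_dbus_chat. Unless git_role is re-added in a hunk outside this view, this looks like a rebase artifact; keeping the git_role line as context and inserting fstools_run in its own `optional_policy(` … `')` block preserves the previous behaviour. If dropping the role is intended, it deserves a separate hunk so the intent is visible to the next rebase.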
@@ -21795,7 +19480,7 @@ index 2522ca6..e49b8da 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +365,41 @@ optional_policy(` +@@ -270,35 +365,41 @@ optional_policy(` ') optional_policy(` @@ -21844,7 +19529,7 @@ index 2522ca6..e49b8da 100644 ') optional_policy(` -@@ -308,6 +413,7 @@ optional_policy(` +@@ -312,6 +413,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -21852,7 +19537,7 @@ index 2522ca6..e49b8da 100644 ') optional_policy(` -@@ -315,12 +421,20 @@ optional_policy(` +@@ -319,12 +421,20 @@ optional_policy(` ') optional_policy(` @@ -21874,7 +19559,7 @@ index 2522ca6..e49b8da 100644 ') optional_policy(` -@@ -345,7 +459,18 @@ optional_policy(` +@@ -349,7 +459,18 @@ optional_policy(` ') optional_policy(` @@ -21894,7 +19579,7 @@ index 2522ca6..e49b8da 100644 ') optional_policy(` -@@ -356,19 +481,15 @@ optional_policy(` +@@ -360,19 +481,15 @@ optional_policy(` ') optional_policy(` @@ -21916,7 +19601,7 @@ index 2522ca6..e49b8da 100644 ') optional_policy(` -@@ -380,10 +501,6 @@ optional_policy(` +@@ -384,10 +501,6 @@ optional_policy(` ') optional_policy(` @@ -21927,7 +19612,7 @@ index 2522ca6..e49b8da 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +508,9 @@ optional_policy(` +@@ -395,6 +508,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -21937,7 +19622,7 @@ index 2522ca6..e49b8da 100644 ') optional_policy(` -@@ -398,31 +518,34 @@ optional_policy(` +@@ -402,31 +518,34 @@ optional_policy(` ') optional_policy(` @@ -21978,7 +19663,7 @@ index 2522ca6..e49b8da 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +558,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +558,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -21989,7 +19674,7 @@ index 2522ca6..e49b8da 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +578,79 @@ ifndef(`distro_redhat',` +@@ -463,15 +578,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23123,22 +20808,22 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 6d77e81..c3271fb 100644 +index cdfddf4..c3271fb 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -1,4 +1,11 @@ --policy_module(unprivuser, 2.4.0) -+policy_module(unprivuser, 2.3.1) -+ +@@ -1,5 +1,12 @@ + policy_module(unprivuser, 2.3.1) + +## +##

+## Allow unprivileged user to create and transition to svirt domains. +##

+##
+gen_tunable(unprivuser_use_svirt, false) - ++ # this module should be named user, but that is # a compile error since user is a keyword. + @@ -12,12 +19,102 @@ role user_r; userdom_unpriv_user_template(user) @@ -23666,15 +21351,9 @@ index 9d2f311..9e87525 100644 + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 0306134..19dfc1f 100644 +index 346d011..19dfc1f 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te -@@ -1,4 +1,4 @@ --policy_module(postgresql, 1.16.0) -+policy_module(postgresql, 1.15.4) - - gen_require(` - class db_database all_db_database_perms; @@ -19,25 +19,32 @@ gen_require(` # @@ -24635,16 +22314,10 @@ index fe0c682..e8dcfa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7..980e658 100644 +index 5fc0391..980e658 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te -@@ -1,4 +1,4 @@ --policy_module(ssh, 2.4.2) -+policy_module(ssh, 2.3.3) - - ######################################## - # -@@ -6,43 +6,65 @@ policy_module(ssh, 2.4.2) +@@ -6,43 +6,65 @@ policy_module(ssh, 2.3.3) # ## 
@@ -24725,21 +22398,19 @@ index cc877c7..980e658 100644 type ssh_t; type ssh_exec_t; -@@ -73,9 +95,11 @@ type ssh_home_t; +@@ -73,6 +95,11 @@ type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; userdom_user_home_content(ssh_home_t) +files_poly_parent(ssh_home_t) - --type sshd_keytab_t; --files_type(sshd_keytab_t) ++ +ifdef(`enable_mcs',` + init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) +') ############################## # -@@ -86,6 +110,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; +@@ -83,6 +110,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; @@ -24747,7 +22418,7 @@ index cc877c7..980e658 100644 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; -@@ -93,15 +118,11 @@ allow ssh_t self:sem create_sem_perms; +@@ -90,15 +118,11 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; @@ -24764,7 +22435,7 @@ index cc877c7..980e658 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -110,33 +131,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -107,33 +131,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) 
@@ -24812,7 +22483,7 @@ index cc877c7..980e658 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -157,40 +187,46 @@ files_read_var_files(ssh_t) +@@ -154,40 +187,46 @@ files_read_var_files(ssh_t) logging_send_syslog_msg(ssh_t) logging_read_generic_logs(ssh_t) @@ -24878,7 +22549,7 @@ index cc877c7..980e658 100644 ') optional_policy(` -@@ -198,6 +234,7 @@ optional_policy(` +@@ -195,6 +234,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -24886,7 +22557,7 @@ index cc877c7..980e658 100644 ############################## # # ssh_keysign_t local policy -@@ -209,6 +246,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -206,6 +246,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; allow ssh_keysign_t sshd_key_t:file { getattr read }; dev_read_urand(ssh_keysign_t) @@ -24894,13 +22565,11 @@ index cc877c7..980e658 100644 files_read_etc_files(ssh_keysign_t) -@@ -226,39 +264,56 @@ optional_policy(` +@@ -223,33 +264,56 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; - --allow sshd_t sshd_keytab_t:file read_file_perms; -- -manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) @@ -24927,9 +22596,6 @@ index cc877c7..980e658 100644 +corenet_tcp_bind_vnc_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) --ifdef(`distro_debian',` -- allow sshd_t self:process { getcap setcap }; --') +auth_exec_login_program(sshd_t) +auth_signal_chk_passwd(sshd_t) + @@ -24939,7 +22605,7 @@ index cc877c7..980e658 100644 +userdom_spec_domtrans_unpriv_users(sshd_t) +userdom_signal_unpriv_users(sshd_t) +userdom_dyntransition_unpriv_users(sshd_t) - ++ tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to 
@@ -24965,7 +22631,7 @@ index cc877c7..980e658 100644 ') optional_policy(` -@@ -266,12 +321,28 @@ optional_policy(` +@@ -257,11 +321,28 @@ optional_policy(` ') optional_policy(` @@ -24986,8 +22652,7 @@ index cc877c7..980e658 100644 ') optional_policy(` -- kerberos_read_keytab(sshd_t) -- kerberos_use(sshd_t) +- kerberos_keytab_template(sshd, sshd_t) + lvm_domtrans(sshd_t) +') + @@ -24996,7 +22661,7 @@ index cc877c7..980e658 100644 ') optional_policy(` -@@ -279,6 +350,10 @@ optional_policy(` +@@ -269,6 +350,10 @@ optional_policy(` ') optional_policy(` @@ -25007,7 +22672,7 @@ index cc877c7..980e658 100644 rpm_use_script_fds(sshd_t) ') -@@ -289,13 +364,93 @@ optional_policy(` +@@ -279,13 +364,93 @@ optional_policy(` ') optional_policy(` @@ -25101,7 +22766,7 @@ index cc877c7..980e658 100644 ######################################## # # ssh_keygen local policy -@@ -304,19 +459,33 @@ optional_policy(` +@@ -294,19 +459,33 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -25136,7 +22801,7 @@ index cc877c7..980e658 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -332,7 +501,14 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -322,7 +501,14 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) @@ -25151,7 +22816,7 @@ index cc877c7..980e658 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -341,3 +517,148 @@ optional_policy(` +@@ -331,3 +517,148 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -25301,7 +22966,7 @@ index cc877c7..980e658 100644 +') + diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 8274418..696dd0e 100644 +index d1f64a0..696dd0e 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,36 @@ 
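Review bot: `kerberos_keytab_template(sshd, sshd_t)` is deleted from the base in this hunk with no replacement visible, and the new base no longer carries the `sshd_keytab_t` rules the earlier patch version removed, so sshd's GSSAPI host authentication would lose keytab read access unless it is granted elsewhere in the patch. The previous version of the patch removed `kerberos_read_keytab(sshd_t)` and `kerberos_use(sshd_t)` at the same spot, so the drop may well be deliberate, but the replacement (presumably a kerberos_* call in one of the later ssh.te hunks) should be confirmed rather than assumed. The enclosing optional_policy block is complete within the hunk.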
@@ -25382,12 +23047,13 @@ index 8274418..696dd0e 100644 # /usr # --/usr/s?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0) +-/usr/(s)?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0) +-/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) +-/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0) +-/usr/(s)?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/s?bin/gdm3? -- gen_context(system_u:object_r:xdm_exec_t,s0) - /usr/s?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) --/usr/s?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0) --/usr/s?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/s?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/s?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/s?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/s?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) @@ -25407,7 +23073,7 @@ index 8274418..696dd0e 100644 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -92,26 +131,51 @@ ifndef(`distro_debian',` +@@ -92,25 +131,51 @@ ifndef(`distro_debian',` /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) @@ -25436,7 +23102,6 @@ index 8274418..696dd0e 100644 + +/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) --/var/run/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) 
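Review bot: `/usr/s?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)` survives as context on the new side, but a file_contexts path is a regular expression, so `lightdm*` matches `lightd`, `lightdm`, `lightdmm` and so on while matching no suffixed helper binary at all; `/usr/s?bin/lightdm.*` (or an explicit list of names) is almost certainly what was meant. The line predates this rebase, but the hunk already rewrites the neighbouring gdm and lxdm entries, so this is the natural place to correct it.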
@@ -25445,7 +23110,7 @@ index 8274418..696dd0e 100644 /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) --/var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0) +-/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -27100,15 +24765,9 @@ index 6bf0ecc..30ca475 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..5be1645 100644 +index 2696452..5be1645 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te -@@ -1,4 +1,4 @@ --policy_module(xserver, 3.9.4) -+policy_module(xserver, 3.8.4) - - gen_require(` - class x_drawable all_x_drawable_perms; @@ -26,28 +26,59 @@ gen_require(` # @@ -27178,7 +24837,7 @@ index 8b40377..5be1645 100644 # X Events attribute xevent_type; -@@ -107,67 +138,85 @@ xserver_object_types_template(remote) +@@ -107,44 +138,54 @@ xserver_object_types_template(remote) xserver_common_x_domain_template(remote, remote_t) type user_fonts_t; @@ -27234,10 +24893,7 @@ index 8b40377..5be1645 100644 typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; userdom_user_tmp_file(xauth_tmp_t) - # this is not actually a device, its a pipe - type xconsole_device_t; - files_type(xconsole_device_t) --dev_associate(xconsole_device_t) +@@ -154,19 +195,28 @@ files_type(xconsole_device_t) fs_associate_tmpfs(xconsole_device_t) files_associate_tmp(xconsole_device_t) 
@@ -27269,7 +24925,7 @@ index 8b40377..5be1645 100644 type xdm_var_lib_t; files_type(xdm_var_lib_t) -@@ -175,13 +224,27 @@ files_type(xdm_var_lib_t) +@@ -174,13 +224,27 @@ files_type(xdm_var_lib_t) type xdm_var_run_t; files_pid_file(xdm_var_run_t) @@ -27298,7 +24954,7 @@ index 8b40377..5be1645 100644 # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) -@@ -194,14 +257,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; +@@ -193,14 +257,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; init_system_domain(xserver_t, xserver_exec_t) ubac_constrained(xserver_t) @@ -27317,7 +24973,7 @@ index 8b40377..5be1645 100644 userdom_user_tmpfs_file(xserver_tmpfs_t) type xsession_exec_t; -@@ -226,21 +287,33 @@ optional_policy(` +@@ -225,21 +287,33 @@ optional_policy(` # allow iceauth_t iceauth_home_t:file manage_file_perms; @@ -27332,12 +24988,16 @@ index 8b40377..5be1645 100644 -userdom_use_user_terminals(iceauth_t) +userdom_use_inherited_user_terminals(iceauth_t) userdom_read_user_tmp_files(iceauth_t) -+userdom_read_all_users_state(iceauth_t) -+userdom_home_manager(iceauth_t) - +- -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(iceauth_t) -') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_files(iceauth_t) ++userdom_read_all_users_state(iceauth_t) ++userdom_home_manager(iceauth_t) ++ +ifdef(`hide_broken_symptoms',` + dev_dontaudit_read_urand(iceauth_t) + dev_dontaudit_rw_dri(iceauth_t) @@ -27345,9 +25005,7 @@ index 8b40377..5be1645 100644 + fs_dontaudit_list_inotifyfs(iceauth_t) + fs_dontaudit_rw_anon_inodefs_files(iceauth_t) + term_dontaudit_use_unallocated_ttys(iceauth_t) - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_files(iceauth_t) ++ + userdom_dontaudit_read_user_home_content_files(iceauth_t) + userdom_dontaudit_write_user_home_content_files(iceauth_t) + userdom_dontaudit_write_user_tmp_files(iceauth_t) 
@@ -27358,7 +25016,7 @@ index 8b40377..5be1645 100644 ') ######################################## -@@ -248,48 +321,90 @@ tunable_policy(`use_samba_home_dirs',` +@@ -247,48 +321,90 @@ tunable_policy(`use_samba_home_dirs',` # Xauth local policy # @@ -27460,7 +25118,7 @@ index 8b40377..5be1645 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -300,64 +415,109 @@ optional_policy(` +@@ -299,64 +415,109 @@ optional_policy(` # XDM Local policy # @@ -27580,7 +25238,7 @@ index 8b40377..5be1645 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -27613,7 +25271,7 @@ index 8b40377..5be1645 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -27667,7 +25325,7 @@ index 8b40377..5be1645 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +612,28 @@ files_list_mnt(xdm_t) +@@ -430,9 +612,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
@@ -27696,7 +25354,7 @@ index 8b40377..5be1645 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +642,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +642,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -27745,7 +25403,7 @@ index 8b40377..5be1645 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +689,151 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +689,151 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -27903,7 +25561,7 @@ index 8b40377..5be1645 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -503,11 +847,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +847,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -27930,11 +25588,14 @@ index 8b40377..5be1645 100644 ') optional_policy(` -@@ -519,7 +878,28 @@ optional_policy(` - dbus_connect_system_bus(xdm_t) +@@ -514,12 +874,57 @@ optional_policy(` + ') - optional_policy(` -- accountsd_dbus_chat(xdm_t) + optional_policy(` ++ dbus_system_bus_client(xdm_t) ++ dbus_connect_system_bus(xdm_t) ++ ++ optional_policy(` + bluetooth_dbus_chat(xdm_t) + ') + @@ -27957,10 +25618,13 @@ index 8b40377..5be1645 100644 + + optional_policy(` + networkmanager_dbus_chat(xdm_t) - ') - ') - -@@ -530,6 +910,21 @@ optional_policy(` ++ ') ++') ++ ++optional_policy(` + # Talk to the console mouse server. + gpm_stream_connect(xdm_t) + gpm_setattr_gpmctl(xdm_t) ') optional_policy(` @@ -27982,7 +25646,7 @@ index 8b40377..5be1645 100644 hostname_exec(xdm_t) ') -@@ -547,28 +942,78 @@ optional_policy(` +@@ -537,28 +942,78 @@ optional_policy(` ') optional_policy(` 
@@ -28070,7 +25734,7 @@ index 8b40377..5be1645 100644 ') optional_policy(` -@@ -580,6 +1025,14 @@ optional_policy(` +@@ -570,6 +1025,14 @@ optional_policy(` ') optional_policy(` @@ -28085,7 +25749,7 @@ index 8b40377..5be1645 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1047,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -584,7 +1047,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -28094,7 +25758,7 @@ index 8b40377..5be1645 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1057,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +1057,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -28107,7 +25771,7 @@ index 8b40377..5be1645 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1074,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1074,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -28123,7 +25787,7 @@ index 8b40377..5be1645 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1090,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1090,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -28134,7 +25798,7 @@ index 8b40377..5be1645 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,12 +1105,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1105,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -28156,7 +25820,7 @@ index 8b40377..5be1645 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -651,12 +1125,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1125,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -28170,7 +25834,7 @@ index 8b40377..5be1645 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1151,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1151,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -28202,7 +25866,7 @@ index 8b40377..5be1645 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -704,7 +1183,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1183,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -28220,7 +25884,7 @@ index 8b40377..5be1645 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1206,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1206,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -28244,7 +25908,7 @@ index 8b40377..5be1645 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -28253,7 +25917,7 @@ index 8b40377..5be1645 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,16 +1269,44 @@ optional_policy(` +@@ -775,16 +1269,44 @@ optional_policy(` ') optional_policy(` @@ -28299,7 +25963,7 @@ index 8b40377..5be1645 100644 unconfined_domtrans(xserver_t) ') -@@ -803,6 +1315,10 @@ optional_policy(` +@@ -793,6 +1315,10 @@ optional_policy(` ') optional_policy(` @@ -28310,7 +25974,7 @@ index 8b40377..5be1645 100644 xfs_stream_connect(xserver_t) ') -@@ -818,10 +1334,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1334,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! 
@@ -28324,7 +25988,7 @@ index 8b40377..5be1645 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -829,7 +1345,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1345,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -28333,7 +25997,7 @@ index 8b40377..5be1645 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1358,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1358,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -28368,7 +26032,7 @@ index 8b40377..5be1645 100644 ') optional_policy(` -@@ -912,7 +1423,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1423,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -28377,7 +26041,7 @@ index 8b40377..5be1645 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1477,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1477,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -28409,7 +26073,7 @@ index 8b40377..5be1645 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1523,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1523,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -28733,7 +26397,7 @@ index c6fdab7..af71c62 100644 sudo_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 2479587..ed25543 100644 +index 28ad538..ed25543 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -1,14 +1,28 @@ @@ -28797,7 +26461,7 @@ index 2479587..ed25543 100644 /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -@@ -30,21 +56,24 @@ ifdef(`distro_gentoo', ` +@@ -30,20 +56,24 @@ ifdef(`distro_gentoo', ` /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) @@ -28825,9 +26489,7 @@ index 2479587..ed25543 100644 /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) --/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) --/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -+/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) + /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 3efd5b6..3accfe3 100644 --- a/policy/modules/system/authlogin.if @@ -29692,15 +27354,10 @@ index 3efd5b6..3accfe3 100644 + allow $1 login_pgm:process sigchld; +') 
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791d..837948b 100644 +index 104037e..837948b 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te -@@ -1,10 +1,23 @@ --policy_module(authlogin, 2.5.1) -+policy_module(authlogin, 2.4.2) - - ######################################## - # +@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2) # Declarations # @@ -30223,15 +27880,9 @@ index d475c2d..55305d5 100644 + files_etc_filetrans($1, adjtime_t, file, "adjtime" ) +') diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te -index edece47..7fcd27a 100644 +index 3694bfe..7fcd27a 100644 --- a/policy/modules/system/clock.te +++ b/policy/modules/system/clock.te -@@ -1,4 +1,4 @@ --policy_module(clock, 1.7.0) -+policy_module(clock, 1.6.2) - - ######################################## - # @@ -46,18 +46,19 @@ fs_search_auto_mountpoints(hwclock_t) term_dontaudit_use_console(hwclock_t) @@ -30267,7 +27918,7 @@ index edece47..7fcd27a 100644 ') diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc -index 948ce2a..ce0abe6 100644 +index a97a096..ce0abe6 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc @@ -1,4 +1,3 @@ 
@@ -30283,11 +27934,8 @@ index 948ce2a..ce0abe6 100644 /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -33,17 +31,57 @@ - /sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -35,13 +33,55 @@ /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) --/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -30324,7 +27972,7 @@ index 948ce2a..ce0abe6 100644 +/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -30372,15 +28020,9 @@ index 016a770..1effeb4 100644 + files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid") +') diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index 3f48d30..9eebe0b 100644 +index 6c4b6ee..9eebe0b 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te -@@ -1,4 +1,4 @@ --policy_module(fstools, 1.16.1) -+policy_module(fstools, 1.15.0) - - ######################################## - # @@ -13,6 +13,9 @@ role system_r types fsadm_t; type fsadm_log_t; logging_log_file(fsadm_log_t) 
@@ -30576,15 +28218,9 @@ index e4376aa..2c98c56 100644 + allow $1 getty_unit_file_t:service start; +') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index f6743ea..4740426 100644 +index fc38c9c..4740426 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te -@@ -1,4 +1,4 @@ --policy_module(getty, 1.10.0) -+policy_module(getty, 1.9.1) - - ######################################## - # @@ -27,6 +27,17 @@ files_tmp_file(getty_tmp_t) type getty_var_run_t; files_pid_file(getty_var_run_t) @@ -30672,16 +28308,10 @@ index 187f04f..cf0af09 100644 interface(`hostname_exec',` gen_require(` diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te -index 24a7889..51e9aef 100644 +index f6cbda9..51e9aef 100644 --- a/policy/modules/system/hostname.te +++ b/policy/modules/system/hostname.te -@@ -1,4 +1,4 @@ --policy_module(hostname, 1.8.1) -+policy_module(hostname, 1.8.0) - - ######################################## - # -@@ -23,40 +23,46 @@ dontaudit hostname_t self:capability sys_tty_config; +@@ -23,39 +23,46 @@ dontaudit hostname_t self:capability sys_tty_config; kernel_list_proc(hostname_t) kernel_read_proc_symlinks(hostname_t) @@ -30719,7 +28349,6 @@ index 24a7889..51e9aef 100644 -miscfiles_read_localization(hostname_t) --sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t) sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t) sysnet_read_config(hostname_t) sysnet_dns_name_resolve(hostname_t) @@ -30759,15 +28388,9 @@ index 40eb10c..2a0a32c 100644 corecmd_search_bin($1) diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te -index b2097e7..7ebb938 100644 +index bb5c4a6..7ebb938 100644 --- a/policy/modules/system/hotplug.te +++ b/policy/modules/system/hotplug.te -@@ -1,4 +1,4 @@ --policy_module(hotplug, 1.16.0) -+policy_module(hotplug, 1.15.1) - - ######################################## - # @@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t) # 
@@ -30820,7 +28443,7 @@ index b2097e7..7ebb938 100644 ') diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index bc0ffc8..9d960bb 100644 +index 9a4d3a7..9d960bb 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc @@ -1,6 +1,9 @@ @@ -30845,7 +28468,7 @@ index bc0ffc8..9d960bb 100644 /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) # because nowadays, /sbin/init is often a symlink to /sbin/upstart /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) -@@ -42,20 +50,33 @@ ifdef(`distro_gentoo', ` +@@ -42,19 +50,33 @@ ifdef(`distro_gentoo', ` # /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -30870,7 +28493,6 @@ index bc0ffc8..9d960bb 100644 # # /var # --/var/run/initctl -p gen_context(system_u:object_r:initctl_t,s0) +/var/lib/systemd(/.*)? gen_context(system_u:object_r:init_var_lib_t,s0) /var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) @@ -30880,13 +28502,13 @@ index bc0ffc8..9d960bb 100644 ifdef(`distro_debian',` /var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0) -@@ -74,3 +95,4 @@ ifdef(`distro_suse', ` +@@ -73,3 +95,4 @@ ifdef(`distro_suse', ` /var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..6a39d34 100644 +index 24e7804..6a39d34 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -31670,82 +29292,33 @@ index 79a45f6..6a39d34 100644 ## init scripts over dbus. ##
## -@@ -1488,47 +1827,45 @@ interface(`init_use_script_ptys',` - - ######################################## - ## --## Read and write inherited init script ptys. -+## Do not audit attempts to read and -+## write the init script pty. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`init_use_inherited_script_ptys',` -+interface(`init_dontaudit_use_script_ptys',` - gen_require(` - type initrc_devpts_t; - ') - -- term_list_ptys($1) -- allow $1 initrc_devpts_t:chr_file { getattr read write ioctl }; -- -- init_use_fds($1) -+ dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append }; - ') +@@ -1526,6 +1865,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## --## Do not audit attempts to read and --## write the init script pty. -+## Get the attributes of init script ++## Manage init script +## status files. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`init_dontaudit_use_script_ptys',` -+interface(`init_getattr_script_status_files',` - gen_require(` -- type initrc_devpts_t; ++##
++## ++# ++interface(`init_manage_script_status_files',` ++ gen_require(` + type initrc_state_t; - ') - -- dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append }; -+ getattr_files_pattern($1, initrc_state_t, initrc_state_t) - ') - - ######################################## - ## --## Get the attributes of init script -+## Manage init script ++ ') ++ ++ manage_files_pattern($1, initrc_state_t, initrc_state_t) ++') ++ ++######################################## ++## + ## Do not audit attempts to read init script ## status files. ## - ## -@@ -1537,12 +1874,12 @@ interface(`init_dontaudit_use_script_ptys',` - ## - ## - # --interface(`init_getattr_script_status_files',` -+interface(`init_manage_script_status_files',` - gen_require(` - type initrc_state_t; - ') - -- getattr_files_pattern($1, initrc_state_t, initrc_state_t) -+ manage_files_pattern($1, initrc_state_t, initrc_state_t) - ') - - ######################################## -@@ -1605,6 +1942,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1584,6 +1942,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -31770,7 +29343,7 @@ index 79a45f6..6a39d34 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1677,6 +2032,43 @@ interface(`init_read_utmp',` +@@ -1656,6 +2032,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -31814,7 +29387,7 @@ index 79a45f6..6a39d34 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1765,7 +2157,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1744,7 +2157,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -31823,7 +29396,7 @@ index 79a45f6..6a39d34 100644 ') ######################################## -@@ -1806,6 +2198,133 @@ interface(`init_pid_filetrans_utmp',` +@@ -1785,6 +2198,133 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') 
@@ -31957,7 +29530,7 @@ index 79a45f6..6a39d34 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1840,3 +2359,450 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1819,3 +2359,450 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -32409,15 +29982,9 @@ index 79a45f6..6a39d34 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..3b2baa7 100644 +index dd3be8d..3b2baa7 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -1,4 +1,4 @@ --policy_module(init, 1.20.1) -+policy_module(init, 1.19.6) - - gen_require(` - class passwd rootok; @@ -11,10 +11,31 @@ gen_require(` ## @@ -32956,19 +30523,19 @@ index 17eda24..3b2baa7 100644 ') ######################################## -@@ -225,9 +570,9 @@ optional_policy(` +@@ -225,8 +570,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; -allow initrc_t self:capability ~{ sys_admin sys_module }; -+allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module }; - allow initrc_t self:capability2 block_suspend; -dontaudit initrc_t self:capability sys_module; # sysctl is triggering this ++allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module }; ++allow initrc_t self:capability2 block_suspend; +dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +603,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +603,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
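Review bot: The init.te rule `allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };` grants every capability not in the exclusion set, so any capability the kernel later adds to the class is granted implicitly; an explicit positive list would fail closed, at the cost of maintenance when init scripts genuinely need a new one. In the same hunk `+allow initrc_t self:capability2 block_suspend;` has become a patch addition where the previous revision carried it as context, which suggests the new upstream base dropped it; that is worth confirming against the base rather than keeping the rule by inertia. The trailing comment on `dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this` explains only sys_module, so the sys_ptrace half of the silence deserves its own reason in that comment. The initrc_t policy block starts and ends outside this hunk.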
@@ -32985,7 +30552,7 @@ index 17eda24..3b2baa7 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +628,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +628,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -33028,7 +30595,7 @@ index 17eda24..3b2baa7 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +665,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +665,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -33040,7 +30607,7 @@ index 17eda24..3b2baa7 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +677,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +677,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -33051,7 +30618,7 @@ index 17eda24..3b2baa7 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +688,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +688,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -33061,7 +30628,7 @@ index 17eda24..3b2baa7 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +697,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +697,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) 
@@ -33069,7 +30636,7 @@ index 17eda24..3b2baa7 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +704,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +704,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -33077,7 +30644,7 @@ index 17eda24..3b2baa7 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +712,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +712,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -33095,7 +30662,7 @@ index 17eda24..3b2baa7 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +730,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +730,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -33109,7 +30676,7 @@ index 17eda24..3b2baa7 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +745,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +745,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -33123,7 +30690,7 @@ index 17eda24..3b2baa7 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,6 +758,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +758,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -33131,7 +30698,7 @@ index 17eda24..3b2baa7 100644 selinux_get_enforce_mode(initrc_t) -@@ -398,6 +770,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +770,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -33139,7 +30706,7 @@ index 17eda24..3b2baa7 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +789,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +789,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -33163,7 +30730,7 @@ index 17eda24..3b2baa7 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +822,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +822,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -33171,7 +30738,7 @@ index 17eda24..3b2baa7 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +856,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +856,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -33182,7 +30749,7 @@ index 17eda24..3b2baa7 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +880,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +880,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -33191,7 +30758,7 @@ index 17eda24..3b2baa7 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +895,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +895,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -33199,7 +30766,7 @@ index 17eda24..3b2baa7 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +916,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +916,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -33207,7 +30774,7 @@ index 17eda24..3b2baa7 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +926,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +926,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -33252,7 +30819,7 @@ index 17eda24..3b2baa7 100644 ') optional_policy(` -@@ -559,14 +971,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +971,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -33284,7 +30851,7 @@ index 17eda24..3b2baa7 100644 ') ') -@@ -577,6 +1006,39 @@ ifdef(`distro_suse',` +@@ -576,6 +1006,39 @@ ifdef(`distro_suse',` ') ') @@ -33324,7 +30891,7 @@ index 17eda24..3b2baa7 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1051,8 @@ optional_policy(` +@@ -588,6 +1051,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -33333,7 +30900,7 @@ index 17eda24..3b2baa7 100644 ') optional_policy(` -@@ -610,6 +1074,7 @@ optional_policy(` +@@ -609,6 +1074,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -33341,7 +30908,7 @@ index 17eda24..3b2baa7 100644 ') optional_policy(` -@@ -626,6 +1091,17 @@ optional_policy(` +@@ -625,6 +1091,17 @@ optional_policy(` ') optional_policy(` @@ -33359,7 +30926,7 @@ index 17eda24..3b2baa7 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1118,13 @@ optional_policy(` +@@ -641,9 +1118,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -33373,7 +30940,7 @@ index 17eda24..3b2baa7 100644 ') optional_policy(` -@@ -657,15 +1137,11 @@ optional_policy(` +@@ -656,15 +1137,11 @@ optional_policy(` ') optional_policy(` @@ -33391,7 +30958,7 @@ index 17eda24..3b2baa7 100644 ') optional_policy(` -@@ -686,6 +1162,15 @@ optional_policy(` +@@ -685,6 +1162,15 @@ optional_policy(` ') optional_policy(` @@ -33407,7 +30974,7 @@ index 17eda24..3b2baa7 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1211,7 @@ optional_policy(` +@@ -725,6 +1211,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -33415,7 +30982,7 @@ index 17eda24..3b2baa7 100644 ') optional_policy(` -@@ -743,7 +1229,13 @@ optional_policy(` +@@ -742,7 +1229,13 @@ optional_policy(` ') optional_policy(` @@ -33430,7 +30997,7 @@ index 17eda24..3b2baa7 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1258,10 @@ optional_policy(` +@@ -765,6 +1258,10 @@ optional_policy(` ') optional_policy(` @@ -33441,7 +31008,7 @@ index 17eda24..3b2baa7 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1271,20 @@ optional_policy(` +@@ -774,10 +1271,20 @@ optional_policy(` ') optional_policy(` @@ -33462,7 +31029,7 @@ index 17eda24..3b2baa7 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1293,10 @@ optional_policy(` +@@ -786,6 +1293,10 @@ optional_policy(` ') optional_policy(` @@ -33473,7 +31040,7 @@ index 17eda24..3b2baa7 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1318,6 @@ optional_policy(` +@@ -807,8 +1318,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -33482,7 +31049,7 @@ index 17eda24..3b2baa7 100644 ') optional_policy(` -@@ -818,6 +1326,10 @@ optional_policy(` +@@ -817,6 +1326,10 @@ optional_policy(` ') optional_policy(` 
@@ -33493,7 +31060,7 @@ index 17eda24..3b2baa7 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1339,12 @@ optional_policy(` +@@ -826,10 +1339,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -33506,7 +31073,7 @@ index 17eda24..3b2baa7 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,12 +1371,35 @@ optional_policy(` +@@ -856,12 +1371,35 @@ optional_policy(` ') optional_policy(` @@ -33543,7 +31110,7 @@ index 17eda24..3b2baa7 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -872,6 +1409,18 @@ optional_policy(` +@@ -871,6 +1409,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -33562,7 +31129,7 @@ index 17eda24..3b2baa7 100644 ') optional_policy(` -@@ -887,6 +1436,10 @@ optional_policy(` +@@ -886,6 +1436,10 @@ optional_policy(` ') optional_policy(` @@ -33573,7 +31140,7 @@ index 17eda24..3b2baa7 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1450,218 @@ optional_policy(` +@@ -896,3 +1450,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -34054,15 +31621,9 @@ index 0d4c8d3..3a3ec52 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd04..5338f4d 100644 +index 9e54bf9..5338f4d 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te -@@ -1,4 +1,4 @@ --policy_module(ipsec, 1.14.0) -+policy_module(ipsec, 1.13.3) - - ######################################## - # @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) corecmd_shell_entry_type(ipsec_mgmt_t) role system_r types ipsec_mgmt_t; @@ -34352,10 +31913,10 @@ index 312cd04..5338f4d 100644 +userdom_use_inherited_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) 
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 73a1c4e..957deb0 100644 +index 1b93eb7..957deb0 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc -@@ -1,22 +1,32 @@ +@@ -1,21 +1,32 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) @@ -34383,7 +31944,6 @@ index 73a1c4e..957deb0 100644 /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) --/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) @@ -34445,15 +32005,9 @@ index c42fbc3..174cfdb 100644 ## ## Set the attributes of iptables config files. diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e..187eadd 100644 +index 5dfa44b..187eadd 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te -@@ -1,4 +1,4 @@ --policy_module(iptables, 1.14.0) -+policy_module(iptables, 1.13.1) - - ######################################## - # @@ -16,15 +16,15 @@ role iptables_roles types iptables_t; type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) @@ -35077,15 +32631,9 @@ index 808ba93..57a68da 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 54f8fa5..5a985c8 100644 +index 23a645e..5a985c8 100644 --- a/policy/modules/system/libraries.te 
+++ b/policy/modules/system/libraries.te -@@ -1,4 +1,4 @@ --policy_module(libraries, 2.10.0) -+policy_module(libraries, 2.9.2) - - ######################################## - # @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) # lib_t is the type of files in the system lib directories. # @@ -35273,15 +32821,9 @@ index 0e3c2a9..ea9bd57 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 446fa99..7b55414 100644 +index c04ac46..7b55414 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te -@@ -1,4 +1,4 @@ --policy_module(locallogin, 1.12.0) -+policy_module(locallogin, 1.11.1) - - ######################################## - # @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) type local_login_lock_t; files_lock_file(local_login_lock_t) @@ -36107,14 +33649,10 @@ index 4e94884..8de26ad 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..93ce51a 100644 +index 39ea221..93ce51a 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -1,9 +1,24 @@ --policy_module(logging, 1.20.1) -+policy_module(logging, 1.19.6) - - ######################################## +@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) # # Declarations # 
@@ -36309,26 +33847,23 @@ index 59b04c1..93ce51a 100644 mls_file_read_all_levels(klogd_t) -@@ -353,15 +394,13 @@ optional_policy(` - +@@ -354,12 +395,12 @@ optional_policy(` # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog --# sys_nice for rsyslog # cjp: why net_admin! --allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid }; +-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; +allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw }; dontaudit syslogd_t self:capability sys_tty_config; +allow syslogd_t self:capability2 { syslog block_suspend }; # setpgid for metalog # setrlimit for syslog-ng -# getsched for syslog-ng --# setsched for rsyslog --allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched }; +-allow syslogd_t self:process { signal_perms setpgid setrlimit getsched }; +allow syslogd_t self:process { signal_perms getcap setcap setpgid getsched setsched setrlimit }; # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,8 +408,10 @@ allow syslogd_t self:unix_dgram_socket sendto; +@@ -367,8 +408,10 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; 
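Review bot: The post-patch `allow syslogd_t self:capability { ... }` line carried as context in this hunk lists `setuid` and `setgid` twice (`... setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw`); as far as I know the duplicate is harmless to the compiled policy, but it reads as a merge accident and should be collapsed to `allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid net_raw };`. The same line grants `sys_ptrace`, `ipc_lock`, `setuid`/`setgid`, `sys_nice` and `net_raw` beyond upstream's set while the upstream comments around it (`# chown fsetid for syslog-ng`, `# sys_admin for the integrated klog of syslog-ng and metalog`) justify each capability individually, so a one-line comment per added capability naming the daemon that needs it would keep that convention and make later tightening possible. The commit itself only re-synchronises the removed upstream lines (upstream no longer carries `sys_nice`/`setsched` there), so the patch's own additions are unchanged by it.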
@@ -36339,7 +33874,15 @@ index 59b04c1..93ce51a 100644 # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; -@@ -389,30 +430,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -377,6 +420,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) + # create/append log files. + manage_files_pattern(syslogd_t, var_log_t, var_log_t) + rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) ++files_search_spool(syslogd_t) + + # Allow access for syslog-ng + allow syslogd_t var_log_t:dir { create setattr }; +@@ -386,28 +430,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -36356,12 +33899,11 @@ index 59b04c1..93ce51a 100644 +kernel_rw_stream_socket_perms(syslogd_t) kernel_read_system_state(syslogd_t) - kernel_read_network_state(syslogd_t) ++kernel_read_network_state(syslogd_t) kernel_read_kernel_sysctls(syslogd_t) kernel_read_proc_symlinks(syslogd_t) # Allow access to /proc/kmsg for syslog-ng kernel_read_messages(syslogd_t) --kernel_read_vm_sysctls(syslogd_t) +kernel_request_load_module(syslogd_t) kernel_clear_ring_buffer(syslogd_t) kernel_change_ring_buffer_level(syslogd_t) @@ -36385,7 +33927,7 @@ index 59b04c1..93ce51a 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +474,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -417,6 +474,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) 
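Review bot: The new inner hunk `@@ -377,6 +420,7 @@` inserts `files_search_spool(syslogd_t)` directly beneath upstream's `# create/append log files.` comment, which says nothing about spool directories, so the grant has no recorded rationale and is easy to mistake for a stray leftover on the next rebase. Add a why-comment above it, along the lines of `# <daemon> keeps its queue under /var/spool — TODO confirm which one` (placeholder to be filled in), or fold the reason into the existing comment. The `@@ -386,28 +430,41 @@` hunk on the same line, which turns `kernel_read_network_state(syslogd_t)` into a patch addition and drops the now-unneeded removal of `kernel_read_vm_sysctls`, is consistent with the rebase and needs no change.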
@@ -36394,7 +33936,7 @@ index 59b04c1..93ce51a 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +486,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -427,9 +486,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -36422,7 +33964,7 @@ index 59b04c1..93ce51a 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -447,14 +518,19 @@ files_read_kernel_symbol_table(syslogd_t) +@@ -442,14 +518,19 @@ files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) @@ -36442,7 +33984,7 @@ index 59b04c1..93ce51a 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +542,11 @@ init_use_fds(syslogd_t) +@@ -461,11 +542,11 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -36457,7 +33999,7 @@ index 59b04c1..93ce51a 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +573,8 @@ optional_policy(` +@@ -492,6 +573,8 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -36466,7 +34008,7 @@ index 59b04c1..93ce51a 100644 ') optional_policy(` -@@ -507,15 +585,40 @@ optional_policy(` +@@ -502,15 +585,40 @@ optional_policy(` ') optional_policy(` @@ -36507,7 +34049,7 @@ index 59b04c1..93ce51a 100644 ') optional_policy(` -@@ -526,3 +629,26 @@ optional_policy(` +@@ -521,3 +629,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -36535,10 +34077,10 @@ index 59b04c1..93ce51a 100644 + +logging_stream_connect_syslog(syslog_client_type) 
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 6b91740..633e449 100644 +index 879bb1e..633e449 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc -@@ -23,6 +23,8 @@ ifdef(`distro_gentoo',` +@@ -23,28 +23,35 @@ ifdef(`distro_gentoo',` /etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) @@ -36547,7 +34089,10 @@ index 6b91740..633e449 100644 # # /lib # -@@ -33,19 +35,23 @@ ifdef(`distro_gentoo',` + /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) + /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) + # # /sbin # @@ -36572,7 +34117,7 @@ index 6b91740..633e449 100644 /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) -@@ -89,8 +95,72 @@ ifdef(`distro_gentoo',` +@@ -88,8 +95,72 @@ ifdef(`distro_gentoo',` # # /usr # @@ -36647,7 +34192,7 @@ index 6b91740..633e449 100644 # # /var -@@ -98,5 +168,9 @@ ifdef(`distro_gentoo',` +@@ -97,5 +168,9 @@ ifdef(`distro_gentoo',` /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) @@ -36827,15 +34372,9 @@ index 58bc27f..f887230 100644 +') + diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 79048c4..b22837c 100644 +index e8c59a5..b22837c 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te -@@ -1,4 +1,4 @@ --policy_module(lvm, 1.15.2) -+policy_module(lvm, 1.14.1) - - ######################################## - # @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) type clvmd_initrc_exec_t; init_script_file(clvmd_initrc_exec_t) 
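Review bot: The added file context `/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)` only labels the helper; nothing in this hunk or in the lvm.te hunks further down shows an execute or domain-transition rule from the udev domain (`udev_t`) onto `lvm_exec_t`, so whether the helper now runs as `lvm_t`, keeps running in udev's domain, or is denied outright depends on rules outside this view. Please confirm the intended transition exists in the rebased tree, since a udev callout that loses its execute permission fails silently at device-add time. If the transition is present, a one-line comment on the entry such as `# udisks pv-export helper, entered from udev` would record why a udev helper carries the lvm entrypoint label.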
@@ -37061,7 +34600,7 @@ index 79048c4..b22837c 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -333,16 +374,31 @@ optional_policy(` +@@ -333,14 +374,30 @@ optional_policy(` ') optional_policy(` @@ -37090,10 +34629,8 @@ index 79048c4..b22837c 100644 + +optional_policy(` udev_read_db(lvm_t) -- udev_read_pid_files(lvm_t) ') - optional_policy(` diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc index 9fe8e01..83acb32 100644 --- a/policy/modules/system/miscfiles.fc @@ -37418,14 +34955,10 @@ index fc28bc3..faa2281 100644 + files_var_filetrans($1, public_content_t, dir, "ftp") +') diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te -index 1361961..8f8d80d 100644 +index d6293de..8f8d80d 100644 --- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te -@@ -1,10 +1,9 @@ --policy_module(miscfiles, 1.11.0) -+policy_module(miscfiles, 1.10.2) - - ######################################## +@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.2) # # Declarations # @@ -37622,15 +35155,10 @@ index 7449974..23bbbf2 100644 + files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 7a363b8..82004c9 100644 +index 7a49e28..82004c9 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te -@@ -1,11 +1,11 @@ --policy_module(modutils, 1.14.0) -+policy_module(modutils, 1.13.3) - - ######################################## - # +@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3) # Declarations # @@ -37894,10 +35422,10 @@ index 7a363b8..82004c9 100644 ifdef(`distro_gentoo',` diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc -index a38605e..f035d9f 100644 +index 72c746e..f035d9f 100644 --- a/policy/modules/system/mount.fc 
+++ b/policy/modules/system/mount.fc -@@ -1,6 +1,26 @@ +@@ -1,4 +1,26 @@ +/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -37905,8 +35433,7 @@ index a38605e..f035d9f 100644 -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/dev/\.mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) - --/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) ++ +/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) + @@ -38252,15 +35779,10 @@ index 4584457..8a190ae 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 459a0ef..d941116 100644 +index 6a50270..d941116 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te -@@ -1,47 +1,62 @@ --policy_module(mount, 1.16.1) -+policy_module(mount, 1.15.1) - - ######################################## - # +@@ -5,40 +5,58 @@ policy_module(mount, 1.15.1) # Declarations # @@ -38296,8 +35818,13 @@ index 459a0ef..d941116 100644 type mount_tmp_t; files_tmp_file(mount_tmp_t) - type mount_var_run_t; - files_pid_file(mount_var_run_t) +-# causes problems with interfaces when +-# this is optionally declared in monolithic +-# policy--duplicate type declaration +-type unconfined_mount_t; +-application_domain(unconfined_mount_t, mount_exec_t) ++type mount_var_run_t; ++files_pid_file(mount_var_run_t) +dev_associate(mount_var_run_t) + +# showmount - show mount information for an NFS server 
@@ -38311,12 +35838,7 @@ index 459a0ef..d941116 100644 +type mount_ecryptfs_exec_t; +application_domain(mount_ecryptfs_t, mount_ecryptfs_exec_t) +role system_r types mount_ecryptfs_t; - --# causes problems with interfaces when --# this is optionally declared in monolithic --# policy--duplicate type declaration --type unconfined_mount_t; --application_domain(unconfined_mount_t, mount_exec_t) ++ +type mount_ecryptfs_tmpfs_t; +files_tmpfs_file(mount_ecryptfs_tmpfs_t) @@ -38336,20 +35858,16 @@ index 459a0ef..d941116 100644 allow mount_t mount_loopback_t:file read_file_perms; -@@ -52,15 +67,24 @@ can_exec(mount_t, mount_exec_t) +@@ -49,9 +67,24 @@ can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) --create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t) --create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t) --rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t) --files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount") +manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) +manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) +files_pid_filetrans(mount_t,mount_var_run_t,{ dir file }) +files_var_filetrans(mount_t,mount_var_run_t,dir) +dev_filetrans(mount_t, mount_var_run_t, dir) - ++ +# In order to mount reiserfs_t +kernel_dontaudit_getattr_core_if(mount_t) +kernel_list_unlabeled(mount_t) 
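Review bot: `files_var_filetrans(mount_t,mount_var_run_t,dir)` in the `@@ -38336,20 +35858,16 @@` hunk is a name-less type transition, so every directory `mount_t` creates directly under `var_t` would appear to be labelled `mount_var_run_t`, which is broader than the `/run/mount(/.*)?` and `/dev/\.mount(/.*)?` paths the patch labels in mount.fc; if a single directory is meant, pass its name as the fourth argument (`files_var_filetrans(mount_t, mount_var_run_t, dir, "<name>")`, placeholder), or drop the rule if the adjacent `files_pid_filetrans`/`dev_filetrans` lines already cover the real paths — which case applies is not visible from here. As a style point, the four `manage_*_pattern`/`files_*_filetrans` lines omit the space after each comma while `dev_filetrans(mount_t, mount_var_run_t, dir)` and the rest of the file write `(a, b, c)`; normalising them to e.g. `manage_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)` keeps the block uniform. The commit itself only drops the removals of upstream's old `create_*_pattern` lines, so these are pre-existing patch lines on the new side.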
@@ -38358,15 +35876,15 @@ index 459a0ef..d941116 100644 kernel_read_system_state(mount_t) +kernel_read_network_state(mount_t) kernel_read_kernel_sysctls(mount_t) +-kernel_dontaudit_getattr_core_if(mount_t) +kernel_relabelfrom_unlabeled_fs(mount_t) +kernel_manage_debugfs(mount_t) - kernel_setsched(mount_t) --kernel_dontaudit_getattr_core_if(mount_t) ++kernel_setsched(mount_t) +kernel_use_fds(mount_t) kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) # To load binfmt_misc kernel module -@@ -69,60 +93,87 @@ kernel_request_load_module(mount_t) +@@ -60,31 +93,47 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -38417,8 +35935,7 @@ index 459a0ef..d941116 100644 files_read_isid_type_files(mount_t) # For reading cert files files_read_usr_files(mount_t) --files_list_all_mountpoints(mount_t) -+files_list_mnt(mount_t) +@@ -92,28 +141,39 @@ files_list_mnt(mount_t) files_dontaudit_write_all_mountpoints(mount_t) files_dontaudit_setattr_all_mountpoints(mount_t) @@ -38464,7 +35981,7 @@ index 459a0ef..d941116 100644 term_dontaudit_manage_pty_dirs(mount_t) auth_use_nsswitch(mount_t) -@@ -130,16 +181,21 @@ auth_use_nsswitch(mount_t) +@@ -121,16 +181,21 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -38488,7 +36005,7 @@ index 459a0ef..d941116 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -155,26 +211,27 @@ ifdef(`distro_ubuntu',` +@@ -146,26 +211,27 @@ ifdef(`distro_ubuntu',` ') ') @@ -38528,7 +36045,7 @@ index 459a0ef..d941116 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -188,6 +245,9 @@ optional_policy(` +@@ -179,6 +245,9 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) 
@@ -38538,7 +36055,7 @@ index 459a0ef..d941116 100644 ') optional_policy(` -@@ -195,6 +255,40 @@ optional_policy(` +@@ -186,6 +255,40 @@ optional_policy(` ') optional_policy(` @@ -38579,7 +36096,7 @@ index 459a0ef..d941116 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -203,28 +297,132 @@ optional_policy(` +@@ -194,24 +297,132 @@ optional_policy(` ') optional_policy(` @@ -38595,10 +36112,10 @@ index 459a0ef..d941116 100644 +optional_policy(` + #modutils_run_insmod(mount_t, mount_roles) + modutils_domtrans_insmod(mount_t) - modutils_read_module_deps(mount_t) - ') - - optional_policy(` ++ modutils_read_module_deps(mount_t) ++') ++ ++optional_policy(` + fstools_domtrans(mount_t) + #fstools_run(mount_t, mount_roles) +') @@ -39435,15 +36952,9 @@ index 3822072..270bde3 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc46420..8dae06f 100644 +index ec01d0b..8dae06f 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te -@@ -1,4 +1,4 @@ --policy_module(selinuxutil, 1.17.2) -+policy_module(selinuxutil, 1.17.0) - - gen_require(` - bool secure_mode; @@ -11,14 +11,16 @@ gen_require(` attribute can_write_binary_policy; @@ -39969,7 +37480,7 @@ index dc46420..8dae06f 100644 ') ######################################## -@@ -522,111 +598,196 @@ ifdef(`distro_ubuntu',` +@@ -522,108 +598,196 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -39994,8 +37505,6 @@ index dc46420..8dae06f 100644 -kernel_dontaudit_list_all_sysctls(setfiles_t) - -dev_relabel_all_dev_nodes(setfiles_t) --# to handle when /dev/console needs to be relabeled --dev_rw_generic_chr_files(setfiles_t) - -domain_use_interactive_fds(setfiles_t) -domain_dontaudit_search_all_domains_state(setfiles_t) 
@@ -40005,7 +37514,6 @@ index dc46420..8dae06f 100644 -files_list_all(setfiles_t) -files_relabel_all_files(setfiles_t) -files_read_usr_symlinks(setfiles_t) --files_dontaudit_read_all_symlinks(setfiles_t) - -fs_getattr_xattr_fs(setfiles_t) -fs_list_all(setfiles_t) @@ -40311,7 +37819,7 @@ index 1447687..d5e6fb9 100644 seutil_read_config(setrans_t) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 40edc18..95f4458 100644 +index 346a7cc..95f4458 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc @@ -17,23 +17,29 @@ ifdef(`distro_debian',` @@ -40379,18 +37887,23 @@ index 40edc18..95f4458 100644 /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) # -@@ -77,3 +99,6 @@ ifdef(`distro_debian',` - /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) +@@ -72,3 +94,11 @@ ifdef(`distro_redhat',` + ifdef(`distro_gentoo',` + /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) ') - ++ ++ifdef(`distro_debian',` ++/var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ++') ++ +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..fd3a212 100644 +index 6944526..fd3a212 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if -@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` +@@ -38,11 +38,49 @@ interface(`sysnet_domtrans_dhcpc',` # interface(`sysnet_run_dhcpc',` gen_require(` 
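Review bot: The `@@ -72,3 +94,11 @@` inner hunk re-adds the Debian block `/var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)`, which the dropped `-@@ -77,3 +99,6 @@` hunk suggests upstream no longer ships, but the matching runtime labelling — upstream's `init_daemon_run_dir(net_conf_t, "network")`, whose removal also disappears from the sysnetwork.te hunk `@@ -40916,20 +38454,16 @@` at L157 — is not re-added anywhere visible. If upstream did not move that transition elsewhere, a `/run/network` created at boot on Debian would stay `var_run_t` until a restorecon, making the re-added context either dead weight or incomplete; please confirm against the rebased upstream and restore the transition alongside the file context if it is gone. A short comment on the re-added block stating why Debian still needs it would also spare the next rebase this question.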
@@ -40418,10 +37931,29 @@ index 2cea692..fd3a212 100644 + ') + + seutil_run_setfiles(dhcpc_t, $2) ++') ++ ++######################################## ++## ++## Do not audit attempts to read and ++## write dhcpc udp socket descriptors. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`sysnet_dontaudit_rw_dhcpc_udp_sockets',` ++ gen_require(` ++ type dhcpc_t; ++ ') ++ ++ dontaudit $1 dhcpc_t:udp_socket { read write }; ') ######################################## -@@ -231,7 +250,7 @@ interface(`sysnet_rw_dhcp_config',` +@@ -212,7 +250,7 @@ interface(`sysnet_rw_dhcp_config',` ') files_search_etc($1) @@ -40430,7 +37962,7 @@ index 2cea692..fd3a212 100644 ') ######################################## -@@ -269,6 +288,7 @@ interface(`sysnet_read_dhcpc_state',` +@@ -250,6 +288,7 @@ interface(`sysnet_read_dhcpc_state',` type dhcpc_state_t; ') @@ -40438,7 +37970,7 @@ index 2cea692..fd3a212 100644 read_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ') -@@ -290,6 +310,43 @@ interface(`sysnet_delete_dhcpc_state',` +@@ -271,6 +310,43 @@ interface(`sysnet_delete_dhcpc_state',` delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ') @@ -40482,10 +38014,16 @@ index 2cea692..fd3a212 100644 ####################################### ## ## Set the attributes of network config files. -@@ -311,6 +368,44 @@ interface(`sysnet_setattr_config',` +@@ -287,7 +363,45 @@ interface(`sysnet_setattr_config',` + ') - ####################################### - ## + files_search_etc($1) +- allow $1 net_conf_t:file setattr; ++ allow $1 net_conf_t:file setattr_file_perms; ++') ++ ++####################################### ++## +## Allow caller to relabel net_conf files +## +## 
@@ -40520,16 +38058,19 @@ index 2cea692..fd3a212 100644 + ') + + allow $1 net_conf_t:file relabelto; -+') -+ -+####################################### -+## - ## Read network config files. - ## - ## -@@ -355,7 +450,10 @@ interface(`sysnet_read_config',` - ') + ') + + ####################################### +@@ -329,8 +443,17 @@ interface(`sysnet_read_config',` + files_search_etc($1) + allow $1 net_conf_t:file read_file_perms; ++ ifdef(`distro_debian',` ++ files_search_pids($1) ++ allow $1 net_conf_t:dir list_dir_perms; ++ read_files_pattern($1, net_conf_t, net_conf_t) ++ ') ++ ifdef(`distro_redhat',` + files_search_all_pids($1) + init_search_pid_dirs($1) @@ -40538,7 +38079,7 @@ index 2cea692..fd3a212 100644 read_files_pattern($1, net_conf_t, net_conf_t) ') ') -@@ -438,6 +536,42 @@ interface(`sysnet_etc_filetrans_config',` +@@ -413,6 +536,42 @@ interface(`sysnet_etc_filetrans_config',` ') files_etc_filetrans($1, net_conf_t, file, $2) @@ -40581,7 +38122,7 @@ index 2cea692..fd3a212 100644 ') ####################################### -@@ -453,7 +587,7 @@ interface(`sysnet_etc_filetrans_config',` +@@ -428,12 +587,51 @@ interface(`sysnet_etc_filetrans_config',` interface(`sysnet_manage_config',` gen_require(` type net_conf_t; @@ -40590,9 +38131,11 @@ index 2cea692..fd3a212 100644 allow $1 net_conf_t:file manage_file_perms; -@@ -463,7 +597,41 @@ interface(`sysnet_manage_config',` - ') - ++ ifdef(`distro_debian',` ++ files_search_pids($1) ++ manage_files_pattern($1, net_conf_t, net_conf_t) ++ ') ++ ifdef(`distro_redhat',` + files_search_all_pids($1) + init_search_pid_dirs($1) @@ -40632,7 +38175,7 @@ index 2cea692..fd3a212 100644 ') ') -@@ -501,6 +669,7 @@ interface(`sysnet_delete_dhcpc_pid',` +@@ -471,6 +669,7 @@ interface(`sysnet_delete_dhcpc_pid',` type dhcpc_var_run_t; ') 
@@ -40640,7 +38183,7 @@ index 2cea692..fd3a212 100644 allow $1 dhcpc_var_run_t:file unlink; ') -@@ -610,6 +779,25 @@ interface(`sysnet_signull_ifconfig',` +@@ -580,6 +779,25 @@ interface(`sysnet_signull_ifconfig',` ######################################## ## @@ -40666,7 +38209,7 @@ index 2cea692..fd3a212 100644 ## Read the DHCP configuration files. ## ## -@@ -626,6 +814,7 @@ interface(`sysnet_read_dhcp_config',` +@@ -596,6 +814,7 @@ interface(`sysnet_read_dhcp_config',` files_search_etc($1) allow $1 dhcp_etc_t:dir list_dir_perms; read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) @@ -40674,7 +38217,7 @@ index 2cea692..fd3a212 100644 ') ######################################## -@@ -647,6 +836,26 @@ interface(`sysnet_search_dhcp_state',` +@@ -617,6 +836,26 @@ interface(`sysnet_search_dhcp_state',` allow $1 dhcp_state_t:dir search_dir_perms; ') @@ -40701,7 +38244,7 @@ index 2cea692..fd3a212 100644 ######################################## ## ## Create DHCP state data. -@@ -711,8 +920,6 @@ interface(`sysnet_dns_name_resolve',` +@@ -681,8 +920,6 @@ interface(`sysnet_dns_name_resolve',` allow $1 self:udp_socket create_socket_perms; allow $1 self:netlink_route_socket r_netlink_socket_perms; @@ -40710,7 +38253,7 @@ index 2cea692..fd3a212 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -720,8 +927,13 @@ interface(`sysnet_dns_name_resolve',` +@@ -690,8 +927,13 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_sendrecv_dns_port($1) corenet_udp_sendrecv_dns_port($1) corenet_tcp_connect_dns_port($1) @@ -40724,7 +38267,7 @@ index 2cea692..fd3a212 100644 sysnet_read_config($1) optional_policy(` -@@ -750,8 +962,6 @@ interface(`sysnet_use_ldap',` +@@ -720,8 +962,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; 
@@ -40733,7 +38276,7 @@ index 2cea692..fd3a212 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -760,9 +970,14 @@ interface(`sysnet_use_ldap',` +@@ -730,9 +970,14 @@ interface(`sysnet_use_ldap',` # Support for LDAPS dev_read_rand($1) @@ -40748,7 +38291,7 @@ index 2cea692..fd3a212 100644 ') ######################################## -@@ -784,7 +999,6 @@ interface(`sysnet_use_portmap',` +@@ -754,7 +999,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) @@ -40756,7 +38299,7 @@ index 2cea692..fd3a212 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +1010,125 @@ interface(`sysnet_use_portmap',` +@@ -766,3 +1010,125 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -40883,15 +38426,10 @@ index 2cea692..fd3a212 100644 + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..f94755e 100644 +index b7686d5..f94755e 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te -@@ -1,10 +1,17 @@ --policy_module(sysnetwork, 1.15.4) -+policy_module(sysnetwork, 1.14.6) - - ######################################## - # +@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) # Declarations # 
@@ -40916,20 +38454,16 @@ index a392fc4..f94755e 100644 type dhcpc_state_t; files_type(dhcpc_state_t) -@@ -36,22 +45,22 @@ type ifconfig_exec_t; +@@ -36,18 +45,22 @@ type ifconfig_exec_t; init_system_domain(ifconfig_t, ifconfig_exec_t) role system_r types ifconfig_t; --type net_conf_t alias resolv_conf_t; --files_type(net_conf_t) +type ifconfig_var_run_t; +files_pid_file(ifconfig_var_run_t) +files_mountpoint(ifconfig_var_run_t) - --ifdef(`distro_debian',` -- init_daemon_run_dir(net_conf_t, "network") --') -+type net_conf_t alias resolv_conf_t; ++ + type net_conf_t alias resolv_conf_t; +-files_type(net_conf_t) +files_config_file(net_conf_t) ######################################## @@ -40946,7 +38480,7 @@ index a392fc4..f94755e 100644 allow dhcpc_t self:fifo_file rw_fifo_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; -@@ -64,8 +73,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) +@@ -60,8 +73,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) allow dhcpc_t dhcp_state_t:file read_file_perms; @@ -40958,7 +38492,7 @@ index a392fc4..f94755e 100644 # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) -@@ -74,6 +86,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) +@@ -70,6 +86,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. @@ -40967,7 +38501,7 @@ index a392fc4..f94755e 100644 sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) -@@ -95,39 +109,40 @@ kernel_rw_net_sysctls(dhcpc_t) +@@ -91,14 +109,13 @@ kernel_rw_net_sysctls(dhcpc_t) corecmd_exec_bin(dhcpc_t) corecmd_exec_shell(dhcpc_t) 
@@ -40988,14 +38522,10 @@ index a392fc4..f94755e 100644 corenet_tcp_sendrecv_all_ports(dhcpc_t) corenet_udp_sendrecv_all_ports(dhcpc_t) corenet_tcp_bind_all_nodes(dhcpc_t) - corenet_udp_bind_all_nodes(dhcpc_t) - corenet_tcp_bind_dhcpc_port(dhcpc_t) - corenet_udp_bind_dhcpc_port(dhcpc_t) --corenet_udp_bind_all_unreserved_ports(dhcpc_t) +@@ -108,21 +125,24 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) corenet_tcp_connect_all_ports(dhcpc_t) corenet_sendrecv_dhcpd_client_packets(dhcpc_t) --corenet_sendrecv_all_server_packets(dhcpc_t) -+corenet_sendrecv_dhcpc_server_packets(dhcpc_t) + corenet_sendrecv_dhcpc_server_packets(dhcpc_t) +corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t) +corenet_udp_bind_all_unreserved_ports(dhcpc_t) @@ -41019,7 +38549,7 @@ index a392fc4..f94755e 100644 fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) -@@ -137,11 +152,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) +@@ -132,11 +152,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) @@ -41036,7 +38566,7 @@ index a392fc4..f94755e 100644 modutils_run_insmod(dhcpc_t, dhcpc_roles) -@@ -161,7 +180,14 @@ ifdef(`distro_ubuntu',` +@@ -156,7 +180,14 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -41052,7 +38582,7 @@ index a392fc4..f94755e 100644 ') optional_policy(` -@@ -179,10 +205,6 @@ optional_policy(` +@@ -174,10 +205,6 @@ optional_policy(` ') optional_policy(` @@ -41063,7 +38593,7 @@ index a392fc4..f94755e 100644 hotplug_getattr_config_dirs(dhcpc_t) hotplug_search_config(dhcpc_t) -@@ -195,23 +217,36 @@ optional_policy(` +@@ -190,23 +217,36 @@ optional_policy(` optional_policy(` netutils_run_ping(dhcpc_t, dhcpc_roles) netutils_run(dhcpc_t, dhcpc_roles) @@ -41100,7 +38630,7 @@ index a392fc4..f94755e 100644 ') optional_policy(` -@@ -221,7 +256,11 @@ optional_policy(` +@@ -216,7 +256,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) 
@@ -41113,7 +38643,7 @@ index a392fc4..f94755e 100644 ') optional_policy(` -@@ -233,6 +272,10 @@ optional_policy(` +@@ -228,6 +272,10 @@ optional_policy(` ') optional_policy(` @@ -41124,7 +38654,7 @@ index a392fc4..f94755e 100644 vmware_append_log(dhcpc_t) ') -@@ -264,12 +307,24 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -259,12 +307,24 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -41149,7 +38679,7 @@ index a392fc4..f94755e 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -279,14 +334,32 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -274,14 +334,32 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -41182,7 +38712,7 @@ index a392fc4..f94755e 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +372,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,31 +372,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -41203,11 +38733,10 @@ index a392fc4..f94755e 100644 seutil_use_runinit_fds(ifconfig_t) --sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t) +-userdom_use_user_terminals(ifconfig_t) +sysnet_dns_name_resolve(ifconfig_t) +sysnet_filetrans_named_content_ifconfig(ifconfig_t) - --userdom_use_user_terminals(ifconfig_t) ++ +userdom_use_inherited_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) 
@@ -41240,22 +38769,21 @@ index a392fc4..f94755e 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,12 +427,11 @@ ifdef(`hide_broken_symptoms',` - ') - - optional_policy(` -- devicekit_read_pid_files(ifconfig_t) -+ dnsmasq_domtrans(ifconfig_t) +@@ -329,8 +427,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` - hal_dontaudit_rw_pipes(ifconfig_t) - hal_dontaudit_rw_dgram_sockets(ifconfig_t) ++ dnsmasq_domtrans(ifconfig_t) ++') ++ ++optional_policy(` + devicekit_dontaudit_read_pid_files(ifconfig_t) ') optional_policy(` -@@ -350,7 +440,15 @@ optional_policy(` +@@ -339,7 +440,15 @@ optional_policy(` ') optional_policy(` @@ -41272,7 +38800,7 @@ index a392fc4..f94755e 100644 ') optional_policy(` -@@ -371,3 +469,13 @@ optional_policy(` +@@ -360,3 +469,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -43450,7 +40978,7 @@ index 0000000..ea7a44f +read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t) + diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc -index f41857e..49fd32e 100644 +index 40928d8..49fd32e 100644 --- a/policy/modules/system/udev.fc +++ b/policy/modules/system/udev.fc @@ -1,6 +1,8 @@ @@ -43481,7 +41009,7 @@ index f41857e..49fd32e 100644 -/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) - -/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) --/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +-/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0) +/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) + +/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) @@ -43503,7 +41031,7 @@ index f41857e..49fd32e 100644 ifdef(`distro_debian',` /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0) 
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if -index 9a1650d..d7e8a01 100644 +index 0f64692..d7e8a01 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -34,6 +34,7 @@ interface(`udev_domtrans',` @@ -43708,7 +41236,7 @@ index 9a1650d..d7e8a01 100644 + role system_r; ') -- files_search_pids($1) +- files_search_var_lib($1) - manage_files_pattern($1, udev_var_run_t, udev_var_run_t) + allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms; +') @@ -43747,15 +41275,9 @@ index 9a1650d..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 39f185f..26bc8ba 100644 +index a5ec88b..26bc8ba 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te -@@ -1,4 +1,4 @@ --policy_module(udev, 1.16.2) -+policy_module(udev, 1.15.4) - - ######################################## - # @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) type udev_etc_t alias etc_udev_t; files_config_file(udev_etc_t) @@ -43777,7 +41299,7 @@ index 39f185f..26bc8ba 100644 ifdef(`enable_mcs',` kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh) init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh) -@@ -37,10 +38,11 @@ ifdef(`enable_mcs',` +@@ -37,9 +38,11 @@ ifdef(`enable_mcs',` # Local policy # 
@@ -43785,14 +41307,13 @@ index 39f185f..26bc8ba 100644 +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice }; +allow udev_t self:capability2 { block_suspend compromise_kernel }; dontaudit udev_t self:capability sys_tty_config; --allow udev_t self:capability2 block_suspend; -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + +allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; allow udev_t self:fifo_file rw_fifo_file_perms; -@@ -54,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto; +@@ -53,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto; allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; @@ -43800,10 +41321,11 @@ index 39f185f..26bc8ba 100644 allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -64,31 +67,41 @@ can_exec(udev_t, udev_helper_exec_t) +@@ -63,31 +67,41 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; +-# create udev database in /dev/.udevdb -allow udev_t udev_tbl_t:file manage_file_perms; -dev_filetrans(udev_t, udev_tbl_t, file) +allow udev_t udev_tmp_t:dir manage_dir_perms; 
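Review bot: The new `allow udev_t self:capability { ... }` line lists `sys_nice` twice, and the `capability2` rule next to it widens udev_t from `block_suspend` to `{ block_suspend compromise_kernel }` with no comment saying which udev operation needs it. checkpolicy tolerates the duplicate, but it suggests the set was assembled by hand rather than reviewed; `compromise_kernel` appears to be the capability the Fedora kernels of that period used to gate their secure-boot restrictions (confirm against the target kernel), and since udev_t also carries `corecmd_exec_all_executables` (visible in a later hunk header of this file) every helper it spawns inherits that grant. Drop the duplicate `sys_nice` and put the justification on the rule itself, e.g. `# compromise_kernel: needed for <udev operation -- confirm>`, so a later rebase can judge whether it is still required.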
@@ -43819,8 +41341,7 @@ index 39f185f..26bc8ba 100644 +manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) --manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) --files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev") +-files_pid_filetrans(udev_t, udev_var_run_t, { dir file }) +files_pid_filetrans(udev_t, udev_var_run_t, { file dir }) +allow udev_t udev_var_run_t:file mounton; +allow udev_t udev_var_run_t:dir mounton; @@ -43848,7 +41369,7 @@ index 39f185f..26bc8ba 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -99,6 +112,7 @@ corecmd_exec_all_executables(udev_t) +@@ -98,6 +112,7 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) @@ -43856,7 +41377,7 @@ index 39f185f..26bc8ba 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -107,23 +121,31 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -106,23 +121,31 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) @@ -43892,7 +41413,7 @@ index 39f185f..26bc8ba 100644 mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) -@@ -145,17 +167,20 @@ auth_use_nsswitch(udev_t) +@@ -144,17 +167,20 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) 
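Review bot: The pair `-files_pid_filetrans(udev_t, udev_var_run_t, { dir file })` / `+files_pid_filetrans(udev_t, udev_var_run_t, { file dir })` in the rebased hunk changes only the order of the class set, which is a no-op for the policy compiler, so the patch now carries a hunk line that exists purely as rebase churn; drop both lines so the context matches upstream. The two `mounton` rules on udev_var_run_t that follow are the substantive part of this hunk, and since mounton on a pid-file type is unusual they deserve a why-comment such as `# mounton: <which udev operation mounts over /run/udev -- confirm>` rather than standing bare.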
@@ -43914,37 +41435,20 @@ index 39f185f..26bc8ba 100644 seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) -@@ -169,24 +194,13 @@ sysnet_read_dhcpc_pid(udev_t) +@@ -168,7 +194,11 @@ sysnet_read_dhcpc_pid(udev_t) sysnet_delete_dhcpc_pid(udev_t) sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) -sysnet_etc_filetrans_config(udev_t) -- --userdom_dontaudit_search_user_home_content(udev_t) +sysnet_filetrans_named_content(udev_t) +#sysnet_etc_filetrans_config(udev_t) - --ifdef(`distro_debian',` -- files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug") ++ +systemd_login_read_pid_files(udev_t) +systemd_getattr_unit_files(udev_t) -- optional_policy(` -- # for /usr/lib/avahi/avahi-daemon-check-dns.sh -- kernel_read_vm_sysctls(udev_t) -- corenet_udp_bind_generic_node(udev_t) -- miscfiles_read_generic_certs(udev_t) -- avahi_create_pid_dirs(udev_t) -- avahi_initrc_domtrans(udev_t) -- avahi_manage_pid_files(udev_t) -- avahi_filetrans_pid(udev_t, dir, "avahi-daemon") -- ') --') -+userdom_dontaudit_search_user_home_content(udev_t) + userdom_dontaudit_search_user_home_content(udev_t) - ifdef(`distro_gentoo',` - # during boot, init scripts use /dev/.rcsysinit -@@ -195,16 +209,9 @@ ifdef(`distro_gentoo',` +@@ -179,16 +209,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -43963,7 +41467,7 @@ index 39f185f..26bc8ba 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -242,24 +249,38 @@ optional_policy(` +@@ -226,19 +249,38 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) @@ -43972,12 +41476,10 @@ index 39f185f..26bc8ba 100644 optional_policy(` dbus_system_bus_client(udev_t) -- dbus_use_system_bus_fds(udev_t) - - optional_policy(` -- consolekit_dbus_chat(udev_t) ++ ++ optional_policy(` + systemd_dbus_chat_logind(udev_t) - ') ++ ') ') optional_policy(` 
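Review bot: `+#sysnet_etc_filetrans_config(udev_t)` keeps the replaced call as commented-out code; `sysnet_filetrans_named_content(udev_t)` on the line above is the replacement, so delete the commented line rather than carrying it through every rebase, and if the named-content interface does not cover every file udev creates in /etc, record that as a real comment instead. The two calls `systemd_login_read_pid_files(udev_t)` and `systemd_getattr_unit_files(udev_t)` are added at top level rather than inside an `optional_policy(` block; unless the systemd module is built into base in this tree (it appears to be introduced as a new module elsewhere in this patch), udev will fail to build when that module is absent, so wrapping them as the neighbouring cross-module calls are would be safer.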
@@ -44004,21 +41506,18 @@ index 39f185f..26bc8ba 100644 ') optional_policy(` -@@ -281,11 +302,11 @@ optional_policy(` +@@ -264,6 +306,10 @@ optional_policy(` ') optional_policy(` -- lvm_domtrans(udev_t) -+ mount_domtrans(udev_t) - ') - - optional_policy(` -- mount_domtrans(udev_t) + networkmanager_dbus_chat(udev_t) ++') ++ ++optional_policy(` + openct_read_pid_files(udev_t) + openct_domtrans(udev_t) ') - - optional_policy(` -@@ -303,6 +324,15 @@ optional_policy(` +@@ -278,6 +324,15 @@ optional_policy(` ') optional_policy(` @@ -44034,7 +41533,7 @@ index 39f185f..26bc8ba 100644 unconfined_signal(udev_t) ') -@@ -315,6 +345,7 @@ optional_policy(` +@@ -290,6 +345,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) @@ -44069,7 +41568,7 @@ index 0abaf84..8b34dbc 100644 -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index 5ca20a9..01e03ec 100644 +index db7aabb..01e03ec 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -12,53 +12,57 @@ @@ -44147,16 +41646,15 @@ index 5ca20a9..01e03ec 100644 # auditallow $1 self:process execstack; ') -@@ -67,6 +71,8 @@ interface(`unconfined_domain_noaudit',` - ') - +@@ -69,6 +73,7 @@ interface(`unconfined_domain_noaudit',` optional_policy(` -+ # Communicate via dbusd. -+ dbus_system_bus_unconfined($1) - dbus_unconfined($1) + # Communicate via dbusd. + dbus_system_bus_unconfined($1) ++ dbus_unconfined($1) ') -@@ -121,9 +127,13 @@ interface(`unconfined_domain_noaudit',` + optional_policy(` +@@ -122,9 +127,13 @@ interface(`unconfined_domain_noaudit',` ## # interface(`unconfined_domain',` 
@@ -44171,7 +41669,7 @@ index 5ca20a9..01e03ec 100644 auditallow $1 self:process execheap; ') ') -@@ -149,7 +159,7 @@ interface(`unconfined_domain',` +@@ -150,7 +159,7 @@ interface(`unconfined_domain',` ## # interface(`unconfined_alias_domain',` @@ -44180,7 +41678,7 @@ index 5ca20a9..01e03ec 100644 ') ######################################## -@@ -175,414 +185,5 @@ interface(`unconfined_alias_domain',` +@@ -176,414 +185,5 @@ interface(`unconfined_alias_domain',` ## # interface(`unconfined_execmem_alias_program',` @@ -44597,14 +42095,10 @@ index 5ca20a9..01e03ec 100644 + refpolicywarn(`$0() has been deprecated.') ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 5fe902d..61f19e9 100644 +index 0280b32..61f19e9 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te -@@ -1,207 +1,7 @@ --policy_module(unconfined, 3.5.1) -+policy_module(unconfined, 3.5.0) - - ######################################## +@@ -4,237 +4,4 @@ policy_module(unconfined, 3.5.0) # # Declarations # @@ -44680,6 +42174,40 @@ index 5fe902d..61f19e9 100644 -') - -optional_policy(` +- init_dbus_chat_script(unconfined_t) +- +- dbus_stub(unconfined_t) +- +- optional_policy(` +- avahi_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- bluetooth_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- consolekit_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- cups_dbus_chat_config(unconfined_t) +- ') +- +- optional_policy(` +- hal_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- networkmanager_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- oddjob_dbus_chat(unconfined_t) +- ') +-') +- +-optional_policy(` - firstboot_run(unconfined_t, unconfined_r) -') - @@ -44749,10 +42277,6 @@ index 5fe902d..61f19e9 100644 -') - -optional_policy(` -- rtkit_scheduled(unconfined_t) --') -- --optional_policy(` - rpm_run(unconfined_t, unconfined_r) -') - 
@@ -44775,10 +42299,6 @@ index 5fe902d..61f19e9 100644 -') - -optional_policy(` -- unconfined_dbus_chat(unconfined_t) --') -- --optional_policy(` - usermanage_run_admin_passwd(unconfined_t, unconfined_r) -') - @@ -44807,7 +42327,14 @@ index 5fe902d..61f19e9 100644 -unconfined_domain_noaudit(unconfined_execmem_t) - -optional_policy(` +- dbus_stub(unconfined_execmem_t) +- +- init_dbus_chat_script(unconfined_execmem_t) - unconfined_dbus_chat(unconfined_execmem_t) +- +- optional_policy(` +- hal_dbus_chat(unconfined_execmem_t) +- ') -') +attribute unconfined_services; diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc @@ -44847,7 +42374,7 @@ index db75976..cb4a211 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..4ce3586 100644 +index 3c5dba7..4ce3586 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -46006,7 +43533,7 @@ index 9dc60c6..4ce3586 100644 ############################## # # Local policy -@@ -907,53 +1190,134 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,42 +1190,99 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # 
@@ -46101,27 +43628,26 @@ index 9dc60c6..4ce3586 100644 + optional_policy(` + cups_dbus_chat($1_usertype) + cups_dbus_chat_config($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- cups_dbus_chat($1_t) + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) -+ ') -+ -+ optional_policy(` -+ fprintd_dbus_chat($1_t) ') optional_policy(` -- cups_dbus_chat($1_t) +- gnome_role_template($1, $1_r, $1_t) ++ fprintd_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` + realmd_dbus_chat($1_t) ') optional_policy(` -- gnome_role_template($1, $1_r, $1_t) - wm_role_template($1, $1_r, $1_t) - ') +@@ -951,12 +1291,33 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -46156,7 +43682,7 @@ index 9dc60c6..4ce3586 100644 ') ####################################### -@@ -987,27 +1351,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1351,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -46194,7 +43720,7 @@ index 9dc60c6..4ce3586 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1388,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1388,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -46251,21 +43777,21 @@ index 9dc60c6..4ce3586 100644 + optional_policy(` + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) ++ ') ++ ++ optional_policy(` ++ wine_role_template($1, $1_r, $1_t) ') optional_policy(` - netutils_run_ping_cond($1_t, $1_r) - netutils_run_traceroute_cond($1_t, $1_r) -+ wine_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1450,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1450,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` 
@@ -46276,7 +43802,7 @@ index 9dc60c6..4ce3586 100644 ') ') -@@ -1079,7 +1488,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1488,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -46287,7 +43813,7 @@ index 9dc60c6..4ce3586 100644 ') ############################## -@@ -1095,6 +1506,7 @@ template(`userdom_admin_user_template',` +@@ -1098,6 +1506,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -46295,7 +43821,7 @@ index 9dc60c6..4ce3586 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1517,8 @@ template(`userdom_admin_user_template',` +@@ -1108,14 +1517,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -46312,7 +43838,7 @@ index 9dc60c6..4ce3586 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1534,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1534,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -46320,7 +43846,7 @@ index 9dc60c6..4ce3586 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1552,15 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1552,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -46336,7 +43862,7 @@ index 9dc60c6..4ce3586 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1571,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1571,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -46379,7 +43905,7 @@ index 9dc60c6..4ce3586 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1612,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1612,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -46388,7 +43914,7 @@ index 9dc60c6..4ce3586 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1621,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1621,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -46407,7 +43933,7 @@ index 9dc60c6..4ce3586 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1667,7 @@ template(`userdom_admin_user_template',` +@@ -1243,7 +1667,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -46416,7 +43942,7 @@ index 9dc60c6..4ce3586 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1677,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1677,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -46425,7 +43951,7 @@ index 9dc60c6..4ce3586 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1691,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1691,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) 
@@ -46437,7 +43963,7 @@ index 9dc60c6..4ce3586 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1705,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1705,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -46480,7 +44006,7 @@ index 9dc60c6..4ce3586 100644 ') optional_policy(` -@@ -1357,14 +1790,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1790,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -46499,7 +44025,7 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -1405,6 +1841,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1841,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -46551,7 +44077,7 @@ index 9dc60c6..4ce3586 100644 ## ## ## Domain allowed access. -@@ -1509,11 +1990,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1990,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -46583,7 +44109,7 @@ index 9dc60c6..4ce3586 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2056,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +2056,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -46598,7 +44124,7 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -1570,9 +2079,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2079,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -46610,7 +44136,7 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -1629,6 +2140,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2140,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -46653,7 +44179,7 @@ index 9dc60c6..4ce3586 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1704,10 +2251,12 @@ interface(`userdom_user_home_domtrans',` +@@ -1707,10 +2251,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` @@ -46668,7 +44194,7 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -1741,10 +2290,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2290,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -46683,7 +44209,7 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -1769,7 +2320,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2320,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -46710,7 +44236,7 @@ index 9dc60c6..4ce3586 100644 ## ## ## -@@ -1779,53 +2348,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,53 +2348,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -46793,7 +44319,7 @@ index 9dc60c6..4ce3586 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1845,6 +2431,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2431,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## 
@@ -46819,7 +44345,7 @@ index 9dc60c6..4ce3586 100644 ## Mmap user home files. ## ## -@@ -1875,14 +2480,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2480,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -46857,7 +44383,7 @@ index 9dc60c6..4ce3586 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1893,11 +2520,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2520,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` 
@@ -46875,59 +44401,62 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -1938,7 +2568,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2568,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## -## Delete all user home content files. +## Delete files in a user home subdirectory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_delete_user_home_content_files',` -+ gen_require(` -+ type user_home_t; -+ ') -+ -+ allow $1 user_home_t:file delete_file_perms; -+') -+ -+######################################## -+## -+## Delete all files in a user home subdirectory. ## ## ## -@@ -1948,17 +2596,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1949,19 +2576,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',` + ## + ## # - interface(`userdom_delete_all_user_home_content_files',` +-interface(`userdom_delete_all_user_home_content_files',` ++interface(`userdom_delete_user_home_content_files',` gen_require(` - attribute user_home_content_type; - type user_home_dir_t; -+ attribute user_home_type; ++ type user_home_t; ') - userdom_search_user_home_content($1) -- delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) -+ allow $1 user_home_type:file delete_file_perms; +- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type) ++ allow $1 user_home_t:file delete_file_perms; ') ######################################## ## -## Delete files in a user home subdirectory. -+## Delete sock files in a user home subdirectory. ++## Delete all files in a user home subdirectory. 
## ## ## -@@ -1966,12 +2612,48 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,12 +2594,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # -interface(`userdom_delete_user_home_content_files',` ++interface(`userdom_delete_all_user_home_content_files',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:file delete_file_perms; ++') ++ ++######################################## ++## ++## Delete sock files in a user home subdirectory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_delete_user_home_content_sock_files',` gen_require(` type user_home_t; @@ -46974,7 +44503,7 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -2007,8 +2689,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2689,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -46984,7 +44513,7 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -2024,20 +2705,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2705,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -47009,7 +44538,7 @@ index 9dc60c6..4ce3586 100644 ######################################## ## -@@ -2120,7 +2795,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2795,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -47018,7 +44547,7 @@ index 9dc60c6..4ce3586 100644 ## ## ## -@@ -2128,19 +2803,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2803,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # 
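Review bot: The rewritten `userdom_delete_all_user_home_content_files` and the new `userdom_delete_user_home_content_files` grant only `delete_file_perms` on the file type (`allow $1 user_home_type:file delete_file_perms;` and `allow $1 user_home_t:file delete_file_perms;`), whereas the upstream body they replace used `delete_files_pattern`, which also grants `del_entry_dir_perms` on the containing directory. Without `remove_name` on the parent directory an unlink is still denied, so callers that relied on the old interface will start seeing directory AVC denials unless they obtain that permission elsewhere; `delete_files_pattern($1, user_home_type, user_home_type)` and `delete_files_pattern($1, user_home_t, user_home_t)` restore the directory side in the two interfaces. The old body also called `userdom_search_user_home_content($1)`, so search on the home directory hierarchy is gone as well; if that omission is deliberate, the interface summaries should say that the caller must add directory search itself.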
@@ -47042,7 +44571,7 @@ index 9dc60c6..4ce3586 100644 ## ## ## -@@ -2148,12 +2821,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2821,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -47058,7 +44587,7 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -2390,11 +3063,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +3063,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -47073,7 +44602,7 @@ index 9dc60c6..4ce3586 100644 files_search_tmp($1) ') -@@ -2414,7 +3087,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3087,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -47082,7 +44611,7 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -2538,6 +3211,26 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2541,6 +3211,26 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -47109,7 +44638,7 @@ index 9dc60c6..4ce3586 100644 ## temporary symbolic links. ## ## -@@ -2566,6 +3259,27 @@ interface(`userdom_manage_user_tmp_symlinks',` +@@ -2569,6 +3259,27 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # @@ -47137,7 +44666,7 @@ index 9dc60c6..4ce3586 100644 interface(`userdom_manage_user_tmp_pipes',` gen_require(` type user_tmp_t; -@@ -2661,6 +3375,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3375,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -47163,7 +44692,7 @@ index 9dc60c6..4ce3586 100644 ######################################## ## ## Read user tmpfs files. -@@ -2677,13 +3410,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3410,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) 
@@ -47179,7 +44708,7 @@ index 9dc60c6..4ce3586 100644 ## ## ## -@@ -2704,7 +3438,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3438,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -47188,7 +44717,7 @@ index 9dc60c6..4ce3586 100644 ## ## ## -@@ -2712,14 +3446,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3446,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -47223,7 +44752,7 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -2814,6 +3564,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3564,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -47248,7 +44777,7 @@ index 9dc60c6..4ce3586 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3600,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3600,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -47291,7 +44820,7 @@ index 9dc60c6..4ce3586 100644 ## ## ## -@@ -2856,14 +3636,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3636,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -47329,7 +44858,7 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -2882,8 +3681,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3681,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -47359,7 +44888,7 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -2955,69 +3773,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3773,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -47460,7 +44989,7 @@ index 9dc60c6..4ce3586 100644 ## ## ## -@@ -3025,12 +3842,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3842,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # 
@@ -47475,7 +45004,7 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -3094,7 +3911,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3911,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -47484,7 +45013,7 @@ index 9dc60c6..4ce3586 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,16 +3927,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,16 +3927,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -47506,7 +45035,7 @@ index 9dc60c6..4ce3586 100644 ## ## ## -@@ -3127,35 +3946,17 @@ interface(`userdom_search_user_home_content',` +@@ -3130,35 +3946,17 @@ interface(`userdom_search_user_home_content',` ## ## # @@ -47545,7 +45074,7 @@ index 9dc60c6..4ce3586 100644 ## ## ## -@@ -3214,7 +4015,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +4015,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -47572,7 +45101,7 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -3269,7 +4088,83 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +4088,83 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -47657,7 +45186,7 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -3287,7 +4182,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +4182,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -47666,7 +45195,7 @@ index 9dc60c6..4ce3586 100644 ') ######################################## -@@ -3306,6 +4201,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4201,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) 
@@ -47674,7 +45203,7 @@ index 9dc60c6..4ce3586 100644 kernel_search_proc($1) ') -@@ -3382,6 +4278,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4278,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -47717,7 +45246,7 @@ index 9dc60c6..4ce3586 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4334,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4334,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -47742,7 +45271,7 @@ index 9dc60c6..4ce3586 100644 ## Create keys for all user domains. ## ## -@@ -3420,6 +4370,24 @@ interface(`userdom_create_all_users_keys',` +@@ -3423,6 +4370,24 @@ interface(`userdom_create_all_users_keys',` ######################################## ## @@ -47767,7 +45296,7 @@ index 9dc60c6..4ce3586 100644 ## Send a dbus message to all user domains. ## ## -@@ -3435,4 +4403,1664 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4403,1664 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -49433,16 +46962,10 @@ index 9dc60c6..4ce3586 100644 + ') ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38d..37730c1 100644 +index e2b538b..37730c1 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te -@@ -1,4 +1,4 @@ --policy_module(userdomain, 4.9.1) -+policy_module(userdomain, 4.8.5) - - ######################################## - # -@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) +@@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5) ## ##

@@ -50115,32 +47638,3 @@ index b96e9b3..ff7340f 100644 QUIET ?= y genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py -diff --git a/support/fc_sort.c b/support/fc_sort.c -index e03ef3b..6c43035 100644 ---- a/support/fc_sort.c -+++ b/support/fc_sort.c -@@ -1,4 +1,4 @@ --/* Copyright 2005,2013 Tresys Technology -+/* Copyright 2005, Tresys Technology - * - * Some parts of this came from matchpathcon.c in libselinux - */ -@@ -523,7 +523,7 @@ int main(int argc, char *argv[]) - fc_merge_sort(master); - - /* Open the output file. */ -- if (!(out_file = fopen(output_name, "w"))) { -+ if (!(out_file = fopen(argv[2], "w"))) { - printf("Error: failure opening output file for write.\n"); - return -1; - } -diff --git a/support/policyvers.py b/support/policyvers.py -deleted file mode 100644 -index 0d969a4..0000000 ---- a/support/policyvers.py -+++ /dev/null -@@ -1,4 +0,0 @@ --#!/usr/bin/python --import selinux --if selinux.is_selinux_enabled(): -- print selinux.security_policyvers() diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 061e335..b11cf3b 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch 
@@ -1,1085 +1,8 @@ -diff --git a/Changelog b/Changelog -deleted file mode 100644 -index 8b9356a..0000000 ---- a/Changelog -+++ /dev/null -@@ -1,1071 +0,0 @@ --* Wed Apr 24 2013 Chris PeBenito - 2.20130424 --Chris PeBenito (18): -- Rewrite of mcelog module from Guido Trentalancia -- Remove unnecessary lines in mcelog.te. -- Slight rearrangement in mcelog.te. -- Module version bump for mcelog update from Guido Trentalancia. -- Module version bump for ntp module fixes from Dominick Grift. -- Module version bump for fc substitutions optimizations from Sven -- Vermeulen. -- Module version bump for postfix/mta misc fixes from Sven Vermeulen. -- Module version bump for init_daemon_run_dirs usage from Sven Vermeulen. -- Turn off all tunables by default, from Guido Trentalancia. -- Module version bump for tunable default change. -- Module version bump for saslauthd tcp mysql connections from Mika Flueger. -- Move kernel request line in quota. -- Module version bump for quota kernel module request from Mika Pflueger. -- Module version bump for djbdns ports fixes from Russell Coker. -- Remove stray + in keystone.te. -- Whitespace fixes in cron.fc. -- Module version bump for pulseaudio type_transition conflict fix from Sven -- Vermeulen. -- Bump module versions for release. -- --Dominick Grift (889): -- Initial BIRD Internet Routing Daemon policy -- oident daemon fixes -- Introduce ntp_conf_t -- Allow ntp_admin() to manage ntp_drift_t content. -- List etc_t directories -- Use "Role allowed access." for consistency -- Use permissions sets for compatibility. 
-- Remove getattr permision from ntp_admin() -- Initial Sensord policy module -- Various block_suspend capability2 support from Fedora -- Gitolite3 support from Fedora -- /var/lib/sqlgrey is greylist milter data from Fedora -- Terminal related fixes for plymouthd from Fedora Support block_suspend -- capability2 for plymouth -- Support minimal polkit in new location -- Support ldap for user authentication from Fedora -- Sanlock sends kill signals to non-root processes from Fedora Various -- other capabilities for sanlock from Fedora -- Initial support for sqlgrey from Fedora -- Tor reads network sysctls from Fedora -- GPG agent reads /dev/random from Fedora -- Freshclam reads system and network state from Fedora -- Execute wpa_cli in the NetworkManager_t domain for wicd from Fedora -- lpstat.cups reads fips_enabled from Fedora -- Initial system tap compile server policy module -- Systemtap server admin manages stapserver_var_lib_t content -- Telepathy Idle reads gschemas.compiled from Fedora -- Initial slpd policy module -- Initial lightsquid policy module -- Initial wdmd policy module -- Initial mailscanner policy module and some depencies. -- Support slpd log rotation -- Initial numad policy module -- Open log files for append only -- CGClear reads CGConfig files from Fedora Cosmetic changes to cgroup -- policy module File contexts of cgroup app executables files in -- /sbin also apply to /usr/sbin Make cgroup_admin() a bit more -- compact -- Initial svnserve policy module -- Various small changes to ucspitcp -- Initial fcoe policy module -- Initial lldpad policy module -- fcoemon sends to lldpad with a dgram socket -- Initial quantum policy module -- Initial dspam policy module -- Module version bump for Telepathy file context spec fixes from Laurent -- Bigonville. 
-- Initial isns policy module -- Various changes to tcs policy module -- Initial ctdb policy module -- Various changes to the sblim policy module and its dependencies -- Initial polipo policy module -- Module version bump for networkmanager fixes -- Fixes to the polipo policy module -- Module version bump for smartmon fixes from Laurent Bigonville. -- Module version bump for accountsd file context spec fix from Laurent -- Bigonville. -- Various changes to the raid module -- Module version bump for rtkit file context spec fix from Laurent -- Bigonville -- Initial couchdb policy module -- Changes to the bind policy module -- Initial dnssectrigger policy module -- Initial man2html policy module -- Initial openhpi policy module -- Bind sends/receives http server instead of client packets conditionally -- Two file context regular expression fixes by Eric Paris -- Type mdadm_t is no longer a unconfined type -- Initial pkcs policy module -- Initial cfengine policy module -- Initial keystone policy module -- Initial l2tp policy module -- Initial mongodb policy module -- cfengine whitespace cleanup -- Changes to the accountsservice policy module -- Changes to the acct policy module -- Changes to the ada policy module -- changes to the afs policy module -- Changes to the accountsservice policy module -- Changes to the aiccu policy module -- Changes to the aide policy module -- Syntax error in afs_admin() -- Changes to the aisexec policy module -- Changes to the alsa policy module -- Changes to the amanda policy module -- Changes to the amavisd policy module and relevant dependencies -- Changes to the amtu policy module -- Changes to the anaconda policy module -- Changes to the abrt policy module and relevant dependencies -- numad sends/receives msgs from Fedora -- Amtu executable file in installed in /usr/sbin in Fedora -- The (usr/)? 
expression does not work consistently so better not use it -- at all -- Changes to the httpd policy module -- Merge branch 'master' of -- ssh://dgrift@oss.tresys.com/home/git/refpolicy-contrib -- Fixes to the apache policy module and dependencies -- Changes to the apcupsd policy module -- Role attributes for lightsquid application domain -- Changes to the mailscanner module -- Changes to the svnserve policy module -- Changes to the quantum policy module -- Changes to the dspam module -- Changes to the ctdb policy module -- Changes to the couchdb policy module -- Changes to the openhpid policy module -- Changes to the keystone policy module -- Changes to the l2tp policy module -- Changes to the apm module and relevant dependencies -- Changes to the arpwatch policy module -- Changes to the apcupsd policy module -- Changes to the abrt policy module -- Changes to the apache policy module -- Changes to the asterisk policy module and dependencies -- Changes to the authbind policy module -- Changes to the automount policy module -- Change acpid lock file context spec -- Changes to the avahi policy module and dependencies -- Changes to the awstats policy module -- Changes to the bacula policy module -- Changes to the bcfg2 policy module -- Changes to the apt policy module -- Changes to the apache policy module -- Changes to the backup module -- Changes to the bind policy module -- Bird module clean up -- Fix arpwatch connected_stream_socket_perms -- Changes to the bitlbee policy module -- Changes to the blueman policy module -- Changes to the bluetooth policy module -- Changes to the brctl policy module -- Changes to the apache policy module -- Changes to the bugzilla policy module -- Changes to the calamaris policy module -- Implement lightsquid_admin() -- Changes to the apache policy module and dependencies -- Initial boinc policy module -- Initial callweaver policy module -- Changes to the canna policy module -- Changes to the ccs policy module -- Changes to the 
cdrecord policy module -- Changes to the certmaster policy module and various role attribute fixes -- cdrecord needs to read and write callers unix domain stream socket not -- create it -- Changes to the certmonger policy module and its dependencies -- Initial cachefilesd policy module -- Changes to the certwatch policy module -- Changes to the chronyd policy module -- Changes to the cipe policy module -- Changes to the clamav policy module -- Various network clean up -- Add dev_rw_cachefiles() to cachefilesd policy module -- Changes to the clockspeed policy module -- Changes to the clogd policy module -- Changes to the cmirrord policy module -- Changes to the cobbler policy module -- Changes to the colord policy module -- Changes to the comsat policy module -- Initial collectd policy module -- Initial condor policy module and relevant dependencies -- Changes to the consolekit policy module and relevant dependencies -- Changes to the corosync policy module and relevant dependencies -- Clean up couchdb network rules -- Changes to the courier policy module -- Changes to the cpucontrol policy module -- Changes to the cpufreqselector policy module -- Changes to the cron policy module and relevant dependencies -- Changes to the cups policy module and relevant dependencies -- Changes to the cvs policy module -- Remove redundant connect avperms -- Changes to the cyphesis policy module -- Remove redundant rules from apache_admin() -- Changes to the cyrus policy module -- Changes to the daemontools policy module -- Changes to the dante policy module -- Modify dbadm boolean descriptions -- Changes to the dbus policy module and its dependencies -- Changes to the dcc policy module -- Changes to the ddclient policy module -- Changes to the ddcprobe policy module -- Changes to the denyhosts policy module -- Changes to the devicekit policy module and relevant dependencies -- Changes to the dhcpd policy module -- Changes tothe dictd policy module -- Changes to the discc policy 
module -- Changes to the djbdns policy module -- Changes to the dkim policy module -- Changes to the dmidecode policy module -- Module bump for Laurent Bigonville trousers init script file context -- specification fix -- Module bump for Laurent Bigonville libvirt init script file context -- specification fix -- Changes to the dnsmasq policy module and relevant dependencies -- Changes to the dovecot policy module -- Changes to the dpkg policy module -- Changes to the entropyd policy module -- Changes to the evolution policy module -- Changes to the exim policy module and relevant dependencies -- Changes to the cron policy module -- Changes to the fail2ban policy module -- fcoemon XML clean up -- Changes to the fetchmail policy module -- Changes to the fingerd policy module -- Initial firewalld policy module -- Changes to the firstboot policy module -- Changes to the fprint policy module and relevant dependencies -- Changes to the ftp module -- Changes to the games policy module -- Clean up evolution and cdrecord XML -- Changes to the gatekeeper policy module -- Changes to the gift policy module -- Changes to the git policy module -- Changes to the gitosis policy module -- Changes to the glance policy module -- Initial glusterfs policy module -- Add gatekeeper newline -- Deprecate glusterd_admin() use glusterfs_admin() instead -- Portage module version bump for autofs support by Matthew Thode and -- clean up -- cfengine: This location is now labeled with a cfengine private type -- Changes to the slpd policy module -- Changes to the gnomeclock policy module and relevant dependencies -- Changes to the gpg policy module -- Changes to the gpm policy module -- Changes to the gpsd policy module and relevant dependencies -- changes to the guest policy module -- Changes to the gnomeclock policy module -- Deprecate various DBUS interfaces and relevant dependencies -- Changes to the cachefilesd policy module -- Remove file context specification for kgpg which is a GUI frontend 
to -- GPG. Domain transition to gpg_t will happen when kgpg runs gpg. -- (rhbz#862229) -- Initial mandb policy module -- Changes to the hadoop policy module -- Changes to the hald policy module -- Changes to the hddtemp policy module -- Changes to the howl policy module -- changes to the mandb policy module -- Changes to the dbus policy module -- Changes to the rpm policy module -- Changes to the i18n_input policy module -- Changes to the icecast policy module -- Changes to the ifplugd policy module -- Changes to the imaze policy module -- Changes to the inetd policy module and relevant dependencies -- Changes to the innd policy module -- Changes to the irc policy module -- Changes to the ircd policy module -- Changes to the irc policy module -- Changes to the dbus policy module -- Changes to the avahi policy module -- Changes to the bluetooth policy module -- Changes to the aiccu policy module -- Changes to the bacula policy module -- Changes to the boinc policy module -- Changes to the bugzilla policy module -- Changes to the ccs policy module -- Changes to the clamav policy module -- Changes to the cobbler policy module -- Changes to the cyphesis policy module -- Changes to the dante policy module -- Changes to the dbskk policy module -- Changes to the ddclient policy module -- Changes to the denyhosts policy module -- Changes to the dnssectrigger policy module -- Changes to the dovecot policy module -- Changes to the drbd policy module -- Changes to the evolution policy module -- Changes to the fail2ban policy module -- Changes to the firewalld policy module -- Changes to the firstboot policy module -- Changes to the games policy module -- Changes to the gift policy module -- Changes to the glance policy module -- Changes to the hald policy module -- Changes to the dbus policy module -- Changes to the git policy module -- Changes to the polipo policy module -- Changes to the firewalld policy module -- Changes to the gpg policy module -- Tab clean up in 
ircbalance file context file -- Changes to the irqbalance policy module -- Tab clean up in iscsi file context file -- Changes to the iscsi policy module -- Tab clean up in jabber file context file -- Changes to the jabberd policy module -- Changes to the pyicqt policy module -- Tab clean up in java file context file -- Changes to the java policy module -- Changes to the dbus policy module -- Changes to the gnome policy module -- Changes to the apache policy module -- Changes to the accountsd policy module -- Changes to the alsa policy module -- Changes to the evolution policy module -- Changes to the bluetooth policy module -- Changes to the games policy module -- Changes to the gift policy module -- Changes to the gpg policy module -- Changes to the hadoop policy module -- Tab clean up in kdump file context file -- Changes to the kdump policy module -- Changes to the gpg policy module -- Changes to the dbus policy module -- Changes to the evolution policy module -- Changes to the gpm policy module -- Version bump for evolution file context fixes by Laurent Bigonville -- Version bump for nut file context fixes by Laurent Bigonville -- Changes to the kdumpgui policy module -- Tab clean up in kerberos file context file -- Changes to the kerberos policy module and relevant dependencies -- Changes to the kerneloops policy module -- Tab clean up in kerberos file context file -- Changes to the kismet policy module -- Clean up amavis XML header -- Initial keyboardd policy module -- Tab clean up in ksmtuned file context file -- Changes to the ksmtuned policy module -- Tab clean up in ktalk file context file -- Changes to the ktalk policy module -- Changes to the kudzu policy module -- Initial iodine policy module -- Initial dirmngr policy module -- Changes to the iodine policy module -- Changes to the kerberos policy module -- Changes to the kdumpgui policy module -- Update deprecated interface calls ( gnome_read_config -> -- gnome_read_generic_home_content ) -- Changes to 
the mozilla policy module -- Changes to the thunderbird policy module -- Changes to the l2tp policy module -- Tab clean up in ldap file context file -- Changes to the ldap policy module -- Tab clean up in likewise file context file -- Changes to the likewise policy module -- Tab clean up in lircd file context file -- Changes to the lircd policy module -- Changes to the livecd policy module -- Tab clean up in loadkeys file context file -- Changes to the loadkeys policy module and relevant dependencies -- Tab clean up in lockdev file context file -- Changes to the lockdev policy module -- Tab clean up in logrotate file context file -- Changes to the logrotate policy module and relevant dependencies -- Tab clean up in logwatch file context file -- Changes to the logrotate policy module -- Changes to the logwatch policy module -- Tab clean up in lpd file context file -- Changes to the lpd policy module -- Tab clean up in cron policy module -- Changes to the lpd policy module -- Changes to the consolekit policy module -- Tab fix in cron policy module -- Tab clean up in mailman file context file -- Changes to the mailman policy module and relevant dependencies -- Tab clean up in mcelog file context file -- Changes to the mcelog policy module -- Tab clean up in mediawiki file context file -- Mediawiki XML clean up -- Tab clean up in memcached file context file -- Changes to the memcached policy module -- Changes to the apache policy module -- Tab clean up in milter file context file -- Changes to the milter policy module and relevant dependencies -- Changes to the modemmanager policy module -- Tab clean up in mojomojo file context file -- Changes to the mojomojo policy module and relevant dependencies -- Changes to the gpg policy module -- Changes to the mongodb policy module -- Changes to the mono policy module -- Changes to the monop policy module -- Tab clean up in mozilla file context file -- Changes to the mozilla policy module and relevant dependencies -- Changes to 
the mozilla policy module -- Changes to the apache policy module -- Tab clean up in mpd file context file -- Changes to the mpd policy module -- Tab clean up in mplayer file context file -- Changes to the evolution policy module -- Changes to the mplayer policy module -- Changes to the irc policy module -- Tab clean up in mrtg file context file -- Changes to the mrtg policy module -- Tab clean up in mta file context file -- Changes to the mta policy module and relevant dependencies -- Changes to the mta policy module and relevant dependencies -- Get rid of mozilla_conf_t as it is unused -- Changes to the logrotate policy module -- Changes to the logwatch policy module -- Changes to the java policy module -- Changes to the apache module and relevant dependencies -- Tab clean up in munin file context file -- Changes to the munin policy module and relevant dependencies -- Tab clean up in mysql file context file -- Changes to mysqld policy module -- Changes to various policy modules -- Changes to the munin policy module -- Changes to the dovecot policy module -- Changes to various policy modules -- Changes to the mta policy module -- Changes to the certmonger policy module and relavant dependencies -- Tab clean up in nagios file context file -- Changes to the nagios policy module and relevant dependencies -- Changes to the modutils policy module -- Tab cleanup in the nessus file context file -- Changes to the nessus policy module -- Tab clean up in the network manager file context file -- Changes to the networkmanager policy module and relevant dependencies -- Changes to the mozilla policy module -- Changes to the cobbler policy module -- Initial rngd policy module -- Tab clean up in the nis file context file -- Changes to the nis policy module -- Tab clean up in the nscd file context file -- Changes to the nscd policy module -- Tab clean up in the nsd file context file -- Changes to the nsd policy module -- Tab clean up in the nslcd file context file -- Changes to the 
nslcd policy module -- Tab clean up in the ntop file context file -- Changes to the ntop policy module -- Tab clean up in the ntp file context file -- Changes to the ntp policy module -- Changes to the numad policy module -- Tab clean up in the nut file context file -- Changes to the nut policy module -- Tab clean up in the nx file context file -- Changes to the nx policy module -- Changes to the oav policy module -- Initial obex policy module -- Tab clean up in the oddjob file context file -- Tab clean up in gpg policy module -- Changes to the oddjob policy module -- Changes to the mozilla policy module -- Initial pacemaker policy module -- Tab clean up in the oidentd file context file -- Changes to the oident policy module -- Tab clean up in the openca file context file -- Changes to the openca policy module -- Tab clean up in the openct file context file -- Changes to the openct policy module -- Tab clean up in the openvpn file context file -- Changes to the openvpn policy module -- Tab clean up in the pads file context file -- Changes to the pads policy module -- Tab clean up in the passenger file context file -- Changes to the passenger policy module and relevant dependencies -- Tab clean up in the pcmcia file context file -- Changes to the pcmcia policy module -- Tab clean up in the pcscd file context file -- Changes to the pcscd policy module and relevant dependencies -- Tab clean up in the pegasus file context file -- Changes to the pegasus policy module -- Tab clean up in the perdition file context file -- Changes to the perdition policy module -- Tab clean up in the pingd file context file -- Changes to the pingd policy module -- Changes to the plymouthd policy module -- Changes to the mozilla policy module -- Changes to the plymouth policy module -- Tab clean up in the podsleuth file context file -- Changes to the podsleuth policy module -- Tab clean up in the policykit file context file -- Changes to the policykit policy module and relevant dependencies 
-- Tab clean up in the portage file context file -- Changes to the portage policy module -- Tab clean up in the portmap file context file -- Changes to the portmap policy module -- Tab clean up in the portreserve file context file -- Changes to the portreserve policy module -- Tab clean up in the portslave file context file -- Changes to the portslave policy module and relevant dependencies -- Tab clean up in the postfix file context file -- Changes to the postfix policy module and relevant dependencies -- Fixes to various policy modules -- Tab clean up in the postfixpolicyd file context file -- Changes to the postfixpolicyd policy module -- Tab clean up in the postgrey file context file -- Changes to the postgrey policy module -- Tab clean up in the ppp file context file -- Changes to the ppp policy module and relevant dependencies -- Tab clean up in the prelink file context file -- Changes to the prelink policy module and relevant dependencies -- Tab clean up in the prelude file context file -- Changes to the prelude policy module -- Tab clean up in the privoxy file context file -- Changes to the privoxy policy module -- Tab clean up in the procmail file context file -- Changes to the procmail policy module -- Tab clean up in the psad file context file -- Changes to the psad policy module -- Changes to the ptchown policy module -- Tab clean up in the publicfile file context file -- Changes to the publicfile policy module -- Fix a fatal syntax error in mozilla_plugin_role() -- Changes to the plymouth policy module -- Changes to the policykit policy module -- Module version bump for fixes in shorewall, fail2ban and portage policy -- modules by Sven Vermeulen -- Tab clean up in the puppet file context file -- Changes to ther puppet policy module and relevant dependencies -- Initial pwauth policy module -- Tab clean up in the pxe file context file -- Changes to the pxe policy module -- Tab clean up in the pyzor file context file -- Changes to the pyzor policy module 
-- Tab clean up in the qemu file context file -- Changes to the qemu policy module -- Tab clean up in the virt file context file -- Changes to the virt policy module and relevant depedencies -- Changes to the virt policy module -- Changes to the cron policy module -- Changes to the qemu policy module -- Changes to the virt policy module -- Epylog wants sys_nice and setsched -- Tab clean up in the qmail file context file -- Changes to the qmail policy module -- Tab clean up in the qpid file context file -- Changes to the qpid policy module -- Tab clean up in the quota file context file -- Changes to the quota policy module and relevant dependencies -- Initial rabbitmq policy module -- Tab clean up in the radius file context file -- Changes to the radius policy module -- Tab clean up in the radvd file context file -- Changes to the radvd policy module -- Changes to the raid policy module -- Tab clean up in the razor file context file -- Changes to the razor policy module and relevant dependencies -- Smokeping cgi needs to run ping with a domain transition Remove -- redundant socket create already provided by -- sysnet_dns_name_resolve() -- Changes to the virt policy module -- Changes to the apache policy module -- Changes to the gnome policy module -- Changes to the rdisc policy mpdule -- Changes to the readahead policy module -- Changes to the remotelogin policy module -- Tab clean up in the resmgr file context file -- Changes to the resmgr policy module -- Tab clean up in the rgmanager file context file -- Changes to the rgmanager policy module -- Initial Realmd policy module and relevant dependencies -- Fix resmgrd init script file context specification -- Changes to the cups policy module -- automount reads overcommit_memory -- Changes to the networkmanager policy module -- Freshclam manages amavis spool content -- Changes to the tftp policy module -- Changes to the cobbler policy module -- Tab clean up in the rhcs file context file -- Changes to the rhcs policy 
module and relevant dependencies -- Tab clean up in the rhgb file context file -- Changes to the rhgb policy module -- Tab clean up in the rhsmcertd file context file -- Changes to the rhsmcertd policy module -- Tab clean up in the ricci file context file -- Changes to the ricci policy module -- Tab clean up in the rlogin file context file -- Changes to the rlogin policy module -- Tab clean up in the roundup file context file -- Changes to the roundup policy module -- Changes to the remotelogin policy module -- Changes to the apache policy module -- Changes to the awstats policy module -- fix puppet_admin() need to require types that it uses -- Replace wrong type in puppet_admin() -- Fix a syntax error in ricci_domtrans() -- Catch all rpcbind content in /var/run -- Changes to the cups policy module -- Tab clean up in the rpc file context file -- Changes to the rpc policy module -- Tab clean up in the rpcbind file context file -- Changes to the rpcbind policy module -- Tab clean up in the rpm file context file -- Changes to the rpm policy module and depedencies -- Changes to the rshd policy module -- Changes to the virt policy module -- Changes to the rssh policy module -- Tab clean up in the rsync file context file -- Fix a typo in apache XML -- Changes to the rsync policy module -- Changes to the rtkit policy module -- Tab clean up in the rwho file context file -- Changes to the rwho policy module -- Reads /proc/sys/kernel/random/poolsize -- Tab clean up in the samba file context file -- Changes to the samba policy module and relevant dependencies -- Tab clean up in the sambagui file context file -- Changes to the sambagui policy module -- Initial firewallgui policy module -- Tab clean up in the samhain file context file -- Changes to the samhain policy module -- Tab clean up in the sanlock file context file -- Changes to the sanlock policy module and relevant dependencies -- Tab clean up in the sasl file context file -- Changes to the sasl policy module -- 
Chnages to the sblim policy module -- Tab clean up in the screen file context file -- Changes to the screen policy module -- Tab clean up in the sectoolm file context file -- Changes to firewallgui policy module -- Changes to the sectoolm policy module -- Tab clean up in the sendmail file context file -- Changes to the sendmail policy module and relevant dependencies -- Tab clean up in the setroubleshoot file context file -- Changes to the setroubleshoot policy module -- Tab clean up in the shorewall file context file -- Changes to the shorewall policy module -- Tab clean up in the shutdown file context file -- Changes to the shutdown policy module and relevant dependencies -- Tab clean up in the slocate file context file -- Changes to the slocate policy module and relevant dependencies -- These domains transition to shutdown domain now so they no longer need -- direct access -- Re-add missing network rule in screen policy module -- fail2ban server sets scheduler -- shutdown XML clean up -- libvirtd sets kernel scheduler -- mongod reads cpuinfo_max_freq -- Changes to the slrnpull policy module -- Tab clean up in the smartmon file context file -- Changes to the smartmon policy module -- Tab clean up in the smokeping file context file -- Changes to the smokeping policy module -- Tab clean up in the smoltclient file context file -- Changes to the smoltclient policy module -- Tab clean up in the snmp file context file -- Changes to the snmp policy module -- Tab clean up in the snort file context file -- Changes to the snort policy module -- Changes to the sosreport policy module and relevant dependencies -- Tab clean up in the soundserver file context file -- Changes to the soundserver policy module -- Tab clean up in the spamassassin file context file -- Changes to the spamassassin policy module and relevant dependendies -- spamassassin_role callers create ~/.spamd with the spamd_home_t user -- home type instead -- Re-add sys_admin capability that was lost with 
porting from Fedora -- Move mailscanner content to mailscanner module -- Changes to the speedtouch policy module -- Tab clean up in the squid file context file -- Changes to the squid policy module -- Changes to the sssd policy module -- Tab clean up in the stunnel file context file -- Changes to the stunnel policy module -- Tab clean up in the sxid file context file -- Changes to the sxid policy module -- Tab clean up in the sysstat file context file -- Changes to the sysstat policy module -- Tab clean up in the tcpd file context file -- Changes to the tcpd policy module -- Changes to the tcsd policy module -- Tab clean up in the telepathy file context file -- Changes to the telepathy policy module -- Tab clean up in the telnet file context file -- Changes to the telnet policy module -- Tab clean up in the tftp file context file -- Changes to the tftp policy module -- Tab clean up in the tgtd file context file -- Changes to the tgtd policy module -- Tab clean up in the thunderbird file context file -- Changes to the thunderbird policy module -- Catch /var/log/cron directory as well -- Dovecot module version bump for fixes by Sven Vermeulen -- Portage module version bump for fixes by Sven Vermeulen -- Cron module version bump for fixes by Sven Vermeulen -- Changes to the exim policy module -- Entropyd reads /proc/meminfo -- Blueman reads tmp_t directories -- Do not audit attempts by cups config to read tmp_t directories -- Do not audit attempts by fail2ban to read tmp_t directories -- Do not audit attempts by firewalld to read tmp_t directories -- Gnomeclock reads urandom and realtime clock -- Kdumpctl needs sys_chroot capability -- Various kdumpgui fixes from Fedora -- Do not audit attempts by logwatch to read tmp_t directories -- Catch all alias files -- Refine aliases file transition with names -- Realmd dbus chat policykit and networkmanager from Fedora -- Do not audit attempts by tuned to read tmp_t directories -- Changes to the timidity policy module -- Tab 
clean up in the tmpreaper file context file -- Changes to the tmpreaper policy module and relevant dependencies -- Tab clean up in the tor file context file -- Changes to the tor policy module -- Changes to the transproxy policy module -- Tab clean up in the tripwire file context file -- Changes to the tripwire policy module -- Tab clean up in the tuned file context file -- Changes to the tuned policy module -- Tab clean up in the tvtime file context file -- Changes to the tvtime policy module -- Changes to the tzdata policy module -- Changes to the ucspitcp policy module -- Tab clean up in the ulogd file context file -- Changes to the ulogd policy module -- Tab clean up in the uml file context file -- Changes to the uml policy module -- Make it so that irc clients can also get attributes of cifs, nfs, fuse -- and other file systems -- Changes to the updfstab policy module -- Changes to the uptime policy module -- Tab clean up in the usbmodules file context file -- Changes to the usbmodule policy module -- Changes to the usbmuxd policy module -- Tab clean up in the userhelper file context file -- Screen sends child terminated signals to all interactive fd domains -- Changes to the userhelper policy module and relevant dependencies -- Changes to the virt policy module -- Module version bump for fail2ban changes by Sven Vermeulen -- Changes to the rpm policy module -- fix smartmon init script file context specification -- Changes to the usernetctl policy module -- Tab clean up in the uucp file context file -- Changes to the uucp policy module -- Changes to the virt policy module -- Tab clean up in the uuid file context file -- Changes to the uuidd policy module -- Tab clean up in the uwimap file context file -- Changes to the uwimap policy module -- Tab clean up in the varnishd file context file -- Changes to the varnishd policy module -- Changes to the vbetool policy module -- Tab clean up in the vdagent file context file -- Changes to the vdagent policy module -- 
Tab clean up in the vhostmd file context file -- Changes to the vhostmd policy module -- Changes to the vlock policy module -- Tab clean up in the vmware file context file -- Changes to the vmware policy module -- Tab clean up in the vnstatd file context file -- Changes to the vnstatd policy module -- Tab clean up in the vpn file context file -- Changes to the vpnc policy module -- Tab clean up in the w3c file context file -- Changes to the w3c policy module -- Tab clean up in the watchdog file context file -- Changes to the watchdog policy module -- Changes to the wdmd policy module -- Changes to the webadm policy modules -- Changes to the webalizer policy module -- White space fix in apache policy module -- Changes to the wine policy module -- Tab clean up in the wireshark file context file -- Changes to the wireshark policy module -- Tab clean up in the wm file context file -- Changes to the wm policy module -- Changes to the inn policy module -- Move man cache file type to miscfiles -- Changes to the inn policy module -- More accurate dbadm boolean descriptions -- mysql_admin() has access to ~/.my.cnf files -- Tab clean up in the xen file context file -- Changes to the xen policy module and relevant dependencies -- Tab clean up in the xfs file context file -- Changes to the xfs policy module -- Changes to the xguest policy module and relevant dependencies -- Changes to the xprint policy module -- Changes to the xscreensaver policy module -- Tab clean up in the yam file context file -- Changes to the yam policy module -- Tab clean up in the zabbix file context file -- Changes to the zabbix policy module -- Tab clean up in the zarafa file context file -- Changes to the zarafa policy module -- Tab clean up in the zebra file context file -- Changes to the zebra policy module -- Changes to the zosremote policy module -- Changes to the mysql policy module -- Tab clean up in the pulseaudio file context file -- Changes to the pulseaudio policy module and relevant 
dependencies -- Changes to the pulseaudio policy module -- One chown too many -- Changes to the mplayer policy module -- The prelink cron script now runs in its own domain -- Initial smstools policy module -- Initial openvswitch policy module and relevant dependencies -- Reads pcsd pid files -- Reads random device -- winbind manages smbd pid sock files from Fedora -- Changes to the bind policy module -- CG rules daemon reads all sysctls -- Runs consoletype and searches nfs state data from Fedora -- Support munin unbound plugin from Fedora -- Zabbix sends signals from Fedora -- Blueman sets scheduler and sends signals from Fedora -- pcscd_read_pub_files is deprecated, use pcscd_read_pid_files instead -- Module version bumps for fixes in portage and virt modules by Sven -- Vermeulen -- Policy module version bumps for various changes by Sven Vermeulen -- Changes to the openvpn policy module -- Module version bumps for various fixes by Sven Vermeulen -- Changes to the mandb policy module -- Changes to the tmpreaper policy module -- Changes to the munin policy module -- Changes to the rngd policy module -- Changes to the awstats policy module and relevant dependencies -- Changes to the apache policy module -- Changes to various policy modules -- Changes to the abrt policy module -- Changes to the passenger policy module and relevant depedencies -- Changes to the pegagus policy module -- Changes to the mta policy module -- Changes to the fetchmail policy module -- Changes to the bitlbee policy module -- Changes to the blueman policy module and relevant dependencies -- Changes to the amavis policy module -- Changes to the userhelper policy module -- Changes to the blueman policy module -- Changes to the squid policy module -- Changes to the sblim policy module -- Changes to the kdumpgui policy module -- Changes to the mailman policy module -- Changes to the realmd policy module -- Changes to the raid policy module -- Changes to the samba policy module -- Changes to the 
various policy modules -- Changes to the snmp policy module -- Changes to the spamassassin policy module -- Changes to the sssd policy module -- Changes to the l2tpd policy module -- Changes to the shorewall policy module -- Changes to the xen policy module -- Changes to the tftp policy modules -- Changes to the accountsd policy module -- Changes to the tgtd policy module -- Changes to the corosync policy module -- Changes to the kdump policy module -- Changes to the openvswitch policy module -- Changes to the mpd policy module -- Changes to the mozilla policy module -- Changes to the zarafa policy module -- Changes to the boinc policy module -- Changes to the setroubleshoot policy module -- Changes to the dspam policy module -- Changes to the rgrmanager policy module and relevant dependencies -- Changes to the svnserve policy module -- Changes to the virt policy module -- Changes to the prelink policy module -- Changes to the apache policy module -- Changes to the gnomeclock policy module -- Changes to various policy modules -- Changes to the pegagus policy module -- Changes to the shorewall policy module -- Changes to the kerberos policy module -- Changes to the rhcs policy module -- Changes to the irc policy module -- Changes to the clamav policy module -- Changes to the mrtg policy module -- Changes to the munin policy module -- Changes to the amavis policy module -- Changes to the ppp policy module -- Initial jockey policy module -- Module version bumps for "several named transition for directories -- created in /var/run by initscripts" in various modules by Laurent -- Bigonville -- Module version bumps for fixes in various modules by Laurent Bigonville -- Module version bump for changes to the consolekit policy module by -- Laurent Bigonville -- Changes to the stunnel policy module -- Module version bumps for fixes in various modules by Sven Vermeulen -- Changes to the virt policy module -- Changes to the apache policy module -- Changes to the wm policy 
module -- Changes to the samba policy module -- Changes to the certmonger policy module -- Changes to the mozilla policy module -- Changes to the corosync policy module -- Changes to the pacemaker policy module -- Changes to the tuned policy module -- Changes to the cups module and relevant dependencies -- Changes to the rhsmcertd policy module -- Changes to the lpd policy module -- Changes to the munin policy module -- Changes to the ntp policy module -- Changes to the tor policy module -- Changes to the firewalld policy module -- Changes to the dspam policy module -- Changes to the setroubleshoot policy module -- Changes to the condor policy module -- Changes to the kerberos policy module -- Changes to the passenger policy module -- Changes to the ppp policy module -- Changes to the the dkim policy module -- Changes to the abrt policy module -- Changes to the lircd policy module -- Changes to the dkim policy module -- Changes to the virt policy module -- Changes to the munin policy module -- Changes to the dovecot policy module -- Changes to the cobbler policy module -- Changes to the userhelper policy module -- Changes to the logwatch policy module -- Changes to the wdmd policy module and relevant dependencies -- Changes to the nscd policy module and relevant dependencies -- Changes to the dbus policy module -- Module version bumps for fixes in various policy modules by Laurent -- Bigonville -- Changes to the cups policy module -- Changes to the dbus policy module -- Changes to the apcupsd policy module -- Remove redundant net_bind_service capabilities in various modules -- Changes to the virt policy module -- Changes to the puppet policy module -- Module version bumps for fixes in various policy module by Sven -- Vermeulen -- Module version bumps for file context fixes in various policy modules by -- Laurent Bigonville -- Make httpd_manage_all_user_content() do what it advertises -- Add more networking rules to mplayer policy module for compatibility -- Fix 
fcronsighup file context. Should be crontab_exec_t as per previous -- spec -- Module version bumps for changes in various modules by Sven Vermeulen -- Move asterisk_exec() and modify XML header -- Consolekit creates /var/run/console directories with a type transition -- unconditionally -- Module version bump in consolekit policy module for changes by Sven -- Vermeulen -- The imaplogin executable file should be courier_pop_exec_t according to -- existing file context specification -- Module version bump for changes to the fail2ban policy module by Sven -- Vermeulen -- Modules version bumps for changes in various policy modules by Sven -- Vermeulen -- --Laurent Bigonville (28): -- Add Debian locations for Telepathy connection managers -- Label telepathy-rakia as telepathy-sofiasip -- Allow smartd daemon to write in /var/lib/smartmontools directory -- Add Debian location for smartd daemon initscript -- Add Debian location for accounts-daemon daemon -- Add Debian location for rtkit-daemon daemon -- Add Debian location for tcsd init script -- Add Debian location for libvirtd init script -- Add Debian location for evolution executables -- Add Debian locationis for nut executables and configuration files -- Add several named transition for directories created in /var/run by -- initscripts -- Run packagekit under apt_t context on Debian distribution -- Add proper label for colord daemon in debian -- Allow the system dbus to search cgroup directories -- Allow virtd_t context to read sysctl_crypto_t -- Allow colord_t context to read sysctl_crypto_t -- Add proper label for gconfd-2 daemon in Debian -- Ensure that consolekit can create /var/run/console directory on Debian -- Properly label nm-dispatcher.action on Debian -- policykit.fc: Properly label polkit-agent-helper-1 on Debian -- cups.fc: Properly label cups-pk-helper-mechanism on Debian -- Allow pcscd the fsetid capability -- Allow networkmanager_t to read crypto_sysctl_t -- Allow virsh_t context to read sysctl_crypto_t 
-- Allow cupsd_t to read cupsd_log_t -- gnomeclock.fc: Properly label gsd-datetime-mechanism in Debian -- ptchown.fc: Properly label pt_chown executable in Debian -- Label /usr/bin/kvm as qemu_exec_t -- --Matthew Thode (2): -- added autofs support and nsswitch support -- removing refrences to named_var_lib_t as it doesn't exist anymore for -- bind.if -- --Mika Pflüger (3): -- Allow saslauthd_t to talk to mysqld via TCP -- Quota policy adjustments: * Allow quota_t to load kernel modules -- Debian locations for dovecot deliver and dovecot auth. -- --Russell Coker (1): -- Fix djbdns ports -- --Sven Vermeulen (75): -- Update with new substitutions -- Mark the pid directory as a pid directory -- Add in transitions for queue types when the queues are created -- Fix typo in interface postfix_exec_postqueue -- Allow maildelivery to use dotlock files in the mail spool -- Allow postfix local to change ownership of mailfiles -- Use libexec location for postfix binaries -- Allow initrc_t to create run dirs for contrib modules -- Update logwatch location in file context -- Sandbox is an inherent part of the portage inner workings -- Fix startup issue with fail2ban-client -- Be able to get output from fail2ban-client -- Ignore searches when ran from the user home directory -- Shorewall admins execute shorewall too -- Shorewall needs sys_admin capability for manipulating network stack -- Be able to display dovecot errors -- Remove transition to ldconfig -- Adding interfaces for handling cron log files -- Fail2ban client checks state of log files before telling the server -- Support mysql init script -- Support initial creation of mysql database files -- Portage fetch domain needs to access certificates -- Make samba domtrans optional in virt -- Fix typo in tunable declaration for fcron_crond -- Introducing cron_manage_log_files interface -- Introduce dontaudit interfaces for leaked fd and unix stream sockets -- Dontaudit attempts by system_mail_t to use leaked fd or stream 
sockets -- Support at service -- Additional postfix admin requirements -- Reintroduce postfix_var_run_t for pid directory and fowner capability -- Postfix deferred queue should not mark mails as postfix_spool_maildrop_t -- Running qemu with SDL support requires more xserver-related privileges -- Fix typo in clockspeed comment -- Support openvpn status file -- Asterisk voicemail messages are generated from tmp -- Make rtkit calls optional -- Gentoo installs dovecot certs in /etc/ssl/dovecot -- Moving sandbox code to sandbox section (v2) -- Allow sandbox to log violations -- Use rw_fifo_file_perms -- Apache should not depend on gpg -- Named init script creates rundir -- Add ~/.maildir as a valid maildir destination -- Support stunnel_read_config for startup -- Updates on stunnel policy -- More .maildir fixes -- Mark make.profile entry as portage_conf_t (v2) -- Move mta call (coding style) -- Changes to puppet domain -- Allow rpc admin to run exportfs -- Grant sys_admin capability to puppet -- Puppet module helper scripts are puppet_var_lib_t -- Support netlink_route_socket creation for puppet -- Puppet initscript creates /run/puppet -- Puppet runs statfs against selinuxfs -- mplayer streams HTTP resources -- fcron and fcronsighup binaries are moved -- Asterisk needs to search through logs -- Denial in mail log on node bind -- Fix typo in mcelog_admin (missing bracket) -- Add in contexts for fcron rm.systab and systab.tmp -- Remove pulseaudio filename_trans conflict -- Allow asterisk admins to execute asterisk binary directly -- Support tagfiles for consolekit -- ConsoleKit needs to read the dbus machine-id -- File context updates for courier-imap -- Update on file contexts for OpenLDAP -- Update on file contexts for wpa_supplicant -- Allow IRC clients to read certificates -- Allow reading /proc/self for fail2ban due to FAM support -- Update file contexts for puppet -- Support ~/.tmux.conf as tmux configuration file -- Add setuid/setgid capability to ulogd_t -- 
Support tmux control socket -- Postfix creates defer(red) queue locations -- diff --git a/abrt.fc b/abrt.fc -index 1a93dc5..b5f4f9a 100644 +index e4f84de..b5f4f9a 100644 --- a/abrt.fc +++ b/abrt.fc -@@ -1,31 +1,48 @@ +@@ -1,30 +1,48 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) @@ -1108,7 +31,6 @@ index 1a93dc5..b5f4f9a 100644 -/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) -/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0) --/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0) +/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) +/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) + @@ -1646,16 +568,16 @@ index 058d908..cf17e67 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..1dc58bb 100644 +index cc43d25..1dc58bb 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ --policy_module(abrt, 1.4.1) +-policy_module(abrt, 1.3.4) +policy_module(abrt, 1.2.0) ######################################## # -@@ -6,118 +6,134 @@ policy_module(abrt, 1.4.1) +@@ -6,105 +6,134 @@ policy_module(abrt, 1.3.4) # ## @@ -1673,23 +595,18 @@ index eb50f07..1dc58bb 100644 ## -##

--## Determine whether abrt-handle-upload --## can modify public files used for public file --## transfer services in /var/spool/abrt-upload/. +-## Determine whether ABRT can run in +-## the abrt_handle_event_t domain to +-## handle ABRT event scripts. -##

+##

+## Allow abrt-handle-upload to modify public files +## used for public file transfer services in /var/spool/abrt-upload/. +##

- ##
- gen_tunable(abrt_upload_watch_anon_write, true) - - ## --##

--## Determine whether ABRT can run in --## the abrt_handle_event_t domain to --## handle ABRT event scripts. --##

++##
++gen_tunable(abrt_upload_watch_anon_write, true) ++ ++## +##

+## Allow ABRT to run in abrt_handle_event_t domain +## to handle ABRT event scripts @@ -1801,15 +718,13 @@ index eb50f07..1dc58bb 100644 +abrt_basic_types_template(abrt_watch_log) init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t) --type abrt_upload_watch_t, abrt_domain; --type abrt_upload_watch_exec_t; -+# Support for abrt-upload-watch -+abrt_basic_types_template(abrt_upload_watch) - init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) -') ++# Support for abrt-upload-watch ++abrt_basic_types_template(abrt_upload_watch) ++init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t) ++ +type abrt_upload_watch_tmp_t; +files_tmp_file(abrt_upload_watch_tmp_t) @@ -1841,7 +756,7 @@ index eb50f07..1dc58bb 100644 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) -@@ -125,23 +141,30 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +@@ -112,23 +141,30 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -1874,7 +789,7 @@ index eb50f07..1dc58bb 100644 kernel_request_load_module(abrt_t) kernel_rw_kernel_sysctl(abrt_t) -@@ -150,16 +173,14 @@ corecmd_exec_shell(abrt_t) +@@ -137,16 +173,14 @@ corecmd_exec_shell(abrt_t) corecmd_read_all_executables(abrt_t) corenet_all_recvfrom_netlabel(abrt_t) @@ -1893,7 +808,7 @@ index eb50f07..1dc58bb 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -176,29 +197,43 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +197,43 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) 
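Review bot: `++gen_tunable(abrt_upload_watch_anon_write, true)` re-adds the tunable with its default switched on, so the abrt-upload-watch domain receives `miscfiles_manage_public_files` out of the box even though the description block right above calls it an opt-in for the public file-transfer spool. Refpolicy convention is that tunables default to false and the administrator enables them; suggest `gen_tunable(abrt_upload_watch_anon_write, false)` unless Fedora deliberately ships it enabled, in which case the description should state that it is on by default. The same hunk declares the domain via `abrt_basic_types_template(abrt_upload_watch)` and `init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)`, while the abrt.fc hunk earlier in this chunk no longer touches the `/usr/sbin/abrt-upload-watch` entry, so whether an fc line labels the binary `abrt_upload_watch_exec_t` on the new side cannot be told from here; without one the daemon would never transition into its domain and this policy would be dead. Worth confirming against the full abrt.fc before merging.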
@@ -1927,9 +842,9 @@ index eb50f07..1dc58bb 100644 +logging_read_syslog_pid(abrt_t) + +auth_use_nsswitch(abrt_t) - -+init_read_utmp(abrt_t) + ++init_read_utmp(abrt_t) + +miscfiles_read_generic_certs(abrt_t) miscfiles_read_public_files(abrt_t) +miscfiles_dontaudit_access_check_cert(abrt_t) @@ -1940,7 +855,7 @@ index eb50f07..1dc58bb 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -206,15 +241,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +241,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -1957,7 +872,7 @@ index eb50f07..1dc58bb 100644 ') optional_policy(` -@@ -222,6 +253,20 @@ optional_policy(` +@@ -209,6 +253,20 @@ optional_policy(` ') optional_policy(` @@ -1978,7 +893,7 @@ index eb50f07..1dc58bb 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,6 +279,11 @@ optional_policy(` +@@ -221,6 +279,11 @@ optional_policy(` ') optional_policy(` @@ -1990,7 +905,7 @@ index eb50f07..1dc58bb 100644 rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) -@@ -243,6 +293,7 @@ optional_policy(` +@@ -230,6 +293,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -1998,7 +913,7 @@ index eb50f07..1dc58bb 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -253,9 +304,21 @@ optional_policy(` +@@ -240,9 +304,21 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -2021,7 +936,7 @@ index eb50f07..1dc58bb 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +329,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +329,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') 
@@ -2036,7 +951,7 @@ index eb50f07..1dc58bb 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +348,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +348,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -2044,7 +959,7 @@ index eb50f07..1dc58bb 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +357,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +357,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -2065,7 +980,7 @@ index eb50f07..1dc58bb 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +378,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +378,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -2092,7 +1007,7 @@ index eb50f07..1dc58bb 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +414,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +414,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -2106,7 +1021,7 @@ index eb50f07..1dc58bb 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +432,11 @@ optional_policy(` +@@ -330,10 +432,11 @@ optional_policy(` ####################################### # 
@@ -2120,7 +1035,7 @@ index eb50f07..1dc58bb 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,46 +455,64 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,46 +455,64 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -2190,7 +1105,7 @@ index eb50f07..1dc58bb 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -413,27 +521,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +521,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -2202,12 +1117,14 @@ index eb50f07..1dc58bb 100644 ####################################### # --# Upload watch local policy +-# Global local policy +# abrt-upload-watch local policy # +-kernel_read_system_state(abrt_domain) +allow abrt_upload_watch_t self:capability { dac_override chown }; -+ + +-files_read_etc_files(abrt_domain) +manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) +manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) +manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) 
@@ -2217,38 +1134,33 @@ index eb50f07..1dc58bb 100644 + +manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t) + - corecmd_exec_bin(abrt_upload_watch_t) - ++corecmd_exec_bin(abrt_upload_watch_t) ++ +dev_read_urand(abrt_upload_watch_t) + +files_search_spool(abrt_upload_watch_t) -+ + +-logging_send_syslog_msg(abrt_domain) +auth_read_passwd(abrt_upload_watch_t) -+ - tunable_policy(`abrt_upload_watch_anon_write',` -- miscfiles_manage_public_files(abrt_upload_watch_t) + +-miscfiles_read_localization(abrt_domain) ++tunable_policy(`abrt_upload_watch_anon_write',` + miscfiles_manage_public_files(abrt_upload_watch_t) +') + +optional_policy(` + dbus_system_bus_client(abrt_upload_watch_t) - ') - - ####################################### - # --# Global local policy ++') ++ ++####################################### ++# +# Local policy for all abrt domain - # - --kernel_read_system_state(abrt_domain) ++# ++ +allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms; +allow abrt_domain abrt_var_run_t:unix_stream_socket connectto; - - files_read_etc_files(abrt_domain) -- --logging_send_syslog_msg(abrt_domain) -- --miscfiles_read_localization(abrt_domain) ++ ++files_read_etc_files(abrt_domain) diff --git a/accountsd.fc b/accountsd.fc index f9d8d7a..0682710 100644 --- a/accountsd.fc @@ -2320,14 +1232,10 @@ index bd5ec9a..a5ed692 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/accountsd.te b/accountsd.te -index 3593510..6e0a894 100644 +index 313b33f..6e0a894 100644 --- a/accountsd.te +++ b/accountsd.te -@@ -1,9 +1,13 @@ --policy_module(accountsd, 1.1.0) -+policy_module(accountsd, 1.0.6) - - gen_require(` +@@ -4,6 +4,10 @@ gen_require(` class passwd all_passwd_perms; ') 
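Review bot: `allow abrt_upload_watch_t self:capability { dac_override chown };` remains on the new side of the abrt-upload-watch local policy, and `dac_override` lets the daemon bypass every DAC permission check rather than only read or search into spool content it does not own. It appears only as context here, so it predates this commit, but combined with the manage rules on `abrt_var_cache_t` and the tunable-gated `miscfiles_manage_public_files(abrt_upload_watch_t)` it makes this the broadest abrt helper in the chunk. Suggest checking whether the recorded denials are satisfied by `dac_read_search` alone and, if so, narrowing the line to `allow abrt_upload_watch_t self:capability { dac_read_search chown };`. Either way a comment such as `# dac_override needed to read upload spool files owned by submitting users -- confirm dac_read_search is not sufficient` would document why the capability is granted.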
@@ -2363,16 +1271,18 @@ index 3593510..6e0a894 100644 fs_getattr_xattr_fs(accountsd_t) fs_list_inotifyfs(accountsd_t) -@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t) +@@ -48,8 +55,9 @@ auth_use_nsswitch(accountsd_t) auth_read_login_records(accountsd_t) auth_read_shadow(accountsd_t) -miscfiles_read_localization(accountsd_t) +init_dbus_chat(accountsd_t) - logging_list_logs(accountsd_t) ++logging_list_logs(accountsd_t) logging_send_syslog_msg(accountsd_t) -@@ -66,9 +73,16 @@ optional_policy(` + logging_set_loginuid(accountsd_t) + +@@ -65,9 +73,16 @@ optional_policy(` ') optional_policy(` @@ -2434,15 +1344,9 @@ index 81280d0..bc4038b 100644 domain_system_change_exemption($1) role_transition $2 acct_initrc_exec_t system_r; diff --git a/acct.te b/acct.te -index 8b9ad83..d538827 100644 +index 1a1c91a..d538827 100644 --- a/acct.te +++ b/acct.te -@@ -1,4 +1,4 @@ --policy_module(acct, 1.6.0) -+policy_module(acct, 1.5.1) - - ######################################## - # @@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t) dev_read_sysfs(acct_t) dev_read_urand(acct_t) @@ -2470,15 +1374,9 @@ index 8b9ad83..d538827 100644 userdom_dontaudit_use_unpriv_user_fds(acct_t) diff --git a/ada.te b/ada.te -index 8d42c97..8ce8f26 100644 +index 8b5ad06..8ce8f26 100644 --- a/ada.te +++ b/ada.te -@@ -1,4 +1,4 @@ --policy_module(ada, 1.5.0) -+policy_module(ada, 1.4.1) - - ######################################## - # @@ -20,7 +20,7 @@ role ada_roles types ada_t; allow ada_t self:process { execstack execmem }; @@ -2539,15 +1437,9 @@ index 3b41be6..97d99f9 100644 afs_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/afs.te b/afs.te -index 90ce637..7726644 100644 +index 6690cdf..7726644 100644 --- a/afs.te +++ b/afs.te -@@ -1,4 +1,4 @@ --policy_module(afs, 1.9.0) -+policy_module(afs, 1.8.2) - - ######################################## - # @@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir }) kernel_rw_afs_state(afs_t) 
@@ -2721,15 +1613,9 @@ index 3b5dcb9..fbe187f 100644 domain_system_change_exemption($1) role_transition $2 aiccu_initrc_exec_t system_r; diff --git a/aiccu.te b/aiccu.te -index 5d2b90e..7564732 100644 +index 72c33c2..7564732 100644 --- a/aiccu.te +++ b/aiccu.te -@@ -1,4 +1,4 @@ --policy_module(aiccu, 1.1.0) -+policy_module(aiccu, 1.0.2) - - ######################################## - # @@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t) corenet_tcp_bind_generic_node(aiccu_t) corenet_tcp_sendrecv_generic_if(aiccu_t) @@ -2766,18 +1652,15 @@ index 5d2b90e..7564732 100644 sysnet_domtrans_ifconfig(aiccu_t) ') diff --git a/aide.fc b/aide.fc -index b2f47de..4b99c25 100644 +index df6e4d0..4b99c25 100644 --- a/aide.fc +++ b/aide.fc -@@ -1,7 +1,6 @@ --/usr/bin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh) - /usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh) - --/var/lib/aide(/.*)? gen_context(system_u:object_r:aide_db_t,mls_systemhigh) -+/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh) +@@ -3,4 +3,4 @@ + /var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh) /var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh) - /var/log/aide\.log.* -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh) +-/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh) ++/var/log/aide\.log.* -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh) diff --git a/aide.if b/aide.if index 01cbb67..94a4a24 100644 --- a/aide.if @@ -2798,15 +1681,9 @@ index 01cbb67..94a4a24 100644 files_list_etc($1) diff --git a/aide.te b/aide.te -index 03831e6..a8e2f01 100644 +index 4b28ab3..a8e2f01 100644 --- a/aide.te +++ b/aide.te -@@ -1,4 +1,4 @@ --policy_module(aide, 1.7.1) -+policy_module(aide, 1.6.1) - - ######################################## - # @@ -10,6 +10,7 @@ attribute_role aide_roles; type aide_t; type aide_exec_t; 
@@ -2875,15 +1752,9 @@ index a2997fa..861cebd 100644 domain_system_change_exemption($1) role_transition $2 aisexec_initrc_exec_t system_r; diff --git a/aisexec.te b/aisexec.te -index 4e4f063..3b5354f 100644 +index 196f7cf..3b5354f 100644 --- a/aisexec.te +++ b/aisexec.te -@@ -1,4 +1,4 @@ --policy_module(aisexec, 1.2.0) -+policy_module(aisexec, 1.1.1) - - ######################################## - # @@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file }) kernel_read_system_state(aisexec_t) @@ -3088,20 +1959,10 @@ index 0000000..a95a4ad +') + diff --git a/alsa.fc b/alsa.fc -index 33d9d31..6620b08 100644 +index 5de1e01..6620b08 100644 --- a/alsa.fc +++ b/alsa.fc -@@ -1,9 +1,5 @@ - HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) - --ifdef(`distro_debian',` --/\.config(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) --') -- - /bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) - - /etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) -@@ -23,4 +19,10 @@ ifdef(`distro_debian',` +@@ -19,4 +19,10 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) /usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) @@ -3114,7 +1975,7 @@ index 33d9d31..6620b08 100644 + +/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0) diff --git a/alsa.if b/alsa.if -index ca8d8cf..cc78465 100644 +index 708b743..cc78465 100644 --- a/alsa.if +++ b/alsa.if @@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',` @@ -3125,7 +1986,7 @@ index ca8d8cf..cc78465 100644 ') ######################################## -@@ -210,68 +211,85 @@ interface(`alsa_relabel_home_files',` +@@ -210,49 +211,85 @@ interface(`alsa_relabel_home_files',` ######################################## ##

@@ -3140,11 +2001,6 @@ index ca8d8cf..cc78465 100644 ## ## -## --## --## Class of the object being created. --## --## --## +# +interface(`alsa_read_lib',` + gen_require(` @@ -3161,43 +2017,40 @@ index ca8d8cf..cc78465 100644 +##
+## ## --## The name of the object being created. +-## Class of the object being created. +## Domain allowed access. ## ## - # --interface(`alsa_home_filetrans_alsa_home',` +-## ++# +interface(`alsa_filetrans_home_content',` - gen_require(` - type alsa_home_t; - ') - -- userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3) ++ gen_require(` ++ type alsa_home_t; ++ ') ++ + userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc") - ') - - ######################################## - ## --## Read Alsa lib files. ++') ++ ++######################################## ++## +## Transition to alsa named content - ## - ## ++## ++## ## --## Domain allowed access. +-## The name of the object being created. +## Domain allowed access. ## ## # --interface(`alsa_read_lib',` +-interface(`alsa_home_filetrans_alsa_home',` +interface(`alsa_filetrans_named_content',` gen_require(` -+ type alsa_home_t; + type alsa_home_t; + type alsa_etc_rw_t; - type alsa_var_lib_t; ++ type alsa_var_lib_t; ') -- files_search_var_lib($1) -- read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) +- userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3) + files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state") + files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm") + files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound") @@ -3206,10 +2059,9 @@ index ca8d8cf..cc78465 100644 + files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa") ') --######################################### -+######################################## + ######################################## ## --## Write Alsa lib files. +-## Read Alsa lib files. +## Execute alsa server in the alsa domain. ## ## @@ -3219,7 +2071,7 @@ index ca8d8cf..cc78465 100644 ##
## # --interface(`alsa_write_lib',` +-interface(`alsa_read_lib',` +interface(`alsa_systemctl',` gen_require(` - type alsa_var_lib_t; @@ -3228,7 +2080,7 @@ index ca8d8cf..cc78465 100644 ') - files_search_var_lib($1) -- write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) +- read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) + systemd_exec_systemctl($1) + allow $1 alsa_unit_file_t:file read_file_perms; + allow $1 alsa_unit_file_t:service manage_service_perms; @@ -3236,16 +2088,10 @@ index ca8d8cf..cc78465 100644 + ps_process_pattern($1, alsa_t) ') diff --git a/alsa.te b/alsa.te -index 4b153f1..e1c91b5 100644 +index cda6d20..e1c91b5 100644 --- a/alsa.te +++ b/alsa.te -@@ -1,4 +1,4 @@ --policy_module(alsa, 1.12.2) -+policy_module(alsa, 1.11.4) - - ######################################## - # -@@ -15,25 +15,32 @@ role alsa_roles types alsa_t; +@@ -15,22 +15,32 @@ role alsa_roles types alsa_t; type alsa_etc_rw_t; files_config_file(alsa_etc_rw_t) @@ -3255,9 +2101,6 @@ index 4b153f1..e1c91b5 100644 type alsa_tmp_t; files_tmp_file(alsa_tmp_t) --type alsa_tmpfs_t; --files_tmpfs_file(alsa_tmpfs_t) -- type alsa_var_lib_t; files_type(alsa_var_lib_t) @@ -3283,7 +2126,7 @@ index 4b153f1..e1c91b5 100644 allow alsa_t self:sem create_sem_perms; allow alsa_t self:shm create_shm_perms; allow alsa_t self:unix_stream_socket { accept listen }; -@@ -46,28 +53,31 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) +@@ -43,6 +53,9 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) can_exec(alsa_t, alsa_exec_t) 
@@ -3293,11 +2136,7 @@ index 4b153f1..e1c91b5 100644 manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) - userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) - --allow alsa_t alsa_tmpfs_t:file manage_file_perms; --fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file) -- +@@ -51,7 +64,13 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) @@ -3311,17 +2150,15 @@ index 4b153f1..e1c91b5 100644 corecmd_exec_bin(alsa_t) --dev_getattr_fs(alsa_t) - dev_read_sound(alsa_t) +@@ -59,7 +78,6 @@ dev_read_sound(alsa_t) dev_read_sysfs(alsa_t) --dev_read_urand(alsa_t) dev_write_sound(alsa_t) -files_read_usr_files(alsa_t) files_search_var_lib(alsa_t) term_dontaudit_use_console(alsa_t) -@@ -80,35 +90,10 @@ init_use_fds(alsa_t) +@@ -72,8 +90,6 @@ init_use_fds(alsa_t) logging_send_syslog_msg(alsa_t) @@ -3330,33 +2167,6 @@ index 4b153f1..e1c91b5 100644 userdom_manage_unpriv_user_semaphores(alsa_t) userdom_manage_unpriv_user_shared_mem(alsa_t) userdom_search_user_home_dirs(alsa_t) - --ifdef(`distro_debian',` -- term_dontaudit_use_unallocated_ttys(alsa_t) -- -- # Gnome 3.4 bug -- dev_associate(alsa_tmpfs_t) -- -- allow alsa_t self:capability kill; -- -- manage_lnk_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) -- files_root_filetrans(alsa_t, alsa_var_lib_t, dir, ".config") -- -- fs_list_tmpfs(alsa_t) -- -- optional_policy(` -- dbus_read_lib_files(alsa_t) -- ') -- -- optional_policy(` -- pulseaudio_run(alsa_t, system_r) -- pulseaudio_tmpfs_content(alsa_tmpfs_t) -- ') --') -- - optional_policy(` - hal_use_fds(alsa_t) - hal_write_log(alsa_t) diff --git a/amanda.fc b/amanda.fc index 7f4dfbc..e5c9f45 100644 --- a/amanda.fc 
@@ -3378,15 +2188,9 @@ index 7f4dfbc..e5c9f45 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index 519051c..f367ba0 100644 +index ed45974..f367ba0 100644 --- a/amanda.te +++ b/amanda.te -@@ -1,4 +1,4 @@ --policy_module(amanda, 1.15.0) -+policy_module(amanda, 1.14.2) - - ####################################### - # @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; roleattribute system_r amanda_recover_roles; @@ -3546,15 +2350,9 @@ index 60d4f8c..18ef077 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff --git a/amavis.te b/amavis.te -index 91fa72a..a95b541 100644 +index ab55ba7..a95b541 100644 --- a/amavis.te +++ b/amavis.te -@@ -1,4 +1,4 @@ --policy_module(amavis, 1.15.0) -+policy_module(amavis, 1.14.3) - - ######################################## - # @@ -39,7 +39,7 @@ type amavis_quarantine_t; files_type(amavis_quarantine_t) @@ -3637,26 +2435,10 @@ index 91fa72a..a95b541 100644 postfix_read_config(amavis_t) postfix_list_spool(amavis_t) ') -diff --git a/amtu.fc b/amtu.fc -index b21a14a..67e5f70 100644 ---- a/amtu.fc -+++ b/amtu.fc -@@ -1,4 +1,5 @@ - /etc/rc\.d/init\.d/amtu -- gen_context(system_u:object_r:amtu_initrc_exec_t,s0) - - /usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0) -+ - /usr/sbin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0) diff --git a/amtu.te b/amtu.te -index 16d0d66..486e9ed 100644 +index c960f92..486e9ed 100644 --- a/amtu.te +++ b/amtu.te -@@ -1,4 +1,4 @@ --policy_module(amtu, 1.3.0) -+policy_module(amtu, 1.2.3) - - ######################################## - # @@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t) files_manage_boot_files(amtu_t) @@ -3742,14 +2524,10 @@ index 14a61b7..21bbf36 100644 +') + diff --git a/anaconda.te b/anaconda.te -index aa44abf..f226596 100644 +index 6f1384c..f226596 100644 --- a/anaconda.te 
+++ b/anaconda.te -@@ -1,9 +1,13 @@ --policy_module(anaconda, 1.7.0) -+policy_module(anaconda, 1.6.1) - - gen_require(` +@@ -4,6 +4,10 @@ gen_require(` class passwd all_passwd_perms; ') @@ -4477,10 +3255,10 @@ index 0000000..cb58319 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..044b13d 100644 +index 550a69e..044b13d 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,214 @@ +@@ -1,161 +1,214 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -4785,7 +3563,7 @@ index 7caefc3..044b13d 100644 -/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) - -/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0) +-/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) 
@@ -4795,7 +3573,6 @@ index 7caefc3..044b13d 100644 -/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0) -/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) @@ -4835,7 +3612,7 @@ index 7caefc3..044b13d 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index f6eb485..fca846b 100644 +index 83e899c..fca846b 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -5000,11 +3777,11 @@ index f6eb485..fca846b 100644 - ') + # privileged users run the script: + domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) -+ -+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) ++ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; ++ + # apache runs the script: + domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) + allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto; 
@@ -5236,10 +4013,12 @@ index f6eb485..fca846b 100644 - dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read and +-## write httpd unix domain stream sockets. +## Allow attempts to read and write Apache +## unix domain stream sockets. +## @@ -5255,12 +4034,10 @@ index f6eb485..fca846b 100644 + ') + + allow $1 httpd_t:unix_stream_socket { getattr read write }; - ') - - ######################################## - ## --## Do not audit attempts to read and --## write httpd unix domain stream sockets. ++') ++ ++######################################## ++## +## Do not audit attempts to read and write Apache +## unix domain stream sockets. ## @@ -5728,11 +4505,31 @@ index f6eb485..fca846b 100644 -######################################## +###################################### ++## ++## Allow the specified domain to read ++## apache system content rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_read_sys_content_rw_files',` ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ ++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++') ++ ++###################################### ## -## Create, read, write, and delete -## httpd system rw content. +## Allow the specified domain to read -+## apache system content rw files. ++## apache system content rw dirs. ## ## ## 
@@ -5742,32 +4539,12 @@ index f6eb485..fca846b 100644 +## # -interface(`apache_manage_sys_rw_content',` -+interface(`apache_read_sys_content_rw_files',` ++interface(`apache_read_sys_content_rw_dirs',` gen_require(` type httpd_sys_rw_content_t; ') - apache_search_sys_content($1) -+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+') -+ -+###################################### -+## -+## Allow the specified domain to read -+## apache system content rw dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`apache_read_sys_content_rw_dirs',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ + list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + 
@@ -5946,18 +4723,16 @@ index f6eb485..fca846b 100644 ## ## ## -@@ -1071,18 +1274,21 @@ interface(`apache_search_sys_scripts',` +@@ -1070,13 +1273,22 @@ interface(`apache_search_sys_scripts',` + ## # interface(`apache_manage_all_user_content',` - gen_require(` -- type httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t; -- type httpd_user_htaccess_t, httpd_user_script_exec_t; +- refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.') +- apache_manage_all_content($1) ++ gen_require(` + attribute httpd_user_content_type, httpd_user_script_exec_type; - ') - -- manage_dirs_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }) -- manage_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }) -- manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }) ++ ') ++ + manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type) + manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type) + manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type) @@ -5974,7 +4749,7 @@ index f6eb485..fca846b 100644 ## ## ## -@@ -1100,7 +1306,8 @@ interface(`apache_search_sys_script_state',` +@@ -1094,7 +1306,8 @@ interface(`apache_search_sys_script_state',` ######################################## ## 
@@ -5984,7 +4759,7 @@ index f6eb485..fca846b 100644 ## ## ## -@@ -1117,10 +1324,29 @@ interface(`apache_read_tmp_files',` +@@ -1111,10 +1324,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -6016,7 +4791,7 @@ index f6eb485..fca846b 100644 ## ## ## -@@ -1133,7 +1359,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1127,7 +1359,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -6025,7 +4800,7 @@ index f6eb485..fca846b 100644 ') ######################################## -@@ -1142,6 +1368,9 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1136,6 +1368,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## ## ##

@@ -6035,7 +4810,7 @@ index f6eb485..fca846b 100644 ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. -@@ -1171,8 +1400,30 @@ interface(`apache_cgi_domain',` +@@ -1165,8 +1400,30 @@ interface(`apache_cgi_domain',` ######################################## ##

@@ -6068,16 +4843,16 @@ index f6eb485..fca846b 100644 ## ## ## -@@ -1189,18 +1440,19 @@ interface(`apache_cgi_domain',` +@@ -1183,18 +1440,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; - attribute httpd_script_domains, httpd_htaccess_type; type httpd_t, httpd_config_t, httpd_log_t; - type httpd_modules_t, httpd_lock_t, httpd_helper_t; -- type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t; +- type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t; - type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t; -- type httpd_initrc_exec_t, httpd_keytab_t; +- type httpd_initrc_exec_t, httpd_suexec_t; + type httpd_modules_t, httpd_lock_t, httpd_bool_t; + type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t; + type httpd_suexec_tmp_t, httpd_tmp_t; @@ -6097,12 +4872,12 @@ index f6eb485..fca846b 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1210,10 +1462,10 @@ interface(`apache_admin',` +@@ -1204,10 +1462,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) - files_search_etc($1) -- admin_pattern($1, { httpd_keytab_t httpd_config_t }) +- admin_pattern($1, { httpd_config_t httpd_keytab_t }) + files_list_etc($1) + admin_pattern($1, httpd_config_t) @@ -6111,7 +4886,7 @@ index f6eb485..fca846b 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1224,9 +1476,141 @@ interface(`apache_admin',` +@@ -1218,9 +1476,141 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -6258,11 +5033,11 @@ index f6eb485..fca846b 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..17c4c9a 100644 +index 1a82e29..17c4c9a 100644 --- a/apache.te 
+++ b/apache.te -@@ -1,300 +1,381 @@ --policy_module(apache, 2.7.2) +@@ -1,297 +1,381 @@ +-policy_module(apache, 2.6.10) +policy_module(apache, 2.4.0) + +# @@ -6760,14 +5535,12 @@ index 6649962..17c4c9a 100644 type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) --type httpd_keytab_t; --files_type(httpd_keytab_t) +type httpd_unit_file_t; +ifdef(`distro_redhat',` + typealias httpd_unit_file_t alias phpfpm_unit_file_t; +') +systemd_unit_file(httpd_unit_file_t) - ++ type httpd_lock_t; files_lock_file(httpd_lock_t) @@ -6794,7 +5567,7 @@ index 6649962..17c4c9a 100644 type httpd_rotatelogs_t; type httpd_rotatelogs_exec_t; init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) -@@ -302,10 +383,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) +@@ -299,10 +383,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) type httpd_squirrelmail_t; files_type(httpd_squirrelmail_t) @@ -6807,7 +5580,7 @@ index 6649962..17c4c9a 100644 type httpd_suexec_exec_t; domain_type(httpd_suexec_t) domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) -@@ -314,9 +393,19 @@ role system_r types httpd_suexec_t; +@@ -311,9 +393,19 @@ role system_r types httpd_suexec_t; type httpd_suexec_tmp_t; files_tmp_file(httpd_suexec_tmp_t) @@ -6829,7 +5602,7 @@ index 6649962..17c4c9a 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -326,12 +415,19 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -323,12 +415,19 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) 
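Review bot: The apache.te hunk still rewrites upstream's `policy_module(apache, 2.6.10)` to `policy_module(apache, 2.4.0)`, while this same commit drops the equivalent version rewrites for accountsd, acct, ada, afs, aiccu, aide, aisexec, alsa, amanda, amavis, amtu, anaconda, apcupsd and apm (their `-@@ -1,4 +1,4 @@` and `-@@ -1,9 +1,13 @@` hunks are removed from the patch). A module version lower than the upstream it is rebased onto misstates which policy the built module tracks and can confuse anyone comparing installed module versions, so either the apache rewrite should be dropped the same way or the patch header should say why apache keeps 2.4.0. The inner hunk is 381 lines on its new side and continues well past this hunk of the outer diff, so I have not checked the rest of it.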
@@ -6849,7 +5622,7 @@ index 6649962..17c4c9a 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -346,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad +@@ -343,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; @@ -6901,7 +5674,7 @@ index 6649962..17c4c9a 100644 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; allow httpd_t self:sock_file read_sock_file_perms; -@@ -381,30 +484,37 @@ allow httpd_t self:shm create_shm_perms; +@@ -378,28 +484,37 @@ allow httpd_t self:shm create_shm_perms; allow httpd_t self:sem create_sem_perms; allow httpd_t self:msgq create_msgq_perms; allow httpd_t self:msg { send receive }; @@ -6926,9 +5699,8 @@ index 6649962..17c4c9a 100644 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t) --allow httpd_t httpd_keytab_t:file read_file_perms; +can_exec(httpd_t, httpd_exec_t) - ++ allow httpd_t httpd_lock_t:file manage_file_perms; files_lock_filetrans(httpd_t, httpd_lock_t, file) 
@@ -6945,7 +5717,7 @@ index 6649962..17c4c9a 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -412,14 +522,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -407,14 +522,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -6967,7 +5739,7 @@ index 6649962..17c4c9a 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -450,140 +567,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +567,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -7041,10 +5813,10 @@ index 6649962..17c4c9a 100644 +# execute perl +corecmd_exec_bin(httpd_t) +corecmd_exec_shell(httpd_t) -+ + +domain_use_interactive_fds(httpd_t) +domain_dontaudit_read_all_domains_state(httpd_t) - ++ +files_dontaudit_search_all_pids(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) -files_read_usr_files(httpd_t) @@ -7207,7 +5979,7 @@ index 6649962..17c4c9a 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +745,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +745,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -7267,7 +6039,7 @@ index 6649962..17c4c9a 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +797,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +797,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') 
@@ -7358,7 +6130,7 @@ index 6649962..17c4c9a 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +844,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +844,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -7439,7 +6211,7 @@ index 6649962..17c4c9a 100644 ') optional_policy(` -@@ -749,24 +897,32 @@ optional_policy(` +@@ -744,24 +897,32 @@ optional_policy(` ') optional_policy(` @@ -7478,7 +6250,7 @@ index 6649962..17c4c9a 100644 ') optional_policy(` -@@ -775,6 +931,10 @@ optional_policy(` +@@ -770,6 +931,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') @@ -7489,28 +6261,19 @@ index 6649962..17c4c9a 100644 ') optional_policy(` -@@ -786,35 +946,58 @@ optional_policy(` +@@ -781,34 +946,58 @@ optional_policy(` ') optional_policy(` -- kerberos_manage_host_rcache(httpd_t) -- kerberos_read_keytab(httpd_t) -- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23") -- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48") -- kerberos_use(httpd_t) + tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` + gpg_domtrans_web(httpd_t) + ') - ') - - optional_policy(` -- ldap_stream_connect(httpd_t) ++') ++ ++optional_policy(` + gssproxy_stream_connect(httpd_t) +') - -- tunable_policy(`httpd_can_network_connect_ldap',` -- ldap_tcp_connect(httpd_t) -- ') ++ +optional_policy(` + ipa_search_lib(httpd_t) +') 
@@ -7527,14 +6290,21 @@ index 6649962..17c4c9a 100644 +') + +optional_policy(` -+ kerberos_keytab_template(httpd, httpd_t) + kerberos_keytab_template(httpd, httpd_t) +- kerberos_manage_host_rcache(httpd_t) +- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23") +- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48") + kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23") + kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48") -+') -+ -+optional_policy(` + ') + + optional_policy(` + # needed by FreeIPA -+ ldap_stream_connect(httpd_t) + ldap_stream_connect(httpd_t) +- +- tunable_policy(`httpd_can_network_connect_ldap',` +- ldap_tcp_connect(httpd_t) +- ') + ldap_read_certs(httpd_t) ') @@ -7561,7 +6331,7 @@ index 6649962..17c4c9a 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1005,18 @@ optional_policy(` +@@ -816,8 +1005,18 @@ optional_policy(` ') optional_policy(` @@ -7580,7 +6350,7 @@ index 6649962..17c4c9a 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1025,7 @@ optional_policy(` +@@ -826,6 +1025,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -7588,7 +6358,7 @@ index 6649962..17c4c9a 100644 ') optional_policy(` -@@ -842,20 +1036,40 @@ optional_policy(` +@@ -836,20 +1036,40 @@ optional_policy(` ') optional_policy(` @@ -7635,7 +6405,7 @@ index 6649962..17c4c9a 100644 ') optional_policy(` -@@ -863,19 +1077,35 @@ optional_policy(` +@@ -857,19 +1077,35 @@ optional_policy(` ') optional_policy(` @@ -7671,7 +6441,7 @@ index 6649962..17c4c9a 100644 udev_read_db(httpd_t) ') -@@ -883,65 +1113,173 @@ optional_policy(` +@@ -877,65 +1113,173 @@ optional_policy(` yam_read_content(httpd_t) ') 
@@ -7867,7 +6637,7 @@ index 6649962..17c4c9a 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1288,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1288,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -8022,7 +6792,7 @@ index 6649962..17c4c9a 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1372,106 @@ optional_policy(` +@@ -1077,172 +1372,106 @@ optional_policy(` ') ') @@ -8044,11 +6814,11 @@ index 6649962..17c4c9a 100644 -allow httpd_script_domains self:unix_stream_socket connectto; - -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; -- --append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) --read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +allow httpd_sys_script_t self:process getsched; +-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +- -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) - @@ -8194,8 +6964,7 @@ index 6649962..17c4c9a 100644 -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -dontaudit httpd_sys_script_t httpd_config_t:dir search; -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; - -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; 
@@ -8221,7 +6990,8 @@ index 6649962..17c4c9a 100644 - corenet_sendrecv_pop_client_packets(httpd_sys_script_t) - corenet_tcp_connect_pop_port(httpd_sys_script_t) - corenet_tcp_sendrecv_pop_port(httpd_sys_script_t) -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + - mta_send_mail(httpd_sys_script_t) - mta_signal_system_mail(httpd_sys_script_t) +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` @@ -8259,7 +7029,7 @@ index 6649962..17c4c9a 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1479,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1479,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -8356,7 +7126,7 @@ index 6649962..17c4c9a 100644 ######################################## # -@@ -1321,8 +1554,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1554,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -8373,7 +7143,7 @@ index 6649962..17c4c9a 100644 ') ######################################## -@@ -1330,49 +1570,38 @@ optional_policy(` +@@ -1324,49 +1570,38 @@ optional_policy(` # User content local policy # @@ -8438,7 +7208,7 @@ index 6649962..17c4c9a 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1611,100 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1611,100 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -8665,15 +7435,9 @@ index f3c0aba..cbe3d4a 100644 + files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail") ') diff --git a/apcupsd.te b/apcupsd.te -index 080bc4d..a813b6c 100644 +index b236327..a813b6c 100644 --- a/apcupsd.te +++ b/apcupsd.te -@@ -1,4 +1,4 @@ --policy_module(apcupsd, 1.9.0) -+policy_module(apcupsd, 1.8.4) - - ######################################## - # @@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t) type apcupsd_var_run_t; files_pid_file(apcupsd_var_run_t) 
@@ -8827,15 +7591,9 @@ index 1a7a97e..1d29dce 100644 domain_system_change_exemption($1) role_transition $2 apmd_initrc_exec_t system_r; diff --git a/apm.te b/apm.te -index 7fd431b..1d8a844 100644 +index 3590e2f..1d8a844 100644 --- a/apm.te +++ b/apm.te -@@ -1,4 +1,4 @@ --policy_module(apm, 1.12.0) -+policy_module(apm, 1.11.4) - - ######################################## - # @@ -35,6 +35,9 @@ files_type(apmd_var_lib_t) type apmd_var_run_t; files_pid_file(apmd_var_run_t) @@ -8929,54 +7687,11 @@ index 7fd431b..1d8a844 100644 ') optional_policy(` -diff --git a/apt.fc b/apt.fc -index 7b20801..1fd6888 100644 ---- a/apt.fc -+++ b/apt.fc -@@ -1,11 +1,9 @@ --/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0) -- - ifndef(`distro_redhat',` - /usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0) - /usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0) - /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0) --/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0) - /usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0) -+/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0) - /var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0) - /var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) - ') diff --git a/apt.if b/apt.if -index cde81d2..970736b 100644 +index e2414c4..970736b 100644 --- a/apt.if 
+++ b/apt.if -@@ -21,25 +21,6 @@ interface(`apt_domtrans',` - - ######################################## - ## --## Execute the apt in the caller domain. --## --## --## --## Domain allowed access. --## --## --# --interface(`apt_exec',` -- gen_require(` -- type apt_exec_t; -- ') -- -- corecmd_search_bin($1) -- can_exec($1, apt_exec_t) --') -- --######################################## --## - ## Execute apt programs in the apt domain. - ## - ## -@@ -171,7 +152,7 @@ interface(`apt_read_cache',` +@@ -152,7 +152,7 @@ interface(`apt_read_cache',` files_search_var($1) allow $1 apt_var_cache_t:dir list_dir_perms; @@ -8986,24 +7701,10 @@ index cde81d2..970736b 100644 ') diff --git a/apt.te b/apt.te -index efa8530..d82403c 100644 +index e2d8d52..d82403c 100644 --- a/apt.te +++ b/apt.te -@@ -1,4 +1,4 @@ --policy_module(apt, 1.8.1) -+policy_module(apt, 1.7.5) - - ######################################## - # -@@ -77,15 +77,12 @@ files_var_lib_filetrans(apt_t, apt_var_lib_t, dir) - allow apt_t apt_var_log_t:file manage_file_perms; - logging_log_filetrans(apt_t, apt_var_log_t, file) - --can_exec(apt_t, apt_exec_t) -- - kernel_read_system_state(apt_t) - kernel_read_kernel_sysctls(apt_t) - +@@ -83,7 +83,6 @@ kernel_read_kernel_sysctls(apt_t) corecmd_exec_bin(apt_t) corecmd_exec_shell(apt_t) @@ -9011,14 +7712,7 @@ index efa8530..d82403c 100644 corenet_all_recvfrom_netlabel(apt_t) corenet_tcp_sendrecv_generic_if(apt_t) corenet_tcp_sendrecv_generic_node(apt_t) -@@ -94,45 +91,37 @@ corenet_tcp_sendrecv_all_ports(apt_t) - corenet_sendrecv_all_client_packets(apt_t) - corenet_tcp_connect_all_ports(apt_t) - --dev_list_sysfs(apt_t) - dev_read_urand(apt_t) - - domain_getattr_all_domains(apt_t) +@@ -98,27 +97,24 @@ domain_getattr_all_domains(apt_t) domain_use_interactive_fds(apt_t) files_exec_usr_files(apt_t) 
@@ -9044,22 +7738,10 @@ index efa8530..d82403c 100644 sysnet_read_config(apt_t) -userdom_use_user_terminals(apt_t) -- --optional_policy(` -- backup_manage_store_files(apt_t) --') +userdom_use_inherited_user_terminals(apt_t) optional_policy(` cron_system_entry(apt_t, apt_exec_t) - ') - - optional_policy(` -- dbus_system_domain(apt_t, apt_exec_t) -+ dbus_system_domain(apt_t, apt_exec_t) - ') - - optional_policy(` diff --git a/arpwatch.fc b/arpwatch.fc index 9ca0d0f..9a1a61f 100644 --- a/arpwatch.fc @@ -9134,15 +7816,9 @@ index 50c9b9c..51c8cc0 100644 + allow $1 arpwatch_unit_file_t:service all_service_perms; ') diff --git a/arpwatch.te b/arpwatch.te -index 2d7bf34..fd6911a 100644 +index fa18c76..fd6911a 100644 --- a/arpwatch.te +++ b/arpwatch.te -@@ -1,4 +1,4 @@ --policy_module(arpwatch, 1.11.0) -+policy_module(arpwatch, 1.10.4) - - ######################################## - # @@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t) type arpwatch_var_run_t; files_pid_file(arpwatch_var_run_t) @@ -9203,10 +7879,36 @@ index 2d7bf34..fd6911a 100644 userdom_dontaudit_use_unpriv_user_fds(arpwatch_t) diff --git a/asterisk.if b/asterisk.if -index 2077053..6ffd87d 100644 +index 7268a04..6ffd87d 100644 --- a/asterisk.if +++ b/asterisk.if -@@ -124,16 +124,18 @@ interface(`asterisk_admin',` +@@ -19,6 +19,25 @@ interface(`asterisk_domtrans',` + domtrans_pattern($1, asterisk_exec_t, asterisk_t) + ') + ++###################################### ++## ++## Execute asterisk in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`asterisk_exec',` ++ gen_require(` ++ type asterisk_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, asterisk_exec_t) ++') ++ + ##################################### + ## + ## Connect to asterisk over a unix domain. +@@ -105,9 +124,13 @@ interface(`asterisk_admin',` type asterisk_var_lib_t, asterisk_initrc_exec_t; ') 
@@ -9221,23 +7923,10 @@ index 2077053..6ffd87d 100644 init_labeled_script_domtrans($1, asterisk_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; - allow $2 system_r; - -- asterisk_exec($1) -- - files_list_tmp($1) - admin_pattern($1, asterisk_tmp_t) - diff --git a/asterisk.te b/asterisk.te -index 7e41350..4f8a8a5 100644 +index 5439f1c..4f8a8a5 100644 --- a/asterisk.te +++ b/asterisk.te -@@ -1,4 +1,4 @@ --policy_module(asterisk, 1.12.1) -+policy_module(asterisk, 1.11.3) - - ######################################## - # @@ -19,7 +19,7 @@ type asterisk_log_t; logging_log_file(asterisk_log_t) 
@@ -9247,22 +7936,25 @@ index 7e41350..4f8a8a5 100644 type asterisk_tmp_t; files_tmp_file(asterisk_tmp_t) -@@ -54,12 +54,12 @@ read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) - - manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) - manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) --logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir }) +@@ -52,13 +52,14 @@ allow asterisk_t asterisk_etc_t:dir list_dir_perms; + read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) + read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) + +-append_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) +-create_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) +-setattr_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) ++manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) ++manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) +logging_log_filetrans(asterisk_t, asterisk_log_t, {file dir}) manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) --files_spool_filetrans(asterisk_t, asterisk_spool_t, { dir file }) +files_spool_file(asterisk_t, asterisk_spool_t, {dir file}) manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) -@@ -73,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f +@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) 
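Review bot: The asterisk.te hunk `@@ -52,13 +52,14 @@` keeps upstream's `files_spool_filetrans(asterisk_t, asterisk_spool_t, { dir file })` and still adds `files_spool_file(asterisk_t, asterisk_spool_t, {dir file})` directly below it; if `files_spool_file` is refpolicy's single-parameter interface that marks a type as a spool file type, this call applies it to the asterisk_t domain and m4 silently discards the other two arguments, so the line looks like a stray duplicate that should be dropped now that the filetrans is no longer removed. The same hunk also replaces `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on asterisk_log_t with `manage_dirs_pattern`/`manage_files_pattern`, which lets the daemon unlink, rename and rewrite its own logs rather than only append to them; if that is needed for in-process log rotation, a one-line comment saying so (e.g. `# asterisk rotates its own logs`) would stop the next reviewer from narrowing it back.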
@@ -9276,7 +7968,7 @@ index 7e41350..4f8a8a5 100644 can_exec(asterisk_t, asterisk_exec_t) kernel_read_kernel_sysctls(asterisk_t) -@@ -88,7 +88,6 @@ kernel_request_load_module(asterisk_t) +@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t) corecmd_exec_bin(asterisk_t) corecmd_exec_shell(asterisk_t) @@ -9284,7 +7976,7 @@ index 7e41350..4f8a8a5 100644 corenet_all_recvfrom_netlabel(asterisk_t) corenet_tcp_sendrecv_generic_if(asterisk_t) corenet_udp_sendrecv_generic_if(asterisk_t) -@@ -136,7 +135,6 @@ dev_read_urand(asterisk_t) +@@ -135,7 +135,6 @@ dev_read_urand(asterisk_t) domain_use_interactive_fds(asterisk_t) @@ -9292,11 +7984,8 @@ index 7e41350..4f8a8a5 100644 files_search_spool(asterisk_t) files_dontaudit_search_home(asterisk_t) -@@ -147,11 +145,8 @@ fs_search_auto_mountpoints(asterisk_t) - - auth_use_nsswitch(asterisk_t) +@@ -148,8 +147,6 @@ auth_use_nsswitch(asterisk_t) --logging_search_logs(asterisk_t) logging_send_syslog_msg(asterisk_t) -miscfiles_read_localization(asterisk_t) @@ -9304,16 +7993,6 @@ index 7e41350..4f8a8a5 100644 userdom_dontaudit_use_unpriv_user_fds(asterisk_t) userdom_dontaudit_search_user_home_dirs(asterisk_t) -diff --git a/authbind.te b/authbind.te -index dd9d215..a194e01 100644 ---- a/authbind.te -+++ b/authbind.te -@@ -1,4 +1,4 @@ --policy_module(authbind, 1.3.0) -+policy_module(authbind, 1.2.1) - - ######################################## - # diff --git a/authconfig.fc b/authconfig.fc new file mode 100644 index 0000000..4579cfe @@ -9509,7 +8188,7 @@ index 92adb37..0a2ffc6 100644 /var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0) diff --git a/automount.if b/automount.if -index f24e369..b0bed70 100644 +index 089430a..b0bed70 100644 --- a/automount.if +++ b/automount.if @@ -29,7 +29,6 @@ interface(`automount_domtrans',` 
@@ -9576,11 +8255,10 @@ index f24e369..b0bed70 100644 ## All of the rules required to ## administrate an automount environment. ## -@@ -153,20 +194,21 @@ interface(`automount_admin',` +@@ -153,11 +194,16 @@ interface(`automount_admin',` gen_require(` type automount_t, automount_lock_t, automount_tmp_t; type automount_var_run_t, automount_initrc_exec_t; -- type automount_keytab_t; + type automount_unit_file_t; ') @@ -9595,15 +8273,7 @@ index f24e369..b0bed70 100644 init_labeled_script_domtrans($1, automount_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 automount_initrc_exec_t system_r; - allow $2 system_r; - -- files_list_etc($1) -- admin_pattern($1, automount_keytab_t) -- - files_list_var($1) - admin_pattern($1, automount_lock_t) - -@@ -175,4 +217,8 @@ interface(`automount_admin',` +@@ -171,4 +217,8 @@ interface(`automount_admin',` files_list_pids($1) admin_pattern($1, automount_var_run_t) @@ -9613,35 +8283,16 @@ index f24e369..b0bed70 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index 27d2f40..11dbe9d 100644 +index a579c3b..11dbe9d 100644 --- a/automount.te 
+++ b/automount.te -@@ -1,4 +1,4 @@ --policy_module(automount, 1.14.1) -+policy_module(automount, 1.13.3) - - ######################################## - # -@@ -12,8 +12,8 @@ init_daemon_domain(automount_t, automount_exec_t) - type automount_initrc_exec_t; - init_script_file(automount_initrc_exec_t) - --type automount_keytab_t; --files_type(automount_keytab_t) -+type automount_var_run_t; -+files_pid_file(automount_var_run_t) - - type automount_lock_t; - files_lock_file(automount_lock_t) -@@ -22,15 +22,16 @@ type automount_tmp_t; +@@ -22,12 +22,16 @@ type automount_tmp_t; files_tmp_file(automount_tmp_t) files_mountpoint(automount_tmp_t) --type automount_var_run_t; --files_pid_file(automount_var_run_t) +type automount_unit_file_t; +systemd_unit_file(automount_unit_file_t) - ++ ######################################## # # Local policy @@ -9653,16 +8304,7 @@ index 27d2f40..11dbe9d 100644 dontaudit automount_t self:capability sys_tty_config; allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; allow automount_t self:fifo_file rw_fifo_file_perms; -@@ -39,8 +40,6 @@ allow automount_t self:rawip_socket create_socket_perms; - - can_exec(automount_t, automount_exec_t) - --allow automount_t automount_keytab_t:file read_file_perms; -- - allow automount_t automount_lock_t:file manage_file_perms; - files_lock_filetrans(automount_t, automount_lock_t, file) - -@@ -67,7 +66,6 @@ kernel_dontaudit_search_xen_state(automount_t) +@@ -62,7 +66,6 @@ kernel_dontaudit_search_xen_state(automount_t) corecmd_exec_bin(automount_t) corecmd_exec_shell(automount_t) @@ -9670,7 +8312,7 @@ index 27d2f40..11dbe9d 100644 corenet_all_recvfrom_netlabel(automount_t) corenet_tcp_sendrecv_generic_if(automount_t) corenet_udp_sendrecv_generic_if(automount_t) -@@ -91,6 +89,7 @@ corenet_udp_bind_all_rpc_ports(automount_t) +@@ -86,6 +89,7 @@ corenet_udp_bind_all_rpc_ports(automount_t) files_dontaudit_write_var_dirs(automount_t) files_getattr_all_dirs(automount_t) 
@@ -9678,7 +8320,7 @@ index 27d2f40..11dbe9d 100644 files_getattr_default_dirs(automount_t) files_getattr_home_dir(automount_t) files_getattr_isid_type_dirs(automount_t) -@@ -101,7 +100,6 @@ files_mount_all_file_type_fs(automount_t) +@@ -96,7 +100,6 @@ files_mount_all_file_type_fs(automount_t) files_mounton_all_mountpoints(automount_t) files_mounton_mnt(automount_t) files_read_etc_runtime_files(automount_t) @@ -9686,7 +8328,7 @@ index 27d2f40..11dbe9d 100644 files_search_boot(automount_t) files_search_all(automount_t) files_unmount_all_file_type_fs(automount_t) -@@ -113,6 +111,7 @@ fs_manage_autofs_symlinks(automount_t) +@@ -108,6 +111,7 @@ fs_manage_autofs_symlinks(automount_t) fs_mount_all_fs(automount_t) fs_mount_autofs(automount_t) fs_read_nfs_files(automount_t) @@ -9694,7 +8336,7 @@ index 27d2f40..11dbe9d 100644 fs_search_all(automount_t) fs_search_auto_mountpoints(automount_t) fs_unmount_all_fs(automount_t) -@@ -135,22 +134,24 @@ auth_use_nsswitch(automount_t) +@@ -130,15 +134,18 @@ auth_use_nsswitch(automount_t) logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) @@ -9717,15 +8359,7 @@ index 27d2f40..11dbe9d 100644 fstools_domtrans(automount_t) ') - optional_policy(` -+ kerberos_keytab_template(automount, automount_t) - kerberos_read_config(automount_t) -- kerberos_read_keytab(automount_t) -- kerberos_use(automount_t) - kerberos_dontaudit_write_config(automount_t) - ') - -@@ -166,3 +167,8 @@ optional_policy(` +@@ -160,3 +167,8 @@ optional_policy(` optional_policy(` udev_read_db(automount_t) ') @@ -9747,142 +8381,49 @@ index e9fe2ca..4c2d076 100644 /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0) /usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0) diff --git a/avahi.if b/avahi.if -index 9078c3d..33fe57b 100644 +index aebe7cb..33fe57b 100644 --- a/avahi.if 
+++ b/avahi.if -@@ -21,25 +21,6 @@ interface(`avahi_domtrans',` - +@@ -97,7 +97,7 @@ interface(`avahi_dbus_chat',` ######################################## ## --## Execute avahi init scripts in the --## init script domain. --## --## --## --## Domain allowed to transition. --## --## --# --interface(`avahi_initrc_domtrans',` -- gen_require(` -- type avahi_initrc_exec_t; -- ') -- -- init_labeled_script_domtrans($1, avahi_initrc_exec_t) --') -- --######################################## --## - ## Send generic signals to avahi. + ## Connect to avahi using a unix +-$$ stream socket. ++## stream socket. ## ## -@@ -135,63 +116,6 @@ interface(`avahi_stream_connect',` - - ######################################## - ## --## Create avahi pid directories. --## --## --## --## Domain allowed access. --## --## --# --interface(`avahi_create_pid_dirs',` -- gen_require(` -- type avahi_var_run_t; -- ') -- -- files_search_pids($1) -- allow $1 avahi_var_run_t:dir create_dir_perms; --') -- --######################################## --## --## Set attributes of avahi pid directories. --## --## --## --## Domain allowed access. --## --## --# --interface(`avahi_setattr_pid_dirs',` -- gen_require(` -- type avahi_var_run_t; -- ') -- -- files_search_pids($1) -- allow $1 avahi_var_run_t:dir setattr_dir_perms; --') -- --######################################## --## --## Create, read, and write avahi pid files. --## --## --## --## Domain allowed access. --## --## --# --interface(`avahi_manage_pid_files',` -- gen_require(` -- type avahi_var_run_t; -- ') -- -- files_search_pids($1) -- manage_files_pattern($1, avahi_var_run_t, avahi_var_run_t) --') -- --######################################## --## - ## Do not audit attempts to search - ## avahi pid directories. 
- ## -@@ -211,31 +135,25 @@ interface(`avahi_dontaudit_search_pid',` + ## +@@ -135,6 +135,29 @@ interface(`avahi_dontaudit_search_pid',` ######################################## ## --## Create specified objects in generic --## pid directories with the avahi pid file type. +## Execute avahi server in the avahi domain. - ## - ## - ## --## Domain allowed access. --## --## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. ++## ++## ++## +## Domain allowed to transition. - ## - ## - # --interface(`avahi_filetrans_pid',` ++## ++## ++# +interface(`avahi_systemctl',` - gen_require(` -- type avahi_var_run_t; ++ gen_require(` + type avahi_t; + type avahi_unit_file_t; - ') - -- files_pid_filetrans($1, avahi_var_run_t, $2, $3) ++ ') ++ + systemd_exec_systemctl($1) + allow $1 avahi_unit_file_t:file read_file_perms; + allow $1 avahi_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, avahi_t) - ') - - ######################################## -@@ -258,13 +176,18 @@ interface(`avahi_filetrans_pid',` ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an avahi environment. + ## +@@ -153,12 +176,17 @@ interface(`avahi_dontaudit_search_pid',` interface(`avahi_admin',` gen_require(` type avahi_t, avahi_var_run_t, avahi_initrc_exec_t; @@ -9894,16 +8435,14 @@ index 9078c3d..33fe57b 100644 + allow $1 avahi_t:process signal_perms; ps_process_pattern($1, avahi_t) -- avahi_initrc_domtrans($1) + tunable_policy(`deny_ptrace',`',` + allow $1 avahi_t:process ptrace; + ') + -+ init_labeled_script_domtrans($1, avahi_initrc_exec_t) + init_labeled_script_domtrans($1, avahi_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 avahi_initrc_exec_t system_r; - allow $2 system_r; -@@ -274,4 +197,8 @@ interface(`avahi_admin',` +@@ -169,4 +197,8 @@ interface(`avahi_admin',` files_search_var_lib($1) admin_pattern($1, avahi_var_lib_t) 
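Review bot: The summary on the new `avahi_systemctl` interface, `## Execute avahi server in the avahi domain.`, and its parameter text `## Domain allowed to transition.` describe a domain transition, but the body grants `systemd_exec_systemctl($1)`, read access on `avahi_unit_file_t`, `manage_service_perms` on its service class and `ps_process_pattern($1, avahi_t)`, with no transition into avahi_t. Suggest `## Execute systemctl to manage the avahi service.` and `## Domain allowed access.`, the wording the other plain-access interfaces in this file use, so that anyone auditing which domains may start or stop avahi reads an accurate description.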
@@ -9913,15 +8452,9 @@ index 9078c3d..33fe57b 100644 + allow $1 avahi_unit_file_t:service all_service_perms; ') diff --git a/avahi.te b/avahi.te -index b8355b3..f1f2bcf 100644 +index 60e76be..f1f2bcf 100644 --- a/avahi.te +++ b/avahi.te -@@ -1,4 +1,4 @@ --policy_module(avahi, 1.14.1) -+policy_module(avahi, 1.13.2) - - ######################################## - # @@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t) type avahi_var_run_t; @@ -9980,15 +8513,9 @@ index b8355b3..f1f2bcf 100644 ') diff --git a/awstats.te b/awstats.te -index c1b16c3..116176d 100644 +index d6ab824..116176d 100644 --- a/awstats.te +++ b/awstats.te -@@ -1,4 +1,4 @@ --policy_module(awstats, 1.5.0) -+policy_module(awstats, 1.4.4) - - ######################################## - # @@ -52,8 +52,6 @@ corecmd_exec_shell(awstats_t) dev_read_urand(awstats_t) @@ -10023,54 +8550,10 @@ index c1b16c3..116176d 100644 files_search_var_lib(httpd_awstats_script_t) - -apache_read_log(httpd_awstats_script_t) -diff --git a/backup.fc b/backup.fc -index 349c26f..075621d 100644 ---- a/backup.fc -+++ b/backup.fc -@@ -1,5 +1,4 @@ - /etc/cron\.daily/aptitude -- gen_context(system_u:object_r:backup_exec_t,s0) --/etc/cron\.daily/passwd -- gen_context(system_u:object_r:backup_exec_t,s0) - /etc/cron\.daily/standard -- gen_context(system_u:object_r:backup_exec_t,s0) - - /var/backups(/.*)? gen_context(system_u:object_r:backup_store_t,s0) -diff --git a/backup.if b/backup.if -index fe3f740..894810e 100644 ---- a/backup.if -+++ b/backup.if -@@ -45,23 +45,3 @@ interface(`backup_run',` - backup_domtrans($1) - roleattribute $2 backup_roles; - ') -- --######################################## --## --## Create, read, and write backup --## store files. --## --## --## --## Domain allowed access. --## --## --# --interface(`backup_manage_store_files',` -- gen_require(` -- type backup_store_t; -- ') -- -- files_search_var($1) -- manage_files_pattern($1, backup_store_t, backup_store_t) --') 
diff --git a/backup.te b/backup.te -index 7811450..c10d39c 100644 +index d6ceef4..c10d39c 100644 --- a/backup.te +++ b/backup.te -@@ -1,4 +1,4 @@ --policy_module(backup, 1.6.2) -+policy_module(backup, 1.5.2) - - ######################################## - # @@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t) corecmd_exec_bin(backup_t) corecmd_exec_shell(backup_t) @@ -10101,15 +8584,9 @@ index dcd774e..c240ffa 100644 allow $1 bacula_t:process { ptrace signal_perms }; diff --git a/bacula.te b/bacula.te -index f16b000..a6d4fb0 100644 +index 3beba2f..a6d4fb0 100644 --- a/bacula.te +++ b/bacula.te -@@ -1,4 +1,4 @@ --policy_module(bacula, 1.2.0) -+policy_module(bacula, 1.1.1) - - ######################################## - # @@ -43,16 +43,18 @@ role bacula_admin_roles types bacula_admin_t; # Local policy # @@ -10240,15 +8717,9 @@ index ec95d36..7132e1e 100644 + ') ') diff --git a/bcfg2.te b/bcfg2.te -index c3fd7b1..271b976 100644 +index 536ec3c..271b976 100644 --- a/bcfg2.te +++ b/bcfg2.te -@@ -1,4 +1,4 @@ --policy_module(bcfg2, 1.1.0) -+policy_module(bcfg2, 1.0.1) - - ######################################## - # @@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t) type bcfg2_var_lib_t; files_type(bcfg2_var_lib_t) @@ -10394,7 +8865,7 @@ index 2b9a3a1..750788c 100644 +/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +') diff --git a/bind.if b/bind.if -index 531a8f2..43b445c 100644 +index 866a1e2..43b445c 100644 --- a/bind.if +++ b/bind.if @@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',` 
@@ -10515,13 +8986,12 @@ index 531a8f2..43b445c 100644 ## All of the rules required to ## administrate an bind environment. ## -@@ -362,13 +445,20 @@ interface(`bind_udp_chat_named',` +@@ -362,12 +445,20 @@ interface(`bind_udp_chat_named',` interface(`bind_admin',` gen_require(` type named_t, named_tmp_t, named_log_t; - type named_cache_t, named_zone_t, named_initrc_exec_t; - type dnssec_t, ndc_t, named_conf_t, named_var_run_t; -- type named_keytab_t; + type named_conf_t, named_var_run_t, named_cache_t; + type named_zone_t, named_initrc_exec_t; + type dnssec_t, ndc_t, named_keytab_t; @@ -10541,18 +9011,15 @@ index 531a8f2..43b445c 100644 init_labeled_script_domtrans($1, named_initrc_exec_t) domain_system_change_exemption($1) -@@ -382,7 +472,9 @@ interface(`bind_admin',` - admin_pattern($1, named_log_t) - +@@ -383,11 +474,15 @@ interface(`bind_admin',` files_list_etc($1) -- admin_pattern($1, { named_keytab_t named_conf_t }) -+ admin_pattern($1, named_conf_t) -+ -+ admin_pattern($1, named_keytab_t) + admin_pattern($1, named_conf_t) ++ admin_pattern($1, named_keytab_t) ++ files_list_var($1) admin_pattern($1, { dnssec_t named_cache_t named_zone_t }) -@@ -390,5 +482,7 @@ interface(`bind_admin',` + files_list_pids($1) admin_pattern($1, named_var_run_t) @@ -10562,15 +9029,9 @@ index 531a8f2..43b445c 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..93ffa1d 100644 +index 076ffee..93ffa1d 100644 --- a/bind.te +++ b/bind.te -@@ -1,4 +1,4 @@ --policy_module(bind, 1.13.1) -+policy_module(bind, 1.12.8) - - ######################################## - # @@ -34,7 +34,7 @@ type named_checkconf_exec_t; init_system_domain(named_t, named_checkconf_exec_t) 
@@ -10580,18 +9041,17 @@ index 1241123..93ffa1d 100644 files_mountpoint(named_conf_t) # for secondary zone files -@@ -44,8 +44,8 @@ files_type(named_cache_t) +@@ -44,6 +44,9 @@ files_type(named_cache_t) type named_initrc_exec_t; init_script_file(named_initrc_exec_t) --type named_keytab_t; --files_type(named_keytab_t) +type named_unit_file_t; +systemd_unit_file(named_unit_file_t) - ++ type named_log_t; logging_log_file(named_log_t) -@@ -71,8 +71,9 @@ role ndc_roles types ndc_t; + +@@ -68,8 +71,9 @@ role ndc_roles types ndc_t; # Local policy # @@ -10602,12 +9062,9 @@ index 1241123..93ffa1d 100644 allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; allow named_t self:fifo_file rw_fifo_file_perms; allow named_t self:unix_stream_socket { accept listen }; -@@ -87,11 +88,9 @@ read_lnk_files_pattern(named_t, named_conf_t, named_conf_t) - manage_files_pattern(named_t, named_cache_t, named_cache_t) - manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) +@@ -86,9 +90,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) --allow named_t named_keytab_t:file read_file_perms; -+can_exec(named_t, named_exec_t) + can_exec(named_t, named_exec_t) -append_files_pattern(named_t, named_log_t, named_log_t) -create_files_pattern(named_t, named_log_t, named_log_t) 
@@ -10616,16 +9073,7 @@ index 1241123..93ffa1d 100644 logging_log_filetrans(named_t, named_log_t, file) manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) -@@ -103,8 +102,6 @@ manage_files_pattern(named_t, named_var_run_t, named_var_run_t) - manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t) - files_pid_filetrans(named_t, named_var_run_t, { dir file sock_file }) - --can_exec(named_t, named_exec_t) -- - allow named_t named_zone_t:dir list_dir_perms; - read_files_pattern(named_t, named_zone_t, named_zone_t) - read_lnk_files_pattern(named_t, named_zone_t, named_zone_t) -@@ -115,7 +112,6 @@ kernel_read_network_state(named_t) +@@ -110,7 +112,6 @@ kernel_read_network_state(named_t) corecmd_search_bin(named_t) @@ -10633,7 +9081,7 @@ index 1241123..93ffa1d 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -144,6 +140,7 @@ corenet_tcp_sendrecv_all_ports(named_t) +@@ -139,6 +140,7 @@ corenet_tcp_sendrecv_all_ports(named_t) dev_read_sysfs(named_t) dev_read_rand(named_t) dev_read_urand(named_t) @@ -10641,7 +9089,7 @@ index 1241123..93ffa1d 100644 domain_use_interactive_fds(named_t) -@@ -175,6 +172,15 @@ tunable_policy(`named_write_master_zones',` +@@ -170,6 +172,15 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` @@ -10657,18 +9105,15 @@ index 1241123..93ffa1d 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -187,8 +193,8 @@ optional_policy(` - ') +@@ -183,6 +194,7 @@ optional_policy(` optional_policy(` -- kerberos_read_keytab(named_t) -- kerberos_use(named_t) -+ kerberos_keytab_template(named, named_t) + kerberos_keytab_template(named, named_t) + kerberos_tmp_filetrans_host_rcache(named_t, "DNS_25") ') optional_policy(` -@@ -215,7 +221,8 @@ optional_policy(` +@@ -209,7 +221,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; 
@@ -10678,7 +9123,7 @@ index 1241123..93ffa1d 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -229,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -223,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -10690,7 +9135,7 @@ index 1241123..93ffa1d 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -242,6 +248,9 @@ corenet_tcp_bind_generic_node(ndc_t) +@@ -236,6 +248,9 @@ corenet_tcp_bind_generic_node(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) @@ -10700,7 +9145,7 @@ index 1241123..93ffa1d 100644 domain_use_interactive_fds(ndc_t) files_search_pids(ndc_t) -@@ -257,7 +266,7 @@ init_use_script_ptys(ndc_t) +@@ -251,7 +266,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -10710,15 +9155,9 @@ index 1241123..93ffa1d 100644 userdom_use_user_terminals(ndc_t) diff --git a/bird.te b/bird.te -index 1d60c27..f53b135 100644 +index d4d71ec..f53b135 100644 --- a/bird.te +++ b/bird.te -@@ -1,4 +1,4 @@ --policy_module(bird, 1.1.0) -+policy_module(bird, 1.0.2) - - ######################################## - # @@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t) corenet_tcp_sendrecv_bgp_port(bird_t) @@ -10747,15 +9186,9 @@ index e73fb79..2badfc0 100644 domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff --git a/bitlbee.te b/bitlbee.te -index f5c1a48..48a96b7 100644 +index ac8c91e..48a96b7 100644 --- a/bitlbee.te +++ b/bitlbee.te -@@ -1,4 +1,4 @@ --policy_module(bitlbee, 1.5.0) -+policy_module(bitlbee, 1.4.4) - - ######################################## - # @@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t) allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice }; 
@@ -10840,16 +9273,10 @@ index 16ec525..1dd4059 100644 ######################################## diff --git a/blueman.te b/blueman.te -index 3a5032e..63a4b1d 100644 +index bc5c984..63a4b1d 100644 --- a/blueman.te +++ b/blueman.te -@@ -1,4 +1,4 @@ --policy_module(blueman, 1.1.0) -+policy_module(blueman, 1.0.4) - - ######################################## - # -@@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0) +@@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4) type blueman_t; type blueman_exec_t; @@ -11075,15 +9502,9 @@ index c723a0a..aa3283e 100644 + allow $1 bluetooth_unit_file_t:service all_service_perms; ') diff --git a/bluetooth.te b/bluetooth.te -index 851769e..a4110db 100644 +index 6f09d24..a4110db 100644 --- a/bluetooth.te +++ b/bluetooth.te -@@ -1,4 +1,4 @@ --policy_module(bluetooth, 3.5.0) -+policy_module(bluetooth, 3.4.5) - - ######################################## - # @@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t) type bluetooth_var_run_t; files_pid_file(bluetooth_var_run_t) @@ -11153,7 +9574,7 @@ index 851769e..a4110db 100644 miscfiles_read_fonts(bluetooth_t) miscfiles_read_hwdata(bluetooth_t) -@@ -130,6 +143,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) +@@ -130,8 +143,13 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) userdom_dontaudit_use_user_terminals(bluetooth_t) userdom_dontaudit_search_user_home_dirs(bluetooth_t) @@ -11163,8 +9584,11 @@ index 851769e..a4110db 100644 + optional_policy(` dbus_system_bus_client(bluetooth_t) - dbus_connect_system_bus(bluetooth_t) -@@ -200,7 +217,6 @@ dev_read_urand(bluetooth_helper_t) ++ dbus_connect_system_bus(bluetooth_t) + + optional_policy(` + cups_dbus_chat(bluetooth_t) +@@ -199,7 +217,6 @@ dev_read_urand(bluetooth_helper_t) domain_read_all_domains_state(bluetooth_helper_t) files_read_etc_runtime_files(bluetooth_helper_t) @@ -11415,33 +9839,33 @@ index 02fefaa..fbcef10 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 687d4c4..b326c23 100644 +index 7c92aa1..b326c23 100644 --- a/boinc.te 
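Review bot: The rebased bluetooth.te hunk re-adds `++ dbus_connect_system_bus(bluetooth_t)` directly under `dbus_system_bus_client(bluetooth_t)`, which in refpolicy already establishes the stream connect to system_dbusd_t, so the extra line looks redundant unless the base's dbus_system_bus_client has been narrowed (that interface is not in this diff). If the line is only being carried because the base dropped it, letting the base's removal stand keeps the patch smaller on the next rebase. The enclosing optional_policy block continues outside the hunk.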
+++ b/boinc.te -@@ -1,4 +1,4 @@ --policy_module(boinc, 1.1.1) +@@ -1,11 +1,20 @@ +-policy_module(boinc, 1.0.3) +policy_module(boinc, 1.0.0) ######################################## # -@@ -7,12 +7,14 @@ policy_module(boinc, 1.1.1) - - ## - ##

--## Determine whether boinc can execmem/execstack. -+## Allow boinc_domain execmem/execstack. - ##

- ##
- gen_tunable(boinc_execmem, true) + # Declarations + # -type boinc_t; ++## ++##

++## Allow boinc_domain execmem/execstack. ++##

++##
++gen_tunable(boinc_execmem, true) ++ +attribute boinc_domain; + +type boinc_t, boinc_domain; type boinc_exec_t; init_daemon_domain(boinc_t, boinc_exec_t) -@@ -28,107 +30,122 @@ files_tmpfs_file(boinc_tmpfs_t) +@@ -21,107 +30,122 @@ files_tmpfs_file(boinc_tmpfs_t) type boinc_var_lib_t; files_type(boinc_var_lib_t) @@ -11621,7 +10045,7 @@ index 687d4c4..b326c23 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -137,59 +154,69 @@ init_read_utmp(boinc_t) +@@ -130,55 +154,69 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) @@ -11629,19 +10053,16 @@ index 687d4c4..b326c23 100644 -miscfiles_read_localization(boinc_t) +modutils_dontaudit_exec_insmod(boinc_t) --tunable_policy(`boinc_execmem',` -- allow boinc_t self:process { execstack execmem }; +-optional_policy(` +- mta_send_mail(boinc_t) -') +xserver_stream_connect(boinc_t) optional_policy(` - mta_send_mail(boinc_t) +- sysnet_dns_name_resolve(boinc_t) ++ mta_send_mail(boinc_t) ') --optional_policy(` -- sysnet_dns_name_resolve(boinc_t) --') -- ######################################## # -# Project local policy @@ -11714,15 +10135,9 @@ index 687d4c4..b326c23 100644 + unconfined_domain(boinc_project_t) +') diff --git a/brctl.te b/brctl.te -index c5a9113..6294955 100644 +index bcd1e87..6294955 100644 --- a/brctl.te +++ b/brctl.te -@@ -1,4 +1,4 @@ --policy_module(brctl, 1.7.0) -+policy_module(brctl, 1.6.2) - - ######################################## - # @@ -34,12 +34,9 @@ dev_write_sysfs_dirs(brctl_t) domain_use_interactive_fds(brctl_t) @@ -11797,16 +10212,10 @@ index 1b22262..bf0cefa 100644 + ') ') diff --git a/bugzilla.te b/bugzilla.te -index 18623e3..57f094e 100644 +index 41f8251..57f094e 100644 --- a/bugzilla.te 
+++ b/bugzilla.te -@@ -1,4 +1,4 @@ --policy_module(bugzilla, 1.1.0) -+policy_module(bugzilla, 1.0.4) - - ######################################## - # -@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.1.0) +@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.4) apache_content_template(bugzilla) @@ -12168,11 +10577,11 @@ index 8de2ab9..3b41945 100644 + domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t) ') diff --git a/cachefilesd.te b/cachefilesd.te -index a3760bc..2d9508e 100644 +index 581c8ef..2d9508e 100644 --- a/cachefilesd.te +++ b/cachefilesd.te @@ -1,52 +1,144 @@ --policy_module(cachefilesd, 1.1.0) +-policy_module(cachefilesd, 1.0.1) +############################################################################### +# +# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved. @@ -12352,15 +10761,9 @@ index cd9c528..ba793b7 100644 ') diff --git a/calamaris.te b/calamaris.te -index 7e57460..de28437 100644 +index f4f21d3..de28437 100644 --- a/calamaris.te +++ b/calamaris.te -@@ -1,4 +1,4 @@ --policy_module(calamaris, 1.8.0) -+policy_module(calamaris, 1.7.2) - - ######################################## - # @@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t) corecmd_exec_bin(calamaris_t) @@ -12391,15 +10794,9 @@ index 7e57460..de28437 100644 optional_policy(` diff --git a/callweaver.te b/callweaver.te -index 0e5be4c..44e5b7d 100644 +index 528051e..44e5b7d 100644 --- a/callweaver.te +++ b/callweaver.te -@@ -1,4 +1,4 @@ --policy_module(callweaver, 1.1.0) -+policy_module(callweaver, 1.0.2) - - ######################################## - # @@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t) auth_use_nsswitch(callweaver_t) @@ -12425,15 +10822,9 @@ index 400db07..f416e22 100644 domain_system_change_exemption($1) role_transition $2 canna_initrc_exec_t system_r; diff --git a/canna.te b/canna.te -index 9fe6162..32b7796 100644 +index 4ec0626..32b7796 100644 --- a/canna.te 
+++ b/canna.te -@@ -1,4 +1,4 @@ --policy_module(canna, 1.12.0) -+policy_module(canna, 1.11.1) - - ######################################## - # @@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file }) kernel_read_kernel_sysctls(canna_t) kernel_read_system_state(canna_t) @@ -12493,15 +10884,9 @@ index 5ded72d..cb94e5e 100644 files_search_var_lib($1) admin_pattern($1, ccs_var_lib_t) diff --git a/ccs.te b/ccs.te -index 658134d..476aaa3 100644 +index b85b53b..476aaa3 100644 --- a/ccs.te +++ b/ccs.te -@@ -1,4 +1,4 @@ --policy_module(ccs, 1.6.0) -+policy_module(ccs, 1.5.2) - - ######################################## - # @@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t) allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin }; @@ -12562,15 +10947,9 @@ index fbc20f6..4de4a00 100644 ps_process_pattern($2, cdrecord_t) ') diff --git a/cdrecord.te b/cdrecord.te -index 16883c9..a7555c0 100644 +index 55fb26a..a7555c0 100644 --- a/cdrecord.te +++ b/cdrecord.te -@@ -1,4 +1,4 @@ --policy_module(cdrecord, 2.6.0) -+policy_module(cdrecord, 2.5.2) - - ######################################## - # @@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t) domain_interactive_fd(cdrecord_t) domain_use_interactive_fds(cdrecord_t) @@ -12630,15 +11009,9 @@ index 0c53b18..ef29f6e 100644 domain_system_change_exemption($1) role_transition $2 certmaster_initrc_exec_t system_r; diff --git a/certmaster.te b/certmaster.te -index 4a87873..2b571c7 100644 +index bf82163..2b571c7 100644 --- a/certmaster.te +++ b/certmaster.te -@@ -1,4 +1,4 @@ --policy_module(certmaster, 1.3.0) -+policy_module(certmaster, 1.2.1) - - ######################################## - # @@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t) dev_read_urand(certmaster_t) @@ -12695,15 +11068,9 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..3a07ee5 100644 +index 2354e21..3a07ee5 100644 
--- a/certmonger.te +++ b/certmonger.te -@@ -1,4 +1,4 @@ --policy_module(certmonger, 1.2.0) -+policy_module(certmonger, 1.1.5) - - ######################################## - # @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) type certmonger_var_run_t; files_pid_file(certmonger_var_run_t) @@ -12845,15 +11212,9 @@ index 550b287..3a07ee5 100644 + ') +') diff --git a/certwatch.te b/certwatch.te -index 171fafb..1a4bd9c 100644 +index 403af41..1a4bd9c 100644 --- a/certwatch.te +++ b/certwatch.te -@@ -1,4 +1,4 @@ --policy_module(certwatch, 1.8.0) -+policy_module(certwatch, 1.7.2) - - ######################################## - # @@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t; allow certwatch_t self:capability sys_nice; @@ -13006,15 +11367,9 @@ index a731122..5279d4e 100644 ') + diff --git a/cfengine.te b/cfengine.te -index fbe3ad9..168f01f 100644 +index 8af5bbe..168f01f 100644 --- a/cfengine.te +++ b/cfengine.te -@@ -1,4 +1,4 @@ --policy_module(cfengine, 1.1.0) -+policy_module(cfengine, 1.0.2) - - ######################################## - # @@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t) setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t) logging_log_filetrans(cfengine_domain, cfengine_log_t, dir) @@ -13069,15 +11424,9 @@ index 85ca63f..1d1c99c 100644 admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index 80a88a2..a4c2efb 100644 +index fdee107..a4c2efb 100644 --- a/cgroup.te +++ b/cgroup.te -@@ -1,4 +1,4 @@ --policy_module(cgroup, 1.2.0) -+policy_module(cgroup, 1.1.3) - - ######################################## - # @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) type cgrules_etc_t; files_config_file(cgrules_etc_t) @@ -13746,15 +12095,9 @@ index 32e8265..0de4af3 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index e5b621c..d0c8001 100644 +index 914ee2d..d0c8001 100644 
--- a/chronyd.te +++ b/chronyd.te -@@ -1,4 +1,4 @@ --policy_module(chronyd, 1.2.0) -+policy_module(chronyd, 1.1.4) - - ######################################## - # @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) type chronyd_tmpfs_t; files_tmpfs_file(chronyd_tmpfs_t) @@ -14068,15 +12411,9 @@ index 0000000..f257547 +') + diff --git a/cipe.te b/cipe.te -index a0aa693..9b86dd1 100644 +index 28c8475..9b86dd1 100644 --- a/cipe.te +++ b/cipe.te -@@ -1,4 +1,4 @@ --policy_module(cipe, 1.6.0) -+policy_module(cipe, 1.5.1) - - ######################################## - # @@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t) corecmd_exec_shell(ciped_t) corecmd_exec_bin(ciped_t) @@ -14365,15 +12702,9 @@ index 4cc4a5c..99c5cca 100644 + ') diff --git a/clamav.te b/clamav.te -index ce3836a..c8c9a5a 100644 +index 8e1fef9..c8c9a5a 100644 --- a/clamav.te +++ b/clamav.te -@@ -1,4 +1,4 @@ --policy_module(clamav, 1.11.0) -+policy_module(clamav, 1.10.6) - - ## - ##

@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t) type clamd_initrc_exec_t; init_script_file(clamd_initrc_exec_t) @@ -14514,15 +12845,9 @@ index ce3836a..c8c9a5a 100644 ') diff --git a/clockspeed.te b/clockspeed.te -index d3e2a67..4b8cddc 100644 +index b59c592..4b8cddc 100644 --- a/clockspeed.te +++ b/clockspeed.te -@@ -1,4 +1,4 @@ --policy_module(clockspeed, 1.6.0) -+policy_module(clockspeed, 1.5.1) - - ######################################## - # @@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms; read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t) @@ -14563,15 +12888,9 @@ index d3e2a67..4b8cddc 100644 optional_policy(` daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t) diff --git a/clogd.te b/clogd.te -index 4a5b3d1..685edff 100644 +index 29782b8..685edff 100644 --- a/clogd.te +++ b/clogd.te -@@ -1,4 +1,4 @@ --policy_module(clogd, 1.1.0) -+policy_module(clogd, 1.0.1) - - ######################################## - # @@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t) logging_send_syslog_msg(clogd_t) @@ -15029,15 +13348,9 @@ index cc4e7cb..f348d27 100644 domain_system_change_exemption($1) role_transition $2 cmirrord_initrc_exec_t system_r; diff --git a/cmirrord.te b/cmirrord.te -index bbdd396..e4c023c 100644 +index d8e9958..e4c023c 100644 --- a/cmirrord.te +++ b/cmirrord.te -@@ -1,4 +1,4 @@ --policy_module(cmirrord, 1.1.0) -+policy_module(cmirrord, 1.0.1) - - ######################################## - # @@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t) # Local policy # @@ -15152,15 +13465,9 @@ index c223f81..8b567c1 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 5f306dd..3a38b11 100644 +index 2a71346..3a38b11 100644 --- a/cobbler.te +++ b/cobbler.te -@@ -1,4 +1,4 @@ --policy_module(cobbler, 1.2.0) -+policy_module(cobbler, 1.1.4) - - ######################################## - # 
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) @@ -15864,16 +14171,10 @@ index 6471fa8..f8b4a5b 100644 + +auth_read_passwd(httpd_collectd_script_t) diff --git a/colord.fc b/colord.fc -index 71639eb..22e0385 100644 +index 717ea0b..22e0385 100644 --- a/colord.fc +++ b/colord.fc -@@ -1,11 +1,10 @@ --/usr/lib/colord/colord -- gen_context(system_u:object_r:colord_exec_t,s0) --/usr/lib/colord/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) -- - /usr/lib/[^/]*/colord/colord -- gen_context(system_u:object_r:colord_exec_t,s0) - /usr/lib/[^/]*/colord/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) - +@@ -4,5 +4,7 @@ /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0) /usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) @@ -15935,16 +14236,10 @@ index 8e27a37..825f537 100644 + ps_process_pattern($1, colord_t) +') diff --git a/colord.te b/colord.te -index 9f2dfb2..3547d05 100644 +index 09f18e2..3547d05 100644 --- a/colord.te +++ b/colord.te -@@ -1,4 +1,4 @@ --policy_module(colord, 1.1.0) -+policy_module(colord, 1.0.2) - - ######################################## - # -@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0) +@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2) type colord_t; type colord_exec_t; dbus_system_domain(colord_t, colord_exec_t) @@ -15977,7 +14272,7 @@ index 9f2dfb2..3547d05 100644 manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t) manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) -@@ -74,52 +81,52 @@ dev_read_video_dev(colord_t) +@@ -74,22 +81,21 @@ dev_read_video_dev(colord_t) dev_write_video_dev(colord_t) dev_rw_printer(colord_t) dev_read_rand(colord_t) 
@@ -16004,25 +14299,22 @@ index 9f2dfb2..3547d05 100644 storage_getattr_fixed_disk_dev(colord_t) storage_getattr_removable_dev(colord_t) - storage_read_scsi_generic(colord_t) - storage_write_scsi_generic(colord_t) +@@ -98,25 +104,29 @@ storage_write_scsi_generic(colord_t) --init_read_state(colord_t) -- auth_use_nsswitch(colord_t) --logging_send_syslog_msg(colord_t) +init_read_state(colord_t) ++ + logging_send_syslog_msg(colord_t) -miscfiles_read_localization(colord_t) -+logging_send_syslog_msg(colord_t) ++systemd_read_logind_sessions_files(colord_t) -tunable_policy(`use_nfs_home_dirs',` - fs_getattr_nfs(colord_t) - fs_read_nfs_files(colord_t) -') -+systemd_read_logind_sessions_files(colord_t) - +- -tunable_policy(`use_samba_home_dirs',` - fs_getattr_cifs(colord_t) - fs_read_cifs_files(colord_t) @@ -16035,7 +14327,6 @@ index 9f2dfb2..3547d05 100644 optional_policy(` cups_read_config(colord_t) cups_read_rw_config(colord_t) -- cups_read_state(colord_t) cups_stream_connect(colord_t) cups_dbus_chat(colord_t) + cups_read_state(colord_t) @@ -16048,12 +14339,10 @@ index 9f2dfb2..3547d05 100644 ') optional_policy(` -@@ -135,5 +142,17 @@ optional_policy(` - +@@ -133,3 +143,16 @@ optional_policy(` optional_policy(` udev_read_db(colord_t) -- udev_read_pid_files(colord_t) -+') + ') + +optional_policy(` + xserver_dbus_chat_xdm(colord_t) @@ -16066,17 +14355,11 @@ index 9f2dfb2..3547d05 100644 + +optional_policy(` + zoneminder_rw_tmpfs_files(colord_t) - ') ++') diff --git a/comsat.te b/comsat.te -index c63cf85..88c4f19 100644 +index 3f6e4dc..88c4f19 100644 --- a/comsat.te +++ b/comsat.te -@@ -1,4 +1,4 @@ --policy_module(comsat, 1.8.0) -+policy_module(comsat, 1.7.1) - - ######################################## - # @@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t) kernel_read_network_state(comsat_t) kernel_read_system_state(comsat_t) @@ -16101,18 +14384,16 @@ index c63cf85..88c4f19 100644 mta_getattr_spool(comsat_t) 
diff --git a/condor.fc b/condor.fc -index ad2b696..c4450f7 100644 +index 23dc348..c4450f7 100644 --- a/condor.fc +++ b/condor.fc -@@ -1,6 +1,5 @@ --/etc/condor(/.*)? gen_context(system_u:object_r:condor_conf_t,s0) -- +@@ -1,4 +1,5 @@ /etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0) +/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0) /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) -@@ -10,6 +9,8 @@ +@@ -8,6 +9,8 @@ /usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0) /usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0) @@ -16122,10 +14403,10 @@ index ad2b696..c4450f7 100644 /var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) diff --git a/condor.if b/condor.if -index 881d92f..e979b3d 100644 +index 3fe3cb8..e979b3d 100644 --- a/condor.if +++ b/condor.if -@@ -1,84 +1,396 @@ +@@ -1,81 +1,396 @@ -##

High-Throughput Computing System. + +## policy for condor @@ -16366,15 +14647,10 @@ index 881d92f..e979b3d 100644 # -interface(`condor_admin',` +interface(`condor_read_lib_files',` - gen_require(` -- attribute condor_domain; -- type condor_initrc_exec_config_t, condor_log_t; -- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t; -- type condor_var_run_t, condor_startd_tmp_t, condor_conf_t; ++ gen_require(` + type condor_var_lib_t; - ') - -- allow $1 condor_domain:process { ptrace signal_perms }; ++ ') ++ + files_search_var_lib($1) + read_files_pattern($1, condor_var_lib_t, condor_var_lib_t) +') @@ -16447,10 +14723,15 @@ index 881d92f..e979b3d 100644 +## +# +interface(`condor_read_pid_files',` -+ gen_require(` + gen_require(` +- attribute condor_domain; +- type condor_initrc_exec_config_t, condor_log_t; +- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t; +- type condor_var_run_t, condor_startd_tmp_t; + type condor_var_run_t; -+ ') -+ + ') + +- allow $1 condor_domain:process { ptrace signal_perms }; + files_search_pids($1) + allow $1 condor_var_run_t:file read_file_perms; +') @@ -16478,11 +14759,7 @@ index 881d92f..e979b3d 100644 + ps_process_pattern($1, condor_domain) +') - -- init_labeled_script_domtrans($1, condor_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 condor_initrc_exec_t system_r; -- allow $2 system_r; ++ +####################################### +## +## Read and write condor_startd server TCP sockets. @@ -16498,8 +14775,10 @@ index 881d92f..e979b3d 100644 + type condor_startd_t; + ') -- files_search_etc($1) -- admin_pattern($1, condor_conf_t) +- init_labeled_script_domtrans($1, condor_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 condor_initrc_exec_t system_r; +- allow $2 system_r; + allow $1 condor_startd_t:tcp_socket rw_socket_perms; +') + 
@@ -16564,7 +14843,7 @@ index 881d92f..e979b3d 100644 files_search_var_lib($1) admin_pattern($1, condor_var_lib_t) -@@ -88,4 +400,13 @@ interface(`condor_admin',` +@@ -85,4 +400,13 @@ interface(`condor_admin',` files_search_tmp($1) admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t }) @@ -16579,27 +14858,20 @@ index 881d92f..e979b3d 100644 + ') ') diff --git a/condor.te b/condor.te -index ce9f040..8fb887d 100644 +index 3f2b672..8fb887d 100644 --- a/condor.te +++ b/condor.te -@@ -1,4 +1,4 @@ --policy_module(condor, 1.0.1) -+policy_module(condor, 1.0.0) - - ######################################## - # -@@ -34,8 +34,8 @@ files_tmp_file(condor_startd_tmp_t) +@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t) type condor_startd_tmpfs_t; files_tmpfs_file(condor_startd_tmpfs_t) --type condor_conf_t; --files_config_file(condor_conf_t) +type condor_etc_rw_t; +files_config_file(condor_etc_rw_t) - ++ type condor_log_t; logging_log_file(condor_log_t) -@@ -49,6 +49,9 @@ files_lock_file(condor_var_lock_t) + +@@ -46,6 +49,9 @@ files_lock_file(condor_var_lock_t) type condor_var_run_t; files_pid_file(condor_var_run_t) @@ -16609,7 +14881,7 @@ index ce9f040..8fb887d 100644 condor_domain_template(collector) condor_domain_template(negotiator) condor_domain_template(procd) -@@ -60,12 +63,18 @@ condor_domain_template(startd) +@@ -57,15 +63,21 @@ condor_domain_template(startd) # Global local policy # 
@@ -16624,14 +14896,19 @@ index ce9f040..8fb887d 100644 +allow condor_domain self:udp_socket create_socket_perms; +allow condor_domain self:unix_stream_socket create_stream_socket_perms; +allow condor_domain self:netlink_route_socket r_netlink_socket_perms; - --rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t) ++ +allow condor_domain condor_etc_rw_t:dir list_dir_perms; +rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t) manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t) - manage_files_pattern(condor_domain, condor_log_t, condor_log_t) -@@ -86,16 +95,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) +-append_files_pattern(condor_domain, condor_log_t, condor_log_t) +-create_files_pattern(condor_domain, condor_log_t, condor_log_t) +-getattr_files_pattern(condor_domain, condor_log_t, condor_log_t) ++manage_files_pattern(condor_domain, condor_log_t, condor_log_t) + logging_log_filetrans(condor_domain, condor_log_t, { dir file }) + + manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t) +@@ -83,16 +95,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) allow condor_domain condor_master_t:process signull; allow condor_domain condor_master_t:tcp_socket getattr; 
@@ -16649,18 +14926,19 @@ index ce9f040..8fb887d 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -109,9 +116,7 @@ dev_read_rand(condor_domain) +@@ -106,9 +116,9 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) -logging_send_syslog_msg(condor_domain) -- --miscfiles_read_localization(condor_domain) +auth_read_passwd(condor_domain) - sysnet_dns_name_resolve(condor_domain) +-miscfiles_read_localization(condor_domain) ++sysnet_dns_name_resolve(condor_domain) -@@ -130,7 +135,7 @@ optional_policy(` + tunable_policy(`condor_tcp_network_connect',` + corenet_sendrecv_all_client_packets(condor_domain) +@@ -125,7 +135,7 @@ optional_policy(` # Master local policy # @@ -16669,7 +14947,7 @@ index ce9f040..8fb887d 100644 allow condor_master_t condor_domain:process { sigkill signal }; -@@ -138,6 +143,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) +@@ -133,6 +143,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) @@ -16680,7 +14958,7 @@ index ce9f040..8fb887d 100644 corenet_udp_sendrecv_generic_if(condor_master_t) corenet_udp_sendrecv_generic_node(condor_master_t) corenet_tcp_bind_generic_node(condor_master_t) -@@ -157,6 +166,8 @@ domain_read_all_domains_state(condor_master_t) +@@ -152,6 +166,8 @@ domain_read_all_domains_state(condor_master_t) auth_use_nsswitch(condor_master_t) @@ -16689,7 +14967,7 @@ index ce9f040..8fb887d 100644 optional_policy(` mta_send_mail(condor_master_t) mta_read_config(condor_master_t) -@@ -174,6 +185,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; +@@ -169,6 +185,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; kernel_read_network_state(condor_collector_t) 
@@ -16698,7 +14976,7 @@ index ce9f040..8fb887d 100644 ##################################### # # Negotiator local policy -@@ -183,6 +196,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -178,6 +196,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -16707,15 +14985,17 @@ index ce9f040..8fb887d 100644 ###################################### # # Procd local policy -@@ -192,6 +207,7 @@ allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace +@@ -185,7 +205,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr; - allow condor_procd_t condor_domain:process sigkill; + allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; +-allow condor_procd_t condor_startd_t:process sigkill; ++allow condor_procd_t condor_domain:process sigkill; + + domain_read_all_domains_state(condor_procd_t) - ####################################### -@@ -206,6 +222,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; +@@ -201,6 +222,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; @@ -16724,7 +15004,7 @@ index ce9f040..8fb887d 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -214,6 +232,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -209,6 +232,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) 
@@ -16733,7 +15013,7 @@ index ce9f040..8fb887d 100644 ##################################### # # Startd local policy -@@ -238,11 +258,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -233,11 +258,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -16746,7 +15026,7 @@ index ce9f040..8fb887d 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -254,3 +273,7 @@ optional_policy(` +@@ -249,3 +273,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -17110,15 +15390,9 @@ index 5b830ec..0647a3b 100644 + ps_process_pattern($1, consolekit_t) +') diff --git a/consolekit.te b/consolekit.te -index bd18063..580dff0 100644 +index 5f0c793..580dff0 100644 --- a/consolekit.te +++ b/consolekit.te -@@ -1,4 +1,4 @@ --policy_module(consolekit, 1.9.0) -+policy_module(consolekit, 1.8.4) - - ######################################## - # @@ -19,21 +19,23 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit") @@ -17148,14 +15422,14 @@ index bd18063..580dff0 100644 manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) -@@ -54,42 +56,44 @@ dev_read_sysfs(consolekit_t) +@@ -54,37 +56,36 @@ dev_read_sysfs(consolekit_t) domain_read_all_domains_state(consolekit_t) domain_use_interactive_fds(consolekit_t) -domain_dontaudit_ptrace_all_domains(consolekit_t) -files_read_usr_files(consolekit_t) -+# needs to read /var/lib/dbus/machine-id + # needs to read /var/lib/dbus/machine-id files_read_var_lib_files(consolekit_t) files_search_all_mountpoints(consolekit_t) 
@@ -17168,11 +15442,9 @@ index bd18063..580dff0 100644 auth_use_nsswitch(consolekit_t) auth_manage_pam_console_data(consolekit_t) auth_write_login_records(consolekit_t) --auth_create_pam_console_data_dirs(consolekit_t) --auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console") -+ -+init_read_utmp(consolekit_t) ++init_read_utmp(consolekit_t) ++ logging_send_syslog_msg(consolekit_t) logging_send_audit_msgs(consolekit_t) @@ -17187,25 +15459,17 @@ index bd18063..580dff0 100644 -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(consolekit_t) +-') +userdom_home_reader(consolekit_t) -+ -+optional_policy(` -+ cron_read_system_job_lib_files(consolekit_t) - ') -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(consolekit_t) -+ifdef(`distro_debian',` -+ auth_create_pam_console_data_dirs(consolekit_t) -+ auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console") ++optional_policy(` ++ cron_read_system_job_lib_files(consolekit_t) ') - optional_policy(` -- dbus_read_lib_files(consolekit_t) - dbus_system_domain(consolekit_t, consolekit_exec_t) - - optional_policy(` -@@ -109,13 +113,6 @@ optional_policy(` + ifdef(`distro_debian',` +@@ -112,13 +113,6 @@ optional_policy(` ') ') @@ -17352,15 +15616,9 @@ index 694a037..b836c07 100644 + allow $1 corosync_unit_file_t:service all_service_perms; ') diff --git a/corosync.te b/corosync.te -index d5aa1e4..691ca11 100644 +index eeea48d..691ca11 100644 --- a/corosync.te +++ b/corosync.te -@@ -1,4 +1,4 @@ --policy_module(corosync, 1.1.0) -+policy_module(corosync, 1.0.7) - - ######################################## - # @@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t) type corosync_var_run_t; files_pid_file(corosync_var_run_t) @@ -17453,50 +15711,33 @@ index c086302..5d94628 100644 + +/usr/lib/erlang/lib/couch-.*/priv/couchjs -- gen_context(system_u:object_r:couchdb_js_exec_t,s0) diff --git a/couchdb.if b/couchdb.if -index 715a826..3f0c0dc 100644 +index 83d6744..3f0c0dc 100644 --- a/couchdb.if 
+++ b/couchdb.if -@@ -2,7 +2,7 @@ +@@ -2,6 +2,44 @@ ######################################## ## --## Read couchdb log files. +## Allow to read couchdb log files. - ## - ## - ## -@@ -15,13 +15,13 @@ interface(`couchdb_read_log_files',` - type couchdb_log_t; - ') - -- logging_search_logs($1) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_read_log_files',` ++ gen_require(` ++ type couchdb_log_t; ++ ') ++ + files_search_var_lib($1) - read_files_pattern($1, couchdb_log_t, couchdb_log_t) - ') - - ######################################## - ## --## Read, write, and create couchdb lib files. ++ read_files_pattern($1, couchdb_log_t, couchdb_log_t) ++') ++ ++######################################## ++## +## Allow to read couchdb lib files. - ## - ## - ## -@@ -29,7 +29,7 @@ interface(`couchdb_read_log_files',` - ## - ## - # --interface(`couchdb_manage_lib_files',` -+interface(`couchdb_read_lib_files',` - gen_require(` - type couchdb_var_lib_t; - ') -@@ -40,7 +40,46 @@ interface(`couchdb_manage_lib_files',` - - ######################################## - ## --## Read couchdb config files. -+## All of the rules required to -+## administrate an couchdb environment. +## +## +## @@ -17504,6 +15745,25 @@ index 715a826..3f0c0dc 100644 +## +## +# ++interface(`couchdb_read_lib_files',` ++ gen_require(` ++ type couchdb_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an couchdb environment. + ## +@@ -10,6 +48,151 @@ + ## Domain allowed access. + ## + ## ++# +interface(`couchdb_manage_lib_files',` + gen_require(` + type couchdb_var_lib_t; 
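Review bot: The new couchdb_read_log_files interface on the new side of this hunk uses `files_search_var_lib($1)` as its directory search, so if couchdb_log_t is labeled under /var/log (the .fc is not in this diff) callers without search on var_log_t will still be denied; in that case the body should read `logging_search_logs($1)`. The same substitution appears in couchdb_read_conf_files in the next hunk, where `files_search_etc($1)` would be the expected search for a files_config_file type unless the config really lives under /var/lib. Separately, the comment block that now precedes interface(`couchdb_manage_lib_files') still reads "All of the rules required to administrate an couchdb environment", which describes couchdb_admin rather than this interface; a summary such as `## Manage couchdb lib files.` would match what the body grants.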
@@ -17535,30 +15795,38 @@ index 715a826..3f0c0dc 100644 +######################################## +## +## Allow to read couchdb conf files. - ## - ## - ## -@@ -53,13 +92,13 @@ interface(`couchdb_read_conf_files',` - type couchdb_conf_t; - ') - -- files_search_etc($1) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_read_conf_files',` ++ gen_require(` ++ type couchdb_conf_t; ++ ') ++ + files_search_var_lib($1) - read_files_pattern($1, couchdb_conf_t, couchdb_conf_t) - ') - - ######################################## - ## --## Read couchdb pid files. ++ read_files_pattern($1, couchdb_conf_t, couchdb_conf_t) ++') ++ ++######################################## ++## +## Read couchdb PID files. - ## - ## - ## -@@ -73,19 +112,87 @@ interface(`couchdb_read_pid_files',` - ') - - files_search_pids($1) -- read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_read_pid_files',` ++ gen_require(` ++ type couchdb_var_run_t; ++ ') ++ ++ files_search_pids($1) + allow $1 couchdb_var_run_t:file read_file_perms; +') + @@ -17603,20 +15871,17 @@ index 715a826..3f0c0dc 100644 + manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) + manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t) + manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an couchdb environment. ++') ++ ++######################################## ++## +## Execute couchdb server in the couchdb domain. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain allowed to transition. - ## - ## ++## ++## +# +interface(`couchdb_systemctl',` + gen_require(` @@ -17646,7 +15911,7 @@ index 715a826..3f0c0dc 100644 ## ## ## Role allowed access. -@@ -95,14 +202,19 @@ interface(`couchdb_read_pid_files',` +@@ -19,14 +202,19 @@ # interface(`couchdb_admin',` gen_require(` 
@@ -17667,7 +15932,7 @@ index 715a826..3f0c0dc 100644 init_labeled_script_domtrans($1, couchdb_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 couchdb_initrc_exec_t system_r; -@@ -122,4 +234,13 @@ interface(`couchdb_admin',` +@@ -46,4 +234,13 @@ interface(`couchdb_admin',` files_search_pids($1) admin_pattern($1, couchdb_var_run_t) @@ -17682,15 +15947,9 @@ index 715a826..3f0c0dc 100644 + ') ') diff --git a/couchdb.te b/couchdb.te -index ae1c1b1..509e73c 100644 +index 503adab..509e73c 100644 --- a/couchdb.te +++ b/couchdb.te -@@ -1,4 +1,4 @@ --policy_module(couchdb, 1.1.1) -+policy_module(couchdb, 1.0.2) - - ######################################## - # @@ -27,6 +27,13 @@ files_type(couchdb_var_lib_t) type couchdb_var_run_t; files_pid_file(couchdb_var_run_t) @@ -17773,18 +16032,11 @@ index ae1c1b1..509e73c 100644 -miscfiles_read_localization(couchdb_t) diff --git a/courier.fc b/courier.fc -index 2f017a0..cbecde8 100644 +index 8a4b596..cbecde8 100644 --- a/courier.fc +++ b/courier.fc -@@ -4,24 +4,23 @@ - /usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) - - /usr/sbin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) --/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) - /usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0) - /usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0) +@@ -9,17 +9,18 @@ /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) --/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) /usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) -/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) @@ -17987,15 +16239,9 @@ index 10f820f..acdb179 100644 allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; ') 
diff --git a/courier.te b/courier.te -index ae3bc70..1499c3f 100644 +index 77bb077..1499c3f 100644 --- a/courier.te +++ b/courier.te -@@ -1,4 +1,4 @@ --policy_module(courier, 1.14.0) -+policy_module(courier, 1.13.2) - - ######################################## - # @@ -18,7 +18,7 @@ type courier_etc_t; files_config_file(courier_etc_t) @@ -18074,15 +16320,9 @@ index ae3bc70..1499c3f 100644 ######################################## # diff --git a/cpucontrol.te b/cpucontrol.te -index af72c4e..155a337 100644 +index 2f1aad6..155a337 100644 --- a/cpucontrol.te +++ b/cpucontrol.te -@@ -1,4 +1,4 @@ --policy_module(cpucontrol, 1.4.0) -+policy_module(cpucontrol, 1.3.2) - - ######################################## - # @@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain) init_use_fds(cpucontrol_domain) init_use_script_ptys(cpucontrol_domain) @@ -18117,15 +16357,9 @@ index af72c4e..155a337 100644 -miscfiles_read_localization(cpuspeed_t) +logging_send_syslog_msg(cpuspeed_t) diff --git a/cpufreqselector.te b/cpufreqselector.te -index 6cedb87..7fd7d8f 100644 +index a3bbc21..7fd7d8f 100644 --- a/cpufreqselector.te +++ b/cpufreqselector.te -@@ -1,4 +1,4 @@ --policy_module(cpufreqselector, 1.4.0) -+policy_module(cpufreqselector, 1.3.1) - - ######################################## - # @@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t) # Local policy # @@ -18160,79 +16394,47 @@ index 6cedb87..7fd7d8f 100644 + xserver_dbus_chat_xdm(cpufreqselector_t) +') diff --git a/cron.fc b/cron.fc -index ad0bae9..a665f12 100644 +index 6e76215..a665f12 100644 --- a/cron.fc 
+++ b/cron.fc -@@ -1,66 +1,74 @@ --/etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) - --/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) --/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) -+/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) -+/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +@@ -3,6 +3,9 @@ + /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) + /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) --/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) --/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) +/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0) +/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0) ++ + /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) + /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) + +@@ -12,9 +15,7 @@ + /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) + /usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) --/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) --/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) -+/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) -+/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) - --/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0) --/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0) --/usr/sbin/cron(d)? 
-- gen_context(system_u:object_r:crond_exec_t,s0) --/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) --/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) -+/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0) -+/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0) -+/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0) -+/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) -+/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) - --/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) +-/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) +- +-/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0) +/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0) -+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) - --/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0) --/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) -+/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -+/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -+/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) -+/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) -+/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -+/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0) - --/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) --/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) --/var/run/cron(d)?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) --/var/run/cron(d)?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) --/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) --/var/run/fcron\.pid -- 
gen_context(system_u:object_r:crond_var_run_t,s0) --/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0) -+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) -+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) - --/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) --/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) --/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0) + /var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) + + /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +@@ -27,13 +28,23 @@ + + /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) + /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) +-/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0) + +-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) +/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0) -+#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) -+/var/spool/cron/[^/]* -- <> + #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) + /var/spool/cron/[^/]* -- <> --/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) --#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) --/var/spool/cron/[^/]* -- <> +-/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) +ifdef(`distro_gentoo',` +/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) +/var/spool/cron/lastrun/[^/]* -- <> +') - --/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) ++ +ifdef(`distro_suse', ` +/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) +/var/spool/cron/lastrun/[^/]* -- <> 
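Review bot: The `ifdef(`distro_gentoo',`)` and `ifdef(`distro_suse', `)` blocks for `/var/spool/cron/lastrun` are added here in inner hunk `@@ -27,13 +28,23 @@`, and the same two blocks are still present as retained context in the next hunk (inner `@@ -44,18 +55,20 @@`), so the resulting cron.fc would carry each lastrun specification twice. Identical duplicate specs may draw a "multiple same specifications" warning from setfiles and make a later relabel easy to apply to only one copy; the copy added here looks like a rebase leftover and can be dropped. Separately, retyping `/var/spool/cron -d` from `cron_spool_t` to `user_cron_spool_t` is a policy change rather than a rebase and deserves a sentence of justification in the patch.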
@@ -18243,39 +16445,31 @@ index ad0bae9..a665f12 100644 /var/spool/cron/crontabs/.* -- <> #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) --/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) --/var/spool/fcron/.* <> -+/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) -+/var/spool/fcron/.* <> - /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) --/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) --/var/spool/fcron/systab\.tmp -- gen_context(system_u:object_r:system_cron_spool_t,s0) -+/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +@@ -44,18 +55,20 @@ /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) --/var/spool/fcron/rm\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) ifdef(`distro_debian',` --/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) +-/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) +/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0) + +/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) /var/spool/cron/atjobs/[^/]* -- <> --/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0) +-/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0) +/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0) ') ifdef(`distro_gentoo',` --/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) +-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) +/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) /var/spool/cron/lastrun/[^/]* -- <> ') -ifdef(`distro_suse',` --/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) +-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) +ifdef(`distro_suse', ` +/var/spool/cron/lastrun 
-d gen_context(system_u:object_r:crond_tmp_t,s0) /var/spool/cron/lastrun/[^/]* -- <> --/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) +-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) +/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) ') diff --git a/cron.if b/cron.if @@ -19243,11 +17437,11 @@ index 1303b30..058864e 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 7de3859..439a761 100644 +index 28e1b86..439a761 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ --policy_module(cron, 2.6.3) +-policy_module(cron, 2.5.10) +policy_module(cron, 2.2.1) gen_require(` @@ -19486,7 +17680,7 @@ index 7de3859..439a761 100644 logging_log_filetrans(crond_t, cron_log_t, file) manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) -@@ -237,73 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) +@@ -237,72 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) @@ -19557,7 +17751,7 @@ index 7de3859..439a761 100644 +# Read from /var/spool/cron. files_search_var_lib(crond_t) files_search_default(crond_t) - files_read_all_locks(crond_t) ++files_read_all_locks(crond_t) -mls_fd_share_all_levels(crond_t) +fs_manage_cgroup_dirs(crond_t) @@ -19590,7 +17784,7 @@ index 7de3859..439a761 100644 auth_use_nsswitch(crond_t) logging_send_audit_msgs(crond_t) -@@ -312,41 +250,46 @@ logging_set_loginuid(crond_t) +@@ -311,41 +250,46 @@ logging_set_loginuid(crond_t) seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) @@ -19653,7 +17847,7 @@ index 7de3859..439a761 100644 ') optional_policy(` -@@ -354,118 +297,149 @@ optional_policy(` +@@ -353,102 +297,136 @@ optional_policy(` ') optional_policy(` 
@@ -19751,7 +17945,6 @@ index 7de3859..439a761 100644 allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; + allow system_cronjob_t self:process { signal_perms getsched setsched }; --allow system_cronjob_t self:fd use; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; @@ -19822,10 +18015,7 @@ index 7de3859..439a761 100644 allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; --allow system_cronjob_t crond_tmp_t:file { read write }; -- - kernel_read_kernel_sysctls(system_cronjob_t) - kernel_read_network_state(system_cronjob_t) +@@ -457,11 +435,11 @@ kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) @@ -19838,7 +18028,7 @@ index 7de3859..439a761 100644 corenet_all_recvfrom_netlabel(system_cronjob_t) corenet_tcp_sendrecv_generic_if(system_cronjob_t) corenet_udp_sendrecv_generic_if(system_cronjob_t) -@@ -485,6 +459,7 @@ fs_getattr_all_symlinks(system_cronjob_t) +@@ -481,6 +459,7 @@ fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) @@ -19846,7 +18036,7 @@ index 7de3859..439a761 100644 domain_dontaudit_read_all_domains_state(system_cronjob_t) files_exec_etc_files(system_cronjob_t) -@@ -495,17 +470,20 @@ files_getattr_all_files(system_cronjob_t) +@@ -491,15 +470,19 @@ files_getattr_all_files(system_cronjob_t) files_getattr_all_symlinks(system_cronjob_t) files_getattr_all_pipes(system_cronjob_t) files_getattr_all_sockets(system_cronjob_t) 
@@ -19861,18 +18051,15 @@ index 7de3859..439a761 100644 -mls_file_read_to_clearance(system_cronjob_t) - --init_domtrans_script(system_cronjob_t) --init_read_utmp(system_cronjob_t) init_use_script_fds(system_cronjob_t) +init_read_utmp(system_cronjob_t) +init_dontaudit_rw_utmp(system_cronjob_t) +# prelink tells init to restart it self, we either need to allow or dontaudit +init_telinit(system_cronjob_t) -+init_domtrans_script(system_cronjob_t) + init_domtrans_script(system_cronjob_t) auth_use_nsswitch(system_cronjob_t) - -@@ -516,20 +494,26 @@ logging_read_generic_logs(system_cronjob_t) +@@ -511,20 +494,26 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) @@ -19902,7 +18089,7 @@ index 7de3859..439a761 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -539,27 +523,26 @@ tunable_policy(`cron_can_relabel',` +@@ -534,10 +523,18 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` 
@@ -19914,30 +18101,25 @@ index 7de3859..439a761 100644 + apache_manage_lib(system_cronjob_t) + apache_delete_cache_dirs(system_cronjob_t) + apache_delete_cache_files(system_cronjob_t) ++') ++ ++optional_policy(` ++ bind_read_config(system_cronjob_t) ') optional_policy(` -- cyrus_manage_data(system_cronjob_t) -+ bind_read_config(system_cronjob_t) - ') +@@ -546,10 +543,6 @@ optional_policy(` optional_policy(` -- dbus_system_bus_client(system_cronjob_t) + dbus_system_bus_client(system_cronjob_t) - - optional_policy(` - networkmanager_dbus_chat(system_cronjob_t) - ') -+ cyrus_manage_data(system_cronjob_t) - ') - - optional_policy(` -- devicekit_read_pid_files(system_cronjob_t) -- devicekit_append_inherited_log_files(system_cronjob_t) -+ dbus_system_bus_client(system_cronjob_t) ') optional_policy(` -@@ -591,6 +574,7 @@ optional_policy(` +@@ -581,6 +574,7 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -19945,22 +18127,24 @@ index 7de3859..439a761 100644 ') optional_policy(` -@@ -598,7 +582,23 @@ optional_policy(` +@@ -588,15 +582,23 @@ optional_policy(` ') optional_policy(` +- postfix_read_config(system_cronjob_t) + networkmanager_dbus_chat(system_cronjob_t) -+') -+ -+optional_policy(` - postfix_read_config(system_cronjob_t) + ') + + optional_policy(` ++ postfix_read_config(system_cronjob_t) +') + +optional_policy(` -+ prelink_delete_cache(system_cronjob_t) -+ prelink_manage_lib(system_cronjob_t) -+ prelink_manage_log(system_cronjob_t) -+ prelink_read_cache(system_cronjob_t) + prelink_delete_cache(system_cronjob_t) + prelink_manage_lib(system_cronjob_t) + prelink_manage_log(system_cronjob_t) + prelink_read_cache(system_cronjob_t) +- prelink_relabelfrom_lib(system_cronjob_t) + prelink_relabel_lib(system_cronjob_t) +') + 
@@ -19969,7 +18153,7 @@ index 7de3859..439a761 100644 ') optional_policy(` -@@ -608,6 +608,7 @@ optional_policy(` +@@ -606,6 +608,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -19977,7 +18161,7 @@ index 7de3859..439a761 100644 ') optional_policy(` -@@ -615,12 +616,24 @@ optional_policy(` +@@ -613,12 +616,24 @@ optional_policy(` ') optional_policy(` @@ -20004,7 +18188,7 @@ index 7de3859..439a761 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -628,12 +641,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -626,12 +641,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -20038,7 +18222,7 @@ index 7de3859..439a761 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,84 +674,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -639,84 +674,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) 
@@ -20128,30 +18312,31 @@ index 7de3859..439a761 100644 +# Unconfined cronjobs local policy # --type unconfined_cronjob_t; --domain_type(unconfined_cronjob_t) --domain_cron_exemption_target(unconfined_cronjob_t) -- --dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; + optional_policy(` +- type unconfined_cronjob_t; +- domain_type(unconfined_cronjob_t) +- domain_cron_exemption_target(unconfined_cronjob_t) - --tunable_policy(`cron_userdomain_transition',` -- dontaudit crond_t unconfined_cronjob_t:process transition; -- dontaudit crond_t unconfined_cronjob_t:fd use; -- dontaudit crond_t unconfined_cronjob_t:key manage_key_perms; --',` -+optional_policy(` + # Permit a transition from the crond_t domain to this domain. + # The transition is requested explicitly by the modified crond + # via setexeccon. There is no way to set up an automatic + # transition, since crontabs are configuration files, not executables. - allow crond_t unconfined_cronjob_t:process transition; -+ dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; - allow crond_t unconfined_cronjob_t:fd use; -- allow crond_t unconfined_cronjob_t:key manage_key_perms; -+ -+ unconfined_domain(unconfined_cronjob_t) ++ allow crond_t unconfined_cronjob_t:process transition; + dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; ++ allow crond_t unconfined_cronjob_t:fd use; + + unconfined_domain(unconfined_cronjob_t) +') -+ + +- tunable_policy(`cron_userdomain_transition',` +- dontaudit crond_t unconfined_cronjob_t:process transition; +- dontaudit crond_t unconfined_cronjob_t:fd use; +- dontaudit crond_t unconfined_cronjob_t:key manage_key_perms; +- ',` +- allow crond_t unconfined_cronjob_t:process transition; +- allow crond_t unconfined_cronjob_t:fd use; +- allow crond_t unconfined_cronjob_t:key manage_key_perms; +- ') +############################## +# +# crontab common policy 
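Review bot: On the new side the `tunable_policy(`cron_userdomain_transition', ...)` gate is removed and `allow crond_t unconfined_cronjob_t:process transition;` plus `allow crond_t unconfined_cronjob_t:fd use;` are granted unconditionally inside the `optional_policy` block, so the boolean can no longer switch the crond_t to unconfined_cronjob_t transition off; with `unconfined_domain(unconfined_cronjob_t)` this is the broadest privilege a cron job can obtain, and the loss of the administrative control should either be called out in the patch description or the gate kept. The `allow crond_t unconfined_cronjob_t:key manage_key_perms;` rule from the removed branch is also dropped without replacement; if crond still sets up a keyring for the job this will surface as a denial. Consider keeping the transition under the tunable: `tunable_policy(`cron_userdomain_transition',` `allow crond_t unconfined_cronjob_t:process transition;` `')`.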
@@ -20210,10 +18395,9 @@ index 7de3859..439a761 100644 + # fcron wants an instant update of a crontab change for the administrator + # also crontab does a security check for crontab -u + dontaudit crontab_domain crond_t:process signal; - ') - - optional_policy(` -- unconfined_domain(unconfined_cronjob_t) ++') ++ ++optional_policy(` + ssh_dontaudit_use_ptys(crontab_domain) +') + @@ -20533,15 +18717,9 @@ index b25b01d..e99c5c6 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502..7725178 100644 +index 6ce66e7..7725178 100644 --- a/ctdb.te +++ b/ctdb.te -@@ -1,4 +1,4 @@ --policy_module(ctdb, 1.1.0) -+policy_module(ctdb, 1.0.3) - - ######################################## - # @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) type ctdbd_var_lib_t; files_type(ctdbd_var_lib_t) @@ -20770,7 +18948,7 @@ index 949011e..9437dbe 100644 +/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/cups.if b/cups.if -index 3023be7..c18145d 100644 +index 06da9a0..c18145d 100644 --- a/cups.if +++ b/cups.if @@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',` 
@@ -20788,39 +18966,37 @@ index 3023be7..c18145d 100644 ') ######################################## -@@ -306,22 +309,25 @@ interface(`cups_stream_connect_ptal',` +@@ -306,6 +309,29 @@ interface(`cups_stream_connect_ptal',` ######################################## ## --## Read the process state (/proc/pid) of cupsd. +## Execute cupsd server in the cupsd domain. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain allowed to transition. - ## - ## - # --interface(`cups_read_state',` ++## ++## ++# +interface(`cupsd_systemctl',` - gen_require(` - type cupsd_t; ++ gen_require(` ++ type cupsd_t; + type cupsd_unit_file_t; - ') - -- allow $1 cupsd_t:dir search_dir_perms; -- allow $1 cupsd_t:file read_file_perms; -- allow $1 cupsd_t:lnk_file read_lnk_file_perms; ++ ') ++ + systemd_exec_systemctl($1) + allow $1 cupsd_unit_file_t:file read_file_perms; + allow $1 cupsd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, cupsd_t) - ') - - ######################################## -@@ -344,18 +350,23 @@ interface(`cups_read_state',` ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an cups environment. + ## +@@ -324,18 +350,23 @@ interface(`cups_stream_connect_ptal',` interface(`cups_admin',` gen_require(` type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; @@ -20849,7 +19025,7 @@ index 3023be7..c18145d 100644 init_labeled_script_domtrans($1, cupsd_initrc_exec_t) domain_system_change_exemption($1) -@@ -368,13 +379,64 @@ interface(`cups_admin',` +@@ -348,13 +379,64 @@ interface(`cups_admin',` logging_list_logs($1) admin_pattern($1, cupsd_log_t) @@ -20920,15 +19096,10 @@ index 3023be7..c18145d 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index c91813c..e694e2f 100644 +index 9f34c2e..e694e2f 100644 --- a/cups.te 
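Review bot: The description of `cupsd_systemctl` reads "Execute cupsd server in the cupsd domain" and labels its parameter "Domain allowed to transition", but the body performs no domain transition: it grants `systemd_exec_systemctl($1)`, read access to `cupsd_unit_file_t` and `manage_service_perms` on the service, plus `ps_process_pattern($1, cupsd_t)`. A caller trusting the description will expect a domtrans and may hand this interface to domains that should not be able to start, stop or reconfigure the service. Suggested wording: `## Execute systemctl in the caller domain to manage the cupsd unit file and service, and read cupsd process state.` with the parameter described as `## Domain allowed access.`. The same description is used for `couchdb_systemctl` in the earlier hunk `@@ -17603,20 +15871,17 @@`, whose body lies outside that hunk.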
+++ b/cups.te -@@ -1,23 +1,35 @@ --policy_module(cups, 1.16.2) -+policy_module(cups, 1.15.9) - - ######################################## - # +@@ -5,19 +5,31 @@ policy_module(cups, 1.15.9) # Declarations # @@ -21094,8 +19265,15 @@ index c91813c..e694e2f 100644 allow cupsd_t cupsd_exec_t:dir search_dir_perms; allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; -@@ -136,22 +169,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) - manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +@@ -133,28 +166,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms; + files_lock_filetrans(cupsd_t, cupsd_lock_t, file) + + manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) ++manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) +manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t) @@ -21122,7 +19300,7 @@ index c91813c..e694e2f 100644 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; -@@ -159,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; +@@ -162,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) kernel_read_system_state(cupsd_t) @@ -21134,7 +19312,7 @@ index c91813c..e694e2f 100644 corenet_all_recvfrom_netlabel(cupsd_t) corenet_tcp_sendrecv_generic_if(cupsd_t) corenet_udp_sendrecv_generic_if(cupsd_t) -@@ -186,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) +@@ -189,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) 
@@ -21159,7 +19337,7 @@ index c91813c..e694e2f 100644 dev_rw_input_dev(cupsd_t) dev_rw_generic_usb_dev(cupsd_t) dev_rw_usbfs(cupsd_t) -@@ -203,7 +243,6 @@ domain_use_interactive_fds(cupsd_t) +@@ -206,7 +243,6 @@ domain_use_interactive_fds(cupsd_t) files_getattr_boot_dirs(cupsd_t) files_list_spool(cupsd_t) files_read_etc_runtime_files(cupsd_t) @@ -21167,7 +19345,7 @@ index c91813c..e694e2f 100644 files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) -@@ -212,17 +251,19 @@ files_read_world_readable_files(cupsd_t) +@@ -215,17 +251,19 @@ files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) files_read_var_files(cupsd_t) files_read_var_symlinks(cupsd_t) @@ -21189,7 +19367,7 @@ index c91813c..e694e2f 100644 mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) mls_file_write_all_levels(cupsd_t) -@@ -232,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t) +@@ -235,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t) term_search_ptys(cupsd_t) term_use_unallocated_ttys(cupsd_t) @@ -21198,7 +19376,7 @@ index c91813c..e694e2f 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -244,22 +287,27 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -247,23 +287,28 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) 
@@ -21220,18 +19398,19 @@ index c91813c..e694e2f 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_t) +userdom_dontaudit_search_user_home_dirs(cupsd_t) - userdom_dontaudit_search_user_home_content(cupsd_t) -+userdom_dontaudit_use_unpriv_user_fds(cupsd_t) +userdom_dontaudit_search_user_home_content(cupsd_t) -+ ++userdom_dontaudit_use_unpriv_user_fds(cupsd_t) + userdom_dontaudit_search_user_home_content(cupsd_t) + +tunable_policy(`cups_execmem',` + allow cupsd_t self:process { execmem execstack }; +') + - ++ optional_policy(` apm_domtrans_client(cupsd_t) -@@ -272,6 +320,8 @@ optional_policy(` + ') +@@ -275,6 +320,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -21240,7 +19419,7 @@ index c91813c..e694e2f 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -282,8 +332,10 @@ optional_policy(` +@@ -285,8 +332,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -21251,7 +19430,7 @@ index c91813c..e694e2f 100644 ') ') -@@ -296,8 +348,8 @@ optional_policy(` +@@ -299,8 +348,8 @@ optional_policy(` ') optional_policy(` @@ -21261,7 +19440,7 @@ index c91813c..e694e2f 100644 ') optional_policy(` -@@ -306,7 +358,6 @@ optional_policy(` +@@ -309,7 +358,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -21269,7 +19448,7 @@ index c91813c..e694e2f 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -334,7 +385,11 @@ optional_policy(` +@@ -337,7 +385,11 @@ optional_policy(` ') optional_policy(` @@ -21282,7 +19461,7 @@ index c91813c..e694e2f 100644 ') ######################################## -@@ -342,12 +397,11 @@ optional_policy(` +@@ -345,12 +397,11 @@ optional_policy(` # Configuration daemon local policy # 
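Review bot: The new side lists `userdom_dontaudit_use_unpriv_user_fds(cupsd_t)` and `userdom_dontaudit_search_user_home_content(cupsd_t)` twice each, once as retained context and once as added lines; the added copies are redundant and read like a rebase artifact. The same pattern appears in hunk `@@ -21390,24 +19569,18 @@`, where `corenet_tcp_bind_printer_port(cupsd_lpd_t)` and `corenet_tcp_connect_printer_port(cupsd_lpd_t)` are both kept as context and added again. Dropping the duplicated lines keeps the patch minimal and makes the next rebase less error-prone.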
@@ -21298,7 +19477,7 @@ index c91813c..e694e2f 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -372,18 +426,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -375,18 +426,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -21319,7 +19498,7 @@ index c91813c..e694e2f 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -392,20 +444,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -395,20 +444,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -21340,7 +19519,7 @@ index c91813c..e694e2f 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -417,11 +461,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -420,11 +461,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -21352,7 +19531,7 @@ index c91813c..e694e2f 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -449,9 +488,12 @@ optional_policy(` +@@ -452,9 +488,12 @@ optional_policy(` ') optional_policy(` @@ -21366,7 +19545,7 @@ index c91813c..e694e2f 100644 ') optional_policy(` -@@ -487,10 +529,6 @@ optional_policy(` +@@ -490,10 +529,6 @@ optional_policy(` # Lpd local policy # 
@@ -21377,7 +19556,7 @@ index c91813c..e694e2f 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -508,28 +546,16 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -511,31 +546,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -21390,24 +19569,18 @@ index c91813c..e694e2f 100644 corenet_sendrecv_ipp_client_packets(cupsd_lpd_t) corenet_tcp_connect_ipp_port(cupsd_lpd_t) --corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) -- --corenet_sendrecv_printer_server_packets(cupsd_lpd_t) - corenet_tcp_bind_printer_port(cupsd_lpd_t) --corenet_tcp_sendrecv_printer_port(cupsd_lpd_t) -- --corenet_sendrecv_printer_client_packets(cupsd_lpd_t) - corenet_tcp_connect_printer_port(cupsd_lpd_t) -- ++corenet_tcp_bind_printer_port(cupsd_lpd_t) ++corenet_tcp_connect_printer_port(cupsd_lpd_t) + corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) + -dev_read_urand(cupsd_lpd_t) -dev_read_rand(cupsd_lpd_t) - -fs_getattr_xattr_fs(cupsd_lpd_t) -+corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) - +- files_search_home(cupsd_lpd_t) -@@ -537,9 +563,6 @@ auth_use_nsswitch(cupsd_lpd_t) + auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -21417,7 +19590,7 @@ index c91813c..e694e2f 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -550,7 +573,6 @@ optional_policy(` +@@ -546,7 +573,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; 
@@ -21425,7 +19598,7 @@ index c91813c..e694e2f 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +588,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,148 +588,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -21547,15 +19720,17 @@ index c91813c..e694e2f 100644 -userdom_dontaudit_use_unpriv_user_fds(hplip_t) -userdom_dontaudit_search_user_home_dirs(hplip_t) -userdom_dontaudit_search_user_home_content(hplip_t) -- --optional_policy(` ++userdom_home_manager(cups_pdf_t) + + optional_policy(` - dbus_system_bus_client(hplip_t) - - optional_policy(` - userdom_dbus_send_all_users(hplip_t) - ') --') -- ++ gnome_read_config(cups_pdf_t) + ') + -optional_policy(` - lpd_read_config(hplip_t) - lpd_manage_spool(hplip_t) @@ -21564,20 +19739,18 @@ index c91813c..e694e2f 100644 -optional_policy(` - seutil_sigchld_newrole(hplip_t) -') -+userdom_home_manager(cups_pdf_t) - - optional_policy(` +- +-optional_policy(` - snmp_read_snmp_var_lib_files(hplip_t) -+ gnome_read_config(cups_pdf_t) - ') - +-') +- -optional_policy(` - udev_read_db(hplip_t) -') ######################################## # -@@ -735,7 +632,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +632,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -21585,7 +19758,7 @@ index c91813c..e694e2f 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +641,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -741,13 +641,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) 
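Review bot: The `++userdom_home_manager(cups_pdf_t)` line reinserted by this hunk is a broad grant with no justification next to it: if the interface keeps its usual refpolicy meaning, the PDF backend can create, modify and delete content across users' home directories rather than only the directory cups-pdf drops its output into. The change is a relocation (the old position is removed in the following hunk), which makes the rule easy to overlook on the next rebase, so a why-comment on the line is warranted, e.g. `# cups-pdf writes generated PDFs into the printing user's home; confirm the full home-manager grant is needed rather than a narrower user_home_t rule`. Whether a narrower interface would suffice cannot be confirmed from this hunk alone; the cups_pdf_t section begins before it.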
@@ -21599,7 +19772,7 @@ index c91813c..e694e2f 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +653,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +653,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -21608,7 +19781,7 @@ index c91813c..e694e2f 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +665,4 @@ optional_policy(` +@@ -769,3 +665,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -21625,7 +19798,7 @@ index 75c8be9..9dcffb2 100644 /opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) diff --git a/cvs.if b/cvs.if -index 64775fd..089c8d4 100644 +index 9fa7ffb..089c8d4 100644 --- a/cvs.if +++ b/cvs.if @@ -1,5 +1,23 @@ @@ -21677,10 +19850,12 @@ index 64775fd..089c8d4 100644 ## All of the rules required to ## administrate an cvs environment ## -@@ -60,19 +96,22 @@ interface(`cvs_admin',` +@@ -59,12 +95,18 @@ interface(`cvs_exec',` + interface(`cvs_admin',` gen_require(` type cvs_t, cvs_tmp_t, cvs_initrc_exec_t; - type cvs_data_t, cvs_var_run_t, cvs_keytab_t; +- type cvs_data_t, cvs_var_run_t; ++ type cvs_data_t, cvs_var_run_t, cvs_keytab_t; + type cvs_home_t; ') @@ -21696,15 +19871,7 @@ index 64775fd..089c8d4 100644 init_labeled_script_domtrans($1, cvs_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 cvs_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_etc($1) -- admin_pattern($1, cvs_keytab_t) -- - files_list_tmp($1) - admin_pattern($1, cvs_tmp_t) - -@@ -81,4 +120,7 @@ interface(`cvs_admin',` +@@ -78,4 +120,7 @@ interface(`cvs_admin',` files_list_pids($1) admin_pattern($1, cvs_var_run_t) @@ -21713,16 +19880,10 @@ index 64775fd..089c8d4 100644 + admin_pattern($1, cvs_home_t) ') diff --git a/cvs.te b/cvs.te -index 0f77550..d7cdaaf 100644 +index 53fc3af..d7cdaaf 100644 --- a/cvs.te 
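Review bot: The rewritten gen_require in cvs_admin now lists `cvs_keytab_t` (`++ type cvs_data_t, cvs_var_run_t, cvs_keytab_t;`), but nothing visible in cvs_admin uses it: the later hunk in this file only adds `admin_pattern($1, cvs_home_t)` and merely stops removing the upstream `admin_pattern($1, cvs_keytab_t)` lines rather than reinstating them. A required-but-unused type is harmless only if it is declared; the previous version of this patch declared it through `kerberos_keytab_template(cvs, cvs_t)` inside an optional_policy block in cvs.te, and the new version drops that hunk, so whether the new base declares cvs_keytab_t at all is not visible here and a build without that declaration would fail to expand cvs_admin. Either drop `cvs_keytab_t` from the require, or, if administrators are meant to manage the keytab, add `files_search_etc($1)` and `admin_pattern($1, cvs_keytab_t)` alongside the cvs_home_t rules. The body of cvs_admin continues outside this hunk, so confirm neither already happens there.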
+++ b/cvs.te -@@ -1,4 +1,4 @@ --policy_module(cvs, 1.10.2) -+policy_module(cvs, 1.9.1) - - ######################################## - # -@@ -11,12 +11,12 @@ policy_module(cvs, 1.10.2) +@@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1) ## password files. ##

## @@ -21732,21 +19893,11 @@ index 0f77550..d7cdaaf 100644 type cvs_t; type cvs_exec_t; inetd_tcp_service_domain(cvs_t, cvs_exec_t) --init_daemon_domain(cvs_t, cvs_exec_t) +init_domain(cvs_t, cvs_exec_t) application_executable_file(cvs_exec_t) type cvs_data_t; # customizable -@@ -25,32 +25,32 @@ files_type(cvs_data_t) - type cvs_initrc_exec_t; - init_script_file(cvs_initrc_exec_t) - --type cvs_keytab_t; --files_type(cvs_keytab_t) -- - type cvs_tmp_t; - files_tmp_file(cvs_tmp_t) - +@@ -30,16 +31,22 @@ files_tmp_file(cvs_tmp_t) type cvs_var_run_t; files_pid_file(cvs_var_run_t) 
@@ -21763,46 +19914,30 @@ index 0f77550..d7cdaaf 100644 allow cvs_t self:process signal_perms; allow cvs_t self:fifo_file rw_fifo_file_perms; allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; --allow cvs_t self:tcp_socket { accept listen }; -+ + +userdom_search_user_home_dirs(cvs_t) +allow cvs_t cvs_home_t:file read_file_perms; - ++ manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t) +@@ -58,6 +65,15 @@ kernel_read_network_state(cvs_t) + corecmd_exec_bin(cvs_t) + corecmd_exec_shell(cvs_t) --allow cvs_t cvs_keytab_t:file read_file_perms; -- - manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) - manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) - files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file }) -@@ -62,17 +62,17 @@ kernel_read_kernel_sysctls(cvs_t) - kernel_read_system_state(cvs_t) - kernel_read_network_state(cvs_t) - --corenet_all_recvfrom_unlabeled(cvs_t) -+corecmd_exec_bin(cvs_t) -+corecmd_exec_shell(cvs_t) -+ - corenet_all_recvfrom_netlabel(cvs_t) - corenet_tcp_sendrecv_generic_if(cvs_t) ++corenet_all_recvfrom_netlabel(cvs_t) ++corenet_tcp_sendrecv_generic_if(cvs_t) +corenet_udp_sendrecv_generic_if(cvs_t) - corenet_tcp_sendrecv_generic_node(cvs_t) -- --corenet_sendrecv_cvs_server_packets(cvs_t) ++corenet_tcp_sendrecv_generic_node(cvs_t) +corenet_udp_sendrecv_generic_node(cvs_t) +corenet_tcp_sendrecv_all_ports(cvs_t) +corenet_udp_sendrecv_all_ports(cvs_t) - corenet_tcp_bind_cvs_port(cvs_t) --corenet_tcp_sendrecv_cvs_port(cvs_t) -- --corecmd_exec_bin(cvs_t) --corecmd_exec_shell(cvs_t) - ++corenet_tcp_bind_cvs_port(cvs_t) ++ dev_read_urand(cvs_t) -@@ -86,26 +86,23 @@ auth_use_nsswitch(cvs_t) + files_read_etc_runtime_files(cvs_t) +@@ -70,18 +86,16 @@ auth_use_nsswitch(cvs_t) init_read_utmp(cvs_t) 
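Review bot: The new side of this hunk keeps `corenet_tcp_sendrecv_all_ports(cvs_t)` and `corenet_udp_sendrecv_all_ports(cvs_t)` while the patch now also has to add `corenet_tcp_bind_cvs_port(cvs_t)` and, as the removed `--corenet_tcp_sendrecv_cvs_port(cvs_t)` line suggests, no longer carries the port-specific sendrecv rule. For an inetd-spawned pserver the port-scoped form appears sufficient to serve its own socket, and the all-ports grant lets a compromised cvs_t send and receive on any labelled port type (connect rights aside); `corenet_tcp_sendrecv_cvs_port(cvs_t)` would be the least-privilege replacement, and the UDP lines look unnecessary for CVS unless something not shown here relies on them. The collapsed markers make it unclear whether the all-ports lines are introduced by this patch or inherited from the base, so at minimum a one-line comment stating why they are needed would help the next rebase. The cvs_t local-policy section continues outside this hunk.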
@@ -21824,31 +19959,16 @@ index 0f77550..d7cdaaf 100644 allow cvs_t self:capability dac_override; auth_tunable_read_shadow(cvs_t) ') - - optional_policy(` -+ kerberos_keytab_template(cvs, cvs_t) - kerberos_read_config(cvs_t) -- kerberos_read_keytab(cvs_t) -- kerberos_use(cvs_t) - kerberos_dontaudit_write_config(cvs_t) - ') - -@@ -120,4 +117,5 @@ optional_policy(` +@@ -103,4 +117,5 @@ optional_policy(` read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') diff --git a/cyphesis.te b/cyphesis.te -index 77ffc73..556f1ac 100644 +index 916427f..556f1ac 100644 --- a/cyphesis.te +++ b/cyphesis.te -@@ -1,4 +1,4 @@ --policy_module(cyphesis, 1.3.0) -+policy_module(cyphesis, 1.2.2) - - ######################################## - # @@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t) corecmd_search_bin(cyphesis_t) corecmd_getattr_bin_files(cyphesis_t) @@ -21872,7 +19992,7 @@ index 77ffc73..556f1ac 100644 optional_policy(` diff --git a/cyrus.if b/cyrus.if -index 83bfda6..a2860e3 100644 +index 6508280..a2860e3 100644 --- a/cyrus.if +++ b/cyrus.if @@ -20,6 +20,25 @@ interface(`cyrus_manage_data',` @@ -21901,11 +20021,8 @@ index 83bfda6..a2860e3 100644 ######################################## ## ## Connect to Cyrus using a unix -@@ -61,20 +80,20 @@ interface(`cyrus_admin',` - gen_require(` - type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t; +@@ -63,9 +82,13 @@ interface(`cyrus_admin',` type cyrus_var_run_t, cyrus_initrc_exec_t; -- type cyrus_keytab_t; ') - allow $1 cyrus_t:process { ptrace signal_perms }; 
@@ -21919,35 +20036,11 @@ index 83bfda6..a2860e3 100644 init_labeled_script_domtrans($1, cyrus_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 cyrus_initrc_exec_t system_r; - allow $2 system_r; - -- files_list_etc($1) -- admin_pattern($1, cyrus_keytab_t) -- - files_list_tmp($1) - admin_pattern($1, cyrus_tmp_t) - diff --git a/cyrus.te b/cyrus.te -index 4283f2d..bf8db3c 100644 +index 395f97c..bf8db3c 100644 --- a/cyrus.te +++ b/cyrus.te -@@ -1,4 +1,4 @@ --policy_module(cyrus, 1.13.1) -+policy_module(cyrus, 1.12.2) - - ######################################## - # -@@ -12,9 +12,6 @@ init_daemon_domain(cyrus_t, cyrus_exec_t) - type cyrus_initrc_exec_t; - init_script_file(cyrus_initrc_exec_t) - --type cyrus_keytab_t; --files_type(cyrus_keytab_t) -- - type cyrus_tmp_t; - files_tmp_file(cyrus_tmp_t) - -@@ -29,7 +26,7 @@ files_pid_file(cyrus_var_run_t) +@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t) # Local policy # @@ -21956,16 +20049,7 @@ index 4283f2d..bf8db3c 100644 dontaudit cyrus_t self:capability sys_tty_config; allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow cyrus_t self:process setrlimit; -@@ -44,8 +41,6 @@ allow cyrus_t self:unix_dgram_socket sendto; - allow cyrus_t self:unix_stream_socket { accept connectto listen }; - allow cyrus_t self:tcp_socket { accept listen }; - --allow cyrus_t cyrus_keytab_t:file read_file_perms; -- - manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t) - manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t) - files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { dir file }) -@@ -63,7 +58,6 @@ kernel_read_kernel_sysctls(cyrus_t) +@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(cyrus_t) kernel_read_system_state(cyrus_t) kernel_read_all_sysctls(cyrus_t) 
@@ -21973,7 +20057,7 @@ index 4283f2d..bf8db3c 100644 corenet_all_recvfrom_netlabel(cyrus_t) corenet_tcp_sendrecv_generic_if(cyrus_t) corenet_tcp_sendrecv_generic_node(cyrus_t) -@@ -76,6 +70,9 @@ corenet_tcp_bind_mail_port(cyrus_t) +@@ -71,6 +70,9 @@ corenet_tcp_bind_mail_port(cyrus_t) corenet_sendrecv_lmtp_server_packets(cyrus_t) corenet_tcp_bind_lmtp_port(cyrus_t) @@ -21983,7 +20067,7 @@ index 4283f2d..bf8db3c 100644 corenet_sendrecv_pop_server_packets(cyrus_t) corenet_tcp_bind_pop_port(cyrus_t) -@@ -95,8 +92,6 @@ domain_use_interactive_fds(cyrus_t) +@@ -90,8 +92,6 @@ domain_use_interactive_fds(cyrus_t) files_list_var_lib(cyrus_t) files_read_etc_runtime_files(cyrus_t) @@ -21992,7 +20076,7 @@ index 4283f2d..bf8db3c 100644 fs_getattr_all_fs(cyrus_t) fs_search_auto_mountpoints(cyrus_t) -@@ -107,7 +102,6 @@ libs_exec_lib_files(cyrus_t) +@@ -102,7 +102,6 @@ libs_exec_lib_files(cyrus_t) logging_send_syslog_msg(cyrus_t) @@ -22000,21 +20084,18 @@ index 4283f2d..bf8db3c 100644 miscfiles_read_generic_certs(cyrus_t) userdom_use_unpriv_users_fds(cyrus_t) -@@ -121,8 +115,11 @@ optional_policy(` +@@ -116,6 +115,10 @@ optional_policy(` ') optional_policy(` -- kerberos_read_keytab(cyrus_t) -- kerberos_use(cyrus_t) + dirsrv_stream_connect(cyrus_t) +') + +optional_policy(` -+ kerberos_keytab_template(cyrus, cyrus_t) + kerberos_keytab_template(cyrus, cyrus_t) ') - optional_policy(` -@@ -134,8 +131,8 @@ optional_policy(` +@@ -128,8 +131,8 @@ optional_policy(` ') optional_policy(` @@ -22035,15 +20116,9 @@ index 3b3d9a0..6c8106a 100644 ') + diff --git a/daemontools.te b/daemontools.te -index ee1b4aa..2569147 100644 +index 0165962..2569147 100644 --- a/daemontools.te +++ b/daemontools.te -@@ -1,4 +1,4 @@ --policy_module(daemontools, 1.3.0) -+policy_module(daemontools, 1.2.1) - - ######################################## - # 
@@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld; allow svc_multilog_t svc_start_t:fd use; allow svc_multilog_t svc_start_t:fifo_file rw_fifo_file_perms; @@ -22091,15 +20166,9 @@ index ee1b4aa..2569147 100644 - -miscfiles_read_localization(svc_start_t) diff --git a/dante.te b/dante.te -index 5a5e290..fff0987 100644 +index 98a2d6a..fff0987 100644 --- a/dante.te +++ b/dante.te -@@ -1,4 +1,4 @@ --policy_module(dante, 1.9.0) -+policy_module(dante, 1.8.2) - - ######################################## - # @@ -53,7 +53,6 @@ dev_read_sysfs(dante_t) domain_use_interactive_fds(dante_t) @@ -22109,15 +20178,9 @@ index 5a5e290..fff0987 100644 fs_getattr_all_fs(dante_t) diff --git a/dbadm.te b/dbadm.te -index b60c464..f7c0e61 100644 +index a67870a..f7c0e61 100644 --- a/dbadm.te +++ b/dbadm.te -@@ -1,4 +1,4 @@ --policy_module(dbadm, 1.1.0) -+policy_module(dbadm, 1.0.1) - - ######################################## - # @@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false) role dbadm_r; @@ -22151,23 +20214,10 @@ index b60c464..f7c0e61 100644 +optional_policy(` + sudo_role_template(dbadm, dbadm_r, dbadm_t) +') -diff --git a/dbskk.fc b/dbskk.fc -index 6fb8fea..7af2590 100644 ---- a/dbskk.fc -+++ b/dbskk.fc -@@ -1 +1,2 @@ -+ - /usr/sbin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0) diff --git a/dbskk.te b/dbskk.te -index f55c420..719583e 100644 +index 188e2e6..719583e 100644 --- a/dbskk.te +++ b/dbskk.te -@@ -1,4 +1,4 @@ --policy_module(dbskk, 1.6.0) -+policy_module(dbskk, 1.5.1) - - ######################################## - # @@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t) kernel_read_system_state(dbskkd_t) kernel_read_network_state(dbskkd_t) @@ -22231,7 +20281,7 @@ index dda905b..ccd0ba9 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb..8cc440f 100644 +index afcf3a2..8cc440f 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ 
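Review bot: The new side of the dbadm.te hunk gives the database-administrator role a sudo domain via `sudo_role_template(dbadm, dbadm_r, dbadm_t)` inside an optional_policy block, with no comment on why a role whose other visible tunables are as narrow as `dbadm_read_user_files` should be able to invoke sudo at all. If the template keeps its refpolicy semantics it yields a sudo domain that can escalate to whatever /etc/sudoers permits, which removes much of the containment the confined role otherwise provides; the collapsed markers do not show whether this patch adds the block or inherits it from the base. If it is intentional for Fedora's dbadm use-case, document it on the line, e.g. `# dbadm_r runs database maintenance through sudo; effective privilege is bounded by /etc/sudoers`; otherwise drop the block. The dbadm.te section continues outside this hunk.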
@@ -22693,7 +20743,7 @@ index 62d22cb..8cc440f 100644 ## ## ## -@@ -349,20 +362,18 @@ interface(`dbus_read_config',` +@@ -349,19 +362,18 @@ interface(`dbus_read_config',` ## ## # @@ -22707,7 +20757,6 @@ index 62d22cb..8cc440f 100644 - files_search_var_lib($1) - read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) -- read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + allow $1 system_dbusd_t:dbus send_msg; ') @@ -22719,7 +20768,7 @@ index 62d22cb..8cc440f 100644 ##
## ## -@@ -370,26 +381,20 @@ interface(`dbus_read_lib_files',` +@@ -369,26 +381,20 @@ interface(`dbus_read_lib_files',` ## ## # @@ -22752,7 +20801,7 @@ index 62d22cb..8cc440f 100644 ## ## ## Type to be used as a domain. -@@ -397,81 +402,67 @@ interface(`dbus_manage_lib_files',` +@@ -396,81 +402,67 @@ interface(`dbus_manage_lib_files',` ## ## ## @@ -22862,7 +20911,7 @@ index 62d22cb..8cc440f 100644 ## ## ## -@@ -479,18 +470,18 @@ interface(`dbus_spec_session_domain',` +@@ -478,18 +470,18 @@ interface(`dbus_spec_session_domain',` ## ## # @@ -22886,7 +20935,7 @@ index 62d22cb..8cc440f 100644 ## ## ## -@@ -498,98 +489,80 @@ interface(`dbus_connect_system_bus',` +@@ -497,98 +489,80 @@ interface(`dbus_connect_system_bus',` ## ## # @@ -23013,7 +21062,7 @@ index 62d22cb..8cc440f 100644 ##
## ## -@@ -597,28 +570,49 @@ interface(`dbus_use_system_bus_fds',` +@@ -596,28 +570,49 @@ interface(`dbus_use_system_bus_fds',` ## ## # @@ -23072,11 +21121,11 @@ index 62d22cb..8cc440f 100644 + files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus") ') diff --git a/dbus.te b/dbus.te -index c9998c8..2ead441 100644 +index 2c2e7e1..2ead441 100644 --- a/dbus.te +++ b/dbus.te @@ -1,20 +1,18 @@ --policy_module(dbus, 1.19.0) +-policy_module(dbus, 1.18.8) +policy_module(dbus, 1.17.0) gen_require(` @@ -23452,8 +21501,8 @@ index c9998c8..2ead441 100644 # Unconfined access to this module # --allow dbusd_unconfined { system_dbusd_t session_bus_type dbusd_session_bus_client dbusd_system_bus_client }:dbus all_dbus_perms; --allow { dbusd_session_bus_client dbusd_system_bus_client } dbusd_unconfined:dbus send_msg; +-allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg; +-allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms; +allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; +allow session_bus_type dbusd_unconfined:dbus send_msg; @@ -23483,15 +21532,9 @@ index a5c21e0..4639421 100644 stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) ') diff --git a/dcc.te b/dcc.te -index 353fa4a..cecb0da 100644 +index 15d908f..cecb0da 100644 --- a/dcc.te +++ b/dcc.te -@@ -1,4 +1,4 @@ --policy_module(dcc, 1.12.0) -+policy_module(dcc, 1.11.1) - - ######################################## - # @@ -45,7 +45,7 @@ type dcc_var_t; files_type(dcc_var_t) @@ -23661,15 +21704,9 @@ index 5606b40..cd18cf2 100644 domain_system_change_exemption($1) role_transition $2 ddclient_initrc_exec_t system_r; diff --git a/ddclient.te b/ddclient.te -index a4caa1b..2efb435 100644 +index 0b4b8b9..2efb435 100644 --- a/ddclient.te 
+++ b/ddclient.te -@@ -1,4 +1,4 @@ --policy_module(ddclient, 1.10.0) -+policy_module(ddclient, 1.9.2) - - ######################################## - # @@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t) # Declarations # @@ -23722,15 +21759,9 @@ index a4caa1b..2efb435 100644 sysnet_exec_ifconfig(ddclient_t) sysnet_dns_name_resolve(ddclient_t) diff --git a/ddcprobe.te b/ddcprobe.te -index 8fa4bb9..2496e02 100644 +index ceb9bf4..2496e02 100644 --- a/ddcprobe.te +++ b/ddcprobe.te -@@ -1,4 +1,4 @@ --policy_module(ddcprobe, 1.3.0) -+policy_module(ddcprobe, 1.2.1) - - ######################################## - # @@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t) dev_read_raw_memory(ddcprobe_t) dev_wx_raw_memory(ddcprobe_t) @@ -23783,15 +21814,9 @@ index a7326da..c87b5b7 100644 admin_pattern($1, denyhosts_var_lock_t) ') diff --git a/denyhosts.te b/denyhosts.te -index 583a527..7f0c21f 100644 +index bcb9770..7f0c21f 100644 --- a/denyhosts.te +++ b/denyhosts.te -@@ -1,4 +1,4 @@ --policy_module(denyhosts, 1.1.0) -+policy_module(denyhosts, 1.0.2) - - ######################################## - # @@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t) # # Local policy @@ -23839,7 +21864,7 @@ index 583a527..7f0c21f 100644 + gnome_dontaudit_search_config(denyhosts_t) +') diff --git a/devicekit.if b/devicekit.if -index 8ce99ff..3b4f593 100644 +index d294865..3b4f593 100644 --- a/devicekit.if +++ b/devicekit.if @@ -1,4 +1,4 @@ @@ -23893,122 +21918,56 @@ index 8ce99ff..3b4f593 100644 ') ######################################## -@@ -83,7 +99,7 @@ interface(`devicekit_dbus_chat_disk',` +@@ -83,7 +99,46 @@ interface(`devicekit_dbus_chat_disk',` ######################################## ## -## Send generic signals to devicekit power. +## Use file descriptors for devicekit_disk. - ## - ## - ## -@@ -91,39 +107,38 @@ interface(`devicekit_dbus_chat_disk',` - ## - ## - # --interface(`devicekit_signal_power',` ++##
++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`devicekit_use_fds_disk',` - gen_require(` -- type devicekit_power_t; ++ gen_require(` + type devicekit_disk_t; - ') - -- allow $1 devicekit_power_t:process signal; ++ ') ++ + allow $1 devicekit_disk_t:fd use; - ') - - ######################################## - ## --## Send and receive messages from --## devicekit power over dbus. ++') ++ ++######################################## ++## +## Dontaudit Send and receive messages from +## devicekit disk over dbus. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`devicekit_dbus_chat_power',` ++## ++## ++# +interface(`devicekit_dontaudit_dbus_chat_disk',` - gen_require(` -- type devicekit_power_t; -+ type devicekit_disk_t; - class dbus send_msg; - ') - -- allow $1 devicekit_power_t:dbus send_msg; -- allow devicekit_power_t $1:dbus send_msg; -+ dontaudit $1 devicekit_disk_t:dbus send_msg; -+ dontaudit devicekit_disk_t $1:dbus send_msg; - ') - - ######################################## - ## --## Use and inherit devicekit power --## file descriptors. -+## Send signal devicekit power - ## - ## - ## -@@ -131,17 +146,18 @@ interface(`devicekit_dbus_chat_power',` - ## - ## - # --interface(`devicekit_use_fds_power',` -+interface(`devicekit_signal_power',` - gen_require(` - type devicekit_power_t; - ') - -- allow $1 devicekit_power_t:fd use; -+ allow $1 devicekit_power_t:process signal; - ') - - ######################################## - ## --## Append inherited devicekit log files. -+## Send and receive messages from -+## devicekit power over dbus. 
- ## - ## - ## -@@ -149,40 +165,56 @@ interface(`devicekit_use_fds_power',` - ## - ## - # -+interface(`devicekit_dbus_chat_power',` + gen_require(` -+ type devicekit_power_t; ++ type devicekit_disk_t; + class dbus send_msg; + ') + -+ allow $1 devicekit_power_t:dbus send_msg; -+ allow devicekit_power_t $1:dbus send_msg; ++ dontaudit $1 devicekit_disk_t:dbus send_msg; ++ dontaudit devicekit_disk_t $1:dbus send_msg; +') + -+####################################### ++######################################## +## -+## Append inherited devicekit log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# - interface(`devicekit_append_inherited_log_files',` - gen_require(` - type devicekit_var_log_t; - ') - -- logging_search_logs($1) -- allow $1 devicekit_var_log_t:file { getattr_file_perms append }; -- -- devicekit_use_fds_power($1) -+ allow $1 devicekit_var_log_t:file append_inherited_file_perms; ++## Send signal devicekit power + ##
+ ## + ## +@@ -120,29 +175,46 @@ interface(`devicekit_dbus_chat_power',` + allow devicekit_power_t $1:dbus send_msg; ') -######################################## @@ -24016,26 +21975,44 @@ index 8ce99ff..3b4f593 100644 ## -## Create, read, write, and delete -## devicekit log files. -+## Do not audit attempts to write the devicekit -+## log files. ++## Append inherited devicekit log files. ## ## -## -## Domain allowed access. -## +## -+## Domain to not audit. ++## Domain allowed access. +## ## # -interface(`devicekit_manage_log_files',` -+interface(`devicekit_dontaudit_rw_log',` ++interface(`devicekit_append_inherited_log_files',` gen_require(` type devicekit_var_log_t; ') - logging_search_logs($1) - manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) ++ allow $1 devicekit_var_log_t:file append_inherited_file_perms; ++') ++ ++####################################### ++## ++## Do not audit attempts to write the devicekit ++## log files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`devicekit_dontaudit_rw_log',` ++ gen_require(` ++ type devicekit_var_log_t; ++ ') ++ + dontaudit $1 devicekit_var_log_t:file rw_file_perms; ') @@ -24046,7 +22023,7 @@ index 8ce99ff..3b4f593 100644 ## ## ## -@@ -190,13 +222,13 @@ interface(`devicekit_manage_log_files',` +@@ -150,13 +222,13 @@ interface(`devicekit_manage_log_files',` ## ## # @@ -24064,7 +22041,7 @@ index 8ce99ff..3b4f593 100644 ') ######################################## -@@ -220,11 +252,30 @@ interface(`devicekit_read_pid_files',` +@@ -180,11 +252,30 @@ interface(`devicekit_read_pid_files',` ######################################## ## @@ -24096,7 +22073,7 @@ index 8ce99ff..3b4f593 100644 ## Domain allowed access. ## ## -@@ -235,22 +286,59 @@ interface(`devicekit_manage_pid_files',` +@@ -195,22 +286,59 @@ interface(`devicekit_manage_pid_files',` ') files_search_pids($1) @@ -24160,7 +22137,7 @@ index 8ce99ff..3b4f593 100644 ##
## ## -@@ -259,21 +347,48 @@ interface(`devicekit_admin',` +@@ -219,21 +347,48 @@ interface(`devicekit_admin',` gen_require(` type devicekit_t, devicekit_disk_t, devicekit_power_t; type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; @@ -24219,16 +22196,10 @@ index 8ce99ff..3b4f593 100644 + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index 77a5003..cd1d88d 100644 +index ff933af..cd1d88d 100644 --- a/devicekit.te +++ b/devicekit.te -@@ -1,4 +1,4 @@ --policy_module(devicekit, 1.3.1) -+policy_module(devicekit, 1.2.1) - - ######################################## - # -@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1) +@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1) type devicekit_t; type devicekit_exec_t; @@ -24270,7 +22241,7 @@ index 77a5003..cd1d88d 100644 allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -81,15 +79,15 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton; +@@ -81,10 +79,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton; manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file }) 
@@ -24283,12 +22254,7 @@ index 77a5003..cd1d88d 100644 kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_network_state(devicekit_disk_t) kernel_read_software_raid_state(devicekit_disk_t) - kernel_read_system_state(devicekit_disk_t) --kernel_read_vm_sysctls(devicekit_disk_t) - kernel_request_load_module(devicekit_disk_t) - kernel_setsched(devicekit_disk_t) - -@@ -99,6 +97,8 @@ corecmd_getattr_all_executables(devicekit_disk_t) +@@ -98,6 +97,8 @@ corecmd_getattr_all_executables(devicekit_disk_t) dev_getattr_all_chr_files(devicekit_disk_t) dev_getattr_mtrr_dev(devicekit_disk_t) @@ -24297,7 +22263,7 @@ index 77a5003..cd1d88d 100644 dev_getattr_usbfs_dirs(devicekit_disk_t) dev_manage_generic_files(devicekit_disk_t) dev_read_urand(devicekit_disk_t) -@@ -117,8 +117,8 @@ files_getattr_all_pipes(devicekit_disk_t) +@@ -116,8 +117,8 @@ files_getattr_all_pipes(devicekit_disk_t) files_manage_boot_dirs(devicekit_disk_t) files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) @@ -24307,7 +22273,7 @@ index 77a5003..cd1d88d 100644 fs_getattr_all_fs(devicekit_disk_t) fs_list_inotifyfs(devicekit_disk_t) -@@ -135,18 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) +@@ -134,16 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) @@ -24316,10 +22282,9 @@ index 77a5003..cd1d88d 100644 auth_use_nsswitch(devicekit_disk_t) - logging_send_syslog_msg(devicekit_disk_t) - -miscfiles_read_localization(devicekit_disk_t) -- ++logging_send_syslog_msg(devicekit_disk_t) + userdom_read_all_users_state(devicekit_disk_t) userdom_search_user_home_dirs(devicekit_disk_t) +userdom_manage_user_tmp_dirs(devicekit_disk_t) 
@@ -24329,7 +22294,7 @@ index 77a5003..cd1d88d 100644 dbus_system_bus_client(devicekit_disk_t) allow devicekit_disk_t devicekit_t:dbus send_msg; -@@ -170,6 +170,7 @@ optional_policy(` +@@ -167,6 +170,7 @@ optional_policy(` optional_policy(` mount_domtrans(devicekit_disk_t) @@ -24337,7 +22302,7 @@ index 77a5003..cd1d88d 100644 ') optional_policy(` -@@ -183,25 +184,35 @@ optional_policy(` +@@ -180,6 +184,11 @@ optional_policy(` ') optional_policy(` @@ -24348,10 +22313,8 @@ index 77a5003..cd1d88d 100644 +optional_policy(` udev_domtrans(devicekit_disk_t) udev_read_db(devicekit_disk_t) -- udev_read_pid_files(devicekit_disk_t) ') - - optional_policy(` +@@ -188,12 +197,19 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -24372,11 +22335,7 @@ index 77a5003..cd1d88d 100644 allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; --allow devicekit_power_t self:unix_stream_socket create_socket_perms; - allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; - - manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) -@@ -212,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) +@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) 
@@ -24387,14 +22346,7 @@ index 77a5003..cd1d88d 100644 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) -@@ -241,27 +250,22 @@ dev_rw_generic_chr_files(devicekit_power_t) - dev_rw_netcontrol(devicekit_power_t) - dev_rw_sysfs(devicekit_power_t) - dev_read_rand(devicekit_power_t) --dev_getattr_all_blk_files(devicekit_power_t) - dev_getattr_all_chr_files(devicekit_power_t) - - domain_read_all_domains_state(devicekit_power_t) +@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t) files_read_kernel_img(devicekit_power_t) files_read_etc_runtime_files(devicekit_power_t) @@ -24409,28 +22361,24 @@ index 77a5003..cd1d88d 100644 auth_use_nsswitch(devicekit_power_t) --init_all_labeled_script_domtrans(devicekit_power_t) --init_read_utmp(devicekit_power_t) -- -miscfiles_read_localization(devicekit_power_t) +seutil_exec_setfiles(devicekit_power_t) sysnet_domtrans_ifconfig(devicekit_power_t) sysnet_domtrans_dhcpc(devicekit_power_t) -@@ -277,6 +281,12 @@ optional_policy(` - ') +@@ -269,9 +282,11 @@ optional_policy(` optional_policy(` -+ cron_initrc_domtrans(devicekit_power_t) + cron_initrc_domtrans(devicekit_power_t) + cron_systemctl(devicekit_power_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -307,8 +317,11 @@ optional_policy(` +@@ -302,8 +317,11 @@ optional_policy(` ') optional_policy(` 
@@ -24443,15 +22391,7 @@ index 77a5003..cd1d88d 100644 hal_manage_pid_dirs(devicekit_power_t) hal_manage_pid_files(devicekit_power_t) ') -@@ -337,7 +350,6 @@ optional_policy(` - - optional_policy(` - udev_read_db(devicekit_power_t) -- udev_manage_pid_files(devicekit_power_t) - ') - - optional_policy(` -@@ -347,3 +359,9 @@ optional_policy(` +@@ -341,3 +359,9 @@ optional_policy(` optional_policy(` vbetool_domtrans(devicekit_power_t) ') @@ -24462,24 +22402,16 @@ index 77a5003..cd1d88d 100644 +') + diff --git a/dhcp.fc b/dhcp.fc -index 8182c48..333d214 100644 +index 7956248..333d214 100644 --- a/dhcp.fc +++ b/dhcp.fc -@@ -1,8 +1,10 @@ +@@ -1,4 +1,6 @@ /etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) +/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) +/usr/lib/systemd/system/dhcpd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) --/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) -+/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) - --/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0) --/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) -+/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0) -+/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) + /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) --/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) -+/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) diff --git a/dhcp.if b/dhcp.if index c697edb..31d45bf 100644 --- a/dhcp.if @@ -24552,15 +22484,9 @@ index c697edb..31d45bf 100644 + allow $1 dhcpd_unit_file_t:service all_service_perms; ') diff --git a/dhcp.te b/dhcp.te -index 98a24b9..5d61f10 100644 +index c93c3db..5d61f10 100644 --- a/dhcp.te 
+++ b/dhcp.te -@@ -1,4 +1,4 @@ --policy_module(dhcp, 1.11.0) -+policy_module(dhcp, 1.10.1) - - ######################################## - # @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) type dhcpd_initrc_exec_t; init_script_file(dhcpd_initrc_exec_t) @@ -24651,15 +22577,9 @@ index 3cc3494..cb0a1f4 100644 init_labeled_script_domtrans($1, dictd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/dictd.te b/dictd.te -index 433d3c5..43b800a 100644 +index fd4a602..43b800a 100644 --- a/dictd.te +++ b/dictd.te -@@ -1,4 +1,4 @@ --policy_module(dictd, 1.8.0) -+policy_module(dictd, 1.7.1) - - ######################################## - # @@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file) kernel_read_system_state(dictd_t) kernel_read_kernel_sysctls(dictd_t) @@ -25478,15 +23398,9 @@ index 24d8c74..1790ec5 100644 ') diff --git a/distcc.te b/distcc.te -index 898b2f4..83fb340 100644 +index b441a4d..83fb340 100644 --- a/distcc.te +++ b/distcc.te -@@ -1,4 +1,4 @@ --policy_module(distcc, 1.9.0) -+policy_module(distcc, 1.8.2) - - ######################################## - # @@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file) kernel_read_system_state(distccd_t) kernel_read_kernel_sysctls(distccd_t) @@ -25533,15 +23447,9 @@ index 671d3c0..6d36c95 100644 ##################################### diff --git a/djbdns.te b/djbdns.te -index 87ca536..df50e4c 100644 +index 463d290..df50e4c 100644 --- a/djbdns.te +++ b/djbdns.te -@@ -1,4 +1,4 @@ --policy_module(djbdns, 1.6.0) -+policy_module(djbdns, 1.5.3) - - ######################################## - # @@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain) files_search_var(djbdns_domain) 
@@ -25565,25 +23473,6 @@ index 5818418..674367b 100644 /var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0) -diff --git a/dkim.te b/dkim.te -index 6a73d60..0d2eb21 100644 ---- a/dkim.te -+++ b/dkim.te -@@ -1,4 +1,4 @@ --policy_module(dkim, 1.2.0) -+policy_module(dkim, 1.1.3) - - ######################################## - # -@@ -13,8 +13,6 @@ init_script_file(dkim_milter_initrc_exec_t) - type dkim_milter_private_key_t; - files_type(dkim_milter_private_key_t) - --init_daemon_run_dir(dkim_milter_data_t, "opendkim") -- - ######################################## - # - # Local policy diff --git a/dmidecode.if b/dmidecode.if index 41c3f67..653a1ec 100644 --- a/dmidecode.if @@ -25615,30 +23504,11 @@ index 41c3f67..653a1ec 100644 ## ## Execute dmidecode in the dmidecode diff --git a/dmidecode.te b/dmidecode.te -index aa0ef6e..8d4d843 100644 +index c947c2c..8d4d843 100644 --- a/dmidecode.te +++ b/dmidecode.te -@@ -1,4 +1,4 @@ --policy_module(dmidecode, 1.5.1) -+policy_module(dmidecode, 1.4.1) - - ######################################## - # -@@ -20,15 +20,17 @@ role dmidecode_roles types dmidecode_t; - - allow dmidecode_t self:capability sys_rawio; - --dev_read_raw_memory(dmidecode_t) - dev_read_sysfs(dmidecode_t) -+dev_read_raw_memory(dmidecode_t) - --domain_use_interactive_fds(dmidecode_t) -+mls_file_read_all_levels(dmidecode_t) +@@ -29,4 +29,8 @@ files_list_usr(dmidecode_t) - files_list_usr(dmidecode_t) - --mls_file_read_all_levels(dmidecode_t) -- locallogin_use_fds(dmidecode_t) -userdom_use_user_terminals(dmidecode_t) @@ -25933,15 +23803,9 @@ index 19aa0b8..b9895ba 100644 + allow $1 dnsmasq_unit_file_t:service all_service_perms; ') diff --git a/dnsmasq.te b/dnsmasq.te -index 37a3b7b..34a4c71 100644 +index ba14bcf..34a4c71 100644 --- a/dnsmasq.te 
+++ b/dnsmasq.te -@@ -1,4 +1,4 @@ --policy_module(dnsmasq, 1.10.0) -+policy_module(dnsmasq, 1.9.3) - - ######################################## - # @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) type dnsmasq_var_run_t; files_pid_file(dnsmasq_var_run_t) @@ -26204,15 +24068,9 @@ index 0000000..64f1a64 + +') diff --git a/dnssectrigger.te b/dnssectrigger.te -index c7bb4e7..fddd51f 100644 +index ef36d73..fddd51f 100644 --- a/dnssectrigger.te +++ b/dnssectrigger.te -@@ -1,4 +1,4 @@ --policy_module(dnssectrigger, 1.1.0) -+policy_module(dnssectrigger, 1.0.1) - - ######################################## - # @@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t) logging_send_syslog_msg(dnssec_triggerd_t) @@ -26991,7 +24849,7 @@ index c880070..4448055 100644 -/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) +/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --git a/dovecot.if b/dovecot.if -index d5badb7..f3e446c 100644 +index dbcac59..f3e446c 100644 --- a/dovecot.if +++ b/dovecot.if @@ -1,29 +1,49 @@ @@ -27151,7 +25009,7 @@ index d5badb7..f3e446c 100644 ## ## ## -@@ -132,22 +168,24 @@ interface(`dovecot_write_inherited_tmp_files',` +@@ -132,21 +168,24 @@ interface(`dovecot_write_inherited_tmp_files',` ## ## ## @@ -27167,7 +25025,6 @@ index d5badb7..f3e446c 100644 - type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t; - type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t; - type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t; -- type dovecot_keytab_t; + type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t; + type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t; + type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t; 
@@ -27183,12 +25040,9 @@ index d5badb7..f3e446c 100644 init_labeled_script_domtrans($1, dovecot_initrc_exec_t) domain_system_change_exemption($1) -@@ -155,22 +193,27 @@ interface(`dovecot_admin',` - allow $2 system_r; - +@@ -156,20 +195,25 @@ interface(`dovecot_admin',` files_list_etc($1) -- admin_pattern($1, { dovecot_keytab_t dovecot_etc_t }) -+ admin_pattern($1, dovecot_etc_t) + admin_pattern($1, dovecot_etc_t) - logging_list_logs($1) - admin_pattern($1, dovecot_var_log_t) @@ -27219,16 +25073,16 @@ index d5badb7..f3e446c 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index 0aabc7e..38bfca8 100644 +index a7bfaf0..38bfca8 100644 --- a/dovecot.te +++ b/dovecot.te @@ -1,4 +1,4 @@ --policy_module(dovecot, 1.16.1) +-policy_module(dovecot, 1.15.6) +policy_module(dovecot, 1.14.0) ######################################## # -@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1) +@@ -7,12 +7,10 @@ policy_module(dovecot, 1.15.6) attribute dovecot_domain; @@ -27253,14 +25107,7 @@ index 0aabc7e..38bfca8 100644 domain_type(dovecot_deliver_t) domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) role system_r types dovecot_deliver_t; -@@ -38,18 +35,16 @@ files_config_file(dovecot_etc_t) - type dovecot_initrc_exec_t; - init_script_file(dovecot_initrc_exec_t) - --type dovecot_keytab_t; --files_type(dovecot_keytab_t) -- - type dovecot_passwd_t; +@@ -42,11 +39,12 @@ type dovecot_passwd_t; files_type(dovecot_passwd_t) type dovecot_spool_t; @@ -27274,7 +25121,7 @@ index 0aabc7e..38bfca8 100644 type dovecot_var_lib_t; files_type(dovecot_var_lib_t) -@@ -59,20 +54,18 @@ logging_log_file(dovecot_var_log_t) +@@ -56,20 +54,18 @@ logging_log_file(dovecot_var_log_t) type dovecot_var_run_t; files_pid_file(dovecot_var_run_t) 
@@ -27300,7 +25147,7 @@ index 0aabc7e..38bfca8 100644 corecmd_exec_bin(dovecot_domain) corecmd_exec_shell(dovecot_domain) -@@ -81,39 +74,46 @@ dev_read_sysfs(dovecot_domain) +@@ -78,37 +74,46 @@ dev_read_sysfs(dovecot_domain) dev_read_rand(dovecot_domain) dev_read_urand(dovecot_domain) @@ -27335,8 +25182,7 @@ index 0aabc7e..38bfca8 100644 -allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms; +read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) +read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) - --allow dovecot_t dovecot_keytab_t:file read_file_perms; ++ +allow dovecot_t dovecot_etc_t:dir list_dir_perms; +read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) +read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) @@ -27361,7 +25207,7 @@ index 0aabc7e..38bfca8 100644 logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -@@ -125,45 +125,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) +@@ -120,45 +125,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) @@ -27418,7 +25264,7 @@ index 0aabc7e..38bfca8 100644 init_getattr_utmp(dovecot_t) -@@ -171,37 +161,29 @@ auth_use_nsswitch(dovecot_t) +@@ -166,44 +161,42 @@ auth_use_nsswitch(dovecot_t) miscfiles_read_generic_certs(dovecot_t) 
@@ -27431,12 +25277,6 @@ index 0aabc7e..38bfca8 100644 - fs_manage_nfs_files(dovecot_t) - fs_manage_nfs_symlinks(dovecot_t) -') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(dovecot_t) -- fs_manage_cifs_files(dovecot_t) -- fs_manage_cifs_symlinks(dovecot_t) --') +userdom_home_manager(dovecot_t) +userdom_dontaudit_use_unpriv_user_fds(dovecot_t) +userdom_manage_user_home_content_dirs(dovecot_t) @@ -27446,13 +25286,20 @@ index 0aabc7e..38bfca8 100644 +userdom_manage_user_home_content_sockets(dovecot_t) +userdom_filetrans_home_content(dovecot_t) +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(dovecot_t) +- fs_manage_cifs_files(dovecot_t) +- fs_manage_cifs_symlinks(dovecot_t) ++optional_policy(` ++ mta_manage_home_rw(dovecot_t) ++ mta_manage_spool(dovecot_t) + ') + optional_policy(` + kerberos_keytab_template(dovecot, dovecot_t) - kerberos_manage_host_rcache(dovecot_t) -- kerberos_read_keytab(dovecot_t) - kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0") -- kerberos_use(dovecot_t) -+ mta_manage_home_rw(dovecot_t) -+ mta_manage_spool(dovecot_t) ++ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0") ') optional_policy(` 
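Review bot: The new inner line `kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")` in hunk @@ -27446,13 +25286,20 @@ drops the object-class argument carried by the upstream call it replaces, `kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")`. That only builds if the kerberos.if in this tree defines the two-argument form; against the upstream three-argument interface the file name would be taken as the class. Worth confirming against the kerberos.if hunk of the same patch, which is not visible here.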
@@ -27460,29 +25307,27 @@ index 0aabc7e..38bfca8 100644 - mta_manage_mail_home_rw_content(dovecot_t) - mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir") - mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir") -+ kerberos_keytab_template(dovecot, dovecot_t) -+ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0") ++ gnome_manage_data(dovecot_t) ') optional_policy(` - postgresql_stream_connect(dovecot_t) -+ gnome_manage_data(dovecot_t) ++ postfix_manage_private_sockets(dovecot_t) ++ postfix_search_spool(dovecot_t) ') optional_policy(` -@@ -210,6 +192,11 @@ optional_policy(` +- postfix_manage_private_sockets(dovecot_t) +- postfix_search_spool(dovecot_t) ++ postgresql_stream_connect(dovecot_t) ') optional_policy(` -+ postgresql_stream_connect(dovecot_t) -+') -+ -+optional_policy(` + # Handle sieve scripts sendmail_domtrans(dovecot_t) ') -@@ -227,46 +214,65 @@ optional_policy(` +@@ -221,46 +214,65 @@ optional_policy(` ######################################## # @@ -27557,7 +25402,7 @@ index 0aabc7e..38bfca8 100644 mysql_stream_connect(dovecot_auth_t) mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -@@ -277,15 +283,30 @@ optional_policy(` +@@ -271,15 +283,30 @@ optional_policy(` ') optional_policy(` @@ -27589,7 +25434,7 @@ index 0aabc7e..38bfca8 100644 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) -@@ -295,35 +316,44 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t +@@ -289,35 +316,44 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; 
@@ -27651,92 +25496,13 @@ index 0aabc7e..38bfca8 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -332,5 +362,6 @@ optional_policy(` +@@ -326,5 +362,6 @@ optional_policy(` ') optional_policy(` + # Handle sieve scripts sendmail_domtrans(dovecot_deliver_t) ') -diff --git a/dpkg.fc b/dpkg.fc -index eec3c48..751c251 100644 ---- a/dpkg.fc -+++ b/dpkg.fc -@@ -1,5 +1,3 @@ --/etc/cron\.daily/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0) -- - /usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0) - /usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0) - /usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0) -diff --git a/dpkg.if b/dpkg.if -index fdc06d6..9aa68a6 100644 ---- a/dpkg.if -+++ b/dpkg.if -@@ -21,25 +21,6 @@ interface(`dpkg_domtrans',` - - ######################################## - ## --## Execute the dkpg in the caller domain. --## --## --## --## Domain allowed access. --## --## --# --interface(`dpkg_exec',` -- gen_require(` -- type dpkg_exec_t; -- ') -- -- corecmd_search_bin($1) -- can_exec($1, dpkg_exec_t) --') -- --######################################## --## - ## Execute dpkg_script programs in - ## the dpkg_script domain. 
- ## -diff --git a/dpkg.te b/dpkg.te -index 50af48c..998d765 100644 ---- a/dpkg.te -+++ b/dpkg.te -@@ -1,4 +1,4 @@ --policy_module(dpkg, 1.10.1) -+policy_module(dpkg, 1.10.0) - - ######################################## - # -@@ -137,7 +137,7 @@ storage_raw_read_fixed_disk(dpkg_t) - - auth_dontaudit_read_shadow(dpkg_t) - --init_all_labeled_script_domtrans(dpkg_t) -+init_domtrans_script(dpkg_t) - init_use_script_ptys(dpkg_t) - - libs_exec_ld_so(dpkg_t) -@@ -161,10 +161,6 @@ optional_policy(` - ') - - optional_policy(` -- backup_manage_store_files(dpkg_t) --') -- --optional_policy(` - cron_system_entry(dpkg_t, dpkg_exec_t) - ') - -@@ -276,7 +272,7 @@ term_use_all_terms(dpkg_script_t) - auth_dontaudit_getattr_shadow(dpkg_script_t) - files_manage_non_auth_files(dpkg_script_t) - --init_all_labeled_script_domtrans(dpkg_script_t) -+init_domtrans_script(dpkg_script_t) - init_use_script_fds(dpkg_script_t) - - libs_exec_ld_so(dpkg_script_t) diff --git a/drbd.fc b/drbd.fc index 671a3fb..c781675 100644 --- a/drbd.fc @@ -27893,15 +25659,9 @@ index 9a21639..26c5986 100644 ') + diff --git a/drbd.te b/drbd.te -index f2516cc..bdd8883 100644 +index 8e5ee54..bdd8883 100644 --- a/drbd.te +++ b/drbd.te -@@ -1,4 +1,4 @@ --policy_module(drbd, 1.1.0) -+policy_module(drbd, 1.0.1) - - ######################################## - # @@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config; allow drbd_t self:fifo_file rw_fifo_file_perms; allow drbd_t self:unix_stream_socket create_stream_socket_perms; @@ -28223,15 +25983,9 @@ index 18f2452..a446210 100644 + ') diff --git a/dspam.te b/dspam.te -index ef62363..b619351 100644 +index 266cb8f..b619351 100644 --- a/dspam.te +++ b/dspam.te -@@ -1,4 +1,4 @@ --policy_module(dspam, 1.1.0) -+policy_module(dspam, 1.0.5) - - ######################################## - # @@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t) allow dspam_t self:capability net_admin; 
@@ -28305,27 +26059,11 @@ index ef62363..b619351 100644 +optional_policy(` + procmail_domtrans(dspam_t) +') -diff --git a/entropyd.fc b/entropyd.fc -index ee38542..c698711 100644 ---- a/entropyd.fc -+++ b/entropyd.fc -@@ -4,4 +4,4 @@ - /usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0) - - /var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) --/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) -+/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) diff --git a/entropyd.te b/entropyd.te -index b8b8328..dc22b89 100644 +index a0da189..dc22b89 100644 --- a/entropyd.te +++ b/entropyd.te -@@ -1,4 +1,4 @@ --policy_module(entropyd, 1.8.0) -+policy_module(entropyd, 1.7.2) - - ######################################## - # -@@ -12,7 +12,7 @@ policy_module(entropyd, 1.8.0) +@@ -12,7 +12,7 @@ policy_module(entropyd, 1.7.2) ## the entropy feeds. ##

## @@ -28365,15 +26103,9 @@ index 597f305..8520653 100644 /tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0) diff --git a/evolution.te b/evolution.te -index c99e07c..3742ee1 100644 +index 94fb625..3742ee1 100644 --- a/evolution.te +++ b/evolution.te -@@ -1,4 +1,4 @@ --policy_module(evolution, 2.4.0) -+policy_module(evolution, 2.3.7) - - ######################################## - # @@ -168,7 +168,6 @@ dev_read_urand(evolution_t) domain_dontaudit_read_all_domains_state(evolution_t) @@ -28415,8 +26147,21 @@ index c99e07c..3742ee1 100644 fs_search_auto_mountpoints(evolution_server_t) +diff --git a/exim.fc b/exim.fc +index dc0254b..9df498d 100644 +--- a/exim.fc ++++ b/exim.fc +@@ -3,6 +3,8 @@ + /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0) + /usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0) + ++/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0) ++ + /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) + + /var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0) diff --git a/exim.if b/exim.if -index 9bbc690..4a8d053 100644 +index 6041113..4a8d053 100644 --- a/exim.if +++ b/exim.if @@ -21,35 +21,51 @@ interface(`exim_domtrans',` @@ -28541,7 +26286,52 @@ index 9bbc690..4a8d053 100644 ##
## ## -@@ -276,7 +292,6 @@ interface(`exim_manage_var_lib_files',` +@@ -225,6 +241,44 @@ interface(`exim_manage_spool_files',` + + ######################################## + ## ++## Read exim var lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`exim_read_var_lib_files',` ++ gen_require(` ++ type exim_var_lib_t; ++ ') ++ ++ read_files_pattern($1, exim_var_lib_t, exim_var_lib_t) ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Create, read, and write exim var lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`exim_manage_var_lib_files',` ++ gen_require(` ++ type exim_var_lib_t; ++ ') ++ ++ manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t) ++ files_search_var_lib($1) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an exim environment. + ## +@@ -238,22 +292,29 @@ interface(`exim_manage_spool_files',` ## Role allowed access. ## ## @@ -28549,8 +26339,9 @@ index 9bbc690..4a8d053 100644 # interface(`exim_admin',` gen_require(` -@@ -285,10 +300,14 @@ interface(`exim_admin',` - type exim_keytab_t; + type exim_t, exim_spool_t, exim_log_t; + type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t; ++ type exim_keytab_t; ') - allow $1 exim_t:process { ptrace signal_perms }; @@ -28566,21 +26357,31 @@ index 9bbc690..4a8d053 100644 domain_system_change_exemption($1) role_transition $2 exim_initrc_exec_t system_r; allow $2 system_r; + ++ files_search_etc($1) ++ admin_pattern($1, exim_keytab_t) ++ + files_search_spool($1) + admin_pattern($1, exim_spool_t) + diff --git a/exim.te b/exim.te -index 4086c51..5495c90 100644 +index 19325ce..5495c90 100644 --- a/exim.te 
+++ b/exim.te -@@ -45,9 +45,6 @@ mta_agent_executable(exim_exec_t) +@@ -1,4 +1,4 @@ +-policy_module(exim, 1.5.4) ++policy_module(exim, 1.6.1) + + ######################################## + # +@@ -45,11 +45,14 @@ mta_agent_executable(exim_exec_t) type exim_initrc_exec_t; init_script_file(exim_initrc_exec_t) --type exim_keytab_t; --files_type(exim_keytab_t) -- - type exim_var_lib_t; - files_type(exim_var_lib_t) - -@@ -55,7 +52,7 @@ type exim_log_t; ++type exim_var_lib_t; ++files_type(exim_var_lib_t) ++ + type exim_log_t; logging_log_file(exim_log_t) type exim_spool_t; @@ -28589,17 +26390,31 @@ index 4086c51..5495c90 100644 type exim_tmp_t; files_tmp_file(exim_tmp_t) -@@ -78,8 +75,6 @@ allow exim_t self:fifo_file rw_fifo_file_perms; +@@ -57,6 +60,10 @@ files_tmp_file(exim_tmp_t) + type exim_var_run_t; + files_pid_file(exim_var_run_t) + ++ifdef(`distro_debian',` ++ init_daemon_run_dir(exim_var_run_t, "exim4") ++') ++ + ######################################## + # + # Local policy +@@ -68,6 +75,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms; allow exim_t self:unix_stream_socket { accept listen }; allow exim_t self:tcp_socket { accept listen }; --allow exim_t exim_keytab_t:file read_file_perms; -- - manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t) - ++manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t) ++ append_files_pattern(exim_t, exim_log_t, exim_log_t) -@@ -105,11 +100,10 @@ can_exec(exim_t, exim_exec_t) - kernel_read_crypto_sysctls(exim_t) + create_files_pattern(exim_t, exim_log_t, exim_log_t) + setattr_files_pattern(exim_t, exim_log_t, exim_log_t) +@@ -88,13 +97,13 @@ files_pid_filetrans(exim_t, exim_var_run_t, { dir file }) + + can_exec(exim_t, exim_exec_t) + ++kernel_read_crypto_sysctls(exim_t) kernel_read_kernel_sysctls(exim_t) kernel_read_network_state(exim_t) -kernel_dontaudit_read_system_state(exim_t) 
@@ -28611,7 +26426,15 @@ index 4086c51..5495c90 100644 corenet_all_recvfrom_netlabel(exim_t) corenet_tcp_sendrecv_generic_if(exim_t) corenet_udp_sendrecv_generic_if(exim_t) -@@ -151,10 +145,10 @@ fs_getattr_xattr_fs(exim_t) +@@ -123,6 +132,7 @@ corenet_tcp_connect_spamd_port(exim_t) + + dev_read_rand(exim_t) + dev_read_urand(exim_t) ++dev_read_sysfs(exim_t) + + domain_use_interactive_fds(exim_t) + +@@ -135,10 +145,10 @@ fs_getattr_xattr_fs(exim_t) fs_list_inotifyfs(exim_t) auth_use_nsswitch(exim_t) @@ -28623,7 +26446,7 @@ index 4086c51..5495c90 100644 miscfiles_read_generic_certs(exim_t) userdom_dontaudit_search_user_home_dirs(exim_t) -@@ -170,9 +164,9 @@ tunable_policy(`exim_can_connect_db',` +@@ -154,9 +164,9 @@ tunable_policy(`exim_can_connect_db',` corenet_sendrecv_mssql_client_packets(exim_t) corenet_tcp_connect_mssql_port(exim_t) corenet_tcp_sendrecv_mssql_port(exim_t) @@ -28636,7 +26459,7 @@ index 4086c51..5495c90 100644 ') tunable_policy(`exim_read_user_files',` -@@ -186,8 +180,8 @@ tunable_policy(`exim_manage_user_files',` +@@ -170,13 +180,14 @@ tunable_policy(`exim_manage_user_files',` ') optional_policy(` @@ -28647,12 +26470,17 @@ index 4086c51..5495c90 100644 ') optional_policy(` -@@ -205,13 +199,7 @@ optional_policy(` + cron_read_pipes(exim_t) + cron_rw_system_job_pipes(exim_t) ++ cron_use_system_job_fds(exim_t) + ') + + optional_policy(` +@@ -188,12 +199,7 @@ optional_policy(` ') optional_policy(` -- kerberos_read_keytab(exim_t) -- kerberos_use(exim_t) +- kerberos_keytab_template(exim, exim_t) -') - -optional_policy(` @@ -28662,7 +26490,7 @@ index 4086c51..5495c90 100644 ') optional_policy(` -@@ -236,6 +224,7 @@ optional_policy(` +@@ -218,6 +224,7 @@ optional_policy(` optional_policy(` procmail_domtrans(exim_t) @@ -28937,16 +26765,10 @@ index 50d0084..6565422 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index cf0e567..4acb314 100644 +index 0872e50..4acb314 100644 --- a/fail2ban.te 
+++ b/fail2ban.te -@@ -1,4 +1,4 @@ --policy_module(fail2ban, 1.5.0) -+policy_module(fail2ban, 1.4.9) - - ######################################## - # -@@ -37,13 +37,11 @@ role fail2ban_client_roles types fail2ban_client_t; +@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; # allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config }; @@ -28955,13 +26777,7 @@ index cf0e567..4acb314 100644 allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:unix_stream_socket { accept connectto listen }; allow fail2ban_t self:tcp_socket { accept listen }; - --read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t) -- - append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) - create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) - setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) -@@ -67,7 +65,6 @@ kernel_read_system_state(fail2ban_t) +@@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t) corecmd_exec_bin(fail2ban_t) corecmd_exec_shell(fail2ban_t) @@ -28969,7 +26785,7 @@ index cf0e567..4acb314 100644 corenet_all_recvfrom_netlabel(fail2ban_t) corenet_tcp_sendrecv_generic_if(fail2ban_t) corenet_tcp_sendrecv_generic_node(fail2ban_t) -@@ -82,7 +79,6 @@ domain_use_interactive_fds(fail2ban_t) +@@ -80,7 +79,6 @@ domain_use_interactive_fds(fail2ban_t) domain_dontaudit_read_all_domains_state(fail2ban_t) files_read_etc_runtime_files(fail2ban_t) @@ -28977,7 +26793,7 @@ index cf0e567..4acb314 100644 files_list_var(fail2ban_t) files_dontaudit_list_tmp(fail2ban_t) -@@ -92,24 +88,38 @@ fs_getattr_all_fs(fail2ban_t) +@@ -90,24 +88,38 @@ fs_getattr_all_fs(fail2ban_t) auth_use_nsswitch(fail2ban_t) logging_read_all_logs(fail2ban_t) @@ -29020,7 +26836,7 @@ index cf0e567..4acb314 100644 iptables_domtrans(fail2ban_t) ') -@@ -118,6 +128,10 @@ optional_policy(` +@@ -116,6 +128,10 @@ optional_policy(` ') optional_policy(` 
@@ -29031,7 +26847,7 @@ index cf0e567..4acb314 100644 shorewall_domtrans(fail2ban_t) ') -@@ -131,22 +145,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; +@@ -129,22 +145,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) @@ -29067,15 +26883,9 @@ index cf0e567..4acb314 100644 + apache_read_log(fail2ban_client_t) +') diff --git a/fcoe.te b/fcoe.te -index ce358fb..28dec44 100644 +index 79b9273..28dec44 100644 --- a/fcoe.te +++ b/fcoe.te -@@ -1,4 +1,4 @@ --policy_module(fcoe, 1.1.0) -+policy_module(fcoe, 1.0.1) - - ######################################## - # @@ -20,25 +20,31 @@ files_pid_file(fcoemon_var_run_t) # Local policy # @@ -29113,7 +26923,7 @@ index ce358fb..28dec44 100644 + networkmanager_dgram_send(fcoemon_t) +') diff --git a/fetchmail.fc b/fetchmail.fc -index 133b8ee..fef9bff 100644 +index 2486e2a..fef9bff 100644 --- a/fetchmail.fc +++ b/fetchmail.fc @@ -1,4 +1,5 @@ @@ -29126,7 +26936,7 @@ index 133b8ee..fef9bff 100644 /var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) --/var/run/fetchmail.* gen_context(system_u:object_r:fetchmail_var_run_t,s0) +-/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0) +/var/run/fetchmail.* gen_context(system_u:object_r:fetchmail_var_run_t,s0) diff --git a/fetchmail.if b/fetchmail.if index c3f7916..cab3954 100644 @@ -29153,15 +26963,9 @@ index c3f7916..cab3954 100644 admin_pattern($1, fetchmail_etc_t) diff --git a/fetchmail.te b/fetchmail.te -index 742559a..2e94f0e 100644 +index f0388cb..2e94f0e 100644 --- a/fetchmail.te +++ b/fetchmail.te -@@ -1,4 +1,4 @@ --policy_module(fetchmail, 1.13.2) -+policy_module(fetchmail, 1.12.2) - - ######################################## - # @@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t) # # Local policy 
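Review bot: In hunk @@ -29113,7 +26923,7 @@ the patch's fetchmail.fc line `/var/run/fetchmail.* gen_context(system_u:object_r:fetchmail_var_run_t,s0)` replaces upstream's `/var/run/fetchmail/.* -- ...`; with no file-type field and an unanchored `.*` it labels every object class under any path starting with /var/run/fetchmail, including unrelated names (a constructed example: /var/run/fetchmail-other). If the intent is the daemon's directory and pid file, `/var/run/fetchmail(/.*)?` plus an explicit pid-file entry would be tighter and still match the `{file dir}` filetrans added in the fetchmail.te hunk.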
@@ -29183,7 +26987,7 @@ index 742559a..2e94f0e 100644 manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) --files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { file dir }) +-files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir) +files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, {file dir}) + +list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) @@ -29229,15 +27033,9 @@ index 742559a..2e94f0e 100644 optional_policy(` procmail_domtrans(fetchmail_t) diff --git a/finger.te b/finger.te -index 35da09d..92245bf 100644 +index af4b6d7..92245bf 100644 --- a/finger.te +++ b/finger.te -@@ -1,4 +1,4 @@ --policy_module(finger, 1.10.0) -+policy_module(finger, 1.9.1) - - ######################################## - # @@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file) kernel_read_kernel_sysctls(fingerd_t) kernel_read_system_state(fingerd_t) @@ -29282,31 +27080,32 @@ index 21d7b84..0e272bd 100644 /etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0) diff --git a/firewalld.if b/firewalld.if -index c62c567..1893f7f 100644 +index 5cf6ac6..1893f7f 100644 --- a/firewalld.if +++ b/firewalld.if -@@ -2,7 +2,7 @@ +@@ -2,6 +2,66 @@ ######################################## ## --## Read firewalld configuration files. +## Read firewalld config - ## - ## - ## -@@ -10,7 +10,7 @@ - ## - ## - # --interface(`firewalld_read_config_files',` ++##
++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`firewalld_read_config',` - gen_require(` - type firewalld_etc_rw_t; - ') -@@ -21,6 +21,47 @@ interface(`firewalld_read_config_files',` - - ######################################## - ## ++ gen_require(` ++ type firewalld_etc_rw_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t) ++') ++ ++######################################## ++## +## Execute firewalld server in the firewalld domain. +## +## @@ -29351,41 +27150,37 @@ index c62c567..1893f7f 100644 ## Send and receive messages from ## firewalld over dbus. ## -@@ -42,8 +83,8 @@ interface(`firewalld_dbus_chat',` +@@ -23,8 +83,27 @@ interface(`firewalld_dbus_chat',` ######################################## ## --## Do not audit attempts to read, snd --## write firewalld temporary files. +-## All of the rules required to +-## administrate an firewalld environment. +## Dontaudit attempts to write +## firewalld tmp files. - ## - ## - ## -@@ -51,18 +92,18 @@ interface(`firewalld_dbus_chat',` - ## - ## - # --interface(`firewalld_dontaudit_rw_tmp_files',` ++##
++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`firewalld_dontaudit_write_tmp_files',` - gen_require(` - type firewalld_tmp_t; - ') - -- dontaudit $1 firewalld_tmp_t:file { read write }; ++ gen_require(` ++ type firewalld_tmp_t; ++ ') ++ + dontaudit $1 firewalld_tmp_t:file write; - ') - - ######################################## - ## --## All of the rules required to --## administrate an firewalld environment. ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an firewalld environment ## ## ## -@@ -79,14 +120,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',` +@@ -41,14 +120,18 @@ interface(`firewalld_dbus_chat',` interface(`firewalld_admin',` gen_require(` type firewalld_t, firewalld_initrc_exec_t; @@ -29407,7 +27202,7 @@ index c62c567..1893f7f 100644 domain_system_change_exemption($1) role_transition $2 firewalld_initrc_exec_t system_r; allow $2 system_r; -@@ -97,6 +142,9 @@ interface(`firewalld_admin',` +@@ -59,6 +142,9 @@ interface(`firewalld_admin',` logging_search_logs($1) admin_pattern($1, firewalld_var_log_t) @@ -29420,42 +27215,32 @@ index c62c567..1893f7f 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..bacc80c 100644 +index c8014f8..bacc80c 100644 --- a/firewalld.te 
+++ b/firewalld.te -@@ -1,4 +1,4 @@ --policy_module(firewalld, 1.1.1) -+policy_module(firewalld, 1.0.6) +@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t) + type firewalld_var_run_t; + files_pid_file(firewalld_var_run_t) - ######################################## - # -@@ -18,17 +18,22 @@ files_config_file(firewalld_etc_rw_t) - type firewalld_var_log_t; - logging_log_file(firewalld_var_log_t) - -+type firewalld_var_run_t; -+files_pid_file(firewalld_var_run_t) -+ +type firewalld_unit_file_t; +systemd_unit_file(firewalld_unit_file_t) + - type firewalld_tmp_t; - files_tmp_file(firewalld_tmp_t) - --type firewalld_var_run_t; --files_pid_file(firewalld_var_run_t) ++type firewalld_tmp_t; ++files_tmp_file(firewalld_tmp_t) ++ +type firewalld_tmpfs_t; +files_tmpfs_file(firewalld_tmpfs_t) - ++ ######################################## # # Local policy # - - allow firewalld_t self:capability { dac_override net_admin }; ++allow firewalld_t self:capability { dac_override net_admin }; dontaudit firewalld_t self:capability sys_tty_config; allow firewalld_t self:fifo_file rw_fifo_file_perms; -@@ -37,6 +42,7 @@ allow firewalld_t self:udp_socket create_socket_perms; + allow firewalld_t self:unix_stream_socket { accept listen }; +@@ -33,6 +42,7 @@ allow firewalld_t self:udp_socket create_socket_perms; manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) 
@@ -29463,28 +27248,29 @@ index 98072a3..bacc80c 100644 allow firewalld_t firewalld_var_log_t:file append_file_perms; allow firewalld_t firewalld_var_log_t:file create_file_perms; -@@ -46,10 +52,15 @@ logging_log_filetrans(firewalld_t, firewalld_var_log_t, file) +@@ -40,11 +50,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms; + allow firewalld_t firewalld_var_log_t:file setattr_file_perms; + logging_log_filetrans(firewalld_t, firewalld_var_log_t, file) - manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t) - files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file) --allow firewalld_t firewalld_tmp_t:file mmap_file_perms; ++manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t) ++files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file) +allow firewalld_t firewalld_tmp_t:file execute; + +manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t) +fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file) +allow firewalld_t firewalld_tmpfs_t:file execute; - ++ manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t) files_pid_filetrans(firewalld_t, firewalld_var_run_t, file) +can_exec(firewalld_t, firewalld_var_run_t) kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -59,24 +70,20 @@ corecmd_exec_bin(firewalld_t) - corecmd_exec_shell(firewalld_t) ++kernel_rw_net_sysctls(firewalld_t) - dev_read_urand(firewalld_t) --dev_search_sysfs(firewalld_t) + corecmd_exec_bin(firewalld_t) + corecmd_exec_shell(firewalld_t) +@@ -53,20 +73,17 @@ dev_read_urand(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -29510,7 +27296,7 @@ index 98072a3..bacc80c 100644 optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -95,6 +102,10 @@ optional_policy(` +@@ -85,9 +102,17 @@ optional_policy(` ') optional_policy(` 
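Review bot: The new side of hunk @@ -29463,28 +27248,29 @@ lets firewalld_t both create/write and execute files of the same type — `manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)` next to `allow firewalld_t firewalld_tmp_t:file execute;`, the same pair for firewalld_tmpfs_t, and `can_exec(firewalld_t, firewalld_var_run_t)` alongside `manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)`. The execute rules are carried over from the previous revision rather than introduced here, but the rebase keeps them, so a compromised firewalld_t may run whatever it has written to tmp, tmpfs or /var/run, which is the exposure the domain confinement is meant to remove. If the daemon genuinely needs to run generated helpers, a dedicated exec type created via a named file transition, with a comment in the .te naming the helper that needs it, would be tighter.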
@@ -29521,20 +27307,13 @@ index 98072a3..bacc80c 100644 iptables_domtrans(firewalld_t) ') -@@ -103,5 +114,5 @@ optional_policy(` - ') - optional_policy(` -- networkmanager_read_state(firewalld_t) -+ NetworkManager_read_state(firewalld_t) + modutils_domtrans_insmod(firewalld_t) ') -diff --git a/firewallgui.fc b/firewallgui.fc -index 94ab048..ef1f43d 100644 ---- a/firewallgui.fc -+++ b/firewallgui.fc -@@ -1 +1 @@ --/usr/share/system-config-firewall/system-config-firewall-mechanism\.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0) -+/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0) ++ ++optional_policy(` ++ NetworkManager_read_state(firewalld_t) ++') diff --git a/firewallgui.if b/firewallgui.if index e6866d1..941f4ef 100644 --- a/firewallgui.if @@ -29547,15 +27326,9 @@ index e6866d1..941f4ef 100644 + dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms; ') diff --git a/firewallgui.te b/firewallgui.te -index 2094546..86b8098 100644 +index c5ceab1..86b8098 100644 --- a/firewallgui.te +++ b/firewallgui.te -@@ -1,4 +1,4 @@ --policy_module(firewallgui, 1.1.0) -+policy_module(firewallgui, 1.0.1) - - ######################################## - # @@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t) dev_read_sysfs(firewallgui_t) dev_read_urand(firewallgui_t) @@ -29723,11 +27496,11 @@ index 280f875..f3a67c9 100644 ## ## diff --git a/firstboot.te b/firstboot.te -index 5010f04..a415012 100644 +index c12c067..a415012 100644 --- a/firstboot.te +++ b/firstboot.te @@ -1,7 +1,7 @@ --policy_module(firstboot, 1.13.0) +-policy_module(firstboot, 1.12.3) +policy_module(firstboot, 1.12.0) gen_require(` @@ -29860,15 +27633,9 @@ index 5010f04..a415012 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index 92a6479..2cbb61f 100644 +index c81b6e8..2cbb61f 100644 --- a/fprintd.te 
+++ b/fprintd.te -@@ -1,4 +1,4 @@ --policy_module(fprintd, 1.2.0) -+policy_module(fprintd, 1.1.1) - - ######################################## - # @@ -20,23 +20,28 @@ files_type(fprintd_var_lib_t) allow fprintd_t self:capability sys_nice; allow fprintd_t self:process { getsched setsched signal sigkill }; @@ -30245,7 +28012,7 @@ index ddb75c1..44f74e6 100644 /etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) diff --git a/ftp.if b/ftp.if -index 4498143..97fb494 100644 +index d062080..97fb494 100644 --- a/ftp.if +++ b/ftp.if @@ -1,5 +1,66 @@ @@ -30315,11 +28082,8 @@ index 4498143..97fb494 100644 ####################################### ## ## Execute a dyntransition to run anon sftpd. -@@ -176,11 +237,13 @@ interface(`ftp_admin',` - type ftpd_etc_t, ftpd_lock_t, sftpd_t; - type ftpd_var_run_t, xferlog_t, anon_sftpd_t; +@@ -178,8 +239,11 @@ interface(`ftp_admin',` type ftpd_initrc_exec_t, ftpdctl_tmp_t; -- type ftpd_keytab_t; ') - allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms }; @@ -30331,16 +28095,7 @@ index 4498143..97fb494 100644 init_labeled_script_domtrans($1, ftpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -193,7 +256,7 @@ interface(`ftp_admin',` - admin_pattern($1, { ftpd_tmp_t ftpdctl_tmp_t }) - - files_list_etc($1) -- admin_pattern($1, { ftpd_etc_t ftpd_keytab_t }) -+ admin_pattern($1, ftpd_etc_t) - - files_list_var($1) - admin_pattern($1, ftpd_lock_t) -@@ -204,5 +267,9 @@ interface(`ftp_admin',` +@@ -203,5 +267,9 @@ interface(`ftp_admin',` logging_list_logs($1) admin_pattern($1, xferlog_t) @@ -30351,16 +28106,10 @@ index 4498143..97fb494 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index 36838c2..de8e914 100644 +index e50f33c..de8e914 100644 --- a/ftp.te 
+++ b/ftp.te -@@ -1,4 +1,4 @@ --policy_module(ftp, 1.15.1) -+policy_module(ftp, 1.14.1) - - ######################################## - # -@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1) +@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) ## be labeled public_content_rw_t. ##

## @@ -30403,23 +28152,17 @@ index 36838c2..de8e914 100644 ## ##

-@@ -124,8 +131,8 @@ files_config_file(ftpd_etc_t) +@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t) type ftpd_initrc_exec_t; init_script_file(ftpd_initrc_exec_t) --type ftpd_keytab_t; --files_type(ftpd_keytab_t) +type ftpd_unit_file_t; +systemd_unit_file(ftpd_unit_file_t) - ++ type ftpd_lock_t; files_lock_file(ftpd_lock_t) -@@ -179,11 +186,12 @@ allow ftpd_t self:key manage_key_perms; - - allow ftpd_t ftpd_etc_t:file read_file_perms; --allow ftpd_t ftpd_keytab_t:file read_file_perms; -- +@@ -179,6 +189,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms; allow ftpd_t ftpd_lock_t:file manage_file_perms; files_lock_filetrans(ftpd_t, ftpd_lock_t, file) @@ -30429,7 +28172,7 @@ index 36838c2..de8e914 100644 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -@@ -198,22 +206,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) +@@ -193,22 +206,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; @@ -30456,7 +28199,7 @@ index 36838c2..de8e914 100644 corenet_all_recvfrom_netlabel(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t) -@@ -229,9 +234,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) +@@ -224,9 +234,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) @@ -30470,7 +28213,7 @@ index 36838c2..de8e914 100644 files_read_etc_runtime_files(ftpd_t) files_search_var_lib(ftpd_t) -@@ -250,7 +258,6 @@ logging_send_audit_msgs(ftpd_t) +@@ -245,7 +258,6 @@ logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) logging_set_loginuid(ftpd_t) 
@@ -30478,7 +28221,7 @@ index 36838c2..de8e914 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -259,32 +266,50 @@ sysnet_use_ldap(ftpd_t) +@@ -254,32 +266,50 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) @@ -30536,7 +28279,7 @@ index 36838c2..de8e914 100644 ') tunable_policy(`ftpd_use_passive_mode',` -@@ -304,22 +329,19 @@ tunable_policy(`ftpd_connect_db',` +@@ -299,22 +329,19 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) @@ -30564,19 +28307,16 @@ index 36838c2..de8e914 100644 userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) ') -@@ -364,9 +386,8 @@ optional_policy(` - optional_policy(` +@@ -360,7 +387,7 @@ optional_policy(` selinux_validate_context(ftpd_t) -- kerberos_read_keytab(ftpd_t) + kerberos_keytab_template(ftpd, ftpd_t) - kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0") -- kerberos_use(ftpd_t) -+ kerberos_keytab_template(ftpd, ftpd_t) + kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0") ') optional_policy(` -@@ -416,21 +437,20 @@ optional_policy(` +@@ -410,21 +437,20 @@ optional_policy(` # stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -30600,7 +28340,7 @@ index 36838c2..de8e914 100644 miscfiles_read_public_files(anon_sftpd_t) -@@ -443,23 +463,34 @@ tunable_policy(`sftpd_anon_write',` +@@ -437,23 +463,34 @@ tunable_policy(`sftpd_anon_write',` # Sftpd local policy # @@ -30641,7 +28381,7 @@ index 36838c2..de8e914 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -481,21 +512,11 @@ tunable_policy(`sftpd_anon_write',` +@@ -475,21 +512,11 @@ tunable_policy(`sftpd_anon_write',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) 
@@ -30695,15 +28435,9 @@ index e2a3e0d..50ebd40 100644 + manage_files_pattern($1, games_data_t, games_data_t) +') diff --git a/games.te b/games.te -index e5b15fb..879c59a 100644 +index 572fb12..879c59a 100644 --- a/games.te +++ b/games.te -@@ -1,4 +1,4 @@ --policy_module(games, 2.3.0) -+policy_module(games, 2.2.4) - - ######################################## - # @@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t) logging_send_syslog_msg(games_srv_t) @@ -30748,15 +28482,9 @@ index e5b15fb..879c59a 100644 ') diff --git a/gatekeeper.te b/gatekeeper.te -index 2820368..10a1bbe 100644 +index fc3b036..10a1bbe 100644 --- a/gatekeeper.te +++ b/gatekeeper.te -@@ -1,4 +1,4 @@ --policy_module(gatekeeper, 1.8.0) -+policy_module(gatekeeper, 1.7.1) - - ######################################## - # @@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t) corecmd_list_bin(gatekeeper_t) @@ -30781,135 +28509,6 @@ index 2820368..10a1bbe 100644 sysnet_read_config(gatekeeper_t) userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t) -diff --git a/gdomap.fc b/gdomap.fc -deleted file mode 100644 -index 0735238..0000000 ---- a/gdomap.fc -+++ /dev/null -@@ -1,7 +0,0 @@ --/etc/default/gdomap -- gen_context(system_u:object_r:gdomap_conf_t,s0) -- --/etc/rc\.d/init\.d/gdomap -- gen_context(system_u:object_r:gdomap_initrc_exec_t,s0) -- --/usr/bin/gdomap -- gen_context(system_u:object_r:gdomap_exec_t,s0) -- --/var/run/gdomap\.pid -- gen_context(system_u:object_r:gdomap_var_run_t,s0) -diff --git a/gdomap.if b/gdomap.if -deleted file mode 100644 -index 7d6b6b7..0000000 ---- a/gdomap.if -+++ /dev/null -@@ -1,58 +0,0 @@ --##

GNUstep distributed object mapper. -- --######################################## --## --## Read gdomap configuration files. --## --## --## --## Domain allowed access. --## --## --# --interface(`gdomap_read_config',` -- gen_require(` -- type gdomap_conf_t; -- ') -- -- files_search_etc($1) -- allow $1 gdomap_conf_t:file read_file_perms; --') -- --######################################## --## --## All of the rules required to --## administrate an gdomap environment. --## --## --## --## Domain allowed access. --## --## --## --## --## Role allowed access. --## --## --## --# --interface(`gdomap_admin',` -- gen_require(` -- type gdomap_t, gdomap_conf_t, gdomap_initrc_exec_t; -- type gdomap_var_run_t; -- ') -- -- allow $1 gdomap_t:process { ptrace signal_perms }; -- ps_process_pattern($1, gdomap_t) -- -- init_labeled_script_domtrans($1, gdomap_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 gdomap_initrc_exec_t system_r; -- allow $2 system_r; -- -- files_search_etc($1) -- admin_pattern($1, gdomap_conf_t) -- -- files_search_pids($1) -- admin_pattern($1, gdomap_var_run_t) --') -diff --git a/gdomap.te b/gdomap.te -deleted file mode 100644 -index db7b56c..0000000 ---- a/gdomap.te -+++ /dev/null -@@ -1,46 +0,0 @@ --policy_module(gdomap, 1.0.1) -- --######################################## --# --# Declarations --# -- --type gdomap_t; --type gdomap_exec_t; --init_daemon_domain(gdomap_t, gdomap_exec_t) -- --type gdomap_initrc_exec_t; --init_script_file(gdomap_initrc_exec_t) -- --type gdomap_conf_t; --files_config_file(gdomap_conf_t) -- --type gdomap_var_run_t; --files_pid_file(gdomap_var_run_t) -- --######################################## --# --# Local policy --# -- --allow gdomap_t self:capability { setuid sys_chroot net_bind_service setgid }; --allow gdomap_t self:tcp_socket { listen accept }; -- --allow gdomap_t gdomap_var_run_t:file manage_file_perms; --files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid") -- 
--corenet_sendrecv_gdomap_server_packets(gdomap_t) --corenet_tcp_bind_generic_node(gdomap_t) --corenet_tcp_bind_gdomap_port(gdomap_t) --corenet_tcp_sendrecv_gdomap_port(gdomap_t) --corenet_udp_bind_generic_node(gdomap_t) --corenet_udp_bind_gdomap_port(gdomap_t) --corenet_udp_sendrecv_gdomap_port(gdomap_t) -- --domain_use_interactive_fds(gdomap_t) -- --files_search_tmp(gdomap_t) -- --auth_use_nsswitch(gdomap_t) -- --logging_send_syslog_msg(gdomap_t) diff --git a/gear.fc b/gear.fc new file mode 100644 index 0000000..98c012c @@ -31598,15 +29197,9 @@ index 0000000..e61eed9 + pcscd_stream_connect(geoclue_t) +') diff --git a/gift.te b/gift.te -index 8a820fa..af76abb 100644 +index 395238e..af76abb 100644 --- a/gift.te +++ b/gift.te -@@ -1,4 +1,4 @@ --policy_module(gift, 2.4.0) -+policy_module(gift, 2.3.4) - - ######################################## - # @@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t) userdom_dontaudit_read_user_home_content_files(gift_t) @@ -31698,15 +29291,9 @@ index 1e29af1..6c64f55 100644 + userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git") +') diff --git a/git.te b/git.te -index dc49c71..6acc1f0 100644 +index 93b0301..6acc1f0 100644 --- a/git.te +++ b/git.te -@@ -1,4 +1,4 @@ --policy_module(git, 1.3.2) -+policy_module(git, 1.2.3) - - ######################################## - # @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false) ## @@ -31722,13 +29309,7 @@ index dc49c71..6acc1f0 100644 ## Determine whether Git system daemon ## can search home directories. ##

-@@ -87,16 +79,15 @@ apache_content_template(git) - type git_system_t, git_daemon; - type gitd_exec_t; - inetd_service_domain(git_system_t, gitd_exec_t) --init_daemon_domain(git_system_t, gitd_exec_t) - - type git_session_t, git_daemon; +@@ -92,10 +84,10 @@ type git_session_t, git_daemon; userdom_user_application_domain(git_session_t, gitd_exec_t) role git_session_roles types git_session_t; @@ -31741,7 +29322,7 @@ index dc49c71..6acc1f0 100644 userdom_user_home_content(git_user_content_t) ######################################## -@@ -110,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) +@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) userdom_search_user_home_dirs(git_session_t) @@ -31750,7 +29331,7 @@ index dc49c71..6acc1f0 100644 corenet_all_recvfrom_netlabel(git_session_t) corenet_all_recvfrom_unlabeled(git_session_t) corenet_tcp_bind_generic_node(git_session_t) -@@ -130,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` +@@ -129,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` corenet_tcp_sendrecv_all_ports(git_session_t) ') 
@@ -31761,25 +29342,19 @@ index dc49c71..6acc1f0 100644 tunable_policy(`use_nfs_home_dirs',` fs_getattr_nfs(git_session_t) -@@ -158,15 +149,10 @@ tunable_policy(`use_samba_home_dirs',` +@@ -157,6 +149,11 @@ tunable_policy(`use_samba_home_dirs',` list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) --corenet_all_recvfrom_unlabeled(git_system_t) --corenet_all_recvfrom_netlabel(git_system_t) --corenet_tcp_sendrecv_generic_if(git_system_t) --corenet_tcp_sendrecv_generic_node(git_system_t) --corenet_tcp_bind_generic_node(git_system_t) +kernel_read_network_state(git_system_t) +kernel_read_system_state(git_system_t) - --corenet_sendrecv_git_server_packets(git_system_t) - corenet_tcp_bind_git_port(git_system_t) --corenet_tcp_sendrecv_git_port(git_system_t) - ++ ++corenet_tcp_bind_git_port(git_system_t) ++ files_search_var_lib(git_system_t) -@@ -176,6 +162,10 @@ logging_send_syslog_msg(git_system_t) + auth_use_nsswitch(git_system_t) +@@ -165,6 +162,10 @@ logging_send_syslog_msg(git_system_t) tunable_policy(`git_system_enable_homedirs',` userdom_search_user_home_dirs(git_system_t) @@ -31790,7 +29365,7 @@ index dc49c71..6acc1f0 100644 ') tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` -@@ -259,6 +249,11 @@ tunable_policy(`git_cgi_use_nfs',` +@@ -248,6 +249,11 @@ tunable_policy(`git_cgi_use_nfs',` fs_dontaudit_read_nfs_files(httpd_git_script_t) ') @@ -31802,7 +29377,7 @@ index dc49c71..6acc1f0 100644 ######################################## # # Git global policy -@@ -266,12 +261,9 @@ tunable_policy(`git_cgi_use_nfs',` +@@ -255,12 +261,9 @@ tunable_policy(`git_cgi_use_nfs',` allow git_daemon self:fifo_file rw_fifo_file_perms; @@ -31817,15 +29392,9 @@ index dc49c71..6acc1f0 100644 -miscfiles_read_localization(git_daemon) diff --git a/gitosis.te b/gitosis.te -index 582db0a..d3acb1a 100644 +index 3194b76..d3acb1a 100644 --- a/gitosis.te 
+++ b/gitosis.te -@@ -1,4 +1,4 @@ --policy_module(gitosis, 1.4.0) -+policy_module(gitosis, 1.3.2) - - ######################################## - # @@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t) dev_read_urand(gitosis_t) @@ -31906,15 +29475,10 @@ index 9eacb2c..2769682 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index 5cd0909..2d17fe6 100644 +index e0a4f46..2d17fe6 100644 --- a/glance.te +++ b/glance.te -@@ -1,14 +1,20 @@ --policy_module(glance, 1.1.0) -+policy_module(glance, 1.0.2) - - ######################################## - # +@@ -5,10 +5,16 @@ policy_module(glance, 1.0.2) # Declarations # @@ -32532,11 +30096,11 @@ index 05233c8..0000000 -') diff --git a/glusterfs.te b/glusterfs.te deleted file mode 100644 -index 4e95c7e..0000000 +index fd02acc..0000000 --- a/glusterfs.te +++ /dev/null -@@ -1,105 +0,0 @@ --policy_module(glusterfs, 1.1.2) +@@ -1,102 +0,0 @@ +-policy_module(glusterfs, 1.0.1) - -######################################## -# @@ -32563,7 +30127,7 @@ index 4e95c7e..0000000 -files_pid_file(glusterd_var_run_t) - -type glusterd_var_lib_t; --files_type(glusterd_var_lib_t) +-files_type(glusterd_var_lib_t); - -######################################## -# @@ -32593,8 +30157,7 @@ index 4e95c7e..0000000 - -manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) -manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) --manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) --files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file }) +-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file }) - -manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) -manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) 
@@ -32630,8 +30193,6 @@ index 4e95c7e..0000000 -dev_read_sysfs(glusterd_t) -dev_read_urand(glusterd_t) - --domain_read_all_domains_state(glusterd_t) -- -domain_use_interactive_fds(glusterd_t) - -files_read_usr_files(glusterd_t) @@ -32716,10 +30277,10 @@ index e39de43..5edcb83 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index ab09d61..ba8cb38 100644 +index d03fd43..ba8cb38 100644 --- a/gnome.if +++ b/gnome.if -@@ -1,125 +1,157 @@ +@@ -1,123 +1,157 @@ -## GNU network object model environment. +## GNU network object model environment (GNOME) @@ -32908,15 +30469,15 @@ index ab09d61..ba8cb38 100644 + gnome_manage_generic_home_dirs($1_gkeyringd_t) + gnome_read_generic_data_home_files($1_gkeyringd_t) + gnome_read_generic_data_home_dirs($1_gkeyringd_t) - - optional_policy(` -- gnome_dbus_chat_gkeyringd($1, $3) ++ ++ optional_policy(` + telepathy_mission_control_read_state($1_gkeyringd_t) + telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t) - ') - ') - ') ++ ') ++ ') ++') +- gnome_dbus_chat_gkeyringd($1, $3) +####################################### +## +## Allow domain to run gkeyring in the $1_gkeyringd_t domain. @@ -32941,11 +30502,11 @@ index ab09d61..ba8cb38 100644 + gen_require(` + type $1_gkeyringd_t; + type gkeyringd_exec_t; -+ ') + ') + role $2 types $1_gkeyringd_t; + domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) -+') -+ + ') + ######################################## ## -## Execute gconf in the caller domain. @@ -32953,7 +30514,7 @@ index ab09d61..ba8cb38 100644 ## ## ## -@@ -127,18 +159,18 @@ template(`gnome_role_template',` +@@ -125,18 +159,18 @@ template(`gnome_role_template',` ## ## # 
@@ -32977,7 +30538,7 @@ index ab09d61..ba8cb38 100644 ## ## ## -@@ -146,119 +178,114 @@ interface(`gnome_exec_gconf',` +@@ -144,119 +178,114 @@ interface(`gnome_exec_gconf',` ## ## # @@ -33134,7 +30695,7 @@ index ab09d61..ba8cb38 100644 ##
## ## -@@ -266,15 +293,21 @@ interface(`gnome_create_generic_home_dirs',` +@@ -264,15 +293,21 @@ interface(`gnome_create_generic_home_dirs',` ## ## # @@ -33161,7 +30722,7 @@ index ab09d61..ba8cb38 100644 ##
## ## -@@ -282,57 +315,89 @@ interface(`gnome_setattr_config_dirs',` +@@ -280,57 +315,89 @@ interface(`gnome_setattr_config_dirs',` ## ## # @@ -33269,7 +30830,7 @@ index ab09d61..ba8cb38 100644 ##
## ## -@@ -340,15 +405,18 @@ interface(`gnome_read_generic_home_content',` +@@ -338,15 +405,18 @@ interface(`gnome_read_generic_home_content',` ## ## # @@ -33293,7 +30854,7 @@ index ab09d61..ba8cb38 100644 ##
## ## -@@ -356,22 +424,18 @@ interface(`gnome_manage_config',` +@@ -354,22 +424,18 @@ interface(`gnome_manage_config',` ## ## # @@ -33321,7 +30882,7 @@ index ab09d61..ba8cb38 100644 ##
## ## -@@ -379,53 +443,37 @@ interface(`gnome_manage_generic_home_content',` +@@ -377,53 +443,37 @@ interface(`gnome_manage_generic_home_content',` ## ## # @@ -33383,7 +30944,7 @@ index ab09d61..ba8cb38 100644 ##
## ## -@@ -433,17 +481,18 @@ interface(`gnome_home_filetrans',` +@@ -431,17 +481,18 @@ interface(`gnome_home_filetrans',` ## ## # @@ -33406,7 +30967,7 @@ index ab09d61..ba8cb38 100644 ##
## ## -@@ -451,23 +500,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` +@@ -449,23 +500,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` ## ## # @@ -33434,7 +30995,7 @@ index ab09d61..ba8cb38 100644 ##
## ## -@@ -475,22 +519,18 @@ interface(`gnome_read_generic_gconf_home_content',` +@@ -473,22 +519,18 @@ interface(`gnome_read_generic_gconf_home_content',` ## ## # @@ -33461,7 +31022,7 @@ index ab09d61..ba8cb38 100644 ##
## ## -@@ -498,79 +538,59 @@ interface(`gnome_manage_generic_gconf_home_content',` +@@ -496,79 +538,59 @@ interface(`gnome_manage_generic_gconf_home_content',` ## ## # @@ -33559,7 +31120,7 @@ index ab09d61..ba8cb38 100644 ## ## ## -@@ -579,12 +599,12 @@ interface(`gnome_home_filetrans_gnome_home',` +@@ -577,12 +599,12 @@ interface(`gnome_home_filetrans_gnome_home',` ## ## ## @@ -33574,7 +31135,7 @@ index ab09d61..ba8cb38 100644 ## ## ## -@@ -593,18 +613,18 @@ interface(`gnome_home_filetrans_gnome_home',` +@@ -591,18 +613,18 @@ interface(`gnome_home_filetrans_gnome_home',` ## ## # @@ -33599,7 +31160,7 @@ index ab09d61..ba8cb38 100644 ## ## ## -@@ -612,46 +632,80 @@ interface(`gnome_gconf_home_filetrans',` +@@ -610,46 +632,80 @@ interface(`gnome_gconf_home_filetrans',` ## ## # @@ -33697,7 +31258,7 @@ index ab09d61..ba8cb38 100644 ## ## ## -@@ -659,46 +713,64 @@ interface(`gnome_dbus_chat_gkeyringd',` +@@ -657,46 +713,64 @@ interface(`gnome_dbus_chat_gkeyringd',` ## ## # @@ -33779,7 +31340,7 @@ index ab09d61..ba8cb38 100644 ## ## ## -@@ -706,12 +778,985 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -704,12 +778,985 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # @@ -34771,11 +32332,11 @@ index ab09d61..ba8cb38 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 63893eb..ea1115c 100644 +index 20f726b..ea1115c 100644 --- a/gnome.te +++ b/gnome.te @@ -1,18 +1,36 @@ --policy_module(gnome, 2.3.0) +-policy_module(gnome, 2.2.5) +policy_module(gnome, 2.2.0) ############################## @@ -35091,22 +32652,21 @@ index 63893eb..ea1115c 100644 + +userdom_use_inherited_user_terminals(gnomedomain) diff --git a/gnomeclock.fc b/gnomeclock.fc -index f9ba8cd..e4c1b83 100644 +index b687443..e4c1b83 100644 --- a/gnomeclock.fc 
+++ b/gnomeclock.fc -@@ -1,7 +1,9 @@ +@@ -1,5 +1,9 @@ +/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + /usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) -/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) - --/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) ++ +/usr/libexec/kde3/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +/usr/libexec/kde4/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) --/usr/lib/gnome-settings-daemon/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +-/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) diff --git a/gnomeclock.if b/gnomeclock.if index 3f55702..25c7ab8 100644 --- a/gnomeclock.if @@ -35166,11 +32726,11 @@ index 3f55702..25c7ab8 100644 ## ## diff --git a/gnomeclock.te b/gnomeclock.te -index 7cd7435..c728009 100644 +index 6d79eb5..c728009 100644 --- a/gnomeclock.te +++ b/gnomeclock.te @@ -1,86 +1,99 @@ --policy_module(gnomeclock, 1.1.0) +-policy_module(gnomeclock, 1.0.5) +policy_module(gnomeclock, 1.0.0) ######################################## @@ -35615,11 +33175,11 @@ index 180f1b7..951b790 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 0e97e82..2153214 100644 +index 44cf341..2153214 100644 --- a/gpg.te +++ b/gpg.te @@ -1,47 +1,47 @@ --policy_module(gpg, 2.8.0) +-policy_module(gpg, 2.7.3) +policy_module(gpg, 2.6.0) ######################################## @@ -36139,15 +33699,9 @@ index 0e97e82..2153214 100644 + miscfiles_manage_public_files(gpg_web_t) ') diff --git a/gpm.te b/gpm.te -index 69734fd..68b2eb8 100644 +index 3226f52..68b2eb8 100644 --- a/gpm.te 
+++ b/gpm.te -@@ -1,4 +1,4 @@ --policy_module(gpm, 1.9.0) -+policy_module(gpm, 1.8.2) - - ######################################## - # @@ -13,7 +13,7 @@ type gpm_initrc_exec_t; init_script_file(gpm_initrc_exec_t) @@ -36179,15 +33733,9 @@ index 69734fd..68b2eb8 100644 optional_policy(` seutil_sigchld_newrole(gpm_t) diff --git a/gpsd.te b/gpsd.te -index fe3895e..3085534 100644 +index 25f09ae..3085534 100644 --- a/gpsd.te +++ b/gpsd.te -@@ -1,4 +1,4 @@ --policy_module(gpsd, 1.2.0) -+policy_module(gpsd, 1.1.1) - - ######################################## - # @@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t) # @@ -36511,15 +34059,9 @@ index 0000000..bbd5979 + kerberos_manage_host_rcache(gssproxy_t) +') diff --git a/guest.te b/guest.te -index 19cdbe1..93d2d83 100644 +index d928711..93d2d83 100644 --- a/guest.te +++ b/guest.te -@@ -1,4 +1,4 @@ --policy_module(guest, 1.3.0) -+policy_module(guest, 1.2.1) - - ######################################## - # @@ -20,4 +20,4 @@ optional_policy(` apache_role(guest_r, guest_t) ') @@ -36527,15 +34069,9 @@ index 19cdbe1..93d2d83 100644 -#gen_user(guest_u, user, guest_r, s0, s0) +gen_user(guest_u, user, guest_r, s0, s0) diff --git a/hadoop.te b/hadoop.te -index e151378..f44ad99 100644 +index e62bcb7..f44ad99 100644 --- a/hadoop.te +++ b/hadoop.te -@@ -1,4 +1,4 @@ --policy_module(hadoop, 1.3.0) -+policy_module(hadoop, 1.2.5) - - ######################################## - # @@ -155,7 +155,6 @@ dev_read_urand(hadoop_t) domain_use_interactive_fds(hadoop_t) 
@@ -36569,44 +34105,10 @@ index e151378..f44ad99 100644 fs_getattr_xattr_fs(zookeeper_server_t) -diff --git a/hal.fc b/hal.fc -index c9f4520..2899bad 100644 ---- a/hal.fc -+++ b/hal.fc -@@ -1,5 +1,5 @@ --/etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0) - /etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0) -+/etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0) - - /usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0) - -@@ -9,14 +9,14 @@ - /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) - /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) - /usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) -+/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0) - - /usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0) --/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0) - - /var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) - --/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) - /var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) -+/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) - - /var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) - diff --git a/hal.te b/hal.te -index bbccc79..85b6f3e 100644 +index 0801fe1..85b6f3e 100644 --- a/hal.te +++ b/hal.te -@@ -1,4 +1,4 @@ --policy_module(hal, 1.15.0) -+policy_module(hal, 1.14.5) - - ######################################## - # @@ -61,7 +61,6 @@ files_type(hald_var_lib_t) # Common local policy # @@ -36643,15 +34145,9 @@ index 1728071..77e71ea 100644 domain_system_change_exemption($1) role_transition $2 hddtemp_initrc_exec_t system_r; 
diff --git a/hddtemp.te b/hddtemp.te -index 9e11b98..588c964 100644 +index 18d76bb..588c964 100644 --- a/hddtemp.te +++ b/hddtemp.te -@@ -1,4 +1,4 @@ --policy_module(hddtemp, 1.2.0) -+policy_module(hddtemp, 1.1.1) - - ######################################## - # @@ -26,7 +26,6 @@ allow hddtemp_t self:tcp_socket { accept listen }; allow hddtemp_t hddtemp_etc_t:file read_file_perms; @@ -36676,15 +34172,9 @@ index 9e11b98..588c964 100644 -miscfiles_read_localization(hddtemp_t) diff --git a/howl.te b/howl.te -index b9e60ec..4e0f8ba 100644 +index e207823..4e0f8ba 100644 --- a/howl.te +++ b/howl.te -@@ -1,4 +1,4 @@ --policy_module(howl, 1.10.0) -+policy_module(howl, 1.9.1) - - ######################################## - # @@ -36,7 +36,6 @@ kernel_request_load_module(howl_t) kernel_list_proc(howl_t) kernel_read_proc_symlinks(howl_t) @@ -36703,14 +34193,13 @@ index b9e60ec..4e0f8ba 100644 userdom_dontaudit_search_user_home_dirs(howl_t) diff --git a/hypervkvp.fc b/hypervkvp.fc -index b46130e..e2ae3b2 100644 ---- a/hypervkvp.fc +new file mode 100644 +index 0000000..e2ae3b2 +--- /dev/null +++ b/hypervkvp.fc -@@ -1,3 +1,10 @@ --/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0) +@@ -0,0 +1,10 @@ +/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0) - --/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0) ++ +/usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0) + +/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) @@ -36720,11 +34209,11 @@ index b46130e..e2ae3b2 100644 + +/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0) diff --git a/hypervkvp.if b/hypervkvp.if -index 6517fad..b7ca833 100644 ---- a/hypervkvp.if +new file mode 100644 +index 0000000..b7ca833 +--- /dev/null 
+++ b/hypervkvp.if -@@ -1,32 +1,134 @@ --## HyperV key value pair (KVP). +@@ -0,0 +1,134 @@ + +## policy for hypervkvp + @@ -36785,20 +34274,17 @@ index 6517fad..b7ca833 100644 + allow $1 hypervkvp_var_lib_t:dir list_dir_perms; + read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +') - - ######################################## - ## --## All of the rules required to --## administrate an hypervkvp environment. ++ ++######################################## ++## +## Create, read, write, and delete +## hypervkvp lib files. - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`hypervkvp_manage_lib_files',` + gen_require(` @@ -36838,16 +34324,13 @@ index 6517fad..b7ca833 100644 +## an hypervkvp environment +## +## - ## --## Role allowed access. ++## +## Domain allowed access. - ## - ## --## - # - interface(`hypervkvp_admin',` - gen_require(` -- type hypervkvpd_t, hypervkvpd_initrc_exec_t; ++## ++## ++# ++interface(`hypervkvp_admin',` ++ gen_require(` + type hypervkvp_t; + type hypervkvp_unit_file_t; + ') @@ -36857,35 +34340,29 @@ index 6517fad..b7ca833 100644 + + tunable_policy(`deny_ptrace',`',` + allow $1 hypervkvp_t:process ptrace; - ') - -- allow $1 hypervkvpd_t:process { ptrace signal_perms }; -- ps_process_pattern($1, hypervkvpd_t) ++ ') ++ + hypervkvp_manage_lib_files($1) - -- init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 hypervkvpd_initrc_exec_t system_r; -- allow $2 system_r; ++ + hypervkvp_systemctl($1) + admin_pattern($1, hypervkvp_unit_file_t) + allow $1 hypervkvp_unit_file_t:service all_service_perms; - ') ++') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..97144bc 100644 ---- a/hypervkvp.te +new file mode 100644 +index 0000000..97144bc +--- /dev/null 
+++ b/hypervkvp.te -@@ -5,24 +5,75 @@ policy_module(hypervkvp, 1.0.0) - # Declarations - # - --type hypervkvpd_t; --type hypervkvpd_exec_t; --init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t) +@@ -0,0 +1,79 @@ ++policy_module(hypervkvp, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ +attribute hyperv_domain; - --type hypervkvpd_initrc_exec_t; --init_script_file(hypervkvpd_initrc_exec_t) ++ +type hypervkvp_t, hyperv_domain; +type hypervkvp_exec_t; +init_daemon_domain(hypervkvp_t, hypervkvp_exec_t) @@ -36905,10 +34382,9 @@ index 4eb7041..97144bc 100644 + +type hypervvssd_unit_file_t; +systemd_unit_file(hypervvssd_unit_file_t) - - ######################################## - # --# Local policy ++ ++######################################## ++# +# hyperv domain local policy +# + @@ -36924,12 +34400,10 @@ index 4eb7041..97144bc 100644 +dev_read_sysfs(hyperv_domain) + +######################################## - # ++# +# hypervkvp local policy - # - --allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; --allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; ++# ++ +manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) @@ -36944,8 +34418,7 @@ index 4eb7041..97144bc 100644 +logging_send_syslog_msg(hypervkvp_t) + +sysnet_dns_name_resolve(hypervkvp_t) - --logging_send_syslog_msg(hypervkvpd_t) ++ +userdom_dontaudit_search_admin_dir(hypervkvp_t) + +optional_policy(` @@ -36956,22 +34429,14 @@ index 4eb7041..97144bc 100644 +# +# hypervvssd local policy +# - --miscfiles_read_localization(hypervkvpd_t) ++ +allow hypervvssd_t self:capability sys_admin; - --sysnet_dns_name_resolve(hypervkvpd_t) ++ +logging_send_syslog_msg(hypervvssd_t) diff --git a/i18n_input.te b/i18n_input.te -index 369a056..a738d7f 100644 +index 3bed8fa..a738d7f 100644 --- a/i18n_input.te 
+++ b/i18n_input.te -@@ -1,4 +1,4 @@ --policy_module(i18n_input, 1.9.0) -+policy_module(i18n_input, 1.8.1) - - ######################################## - # @@ -45,7 +45,6 @@ can_exec(i18n_input_t, i18n_input_exec_t) kernel_read_kernel_sysctls(i18n_input_t) kernel_read_system_state(i18n_input_t) @@ -37030,15 +34495,9 @@ index 580b533..c267cea 100644 domain_system_change_exemption($1) role_transition $2 icecast_initrc_exec_t system_r; diff --git a/icecast.te b/icecast.te -index a9e573a..bd3a837 100644 +index ac6f9d5..bd3a837 100644 --- a/icecast.te +++ b/icecast.te -@@ -1,4 +1,4 @@ --policy_module(icecast, 1.2.0) -+policy_module(icecast, 1.1.1) - - ######################################## - # @@ -65,11 +65,9 @@ dev_read_sysfs(icecast_t) dev_read_urand(icecast_t) dev_read_rand(icecast_t) @@ -37066,15 +34525,9 @@ index 8999899..96909ae 100644 init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) diff --git a/ifplugd.te b/ifplugd.te -index b0546b4..c4a9fcb 100644 +index 6910e49..c4a9fcb 100644 --- a/ifplugd.te +++ b/ifplugd.te -@@ -1,4 +1,4 @@ --policy_module(ifplugd, 1.1.0) -+policy_module(ifplugd, 1.0.1) - - ######################################## - # @@ -10,7 +10,7 @@ type ifplugd_exec_t; init_daemon_domain(ifplugd_t, ifplugd_exec_t) @@ -37100,15 +34553,9 @@ index b0546b4..c4a9fcb 100644 sysnet_domtrans_ifconfig(ifplugd_t) diff --git a/imaze.te b/imaze.te -index 1eb24d8..08a489c 100644 +index 05387d1..08a489c 100644 --- a/imaze.te +++ b/imaze.te -@@ -1,4 +1,4 @@ --policy_module(imaze, 1.8.0) -+policy_module(imaze, 1.7.1) - - ######################################## - # @@ -45,7 +45,6 @@ kernel_list_proc(imazesrv_t) kernel_read_kernel_sysctls(imazesrv_t) kernel_read_proc_symlinks(imazesrv_t) 
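Review bot: `allow hypervvssd_t self:capability sys_admin;` in the new hypervvssd local policy section carries no comment, and CAP_SYS_ADMIN is the broadest capability a confined daemon can be granted, so a one-line why-comment would let the next reviewer check it against what the daemon actually does. Presumably it is for the filesystem freeze/thaw ioctls a VSS snapshot helper issues, which the kernel gates on CAP_SYS_ADMIN; something like `# filesystem freeze/thaw (FIFREEZE/FITHAW) requires CAP_SYS_ADMIN` above the rule would do. The declaration of hypervvssd_t itself is not in this hunk, so I cannot see whether it is also placed under the hyperv_domain attribute the way `type hypervkvp_t, hyperv_domain;` is.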
@@ -37126,21 +34573,6 @@ index 1eb24d8..08a489c 100644 userdom_use_unpriv_users_fds(imazesrv_t) userdom_dontaudit_search_user_home_dirs(imazesrv_t) -diff --git a/inetd.fc b/inetd.fc -index 0374509..2a5a686 100644 ---- a/inetd.fc -+++ b/inetd.fc -@@ -5,8 +5,9 @@ - /usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0) - /usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0) - -+/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0) - /usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) --/usr/sbin/(x)?inetd -- gen_context(system_u:object_r:inetd_exec_t,s0) -+/usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) - - /var/log/(x)?inetd\.log.* -- gen_context(system_u:object_r:inetd_log_t,s0) - diff --git a/inetd.if b/inetd.if index fbb54e7..05c3777 100644 --- a/inetd.if @@ -37159,15 +34591,9 @@ index fbb54e7..05c3777 100644 ######################################## diff --git a/inetd.te b/inetd.te -index c6450df..420305b 100644 +index 1a5ed62..420305b 100644 --- a/inetd.te +++ b/inetd.te -@@ -1,4 +1,4 @@ --policy_module(inetd, 1.13.0) -+policy_module(inetd, 1.12.2) - - ######################################## - # @@ -37,9 +37,9 @@ ifdef(`enable_mcs',` # Local policy # @@ -37317,15 +34743,9 @@ index eb87f23..d3d32c3 100644 init_labeled_script_domtrans($1, innd_initrc_exec_t) diff --git a/inn.te b/inn.te -index d39f0cc..5967395 100644 +index 5aab5d0..5967395 100644 --- a/inn.te +++ b/inn.te -@@ -1,4 +1,4 @@ --policy_module(inn, 1.11.0) -+policy_module(inn, 1.10.3) - - ######################################## - # @@ -26,6 +26,7 @@ files_pid_file(innd_var_run_t) type news_spool_t; @@ -37436,9 +34856,15 @@ index a0bfbd0..a3b02e6 100644 ## administrate an iodined environment ## diff --git a/iodine.te b/iodine.te -index d443fee..6cbbf7d 100644 +index 94ec5f8..6cbbf7d 100644 --- a/iodine.te 
+++ b/iodine.te +@@ -1,4 +1,4 @@ +-policy_module(iodine, 1.0.2) ++policy_module(iodine, 1.1.0) + + ######################################## + # @@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t) type iodined_initrc_exec_t; init_script_file(iodined_initrc_exec_t) @@ -37695,15 +35121,9 @@ index ac00fb0..36ef2e5 100644 + userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs") ') diff --git a/irc.te b/irc.te -index 2636503..abf0b2d 100644 +index ecad9c7..abf0b2d 100644 --- a/irc.te +++ b/irc.te -@@ -1,4 +1,4 @@ --policy_module(irc, 2.3.1) -+policy_module(irc, 2.2.3) - - ######################################## - # @@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t }; userdom_user_home_content(irc_home_t) @@ -37779,11 +35199,10 @@ index 2636503..abf0b2d 100644 fs_getattr_all_fs(irc_t) fs_search_auto_mountpoints(irc_t) -@@ -106,17 +122,18 @@ auth_use_nsswitch(irc_t) +@@ -106,15 +122,18 @@ auth_use_nsswitch(irc_t) init_read_utmp(irc_t) init_dontaudit_lock_utmp(irc_t) --miscfiles_read_generic_certs(irc_t) -miscfiles_read_localization(irc_t) userdom_use_user_terminals(irc_t) @@ -37797,12 +35216,11 @@ index 2636503..abf0b2d 100644 +userdom_use_inherited_user_terminals(irc_t) tunable_policy(`irc_use_any_tcp_ports',` -- allow irc_t self:tcp_socket { accept listen }; + allow irc_t self:tcp_socket create_stream_socket_perms; corenet_sendrecv_all_server_packets(irc_t) corenet_tcp_bind_all_unreserved_ports(irc_t) corenet_sendrecv_all_client_packets(irc_t) -@@ -124,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',` +@@ -122,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',` corenet_tcp_sendrecv_all_ports(irc_t) ') @@ -37898,15 +35316,9 @@ index ade9803..3620c9a 100644 files_search_var_lib($1) diff --git a/ircd.te b/ircd.te -index efaf4b1..40e440c 100644 +index e9f746e..40e440c 100644 --- a/ircd.te 
+++ b/ircd.te -@@ -1,4 +1,4 @@ --policy_module(ircd, 1.8.0) -+policy_module(ircd, 1.7.1) - - ######################################## - # @@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ircd_t) corecmd_exec_bin(ircd_t) @@ -37925,30 +35337,22 @@ index efaf4b1..40e440c 100644 userdom_dontaudit_search_user_home_dirs(ircd_t) diff --git a/irqbalance.te b/irqbalance.te -index e1f302d..947efe0 100644 +index c5a8112..947efe0 100644 --- a/irqbalance.te +++ b/irqbalance.te -@@ -1,4 +1,4 @@ --policy_module(irqbalance, 1.6.0) -+policy_module(irqbalance, 1.5.1) - - ######################################## - # -@@ -22,7 +22,13 @@ files_pid_file(irqbalance_var_run_t) +@@ -22,6 +22,12 @@ files_pid_file(irqbalance_var_run_t) allow irqbalance_t self:capability { setpcap net_admin }; dontaudit irqbalance_t self:capability sys_tty_config; --allow irqbalance_t self:process { getcap getsched setcap signal_perms }; + +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code + dontaudit irqbalance_t self:capability sys_module; +') + -+allow irqbalance_t self:process { getcap setcap signal_perms }; + allow irqbalance_t self:process { getcap setcap signal_perms }; allow irqbalance_t self:udp_socket create_socket_perms; - manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t) @@ -35,7 +41,6 @@ kernel_rw_irq_sysctls(irqbalance_t) dev_read_sysfs(irqbalance_t) @@ -38107,15 +35511,9 @@ index 1a35420..a7e1562 100644 logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index ca020fa..b25cfd0 100644 +index 57304e4..b25cfd0 100644 --- a/iscsi.te +++ b/iscsi.te -@@ -1,4 +1,4 @@ --policy_module(iscsi, 1.9.0) -+policy_module(iscsi, 1.8.2) - - ######################################## - # @@ -9,8 +9,8 @@ type iscsid_t; type iscsid_exec_t; init_daemon_domain(iscsid_t, iscsid_exec_t) @@ -38265,7 +35663,7 @@ index 59ad3b3..bd02cc8 100644 + +/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0) 
diff --git a/jabber.if b/jabber.if -index 7eb3811..01673a4 100644 +index 16b1666..01673a4 100644 --- a/jabber.if +++ b/jabber.if @@ -1,29 +1,76 @@ @@ -38459,7 +35857,7 @@ index 7eb3811..01673a4 100644 role_transition $2 jabberd_initrc_exec_t system_r; allow $2 system_r; -- files_search_locks($1) +- files_search_locks($1)) - admin_pattern($1, jabberd_lock_t) - - logging_search_logs($1) @@ -38476,11 +35874,11 @@ index 7eb3811..01673a4 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/jabber.te b/jabber.te -index af67c36..62d511b 100644 +index bb12c90..62d511b 100644 --- a/jabber.te +++ b/jabber.te @@ -1,4 +1,4 @@ --policy_module(jabber, 1.10.0) +-policy_module(jabber, 1.9.1) +policy_module(jabber, 1.8.0) ######################################## @@ -38696,16 +36094,10 @@ index af67c36..62d511b 100644 -auth_use_nsswitch(jabberd_router_t) +sysnet_read_config(jabberd_domain) diff --git a/java.te b/java.te -index a7ae153..5459aa3 100644 +index b3fcfbb..5459aa3 100644 --- a/java.te +++ b/java.te -@@ -1,4 +1,4 @@ --policy_module(java, 2.7.0) -+policy_module(java, 2.6.3) - - ######################################## - # -@@ -11,7 +11,7 @@ policy_module(java, 2.7.0) +@@ -11,7 +11,7 @@ policy_module(java, 2.6.3) ## its stack executable. ##

##
@@ -39748,11 +37140,11 @@ index 3a00b3a..21efcc4 100644 + allow $1 kdump_unit_file_t:service all_service_perms; ') diff --git a/kdump.te b/kdump.te -index 715fc21..58bd992 100644 +index 70f3007..58bd992 100644 --- a/kdump.te +++ b/kdump.te @@ -1,4 +1,4 @@ --policy_module(kdump, 1.3.0) +-policy_module(kdump, 1.2.3) +policy_module(kdump, 1.2.0) ####################################### @@ -39956,11 +37348,11 @@ index 182ab8b..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index 2990962..12ff296 100644 +index e7f5c81..12ff296 100644 --- a/kdumpgui.te +++ b/kdumpgui.te @@ -1,83 +1,92 @@ --policy_module(kdumpgui, 1.2.0) +-policy_module(kdumpgui, 1.1.4) +policy_module(kdumpgui, 1.1.0) ######################################## @@ -40348,7 +37740,7 @@ index 4fe75fd..b029c28 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/kerberos.if b/kerberos.if -index f6c00d8..b573f79 100644 +index f9de9fc..b573f79 100644 --- a/kerberos.if +++ b/kerberos.if @@ -1,27 +1,29 @@ 
@@ -40529,62 +37921,98 @@ index f6c00d8..b573f79 100644 ## ## ## -@@ -182,27 +178,27 @@ interface(`kerberos_rw_config',` +@@ -182,75 +178,7 @@ interface(`kerberos_rw_config',` ######################################## ## -## Create, read, write, and delete -## kerberos home files. -+## Read the kerberos key table. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## - # +-## +-## +-## +-## Domain allowed access. +-## +-## +-# -interface(`kerberos_manage_krb5_home_files',` -+interface(`kerberos_read_keytab',` - gen_require(` +- gen_require(` - type krb5_home_t; -+ type krb5_keytab_t; - ') - +- ') +- - userdom_search_user_home_dirs($1) - allow $1 krb5_home_t:file manage_file_perms; -+ files_search_etc($1) -+ allow $1 krb5_keytab_t:file read_file_perms; - ') +-') +- +-######################################## +-## +-## Relabel kerberos home files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`kerberos_relabel_krb5_home_files',` +- gen_require(` +- type krb5_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 krb5_home_t:file relabel_file_perms; +-') +- +-######################################## +-## +-## Create objects in user home +-## directories with the krb5 home type. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## +-# +-interface(`kerberos_home_filetrans_krb5_home',` +- gen_require(` +- type krb5_home_t; +- ') +- +- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3) +-') +- +-######################################## +-## +-## Read kerberos key table files. ++## Read the kerberos key table. + ## + ## + ## +@@ -270,7 +198,7 @@ interface(`kerberos_read_keytab',` ######################################## ## --## Relabel kerberos home files. +-## Read and write kerberos key table files. +## Read/Write the kerberos key table. 
## ## ## -@@ -210,322 +206,329 @@ interface(`kerberos_manage_krb5_home_files',` - ## - ## - # --interface(`kerberos_relabel_krb5_home_files',` -+interface(`kerberos_rw_keytab',` - gen_require(` -- type krb5_home_t; -+ type krb5_keytab_t; - ') - -- userdom_search_user_home_dirs($1) -- allow $1 krb5_home_t:file relabel_file_perms; -+ files_search_etc($1) -+ allow $1 krb5_keytab_t:file rw_file_perms; - ') +@@ -289,40 +217,13 @@ interface(`kerberos_rw_keytab',` ######################################## ## --## Create objects in user home --## directories with the krb5 home type. +-## Create, read, write, and delete +-## kerberos key table files. +## Create keytab file in /etc ## ## @@ -40592,6 +38020,27 @@ index f6c00d8..b573f79 100644 ## Domain allowed access. ## ## +-# +-interface(`kerberos_manage_keytab_files',` +- gen_require(` +- type krb5_keytab_t; +- ') +- +- files_search_etc($1) +- allow $1 krb5_keytab_t:file manage_file_perms; +-') +- +-######################################## +-## +-## Create specified objects in generic +-## etc directories with the kerberos +-## keytab file type. +-## +-## +-## +-## Domain allowed access. +-## +-## -## -## -## Class of the object being created. 
@@ -40600,193 +38049,139 @@ index f6c00d8..b573f79 100644 ## ## ## The name of the object being created. - ## - ## - # --interface(`kerberos_home_filetrans_krb5_home',` -+interface(`kerberos_etc_filetrans_keytab',` - gen_require(` -- type krb5_home_t; -+ type krb5_keytab_t; +@@ -334,13 +235,13 @@ interface(`kerberos_etc_filetrans_keytab',` + type krb5_keytab_t; ') -- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3) +- files_etc_filetrans($1, krb5_keytab_t, $2, $3) + allow $1 krb5_keytab_t:file manage_file_perms; + files_etc_filetrans($1, krb5_keytab_t, file, $2) ') ######################################## ## --## Read kerberos key table files. +-## Create a derived type for kerberos +-## keytab files. +## Create a derived type for kerberos keytab ## -+## -+## -+## The prefix to be used for deriving type names. -+## -+## - ## + ## ## - ## Domain allowed access. - ## +@@ -354,21 +255,21 @@ interface(`kerberos_etc_filetrans_keytab',` ## --## # --interface(`kerberos_read_keytab',` -- gen_require(` -- type krb5_keytab_t; -- ') -+template(`kerberos_keytab_template',` + template(`kerberos_keytab_template',` + gen_require(` + attribute kerberos_keytab_domain; + ') -- files_search_etc($1) -- allow $1 krb5_keytab_t:file read_file_perms; +- ######################################## +- # +- # Declarations +- # + typeattribute $2 kerberos_keytab_domain; -+ -+ type $1_keytab_t; -+ files_type($1_keytab_t) -+ + + type $1_keytab_t; + files_type($1_keytab_t) + +- ######################################## +- # +- # Policy +- # + allow $2 self:process setfscreate; + allow $2 $1_keytab_t:file read_file_perms; -+ + +- allow $2 $1_keytab_t:file read_file_perms; + seutil_read_file_contexts($2) + seutil_read_config($2) + selinux_get_enforce_mode($2) -+ -+ kerberos_read_keytab($2) -+ kerberos_use($2) - ') + + kerberos_read_keytab($2) + kerberos_use($2) +@@ -376,7 +277,26 @@ template(`kerberos_keytab_template',` ######################################## ## --## Read and write kerberos 
key table files. +-## Read kerberos kdc configuration files. +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`kerberos_rw_keytab',` -- gen_require(` -- type krb5_keytab_t; -- ') ++# +interface(`kerberos_keytab_domains',` + gen_require(` + attribute kerberos_keytab_domain; + ') - -- files_search_etc($1) -- allow $1 krb5_keytab_t:file rw_file_perms; ++ + typeattribute $1 kerberos_keytab_domain; - ') - - ######################################## - ## --## Create, read, write, and delete --## kerberos key table files. ++') ++ ++######################################## ++## +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). ## ## ## - ## Domain allowed access. - ## - ## -+## - # --interface(`kerberos_manage_keytab_files',` -+interface(`kerberos_read_kdc_config',` - gen_require(` -- type krb5_keytab_t; -+ type krb5kdc_conf_t; - ') - - files_search_etc($1) -- allow $1 krb5_keytab_t:file manage_file_perms; -+ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) - ') +@@ -396,8 +316,7 @@ interface(`kerberos_read_kdc_config',` ######################################## ## --## Create specified objects in generic --## etc directories with the kerberos --## keytab file type. +-## Create, read, write, and delete +-## kerberos host rcache files. +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). ## ## ## - ## Domain allowed access. - ## - ## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. 
--## --## -+## - # --interface(`kerberos_etc_filetrans_keytab',` -+interface(`kerberos_manage_host_rcache',` - gen_require(` -- type krb5_keytab_t; -+ type krb5_host_rcache_t; +@@ -411,34 +330,99 @@ interface(`kerberos_manage_host_rcache',` + type krb5_host_rcache_t; ') -- files_etc_filetrans($1, krb5_keytab_t, $2, $3) + # creates files as system_u no matter what the selinux user + # cjp: should be in the below tunable but typeattribute + # does not work in conditionals -+ domain_obj_id_change_exemption($1) -+ + domain_obj_id_change_exemption($1) + +- tunable_policy(`allow_kerberos',` + tunable_policy(`kerberos_enabled',` -+ allow $1 self:process setfscreate; -+ -+ selinux_validate_context($1) -+ -+ seutil_read_file_contexts($1) -+ + allow $1 self:process setfscreate; + + selinux_validate_context($1) + + seutil_read_file_contexts($1) + + files_rw_generic_tmp_dir($1) + manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) -+ files_search_tmp($1) -+ ') + files_search_tmp($1) +- allow $1 krb5_host_rcache_t:file manage_file_perms; + ') ') ######################################## ## --## Create a derived type for kerberos --## keytab files. +-## Create objects in generic temporary +-## directories with the kerberos host +-## rcache type. +## All of the rules required to administrate +## an kerberos environment ## --## -+## + ## ## --## The prefix to be used for deriving type names. +-## Domain allowed to transition. +## Domain allowed access. ## ## --## +-## +## ## --## Domain allowed access. +-## Class of the object being created. +## The role to be allowed to manage the kerberos domain. - ## - ## ++## ++## +## - # --template(`kerberos_keytab_template',` -- refpolicywarn(`$0($*) has been deprecated.') -- kerberos_read_keytab($2) -- kerberos_use($2) ++# +interface(`kerberos_admin',` + gen_require(` + type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; 
@@ -40835,120 +38230,36 @@ index f6c00d8..b573f79 100644 + admin_pattern($1, krb5kdc_tmp_t) + + admin_pattern($1, krb5kdc_var_run_t) - ') - - ######################################## - ## --## Read kerberos kdc configuration files. ++') ++ ++######################################## ++## +## Type transition files created in /tmp +## to the krb5_host_rcache type. - ## - ## - ## - ## Domain allowed access. - ## - ## --## -+## ++## ++## +## -+## The name of the object being created. -+## -+## - # --interface(`kerberos_read_kdc_config',` -+interface(`kerberos_tmp_filetrans_host_rcache',` - gen_require(` -- type krb5kdc_conf_t; -+ type krb5_host_rcache_t; - ') - -- files_search_etc($1) -- read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) -+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) -+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2) - ') - - ######################################## - ## --## Create, read, write, and delete --## kerberos host rcache files. -+## read kerberos homedir content (.k5login) - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`kerberos_manage_host_rcache',` -+interface(`kerberos_read_home_content',` - gen_require(` -- type krb5_host_rcache_t; -+ type krb5_home_t; - ') - -- domain_obj_id_change_exemption($1) -- -- tunable_policy(`allow_kerberos',` -- allow $1 self:process setfscreate; -- -- selinux_validate_context($1) -- -- seutil_read_file_contexts($1) -- -- files_search_tmp($1) -- allow $1 krb5_host_rcache_t:file manage_file_perms; -- ') -+ userdom_search_user_home_dirs($1) -+ read_files_pattern($1, krb5_home_t, krb5_home_t) - ') - - ######################################## - ## --## Create objects in generic temporary --## directories with the kerberos host --## rcache type. -+## create kerberos content in the in the /root directory -+## with an correct label. - ## - ## - ## --## Domain allowed to transition. --## --## --## --## --## Class of the object being created. 
--## --## --## --## --## The name of the object being created. +## Domain allowed access. ## ## - # --interface(`kerberos_tmp_filetrans_host_rcache',` -+interface(`kerberos_filetrans_admin_home_content',` - gen_require(` -- type krb5_host_rcache_t; -+ type krb5_home_t; + ## +@@ -452,12 +436,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',` + type krb5_host_rcache_t; ') - files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3) -+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login") ++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) ++ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2) ') ######################################## ## -## Connect to krb524 service. -+## Transition to kerberos named content ++## read kerberos homedir content (.k5login) ## ## ## --## Domain allowed access. -+## Domain allowed access. +@@ -465,82 +450,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',` ## ## # 
@@ -40963,27 +38274,43 @@ index f6c00d8..b573f79 100644 - - corenet_sendrecv_kerberos_master_client_packets($1) - corenet_udp_sendrecv_kerberos_master_port($1) -+interface(`kerberos_filetrans_home_content',` ++interface(`kerberos_read_home_content',` + gen_require(` + type krb5_home_t; ') + -+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login") ++ userdom_search_user_home_dirs($1) ++ read_files_pattern($1, krb5_home_t, krb5_home_t) ') ######################################## ## -## All of the rules required to -## administrate an kerberos environment. -+## Transition to kerberos named content ++## create kerberos content in the in the /root directory ++## with an correct label. ## ## ## --## Domain allowed access. --## --## + ## Domain allowed access. + ## + ## -## --## ++# ++interface(`kerberos_filetrans_admin_home_content',` ++ gen_require(` ++ type krb5_home_t; ++ ') ++ ++ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login") ++') ++ ++######################################## ++## ++## Transition to kerberos named content ++## ++## + ## -## Role allowed access. +## Domain allowed access. ## @@ -40991,14 +38318,14 @@ index f6c00d8..b573f79 100644 -## # -interface(`kerberos_admin',` -+interface(`kerberos_filetrans_named_content',` ++interface(`kerberos_filetrans_home_content',` gen_require(` - type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; - type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; - type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; +- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; - type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; - type krb5kdc_var_run_t, krb5_host_rcache_t; -+ type krb5kdc_principal_t; ++ type krb5_home_t; ') - allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms }; 
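Review bot: The new doc block for `kerberos_filetrans_admin_home_content` reads `## create kerberos content in the in the /root directory` / `## with an correct label.`; suggest `## Create kerberos content (.k5login) in the /root directory` / `## with the correct label.` The summary `## Transition to kerberos named content` added above `kerberos_filetrans_home_content` is the same text used for `kerberos_filetrans_named_content` in the next hunk, although this interface only does a `.k5login` transition in user home directories; `## Create .k5login in user home directories with the krb5 home type.` would tell the two apart. The body of `kerberos_filetrans_home_content` continues into the next hunk.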
@@ -41026,10 +38353,27 @@ index f6c00d8..b573f79 100644 - - files_list_pids($1) - admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t }) -- ++ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login") ++') + - files_list_etc($1) - admin_pattern($1, krb5_conf_t) -- ++######################################## ++## ++## Transition to kerberos named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kerberos_filetrans_named_content',` ++ gen_require(` ++ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; ++ type krb5kdc_principal_t; ++ ') + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") - - admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t }) @@ -41056,16 +38400,16 @@ index f6c00d8..b573f79 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 8833d59..31ad037 100644 +index 3465a9a..31ad037 100644 --- a/kerberos.te +++ b/kerberos.te @@ -1,4 +1,4 @@ --policy_module(kerberos, 1.12.0) +-policy_module(kerberos, 1.11.7) +policy_module(kerberos, 1.11.0) ######################################## # -@@ -6,11 +6,13 @@ policy_module(kerberos, 1.12.0) +@@ -6,11 +6,13 @@ policy_module(kerberos, 1.11.7) # ## @@ -41457,15 +38801,9 @@ index 714448f..fa0c994 100644 domain_system_change_exemption($1) role_transition $2 kerneloops_initrc_exec_t system_r; diff --git a/kerneloops.te b/kerneloops.te -index bcdb295..7f1061d 100644 +index 1101985..7f1061d 100644 --- a/kerneloops.te +++ b/kerneloops.te -@@ -1,4 +1,4 @@ --policy_module(kerneloops, 1.5.0) -+policy_module(kerneloops, 1.4.1) - - ######################################## - # @@ -31,7 +31,6 @@ kernel_read_ring_buffer(kerneloops_t) domain_use_interactive_fds(kerneloops_t) @@ -41536,15 +38874,9 @@ index 8982b91..6134ef2 100644 + allow $1 keyboardd_t:fifo_file read_fifo_file_perms; ') diff --git a/keyboardd.te b/keyboardd.te -index 628b78b..a60b664 100644 +index adfe3dc..a60b664 100644 --- a/keyboardd.te 
+++ b/keyboardd.te -@@ -1,4 +1,4 @@ --policy_module(keyboardd, 1.1.0) -+policy_module(keyboardd, 1.0.1) - - ######################################## - # @@ -19,6 +19,3 @@ allow keyboardd_t self:unix_stream_socket create_stream_socket_perms; files_manage_etc_runtime_files(keyboardd_t) @@ -41569,7 +38901,7 @@ index b273d80..6a07210 100644 + +/var/run/keystone(/.*)? gen_context(system_u:object_r:keystone_var_run_t,s0) diff --git a/keystone.if b/keystone.if -index e88fb16..f20248c 100644 +index d3e7fc9..f20248c 100644 --- a/keystone.if +++ b/keystone.if @@ -1,42 +1,218 @@ @@ -41793,7 +39125,8 @@ index e88fb16..f20248c 100644 logging_search_logs($1) admin_pattern($1, keystone_log_t) - files_search_var_lib($1) +- files_search_var_lib($1 ++ files_search_var_lib($1) admin_pattern($1, keystone_var_lib_t) - files_search_tmp($1) @@ -41807,15 +39140,9 @@ index e88fb16..f20248c 100644 + ') ') diff --git a/keystone.te b/keystone.te -index 9929647..6009a94 100644 +index 3494d9b..6009a94 100644 --- a/keystone.te +++ b/keystone.te -@@ -1,4 +1,4 @@ --policy_module(keystone, 1.1.0) -+policy_module(keystone, 1.0.1) - - ######################################## - # @@ -18,13 +18,20 @@ logging_log_file(keystone_log_t) type keystone_var_lib_t; files_type(keystone_var_lib_t) @@ -41914,15 +39241,9 @@ index aa2a337..7ff229f 100644 files_search_var_lib($1) admin_pattern($1, kismet_var_lib_t) diff --git a/kismet.te b/kismet.te -index 8ad0d4d..e60f701 100644 +index ea64ed5..e60f701 100644 --- a/kismet.te +++ b/kismet.te -@@ -1,4 +1,4 @@ --policy_module(kismet, 1.7.0) -+policy_module(kismet, 1.6.1) - - ######################################## - # @@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t) corecmd_exec_bin(kismet_t) @@ -41970,7 +39291,7 @@ index e736c45..4b1e1e4 100644 /var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) diff --git a/ksmtuned.if b/ksmtuned.if -index 93a64bc..3ac0b8b 100644 +index c530214..3ac0b8b 100644 --- a/ksmtuned.if +++ b/ksmtuned.if 
@@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',` @@ -42026,15 +39347,15 @@ index 93a64bc..3ac0b8b 100644 - domain_system_change_exemption($1) - role_transition $2 ksmtuned_initrc_exec_t system_r; - allow $2 system_r; -- -- allow $1 ksmtuned_t:process { ptrace signal_perms }; + allow $1 ksmtuned_t:process signal_perms; - ps_process_pattern($1, ksmtuned_t) ++ ps_process_pattern($1, ksmtuned_t) +- allow $1 ksmtuned_t:process { ptrace signal_perms }; +- ps_process_pattern(ksmtumed_t) + tunable_policy(`deny_ptrace',`',` + allow $1 ksmtuned_t:process ptrace; + ') -+ + files_list_pids($1) admin_pattern($1, ksmtuned_var_run_t) @@ -42046,15 +39367,10 @@ index 93a64bc..3ac0b8b 100644 + allow $1 ksmtuned_unit_file_t:service all_service_perms; ') diff --git a/ksmtuned.te b/ksmtuned.te -index 8eef134..fd0a17f 100644 +index c1539b5..fd0a17f 100644 --- a/ksmtuned.te +++ b/ksmtuned.te -@@ -1,14 +1,31 @@ --policy_module(ksmtuned, 1.1.1) -+policy_module(ksmtuned, 1.0.1) - - ######################################## - # +@@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.0.1) # Declarations # @@ -42196,20 +39512,13 @@ index 19777b8..55d1556 100644 + ') +') diff --git a/ktalk.te b/ktalk.te -index c5548c5..f932c32 100644 +index 2cf3815..f932c32 100644 --- a/ktalk.te +++ b/ktalk.te -@@ -1,4 +1,4 @@ --policy_module(ktalk, 1.9.2) -+policy_module(ktalk, 1.8.1) - - ######################################## - # -@@ -7,12 +7,15 @@ policy_module(ktalk, 1.9.2) +@@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1) type ktalkd_t; type ktalkd_exec_t; --init_daemon_domain(ktalkd_t, ktalkd_exec_t) +init_domain(ktalkd_t, ktalkd_exec_t) inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t) 
@@ -42222,24 +39531,19 @@ index c5548c5..f932c32 100644 type ktalkd_tmp_t; files_tmp_file(ktalkd_tmp_t) -@@ -36,21 +39,21 @@ kernel_read_kernel_sysctls(ktalkd_t) +@@ -35,11 +39,21 @@ kernel_read_kernel_sysctls(ktalkd_t) kernel_read_system_state(ktalkd_t) kernel_read_network_state(ktalkd_t) --corenet_all_recvfrom_unlabeled(ktalkd_t) - corenet_all_recvfrom_netlabel(ktalkd_t) ++corenet_all_recvfrom_netlabel(ktalkd_t) +corenet_tcp_sendrecv_generic_if(ktalkd_t) - corenet_udp_sendrecv_generic_if(ktalkd_t) ++corenet_udp_sendrecv_generic_if(ktalkd_t) +corenet_tcp_sendrecv_generic_node(ktalkd_t) - corenet_udp_sendrecv_generic_node(ktalkd_t) --corenet_udp_bind_generic_node(ktalkd_t) -- --corenet_sendrecv_ktalkd_server_packets(ktalkd_t) ++corenet_udp_sendrecv_generic_node(ktalkd_t) +corenet_tcp_sendrecv_all_ports(ktalkd_t) +corenet_udp_sendrecv_all_ports(ktalkd_t) - corenet_udp_bind_ktalkd_port(ktalkd_t) --corenet_udp_sendrecv_ktalkd_port(ktalkd_t) - ++corenet_udp_bind_ktalkd_port(ktalkd_t) ++ dev_read_urand(ktalkd_t) fs_getattr_xattr_fs(ktalkd_t) @@ -42250,7 +39554,7 @@ index c5548c5..f932c32 100644 auth_use_nsswitch(ktalkd_t) -@@ -58,4 +61,5 @@ init_read_utmp(ktalkd_t) +@@ -47,4 +61,5 @@ init_read_utmp(ktalkd_t) logging_send_syslog_msg(ktalkd_t) @@ -42277,15 +39581,9 @@ index 5297064..6ba8108 100644 domain_system_change_exemption($1) role_transition $2 kudzu_initrc_exec_t system_r; diff --git a/kudzu.te b/kudzu.te -index 1664036..34aa63b 100644 +index 9725f1a..34aa63b 100644 --- a/kudzu.te +++ b/kudzu.te -@@ -1,4 +1,4 @@ --policy_module(kudzu, 1.9.0) -+policy_module(kudzu, 1.8.2) - - ######################################## - # @@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t) domain_use_interactive_fds(kudzu_t) @@ -42560,15 +39858,9 @@ index 73e2803..34ca3aa 100644 role_transition $2 l2tpd_initrc_exec_t system_r; allow $2 system_r; diff --git a/l2tp.te b/l2tp.te -index bb06a7f..bbbda10 100644 +index 19f2b97..bbbda10 100644 --- a/l2tp.te 
+++ b/l2tp.te -@@ -1,4 +1,4 @@ --policy_module(l2tp, 1.1.0) -+policy_module(l2tp, 1.0.5) - - ######################################## - # @@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t) # @@ -42636,10 +39928,10 @@ index bb06a7f..bbbda10 100644 ppp_signal(l2tpd_t) ppp_kill(l2tpd_t) diff --git a/ldap.fc b/ldap.fc -index b7e5679..6692d91 100644 +index bc25c95..6692d91 100644 --- a/ldap.fc +++ b/ldap.fc -@@ -1,29 +1,26 @@ +@@ -1,8 +1,11 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) -/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0) + @@ -42653,19 +39945,7 @@ index b7e5679..6692d91 100644 /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) --/usr/lib/openldap/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) - /usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) - - /var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) - /var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) - --/var/lib/openldap-data(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) --/var/lib/openldap-ldbm(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) --/var/lib/openldap-slurpd(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) -- - /var/lock/subsys/ldap -- gen_context(system_u:object_r:slapd_lock_t,s0) - /var/lock/subsys/slapd -- gen_context(system_u:object_r:slapd_lock_t,s0) - +@@ -17,8 +20,7 @@ /var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0) /var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0) @@ -42679,7 +39959,7 @@ index b7e5679..6692d91 100644 +/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/ldap.if b/ldap.if -index 3602712..4ac8f2d 100644 +index ee0c7cc..4ac8f2d 100644 --- a/ldap.if +++ b/ldap.if @@ -1,8 +1,68 @@ 
@@ -42886,7 +40166,7 @@ index 3602712..4ac8f2d 100644 type slapd_t, slapd_tmp_t, slapd_replog_t; type slapd_lock_t, slapd_etc_t, slapd_var_run_t; - type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t; -- type slapd_db_t, slapd_keytab_t; +- type slapd_db_t; + type slapd_initrc_exec_t; + type slapd_unit_file_t; ') @@ -42905,7 +40185,7 @@ index 3602712..4ac8f2d 100644 allow $2 system_r; files_list_etc($1) -- admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t }) +- admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t }) + admin_pattern($1, slapd_etc_t) - files_list_locks($1) @@ -42929,27 +40209,20 @@ index 3602712..4ac8f2d 100644 + allow $1 slapd_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index 4c2b111..d0fdb7c 100644 +index d7d9b09..d0fdb7c 100644 --- a/ldap.te +++ b/ldap.te -@@ -1,4 +1,4 @@ --policy_module(ldap, 1.11.1) -+policy_module(ldap, 1.10.2) - - ######################################## - # -@@ -21,8 +21,8 @@ files_config_file(slapd_etc_t) +@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) type slapd_initrc_exec_t; init_script_file(slapd_initrc_exec_t) --type slapd_keytab_t; --files_type(slapd_keytab_t) +type slapd_unit_file_t; +systemd_unit_file(slapd_unit_file_t) - ++ type slapd_lock_t; files_lock_file(slapd_lock_t) -@@ -49,7 +49,7 @@ files_pid_file(slapd_var_run_t) + +@@ -46,7 +49,7 @@ files_pid_file(slapd_var_run_t) allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; dontaudit slapd_t self:capability sys_tty_config; 
@@ -42958,13 +40231,7 @@ index 4c2b111..d0fdb7c 100644 allow slapd_t self:fifo_file rw_fifo_file_perms; allow slapd_t self:tcp_socket { accept listen }; -@@ -63,15 +63,11 @@ manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t) - - allow slapd_t slapd_etc_t:file read_file_perms; - --allow slapd_t slapd_keytab_t:file read_file_perms; -- - allow slapd_t slapd_lock_t:file manage_file_perms; +@@ -64,9 +67,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms; files_lock_filetrans(slapd_t, slapd_lock_t, file) manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t) @@ -42975,7 +40242,7 @@ index 4c2b111..d0fdb7c 100644 logging_log_filetrans(slapd_t, slapd_log_t, { file dir }) manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) -@@ -93,7 +89,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) +@@ -88,7 +89,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) @@ -42983,7 +40250,7 @@ index 4c2b111..d0fdb7c 100644 corenet_all_recvfrom_netlabel(slapd_t) corenet_tcp_sendrecv_generic_if(slapd_t) corenet_tcp_sendrecv_generic_node(slapd_t) -@@ -115,26 +110,23 @@ fs_getattr_all_fs(slapd_t) +@@ -110,25 +110,23 @@ fs_getattr_all_fs(slapd_t) fs_search_auto_mountpoints(slapd_t) files_read_etc_runtime_files(slapd_t) 
@@ -43002,13 +40269,11 @@ index 4c2b111..d0fdb7c 100644 userdom_dontaudit_search_user_home_dirs(slapd_t) optional_policy(` + kerberos_keytab_template(slapd, slapd_t) - kerberos_manage_host_rcache(slapd_t) -- kerberos_read_keytab(slapd_t) - kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0") - kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487") - kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55") -- kerberos_use(slapd_t) -+ kerberos_keytab_template(slapd, slapd_t) + kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0") + kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487") + kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55") @@ -43029,15 +40294,9 @@ index 33a28b9..33ffe24 100644 + ') ') diff --git a/lightsquid.te b/lightsquid.te -index 09c4f27..308accb 100644 +index 40a2607..308accb 100644 --- a/lightsquid.te +++ b/lightsquid.te -@@ -1,4 +1,4 @@ --policy_module(lightsquid, 1.1.0) -+policy_module(lightsquid, 1.0.2) - - ######################################## - # @@ -31,11 +31,6 @@ corecmd_exec_shell(lightsquid_t) dev_read_urand(lightsquid_t) @@ -43193,15 +40452,9 @@ index bd20e8c..3393a01 100644 - admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t }) -') diff --git a/likewise.te b/likewise.te -index d8c2442..e86ead6 100644 +index 408fbe3..e86ead6 100644 --- a/likewise.te +++ b/likewise.te -@@ -1,4 +1,4 @@ --policy_module(likewise, 1.3.0) -+policy_module(likewise, 1.2.1) - - ################################# - # @@ -26,7 +26,7 @@ type likewise_var_lib_t; files_type(likewise_var_lib_t) @@ -43266,15 +40519,9 @@ index dff21a7..b6981c8 100644 init_labeled_script_domtrans($1, lircd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/lircd.te b/lircd.te -index 483c87b..1150694 100644 +index 98b5405..1150694 100644 --- a/lircd.te +++ b/lircd.te -@@ -1,4 +1,4 @@ --policy_module(lircd, 1.2.0) -+policy_module(lircd, 1.1.2) - - ######################################## - # 
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t; init_script_file(lircd_initrc_exec_t) @@ -43342,15 +40589,9 @@ index e354181..c6b2383 100644 ######################################## diff --git a/livecd.te b/livecd.te -index 2f974bf..a920c08 100644 +index 33f64b5..a920c08 100644 --- a/livecd.te +++ b/livecd.te -@@ -1,4 +1,4 @@ --policy_module(livecd, 1.3.0) -+policy_module(livecd, 1.2.1) - - ######################################## - # @@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t) # Local policy # @@ -43431,15 +40672,9 @@ index d18c960..fb5b674 100644 domain_system_change_exemption($1) role_transition $2 lldpad_initrc_exec_t system_r; diff --git a/lldpad.te b/lldpad.te -index 2a491d9..07f58a5 100644 +index 648def0..07f58a5 100644 --- a/lldpad.te +++ b/lldpad.te -@@ -1,4 +1,4 @@ --policy_module(lldpad, 1.1.0) -+policy_module(lldpad, 1.0.1) - - ######################################## - # @@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t) # Local policy # @@ -43468,15 +40703,9 @@ index 2a491d9..07f58a5 100644 + networkmanager_dgram_send(lldpad_t) +') diff --git a/loadkeys.te b/loadkeys.te -index d2f4643..bd5406a 100644 +index 6cbb977..bd5406a 100644 --- a/loadkeys.te +++ b/loadkeys.te -@@ -1,4 +1,4 @@ --policy_module(loadkeys, 1.9.0) -+policy_module(loadkeys, 1.8.1) - - ######################################## - # @@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t) corecmd_exec_bin(loadkeys_t) corecmd_exec_shell(loadkeys_t) @@ -43532,15 +40761,9 @@ index 4313b8b..cd1435c 100644 ## ## Role access for lockdev. diff --git a/lockdev.te b/lockdev.te -index 61db5a0..30bfb76 100644 +index db87831..30bfb76 100644 --- a/lockdev.te +++ b/lockdev.te -@@ -1,4 +1,4 @@ --policy_module(lockdev, 1.5.0) -+policy_module(lockdev, 1.4.1) - - ######################################## - # @@ -36,4 +36,5 @@ fs_getattr_xattr_fs(lockdev_t) logging_send_syslog_msg(lockdev_t) @@ -43620,11 +40843,11 @@ index dd8e01a..9cd6b0b 100644 ## ## 
diff --git a/logrotate.te b/logrotate.te -index be0ab84..5c1e801 100644 +index 7bab8e5..5c1e801 100644 --- a/logrotate.te +++ b/logrotate.te @@ -1,20 +1,26 @@ --policy_module(logrotate, 1.15.0) +-policy_module(logrotate, 1.14.5) +policy_module(logrotate, 1.14.0) ######################################## @@ -43767,9 +40990,8 @@ index be0ab84..5c1e801 100644 -auth_manage_login_records(logrotate_t) -auth_use_nsswitch(logrotate_t) - --init_all_labeled_script_domtrans(logrotate_t) +# cjp: why is this needed? -+init_domtrans_script(logrotate_t) + init_domtrans_script(logrotate_t) logging_manage_all_logs(logrotate_t) logging_send_syslog_msg(logrotate_t) @@ -43940,30 +41162,20 @@ index be0ab84..5c1e801 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index ab65034..9125f9f 100644 +index 4256a4c..9125f9f 100644 --- a/logwatch.te +++ b/logwatch.te -@@ -1,4 +1,4 @@ --policy_module(logwatch, 1.12.2) -+policy_module(logwatch, 1.11.6) - - ################################# - # -@@ -6,16 +6,16 @@ policy_module(logwatch, 1.12.2) +@@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6) + # Declarations # - ## --##
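Review bot: The only documentation left on `init_domtrans_script(logrotate_t)` in logrotate.te is the line above it, `# cjp: why is this needed?`, so a rule that lets logrotate transition into the init-script domain ships with an open question instead of a justification. Replace the comment with the actual reason — presumably postrotate hooks that invoke an init script to reload the owning service; confirm from the denials that motivated it — or drop the rule if nothing exercises it any more. The remaining logrotate_t rules continue outside this hunk.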

--## Determine whether logwatch can connect --## to mail over the network. --##

++## +##

+## Allow epylog to send mail +##

- ##
--gen_tunable(logwatch_can_network_connect_mail, false) ++##
+gen_tunable(logwatch_can_sendmail, false) - ++ type logwatch_t; type logwatch_exec_t; -init_system_domain(logwatch_t, logwatch_exec_t) @@ -43972,7 +41184,7 @@ index ab65034..9125f9f 100644 type logwatch_cache_t; files_type(logwatch_cache_t) -@@ -45,7 +45,8 @@ allow logwatch_t self:unix_stream_socket { accept listen }; +@@ -37,7 +45,8 @@ allow logwatch_t self:unix_stream_socket { accept listen }; manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) @@ -43982,7 +41194,7 @@ index ab65034..9125f9f 100644 files_lock_filetrans(logwatch_t, logwatch_lock_t, file) manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) -@@ -75,10 +76,11 @@ files_list_var(logwatch_t) +@@ -67,10 +76,11 @@ files_list_var(logwatch_t) files_search_all(logwatch_t) files_read_var_symlinks(logwatch_t) files_read_etc_runtime_files(logwatch_t) @@ -43995,7 +41207,7 @@ index ab65034..9125f9f 100644 fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) -@@ -100,32 +102,18 @@ libs_read_lib_files(logwatch_t) +@@ -92,13 +102,14 @@ libs_read_lib_files(logwatch_t) logging_read_all_logs(logwatch_t) logging_send_syslog_msg(logwatch_t) 
@@ -44011,26 +41223,7 @@ index ab65034..9125f9f 100644 mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) mta_getattr_spool(logwatch_t) - --tunable_policy(`logwatch_can_network_connect_mail',` -- corenet_all_recvfrom_unlabeled(logwatch_t) -- corenet_all_recvfrom_netlabel(logwatch_t) -- corenet_tcp_sendrecv_generic_if(logwatch_t) -- corenet_tcp_sendrecv_generic_node(logwatch_t) -- -- corenet_sendrecv_smtp_client_packets(logwatch_t) -- corenet_tcp_connect_smtp_port(logwatch_t) -- corenet_tcp_sendrecv_smtp_port(logwatch_t) -- -- corenet_sendrecv_pop_client_packets(logwatch_t) -- corenet_tcp_connect_pop_port(logwatch_t) -- corenet_tcp_sendrecv_pop_port(logwatch_t) --') -- - tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs(logwatch_t) - ') -@@ -160,6 +148,12 @@ optional_policy(` +@@ -137,6 +148,12 @@ optional_policy(` ') optional_policy(` @@ -44043,7 +41236,7 @@ index ab65034..9125f9f 100644 rpc_search_nfs_state_data(logwatch_t) ') -@@ -168,6 +162,13 @@ optional_policy(` +@@ -145,6 +162,13 @@ optional_policy(` samba_read_share_files(logwatch_t) ') @@ -44057,7 +41250,7 @@ index ab65034..9125f9f 100644 ######################################## # # Mail local policy -@@ -187,6 +188,19 @@ dev_read_sysfs(logwatch_mail_t) +@@ -164,6 +188,19 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) @@ -44270,15 +41463,9 @@ index 6256371..ce2acb8 100644 can_exec($1, lpr_exec_t) ') diff --git a/lpd.te b/lpd.te -index 39d3164..15f3748 100644 +index b9270f7..15f3748 100644 --- a/lpd.te +++ b/lpd.te -@@ -1,4 +1,4 @@ --policy_module(lpd, 1.14.0) -+policy_module(lpd, 1.13.5) - - ######################################## - # @@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t) type print_spool_t; typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t }; @@ -44430,32 +41617,29 @@ index 39d3164..15f3748 100644 + mozilla_plugin_dontaudit_rw_tmp_files(lpr_t) ') 
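Review bot: The description block that the new side attaches to `gen_tunable(logwatch_can_sendmail, false)` in logwatch.te reads `## Allow epylog to send mail`, but the boolean is declared in the logwatch module and governs logwatch_t; this text feeds the generated boolean documentation that administrators read, so it will mislead them. Change it to `## Determine whether logwatch can send mail.` (the phrasing the old logwatch_can_network_connect_mail block used). The `tunable_policy` body that consumes the boolean is outside this hunk, so whether it grants only the sendmail transition or also network access cannot be checked from here.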
diff --git a/lsm.fc b/lsm.fc -index c455730..d60293d 100644 ---- a/lsm.fc +new file mode 100644 +index 0000000..d60293d +--- /dev/null +++ b/lsm.fc -@@ -1,3 +1,7 @@ --/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0) +@@ -0,0 +1,7 @@ +/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0) - --/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0) ++ +/usr/bin/.*_lsmplugin -- gen_context(system_u:object_r:lsmd_plugin_exec_t,s0) + +/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0) + +/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0) diff --git a/lsm.if b/lsm.if -index d314333..da30c5d 100644 ---- a/lsm.if +new file mode 100644 +index 0000000..da30c5d +--- /dev/null +++ b/lsm.if -@@ -1,25 +1,85 @@ --## Storage array management library. +@@ -0,0 +1,99 @@ + +## libStorageMgmt plug-in daemon - - ######################################## - ## --## All of the rules required to administrate --## an lsmd environment. ++ ++######################################## ++## +## Execute TEMPLATE in the lsmd domin. +## +## @@ -44475,13 +41659,12 @@ index d314333..da30c5d 100644 +######################################## +## +## Read lsmd PID files. - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`lsmd_read_pid_files',` + gen_require(` @@ -44523,26 +41706,24 @@ index d314333..da30c5d 100644 +## an lsmd environment +##
+## - ## --## Role allowed access. ++## +## Domain allowed access. - ## - ## - ## - # - interface(`lsmd_admin',` - gen_require(` -- type lsmd_t, type lsmd_var_run_t; ++## ++## ++## ++# ++interface(`lsmd_admin',` ++ gen_require(` + type lsmd_t; + type lsmd_var_run_t; + type lsmd_unit_file_t; - ') - - allow $1 lsmd_t:process { ptrace signal_perms }; -@@ -27,4 +87,13 @@ interface(`lsmd_admin',` - - files_search_pids($1) - admin_pattern($1, lsmd_var_run_t) ++ ') ++ ++ allow $1 lsmd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, lsmd_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, lsmd_var_run_t) + + lsmd_systemctl($1) + admin_pattern($1, lsmd_unit_file_t) @@ -44552,15 +41733,19 @@ index d314333..da30c5d 100644 + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') - ') ++') diff --git a/lsm.te b/lsm.te -index 4ec0eea..7e8fde0 100644 ---- a/lsm.te +new file mode 100644 +index 0000000..7e8fde0 +--- /dev/null +++ b/lsm.te -@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0) - # - # Declarations - # +@@ -0,0 +1,90 @@ ++policy_module(lsm, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# +## +##
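Review bot: The new `lsmd_admin` interface in lsm.if grants `allow $1 lsmd_t:process { ptrace signal_perms };` unconditionally, while the ksmtuned_admin hunk earlier in this same patch moves ptrace under `tunable_policy(`deny_ptrace',`',` ... ')`; an interface added wholesale should follow that convention, otherwise the deny_ptrace boolean silently stops covering lsmd. Change the line to `allow $1 lsmd_t:process signal_perms;` and add `tunable_policy(`deny_ptrace',`',` allow $1 lsmd_t:process ptrace; ')` beside it. The rest of the interface (systemctl, unit-file admin_pattern, passwd-agent access) matches the other admin interfaces in this patch.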

+## Determine whether lsmd_plugin can @@ -44568,13 +41753,14 @@ index 4ec0eea..7e8fde0 100644 +##

+##
+gen_tunable(lsmd_plugin_connect_any, false) - - type lsmd_t; - type lsmd_exec_t; -@@ -12,12 +19,23 @@ init_daemon_domain(lsmd_t, lsmd_exec_t) - type lsmd_var_run_t; - files_pid_file(lsmd_var_run_t) - ++ ++type lsmd_t; ++type lsmd_exec_t; ++init_daemon_domain(lsmd_t, lsmd_exec_t) ++ ++type lsmd_var_run_t; ++files_pid_file(lsmd_var_run_t) ++ +type lsmd_unit_file_t; +systemd_unit_file(lsmd_unit_file_t) + @@ -44586,25 +41772,23 @@ index 4ec0eea..7e8fde0 100644 +type lsmd_plugin_tmp_t; +files_tmp_file(lsmd_plugin_tmp_t) + - ######################################## - # --# Local policy ++######################################## ++# +# lsmd local policy - # -- --allow lsmd_t self:capability setgid; ++# +allow lsmd_t self:capability { setgid }; +allow lsmd_t self:process { fork }; - allow lsmd_t self:unix_stream_socket create_stream_socket_perms; - - manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) -@@ -26,4 +44,47 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) - manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) - files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) - ++allow lsmd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) ++ +corecmd_exec_bin(lsmd_t) + - logging_send_syslog_msg(lsmd_t) ++logging_send_syslog_msg(lsmd_t) + +######################################## +# @@ -44647,13 +41831,10 @@ index 4ec0eea..7e8fde0 100644 + +sysnet_read_config(lsmd_plugin_t) diff --git a/mailman.fc b/mailman.fc -index 995d0a5..bbe6b01 100644 +index 7fa381b..bbe6b01 100644 --- a/mailman.fc 
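Review bot: `allow lsmd_t self:process { fork };` in the new lsm.te is, if I read refpolicy's kernel/domain.te correctly, already granted to every domain through the `domain` attribute, so the line is redundant and should be dropped. The rule above it wraps a single permission in braces, `allow lsmd_t self:capability { setgid };`, where the base line it replaces was `allow lsmd_t self:capability setgid;`; keep the brace-less form for consistency with the rest of the file. The lsmd_plugin_t local policy that follows is outside this hunk.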
+++ b/mailman.fc -@@ -1,11 +1,14 @@ --/etc/cron\.(daily|monthly)/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) -+/etc/cron\.daily/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) -+/etc/cron\.monthly/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) +@@ -3,10 +3,12 @@ /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) @@ -44978,14 +42159,10 @@ index 108c0f1..a248501 100644 domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) ') diff --git a/mailman.te b/mailman.te -index ac81c7f..a057913 100644 +index 8eaf51b..a057913 100644 --- a/mailman.te +++ b/mailman.te -@@ -1,9 +1,15 @@ --policy_module(mailman, 1.10.0) -+policy_module(mailman, 1.9.4) - - ######################################## +@@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4) # # Declarations # @@ -45076,7 +42253,7 @@ index ac81c7f..a057913 100644 + fs_manage_fusefs_symlinks(mailman_domain) +') diff --git a/mailscanner.if b/mailscanner.if -index 214cb44..bd1d48e 100644 +index 0293f34..bd1d48e 100644 --- a/mailscanner.if +++ b/mailscanner.if @@ -2,29 +2,27 @@ @@ -45149,7 +42326,7 @@ index 214cb44..bd1d48e 100644 admin_pattern($1, mscan_etc_t) + files_list_etc($1) -- files_search_pids($1) +- files_search_pids($1 admin_pattern($1, mscan_var_run_t) - - files_search_spool($1) @@ -45157,15 +42334,9 @@ index 214cb44..bd1d48e 100644 + files_list_pids($1) ') diff --git a/mailscanner.te b/mailscanner.te -index 6b6e2e1..cec64d0 100644 +index 725ba32..cec64d0 100644 --- a/mailscanner.te +++ b/mailscanner.te -@@ -1,4 +1,4 @@ --policy_module(mailscanner, 1.1.0) -+policy_module(mailscanner, 1.0.2) - - ######################################## - # @@ -34,6 +34,7 @@ allow mscan_t self:process signal; allow mscan_t self:fifo_file rw_fifo_file_perms; @@ -45373,14 +42544,13 @@ index e08c55d..9e634bd 100644 + +') diff --git a/mandb.fc b/mandb.fc -index 8ae78b5..c127555 100644 +index 2de0f64..c127555 100644 --- a/mandb.fc +++ b/mandb.fc 
@@ -1 +1,12 @@ --/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0) +HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) + -+/etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0) + /etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0) + +/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0) + @@ -45629,16 +42799,10 @@ index 327f3f7..4f61561 100644 + ') ') diff --git a/mandb.te b/mandb.te -index e6136fd..8fc7de0 100644 +index 5a414e0..8fc7de0 100644 --- a/mandb.te +++ b/mandb.te -@@ -1,4 +1,4 @@ --policy_module(mandb, 1.1.1) -+policy_module(mandb, 1.0.3) - - ######################################## - # -@@ -10,48 +10,54 @@ roleattribute system_r mandb_roles; +@@ -10,28 +10,54 @@ roleattribute system_r mandb_roles; type mandb_t; type mandb_exec_t; @@ -45660,12 +42824,11 @@ index e6136fd..8fc7de0 100644 # Local policy # --allow mandb_t self:capability { setuid setgid }; - allow mandb_t self:process { setsched signal }; +-allow mandb_t self:process signal; ++allow mandb_t self:process { setsched signal }; allow mandb_t self:fifo_file rw_fifo_file_perms; allow mandb_t self:unix_stream_socket create_stream_socket_perms; --kernel_read_kernel_sysctls(mandb_t) +manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t) +manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) +manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) @@ -45681,9 +42844,6 @@ index e6136fd..8fc7de0 100644 kernel_read_system_state(mandb_t) corecmd_exec_bin(mandb_t) --corecmd_exec_shell(mandb_t) -- --dev_search_sysfs(mandb_t) domain_use_interactive_fds(mandb_t) 
@@ -45694,21 +42854,6 @@ index e6136fd..8fc7de0 100644 +fs_getattr_all_fs(mandb_t) miscfiles_manage_man_cache(mandb_t) --miscfiles_read_man_pages(mandb_t) --miscfiles_read_localization(mandb_t) -- --ifdef(`distro_debian',` -- optional_policy(` -- apt_exec(mandb_t) -- apt_read_db(mandb_t) -- ') -- -- optional_policy(` -- dpkg_exec(mandb_t) -- dpkg_read_db(mandb_t) -- userdom_dontaudit_search_user_home_dirs(mandb_t) -- ') --') +miscfiles_setattr_man_pages(mandb_t) optional_policy(` @@ -45716,7 +42861,7 @@ index e6136fd..8fc7de0 100644 ') + diff --git a/mcelog.if b/mcelog.if -index f89651e..c73214d 100644 +index 9dbe694..c73214d 100644 --- a/mcelog.if +++ b/mcelog.if @@ -19,6 +19,25 @@ interface(`mcelog_domtrans',` @@ -45745,16 +42890,18 @@ index f89651e..c73214d 100644 ######################################## ## ## All of the rules required to +@@ -56,6 +75,6 @@ interface(`mcelog_admin',` + logging_search_logs($1) + admin_pattern($1, mcelog_log_t) + +- files_search_pids($1 ++ files_search_pids($1) + admin_pattern($1, mcelog_var_run_t) + ') diff --git a/mcelog.te b/mcelog.te -index 59b3b3d..2b4e761 100644 +index 13ea191..2b4e761 100644 --- a/mcelog.te +++ b/mcelog.te -@@ -1,4 +1,4 @@ --policy_module(mcelog, 1.2.0) -+policy_module(mcelog, 1.1.3) - - ######################################## - # @@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false) ## gen_tunable(mcelog_server, false) @@ -46169,15 +43316,9 @@ index 1d4eb19..650014e 100644 admin_pattern($1, memcached_var_run_t) ') diff --git a/memcached.te b/memcached.te -index 29b7521..4396320 100644 +index 4926208..4396320 100644 --- a/memcached.te +++ b/memcached.te -@@ -1,4 +1,4 @@ --policy_module(memcached, 1.3.1) -+policy_module(memcached, 1.2.3) - - ######################################## - # @@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t) # Local policy # 
@@ -46187,7 +43328,15 @@ index 29b7521..4396320 100644 dontaudit memcached_t self:capability sys_tty_config; allow memcached_t self:process { setrlimit signal_perms }; allow memcached_t self:tcp_socket { accept listen }; -@@ -59,4 +59,3 @@ term_dontaudit_use_console(memcached_t) +@@ -51,10 +51,11 @@ corenet_tcp_sendrecv_all_ports(memcached_t) + corenet_udp_bind_memcache_port(memcached_t) + corenet_udp_sendrecv_all_ports(memcached_t) + ++dev_read_sysfs(memcached_t) ++ + term_dontaudit_use_all_ptys(memcached_t) + term_dontaudit_use_all_ttys(memcached_t) + term_dontaudit_use_console(memcached_t) auth_use_nsswitch(memcached_t) @@ -46375,11 +43524,11 @@ index cba62db..562833a 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/milter.te b/milter.te -index 4dc99f4..9c51c34 100644 +index 92508b2..9c51c34 100644 --- a/milter.te +++ b/milter.te @@ -1,77 +1,121 @@ --policy_module(milter, 1.5.0) +-policy_module(milter, 1.4.2) +policy_module(milter, 1.4.0) ######################################## 
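Review bot: `dev_read_sysfs(memcached_t)` is added to memcached.te with no comment saying which sysfs path the daemon actually touches; the interface grants read on all of sysfs, which is broader than a cache daemon's visible footprint, so the reason belongs in the policy. If the denial that prompted it is the libc CPU-count lookup under `/sys/devices/system/cpu` (a frequent trigger for this interface — confirm against the AVC), add a comment such as `# memcached reads /sys/devices/system/cpu via sysconf()` above the line; if only one path is read, prefer a narrower interface.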
@@ -46578,340 +43727,6 @@ index 4dc99f4..9c51c34 100644 optional_policy(` spamassassin_domtrans_client(spamass_milter_t) ') -diff --git a/minidlna.fc b/minidlna.fc -deleted file mode 100644 -index 02c1b50..0000000 ---- a/minidlna.fc -+++ /dev/null -@@ -1,14 +0,0 @@ --/etc/rc\.d/init\.d/minidlna -- gen_context(system_u:object_r:minidlna_initrc_exec_t,s0) -- --/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_conf_t,s0) -- --/usr/sbin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0) -- --/var/cache/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0) -- --/var/lib/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0) -- --/var/log/minidlna(/.*)? gen_context(system_u:object_r:minidlna_log_t,s0) --/var/log/minidlna\.log.* -- gen_context(system_u:object_r:minidlna_log_t,s0) -- --/var/run/minidlna(/.*)? gen_context(system_u:object_r:minidlna_var_run_t,s0) -diff --git a/minidlna.if b/minidlna.if -deleted file mode 100644 -index 358917a..0000000 ---- a/minidlna.if -+++ /dev/null -@@ -1,64 +0,0 @@ --## MiniDLNA lightweight DLNA/UPnP media server -- --######################################## --## --## All of the rules required to --## administrate an minidlna environment. --## --## --## --## Domain allowed access. --## --## --## --## --## Role allowed access. 
--## --## --## --# --interface(`minidlna_admin',` -- gen_require(` -- type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t; -- type minidlna_conf_t, minidlna_log_t, minidlna_db_t; -- ') -- -- allow $1 minidlna_t:process { ptrace signal_perms }; -- ps_process_pattern($1, minidlna_t) -- -- minidlna_initrc_domtrans($1) -- domain_system_change_exemption($1) -- role_transition $2 minidlna_initrc_exec_t system_r; -- allow $2 system_r; -- -- files_search_etc($1) -- admin_pattern($1, minidlna_conf_t) -- -- logging_search_logs($1) -- admin_pattern($1, minidlna_log_t) -- -- files_search_var_lib($1) -- admin_pattern($1, minidlna_db_t) -- -- files_search_pids($1) -- admin_pattern($1, minidlna_var_run_t) --') -- --######################################## --## --## Execute minidlna init scripts in --## the initrc domain. --## --## --## --## Domain allowed to transition. --## --## --# --interface(`minidlna_initrc_domtrans',` -- gen_require(` -- type minidlna_initrc_exec_t; -- ') -- -- init_labeled_script_domtrans($1, minidlna_initrc_exec_t) --') -diff --git a/minidlna.te b/minidlna.te -deleted file mode 100644 -index 4911ac0..0000000 ---- a/minidlna.te -+++ /dev/null -@@ -1,102 +0,0 @@ --policy_module(minidlna, 0.1) -- --############################################# --# --# Declarations --# -- --## --##

--## Determine whether minidlna can read generic user content. --##

--##
--gen_tunable(minidlna_read_generic_user_content, false) -- --type minidlna_t; --type minidlna_exec_t; --init_daemon_domain(minidlna_t, minidlna_exec_t) -- --type minidlna_conf_t; --files_config_file(minidlna_conf_t) -- --type minidlna_db_t; --files_type(minidlna_db_t) -- --type minidlna_initrc_exec_t; --init_script_file(minidlna_initrc_exec_t) -- --type minidlna_log_t; --logging_log_file(minidlna_log_t) -- --type minidlna_var_run_t; --files_pid_file(minidlna_var_run_t) -- --############################################### --# --# Local policy --# -- --allow minidlna_t self:process setsched; --allow minidlna_t self:tcp_socket create_stream_socket_perms; --allow minidlna_t self:udp_socket create_socket_perms; --allow minidlna_t self:netlink_route_socket r_netlink_socket_perms; --allow minidlna_t minidlna_conf_t:file read_file_perms; -- --allow minidlna_t minidlna_db_t:dir { create_dir_perms rw_dir_perms }; --allow minidlna_t minidlna_db_t:file manage_file_perms; -- --allow minidlna_t minidlna_log_t:file append_file_perms; --create_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t) -- --allow minidlna_t minidlna_var_run_t:file manage_file_perms; --allow minidlna_t minidlna_var_run_t:dir rw_dir_perms; --files_pid_filetrans(minidlna_t, minidlna_var_run_t, file) -- --kernel_read_fs_sysctls(minidlna_t) --kernel_read_system_state(minidlna_t) -- --corecmd_exec_bin(minidlna_t) --corecmd_exec_shell(minidlna_t) -- --corenet_all_recvfrom_netlabel(minidlna_t) --corenet_all_recvfrom_unlabeled(minidlna_t) -- --corenet_sendrecv_ssdp_server_packets(minidlna_t) --corenet_sendrecv_trivnet1_server_packets(minidlna_t) -- --corenet_tcp_bind_generic_node(minidlna_t) --corenet_tcp_bind_trivnet1_port(minidlna_t) --corenet_tcp_sendrecv_generic_if(minidlna_t) --corenet_tcp_sendrecv_generic_node(minidlna_t) --corenet_tcp_sendrecv_trivnet1_port(minidlna_t) -- --corenet_udp_bind_generic_node(minidlna_t) --corenet_udp_bind_ssdp_port(minidlna_t) --corenet_udp_sendrecv_generic_if(minidlna_t) 
--corenet_udp_sendrecv_generic_node(minidlna_t) --corenet_udp_sendrecv_ssdp_port(minidlna_t) -- --files_search_var_lib(minidlna_t) -- --auth_use_nsswitch(minidlna_t) -- --logging_search_logs(minidlna_t) -- --miscfiles_read_localization(minidlna_t) --miscfiles_read_public_files(minidlna_t) -- --tunable_policy(`minidlna_read_generic_user_content',` -- userdom_list_user_tmp(minidlna_t) -- userdom_read_user_home_content_files(minidlna_t) -- userdom_read_user_home_content_symlinks(minidlna_t) -- userdom_read_user_tmp_files(minidlna_t) -- userdom_read_user_tmp_symlinks(minidlna_t) --',` -- files_dontaudit_list_home(minidlna_t) -- files_dontaudit_list_tmp(minidlna_t) -- -- userdom_dontaudit_list_user_home_dirs(minidlna_t) -- userdom_dontaudit_list_user_tmp(minidlna_t) -- userdom_dontaudit_read_user_home_content_files(minidlna_t) -- userdom_dontaudit_read_user_tmp_files(minidlna_t) --') -diff --git a/minissdpd.fc b/minissdpd.fc -deleted file mode 100644 -index 4970404..0000000 ---- a/minissdpd.fc -+++ /dev/null -@@ -1,8 +0,0 @@ --/etc/default/minissdpd -- gen_context(system_u:object_r:minissdpd_conf_t,s0) -- --/etc/rc\.d/init\.d/minissdpd -- gen_context(system_u:object_r:minissdpd_initrc_exec_t,s0) -- --/usr/sbin/minissdpd -- gen_context(system_u:object_r:minissdpd_exec_t,s0) -- --/var/run/minissdpd\.pid -- gen_context(system_u:object_r:minissdpd_var_run_t,s0) --/var/run/minissdpd\.sock -s gen_context(system_u:object_r:minissdpd_var_run_t,s0) -diff --git a/minissdpd.if b/minissdpd.if -deleted file mode 100644 -index b330161..0000000 ---- a/minissdpd.if -+++ /dev/null -@@ -1,58 +0,0 @@ --## Daemon used by MiniUPnPc to speed up device discoveries. -- --######################################## --## --## Read minissdpd configuration files. --## --## --## --## Domain allowed access. 
--## --## --# --interface(`minissdpd_read_config',` -- gen_require(` -- type minissdpd_conf_t; -- ') -- -- files_search_etc($1) -- allow $1 minissdpd_conf_t:file read_file_perms; --') -- --######################################## --## --## All of the rules required to --## administrate an minissdpd environment. --## --## --## --## Domain allowed access. --## --## --## --## --## Role allowed access. --## --## --## --# --interface(`minissdpd_admin',` -- gen_require(` -- type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t; -- type minissdpd_var_run_t -- ') -- -- allow $1 minissdpd_t:process { ptrace signal_perms }; -- ps_process_pattern($1, minissdpd_t) -- -- init_labeled_script_domtrans($1, minissdpd_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 minissdpd_initrc_exec_t system_r; -- allow $2 system_r; -- -- files_search_etc($1) -- admin_pattern($1, minissdpd_conf_t) -- -- files_search_pids($1) -- admin_pattern($1, minissdpd_var_run_t) --') -diff --git a/minissdpd.te b/minissdpd.te -deleted file mode 100644 -index 34d75a7..0000000 ---- a/minissdpd.te -+++ /dev/null -@@ -1,51 +0,0 @@ --policy_module(minissdpd, 1.0.0) -- --######################################## --# --# Declarations --# -- --type minissdpd_t; --type minissdpd_exec_t; --init_daemon_domain(minissdpd_t, minissdpd_exec_t) -- --type minissdpd_initrc_exec_t; --init_script_file(minissdpd_initrc_exec_t) -- --type minissdpd_conf_t; --files_config_file(minissdpd_conf_t) -- --type minissdpd_var_run_t; --files_pid_file(minissdpd_var_run_t) -- --######################################## --# --# Local policy --# -- --allow minissdpd_t self:capability { sys_module net_admin }; --allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms; --allow minissdpd_t self:udp_socket create_socket_perms; --allow minissdpd_t self:unix_dgram_socket create_socket_perms; -- --allow minissdpd_t minissdpd_var_run_t:file manage_file_perms; --allow minissdpd_t minissdpd_var_run_t:sock_file 
manage_sock_file_perms; --files_pid_filetrans(minissdpd_t, minissdpd_var_run_t, { file sock_file }) -- --kernel_load_module(minissdpd_t) --kernel_read_network_state(minissdpd_t) --kernel_request_load_module(minissdpd_t) -- --corenet_all_recvfrom_unlabeled(minissdpd_t) --corenet_all_recvfrom_netlabel(minissdpd_t) --corenet_udp_sendrecv_generic_if(minissdpd_t) --corenet_udp_sendrecv_generic_node(minissdpd_t) --corenet_udp_bind_generic_node(minissdpd_t) -- --corenet_sendrecv_ssdp_server_packets(minissdpd_t) --corenet_udp_bind_ssdp_port(minissdpd_t) --corenet_udp_sendrecv_ssdp_port(minissdpd_t) -- --logging_send_syslog_msg(minissdpd_t) -- --miscfiles_read_localization(minissdpd_t) -\ No newline at end of file diff --git a/mip6d.fc b/mip6d.fc new file mode 100644 index 0000000..767bbad @@ -48059,9 +44874,15 @@ index b1ac8b5..9b22bea 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index d15eb5b..25f2cfe 100644 +index cb4c13d..25f2cfe 100644 --- a/modemmanager.te +++ b/modemmanager.te +@@ -1,4 +1,4 @@ +-policy_module(modemmanager, 1.1.1) ++policy_module(modemmanager, 1.2.1) + + ######################################## + # @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) typealias modemmanager_t alias ModemManager_t; typealias modemmanager_exec_t alias ModemManager_exec_t; @@ -48099,6 +44920,12 @@ index d15eb5b..25f2cfe 100644 logging_send_syslog_msg(modemmanager_t) +@@ -54,4 +59,5 @@ optional_policy(` + + optional_policy(` + udev_read_db(modemmanager_t) ++ udev_manage_pid_files(modemmanager_t) + ') diff --git a/mojomojo.if b/mojomojo.if index 73952f4..b19a6ee 100644 --- a/mojomojo.if @@ -48112,15 +44939,10 @@ index 73952f4..b19a6ee 100644 interface(`mojomojo_admin',` refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.') diff --git a/mojomojo.te b/mojomojo.te -index b94102e..3652584 100644 +index 7e534cf..3652584 100644 --- a/mojomojo.te 
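Review bot: `udev_manage_pid_files(modemmanager_t)`, added by the new inner hunk `+@@ -54,4 +59,5 @@` right under `udev_read_db(modemmanager_t)`, lets the ModemManager domain create, write and unlink files in udev's runtime directory, a much wider footprint than the read access it sits next to. Nothing in the hunk says which denial this resolves or whether ModemManager actually creates files there rather than updating existing entries, so the grant cannot be re-checked at the next rebase. Please add a justification above the call, e.g. `# ModemManager writes udev runtime files: <which files / why — TODO fill in from the denial that motivated this>`, and narrow it to the access actually observed if full manage turns out not to be needed. The enclosing optional_policy block starts outside the hunk.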
+++ b/mojomojo.te -@@ -1,25 +1,45 @@ --policy_module(mojomojo, 1.1.0) -+policy_module(mojomojo, 1.0.1) - - ######################################## - # +@@ -5,21 +5,41 @@ policy_module(mojomojo, 1.0.1) # Declarations # @@ -48183,15 +45005,9 @@ index 6fcfc31..9e6d170 100644 /var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0) diff --git a/mongodb.te b/mongodb.te -index 169f236..c27b44b 100644 +index 4de8949..c27b44b 100644 --- a/mongodb.te +++ b/mongodb.te -@@ -1,4 +1,4 @@ --policy_module(mongodb, 1.1.0) -+policy_module(mongodb, 1.0.2) - - ######################################## - # @@ -49,13 +49,12 @@ corenet_all_recvfrom_unlabeled(mongod_t) corenet_all_recvfrom_netlabel(mongod_t) corenet_tcp_sendrecv_generic_if(mongod_t) @@ -48209,15 +45025,9 @@ index 169f236..c27b44b 100644 -miscfiles_read_localization(mongod_t) diff --git a/mono.te b/mono.te -index a6a8643..3dc493c 100644 +index d287fe9..3dc493c 100644 --- a/mono.te +++ b/mono.te -@@ -1,4 +1,4 @@ --policy_module(mono, 1.9.0) -+policy_module(mono, 1.8.1) - - ######################################## - # @@ -28,7 +28,7 @@ allow mono_domain self:process { signal getsched execheap execmem execstack }; # local policy # @@ -48241,15 +45051,9 @@ index 8fdaece..5440757 100644 files_search_pids($1) diff --git a/monop.te b/monop.te -index 5f93763..84944d1 100644 +index 4462c0e..84944d1 100644 --- a/monop.te +++ b/monop.te -@@ -1,4 +1,4 @@ --policy_module(monop, 1.8.0) -+policy_module(monop, 1.7.1) - - ######################################## - # @@ -43,7 +43,6 @@ kernel_read_kernel_sysctls(monopd_t) kernel_list_proc(monopd_t) kernel_read_proc_symlinks(monopd_t) @@ -49469,16 +46273,16 @@ index 6194b80..ecab2e6 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4..c4db163 100644 +index 6a306ee..c4db163 100644 --- a/mozilla.te +++ b/mozilla.te 
@@ -1,4 +1,4 @@ --policy_module(mozilla, 2.8.0) +-policy_module(mozilla, 2.7.4) +policy_module(mozilla, 2.6.0) ######################################## # -@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) +@@ -6,17 +6,56 @@ policy_module(mozilla, 2.7.4) # ## @@ -50613,16 +47417,10 @@ index 5fa77c7..2e01c7d 100644 domain_system_change_exemption($1) role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te -index fe72523..b8c9bf1 100644 +index 7c8afcc..b8c9bf1 100644 --- a/mpd.te +++ b/mpd.te -@@ -1,4 +1,4 @@ --policy_module(mpd, 1.1.1) -+policy_module(mpd, 1.0.4) - - ######################################## - # -@@ -7,6 +7,13 @@ policy_module(mpd, 1.1.1) +@@ -7,6 +7,13 @@ policy_module(mpd, 1.0.4) ## ##

@@ -50636,7 +47434,7 @@ index fe72523..b8c9bf1 100644 ## Determine whether mpd can traverse ## user home directories. ##

-@@ -62,6 +69,12 @@ files_type(mpd_var_lib_t) +@@ -62,18 +69,25 @@ files_type(mpd_var_lib_t) type mpd_user_data_t; userdom_user_home_content(mpd_user_data_t) # customizable @@ -50649,7 +47447,13 @@ index fe72523..b8c9bf1 100644 ######################################## # # Local policy -@@ -74,6 +87,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen }; + # + + allow mpd_t self:capability { dac_override kill setgid setuid }; +-allow mpd_t self:process { getsched setsched setrlimit signal signull }; ++allow mpd_t self:process { getsched setsched setrlimit signal signull setcap }; + allow mpd_t self:fifo_file rw_fifo_file_perms; + allow mpd_t self:unix_stream_socket { accept connectto listen }; allow mpd_t self:unix_dgram_socket sendto; allow mpd_t self:tcp_socket { accept listen }; allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -50780,16 +47584,10 @@ index 861d5e9..1c3d5a5 100644 + userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer") +') diff --git a/mplayer.te b/mplayer.te -index 0f03cd9..f92829c 100644 +index 9aca704..f92829c 100644 --- a/mplayer.te +++ b/mplayer.te -@@ -1,4 +1,4 @@ --policy_module(mplayer, 2.5.0) -+policy_module(mplayer, 2.4.4) - - ######################################## - # -@@ -11,7 +11,7 @@ policy_module(mplayer, 2.5.0) +@@ -11,7 +11,7 @@ policy_module(mplayer, 2.4.4) ## its stack executable. ##
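Review bot: The added `setcap` in `allow mpd_t self:process { getsched setsched setrlimit signal signull setcap };` arrives without a comment, and process:setcap is the permission that lets a domain rewrite its own capability sets. With `self:capability { dac_override kill setgid setuid }` kept on the same domain a few lines above, the likely reason is mpd shedding capabilities after startup, which is the harmless direction, but the permission itself does not distinguish lowering from other changes to the sets. Record the intent so a later rebase can re-check it: `# setcap: mpd adjusts its own capability sets when dropping privileges after startup (TODO confirm against the mpd build this targets)`. The Local policy block this sits in continues past the hunk.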

##
@@ -50835,31 +47633,7 @@ index 0f03cd9..f92829c 100644 allow mencoder_t self:process { execmem execstack }; ') -@@ -130,7 +129,6 @@ tunable_policy(`use_samba_home_dirs',` - allow mplayer_t self:process { signal_perms getsched }; - allow mplayer_t self:fifo_file rw_fifo_file_perms; - allow mplayer_t self:sem create_sem_perms; --allow mplayer_t self:udp_socket create_socket_perms; - - allow mplayer_t mplayer_etc_t:dir list_dir_perms; - allow mplayer_t mplayer_etc_t:file read_file_perms; -@@ -156,15 +154,6 @@ kernel_read_kernel_sysctls(mplayer_t) - corecmd_exec_bin(mplayer_t) - corecmd_exec_shell(mplayer_t) - --corenet_all_recvfrom_unlabeled(mplayer_t) --corenet_all_recvfrom_netlabel(mplayer_t) --corenet_tcp_sendrecv_generic_if(mplayer_t) --corenet_tcp_sendrecv_generic_node(mplayer_t) -- --corenet_tcp_connect_http_port(mplayer_t) --corenet_tcp_sendrecv_http_port(mplayer_t) --corenet_sendrecv_http_client_packets(mplayer_t) -- - dev_read_rand(mplayer_t) - dev_read_realtime_clock(mplayer_t) - dev_read_sound_mixer(mplayer_t) -@@ -183,7 +172,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t) +@@ -173,7 +172,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t) files_read_non_security_files(mplayer_t) files_list_home(mplayer_t) files_read_etc_runtime_files(mplayer_t) @@ -50867,7 +47641,7 @@ index 0f03cd9..f92829c 100644 fs_getattr_all_fs(mplayer_t) fs_search_auto_mountpoints(mplayer_t) -@@ -204,7 +192,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file }) +@@ -194,7 +192,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file }) userdom_manage_user_home_content_dirs(mplayer_t) userdom_manage_user_home_content_files(mplayer_t) @@ -50876,7 +47650,7 @@ index 0f03cd9..f92829c 100644 userdom_write_user_tmp_sockets(mplayer_t) -@@ -221,15 +209,15 @@ ifndef(`enable_mls',` +@@ -211,15 +209,15 @@ ifndef(`enable_mls',` fs_read_iso9660_files(mplayer_t) ') 
@@ -50896,7 +47670,7 @@ index 0f03cd9..f92829c 100644 allow mplayer_t self:process { execmem execstack }; ') -@@ -245,7 +233,7 @@ tunable_policy(`use_samba_home_dirs',` +@@ -235,7 +233,7 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_symlinks(mplayer_t) ') @@ -50936,15 +47710,9 @@ index c595094..2346458 100644 ##
## diff --git a/mrtg.te b/mrtg.te -index 65a246a..9411154 100644 +index c97c177..9411154 100644 --- a/mrtg.te +++ b/mrtg.te -@@ -1,4 +1,4 @@ --policy_module(mrtg, 1.9.0) -+policy_module(mrtg, 1.8.2) - - ######################################## - # @@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t) corecmd_exec_bin(mrtg_t) corecmd_exec_shell(mrtg_t) @@ -52184,11 +48952,11 @@ index ed81cac..837a43a 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c..bff8488 100644 +index afd2fad..bff8488 100644 --- a/mta.te +++ b/mta.te @@ -1,4 +1,4 @@ --policy_module(mta, 2.7.3) +-policy_module(mta, 2.6.5) +policy_module(mta, 2.5.0) ######################################## @@ -52214,7 +48982,7 @@ index ff1d68c..bff8488 100644 type sendmail_exec_t; mta_agent_executable(sendmail_exec_t) -@@ -43,180 +43,79 @@ role system_r types system_mail_t; +@@ -43,178 +43,79 @@ role system_r types system_mail_t; mta_base_mail_template(user) typealias user_mail_t alias { staff_mail_t sysadm_mail_t }; typealias user_mail_t alias { auditadm_mail_t secadm_mail_t }; @@ -52254,7 +49022,6 @@ index ff1d68c..bff8488 100644 - -can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t }) - --kernel_read_crypto_sysctls(user_mail_domain) -kernel_read_system_state(user_mail_domain) -kernel_read_kernel_sysctls(user_mail_domain) -kernel_read_network_state(user_mail_domain) @@ -52309,7 +49076,6 @@ index ff1d68c..bff8488 100644 - exim_domtrans(user_mail_domain) - exim_manage_log(user_mail_domain) - exim_manage_spool_files(user_mail_domain) -- exim_read_var_lib_files(user_mail_domain) -') - -optional_policy(` 
@@ -52390,11 +49156,11 @@ index ff1d68c..bff8488 100644 + +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) - --userdom_use_user_terminals(system_mail_t) ++ +allow system_mail_t mail_home_t:file manage_file_perms; +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file) -+ + +-userdom_use_user_terminals(system_mail_t) + +logging_append_all_logs(system_mail_t) + @@ -52432,7 +49198,7 @@ index ff1d68c..bff8488 100644 ') optional_policy(` -@@ -225,18 +124,21 @@ optional_policy(` +@@ -223,18 +124,18 @@ optional_policy(` ') optional_policy(` @@ -52451,16 +49217,18 @@ index ff1d68c..bff8488 100644 optional_policy(` - courier_stream_connect_authdaemon(system_mail_t) -+ courier_manage_spool_dirs(system_mail_t) -+ courier_manage_spool_files(system_mail_t) -+ courier_rw_spool_pipes(system_mail_t) - ') - - optional_policy(` -@@ -244,9 +146,10 @@ optional_policy(` + courier_manage_spool_dirs(system_mail_t) + courier_manage_spool_files(system_mail_t) + courier_rw_spool_pipes(system_mail_t) +@@ -245,14 +146,10 @@ optional_policy(` ') optional_policy(` +- exim_domtrans(system_mail_t) +- exim_manage_log(system_mail_t) +-') +- +-optional_policy(` - fail2ban_dontaudit_rw_stream_sockets(system_mail_t) - fail2ban_append_log(system_mail_t) - fail2ban_rw_inherited_tmp_files(system_mail_t) @@ -52471,7 +49239,7 @@ index ff1d68c..bff8488 100644 ') optional_policy(` -@@ -258,10 +161,17 @@ optional_policy(` +@@ -264,10 +161,17 @@ optional_policy(` ') optional_policy(` @@ -52489,7 +49257,7 @@ index ff1d68c..bff8488 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -272,6 +182,19 @@ optional_policy(` +@@ -278,6 +182,19 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) 
@@ -52509,7 +49277,7 @@ index ff1d68c..bff8488 100644 ') optional_policy(` -@@ -279,6 +202,10 @@ optional_policy(` +@@ -285,6 +202,10 @@ optional_policy(` ') optional_policy(` @@ -52520,7 +49288,7 @@ index ff1d68c..bff8488 100644 userdom_dontaudit_use_user_ptys(system_mail_t) optional_policy(` -@@ -287,42 +214,36 @@ optional_policy(` +@@ -293,42 +214,36 @@ optional_policy(` ') optional_policy(` @@ -52573,7 +49341,7 @@ index ff1d68c..bff8488 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -331,40 +252,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -337,40 +252,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -52622,7 +49390,7 @@ index ff1d68c..bff8488 100644 files_search_var_lib(mailserver_delivery) mailman_domtrans(mailserver_delivery) -@@ -372,6 +279,17 @@ optional_policy(` +@@ -378,6 +279,17 @@ optional_policy(` ') optional_policy(` @@ -52640,7 +49408,7 @@ index ff1d68c..bff8488 100644 postfix_rw_inherited_master_pipes(mailserver_delivery) ') -@@ -381,24 +299,176 @@ optional_policy(` +@@ -387,24 +299,176 @@ optional_policy(` ######################################## # @@ -53155,16 +49923,17 @@ index b744fe3..e713bb6 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index b708708..0911867 100644 +index 97370e4..0911867 100644 --- a/munin.te 
+++ b/munin.te -@@ -1,4 +1,4 @@ --policy_module(munin, 1.9.1) -+policy_module(munin, 1.8.10) - - ######################################## - # -@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t) +@@ -37,44 +37,47 @@ munin_plugin_template(disk) + munin_plugin_template(mail) + munin_plugin_template(selinux) + munin_plugin_template(services) ++ ++type services_munin_plugin_tmpfs_t; ++files_tmpfs_file(services_munin_plugin_tmpfs_t) ++ munin_plugin_template(system) munin_plugin_template(unconfined) @@ -53213,7 +49982,7 @@ index b708708..0911867 100644 optional_policy(` nscd_use(munin_plugin_domain) -@@ -118,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) +@@ -114,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) @@ -53222,7 +49991,7 @@ index b708708..0911867 100644 manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) -@@ -134,7 +133,6 @@ kernel_read_all_sysctls(munin_t) +@@ -130,7 +133,6 @@ kernel_read_all_sysctls(munin_t) corecmd_exec_bin(munin_t) corecmd_exec_shell(munin_t) @@ -53230,7 +49999,7 @@ index b708708..0911867 100644 corenet_all_recvfrom_netlabel(munin_t) corenet_tcp_sendrecv_generic_if(munin_t) corenet_tcp_sendrecv_generic_node(munin_t) -@@ -157,7 +155,6 @@ domain_use_interactive_fds(munin_t) +@@ -153,7 +155,6 @@ domain_use_interactive_fds(munin_t) domain_read_all_domains_state(munin_t) files_read_etc_runtime_files(munin_t) @@ -53238,7 +50007,7 @@ index b708708..0911867 100644 files_list_spool(munin_t) fs_getattr_all_fs(munin_t) -@@ -169,7 +166,6 @@ logging_send_syslog_msg(munin_t) +@@ -165,7 +166,6 @@ logging_send_syslog_msg(munin_t) logging_read_all_logs(munin_t) miscfiles_read_fonts(munin_t) 
@@ -53246,7 +50015,7 @@ index b708708..0911867 100644 miscfiles_setattr_fonts_cache_dirs(munin_t) sysnet_exec_ifconfig(munin_t) -@@ -177,13 +173,6 @@ sysnet_exec_ifconfig(munin_t) +@@ -173,13 +173,6 @@ sysnet_exec_ifconfig(munin_t) userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_search_user_home_dirs(munin_t) @@ -53260,7 +50029,7 @@ index b708708..0911867 100644 optional_policy(` cron_system_entry(munin_t, munin_exec_t) -@@ -217,7 +206,6 @@ optional_policy(` +@@ -213,7 +206,6 @@ optional_policy(` optional_policy(` postfix_list_spool(munin_t) @@ -53268,7 +50037,7 @@ index b708708..0911867 100644 ') optional_policy(` -@@ -246,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; +@@ -242,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -53296,7 +50065,7 @@ index b708708..0911867 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -272,6 +262,10 @@ optional_policy(` +@@ -268,6 +262,10 @@ optional_policy(` fstools_exec(disk_munin_plugin_t) ') @@ -53307,7 +50076,7 @@ index b708708..0911867 100644 #################################### # # Mail local policy -@@ -279,27 +273,38 @@ optional_policy(` +@@ -275,27 +273,38 @@ optional_policy(` allow mail_munin_plugin_t self:capability dac_override; 
@@ -53350,15 +50119,17 @@ index b708708..0911867 100644 ') optional_policy(` -@@ -326,7 +331,6 @@ allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; - - manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t) - manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t) --fs_tmpfs_filetrans(services_munin_plugin_t, services_munin_plugin_tmpfs_t, { dir file }) +@@ -320,6 +329,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; + allow services_munin_plugin_t self:udp_socket create_socket_perms; + allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; ++manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t) ++manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t) ++ corenet_sendrecv_all_client_packets(services_munin_plugin_t) corenet_tcp_connect_all_ports(services_munin_plugin_t) -@@ -339,7 +343,7 @@ dev_read_rand(services_munin_plugin_t) + corenet_tcp_connect_http_port(services_munin_plugin_t) +@@ -331,7 +343,7 @@ dev_read_rand(services_munin_plugin_t) sysnet_read_config(services_munin_plugin_t) optional_policy(` @@ -53367,7 +50138,7 @@ index b708708..0911867 100644 ') optional_policy(` -@@ -348,6 +352,10 @@ optional_policy(` +@@ -340,6 +352,10 @@ optional_policy(` ') optional_policy(` @@ -53378,7 +50149,7 @@ index b708708..0911867 100644 lpd_exec_lpr(services_munin_plugin_t) ') -@@ -361,7 +369,11 @@ optional_policy(` +@@ -353,7 +369,11 @@ optional_policy(` ') optional_policy(` 
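Review bot: `manage_files_pattern`/`manage_dirs_pattern` on `services_munin_plugin_tmpfs_t`, added by the new inner hunk `+@@ -320,6 +329,9 @@`, have no matching file transition: the `fs_tmpfs_filetrans(services_munin_plugin_t, services_munin_plugin_tmpfs_t, { dir file })` that the previous version of this patch stripped from upstream is not re-added here, and the type is now declared by the patch itself at `@@ -53155,16 +49923,17 @@`. Without a tmpfs transition, anything the plugin creates in tmpfs keeps the filesystem's default label, so unless another hunk outside this one labels those objects the two manage rules appear unreachable. Please confirm which it is and either add the transition or drop the rules; a marker such as `# TODO(review): no fs_tmpfs_filetrans for services_munin_plugin_tmpfs_t — verify these rules are reachable` would at least record the open question. The services plugin local-policy block continues outside the hunk.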
@@ -53391,7 +50162,7 @@ index b708708..0911867 100644 ') optional_policy(` -@@ -393,6 +405,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) +@@ -385,6 +405,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) kernel_read_network_state(system_munin_plugin_t) kernel_read_all_sysctls(system_munin_plugin_t) @@ -53399,7 +50170,7 @@ index b708708..0911867 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -421,3 +434,32 @@ optional_policy(` +@@ -413,3 +434,32 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') @@ -53433,14 +50204,13 @@ index b708708..0911867 100644 + apache_search_sys_content(munin_t) +') diff --git a/mysql.fc b/mysql.fc -index 06f8666..297f831 100644 +index c48dc17..297f831 100644 --- a/mysql.fc +++ b/mysql.fc -@@ -1,12 +1,25 @@ +@@ -1,11 +1,25 @@ -HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) - -/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) --/etc/my\.cnf\.d(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0) -/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0) - -/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) @@ -53471,7 +50241,7 @@ index 06f8666..297f831 100644 /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) -@@ -14,14 +27,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) +@@ -13,13 +27,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) 
@@ -53486,7 +50256,6 @@ index 06f8666..297f831 100644 +/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) +/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) --/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) -/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) +/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) +/var/log/mysql.* gen_context(system_u:object_r:mysqld_log_t,s0) @@ -54050,16 +50819,16 @@ index 687af38..a77dc09 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe..dfca76c 100644 +index 9f6179e..dfca76c 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ --policy_module(mysql, 1.14.1) +-policy_module(mysql, 1.13.5) +policy_module(mysql, 1.13.0) ######################################## # -@@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1) +@@ -6,20 +6,15 @@ policy_module(mysql, 1.13.5) # ## @@ -54101,7 +50870,7 @@ index 7584bbe..dfca76c 100644 type mysqld_initrc_exec_t; init_script_file(mysqld_initrc_exec_t) -@@ -62,24 +59,24 @@ files_pid_file(mysqlmanagerd_var_run_t) +@@ -62,27 +59,29 @@ files_pid_file(mysqlmanagerd_var_run_t) # Local policy # 
@@ -54131,9 +50900,16 @@ index 7584bbe..dfca76c 100644 allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms; +allow mysqld_t mysqld_etc_t:dir list_dir_perms; - manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) - manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) -@@ -95,50 +92,60 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +-allow mysqld_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +-logging_log_filetrans(mysqld_t, mysqld_log_t, file) ++manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) ++manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) ++manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) ++logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file }) + + manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) + manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) +@@ -93,50 +92,60 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) @@ -54211,7 +50987,7 @@ index 7584bbe..dfca76c 100644 ') optional_policy(` -@@ -146,6 +153,10 @@ optional_policy(` +@@ -144,6 +153,10 @@ optional_policy(` ') optional_policy(` @@ -54222,7 +50998,7 @@ index 7584bbe..dfca76c 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -155,31 +166,25 @@ optional_policy(` +@@ -153,29 +166,25 @@ optional_policy(` ####################################### # 
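Review bot: For the mysqld log rules the rebase trades upstream's `allow mysqld_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };` for `manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)` (plus manage_dirs/manage_lnk_files), so the server domain gains write, rename and unlink on its own log files where upstream only allowed appending, creating and setattr. That drops the append-only property that stops a compromised or misbehaving mysqld from truncating or removing its error and slow-query logs, and the hunk does not say which denial required the wider rule. If the daemon genuinely rotates or renames its own logs, keep the manage rules but say so next to them, e.g. `# mysqld renames/rotates its own log files, append-only is not enough — TODO cite the denial`; otherwise keep the dir and lnk_file rules and restore the append/create/setattr form for files. The `@@ -54247,10 +51023,10 @@` hunk makes the same exchange for mysqld_safe_t (`manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)` in place of the append/create/setattr rule) and should carry the same justification.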
@@ -54247,10 +51023,10 @@ index 7584bbe..dfca76c 100644 -allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms; +domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) - list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) --manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) - manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +-allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) ++list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) ++manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) @@ -54261,7 +51037,7 @@ index 7584bbe..dfca76c 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,21 +192,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -183,21 +192,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -54277,9 +51053,9 @@ index 7584bbe..dfca76c 100644 +files_dontaudit_access_check_root(mysqld_safe_t) files_dontaudit_search_all_mountpoints(mysqld_safe_t) +files_dontaudit_getattr_all_dirs(mysqld_safe_t) -+ -+files_write_root_dirs(mysqld_safe_t) ++files_write_root_dirs(mysqld_safe_t) ++ +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) logging_send_syslog_msg(mysqld_safe_t) @@ -54297,7 +51073,7 @@ index 7584bbe..dfca76c 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -209,7 +222,7 @@ optional_policy(` +@@ -205,7 +222,7 @@ optional_policy(` ######################################## # 
@@ -54306,7 +51082,7 @@ index 7584bbe..dfca76c 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -218,11 +231,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -214,11 +231,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -54324,7 +51100,7 @@ index 7584bbe..dfca76c 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -230,31 +244,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -226,31 +244,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -55007,15 +51783,9 @@ index 0641e97..cad402c 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 7b3e682..39bcd98 100644 +index 44ad3b7..39bcd98 100644 --- a/nagios.te +++ b/nagios.te -@@ -1,4 +1,4 @@ --policy_module(nagios, 1.13.0) -+policy_module(nagios, 1.12.3) - - ######################################## - # @@ -27,7 +27,7 @@ type nagios_var_run_t; files_pid_file(nagios_var_run_t) @@ -55421,15 +52191,9 @@ index db9578f..4309e3d 100644 ') + diff --git a/ncftool.te b/ncftool.te -index 71f30ba..c8baed2 100644 +index b13c0b1..c8baed2 100644 --- a/ncftool.te +++ b/ncftool.te -@@ -1,4 +1,4 @@ --policy_module(ncftool, 1.2.0) -+policy_module(ncftool, 1.1.2) - - ######################################## - # @@ -22,6 +22,7 @@ role ncftool_roles types ncftool_t; allow ncftool_t self:capability net_admin; @@ -55478,15 +52242,9 @@ index 71f30ba..c8baed2 100644 optional_policy(` diff --git a/nessus.te b/nessus.te -index fe1068b..173a2c0 100644 +index 56c0fbd..173a2c0 100644 --- a/nessus.te 
+++ b/nessus.te -@@ -1,4 +1,4 @@ --policy_module(nessus, 1.9.0) -+policy_module(nessus, 1.8.1) - - ######################################## - # @@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(nessusd_t) corecmd_exec_bin(nessusd_t) @@ -55513,10 +52271,10 @@ index fe1068b..173a2c0 100644 userdom_dontaudit_use_unpriv_user_fds(nessusd_t) diff --git a/networkmanager.fc b/networkmanager.fc -index 94b9734..dfb99d2 100644 +index a1fb3c3..dfb99d2 100644 --- a/networkmanager.fc +++ b/networkmanager.fc -@@ -1,44 +1,47 @@ +@@ -1,43 +1,47 @@ -/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -55548,7 +52306,6 @@ index 94b9734..dfb99d2 100644 +/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) --/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) -/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) +/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) @@ -55589,7 +52346,7 @@ index 94b9734..dfb99d2 100644 +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 86dc29d..9b302e8 100644 +index 0e8508c..9b302e8 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ @@ -55727,72 +52484,50 @@ index 86dc29d..9b302e8 100644 ##
## ## -@@ -133,29 +158,31 @@ interface(`networkmanager_dbus_chat',` - allow NetworkManager_t $1:dbus send_msg; - ') +@@ -135,7 +160,29 @@ interface(`networkmanager_dbus_chat',` --####################################### -+######################################## + ######################################## ## --## Read metworkmanager process state files. +-## Send generic signals to networkmanager. +## Do not audit attempts to send and +## receive messages from NetworkManager +## over dbus. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`networkmanager_read_state',` ++## ++## ++# +interface(`networkmanager_dontaudit_dbus_chat',` - gen_require(` - type NetworkManager_t; ++ gen_require(` ++ type NetworkManager_t; + class dbus send_msg; - ') - -- allow $1 NetworkManager_t:dir search_dir_perms; -- allow $1 NetworkManager_t:file read_file_perms; -- allow $1 NetworkManager_t:lnk_file read_lnk_file_perms; ++ ') ++ + dontaudit $1 NetworkManager_t:dbus send_msg; + dontaudit NetworkManager_t $1:dbus send_msg; - ') - - ######################################## - ## --## Send generic signals to networkmanager. ++') ++ ++######################################## ++## +## Send a generic signal to NetworkManager ## ## ## -@@ -173,8 +200,7 @@ interface(`networkmanager_signal',` +@@ -153,7 +200,7 @@ interface(`networkmanager_signal',` ######################################## ## --## Create, read, and write --## networkmanager library files. +-## Read networkmanager lib files. +## Read NetworkManager lib files. 
## ## ## -@@ -182,18 +208,38 @@ interface(`networkmanager_signal',` - ## - ## - # --interface(`networkmanager_manage_lib_files',` -+interface(`networkmanager_read_lib_files',` - gen_require(` - type NetworkManager_var_lib_t; - ') +@@ -171,9 +218,28 @@ interface(`networkmanager_read_lib_files',` + read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) + ') - files_search_var_lib($1) -- manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -+ list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -+ read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -+') -+ +####################################### +## +## Read NetworkManager conf files. 
@@ -55810,70 +52545,64 @@ index 86dc29d..9b302e8 100644 + + allow $1 NetworkManager_etc_t:dir list_dir_perms; + read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t) - ') - ++') ++ ######################################## ## --## Read networkmanager lib files. +-## Append networkmanager log files. +## Read NetworkManager PID files. ## ## ## -@@ -201,19 +247,18 @@ interface(`networkmanager_manage_lib_files',` +@@ -181,19 +247,18 @@ interface(`networkmanager_read_lib_files',` ## ## # --interface(`networkmanager_read_lib_files',` +-interface(`networkmanager_append_log_files',` +interface(`networkmanager_read_pid_files',` gen_require(` -- type NetworkManager_var_lib_t; +- type NetworkManager_log_t; + type NetworkManager_var_run_t; ') -- files_search_var_lib($1) -- list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -- read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) +- logging_search_logs($1) +- allow $1 NetworkManager_log_t:dir list_dir_perms; +- append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) + files_search_pids($1) + read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) ') ######################################## ## --## Append networkmanager log files. +-## Read networkmanager pid files. +## Manage NetworkManager PID files. 
## ## ## -@@ -221,19 +266,18 @@ interface(`networkmanager_read_lib_files',` +@@ -201,25 +266,97 @@ interface(`networkmanager_append_log_files',` ## ## # --interface(`networkmanager_append_log_files',` +-interface(`networkmanager_read_pid_files',` +interface(`networkmanager_manage_pid_files',` - gen_require(` -- type NetworkManager_log_t; ++ gen_require(` + type NetworkManager_var_run_t; - ') - -- logging_search_logs($1) -- allow $1 NetworkManager_log_t:dir list_dir_perms; -- append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) ++ ') ++ + files_search_pids($1) + manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) - ') - - ######################################## - ## --## Read networkmanager pid files. ++') ++ ++######################################## ++## +## Manage NetworkManager PID sock files. - ## - ## - ## -@@ -241,45 +285,78 @@ interface(`networkmanager_append_log_files',` - ## - ## - # --interface(`networkmanager_read_pid_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`networkmanager_manage_pid_sock_files',` gen_require(` type NetworkManager_var_run_t; @@ -55884,22 +52613,18 @@ index 86dc29d..9b302e8 100644 + manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) ') --#################################### -+######################################## + ######################################## ## --## Connect to networkmanager over --## a unix domain stream socket. +-## All of the rules required to +-## administrate an networkmanager environment. +## Create objects in /etc with a private +## type using a type_transition. ## ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## -+## + ## + ## Domain allowed access. + ## + ## +## +## +## Private file type. 
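Review bot: `read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)` in the new `networkmanager_read_conf_files` body drops the spaces after the commas, unlike every other pattern call in this file (`read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)` a few lines further down); write it `read_files_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t)`. The sibling `networkmanager_read_pid_files` pairs its pattern with `files_search_pids($1)`, whereas this interface grants nothing for reaching the parent directory, so a caller that does not already search /etc gets a dir search denial rather than the read; unless that is intended, add `files_search_etc($1)` before the allow line. The interface's header and gen_require start before this hunk.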
@@ -55914,31 +52639,25 @@ index 86dc29d..9b302e8 100644 +## +## The name of the object being created. +## - ## - # --interface(`networkmanager_stream_connect',` ++## ++# +interface(`networkmanager_pid_filetrans',` - gen_require(` -- type NetworkManager_t, NetworkManager_var_run_t; ++ gen_require(` + type NetworkManager_var_run_t; - ') - -- files_search_pids($1) -- stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t) ++ ') ++ + filetrans_pattern($1, NetworkManager_var_run_t, $2, $3, $4) - ') - - ######################################## - ## --## All of the rules required to --## administrate an networkmanager environment. ++') ++ ++######################################## ++## +## Delete NetworkManager PID files. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`networkmanager_delete_pid_files',` + gen_require(` @@ -55962,7 +52681,7 @@ index 86dc29d..9b302e8 100644 ## ## ## Role allowed access. -@@ -287,33 +364,170 @@ interface(`networkmanager_stream_connect',` +@@ -227,33 +364,170 @@ interface(`networkmanager_read_pid_files',` ## ## # @@ -56153,11 +52872,11 @@ index 86dc29d..9b302e8 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..9e9b2dc 100644 +index 0b48a30..9e9b2dc 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ --policy_module(networkmanager, 1.15.2) +-policy_module(networkmanager, 1.14.7) +policy_module(networkmanager, 1.14.0) ######################################## 
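Review bot: The description of `networkmanager_pid_filetrans` says it creates objects in /etc, but the body is `filetrans_pattern($1, NetworkManager_var_run_t, $2, $3, $4)`, a type transition inside the NetworkManager PID directory type, so the summary misleads anyone choosing between this and a real /etc transition. Change it to `## Create objects in the NetworkManager PID directory with a private type using a type_transition.` The summary sits in hunk @@ -55884,22 +52613,18 @@ and the body in this one, so the two need to be read together to see the mismatch.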
@@ -56188,7 +52907,7 @@ index 55f2009..9e9b2dc 100644 # Local policy # --allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock }; +-allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock }; -dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace }; -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; +# networkmanager will ptrace itself if gdb is installed @@ -56519,13 +53238,12 @@ index 55f2009..9e9b2dc 100644 ') optional_policy(` -@@ -320,14 +380,19 @@ optional_policy(` +@@ -320,13 +380,19 @@ optional_policy(` ') optional_policy(` - udev_exec(NetworkManager_t) - udev_read_db(NetworkManager_t) -- udev_read_pid_files(NetworkManager_t) + systemd_write_inhibit_pipes(NetworkManager_t) + systemd_read_logind_sessions_files(NetworkManager_t) + systemd_dbus_chat_logind(NetworkManager_t) @@ -56544,7 +53262,7 @@ index 55f2009..9e9b2dc 100644 ') optional_policy(` -@@ -357,6 +422,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +422,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -56993,11 +53711,11 @@ index 46e55c3..6e4e061 100644 + allow $1 nis_unit_file_t:service all_service_perms; ') diff --git a/nis.te b/nis.te -index 3a6b035..6aeb9dd 100644 +index 3e4a31c..6aeb9dd 100644 --- a/nis.te +++ b/nis.te @@ -1,12 +1,10 @@ --policy_module(nis, 1.12.0) +-policy_module(nis, 1.11.1) +policy_module(nis, 1.11.0) ######################################## @@ -58076,11 +54794,11 @@ index 8f2ab09..bc2c7fe 100644 + allow $1 nscd_unit_file_t:service all_service_perms; ') diff --git a/nscd.te b/nscd.te -index bcd7d0a..2bbc3a6 100644 +index df4c10f..2bbc3a6 100644 --- a/nscd.te +++ b/nscd.te 
@@ -1,36 +1,37 @@ --policy_module(nscd, 1.11.0) +-policy_module(nscd, 1.10.3) +policy_module(nscd, 1.10.0) gen_require(` @@ -58387,11 +55105,11 @@ index a9c60ff..ad4f14a 100644 + refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/nsd.te b/nsd.te -index 47bb1d2..b3662dd 100644 +index dde7f42..b3662dd 100644 --- a/nsd.te +++ b/nsd.te @@ -1,4 +1,4 @@ --policy_module(nsd, 1.8.0) +-policy_module(nsd, 1.7.1) +policy_module(nsd, 1.7.0) ######################################## @@ -58686,11 +55404,11 @@ index 97df768..852d1c6 100644 + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') diff --git a/nslcd.te b/nslcd.te -index 421bf1a..c37998e 100644 +index a3e56f0..c37998e 100644 --- a/nslcd.te +++ b/nslcd.te @@ -1,4 +1,4 @@ --policy_module(nslcd, 1.4.1) +-policy_module(nslcd, 1.3.1) +policy_module(nslcd, 1.3.0) ######################################## @@ -58712,7 +55430,7 @@ index 421bf1a..c37998e 100644 allow nslcd_t nslcd_conf_t:file read_file_perms; -@@ -36,16 +36,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) +@@ -36,14 +36,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) kernel_read_system_state(nslcd_t) @@ -58726,13 +55444,11 @@ index 421bf1a..c37998e 100644 -corenet_sendrecv_ldap_client_packets(nslcd_t) corenet_tcp_connect_ldap_port(nslcd_t) -corenet_tcp_sendrecv_ldap_port(nslcd_t) -- --dev_read_sysfs(nslcd_t) +corenet_sendrecv_ldap_client_packets(nslcd_t) files_read_usr_symlinks(nslcd_t) files_list_tmp(nslcd_t) -@@ -54,10 +50,14 @@ auth_use_nsswitch(nslcd_t) +@@ -52,10 +50,14 @@ auth_use_nsswitch(nslcd_t) logging_send_syslog_msg(nslcd_t) @@ -59570,15 +56286,9 @@ index 0000000..7d839fe + pulseaudio_setattr_home_dir(nsplugin_t) +') diff --git a/ntop.te b/ntop.te -index 8ec7859..0f7f5e4 100644 +index 52757d8..0f7f5e4 100644 --- a/ntop.te +++ b/ntop.te -@@ -1,4 +1,4 @@ --policy_module(ntop, 1.10.0) -+policy_module(ntop, 1.9.2) - - ######################################## - # 
@@ -33,6 +33,7 @@ allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin }; dontaudit ntop_t self:capability sys_tty_config; allow ntop_t self:process signal_perms; @@ -59622,7 +56332,7 @@ index af3c91e..6882a3f 100644 /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) diff --git a/ntp.if b/ntp.if -index e96a309..24f45be 100644 +index b59196f..24f45be 100644 --- a/ntp.if +++ b/ntp.if @@ -1,4 +1,4 @@ @@ -59671,7 +56381,7 @@ index e96a309..24f45be 100644 ') ######################################## -@@ -98,23 +117,46 @@ interface(`ntp_initrc_domtrans',` +@@ -98,6 +117,48 @@ interface(`ntp_initrc_domtrans',` init_labeled_script_domtrans($1, ntpd_initrc_exec_t) ') @@ -59694,37 +56404,33 @@ index e96a309..24f45be 100644 + allow $1 ntpd_unit_file_t:file read_file_perms; +') + - ######################################## - ## --## Read ntp drift files. ++######################################## ++## +## Execute ntpd server in the ntpd domain. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain allowed to transition. - ## - ## - # --interface(`ntp_read_drift_files',` ++## ++## ++# +interface(`ntp_systemctl',` - gen_require(` -- type ntp_drift_t; ++ gen_require(` + type ntpd_unit_file_t; + type ntpd_t; - ') - -- files_search_var_lib($1) -- read_files_pattern($1, ntp_drift_t, ntp_drift_t) ++ ') ++ + systemd_exec_systemctl($1) + allow $1 ntpd_unit_file_t:file read_file_perms; + allow $1 ntpd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, ntpd_t) - ') - ++') ++ ######################################## -@@ -141,8 +183,27 @@ interface(`ntp_rw_shm',` + ## + ## Read and write ntpd shared memory. +@@ -122,8 +183,27 @@ interface(`ntp_rw_shm',` ######################################## ## @@ -59754,7 +56460,7 @@ index e96a309..24f45be 100644 ## ## ## -@@ -151,7 +212,7 @@ interface(`ntp_rw_shm',` +@@ -132,7 +212,7 @@ interface(`ntp_rw_shm',` ## ## ## 
@@ -59763,7 +56469,7 @@ index e96a309..24f45be 100644 ## ## ## -@@ -159,20 +220,22 @@ interface(`ntp_rw_shm',` +@@ -140,20 +220,22 @@ interface(`ntp_rw_shm',` interface(`ntp_admin',` gen_require(` type ntpd_t, ntpd_tmp_t, ntpd_log_t; @@ -59786,18 +56492,12 @@ index e96a309..24f45be 100644 allow $2 system_r; - files_list_etc($1) -- admin_pattern($1, { ntpd_key_t ntp_conf_t }) +- admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t }) + admin_pattern($1, ntpd_key_t) logging_list_logs($1) admin_pattern($1, ntpd_log_t) -@@ -180,11 +243,33 @@ interface(`ntp_admin',` - files_list_tmp($1) - admin_pattern($1, ntpd_tmp_t) - -- files_list_var_lib($1) -- admin_pattern($1, ntp_drift_t) -- +@@ -164,5 +246,30 @@ interface(`ntp_admin',` files_list_pids($1) admin_pattern($1, ntpd_var_run_t) @@ -59830,15 +56530,9 @@ index e96a309..24f45be 100644 + files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod") ') diff --git a/ntp.te b/ntp.te -index f81b113..ae081d4 100644 +index b90e343..ae081d4 100644 --- a/ntp.te +++ b/ntp.te -@@ -1,4 +1,4 @@ --policy_module(ntp, 1.11.0) -+policy_module(ntp, 1.10.3) - - ######################################## - # @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; type ntpd_initrc_exec_t; init_script_file(ntpd_initrc_exec_t) @@ -60031,16 +56725,16 @@ index 0d3c270..709dda1 100644 + ') ') diff --git a/numad.te b/numad.te -index b0a1be4..f050103 100644 +index f5d145d..f050103 100644 --- a/numad.te +++ b/numad.te @@ -1,4 +1,4 @@ --policy_module(numad, 1.1.0) +-policy_module(numad, 1.0.3) +policy_module(numad, 1.0.0) ######################################## # -@@ -8,37 +8,44 @@ policy_module(numad, 1.1.0) +@@ -8,37 +8,44 @@ policy_module(numad, 1.0.3) type numad_t; type numad_exec_t; init_daemon_domain(numad_t, numad_exec_t) @@ -60223,16 +56917,16 @@ index 57c0161..4534676 100644 + ps_process_pattern($1, nut_t) ') diff --git a/nut.te b/nut.te -index 5b2cb0d..8ee90b0 100644 +index 0c9deb7..8ee90b0 100644 --- a/nut.te +++ b/nut.te 
@@ -1,4 +1,4 @@ --policy_module(nut, 1.3.0) +-policy_module(nut, 1.2.4) +policy_module(nut, 1.2.0) ######################################## # -@@ -7,131 +7,124 @@ policy_module(nut, 1.3.0) +@@ -7,131 +7,124 @@ policy_module(nut, 1.2.4) attribute nut_domain; @@ -60499,15 +57193,9 @@ index 251d681..50ae2a9 100644 + filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh") +') diff --git a/nx.te b/nx.te -index 091f872..d181d03 100644 +index b1832ca..d181d03 100644 --- a/nx.te +++ b/nx.te -@@ -1,4 +1,4 @@ --policy_module(nx, 1.7.0) -+policy_module(nx, 1.6.1) - - ######################################## - # @@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t) type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) @@ -60550,15 +57238,9 @@ index 091f872..d181d03 100644 sysnet_read_config(nx_server_t) diff --git a/oav.te b/oav.te -index b09c4c4..1a9e754 100644 +index 75fdf58..1a9e754 100644 --- a/oav.te +++ b/oav.te -@@ -1,4 +1,4 @@ --policy_module(oav, 1.10.0) -+policy_module(oav, 1.9.1) - - ######################################## - # @@ -95,7 +95,6 @@ dev_read_sysfs(scannerdaemon_t) domain_use_interactive_fds(scannerdaemon_t) @@ -60990,11 +57672,11 @@ index c87bd2a..7de054a 100644 + ') ') diff --git a/oddjob.te b/oddjob.te -index e403097..edc3e32 100644 +index 296a1d3..edc3e32 100644 --- a/oddjob.te +++ b/oddjob.te @@ -1,12 +1,10 @@ --policy_module(oddjob, 1.10.0) +-policy_module(oddjob, 1.9.2) +policy_module(oddjob, 1.9.0) ######################################## 
@@ -61091,37 +57773,18 @@ index e403097..edc3e32 100644 +userdom_home_manager(oddjob_mkhomedir_t) +userdom_stream_connect(oddjob_mkhomedir_t) + -diff --git a/oident.te b/oident.te -index edfad9d..cd22d87 100644 ---- a/oident.te -+++ b/oident.te -@@ -1,4 +1,4 @@ --policy_module(oident, 2.3.0) -+policy_module(oident, 2.2.1) - - ######################################## - # -diff --git a/openca.te b/openca.te -index 0fc3a58..d808ab0 100644 ---- a/openca.te -+++ b/openca.te -@@ -1,4 +1,4 @@ --policy_module(openca, 1.3.0) -+policy_module(openca, 1.2.1) - - ######################################## - # diff --git a/openct.te b/openct.te -index 3b6920e..428ae48 100644 +index 8467596..428ae48 100644 --- a/openct.te +++ b/openct.te -@@ -1,4 +1,4 @@ --policy_module(openct, 1.6.1) -+policy_module(openct, 1.5.1) +@@ -22,18 +22,19 @@ files_pid_file(openct_var_run_t) - ######################################## - # -@@ -29,12 +29,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) + dontaudit openct_t self:capability sys_tty_config; + allow openct_t self:process signal_perms; ++allow openct_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t) + manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file }) @@ -61136,7 +57799,7 @@ index 3b6920e..428ae48 100644 dev_read_sysfs(openct_t) dev_rw_usbfs(openct_t) dev_rw_smartcard(openct_t) -@@ -42,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t) +@@ -41,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t) domain_use_interactive_fds(openct_t) @@ -61153,15 +57816,9 @@ index 3b6920e..428ae48 100644 userdom_dontaudit_search_user_home_dirs(openct_t) diff --git a/openhpi.te b/openhpi.te -index 8de6191..e66751b 100644 +index 7f398c0..e66751b 100644 --- a/openhpi.te 
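Review bot: The added `allow openct_t self:netlink_kobject_uevent_socket create_socket_perms;` has no explanation, and nothing in the surrounding context (`dontaudit ... sys_tty_config`, `allow ... signal_perms`) indicates which access it answers, so a later reviewer cannot tell whether the grant is still needed. It presumably lets the daemon receive kernel device-hotplug uevents, but that is inferred from the class name, not from the patch. Add a one-line comment above it naming the observed need, e.g. `# receives kernel uevents (reader hotplug notifications) — confirm against the denial this fixes`.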
+++ b/openhpi.te -@@ -1,4 +1,4 @@ --policy_module(openhpi, 1.1.0) -+policy_module(openhpi, 1.0.1) - - ######################################## - # @@ -50,7 +50,6 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t) dev_read_urand(openhpid_t) @@ -63137,16 +59794,10 @@ index 6837e9a..21e6dae 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 63957a3..baf76c1 100644 +index 3270ff9..baf76c1 100644 --- a/openvpn.te +++ b/openvpn.te -@@ -1,4 +1,4 @@ --policy_module(openvpn, 1.12.2) -+policy_module(openvpn, 1.11.3) - - ######################################## - # -@@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2) +@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3) # ## @@ -63160,25 +59811,22 @@ index 63957a3..baf76c1 100644 ##

## Determine whether openvpn can ## read generic user home content files. -@@ -14,12 +21,12 @@ policy_module(openvpn, 1.12.2) +@@ -13,6 +20,14 @@ policy_module(openvpn, 1.11.3) + ## gen_tunable(openvpn_enable_homedirs, false) - ## --##

--## Determine whether openvpn can --## connect to the TCP network. --##

++## +##

+## Determine whether openvpn can +## connect to the TCP network. +##

- ##
--gen_tunable(openvpn_can_network_connect, false) ++##
+gen_tunable(openvpn_can_network_connect, true) - ++ attribute_role openvpn_roles; -@@ -34,14 +41,17 @@ files_config_file(openvpn_etc_t) + type openvpn_t; +@@ -26,12 +41,18 @@ files_config_file(openvpn_etc_t) type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) @@ -63191,14 +59839,13 @@ index 63957a3..baf76c1 100644 type openvpn_status_t; logging_log_file(openvpn_status_t) --type openvpn_tmp_t; --files_tmp_file(openvpn_tmp_t) +type openvpn_var_lib_t; +files_type(openvpn_var_lib_t) - ++ type openvpn_var_log_t; logging_log_file(openvpn_var_log_t) -@@ -54,7 +64,7 @@ files_pid_file(openvpn_var_run_t) + +@@ -43,7 +64,7 @@ files_pid_file(openvpn_var_run_t) # Local policy # @@ -63207,14 +59854,13 @@ index 63957a3..baf76c1 100644 allow openvpn_t self:process { signal getsched setsched }; allow openvpn_t self:fifo_file rw_fifo_file_perms; allow openvpn_t self:unix_dgram_socket sendto; -@@ -73,13 +83,14 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) +@@ -62,10 +83,14 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) allow openvpn_t openvpn_status_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") --allow openvpn_t openvpn_tmp_t:file manage_file_perms; +manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t) - files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file) - ++files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file) ++ +manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t) +files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file }) + @@ -63226,7 +59872,7 @@ index 63957a3..baf76c1 100644 logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) -@@ -97,7 +108,6 @@ kernel_request_load_module(openvpn_t) +@@ -83,7 +108,6 @@ kernel_request_load_module(openvpn_t) corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) 
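Review bot: `gen_tunable(openvpn_can_network_connect, true)` turns the boolean on by default, and the block it guards in hunk @@ -63286,22 +59932,20 @@ is `corenet_tcp_connect_all_ports(openvpn_t)`, so a stock install lets openvpn_t name_connect to every TCP port until an administrator disables it. The description only says the boolean determines whether openvpn can connect to the TCP network, which understates the scope and hides that the default is permissive. State both so the choice is visible to policy readers: `## Determine whether openvpn can connect to any TCP port. Enabled by default; disable to restrict openvpn to the ports it specifically needs.`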
@@ -63234,7 +59880,7 @@ index 63957a3..baf76c1 100644 corenet_all_recvfrom_netlabel(openvpn_t) corenet_tcp_sendrecv_generic_if(openvpn_t) corenet_udp_sendrecv_generic_if(openvpn_t) -@@ -117,13 +127,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t) +@@ -103,13 +127,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t) corenet_sendrecv_http_server_packets(openvpn_t) corenet_tcp_bind_http_port(openvpn_t) corenet_sendrecv_http_client_packets(openvpn_t) @@ -63251,7 +59897,7 @@ index 63957a3..baf76c1 100644 corenet_rw_tun_tap_dev(openvpn_t) dev_read_rand(openvpn_t) -@@ -132,21 +144,31 @@ files_read_etc_runtime_files(openvpn_t) +@@ -118,21 +144,31 @@ files_read_etc_runtime_files(openvpn_t) fs_getattr_all_fs(openvpn_t) fs_search_auto_mountpoints(openvpn_t) @@ -63286,22 +59932,20 @@ index 63957a3..baf76c1 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -158,9 +180,11 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` +@@ -143,11 +179,25 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(openvpn_t) ') - tunable_policy(`openvpn_can_network_connect',` -- corenet_sendrecv_all_client_packets(openvpn_t) -- corenet_tcp_connect_all_ports(openvpn_t) -- corenet_tcp_sendrecv_all_ports(openvpn_t) ++tunable_policy(`openvpn_can_network_connect',` + corenet_tcp_connect_all_ports(openvpn_t) +') + +optional_policy(` + brctl_domtrans(openvpn_t) - ') - ++') ++ optional_policy(` -@@ -168,6 +192,12 @@ optional_policy(` + daemontools_service_domain(openvpn_t, openvpn_exec_t) ') optional_policy(` @@ -63314,7 +59958,7 @@ index 63957a3..baf76c1 100644 dbus_system_bus_client(openvpn_t) dbus_connect_system_bus(openvpn_t) -@@ -175,3 +205,27 @@ optional_policy(` +@@ -155,3 +205,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') @@ -63643,11 +60287,11 @@ index 9b15730..eedd136 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99..452ad74 100644 +index 508fedf..452ad74 100644 
--- a/openvswitch.te +++ b/openvswitch.te @@ -1,4 +1,4 @@ --policy_module(openvswitch, 1.1.1) +-policy_module(openvswitch, 1.0.1) +policy_module(openvswitch, 1.0.0) ######################################## @@ -63666,7 +60310,13 @@ index 44dbc99..452ad74 100644 type openvswitch_var_lib_t; files_type(openvswitch_var_lib_t) -@@ -27,20 +24,28 @@ files_tmp_file(openvswitch_tmp_t) +@@ -21,23 +18,34 @@ files_type(openvswitch_var_lib_t) + type openvswitch_log_t; + logging_log_file(openvswitch_log_t) + ++type openvswitch_tmp_t; ++files_tmp_file(openvswitch_tmp_t) ++ type openvswitch_var_run_t; files_pid_file(openvswitch_var_run_t) @@ -63703,7 +60353,7 @@ index 44dbc99..452ad74 100644 manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) -@@ -48,9 +53,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l +@@ -45,45 +53,57 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file }) manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) 
@@ -63714,7 +60364,14 @@ index 44dbc99..452ad74 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -65,33 +68,42 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ ++manage_dirs_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) ++manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) ++manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) ++files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir }) ++ + manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) + manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) + manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) @@ -64532,15 +61189,10 @@ index 9682d9a..d47f913 100644 + ') ') diff --git a/pacemaker.te b/pacemaker.te -index 6e6efb6..993c92c 100644 +index 3dd8ada..993c92c 100644 --- a/pacemaker.te +++ b/pacemaker.te -@@ -1,10 +1,17 @@ --policy_module(pacemaker, 1.1.0) -+policy_module(pacemaker, 1.0.2) - - ######################################## - # +@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.0.2) # Declarations # @@ -64663,15 +61315,9 @@ index 6e097c9..503c97a 100644 domain_system_change_exemption($1) role_transition $2 pads_initrc_exec_t system_r; diff --git a/pads.te b/pads.te -index 078adc4..446e5ca 100644 +index 29a7364..446e5ca 100644 --- a/pads.te +++ b/pads.te -@@ -1,4 +1,4 @@ --policy_module(pads, 1.1.0) -+policy_module(pads, 1.0.1) - - ######################################## - # @@ -25,8 +25,11 @@ files_pid_file(pads_var_run_t) # @@ -64900,11 +61546,11 @@ index bf59ef7..2d8335f 100644 +') + 
diff --git a/passenger.te b/passenger.te -index 08ec33b..d688bab 100644 +index 4e114ff..d688bab 100644 --- a/passenger.te +++ b/passenger.te @@ -1,4 +1,4 @@ --policy_module(passanger, 1.1.1) +-policy_module(passanger, 1.0.3) +policy_module(passanger, 1.0.0) ######################################## @@ -64951,7 +61597,7 @@ index 08ec33b..d688bab 100644 manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -@@ -45,7 +50,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) +@@ -45,19 +50,22 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) @@ -64964,8 +61610,8 @@ index 08ec33b..d688bab 100644 kernel_read_system_state(passenger_t) kernel_read_kernel_sysctls(passenger_t) -@@ -53,13 +62,10 @@ kernel_read_network_state(passenger_t) - kernel_read_net_sysctls(passenger_t) ++kernel_read_network_state(passenger_t) ++kernel_read_net_sysctls(passenger_t) corenet_all_recvfrom_netlabel(passenger_t) -corenet_all_recvfrom_unlabeled(passenger_t) @@ -64979,7 +61625,7 @@ index 08ec33b..d688bab 100644 corecmd_exec_bin(passenger_t) corecmd_exec_shell(passenger_t) -@@ -68,8 +74,6 @@ dev_read_urand(passenger_t) +@@ -66,19 +74,20 @@ dev_read_urand(passenger_t) domain_read_all_domains_state(passenger_t) @@ -64988,7 +61634,13 @@ index 08ec33b..d688bab 100644 auth_use_nsswitch(passenger_t) logging_send_syslog_msg(passenger_t) -@@ -83,6 +87,7 @@ userdom_dontaudit_use_user_terminals(passenger_t) + + miscfiles_read_localization(passenger_t) + ++sysnet_exec_ifconfig(passenger_t) ++ + userdom_dontaudit_use_user_terminals(passenger_t) + optional_policy(` apache_append_log(passenger_t) apache_read_sys_content(passenger_t) 
@@ -64996,7 +61648,7 @@ index 08ec33b..d688bab 100644 ') optional_policy(` -@@ -94,14 +99,21 @@ optional_policy(` +@@ -90,14 +99,21 @@ optional_policy(` ') optional_policy(` @@ -65025,15 +61677,9 @@ index 08ec33b..d688bab 100644 + rpm_read_db(passenger_t) ') diff --git a/pcmcia.te b/pcmcia.te -index 8176e4a..49baca5 100644 +index 3ad10b5..49baca5 100644 --- a/pcmcia.te +++ b/pcmcia.te -@@ -1,4 +1,4 @@ --policy_module(pcmcia, 1.7.0) -+policy_module(pcmcia, 1.6.1) - - ######################################## - # @@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t) logging_send_syslog_msg(cardmgr_t) @@ -65553,15 +62199,9 @@ index 43d50f9..7f77d32 100644 ######################################## diff --git a/pcscd.te b/pcscd.te -index 1fb1964..a958595 100644 +index 96db654..a958595 100644 --- a/pcscd.te +++ b/pcscd.te -@@ -1,4 +1,4 @@ --policy_module(pcscd, 1.8.0) -+policy_module(pcscd, 1.7.3) - - ######################################## - # @@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") # @@ -65779,11 +62419,11 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..37539ec 100644 +index 7bcf327..37539ec 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ --policy_module(pegasus, 1.9.0) +-policy_module(pegasus, 1.8.3) +policy_module(pegasus, 1.8.0) ######################################## @@ -66292,16 +62932,6 @@ index 608f454..37539ec 100644 virt_domtrans(pegasus_t) virt_stream_connect(pegasus_t) virt_manage_config(pegasus_t) -diff --git a/perdition.te b/perdition.te -index 9feb1ef..39027de 100644 ---- a/perdition.te -+++ b/perdition.te -@@ -1,4 +1,4 @@ --policy_module(perdition, 1.8.0) -+policy_module(perdition, 1.7.1) - - ######################################## - # diff --git a/pesign.fc b/pesign.fc new file mode 100644 index 0000000..7b54c39 @@ -66497,15 +63127,9 @@ index 21a6ecb..b99e4cb 100644 domain_system_change_exemption($1) role_transition $2 pingd_initrc_exec_t system_r; 
diff --git a/pingd.te b/pingd.te -index ab01060..1ee68e9 100644 +index 0f77942..1ee68e9 100644 --- a/pingd.te +++ b/pingd.te -@@ -1,4 +1,4 @@ --policy_module(pingd, 1.1.0) -+policy_module(pingd, 1.0.1) - - ######################################## - # @@ -10,7 +10,7 @@ type pingd_exec_t; init_daemon_domain(pingd_t, pingd_exec_t) @@ -67051,7 +63675,7 @@ index 0000000..a989aea +sysnet_read_config(piranha_domain) diff --git a/pkcs.fc b/pkcs.fc deleted file mode 100644 -index 9a72226..0000000 +index f9dc0be..0000000 --- a/pkcs.fc +++ /dev/null @@ -1,7 +0,0 @@ @@ -67061,7 +63685,7 @@ index 9a72226..0000000 - -/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0) - --/var/run/pkcsslotd.* gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0) +-/var/run/pkcsslotd\.pid -- gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0) diff --git a/pkcs.if b/pkcs.if deleted file mode 100644 index 69be2aa..0000000 @@ -67115,11 +63739,11 @@ index 69be2aa..0000000 -') diff --git a/pkcs.te b/pkcs.te deleted file mode 100644 -index 8eb3f7b..0000000 +index 977b972..0000000 --- a/pkcs.te +++ /dev/null -@@ -1,60 +0,0 @@ --policy_module(pkcs, 1.0.1) +@@ -1,58 +0,0 @@ +-policy_module(pkcs, 1.0.0) - -######################################## -# @@ -67150,7 +63774,7 @@ index 8eb3f7b..0000000 -# Local policy -# - --allow pkcs_slotd_t self:capability { fsetid kill chown }; +-allow pkcs_slotd_t self:capability kill; -allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms; -allow pkcs_slotd_t self:sem create_sem_perms; -allow pkcs_slotd_t self:shm create_shm_perms; 
@@ -67161,10 +63785,8 @@ index 8eb3f7b..0000000 -manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) -files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir) - --manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t) -manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t) --manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t) --files_pid_filetrans(pkcs_slotd_t, pkcs_slotd_var_run_t, { sock_file file dir }) +-files_pid_filetrans(pkcs_slotd_t, pkcs_slotd_var_run_t, file) - -manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t) -manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t) @@ -68434,11 +65056,11 @@ index 30e751f..61feb3a 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te -index 3078ce9..b78836f 100644 +index b1f412b..b78836f 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -1,4 +1,4 @@ --policy_module(plymouthd, 1.2.0) +-policy_module(plymouthd, 1.1.4) +policy_module(plymouthd, 1.0.1) ######################################## @@ -68560,15 +65182,9 @@ index 3078ce9..b78836f 100644 hal_dontaudit_write_log(plymouth_t) hal_dontaudit_rw_pipes(plymouth_t) diff --git a/podsleuth.te b/podsleuth.te -index 9123f71..b196183 100644 +index a14b3bc..b196183 100644 --- a/podsleuth.te +++ b/podsleuth.te -@@ -1,4 +1,4 @@ --policy_module(podsleuth, 1.7.0) -+policy_module(podsleuth, 1.6.1) - - ######################################## - # @@ -29,7 +29,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t) # @@ -68882,16 +65498,16 @@ index 032a84d..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index ee91778..55d1871 100644 +index 49694e8..55d1871 100644 --- a/policykit.te +++ b/policykit.te 
@@ -1,4 +1,4 @@ --policy_module(policykit, 1.3.0) +-policy_module(policykit, 1.2.8) +policy_module(policykit, 1.1.0) ######################################## # -@@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0) +@@ -7,9 +7,6 @@ policy_module(policykit, 1.2.8) attribute policykit_domain; @@ -69489,16 +66105,16 @@ index ae27bb7..d00f6ba 100644 + allow $1 polipo_unit_file_t:service all_service_perms; ') diff --git a/polipo.te b/polipo.te -index 9764bfe..6646219 100644 +index 316d53a..6646219 100644 --- a/polipo.te +++ b/polipo.te @@ -1,4 +1,4 @@ --policy_module(polipo, 1.1.1) +-policy_module(polipo, 1.0.4) +policy_module(polipo, 1.0.0) ######################################## # -@@ -7,19 +7,27 @@ policy_module(polipo, 1.1.1) +@@ -7,19 +7,27 @@ policy_module(polipo, 1.0.4) ## ##

@@ -69565,7 +66181,7 @@ index 9764bfe..6646219 100644 type polipo_cache_t; files_type(polipo_cache_t) -@@ -56,116 +63,98 @@ files_type(polipo_cache_t) +@@ -56,112 +63,98 @@ files_type(polipo_cache_t) type polipo_log_t; logging_log_file(polipo_log_t) @@ -69672,24 +66288,24 @@ index 9764bfe..6646219 100644 optional_policy(` - cron_system_entry(polipo_system_t, polipo_exec_t) + cron_system_entry(polipo_t, polipo_exec_t) ++') ++ ++tunable_policy(`polipo_connect_all_unreserved',` ++ corenet_tcp_connect_all_unreserved_ports(polipo_t) ') -tunable_policy(`polipo_system_use_cifs',` - fs_manage_cifs_files(polipo_system_t) -',` - fs_dontaudit_read_cifs_files(polipo_system_t) -+tunable_policy(`polipo_connect_all_unreserved',` -+ corenet_tcp_connect_all_unreserved_ports(polipo_t) ++tunable_policy(`polipo_use_cifs',` ++ fs_manage_cifs_files(polipo_t) ') -tunable_policy(`polipo_system_use_nfs',` - fs_manage_nfs_files(polipo_system_t) -',` - fs_dontaudit_read_nfs_files(polipo_system_t) -+tunable_policy(`polipo_use_cifs',` -+ fs_manage_cifs_files(polipo_t) -+') -+ +tunable_policy(`polipo_use_nfs',` + fs_manage_nfs_files(polipo_t) ') 
@@ -69708,21 +66324,17 @@ index 9764bfe..6646219 100644 -corenet_tcp_sendrecv_generic_if(polipo_daemon) -corenet_tcp_sendrecv_generic_node(polipo_daemon) -corenet_tcp_bind_generic_node(polipo_daemon) -- ++read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t) ++manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t) + -corenet_sendrecv_http_client_packets(polipo_daemon) -corenet_tcp_sendrecv_http_port(polipo_daemon) -corenet_tcp_connect_http_port(polipo_daemon) -+read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t) -+manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t) ++auth_use_nsswitch(polipo_session_t) -corenet_sendrecv_http_cache_server_packets(polipo_daemon) -corenet_tcp_sendrecv_http_cache_port(polipo_daemon) -corenet_tcp_bind_http_cache_port(polipo_daemon) -+auth_use_nsswitch(polipo_session_t) - --corenet_sendrecv_tor_client_packets(polipo_daemon) --corenet_tcp_sendrecv_tor_port(polipo_daemon) --corenet_tcp_connect_tor_port(polipo_daemon) +userdom_use_user_terminals(polipo_session_t) -files_read_usr_files(polipo_daemon) @@ -69749,15 +66361,9 @@ index 67e8c12..18b89d7 100644 allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; diff --git a/portage.te b/portage.te -index b410c67..b9b5418 100644 +index a95fc4a..b9b5418 100644 --- a/portage.te +++ b/portage.te -@@ -1,4 +1,4 @@ --policy_module(portage, 1.14.0) -+policy_module(portage, 1.13.7) - - ######################################## - # @@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t) files_manage_etc_files(gcc_config_t) @@ -69794,15 +66400,9 @@ index cd45831..69406ee 100644 /var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0) /var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0) diff --git a/portmap.te b/portmap.te -index 18b255e..04a202e 100644 +index 738c13b..04a202e 100644 --- a/portmap.te 
+++ b/portmap.te -@@ -1,4 +1,4 @@ --policy_module(portmap, 1.11.0) -+policy_module(portmap, 1.10.1) - - ######################################## - # @@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file) kernel_read_system_state(portmap_t) kernel_read_kernel_sysctls(portmap_t) @@ -69871,15 +66471,9 @@ index 5ad5291..7f1ae2a 100644 portreserve_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/portreserve.te b/portreserve.te -index 00b01e2..49758db 100644 +index a38b57a..49758db 100644 --- a/portreserve.te +++ b/portreserve.te -@@ -1,4 +1,4 @@ --policy_module(portreserve, 1.4.0) -+policy_module(portreserve, 1.3.1) - - ######################################## - # @@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir } corecmd_getattr_bin_files(portreserve_t) @@ -69900,15 +66494,9 @@ index 00b01e2..49758db 100644 + sssd_search_lib(portreserve_t) +') diff --git a/portslave.te b/portslave.te -index cbe36c1..a7d7c55 100644 +index e85e33d..a7d7c55 100644 --- a/portslave.te +++ b/portslave.te -@@ -1,4 +1,4 @@ --policy_module(portslave, 1.8.0) -+policy_module(portslave, 1.7.2) - - ######################################## - # @@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(portslave_t) corecmd_exec_bin(portslave_t) corecmd_exec_shell(portslave_t) @@ -70019,7 +66607,7 @@ index c0e8785..c0e0959 100644 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) /var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0) diff --git a/postfix.if b/postfix.if -index ded95ec..d8a163f 100644 +index 2e23946..d8a163f 100644 --- a/postfix.if +++ b/postfix.if @@ -1,4 +1,4 @@ @@ -70739,7 +67327,7 @@ index ded95ec..d8a163f 100644 ##

## ## -@@ -710,38 +801,137 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -710,37 +801,137 @@ interface(`postfix_domtrans_user_mail_handler',` # interface(`postfix_admin',` gen_require(` @@ -70747,7 +67335,6 @@ index ded95ec..d8a163f 100644 - type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t; - type postfix_data_t, postfix_var_run_t, postfix_public_t; - type postfix_private_t, postfix_map_tmp_t, postfix_exec_t; -- type postfix_keytab_t; + attribute postfix_spool_type; + type postfix_bounce_t, postfix_cleanup_t, postfix_local_t; + type postfix_master_t, postfix_pickup_t, postfix_qmgr_t; @@ -70801,7 +67388,7 @@ index ded95ec..d8a163f 100644 allow $2 system_r; - files_search_etc($1) -- admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t }) +- admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t }) + admin_pattern($1, postfix_data_t) - files_search_spool($1) @@ -70899,16 +67486,16 @@ index ded95ec..d8a163f 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 5cfb83e..f88edc4 100644 +index 191a66f..f88edc4 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ --policy_module(postfix, 1.15.1) +-policy_module(postfix, 1.14.10) +policy_module(postfix, 1.14.0) ######################################## # -@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) +@@ -6,27 +6,23 @@ policy_module(postfix, 1.14.10) # ## @@ -70942,13 +67529,7 @@ index 5cfb83e..f88edc4 100644 postfix_server_domain_template(cleanup) -@@ -36,22 +32,22 @@ files_config_file(postfix_etc_t) - type postfix_exec_t; - application_executable_file(postfix_exec_t) - --type postfix_keytab_t; --files_type(postfix_keytab_t) -- +@@ -39,16 +35,19 @@ application_executable_file(postfix_exec_t) postfix_server_domain_template(local) mta_mailserver_delivery(postfix_local_t) 
@@ -70969,7 +67550,7 @@ index 5cfb83e..f88edc4 100644 mta_mailserver(postfix_t, postfix_master_exec_t) type postfix_initrc_exec_t; -@@ -63,6 +59,7 @@ postfix_server_domain_template(pipe) +@@ -60,6 +59,7 @@ postfix_server_domain_template(pipe) postfix_user_domain_template(postdrop) mta_mailserver_user_agent(postfix_postdrop_t) @@ -70977,7 +67558,7 @@ index 5cfb83e..f88edc4 100644 postfix_user_domain_template(postqueue) mta_mailserver_user_agent(postfix_postqueue_t) -@@ -83,13 +80,13 @@ mta_mailserver_sender(postfix_smtp_t) +@@ -80,13 +80,13 @@ mta_mailserver_sender(postfix_smtp_t) postfix_server_domain_template(smtpd) type postfix_spool_t, postfix_spool_type; @@ -70994,7 +67575,7 @@ index 5cfb83e..f88edc4 100644 type postfix_public_t; files_type(postfix_public_t) -@@ -97,6 +94,7 @@ files_type(postfix_public_t) +@@ -94,6 +94,7 @@ files_type(postfix_public_t) type postfix_var_run_t; files_pid_file(postfix_var_run_t) @@ -71002,7 +67583,7 @@ index 5cfb83e..f88edc4 100644 type postfix_data_t; files_type(postfix_data_t) -@@ -105,164 +103,61 @@ mta_mailserver_delivery(postfix_virtual_t) +@@ -102,160 +103,61 @@ mta_mailserver_delivery(postfix_virtual_t) ######################################## # @@ -71120,10 +67701,9 @@ index 5cfb83e..f88edc4 100644 allow postfix_master_t postfix_data_t:dir manage_dir_perms; allow postfix_master_t postfix_data_t:file manage_file_perms; --allow postfix_master_t postfix_keytab_t:file read_file_perms; -+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock }; - -allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; ++allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock }; ++ +allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; -allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms; 
@@ -71155,7 +67735,7 @@ index 5cfb83e..f88edc4 100644 manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush") -- + -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t) -manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) @@ -71172,17 +67752,15 @@ index 5cfb83e..f88edc4 100644 -delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) --filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "defer") --filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred") -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop") - +- -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t) -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid") +- +-can_exec(postfix_master_t, postfix_exec_t) +manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) --can_exec(postfix_master_t, postfix_exec_t) -- -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) +kernel_read_all_sysctls(postfix_master_t) 
@@ -71191,7 +67769,7 @@ index 5cfb83e..f88edc4 100644 corenet_all_recvfrom_netlabel(postfix_master_t) corenet_tcp_sendrecv_generic_if(postfix_master_t) corenet_udp_sendrecv_generic_if(postfix_master_t) -@@ -270,65 +165,50 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) +@@ -263,64 +165,50 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -71253,11 +67831,6 @@ index 5cfb83e..f88edc4 100644 -optional_policy(` - cyrus_stream_connect(postfix_master_t) --') -- --optional_policy(` -- kerberos_read_keytab(postfix_master_t) -- kerberos_use(postfix_master_t) +ifdef(`distro_redhat',` + # for newer main.cf that uses /etc/aliases + mta_manage_aliases(postfix_master_t) @@ -71265,6 +67838,10 @@ index 5cfb83e..f88edc4 100644 ') optional_policy(` +- kerberos_keytab_template(postfix, postfix_t) +-') +- +-optional_policy(` - mailman_manage_data_files(postfix_master_t) + cyrus_stream_connect(postfix_master_t) ') @@ -71275,7 +67852,7 @@ index 5cfb83e..f88edc4 100644 ') optional_policy(` -@@ -341,12 +221,14 @@ optional_policy(` +@@ -333,12 +221,14 @@ optional_policy(` ######################################## # @@ -71292,7 +67869,7 @@ index 5cfb83e..f88edc4 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -@@ -363,37 +245,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool +@@ -355,37 +245,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool ######################################## # @@ -71339,7 +67916,7 @@ index 5cfb83e..f88edc4 100644 optional_policy(` mailman_read_data_files(postfix_cleanup_t) -@@ -401,36 +280,50 @@ optional_policy(` +@@ -393,36 +280,50 @@ optional_policy(` ######################################## # 
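Review bot: In the hunk at `@@ -71265,6 +67838,10 @@` the rebased patch now deletes upstream's `kerberos_keytab_template(postfix, postfix_t)` block, and nothing on the `+` side of this hunk (or of the preceding `@@ -71253` hunk, which only adds the `distro_redhat` aliases block) re-grants keytab access to any postfix domain. The earlier base's removal of `kerberos_read_keytab(postfix_master_t)` / `kerberos_use(postfix_master_t)` is dropped at the same time, so the net effect of the patch is still "no Kerberos keytab access for postfix", only expressed against the new upstream. If the distro policy grants that access somewhere else in the patch, a comment next to the removal would keep the next rebase from re-raising it, e.g. `# upstream keytab template intentionally dropped; keytab access is granted in <LOCATION-PLACEHOLDER>`; if it is not granted anywhere, GSSAPI/Kerberos SMTP authentication will be denied once this lands. The enclosing optional_policy blocks continue outside the hunk.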
@@ -71399,7 +67976,7 @@ index 5cfb83e..f88edc4 100644 ') optional_policy(` -@@ -442,16 +335,25 @@ optional_policy(` +@@ -434,16 +335,25 @@ optional_policy(` ') optional_policy(` @@ -71425,7 +68002,7 @@ index 5cfb83e..f88edc4 100644 procmail_domtrans(postfix_local_t) ') -@@ -466,15 +368,17 @@ optional_policy(` +@@ -458,15 +368,17 @@ optional_policy(` ######################################## # @@ -71449,7 +68026,7 @@ index 5cfb83e..f88edc4 100644 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -@@ -484,14 +388,15 @@ kernel_read_kernel_sysctls(postfix_map_t) +@@ -476,14 +388,15 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) @@ -71469,7 +68046,7 @@ index 5cfb83e..f88edc4 100644 corecmd_list_bin(postfix_map_t) corecmd_read_bin_symlinks(postfix_map_t) -@@ -500,7 +405,6 @@ corecmd_read_bin_pipes(postfix_map_t) +@@ -492,7 +405,6 @@ corecmd_read_bin_pipes(postfix_map_t) corecmd_read_bin_sockets(postfix_map_t) files_list_home(postfix_map_t) @@ -71477,7 +68054,7 @@ index 5cfb83e..f88edc4 100644 files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) -@@ -508,21 +412,22 @@ auth_use_nsswitch(postfix_map_t) +@@ -500,21 +412,22 @@ auth_use_nsswitch(postfix_map_t) logging_send_syslog_msg(postfix_map_t) @@ -71503,7 +68080,7 @@ index 5cfb83e..f88edc4 100644 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -@@ -532,21 +437,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; +@@ -524,21 +437,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) 
@@ -71529,7 +68106,7 @@ index 5cfb83e..f88edc4 100644 write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) -@@ -557,6 +462,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) +@@ -549,6 +462,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) corecmd_exec_bin(postfix_pipe_t) optional_policy(` @@ -71540,7 +68117,7 @@ index 5cfb83e..f88edc4 100644 dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -584,19 +493,26 @@ optional_policy(` +@@ -576,19 +493,26 @@ optional_policy(` ######################################## # @@ -71572,7 +68149,7 @@ index 5cfb83e..f88edc4 100644 term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -611,10 +527,7 @@ optional_policy(` +@@ -603,10 +527,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -71584,7 +68161,7 @@ index 5cfb83e..f88edc4 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -629,17 +542,24 @@ optional_policy(` +@@ -621,17 +542,24 @@ optional_policy(` ####################################### # @@ -71612,7 +68189,7 @@ index 5cfb83e..f88edc4 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -655,69 +575,77 @@ optional_policy(` +@@ -647,67 +575,77 @@ optional_policy(` ######################################## # @@ -71693,12 +68270,11 @@ index 5cfb83e..f88edc4 100644 rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) --corenet_tcp_bind_generic_node(postfix_smtp_t) +# for spampd +corenet_tcp_connect_spamd_port(postfix_master_t) + +files_search_all_mountpoints(postfix_smtp_t) - ++ optional_policy(` cyrus_stream_connect(postfix_smtp_t) ') @@ -71709,7 +68285,7 @@ index 5cfb83e..f88edc4 100644 ') optional_policy(` -@@ -730,28 +658,32 @@ optional_policy(` +@@ -720,28 +658,32 @@ optional_policy(` ######################################## # 
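Review bot: In the hunk at `@@ -71693,12 +68270,11 @@` the line `corenet_tcp_connect_spamd_port(postfix_master_t)` is placed in the postfix_smtp_t section, between `rw_files_pattern(postfix_smtp_t, ...)` and `files_search_all_mountpoints(postfix_smtp_t)`, and its `# for spampd` comment does not say why the master domain rather than the SMTP client domain is the subject. If the process that actually opens the connection is the SMTP client, the rule presumably should read `corenet_tcp_connect_spamd_port(postfix_smtp_t)`; if postfix_master_t really is the connecting process, the line belongs in the master section so the grant is not read as an SMTP-client rule. Either way the comment should name the domain and the reason, e.g. `# for spampd content filter; the master process makes the connection`. The enclosing section continues outside the hunk.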
@@ -71750,7 +68326,7 @@ index 5cfb83e..f88edc4 100644 optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) -@@ -764,6 +696,7 @@ optional_policy(` +@@ -754,6 +696,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -71758,7 +68334,7 @@ index 5cfb83e..f88edc4 100644 ') optional_policy(` -@@ -774,31 +707,99 @@ optional_policy(` +@@ -764,31 +707,99 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -71890,15 +68466,9 @@ index 5de8173..985b877 100644 init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/postfixpolicyd.te b/postfixpolicyd.te -index ea1582a..77d4cd9 100644 +index 70f0533..77d4cd9 100644 --- a/postfixpolicyd.te +++ b/postfixpolicyd.te -@@ -1,4 +1,4 @@ --policy_module(postfixpolicyd, 1.3.0) -+policy_module(postfixpolicyd, 1.2.1) - - ######################################## - # @@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms; manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t) files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file) @@ -71957,15 +68527,9 @@ index b9e71b5..a7502cd 100644 domain_system_change_exemption($1) role_transition $2 postgrey_initrc_exec_t system_r; diff --git a/postgrey.te b/postgrey.te -index fd58805..04e3809 100644 +index 3b11496..04e3809 100644 --- a/postgrey.te +++ b/postgrey.te -@@ -1,4 +1,4 @@ --policy_module(postgrey, 1.9.0) -+policy_module(postgrey, 1.8.1) - - ######################################## - # @@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; init_script_file(postgrey_initrc_exec_t) @@ -72566,16 +69130,16 @@ index cd8b8b9..6c73980 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index d616ca3..3ed75e7 100644 +index b2b5dba..3ed75e7 100644 --- a/ppp.te +++ b/ppp.te 
@@ -1,4 +1,4 @@ --policy_module(ppp, 1.14.0) +-policy_module(ppp, 1.13.5) +policy_module(ppp, 1.13.0) ######################################## # -@@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) +@@ -6,41 +6,47 @@ policy_module(ppp, 1.13.5) # ## @@ -73085,16 +69649,16 @@ index 20d4697..e6605c1 100644 + files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache") +') diff --git a/prelink.te b/prelink.te -index 8e26216..e04bdd6 100644 +index c0f047a..e04bdd6 100644 --- a/prelink.te +++ b/prelink.te @@ -1,4 +1,4 @@ --policy_module(prelink, 1.11.0) +-policy_module(prelink, 1.10.2) +policy_module(prelink, 1.10.0) ######################################## # -@@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0) +@@ -6,13 +6,10 @@ policy_module(prelink, 1.10.2) attribute prelink_object; @@ -73459,15 +70023,9 @@ index c83a838..f41a4f7 100644 admin_pattern($1, prelude_lml_tmp_t) ') diff --git a/prelude.te b/prelude.te -index 8f44609..f7eb5e0 100644 +index db864df..f7eb5e0 100644 --- a/prelude.te +++ b/prelude.te -@@ -1,4 +1,4 @@ --policy_module(prelude, 1.4.0) -+policy_module(prelude, 1.3.2) - - ######################################## - # @@ -13,7 +13,7 @@ type prelude_initrc_exec_t; init_script_file(prelude_initrc_exec_t) @@ -73585,15 +70143,9 @@ index bdcee30..34f3143 100644 init_labeled_script_domtrans($1, privoxy_initrc_exec_t) domain_system_change_exemption($1) diff --git a/privoxy.te b/privoxy.te -index ec21f80..072d425 100644 +index 85b1c9a..072d425 100644 --- a/privoxy.te +++ b/privoxy.te -@@ -1,4 +1,4 @@ --policy_module(privoxy, 1.12.0) -+policy_module(privoxy, 1.11.1) - - ######################################## - # @@ -85,6 +85,7 @@ corenet_sendrecv_tor_client_packets(privoxy_t) corenet_tcp_connect_tor_port(privoxy_t) corenet_tcp_sendrecv_tor_port(privoxy_t) @@ -73792,11 +70344,11 @@ index 00edeab..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) ') 
diff --git a/procmail.te b/procmail.te -index cc426e6..f3e6fbf 100644 +index d447152..f3e6fbf 100644 --- a/procmail.te +++ b/procmail.te @@ -1,4 +1,4 @@ --policy_module(procmail, 1.13.1) +-policy_module(procmail, 1.12.2) +policy_module(procmail, 1.12.0) ######################################## @@ -73827,7 +70379,7 @@ index cc426e6..f3e6fbf 100644 allow procmail_t procmail_log_t:dir setattr_dir_perms; create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -@@ -40,83 +44,98 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) +@@ -40,89 +44,108 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) allow procmail_t procmail_tmp_t:file manage_file_perms; files_tmp_filetrans(procmail_t, procmail_tmp_t, file) @@ -73962,16 +70514,18 @@ index cc426e6..f3e6fbf 100644 postfix_dontaudit_rw_local_tcp_sockets(procmail_t) postfix_dontaudit_use_fds(procmail_t) postfix_read_spool_files(procmail_t) -@@ -126,11 +145,18 @@ optional_policy(` - ') - - optional_policy(` -+ nagios_search_spool(procmail_t) + postfix_read_local_state(procmail_t) + postfix_read_master_state(procmail_t) +- postfix_rw_master_pipes(procmail_t) ++ postfix_rw_inherited_master_pipes(procmail_t) +') + +optional_policy(` - pyzor_domtrans(procmail_t) - pyzor_signal(procmail_t) ++ nagios_search_spool(procmail_t) + ') + + optional_policy(` +@@ -131,6 +154,9 @@ optional_policy(` ') optional_policy(` @@ -74485,15 +71039,9 @@ index d4dcf78..3cce82e 100644 admin_pattern($1, psad_tmp_t) ') diff --git a/psad.te b/psad.te -index b5d717b..718c847 100644 +index 5427bb6..718c847 100644 --- a/psad.te +++ b/psad.te -@@ -1,4 +1,4 @@ --policy_module(psad, 1.1.0) -+policy_module(psad, 1.0.1) - - ######################################## - # @@ -66,7 +66,6 @@ kernel_read_net_sysctls(psad_t) corecmd_exec_bin(psad_t) corecmd_exec_shell(psad_t) 
@@ -74519,24 +71067,10 @@ index b5d717b..718c847 100644 sysnet_exec_ifconfig(psad_t) optional_policy(` -diff --git a/ptchown.fc b/ptchown.fc -index dd96822..9fc398e 100644 ---- a/ptchown.fc -+++ b/ptchown.fc -@@ -1,3 +1 @@ - /usr/libexec/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0) -- --/usr/lib/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0) diff --git a/ptchown.te b/ptchown.te -index 28d2abc..2da9eca 100644 +index d67905e..2da9eca 100644 --- a/ptchown.te +++ b/ptchown.te -@@ -1,4 +1,4 @@ --policy_module(ptchown, 1.2.0) -+policy_module(ptchown, 1.1.2) - - ######################################## - # @@ -21,7 +21,6 @@ role ptchown_roles types ptchown_t; allow ptchown_t self:capability { chown fowner fsetid setuid }; allow ptchown_t self:process { getcap setcap }; @@ -74551,16 +71085,6 @@ index 28d2abc..2da9eca 100644 -miscfiles_read_localization(ptchown_t) +auth_read_passwd(ptchown_t) -diff --git a/publicfile.te b/publicfile.te -index 3246bef..d7df1b3 100644 ---- a/publicfile.te -+++ b/publicfile.te -@@ -1,4 +1,4 @@ --policy_module(publicfile, 1.2.0) -+policy_module(publicfile, 1.1.1) - - ######################################## - # diff --git a/pulseaudio.fc b/pulseaudio.fc index 6864479..0e7d875 100644 --- a/pulseaudio.fc @@ -74585,10 +71109,10 @@ index 6864479..0e7d875 100644 +/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) +/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) diff --git a/pulseaudio.if b/pulseaudio.if -index 45843b5..99cfa95 100644 +index fa3dc8e..99cfa95 100644 --- a/pulseaudio.if +++ b/pulseaudio.if -@@ -2,43 +2,44 @@ +@@ -2,47 +2,44 @@ ######################################## ## 
@@ -74619,16 +71143,20 @@ index 45843b5..99cfa95 100644 - pulseaudio_run($2, $1) + role $1 types pulseaudio_t; -+ -+ # Transition from the user domain to the derived domain. -+ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t) - allow $2 pulseaudio_t:process { ptrace signal_perms }; - ps_process_pattern($2, pulseaudio_t) +- ps_process_pattern($2, pulseaudio_t) ++ # Transition from the user domain to the derived domain. ++ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t) - allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms }; - allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; ++ ps_process_pattern($2, pulseaudio_t) + +- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, dir, ".pulse") +- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".esd_auth") +- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".pulse-cookie") + allow pulseaudio_t $2:process { signal signull }; + allow $2 pulseaudio_t:process { signal signull sigkill }; + ps_process_pattern(pulseaudio_t, $2) @@ -74650,7 +71178,7 @@ index 45843b5..99cfa95 100644 ') ######################################## -@@ -65,9 +66,8 @@ interface(`pulseaudio_domtrans',` +@@ -69,9 +66,8 @@ interface(`pulseaudio_domtrans',` ######################################## ## @@ -74662,7 +71190,7 @@ index 45843b5..99cfa95 100644 ## ## ## -@@ -82,16 +82,16 @@ interface(`pulseaudio_domtrans',` +@@ -86,16 +82,16 @@ interface(`pulseaudio_domtrans',` # interface(`pulseaudio_run',` gen_require(` @@ -74682,7 +71210,7 @@ index 45843b5..99cfa95 100644 ## ## ## -@@ -104,13 +104,12 @@ interface(`pulseaudio_exec',` +@@ -108,13 +104,12 @@ interface(`pulseaudio_exec',` type pulseaudio_exec_t; ') 
@@ -74697,7 +71225,7 @@ index 45843b5..99cfa95 100644 ## ## ## -@@ -128,7 +127,7 @@ interface(`pulseaudio_dontaudit_exec',` +@@ -132,7 +127,7 @@ interface(`pulseaudio_dontaudit_exec',` ######################################## ## @@ -74706,7 +71234,7 @@ index 45843b5..99cfa95 100644 ## processes. ## ## -@@ -147,8 +146,8 @@ interface(`pulseaudio_signull',` +@@ -151,8 +146,8 @@ interface(`pulseaudio_signull',` ##################################### ## @@ -74717,7 +71245,7 @@ index 45843b5..99cfa95 100644 ## ## ## -@@ -158,11 +157,15 @@ interface(`pulseaudio_signull',` +@@ -162,11 +157,15 @@ interface(`pulseaudio_signull',` # interface(`pulseaudio_stream_connect',` gen_require(` @@ -74735,7 +71263,7 @@ index 45843b5..99cfa95 100644 ') ######################################## -@@ -188,9 +191,9 @@ interface(`pulseaudio_dbus_chat',` +@@ -192,9 +191,9 @@ interface(`pulseaudio_dbus_chat',` ######################################## ## @@ -74747,7 +71275,7 @@ index 45843b5..99cfa95 100644 ## ## Domain allowed access. ## -@@ -201,148 +204,190 @@ interface(`pulseaudio_setattr_home_dir',` +@@ -205,148 +204,190 @@ interface(`pulseaudio_setattr_home_dir',` type pulseaudio_home_t; ') @@ -74986,16 +71514,16 @@ index 45843b5..99cfa95 100644 + ps_process_pattern($1, pulseaudio_t) ') diff --git a/pulseaudio.te b/pulseaudio.te -index 6643b49..d261e97 100644 +index e31bbe1..d261e97 100644 --- a/pulseaudio.te +++ b/pulseaudio.te @@ -1,4 +1,4 @@ --policy_module(pulseaudio, 1.6.0) +-policy_module(pulseaudio, 1.5.4) +policy_module(pulseaudio, 1.5.0) ######################################## # -@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.6.0) +@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.5.4) attribute pulseaudio_client; attribute pulseaudio_tmpfsfile; 
@@ -75003,7 +71531,7 @@ index 6643b49..d261e97 100644 - type pulseaudio_t; type pulseaudio_exec_t; --# init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) +-init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) +#init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t) -role pulseaudio_roles types pulseaudio_t; @@ -75087,7 +71615,7 @@ index 6643b49..d261e97 100644 can_exec(pulseaudio_t, pulseaudio_exec_t) -@@ -85,62 +70,57 @@ kernel_read_kernel_sysctls(pulseaudio_t) +@@ -85,60 +70,57 @@ kernel_read_kernel_sysctls(pulseaudio_t) corecmd_exec_bin(pulseaudio_t) @@ -75139,8 +71667,6 @@ index 6643b49..d261e97 100644 logging_send_syslog_msg(pulseaudio_t) -miscfiles_read_localization(pulseaudio_t) -- --userdom_read_user_tmpfs_files(pulseaudio_t) userdom_search_user_home_dirs(pulseaudio_t) userdom_write_user_tmp_sockets(pulseaudio_t) @@ -75168,7 +71694,7 @@ index 6643b49..d261e97 100644 ') optional_policy(` -@@ -153,8 +133,9 @@ optional_policy(` +@@ -151,8 +133,9 @@ optional_policy(` optional_policy(` dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) @@ -75180,7 +71706,7 @@ index 6643b49..d261e97 100644 optional_policy(` consolekit_dbus_chat(pulseaudio_t) -@@ -174,29 +155,49 @@ optional_policy(` +@@ -172,29 +155,49 @@ optional_policy(` ') optional_policy(` @@ -75232,7 +71758,7 @@ index 6643b49..d261e97 100644 # # Client local policy # -@@ -210,8 +211,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi +@@ -208,8 +211,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi fs_getattr_tmpfs(pulseaudio_client) 
@@ -75241,7 +71767,7 @@ index 6643b49..d261e97 100644 corenet_tcp_sendrecv_generic_if(pulseaudio_client) corenet_tcp_sendrecv_generic_node(pulseaudio_client) -@@ -220,40 +219,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client) +@@ -218,36 +219,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client) corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client) pulseaudio_stream_connect(pulseaudio_client) @@ -75274,10 +71800,6 @@ index 6643b49..d261e97 100644 - fs_manage_cifs_dirs(pulseaudio_client) - fs_manage_cifs_files(pulseaudio_client) - fs_read_cifs_symlinks(pulseaudio_client) --') -- --optional_policy(` -- pulseaudio_dbus_chat(pulseaudio_client) + fs_getattr_cifs(pulseaudio_client) + fs_manage_cifs_dirs(pulseaudio_client) + fs_manage_cifs_files(pulseaudio_client) @@ -75285,19 +71807,19 @@ index 6643b49..d261e97 100644 ') optional_policy(` -- rtkit_scheduled(pulseaudio_client) +- pulseaudio_dbus_chat(pulseaudio_client) + pulseaudio_dbus_chat(pulseaudio_client) ') optional_policy(` -- unconfined_signull(pulseaudio_client) +- rtkit_scheduled(pulseaudio_client) + rtkit_scheduled(pulseaudio_client) ') diff --git a/puppet.fc b/puppet.fc -index d68e26d..cad91e2 100644 +index 4ecda09..cad91e2 100644 --- a/puppet.fc +++ b/puppet.fc -@@ -1,18 +1,20 @@ +@@ -1,14 +1,20 @@ -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) 
@@ -75306,27 +71828,23 @@ index d68e26d..cad91e2 100644 +/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0) +/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) --/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) --/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) --/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) +-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) +-/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +#helper scripts +/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) --/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) --/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) --/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +-/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) +/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) +/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) --/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) +-/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) +/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) +/usr/sbin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) --/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) -- -/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) +/var/lib/puppet(/.*)? 
gen_context(system_u:object_r:puppet_var_lib_t,s0) +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) @@ -75673,10 +72191,16 @@ index 7cb8b1f..9422c90 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index 618dcfe..0903e67 100644 +index f2309f4..0903e67 100644 --- a/puppet.te +++ b/puppet.te -@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) +@@ -1,4 +1,4 @@ +-policy_module(puppet, 1.3.7) ++policy_module(puppet, 1.4.0) + + ######################################## + # +@@ -6,25 +6,32 @@ policy_module(puppet, 1.3.7) # ## @@ -76345,15 +72869,9 @@ index 3078e34..215df88 100644 - -miscfiles_read_localization(pwauth_t) diff --git a/pxe.te b/pxe.te -index 06bec9b..6dae5e5 100644 +index 72db707..6dae5e5 100644 --- a/pxe.te +++ b/pxe.te -@@ -1,4 +1,4 @@ --policy_module(pxe, 1.5.0) -+policy_module(pxe, 1.4.1) - - ######################################## - # @@ -50,15 +50,12 @@ dev_read_sysfs(pxe_t) domain_use_interactive_fds(pxe_t) @@ -76440,11 +72958,11 @@ index 0ccea82..0000000 -') diff --git a/pyicqt.te b/pyicqt.te deleted file mode 100644 -index f2863de..0000000 +index 99bebbd..0000000 --- a/pyicqt.te +++ /dev/null @@ -1,92 +0,0 @@ --policy_module(pyicqt, 1.1.0) +-policy_module(pyicqt, 1.0.1) - -######################################## -# @@ -76692,11 +73210,11 @@ index 593c03d..2c411af 100644 + admin_pattern($1, pyzor_var_lib_t) ') diff --git a/pyzor.te b/pyzor.te -index 2439d13..86daaba 100644 +index 6c456d2..86daaba 100644 --- a/pyzor.te +++ b/pyzor.te @@ -1,61 +1,82 @@ --policy_module(pyzor, 2.3.0) +-policy_module(pyzor, 2.2.1) +policy_module(pyzor, 2.1.0) ######################################## @@ -76937,15 +73455,14 @@ index 2439d13..86daaba 100644 + logging_send_syslog_msg(pyzord_t) +') diff --git a/qemu.fc b/qemu.fc -index 86ea53c..64d877e 100644 +index 6b53fa4..64d877e 100644 --- a/qemu.fc 
+++ b/qemu.fc -@@ -1,6 +1,4 @@ +@@ -1,5 +1,4 @@ -/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) /usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) --/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) - /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --git a/qemu.if b/qemu.if @@ -77318,16 +73835,16 @@ index eaf56b8..580f9ee 100644 # interface(`qemu_entry_type',` diff --git a/qemu.te b/qemu.te -index 4f90743..695c857 100644 +index 2e824eb..695c857 100644 --- a/qemu.te +++ b/qemu.te @@ -1,4 +1,4 @@ --policy_module(qemu, 1.8.0) +-policy_module(qemu, 1.7.4) +policy_module(qemu, 1.7.0) ######################################## # -@@ -6,28 +6,58 @@ policy_module(qemu, 1.8.0) +@@ -6,28 +6,58 @@ policy_module(qemu, 1.7.4) # ## @@ -77736,11 +74253,11 @@ index e4f0000..05e219e 100644 + allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms; +') diff --git a/qmail.te b/qmail.te -index 8742944..af2850e 100644 +index 1bef513..af2850e 100644 --- a/qmail.te +++ b/qmail.te @@ -1,11 +1,11 @@ --policy_module(qmail, 1.6.1) +-policy_module(qmail, 1.5.1) +policy_module(qmail, 1.5.0) ######################################## @@ -77762,7 +74279,7 @@ index 8742944..af2850e 100644 type qmail_inject_exec_t; domain_type(qmail_inject_t) domain_entry_file(qmail_inject_t, qmail_inject_exec_t) -@@ -32,21 +32,22 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t) +@@ -32,18 +32,22 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t) mta_mailserver_delivery(qmail_lspawn_t) qmail_child_domain_template(qmail_queue, qmail_inject_t) 
@@ -77777,11 +74294,8 @@ index 8742944..af2850e 100644 qmail_child_domain_template(qmail_send, qmail_start_t) + qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t) --qmail_child_domain_template(qmail_splogger, qmail_start_t) - --type qmail_keytab_t; --files_type(qmail_keytab_t) -+qmail_child_domain_template(qmail_splogger, qmail_start_t) ++ + qmail_child_domain_template(qmail_splogger, qmail_start_t) type qmail_spool_t; -files_type(qmail_spool_t) @@ -77789,7 +74303,7 @@ index 8742944..af2850e 100644 type qmail_start_t; type qmail_start_exec_t; -@@ -58,28 +59,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) +@@ -55,28 +59,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) ######################################## # @@ -77820,7 +74334,7 @@ index 8742944..af2850e 100644 # read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) -@@ -87,11 +68,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) +@@ -84,11 +68,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) ######################################## # @@ -77835,7 +74349,7 @@ index 8742944..af2850e 100644 allow qmail_inject_t qmail_queue_exec_t:file read_file_perms; -@@ -99,18 +81,18 @@ corecmd_search_bin(qmail_inject_t) +@@ -96,18 +81,18 @@ corecmd_search_bin(qmail_inject_t) files_search_var(qmail_inject_t) @@ -77858,7 +74372,7 @@ index 8742944..af2850e 100644 manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) -@@ -137,12 +119,17 @@ mta_append_spool(qmail_local_t) +@@ -134,12 +119,17 @@ mta_append_spool(qmail_local_t) qmail_domtrans_queue(qmail_local_t) optional_policy(` 
@@ -77877,7 +74391,7 @@ index 8742944..af2850e 100644 # allow qmail_lspawn_t self:capability { setuid setgid }; -@@ -156,21 +143,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms; +@@ -153,21 +143,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms; read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t) @@ -77904,7 +74418,7 @@ index 8742944..af2850e 100644 manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) -@@ -186,28 +175,34 @@ optional_policy(` +@@ -183,28 +175,34 @@ optional_policy(` ######################################## # @@ -77946,7 +74460,7 @@ index 8742944..af2850e 100644 # allow qmail_rspawn_t self:process signal_perms; -@@ -217,9 +212,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms; +@@ -214,9 +212,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms; rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t) @@ -77960,7 +74474,7 @@ index 8742944..af2850e 100644 # allow qmail_send_t self:process signal_perms; -@@ -237,15 +235,14 @@ optional_policy(` +@@ -234,7 +235,8 @@ optional_policy(` ######################################## # @@ -77970,25 +74484,7 @@ index 8742944..af2850e 100644 # allow qmail_smtpd_t self:process signal_perms; - allow qmail_smtpd_t self:fifo_file write_fifo_file_perms; - allow qmail_smtpd_t self:tcp_socket create_socket_perms; - --allow qmail_smtpd_t qmail_keytab_t:file read_file_perms; -- - allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms; - - dev_read_rand(qmail_smtpd_t) -@@ -258,8 +255,7 @@ optional_policy(` - ') - - optional_policy(` -- kerberos_read_keytab(qmail_smtpd_t) -- kerberos_use(qmail_smtpd_t) -+ kerberos_keytab_template(qmail, qmail_smtpd_t) - ') - - optional_policy(` -@@ -268,26 +264,26 @@ optional_policy(` +@@ -262,26 +264,26 @@ optional_policy(` ######################################## # 
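Review bot: The rebased qmail.te patch no longer carries the qmail_smtpd_t hunk that replaced `kerberos_read_keytab(qmail_smtpd_t)` and `kerberos_use(qmail_smtpd_t)` with `kerberos_keytab_template(qmail, qmail_smtpd_t)` (the outer `-` lines under `@@ -77970`), and the matching `qmail_keytab_t` removal was dropped under `@@ -77777` on the previous line. That is only correct if the new base already contains both changes; otherwise qmail_smtpd_t either loses keytab access or keeps the old broad `kerberos_use` grant, and nothing in the patch says which was intended. Confirming this against the base and noting it once, e.g. `# qmail keytab handling is now upstream; smtpd kerberos hunk dropped on rebase`, would make the intent checkable. The affected qmail_smtpd_t block starts and ends outside the visible hunks.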
@@ -78020,7 +74516,7 @@ index 8742944..af2850e 100644 can_exec(qmail_start_t, qmail_start_exec_t) -@@ -304,7 +300,8 @@ optional_policy(` +@@ -298,7 +300,8 @@ optional_policy(` ######################################## # @@ -78031,7 +74527,7 @@ index 8742944..af2850e 100644 allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms; diff --git a/qpid.if b/qpid.if -index fe2adf8..f7e9c70 100644 +index cd51b96..f7e9c70 100644 --- a/qpid.if +++ b/qpid.if @@ -1,4 +1,4 @@ @@ -78299,7 +74795,7 @@ index fe2adf8..f7e9c70 100644 + allow $1 qpidd_t:process ptrace; + ') -- files_search_var_lib($1) +- files_search_var_lib($1( - admin_pattern($1, qpidd_var_lib_t) + qpidd_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -78315,15 +74811,9 @@ index fe2adf8..f7e9c70 100644 + admin_pattern($1, qpidd_var_run_t) ') diff --git a/qpid.te b/qpid.te -index 83eb09e..f7670b2 100644 +index 76f5b39..f7670b2 100644 --- a/qpid.te +++ b/qpid.te -@@ -1,4 +1,4 @@ --policy_module(qpid, 1.1.0) -+policy_module(qpid, 1.0.1) - - ######################################## - # @@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) type qpidd_initrc_exec_t; init_script_file(qpidd_initrc_exec_t) @@ -78761,11 +75251,11 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..7cc3063 100644 +index 769d1fd..7cc3063 100644 --- a/quantum.te +++ b/quantum.te @@ -1,96 +1,180 @@ --policy_module(quantum, 1.1.0) +-policy_module(quantum, 1.0.2) +policy_module(quantum, 1.0.3) ######################################## @@ -79294,11 +75784,11 @@ index da64218..3fb8575 100644 + domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) ') diff --git a/quota.te b/quota.te -index f47c8e8..1aee969 100644 +index 4b2c272..1aee969 100644 --- a/quota.te +++ b/quota.te @@ -1,16 +1,14 @@ --policy_module(quota, 1.6.0) +-policy_module(quota, 1.5.2) +policy_module(quota, 1.5.0) ######################################## 
@@ -79465,15 +75955,10 @@ index 2c3d338..7d49554 100644 init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rabbitmq.te b/rabbitmq.te -index dc3b0ed..f1b94dd 100644 +index 3698b51..f1b94dd 100644 --- a/rabbitmq.te +++ b/rabbitmq.te -@@ -1,17 +1,18 @@ --policy_module(rabbitmq, 1.0.2) -+policy_module(rabbitmq, 1.0.0) - - ######################################## - # +@@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.0) # Declarations # @@ -79504,7 +75989,7 @@ index dc3b0ed..f1b94dd 100644 type rabbitmq_var_log_t; logging_log_file(rabbitmq_var_log_t) -@@ -27,98 +31,92 @@ files_pid_file(rabbitmq_var_run_t) +@@ -27,80 +31,92 @@ files_pid_file(rabbitmq_var_run_t) ###################################### # 
@@ -79523,63 +76008,55 @@ index dc3b0ed..f1b94dd 100644 -append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -- --manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) --manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) -- --can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) +allow rabbitmq_t self:capability setuid; --domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) +-manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) +-manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) +allow rabbitmq_t self:process { setsched signal signull }; +allow rabbitmq_t self:fifo_file rw_fifo_file_perms; +allow rabbitmq_t self:tcp_socket { accept listen }; --kernel_read_system_state(rabbitmq_beam_t) --kernel_read_fs_sysctls(rabbitmq_beam_t) +-can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +files_var_lib_filetrans(rabbitmq_t, rabbitmq_var_lib_t, { dir file }) --corecmd_exec_bin(rabbitmq_beam_t) --corecmd_exec_shell(rabbitmq_beam_t) +-domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t) +manage_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t) +manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t) +logging_log_filetrans(rabbitmq_t, rabbitmq_var_log_t, { dir file }) --corenet_all_recvfrom_unlabeled(rabbitmq_beam_t) --corenet_all_recvfrom_netlabel(rabbitmq_beam_t) --corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t) 
--corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t) --corenet_tcp_bind_generic_node(rabbitmq_beam_t) +-kernel_read_system_state(rabbitmq_beam_t) +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t) +manage_files_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t) +files_lock_filetrans(rabbitmq_t, rabbitmq_var_lock_t, file) --corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) --corenet_tcp_bind_amqp_port(rabbitmq_beam_t) --corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t) +-corecmd_exec_bin(rabbitmq_beam_t) +-corecmd_exec_shell(rabbitmq_beam_t) +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t) +manage_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t) +manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t) +files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file }) --corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) --corenet_tcp_connect_epmd_port(rabbitmq_beam_t) --corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) +-corenet_all_recvfrom_unlabeled(rabbitmq_beam_t) +-corenet_all_recvfrom_netlabel(rabbitmq_beam_t) +-corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t) +-corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t) +-corenet_tcp_bind_generic_node(rabbitmq_beam_t) +kernel_read_system_state(rabbitmq_t) +kernel_read_fs_sysctls(rabbitmq_t) --corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t) --corenet_tcp_bind_couchdb_port(rabbitmq_beam_t) --corenet_tcp_sendrecv_couchdb_port(rabbitmq_beam_t) +-corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) +-corenet_tcp_bind_amqp_port(rabbitmq_beam_t) +-corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t) +corecmd_exec_bin(rabbitmq_t) +corecmd_exec_shell(rabbitmq_t) --dev_read_sysfs(rabbitmq_beam_t) --dev_read_urand(rabbitmq_beam_t) +-corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) +-corenet_tcp_connect_epmd_port(rabbitmq_beam_t) +-corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) +corenet_tcp_bind_generic_node(rabbitmq_t) 
+corenet_udp_bind_generic_node(rabbitmq_t) +corenet_all_recvfrom_unlabeled(rabbitmq_t) @@ -79602,28 +76079,18 @@ index dc3b0ed..f1b94dd 100644 +corenet_tcp_sendrecv_epmd_port(rabbitmq_t) +corenet_tcp_connect_http_port(rabbitmq_t) --fs_getattr_all_fs(rabbitmq_beam_t) --fs_search_cgroup_dirs(rabbitmq_beam_t) +-dev_read_sysfs(rabbitmq_beam_t) +domain_read_all_domains_state(rabbitmq_t) -files_read_etc_files(rabbitmq_beam_t) +auth_read_passwd(rabbitmq_t) +auth_use_pam(rabbitmq_t) --storage_getattr_fixed_disk_dev(rabbitmq_beam_t) +-miscfiles_read_localization(rabbitmq_beam_t) +files_getattr_all_mountpoints(rabbitmq_t) --miscfiles_read_localization(rabbitmq_beam_t) -- -sysnet_dns_name_resolve(rabbitmq_beam_t) - -- optional_policy(` -- couchdb_manage_lib_files(rabbitmq_beam_t) -- couchdb_read_conf_files(rabbitmq_beam_t) -- couchdb_read_log_files(rabbitmq_beam_t) -- couchdb_read_pid_files(rabbitmq_beam_t) -- ') -- -######################################## -# -# Epmd local policy @@ -79671,16 +76138,9 @@ index dc3b0ed..f1b94dd 100644 -miscfiles_read_localization(rabbitmq_epmd_t) diff --git a/radius.fc b/radius.fc -index d447e85..4125f6d 100644 +index c84b7ae..4125f6d 100644 --- a/radius.fc +++ b/radius.fc -@@ -1,5 +1,5 @@ - /etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) --/etc/cron\.((daily)|(weekly)|(monthly))/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) -+/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) - - /etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0) - @@ -9,7 +9,9 @@ /usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) /usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) @@ -79754,15 +76214,9 @@ index 4460582..60cf556 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..eb72458 100644 +index 1e7927f..eb72458 100644 --- a/radius.te 
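Review bot: `domain_read_all_domains_state(rabbitmq_t)` in the rewritten rabbitmq_t block grants read access to the /proc state of every domain on the system, which is far broader than the broker's own files, ports and the `kernel_read_system_state(rabbitmq_t)` that sits next to it. Nothing in the hunk says which rabbitmq component needs this; if the need is limited to a specific peer domain, the narrower interface for that domain is preferable, and if it is genuinely required the line should carry a why-comment, e.g. `# reads /proc/<pid> of all domains; required by <component> -- revisit`. `auth_use_pam(rabbitmq_t)` and `corenet_tcp_connect_http_port(rabbitmq_t)` also widen the domain and would benefit from the same one-line justification. The rabbitmq_t policy block continues past the hunk.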
+++ b/radius.te -@@ -1,4 +1,4 @@ --policy_module(radius, 1.13.0) -+policy_module(radius, 1.12.1) - - ######################################## - # @@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t) type radiusd_var_run_t; files_pid_file(radiusd_var_run_t) @@ -79866,15 +76320,9 @@ index ac7058d..48739ac 100644 init_labeled_script_domtrans($1, radvd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/radvd.te b/radvd.te -index 6d162e4..046f5b8 100644 +index b31f2d7..046f5b8 100644 --- a/radvd.te +++ b/radvd.te -@@ -1,4 +1,4 @@ --policy_module(radvd, 1.14.0) -+policy_module(radvd, 1.13.1) - - ######################################## - # @@ -65,8 +65,6 @@ auth_use_nsswitch(radvd_t) logging_send_syslog_msg(radvd_t) @@ -80123,15 +76571,9 @@ index 951db7f..c0cabe8 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf") ') diff --git a/raid.te b/raid.te -index c99753f..36acb6c 100644 +index 2c1730b..36acb6c 100644 --- a/raid.te +++ b/raid.te -@@ -1,4 +1,4 @@ --policy_module(raid, 1.13.1) -+policy_module(raid, 1.12.5) - - ######################################## - # @@ -15,6 +15,18 @@ role mdadm_roles types mdadm_t; type mdadm_initrc_exec_t; init_script_file(mdadm_initrc_exec_t) @@ -80151,7 +76593,7 @@ index c99753f..36acb6c 100644 type mdadm_var_run_t alias mdadm_map_t; files_pid_file(mdadm_var_run_t) dev_associate(mdadm_var_run_t) -@@ -25,44 +37,72 @@ dev_associate(mdadm_var_run_t) +@@ -25,43 +37,72 @@ dev_associate(mdadm_var_run_t) # allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; @@ -80224,7 +76666,7 @@ index c99753f..36acb6c 100644 -files_dontaudit_getattr_all_files(mdadm_t) +files_dontaudit_getattr_tmpfs_files(mdadm_t) - fs_getattr_all_fs(mdadm_t) ++fs_getattr_all_fs(mdadm_t) fs_list_auto_mountpoints(mdadm_t) fs_list_hugetlbfs(mdadm_t) fs_rw_cgroup_files(mdadm_t) 
@@ -80233,7 +76675,7 @@ index c99753f..36acb6c 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -71,15 +111,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,15 +111,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -80257,7 +76699,7 @@ index c99753f..36acb6c 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -90,17 +137,38 @@ optional_policy(` +@@ -89,17 +137,38 @@ optional_policy(` ') optional_policy(` @@ -80774,11 +77216,11 @@ index 1e4b523..fee3b7c 100644 ## ## diff --git a/razor.te b/razor.te -index 68455f9..4e15f29 100644 +index 5ddedbc..4e15f29 100644 --- a/razor.te +++ b/razor.te @@ -1,139 +1,128 @@ --policy_module(razor, 2.4.0) +-policy_module(razor, 2.3.2) +policy_module(razor, 2.3.0) ######################################## @@ -81141,7 +77583,7 @@ index 9196c1d..b775931 100644 userdom_dontaudit_use_unpriv_user_fds(rdisc_t) diff --git a/readahead.fc b/readahead.fc -index f01b32f..0428aee 100644 +index f307db4..0428aee 100644 --- a/readahead.fc +++ b/readahead.fc @@ -1,7 +1,10 @@ @@ -81155,7 +77597,7 @@ index f01b32f..0428aee 100644 + /var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0) --/var/run/readahead.* gen_context(system_u:object_r:readahead_var_run_t,s0) +-/var/run/readahead,* gen_context(system_u:object_r:readahead_var_run_t,s0) +/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0) diff --git a/readahead.if b/readahead.if index 661bb88..06f69c4 100644 @@ -81190,15 +77632,9 @@ index 661bb88..06f69c4 100644 +') + diff --git a/readahead.te b/readahead.te -index c0b02c9..8ee7e70 100644 +index f1512d6..8ee7e70 100644 --- a/readahead.te +++ b/readahead.te -@@ -1,4 +1,4 @@ --policy_module(readahead, 1.13.0) -+policy_module(readahead, 1.12.2) - - ######################################## - # 
@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t; type readahead_var_run_t; @@ -81413,16 +77849,16 @@ index bff31df..3b2a829 100644 +') + diff --git a/realmd.te b/realmd.te -index 5bc878b..3baa71a 100644 +index 9a8f052..3baa71a 100644 --- a/realmd.te +++ b/realmd.te @@ -1,4 +1,4 @@ --policy_module(realmd, 1.1.0) +-policy_module(realmd, 1.0.2) +policy_module(realmd, 1.0.0) ######################################## # -@@ -7,47 +7,89 @@ policy_module(realmd, 1.1.0) +@@ -7,47 +7,89 @@ policy_module(realmd, 1.0.2) type realmd_t; type realmd_exec_t; @@ -81598,38 +78034,33 @@ index 5bc878b..3baa71a 100644 + unconfined_domain_noaudit(realmd_consolehelper_t) ') diff --git a/redis.fc b/redis.fc -index e240ac9..741b785 100644 ---- a/redis.fc +new file mode 100644 +index 0000000..741b785 +--- /dev/null +++ b/redis.fc -@@ -1,9 +1,12 @@ - /etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0) - --/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0) +@@ -0,0 +1,12 @@ ++/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0) ++ +/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0) - --/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0) ++ +/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0) - --/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0) ++ +/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0) - --/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0) ++ +/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0) + +/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0) +/var/run/redis\.sock -- gen_context(system_u:object_r:redis_var_run_t,s0) diff --git a/redis.if b/redis.if -index 16c8ecb..2640ab5 100644 ---- a/redis.if +new file mode 100644 +index 0000000..2640ab5 +--- /dev/null 
+++ b/redis.if -@@ -1,9 +1,224 @@ --## Advanced key-value store. +@@ -0,0 +1,266 @@ +## Advanced key-value store - - ######################################## - ## --## All of the rules required to --## administrate an redis environment. ++ ++######################################## ++## +## Execute redis server in the redis domin. +## +## @@ -81847,30 +78278,41 @@ index 16c8ecb..2640ab5 100644 +## +## All of the rules required to administrate +## an redis environment - ## - ## - ## -@@ -20,7 +235,7 @@ - interface(`redis_admin',` - gen_require(` - type redis_t, redis_initrc_exec_t, redis_var_lib_t; -- type redis_log_t, redis_var_run_t; ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`redis_admin',` ++ gen_require(` ++ type redis_t, redis_initrc_exec_t, redis_var_lib_t; + type redis_log_t, redis_var_run_t, redis_unit_file_t; - ') - - allow $1 redis_t:process { ptrace signal_perms }; -@@ -32,11 +247,20 @@ interface(`redis_admin',` - allow $2 system_r; - - logging_search_logs($1) -- admin_pattern($!, redis_log_t) ++ ') ++ ++ allow $1 redis_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, redis_t) ++ ++ init_labeled_script_domtrans($1, redis_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 redis_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ logging_search_logs($1) + admin_pattern($1, redis_log_t) - - files_search_var_lib($1) - admin_pattern($1, redis_var_lib_t) - - files_search_pids($1) - admin_pattern($1, redis_var_run_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, redis_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, redis_var_run_t) + + redis_systemctl($1) + admin_pattern($1, redis_unit_file_t) @@ -81880,56 +78322,76 @@ index 16c8ecb..2640ab5 100644 + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') - ') ++') 
diff --git a/redis.te b/redis.te -index 25cd417..51cd1fe 100644 ---- a/redis.te +new file mode 100644 +index 0000000..51cd1fe +--- /dev/null 
+++ b/redis.te -@@ -1,4 +1,4 @@ --policy_module(redis, 1.0.1) +@@ -0,0 +1,64 @@ +policy_module(redis, 1.0.0) - - ######################################## - # -@@ -21,9 +21,12 @@ files_type(redis_var_lib_t) - type redis_var_run_t; - files_pid_file(redis_var_run_t) - ++ ++######################################## ++# ++# Declarations ++# ++ ++type redis_t; ++type redis_exec_t; ++init_daemon_domain(redis_t, redis_exec_t) ++ ++type redis_initrc_exec_t; ++init_script_file(redis_initrc_exec_t) ++ ++type redis_log_t; ++logging_log_file(redis_log_t) ++ ++type redis_var_lib_t; ++files_type(redis_var_lib_t) ++ ++type redis_var_run_t; ++files_pid_file(redis_var_run_t) ++ +type redis_unit_file_t; +systemd_unit_file(redis_unit_file_t) + - ######################################## - # --# Local policy ++######################################## ++# +# redis local policy - # - - allow redis_t self:process { setrlimit signal_perms }; -@@ -42,18 +45,13 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) - manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t) - manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) - manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) ++# ++ ++allow redis_t self:process { setrlimit signal_perms }; ++allow redis_t self:fifo_file rw_fifo_file_perms; ++allow redis_t self:unix_stream_socket create_stream_socket_perms; ++allow redis_t self:tcp_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(redis_t, redis_log_t, redis_log_t) ++manage_files_pattern(redis_t, redis_log_t, redis_log_t) ++manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t) ++ ++manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) ++manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) ++manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) ++ ++manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t) ++manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) 
++manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) +manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) +files_pid_filetrans(redis_t, redis_var_run_t, { sock_file }) - - kernel_read_system_state(redis_t) - --corenet_all_recvfrom_unlabeled(redis_t) --corenet_all_recvfrom_netlabel(redis_t) --corenet_tcp_sendrecv_generic_if(redis_t) --corenet_tcp_sendrecv_generic_node(redis_t) - corenet_tcp_bind_generic_node(redis_t) -- --corenet_sendrecv_redis_server_packets(redis_t) - corenet_tcp_bind_redis_port(redis_t) --corenet_tcp_sendrecv_redis_port(redis_t) - - dev_read_sysfs(redis_t) - dev_read_urand(redis_t) -@@ -63,3 +61,4 @@ logging_send_syslog_msg(redis_t) - miscfiles_read_localization(redis_t) - - sysnet_dns_name_resolve(redis_t) ++ ++kernel_read_system_state(redis_t) ++ ++corenet_tcp_bind_generic_node(redis_t) ++corenet_tcp_bind_redis_port(redis_t) ++ ++dev_read_sysfs(redis_t) ++dev_read_urand(redis_t) ++ ++logging_send_syslog_msg(redis_t) ++ ++miscfiles_read_localization(redis_t) ++ ++sysnet_dns_name_resolve(redis_t) + diff --git a/remotelogin.fc b/remotelogin.fc index 327baf0..d8691bd 100644 @@ -82010,11 +78472,11 @@ index a9ce68e..92520aa 100644 + allow $1 remote_login_t:process signull; ') diff --git a/remotelogin.te b/remotelogin.te -index ae30871..bef8238 100644 +index c51a32c..bef8238 100644 --- a/remotelogin.te +++ b/remotelogin.te @@ -1,4 +1,4 @@ --policy_module(remotelogin, 1.8.0) +-policy_module(remotelogin, 1.7.2) +policy_module(remotelogin, 1.7.0) ######################################## @@ -82131,15 +78593,9 @@ index ae30871..bef8238 100644 ') diff --git a/resmgr.te b/resmgr.te -index f6eb358..6bef328 100644 +index 6f219b3..6bef328 100644 --- a/resmgr.te +++ b/resmgr.te -@@ -1,4 +1,4 @@ --policy_module(resmgr, 1.3.0) -+policy_module(resmgr, 1.2.2) - - ######################################## - # @@ -42,7 +42,6 @@ dev_getattr_scanner_dev(resmgrd_t) domain_use_interactive_fds(resmgrd_t) 
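Review bot: `files_pid_filetrans(redis_t, redis_var_run_t, { sock_file })` in the new redis.te only transitions sockets, although the same block grants `manage_dirs_pattern` and `manage_files_pattern` on redis_var_run_t and the new redis.fc labels `/var/run/redis(/.*)?` as a directory tree. If the daemon creates `/var/run/redis` or a pid file itself rather than relying on the init script or unit, those objects would be created in the generic pid type and the manage rules above would not apply to them; `files_pid_filetrans(redis_t, redis_var_run_t, { dir file sock_file })` would cover that case, or a comment stating that the directory is pre-created should be added. Whether redis creates the directory itself cannot be confirmed from the hunk.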
@@ -82384,16 +78840,16 @@ index 1c2f9aa..a4133dc 100644 + allow $1 rgmanager_var_lib_t:dir search_dir_perms; +') diff --git a/rgmanager.te b/rgmanager.te -index c8a1e16..1ad9c12 100644 +index b418d1c..1ad9c12 100644 --- a/rgmanager.te +++ b/rgmanager.te @@ -1,4 +1,4 @@ --policy_module(rgmanager, 1.3.0) +-policy_module(rgmanager, 1.2.2) +policy_module(rgmanager, 1.2.0) ######################################## # -@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.3.0) +@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.2.2) # ## @@ -82724,7 +79180,7 @@ index 47de2d6..5ad36aa 100644 +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index c8bdea2..1337d42 100644 +index 56bc01f..1337d42 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -82768,7 +79224,7 @@ index c8bdea2..1337d42 100644 manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) -- files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file }) +- files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file }) + files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file }) - optional_policy(` @@ -83486,15 +79942,9 @@ index c8bdea2..1337d42 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..a8f6097 100644 +index 2c2de9a..a8f6097 100644 --- a/rhcs.te +++ b/rhcs.te -@@ -1,4 +1,4 @@ --policy_module(rhcs, 1.2.1) -+policy_module(rhcs, 1.1.4) - - ######################################## - # @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) ## gen_tunable(fenced_can_ssh, false) @@ -84862,15 +81312,9 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') 
diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..7dc8f6e 100644 +index 1cedd70..7dc8f6e 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te -@@ -1,4 +1,4 @@ --policy_module(rhsmcertd, 1.1.1) -+policy_module(rhsmcertd, 1.0.2) - - ######################################## - # @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) type rhsmcertd_lock_t; files_lock_file(rhsmcertd_lock_t) @@ -84907,7 +81351,7 @@ index d32e1a2..7dc8f6e 100644 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -@@ -51,24 +57,51 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) +@@ -51,22 +57,51 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) @@ -84933,13 +81377,13 @@ index d32e1a2..7dc8f6e 100644 +files_create_boot_flag(rhsmcertd_t) + +auth_read_passwd(rhsmcertd_t) -+ -+libs_exec_ldconfig(rhsmcertd_t) - - init_read_state(rhsmcertd_t) -miscfiles_read_localization(rhsmcertd_t) -miscfiles_read_generic_certs(rhsmcertd_t) ++libs_exec_ldconfig(rhsmcertd_t) ++ ++init_read_state(rhsmcertd_t) ++ +logging_send_syslog_msg(rhsmcertd_t) + +miscfiles_manage_cert_files(rhsmcertd_t) @@ -85197,15 +81641,9 @@ index 2ab3ed1..23d579c 100644 role_transition $2 ricci_initrc_exec_t system_r; allow $2 system_r; diff --git a/ricci.te b/ricci.te -index 0ba2569..a265af9 100644 +index 9702ed2..a265af9 100644 --- a/ricci.te +++ b/ricci.te -@@ -1,4 +1,4 @@ --policy_module(ricci, 1.8.0) -+policy_module(ricci, 1.7.4) - - ######################################## - # @@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t) corecmd_exec_bin(ricci_t) @@ -85448,34 +81886,10 @@ index 050479d..0e1b364 100644 type rlogind_home_t; ') diff --git a/rlogin.te b/rlogin.te -index ee27948..15d7ca6 100644 +index d34cdec..15d7ca6 100644 --- a/rlogin.te 
+++ b/rlogin.te -@@ -1,4 +1,4 @@ --policy_module(rlogin, 1.11.3) -+policy_module(rlogin, 1.10.1) - - ######################################## - # -@@ -9,7 +9,6 @@ type rlogind_t; - type rlogind_exec_t; - auth_login_pgm_domain(rlogind_t) - inetd_service_domain(rlogind_t, rlogind_exec_t) --init_daemon_domain(rlogind_t, rlogind_exec_t) - - type rlogind_devpts_t; - term_login_pty(rlogind_devpts_t) -@@ -17,9 +16,6 @@ term_login_pty(rlogind_devpts_t) - type rlogind_home_t; - userdom_user_home_content(rlogind_home_t) - --type rlogind_keytab_t; --files_type(rlogind_keytab_t) -- - type rlogind_tmp_t; - files_tmp_file(rlogind_tmp_t) - -@@ -34,18 +30,17 @@ files_pid_file(rlogind_var_run_t) +@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t) allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; allow rlogind_t self:process signal_perms; allow rlogind_t self:fifo_file rw_fifo_file_perms; 
@@ -85486,38 +81900,32 @@ index ee27948..15d7ca6 100644 allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; term_create_pty(rlogind_t, rlogind_devpts_t) +@@ -39,7 +41,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms; - allow rlogind_t rlogind_home_t:file read_file_perms; - --allow rlogind_t rlogind_keytab_t:file read_file_perms; -- manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) -files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file }) manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) -@@ -56,14 +51,15 @@ kernel_read_kernel_sysctls(rlogind_t) +@@ -50,7 +51,6 @@ kernel_read_kernel_sysctls(rlogind_t) kernel_read_system_state(rlogind_t) kernel_read_network_state(rlogind_t) -corenet_all_recvfrom_unlabeled(rlogind_t) corenet_all_recvfrom_netlabel(rlogind_t) corenet_tcp_sendrecv_generic_if(rlogind_t) -+corenet_udp_sendrecv_generic_if(rlogind_t) - corenet_tcp_sendrecv_generic_node(rlogind_t) -- --corenet_sendrecv_rlogind_server_packets(rlogind_t) -+corenet_udp_sendrecv_generic_node(rlogind_t) -+corenet_tcp_sendrecv_all_ports(rlogind_t) -+corenet_udp_sendrecv_all_ports(rlogind_t) + corenet_udp_sendrecv_generic_if(rlogind_t) +@@ -58,6 +58,8 @@ corenet_tcp_sendrecv_generic_node(rlogind_t) + corenet_udp_sendrecv_generic_node(rlogind_t) + corenet_tcp_sendrecv_all_ports(rlogind_t) + corenet_udp_sendrecv_all_ports(rlogind_t) +corenet_tcp_bind_rlogin_port(rlogind_t) - corenet_tcp_bind_rlogind_port(rlogind_t) --corenet_tcp_sendrecv_rlogind_port(rlogind_t) ++corenet_tcp_bind_rlogind_port(rlogind_t) dev_read_urand(rlogind_t) -@@ -73,6 +69,7 @@ fs_getattr_all_fs(rlogind_t) +@@ -67,6 +69,7 @@ fs_getattr_all_fs(rlogind_t) fs_search_auto_mountpoints(rlogind_t) auth_domtrans_chk_passwd(rlogind_t) 
@@ -85525,7 +81933,7 @@ index ee27948..15d7ca6 100644 auth_rw_login_records(rlogind_t) auth_use_nsswitch(rlogind_t) -@@ -83,31 +80,23 @@ init_rw_utmp(rlogind_t) +@@ -77,30 +80,23 @@ init_rw_utmp(rlogind_t) logging_send_syslog_msg(rlogind_t) @@ -85557,29 +81965,25 @@ index ee27948..15d7ca6 100644 +rlogin_read_home_content(rlogind_t) optional_policy(` -- kerberos_read_keytab(rlogind_t) + kerberos_keytab_template(rlogind, rlogind_t) - kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0") - kerberos_manage_host_rcache(rlogind_t) -- kerberos_use(rlogind_t) -+ kerberos_keytab_template(rlogind, rlogind_t) + kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0") ') optional_policy(` diff --git a/rngd.fc b/rngd.fc -index fa19aa8..276eb3a 100644 +index 5dd779e..276eb3a 100644 --- a/rngd.fc +++ b/rngd.fc -@@ -1,5 +1,5 @@ +@@ -1,3 +1,5 @@ /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) --/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) +/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0) - --/var/run/rngd\.pid -- gen_context(system_u:object_r:rngd_var_run_t,s0) -+/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) ++ + /usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) diff --git a/rngd.if b/rngd.if -index 13f788f..9c83bc9 100644 +index 0e759a2..9c83bc9 100644 --- a/rngd.if +++ b/rngd.if @@ -2,6 +2,28 @@ @@ -85611,14 +82015,14 @@ index 13f788f..9c83bc9 100644 ## All of the rules required to ## administrate an rng environment. ## -@@ -17,19 +39,24 @@ +@@ -17,16 +39,24 @@ ## ## # -interface(`rngd_admin',` +interface(`rng_admin',` gen_require(` -- type rngd_t, rngd_initrc_exec_t, rngd_var_run_t; +- type rngd_t, rngd_initrc_exec_t; + type rngd_t, rngd_initrc_exec_t, rngd_unit_file_t; ') 
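Review bot: The rngd.fc entry the patch adds, `/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0)`, leaves the dot unescaped, so as a file-context regex it matches any name starting with `rngd` under that directory rather than just `rngd.service`/`rngd.socket`; the neighbouring context entry `/etc/rc\.d/init\.d/rngd` escapes its dots. If only the unit files are intended, `/usr/lib/systemd/system/rngd\..* -- gen_context(system_u:object_r:rngd_unit_file_t,s0)` pins the match; if the broader match is deliberate, a comment saying so would help whoever rebases this next.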
@@ -85634,50 +82038,26 @@ index 13f788f..9c83bc9 100644 domain_system_change_exemption($1) role_transition $2 rngd_initrc_exec_t system_r; allow $2 system_r; - -- files_search_pids($1) -- admin_pattern($1, rngd_var_run_t) ++ + rng_systemctl_rngd($1) + admin_pattern($1, rngd_unit_file_t) + allow $1 rngd_unit_file_t:service all_service_perms; ') diff --git a/rngd.te b/rngd.te -index a7b7717..2519caa 100644 +index 35c1427..2519caa 100644 --- a/rngd.te +++ b/rngd.te -@@ -1,4 +1,4 @@ --policy_module(rngd, 1.1.0) -+policy_module(rngd, 1.0.2) - - ######################################## - # -@@ -12,22 +12,19 @@ init_daemon_domain(rngd_t, rngd_exec_t) +@@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t) type rngd_initrc_exec_t; init_script_file(rngd_initrc_exec_t) --type rngd_var_run_t; --files_pid_file(rngd_var_run_t) +type rngd_unit_file_t; +systemd_unit_file(rngd_unit_file_t) - ++ ######################################## # # Local policy - # - --allow rngd_t self:capability { ipc_lock sys_admin }; -+allow rngd_t self:capability sys_admin; - allow rngd_t self:process signal; - allow rngd_t self:fifo_file rw_fifo_file_perms; - allow rngd_t self:unix_stream_socket { accept listen }; - --allow rngd_t rngd_var_run_t:file manage_file_perms; --files_pid_filetrans(rngd_t, rngd_var_run_t, file, "rngd.pid") -- - kernel_rw_kernel_sysctl(rngd_t) - - dev_read_rand(rngd_t) -@@ -35,8 +32,5 @@ dev_read_urand(rngd_t) +@@ -29,8 +32,5 @@ dev_read_urand(rngd_t) dev_rw_tpm(rngd_t) dev_write_rand(rngd_t) @@ -85704,15 +82084,9 @@ index 975bb6a..ce4f5ea 100644 init_labeled_script_domtrans($1, roundup_initrc_exec_t) domain_system_change_exemption($1) diff --git a/roundup.te b/roundup.te -index ccb5991..3b74aae 100644 +index 353960c..3b74aae 100644 --- a/roundup.te +++ b/roundup.te -@@ -1,4 +1,4 @@ --policy_module(roundup, 1.8.0) -+policy_module(roundup, 1.7.1) - - ######################################## - # 
@@ -41,7 +41,6 @@ kernel_read_proc_symlinks(roundup_t) corecmd_exec_bin(roundup_t) @@ -85787,7 +82161,7 @@ index a6fb30c..b0c22f7 100644 +/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) + diff --git a/rpc.if b/rpc.if -index 0bf13c2..eec0a35 100644 +index 3bd6446..eec0a35 100644 --- a/rpc.if +++ b/rpc.if @@ -1,4 +1,4 @@ @@ -86243,7 +82617,7 @@ index 0bf13c2..eec0a35 100644 - attribute rpc_domain; - type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t; - type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t; -- type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t; +- type nfsd_ro_t, nfsd_rw_t; + type var_lib_nfs_t; ') @@ -86256,7 +82630,7 @@ index 0bf13c2..eec0a35 100644 - allow $2 system_r; - - files_list_etc($1) -- admin_pattern($1, { gssd_keytab_t exports_t }) +- admin_pattern($1, exports_t) - - files_list_var_lib($1) - admin_pattern($1, var_lib_nfs_t) @@ -86276,16 +82650,16 @@ index 0bf13c2..eec0a35 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index 2da9fca..fbbff71 100644 +index e5212e6..fbbff71 100644 --- a/rpc.te +++ b/rpc.te @@ -1,4 +1,4 @@ --policy_module(rpc, 1.15.1) +-policy_module(rpc, 1.14.6) +policy_module(rpc, 1.14.0) ######################################## # -@@ -6,143 +6,76 @@ policy_module(rpc, 1.15.1) +@@ -6,24 +6,20 @@ policy_module(rpc, 1.14.6) # ## @@ -86320,15 +82694,7 @@ index 2da9fca..fbbff71 100644 type exports_t; files_config_file(exports_t) - - rpc_domain_template(gssd) - --type gssd_keytab_t; --files_type(gssd_keytab_t) -- - type gssd_tmp_t; - files_tmp_file(gssd_tmp_t) - +@@ -36,110 +32,50 @@ files_tmp_file(gssd_tmp_t) type rpcd_var_run_t; files_pid_file(rpcd_var_run_t) @@ -86453,7 +82819,7 @@ index 2da9fca..fbbff71 100644 kernel_read_sysctl(rpcd_t) kernel_rw_fs_sysctls(rpcd_t) kernel_dontaudit_getattr_core_if(rpcd_t) -@@ -163,21 +96,26 @@ fs_getattr_all_fs(rpcd_t) +@@ -160,13 +96,14 @@ fs_getattr_all_fs(rpcd_t) storage_getattr_fixed_disk_dev(rpcd_t) 
@@ -86464,29 +82830,26 @@ index 2da9fca..fbbff71 100644 miscfiles_read_generic_certs(rpcd_t) -seutil_dontaudit_search_config(rpcd_t) +- +-userdom_signal_all_users(rpcd_t) +userdom_signal_unpriv_users(rpcd_t) +userdom_read_user_home_content_files(rpcd_t) --userdom_signal_all_users(rpcd_t) -+optional_policy(` -+ automount_signal(rpcd_t) -+ automount_dontaudit_write_pipes(rpcd_t) -+') - --ifdef(`distro_debian',` -- term_dontaudit_use_unallocated_ttys(rpcd_t) -+optional_policy(` -+ domain_unconfined_signal(rpcd_t) - ') - optional_policy(` -- automount_signal(rpcd_t) -- automount_dontaudit_write_pipes(rpcd_t) -+ quota_manage_db(rpcd_t) + automount_signal(rpcd_t) +@@ -174,19 +111,27 @@ optional_policy(` ') optional_policy(` -@@ -185,15 +123,15 @@ optional_policy(` ++ domain_unconfined_signal(rpcd_t) ++') ++ ++optional_policy(` ++ quota_manage_db(rpcd_t) ++') ++ ++optional_policy(` + nis_read_ypserv_config(rpcd_t) ') optional_policy(` @@ -86505,7 +82868,7 @@ index 2da9fca..fbbff71 100644 ') ######################################## -@@ -202,41 +140,56 @@ optional_policy(` +@@ -195,41 +140,56 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -86570,7 +82933,7 @@ index 2da9fca..fbbff71 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -245,7 +198,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -238,7 +198,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -86578,7 +82941,7 @@ index 2da9fca..fbbff71 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -257,12 +209,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -250,12 +209,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -86593,7 +82956,7 @@ index 2da9fca..fbbff71 100644 ') ######################################## -@@ -270,16 +222,15 @@ optional_policy(` +@@ -263,7 +222,7 @@ optional_policy(` # GSSD local policy # 
@@ -86602,9 +82965,7 @@ index 2da9fca..fbbff71 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; --allow gssd_t gssd_keytab_t:file read_file_perms; -- - manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -271,6 +230,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -86612,7 +82973,7 @@ index 2da9fca..fbbff71 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +239,30 @@ kernel_signal(gssd_t) +@@ -279,25 +239,30 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -86646,15 +83007,12 @@ index 2da9fca..fbbff71 100644 ') optional_policy(` -@@ -314,10 +270,12 @@ optional_policy(` - ') +@@ -306,8 +271,11 @@ optional_policy(` optional_policy(` + kerberos_keytab_template(gssd, gssd_t) - kerberos_manage_host_rcache(gssd_t) -- kerberos_read_keytab(gssd_t) - kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0") -- kerberos_use(gssd_t) -+ kerberos_keytab_template(gssd, gssd_t) + kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0") +') + @@ -86818,15 +83176,9 @@ index 3b5e9ee..ff1163f 100644 + admin_pattern($1, rpcbind_var_run_t) ') diff --git a/rpcbind.te b/rpcbind.te -index 54de77c..56cb0c2 100644 +index c49828c..56cb0c2 100644 --- a/rpcbind.te +++ b/rpcbind.te -@@ -1,4 +1,4 @@ --policy_module(rpcbind, 1.6.1) -+policy_module(rpcbind, 1.5.4) - - ######################################## - # @@ -42,7 +42,6 @@ kernel_read_system_state(rpcbind_t) kernel_read_network_state(rpcbind_t) kernel_request_load_module(rpcbind_t) 
@@ -86835,18 +83187,21 @@ index 54de77c..56cb0c2 100644 corenet_all_recvfrom_netlabel(rpcbind_t) corenet_tcp_sendrecv_generic_if(rpcbind_t) corenet_udp_sendrecv_generic_if(rpcbind_t) -@@ -68,8 +67,8 @@ auth_use_nsswitch(rpcbind_t) +@@ -62,12 +61,11 @@ corecmd_exec_shell(rpcbind_t) + + domain_use_interactive_fds(rpcbind_t) - logging_send_syslog_msg(rpcbind_t) +-files_read_etc_files(rpcbind_t) + files_read_etc_runtime_files(rpcbind_t) + +-logging_send_syslog_msg(rpcbind_t) ++auth_use_nsswitch(rpcbind_t) -miscfiles_read_localization(rpcbind_t) -+sysnet_dns_name_resolve(rpcbind_t) ++logging_send_syslog_msg(rpcbind_t) + + sysnet_dns_name_resolve(rpcbind_t) --ifdef(`distro_debian',` -- term_dontaudit_use_unallocated_ttys(rpcbind_t) -+optional_policy(` -+ nis_use_ypbind(rpcbind_t) - ') diff --git a/rpm.fc b/rpm.fc index ebe91fc..576ca21 100644 --- a/rpm.fc @@ -86970,7 +83325,7 @@ index ebe91fc..576ca21 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index ef3b225..e9dbd7e 100644 +index 0628d50..e9dbd7e 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -87552,7 +83907,7 @@ index ef3b225..e9dbd7e 100644 - admin_pattern($1, rpm_var_run_t) - - fs_search_tmpfs($1) -- admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t }) +- admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t } - - rpm_run($1, $2) + allow $1 rpm_script_t:fd use; @@ -87561,11 +83916,11 @@ index ef3b225..e9dbd7e 100644 + allow rpm_script_t $1:process sigchld; ') diff --git a/rpm.te b/rpm.te -index 6fc360e..a461faa 100644 +index 5cbe81c..a461faa 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ --policy_module(rpm, 1.16.0) +-policy_module(rpm, 1.15.3) +policy_module(rpm, 1.15.0) + +attribute rpm_transition_domain; @@ -88088,11 +84443,11 @@ index 7ad29c0..2e87d76 100644 domtrans_pattern($1, rshd_exec_t, rshd_t) ') diff --git a/rshd.te b/rshd.te -index 864e089..24cf46d 100644 +index f842825..24cf46d 100644 --- a/rshd.te 
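Review bot: The rebased rpcbind.te hunk (`@@ -62,12 +61,11 @@`) now has the patch remove `files_read_etc_files(rpcbind_t)` and `miscfiles_read_localization(rpcbind_t)` from the base file while keeping `files_read_etc_runtime_files(rpcbind_t)` and `sysnet_dns_name_resolve(rpcbind_t)`; nothing in the hunk shows what replaces those grants, so presumably they are now given domain-wide in this policy tree (other hunks in this patch drop `miscfiles_read_localization` the same way), which is worth confirming before the patch lands so rpcbind does not lose /etc read access. The old patch's `optional_policy(` nis_use_ypbind(rpcbind_t) ')` block is gone in favour of `+auth_use_nsswitch(rpcbind_t)`; in refpolicy that interface wraps `nis_use_ypbind` itself, so that part appears equivalent. The rpcbind_t block starts outside this hunk.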
+++ b/rshd.te -@@ -1,68 +1,75 @@ --policy_module(rshd, 1.8.1) +@@ -1,62 +1,75 @@ +-policy_module(rshd, 1.7.1) +policy_module(rshd, 1.7.0) ######################################## @@ -88104,9 +84459,6 @@ index 864e089..24cf46d 100644 type rshd_exec_t; -auth_login_pgm_domain(rshd_t) inetd_tcp_service_domain(rshd_t, rshd_exec_t) -- --type rshd_keytab_t; --files_type(rshd_keytab_t) +domain_subj_id_change_exemption(rshd_t) +domain_role_change_exemption(rshd_t) +role system_r types rshd_t; @@ -88122,8 +84474,6 @@ index 864e089..24cf46d 100644 allow rshd_t self:fifo_file rw_fifo_file_perms; allow rshd_t self:tcp_socket create_stream_socket_perms; --allow rshd_t rshd_keytab_t:file read_file_perms; -- kernel_read_kernel_sysctls(rshd_t) -corenet_all_recvfrom_unlabeled(rshd_t) @@ -88185,24 +84535,16 @@ index 864e089..24cf46d 100644 +userdom_home_reader(rshd_t) optional_policy(` + kerberos_keytab_template(rshd, rshd_t) - kerberos_manage_host_rcache(rshd_t) -- kerberos_read_keytab(rshd_t) - kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0") -- kerberos_use(rshd_t) -+ kerberos_keytab_template(rshd, rshd_t) ') optional_policy(` diff --git a/rssh.te b/rssh.te -index 5c5465f..7ee8502 100644 +index d1fd97f..7ee8502 100644 --- a/rssh.te +++ b/rssh.te -@@ -1,4 +1,4 @@ --policy_module(rssh, 2.3.0) -+policy_module(rssh, 2.2.1) - - ######################################## - # @@ -60,18 +60,14 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t) kernel_read_system_state(rssh_t) kernel_read_kernel_sysctls(rssh_t) @@ -88522,16 +84864,16 @@ index f1140ef..8afe362 100644 + files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock") ') diff --git a/rsync.te b/rsync.te -index abeb302..7a6ca6c 100644 +index e3e7c96..7a6ca6c 100644 --- a/rsync.te +++ b/rsync.te 
@@ -1,4 +1,4 @@ --policy_module(rsync, 1.13.0) +-policy_module(rsync, 1.12.2) +policy_module(rsync, 1.12.0) ######################################## # -@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0) +@@ -6,67 +6,45 @@ policy_module(rsync, 1.12.2) # ## @@ -89067,7 +85409,7 @@ index 0000000..9a5164c + unconfined_domain(rtas_errd_t) +') diff --git a/rtkit.if b/rtkit.if -index e904ec4..051addd 100644 +index bd35afe..051addd 100644 --- a/rtkit.if +++ b/rtkit.if @@ -15,7 +15,6 @@ interface(`rtkit_daemon_domtrans',` @@ -89078,7 +85420,7 @@ index e904ec4..051addd 100644 domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t) ') -@@ -42,56 +41,43 @@ interface(`rtkit_daemon_dbus_chat',` +@@ -42,55 +41,43 @@ interface(`rtkit_daemon_dbus_chat',` ######################################## ## @@ -89102,7 +85444,6 @@ index e904ec4..051addd 100644 - allow rtkit_daemon_t $1:process { getsched setsched }; - -- kernel_search_proc($1) - ps_process_pattern(rtkit_daemon_t, $1) - - optional_policy(` @@ -89151,15 +85492,9 @@ index e904ec4..051addd 100644 + rtkit_daemon_dbus_chat($1) ') diff --git a/rtkit.te b/rtkit.te -index 7eea21f..29a8e9e 100644 +index 3f5a8ef..29a8e9e 100644 --- a/rtkit.te +++ b/rtkit.te -@@ -1,4 +1,4 @@ --policy_module(rtkit, 1.2.0) -+policy_module(rtkit, 1.1.2) - - ######################################## - # @@ -31,8 +31,6 @@ auth_use_nsswitch(rtkit_daemon_t) logging_send_syslog_msg(rtkit_daemon_t) @@ -89187,15 +85522,9 @@ index 0360ff0..e6cb34f 100644 init_labeled_script_domtrans($1, rwho_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rwho.te b/rwho.te -index 7fb75f4..6746952 100644 +index 9927d29..6746952 100644 --- a/rwho.te +++ b/rwho.te -@@ -1,4 +1,4 @@ --policy_module(rwho, 1.7.0) -+policy_module(rwho, 1.6.1) - - ######################################## - # @@ -16,7 +16,7 @@ type rwho_log_t; files_type(rwho_log_t) 
@@ -89333,7 +85662,7 @@ index b8b66ff..d1fa967 100644 +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --git a/samba.if b/samba.if -index 50d07fb..a6bab06 100644 +index aee75af..a6bab06 100644 --- a/samba.if +++ b/samba.if @@ -1,8 +1,12 @@ @@ -89998,7 +86327,7 @@ index 50d07fb..a6bab06 100644 ## ## ## -@@ -684,42 +840,71 @@ interface(`samba_stream_connect_winbind',` +@@ -684,41 +840,71 @@ interface(`samba_stream_connect_winbind',` interface(`samba_admin',` gen_require(` type nmbd_t, nmbd_var_run_t, smbd_var_run_t; @@ -90007,25 +86336,24 @@ index 50d07fb..a6bab06 100644 - type samba_etc_t, samba_share_t, samba_initrc_exec_t; - type swat_var_run_t, swat_tmp_t, winbind_log_t; - type winbind_var_run_t, winbind_tmp_t; -- type smbd_keytab_t; + type smbd_t, smbd_tmp_t, samba_secrets_t; + type samba_initrc_exec_t, samba_log_t, samba_var_t; + type samba_etc_t, samba_share_t, winbind_log_t; + type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t; + type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t; + type samba_unit_file_t; -+ ') -+ + ') + +- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { nmbd_t smbd_t }) + allow $1 smbd_t:process signal_perms; + ps_process_pattern($1, smbd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 smbd_t:process ptrace; + allow $1 nmbd_t:process ptrace; + allow $1 samba_unconfined_script_t:process ptrace; - ') - -- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { nmbd_t smbd_t }) ++ ') ++ + allow $1 nmbd_t:process signal_perms; + ps_process_pattern($1, nmbd_t) + 
@@ -90042,11 +86370,11 @@ index 50d07fb..a6bab06 100644 role_transition $2 samba_initrc_exec_t system_r; allow $2 system_r; +- files_list_etc($1) + admin_pattern($1, nmbd_var_run_t) + -+ admin_pattern($1, samba_etc_t) - files_list_etc($1) -- admin_pattern($1, { samba_etc_t smbd_keytab_t }) + admin_pattern($1, samba_etc_t) ++ files_list_etc($1) + admin_pattern($1, samba_log_t) logging_list_logs($1) @@ -90091,16 +86419,16 @@ index 50d07fb..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..8736764 100644 +index 57c034b..8736764 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ --policy_module(samba, 1.16.3) +-policy_module(samba, 1.15.7) +policy_module(samba, 1.15.0) ################################# # -@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) +@@ -6,100 +6,80 @@ policy_module(samba, 1.15.7) # ## @@ -90255,7 +86583,7 @@ index 2b7c441..8736764 100644 type samba_net_tmp_t; files_tmp_file(samba_net_tmp_t) -@@ -136,25 +119,26 @@ files_type(samba_var_t) +@@ -136,7 +119,7 @@ files_type(samba_var_t) type smbcontrol_t; type smbcontrol_exec_t; application_domain(smbcontrol_t, smbcontrol_exec_t) @@ -90264,11 +86592,7 @@ index 2b7c441..8736764 100644 type smbd_t; type smbd_exec_t; - init_daemon_domain(smbd_t, smbd_exec_t) - --type smbd_keytab_t; --files_type(smbd_keytab_t) -- +@@ -145,13 +128,17 @@ init_daemon_domain(smbd_t, smbd_exec_t) type smbd_tmp_t; files_tmp_file(smbd_tmp_t) @@ -90288,7 +86612,7 @@ index 2b7c441..8736764 100644 type swat_t; type swat_exec_t; -@@ -173,28 +157,29 @@ type winbind_exec_t; +@@ -170,27 +157,29 @@ type winbind_exec_t; init_daemon_domain(winbind_t, winbind_exec_t) type winbind_helper_t; 
@@ -90316,7 +86640,7 @@ index 2b7c441..8736764 100644 # - allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override }; - allow samba_net_t self:capability2 block_suspend; ++allow samba_net_t self:capability2 block_suspend; allow samba_net_t self:process { getsched setsched }; -allow samba_net_t self:unix_stream_socket { accept listen }; +allow samba_net_t self:unix_dgram_socket create_socket_perms; @@ -90326,7 +86650,7 @@ index 2b7c441..8736764 100644 allow samba_net_t samba_etc_t:file read_file_perms; -@@ -210,17 +195,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) +@@ -206,17 +195,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) files_var_filetrans(samba_net_t, samba_var_t, dir, "samba") @@ -90353,7 +86677,7 @@ index 2b7c441..8736764 100644 dev_read_urand(samba_net_t) -@@ -233,15 +223,16 @@ auth_manage_cache(samba_net_t) +@@ -229,15 +223,16 @@ auth_manage_cache(samba_net_t) logging_send_syslog_msg(samba_net_t) @@ -90374,7 +86698,7 @@ index 2b7c441..8736764 100644 ') optional_policy(` -@@ -249,46 +240,56 @@ optional_policy(` +@@ -245,44 +240,56 @@ optional_policy(` ') optional_policy(` @@ -90421,8 +86745,7 @@ index 2b7c441..8736764 100644 -allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms }; +allow smbd_t nmbd_var_run_t:file rw_file_perms; +stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) - --allow smbd_t smbd_keytab_t:file read_file_perms; ++ +allow smbd_t samba_etc_t:file { rw_file_perms setattr }; manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t) 
@@ -90444,7 +86767,7 @@ index 2b7c441..8736764 100644 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) allow smbd_t samba_share_t:filesystem { getattr quotaget }; -@@ -298,20 +299,26 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) +@@ -292,20 +299,26 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) files_var_filetrans(smbd_t, samba_var_t, dir, "samba") @@ -90475,7 +86798,7 @@ index 2b7c441..8736764 100644 kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -321,42 +328,34 @@ kernel_read_kernel_sysctls(smbd_t) +@@ -315,42 +328,34 @@ kernel_read_kernel_sysctls(smbd_t) kernel_read_software_raid_state(smbd_t) kernel_read_system_state(smbd_t) @@ -90530,7 +86853,7 @@ index 2b7c441..8736764 100644 fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) -@@ -366,44 +365,55 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -360,44 +365,55 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) @@ -90597,7 +86920,7 @@ index 2b7c441..8736764 100644 ') tunable_policy(`samba_domain_controller',` -@@ -419,20 +429,10 @@ tunable_policy(`samba_domain_controller',` +@@ -413,20 +429,10 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -90620,7 +86943,7 @@ index 2b7c441..8736764 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -441,6 +441,7 @@ tunable_policy(`samba_share_nfs',` +@@ -435,6 +441,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -90628,7 +86951,7 @@ index 2b7c441..8736764 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -448,17 +449,6 @@ tunable_policy(`samba_share_fusefs',` +@@ -442,17 +449,6 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') 
@@ -90646,7 +86969,7 @@ index 2b7c441..8736764 100644 optional_policy(` ccs_read_config(smbd_t) ') -@@ -466,6 +456,7 @@ optional_policy(` +@@ -460,6 +456,7 @@ optional_policy(` optional_policy(` ctdbd_stream_connect(smbd_t) ctdbd_manage_lib_files(smbd_t) @@ -90654,22 +86977,19 @@ index 2b7c441..8736764 100644 ') optional_policy(` -@@ -474,8 +465,13 @@ optional_policy(` +@@ -473,6 +470,11 @@ optional_policy(` ') optional_policy(` -- kerberos_read_keytab(smbd_t) - kerberos_use(smbd_t) -+ kerberos_keytab_template(smbd, smbd_t) ++ ldap_stream_connect(smbd_t) ++ dirsrv_stream_connect(smbd_t) +') + +optional_policy(` -+ ldap_stream_connect(smbd_t) -+ dirsrv_stream_connect(smbd_t) + lpd_exec_lpr(smbd_t) ') - optional_policy(` -@@ -488,6 +484,10 @@ optional_policy(` +@@ -482,6 +484,10 @@ optional_policy(` ') optional_policy(` @@ -90680,7 +87000,7 @@ index 2b7c441..8736764 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -499,9 +499,36 @@ optional_policy(` +@@ -493,9 +499,36 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -90718,7 +87038,7 @@ index 2b7c441..8736764 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -512,9 +539,11 @@ allow nmbd_t self:msg { send receive }; +@@ -506,9 +539,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -90733,7 +87053,7 @@ index 2b7c441..8736764 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -520,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) 
@@ -90757,7 +87077,7 @@ index 2b7c441..8736764 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -548,52 +572,42 @@ kernel_read_network_state(nmbd_t) +@@ -542,52 +572,42 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -90806,14 +87126,14 @@ index 2b7c441..8736764 100644 - userdom_use_unpriv_users_fds(nmbd_t) -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) -+userdom_dontaudit_search_user_home_dirs(nmbd_t) - +- -tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(nmbd_t) - files_list_non_auth_dirs(nmbd_t) - files_read_non_auth_files(nmbd_t) -') -- ++userdom_dontaudit_search_user_home_dirs(nmbd_t) + -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(nmbd_t) - files_manage_non_auth_files(nmbd_t) @@ -90824,7 +87144,7 @@ index 2b7c441..8736764 100644 ') optional_policy(` -@@ -606,20 +620,26 @@ optional_policy(` +@@ -600,19 +620,26 @@ optional_policy(` ######################################## # @@ -90844,19 +87164,19 @@ index 2b7c441..8736764 100644 -read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t }) +allow smbcontrol_t nmbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t) - --manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) ++ +allow smbcontrol_t smbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t) +allow smbcontrol_t winbind_t:process { signal signull }; +files_search_var_lib(smbcontrol_t) samba_read_config(smbcontrol_t) +-samba_rw_var_files(smbcontrol_t) +manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) samba_search_var(smbcontrol_t) samba_read_winbind_pid(smbcontrol_t) -@@ -627,16 +647,12 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -620,16 +647,12 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) 
@@ -90874,7 +87194,7 @@ index 2b7c441..8736764 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +660,23 @@ optional_policy(` +@@ -637,22 +660,23 @@ optional_policy(` ######################################## # @@ -90906,7 +87226,7 @@ index 2b7c441..8736764 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +685,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -661,26 +685,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -90942,7 +87262,7 @@ index 2b7c441..8736764 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +712,77 @@ fs_read_cifs_files(smbmount_t) +@@ -692,58 +712,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -91034,7 +87354,7 @@ index 2b7c441..8736764 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +791,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -752,17 +791,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -91058,7 +87378,7 @@ index 2b7c441..8736764 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +805,25 @@ kernel_read_network_state(swat_t) +@@ -770,36 +805,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -91101,7 +87421,7 @@ index 2b7c441..8736764 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +835,11 @@ logging_send_syslog_msg(swat_t) +@@ -811,10 +835,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) 
@@ -91115,7 +87435,7 @@ index 2b7c441..8736764 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +858,20 @@ optional_policy(` +@@ -833,17 +858,20 @@ optional_policy(` # Winbind local policy # @@ -91141,7 +87461,7 @@ index 2b7c441..8736764 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +881,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +881,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -91152,7 +87472,7 @@ index 2b7c441..8736764 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,23 +892,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -866,23 +892,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -91182,7 +87502,7 @@ index 2b7c441..8736764 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -898,13 +915,17 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +915,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -91203,7 +87523,7 @@ index 2b7c441..8736764 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,10 +933,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +933,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) 
@@ -91214,7 +87534,7 @@ index 2b7c441..8736764 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -924,26 +941,43 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,26 +941,43 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -91260,7 +87580,7 @@ index 2b7c441..8736764 100644 ') optional_policy(` -@@ -959,31 +993,29 @@ optional_policy(` +@@ -952,31 +993,29 @@ optional_policy(` # Winbind helper local policy # @@ -91298,7 +87618,7 @@ index 2b7c441..8736764 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1029,38 @@ optional_policy(` +@@ -990,25 +1029,38 @@ optional_policy(` ######################################## # @@ -91351,15 +87671,9 @@ index 2b7c441..8736764 100644 + can_exec(smbd_t, samba_unconfined_script_exec_t) ') diff --git a/sambagui.te b/sambagui.te -index e18b0a2..9c40dbd 100644 +index d9f8784..9c40dbd 100644 --- a/sambagui.te +++ b/sambagui.te -@@ -1,4 +1,4 @@ --policy_module(sambagui, 1.2.0) -+policy_module(sambagui, 1.1.2) - - ######################################## - # @@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t) dev_dontaudit_read_urand(sambagui_t) @@ -91400,15 +87714,9 @@ index f0236d6..78a792a 100644 ######################################## diff --git a/samhain.te b/samhain.te -index c41ce4b..bd9a4c7 100644 +index 931312b..bd9a4c7 100644 --- a/samhain.te +++ b/samhain.te -@@ -1,4 +1,4 @@ --policy_module(samhain, 1.2.0) -+policy_module(samhain, 1.1.1) - - ######################################## - # @@ -88,8 +88,6 @@ auth_read_login_records(samhain_domain) init_read_utmp(samhain_domain) @@ -92666,16 +88974,16 @@ index cd6c213..34b861a 100644 + allow $1 sanlock_unit_file_t:service all_service_perms; ') diff --git a/sanlock.te b/sanlock.te -index 0045465..e19c914 100644 +index a34eac4..e19c914 100644 --- a/sanlock.te +++ b/sanlock.te 
@@ -1,4 +1,4 @@ --policy_module(sanlock, 1.1.0) +-policy_module(sanlock, 1.0.2) +policy_module(sanlock,1.0.0) ######################################## # -@@ -6,21 +6,26 @@ policy_module(sanlock, 1.1.0) +@@ -6,21 +6,26 @@ policy_module(sanlock, 1.0.2) # ## @@ -92834,7 +89142,7 @@ index 54f41c2..7e58679 100644 +/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) /var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) diff --git a/sasl.if b/sasl.if -index 8c3c151..3e6a93f 100644 +index b2f388a..3e6a93f 100644 --- a/sasl.if +++ b/sasl.if @@ -1,4 +1,4 @@ @@ -92854,12 +89162,11 @@ index 8c3c151..3e6a93f 100644 ## ## ## -@@ -38,21 +38,21 @@ interface(`sasl_connect',` +@@ -38,11 +38,15 @@ interface(`sasl_connect',` # interface(`sasl_admin',` gen_require(` - type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t; -- type saslauthd_keytab_t; + type saslauthd_t, saslauthd_var_run_t; + type saslauthd_initrc_exec_t; ') @@ -92873,26 +89180,17 @@ index 8c3c151..3e6a93f 100644 init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) domain_system_change_exemption($1) - role_transition $2 saslauthd_initrc_exec_t system_r; - allow $2 system_r; - -- files_list_etc($1) -- admin_pattern($1, saslauthd_keytab_t) -- - files_list_pids($1) - admin_pattern($1, saslauthd_var_run_t) - ') diff --git a/sasl.te b/sasl.te -index 6c3bc20..1c9e41b 100644 +index a63b875..1c9e41b 100644 --- a/sasl.te +++ b/sasl.te @@ -1,4 +1,4 @@ --policy_module(sasl, 1.15.1) +-policy_module(sasl, 1.14.3) +policy_module(sasl, 1.14.0) ######################################## # -@@ -6,12 +6,11 @@ policy_module(sasl, 1.15.1) +@@ -6,12 +6,11 @@ policy_module(sasl, 1.14.3) # ## 
@@ -92909,30 +89207,18 @@ index 6c3bc20..1c9e41b 100644 type saslauthd_t; type saslauthd_exec_t; -@@ -20,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t) - type saslauthd_initrc_exec_t; - init_script_file(saslauthd_initrc_exec_t) - --type saslauthd_keytab_t; --files_type(saslauthd_keytab_t) -- - type saslauthd_var_run_t; - files_pid_file(saslauthd_var_run_t) - -@@ -35,9 +31,9 @@ allow saslauthd_t self:capability { setgid setuid sys_nice }; +@@ -32,7 +31,9 @@ allow saslauthd_t self:capability { setgid setuid sys_nice }; dontaudit saslauthd_t self:capability sys_tty_config; allow saslauthd_t self:process { setsched signal_perms }; allow saslauthd_t self:fifo_file rw_fifo_file_perms; -allow saslauthd_t self:unix_stream_socket { accept listen }; -- --allow saslauthd_t saslauthd_keytab_t:file read_file_perms; +allow saslauthd_t self:unix_dgram_socket create_socket_perms; +allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; +allow saslauthd_t self:tcp_socket create_socket_perms; manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) -@@ -48,29 +44,20 @@ kernel_read_kernel_sysctls(saslauthd_t) +@@ -43,29 +44,20 @@ kernel_read_kernel_sysctls(saslauthd_t) kernel_read_system_state(saslauthd_t) kernel_rw_afs_state(saslauthd_t) @@ -92968,7 +89254,7 @@ index 6c3bc20..1c9e41b 100644 fs_getattr_all_fs(saslauthd_t) fs_search_auto_mountpoints(saslauthd_t) -@@ -78,34 +65,37 @@ selinux_compute_access_vector(saslauthd_t) +@@ -73,33 +65,37 @@ selinux_compute_access_vector(saslauthd_t) auth_use_pam(saslauthd_t) 
@@ -93000,12 +89286,10 @@ index 6c3bc20..1c9e41b 100644 ') optional_policy(` -- kerberos_read_keytab(saslauthd_t) ++ kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0") + kerberos_keytab_template(saslauthd, saslauthd_t) - kerberos_manage_host_rcache(saslauthd_t) - kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0") -- kerberos_use(saslauthd_t) -+ kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0") -+ kerberos_keytab_template(saslauthd, saslauthd_t) ') optional_policy(` @@ -93225,16 +89509,10 @@ index 98c9e0a..562666e 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 299756b..21c15bb 100644 +index 4a23d84..21c15bb 100644 --- a/sblim.te +++ b/sblim.te -@@ -1,4 +1,4 @@ --policy_module(sblim, 1.1.0) -+policy_module(sblim, 1.0.3) - - ######################################## - # -@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0) +@@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3) attribute sblim_domain; @@ -93383,13 +89661,12 @@ index 299756b..21c15bb 100644 + rpm_dontaudit_manage_db(sblim_sfcbd_t) +') diff --git a/screen.fc b/screen.fc -index e7c2cf7..b73334e 100644 +index ac04d27..b73334e 100644 --- a/screen.fc +++ b/screen.fc -@@ -1,9 +1,19 @@ +@@ -1,8 +1,19 @@ -HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) -HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) --HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0) +# +# /home +# @@ -93414,7 +89691,7 @@ index e7c2cf7..b73334e 100644 +/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff --git a/screen.if b/screen.if -index be5cce2..4dd623e 100644 +index c21ddcc..4dd623e 100644 --- a/screen.if +++ b/screen.if @@ -1,4 +1,4 @@ 
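Review bot: The new-side kerberos block in sasl.te replaces the three-argument `kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0")` with the two-argument `kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")`, so this hunk only builds against a kerberos.if that defines the two-argument signature, and that definition is not in the hunk — presumably it is carried elsewhere in the same patch set, which is worth confirming before the rebase lands. A why-comment on the added call, `# two-argument kerberos_tmp_filetrans_host_rcache: this tree's kerberos.if, not upstream's three-argument form`, would keep a later rebase from reintroducing the dropped calls. The `optional_policy` block closes inside the hunk, but the rest of saslauthd_t's policy is outside it.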
@@ -93435,7 +89712,7 @@ index be5cce2..4dd623e 100644 ') ######################################## -@@ -35,50 +34,48 @@ template(`screen_role_template',` +@@ -35,49 +34,48 @@ template(`screen_role_template',` # type $1_screen_t, screen_domain; @@ -93479,7 +89756,6 @@ index be5cce2..4dd623e 100644 - - userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen") - userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc") -- userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf") + manage_fifo_files_pattern($3, screen_home_t, screen_home_t) + manage_dirs_pattern($3, screen_home_t, screen_home_t) + manage_files_pattern($3, screen_home_t, screen_home_t) @@ -93510,7 +89786,7 @@ index be5cce2..4dd623e 100644 tunable_policy(`use_samba_home_dirs',` fs_cifs_domtrans($1_screen_t, $3) -@@ -88,3 +85,41 @@ template(`screen_role_template',` +@@ -87,3 +85,41 @@ template(`screen_role_template',` fs_nfs_domtrans($1_screen_t, $3) ') ') @@ -93553,11 +89829,11 @@ index be5cce2..4dd623e 100644 +') + diff --git a/screen.te b/screen.te -index 5466a73..ee69aa7 100644 +index f095081..ee69aa7 100644 --- a/screen.te +++ b/screen.te @@ -1,13 +1,11 @@ --policy_module(screen, 2.6.0) +-policy_module(screen, 2.5.3) +policy_module(screen, 2.5.0) ######################################## @@ -93584,7 +89860,7 @@ index 5466a73..ee69aa7 100644 type screen_var_run_t; typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; -@@ -30,34 +23,35 @@ ubac_constrained(screen_var_run_t) +@@ -30,33 +23,35 @@ ubac_constrained(screen_var_run_t) ######################################## # 
@@ -93599,13 +89875,12 @@ index 5466a73..ee69aa7 100644 -allow screen_domain self:fd use; allow screen_domain self:fifo_file rw_fifo_file_perms; -allow screen_domain self:tcp_socket { accept listen }; --allow screen_domain self:unix_stream_socket { accept connectto listen }; +-allow screen_domain self:unix_stream_socket connectto; - -manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t) -manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t) -manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t) -files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir }) --filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file) +allow screen_domain self:tcp_socket create_stream_socket_perms; +allow screen_domain self:udp_socket create_socket_perms; +# Internal screen networking @@ -93634,7 +89909,7 @@ index 5466a73..ee69aa7 100644 kernel_read_kernel_sysctls(screen_domain) corecmd_list_bin(screen_domain) -@@ -66,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain) +@@ -65,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain) corecmd_read_bin_pipes(screen_domain) corecmd_read_bin_sockets(screen_domain) @@ -93742,16 +90017,16 @@ index c78a569..9007451 100644 - allow sectoolm_t $2:unix_dgram_socket sendto; -') diff --git a/sectoolm.te b/sectoolm.te -index 4bc8c13..b6a0bbd 100644 +index 8193bf1..b6a0bbd 100644 --- a/sectoolm.te +++ b/sectoolm.te @@ -1,4 +1,4 @@ --policy_module(sectoolm, 1.1.0) +-policy_module(sectoolm, 1.0.1) +policy_module(sectoolm, 1.0.0) ######################################## # -@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.1.0) +@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.0.1) type sectoolm_t; type sectoolm_exec_t; @@ -93859,7 +90134,7 @@ index d14b6bf..da5d41d 100644 +/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) +/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) 
diff --git a/sendmail.if b/sendmail.if -index 35ad2a7..133d993 100644 +index 88e753f..133d993 100644 --- a/sendmail.if +++ b/sendmail.if @@ -1,4 +1,4 @@ @@ -94046,10 +90321,9 @@ index 35ad2a7..133d993 100644 ######################################## ## -## Execute sendmail in the unconfined sendmail domain. -+## Set the attributes of sendmail pid files. - ## - ## - ## +-## +-## +-## -## Domain allowed to transition. -## -## @@ -94072,9 +90346,10 @@ index 35ad2a7..133d993 100644 -## sendmail domain, and allow the -## specified role the unconfined -## sendmail domain. --## --## --## ++## Set the attributes of sendmail pid files. + ## + ## + ## -## Domain allowed to transition. -## -## @@ -94108,12 +90383,11 @@ index 35ad2a7..133d993 100644 ## ## ## -@@ -353,20 +304,20 @@ interface(`sendmail_run_unconfined',` +@@ -353,13 +304,17 @@ interface(`sendmail_run_unconfined',` interface(`sendmail_admin',` gen_require(` type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; - type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t; -- type sendmail_keytab_t; + type sendmail_tmp_t, sendmail_var_run_t; + type mail_spool_t; ') @@ -94131,13 +90405,7 @@ index 35ad2a7..133d993 100644 domain_system_change_exemption($1) role_transition $2 sendmail_initrc_exec_t system_r; -- files_list_etc($1) -- admin_pattern($1, sendmail_keytab_t) -- - logging_list_logs($1) - admin_pattern($1, sendmail_log_t) - -@@ -376,6 +327,6 @@ interface(`sendmail_admin',` +@@ -372,6 +327,6 @@ interface(`sendmail_admin',` files_list_pids($1) admin_pattern($1, sendmail_var_run_t) @@ -94147,11 +90415,11 @@ index 35ad2a7..133d993 100644 + admin_pattern($1, mail_spool_t) ') diff --git a/sendmail.te b/sendmail.te -index 12700b4..65aed74 100644 +index 5f35d78..65aed74 100644 --- a/sendmail.te +++ b/sendmail.te -@@ -1,21 +1,10 @@ --policy_module(sendmail, 1.12.1) +@@ -1,18 +1,10 @@ +-policy_module(sendmail, 1.11.5) +policy_module(sendmail, 1.11.0) ######################################## 
@@ -94167,13 +90435,10 @@ index 12700b4..65aed74 100644 -type sendmail_initrc_exec_t; -init_script_file(sendmail_initrc_exec_t) - --type sendmail_keytab_t; --files_type(sendmail_keytab_t) -- type sendmail_log_t; logging_log_file(sendmail_log_t) -@@ -29,29 +18,27 @@ type sendmail_t; +@@ -26,27 +18,27 @@ type sendmail_t; mta_sendmail_mailserver(sendmail_t) mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -94199,8 +90464,6 @@ index 12700b4..65aed74 100644 allow sendmail_t self:fifo_file rw_fifo_file_perms; -allow sendmail_t self:unix_stream_socket { accept listen }; -allow sendmail_t self:tcp_socket { accept listen }; -- --allow sendmail_t sendmail_keytab_t:file read_file_perms; +allow sendmail_t self:unix_stream_socket create_stream_socket_perms; +allow sendmail_t self:unix_dgram_socket create_socket_perms; +allow sendmail_t self:tcp_socket create_stream_socket_perms; @@ -94215,7 +90478,7 @@ index 12700b4..65aed74 100644 logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir }) manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) -@@ -63,33 +50,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) +@@ -58,33 +50,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) kernel_read_network_state(sendmail_t) kernel_read_kernel_sysctls(sendmail_t) @@ -94253,7 +90516,7 @@ index 12700b4..65aed74 100644 fs_getattr_all_fs(sendmail_t) fs_search_auto_mountpoints(sendmail_t) -@@ -98,35 +73,49 @@ fs_rw_anon_inodefs_files(sendmail_t) +@@ -93,35 +73,49 @@ fs_rw_anon_inodefs_files(sendmail_t) term_dontaudit_use_console(sendmail_t) term_dontaudit_use_generic_ptys(sendmail_t) @@ -94309,7 +90572,7 @@ index 12700b4..65aed74 100644 ') optional_policy(` -@@ -134,8 +123,8 @@ optional_policy(` +@@ -129,8 +123,8 @@ optional_policy(` ') optional_policy(` 
@@ -94320,21 +90583,15 @@ index 12700b4..65aed74 100644 ') optional_policy(` -@@ -159,8 +148,11 @@ optional_policy(` +@@ -158,14 +152,27 @@ optional_policy(` ') optional_policy(` -- kerberos_read_keytab(sendmail_t) -- kerberos_use(sendmail_t) -+ kerberos_keytab_template(sendmail, sendmail_t) ++ inn_write_inherited_news_lib(sendmail_t) +') + +optional_policy(` -+ inn_write_inherited_news_lib(sendmail_t) - ') - - optional_policy(` -@@ -168,10 +160,19 @@ optional_policy(` + milter_stream_connect_all(sendmail_t) ') optional_policy(` @@ -94354,7 +90611,7 @@ index 12700b4..65aed74 100644 postfix_domtrans_postdrop(sendmail_t) postfix_domtrans_master(sendmail_t) postfix_domtrans_postqueue(sendmail_t) -@@ -193,21 +194,13 @@ optional_policy(` +@@ -187,21 +194,13 @@ optional_policy(` ') optional_policy(` @@ -94657,16 +90914,16 @@ index 3a9a70b..903109c 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index ce67935..0f1e101 100644 +index 49b12ae..0f1e101 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -1,4 +1,4 @@ --policy_module(setroubleshoot, 1.12.1) +-policy_module(setroubleshoot, 1.11.2) +policy_module(setroubleshoot, 1.11.0) ######################################## # -@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1) +@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.11.2) type setroubleshootd_t alias setroubleshoot_t; type setroubleshootd_exec_t; 
@@ -94767,7 +91024,15 @@ index ce67935..0f1e101 100644 files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) -@@ -109,27 +117,24 @@ init_read_utmp(setroubleshootd_t) +@@ -101,33 +109,32 @@ selinux_read_policy(setroubleshootd_t) + term_dontaudit_use_all_ptys(setroubleshootd_t) + term_dontaudit_use_all_ttys(setroubleshootd_t) + ++mls_dbus_recv_all_levels(setroubleshootd_t) ++ + auth_use_nsswitch(setroubleshootd_t) + + init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) libs_exec_ld_so(setroubleshootd_t) @@ -94800,7 +91065,7 @@ index ce67935..0f1e101 100644 ') optional_policy(` -@@ -137,10 +142,18 @@ optional_policy(` +@@ -135,10 +142,18 @@ optional_policy(` ') optional_policy(` @@ -94819,7 +91084,7 @@ index ce67935..0f1e101 100644 rpm_exec(setroubleshootd_t) rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) -@@ -150,26 +163,36 @@ optional_policy(` +@@ -148,26 +163,36 @@ optional_policy(` ######################################## # @@ -94858,7 +91123,7 @@ index ce67935..0f1e101 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -177,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -175,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) @@ -95319,15 +91584,9 @@ index 1aeef8a..d5ce40a 100644 admin_pattern($1, shorewall_etc_t) diff --git a/shorewall.te b/shorewall.te -index 7710b9f..e0ebb61 100644 +index ca03de6..e0ebb61 100644 --- a/shorewall.te +++ b/shorewall.te -@@ -1,4 +1,4 @@ --policy_module(shorewall, 1.4.0) -+policy_module(shorewall, 1.3.5) - - ######################################## - # @@ -34,6 +34,7 @@ logging_log_file(shorewall_log_t) allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin }; @@ -95547,15 +91806,9 @@ index d1706bf..87ab4a7 100644 ## ## 
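Review bot: `++mls_dbus_recv_all_levels(setroubleshootd_t)` in the new inner hunk `+@@ -101,33 +109,32 @@` widens the daemon's D-Bus receive to every MLS level without a comment giving the reason, while the other lines in this outer hunk are plain rebase shifts. A cross-level receive is exactly the grant an MLS reviewer will ask about, so a one-line why-comment such as `# MLS: denial reports reach setroubleshootd over D-Bus from clients at any level — TODO confirm` documents the intent, and if the daemon only serves callers at its own level the grant can be dropped. This is a top-level .te statement, so there is no enclosing block; the surrounding setroubleshootd_t rules lie outside the hunk.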
diff --git a/shutdown.te b/shutdown.te -index e2544e1..8804935 100644 +index 7880d1f..8804935 100644 --- a/shutdown.te +++ b/shutdown.te -@@ -1,4 +1,4 @@ --policy_module(shutdown, 1.2.0) -+policy_module(shutdown, 1.1.2) - - ######################################## - # @@ -44,7 +44,7 @@ files_read_generic_pids(shutdown_t) mls_file_write_to_clearance(shutdown_t) @@ -95592,56 +91845,20 @@ index e2544e1..8804935 100644 xserver_dontaudit_write_log(shutdown_t) + xserver_xdm_append_log(shutdown_t) ') -diff --git a/slocate.fc b/slocate.fc -index 5844628..6eede98 100644 ---- a/slocate.fc -+++ b/slocate.fc -@@ -1,7 +1,3 @@ --/etc/cron\.daily/[sm]locate -- gen_context(system_u:object_r:locate_exec_t,s0) -- --/usr/bin/updatedb.* -- gen_context(system_u:object_r:locate_exec_t,s0) -+/usr/bin/updatedb -- gen_context(system_u:object_r:locate_exec_t, s0) - - /var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0) -- --/var/run/mlocate\.daily\.lock -- gen_context(system_u:object_r:locate_var_run_t,s0) diff --git a/slocate.te b/slocate.te -index 7292dc0..f2745d2 100644 +index ba26427..f2745d2 100644 --- a/slocate.te 
+++ b/slocate.te -@@ -1,4 +1,4 @@ --policy_module(slocate, 1.12.2) -+policy_module(slocate, 1.11.1) - - ################################# - # -@@ -12,9 +12,6 @@ init_system_domain(locate_t, locate_exec_t) - type locate_var_lib_t; - files_type(locate_var_lib_t) - --type locate_var_run_t; --files_pid_file(locate_var_run_t) -- - ######################################## +@@ -18,7 +18,7 @@ files_type(locate_var_lib_t) # - # Local policy -@@ -28,24 +25,22 @@ allow locate_t self:unix_stream_socket create_socket_perms; - manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) - manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) - --allow locate_t locate_var_run_t:file manage_file_perms; --files_pid_filetrans(locate_t, locate_var_run_t, file, "mlocate.daily.lock") -- --can_exec(locate_t, locate_exec_t) -- - kernel_read_system_state(locate_t) - kernel_dontaudit_search_network_state(locate_t) - kernel_dontaudit_search_sysctl(locate_t) - corecmd_exec_bin(locate_t) --corecmd_exec_shell(locate_t) + allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; +-allow locate_t self:process { execmem execheap execstack signal }; ++allow locate_t self:process { execmem execheap execstack signal setsched }; + allow locate_t self:fifo_file rw_fifo_file_perms; + allow locate_t self:unix_stream_socket create_socket_perms; - dev_getattr_all_blk_files(locate_t) +@@ -35,8 +35,12 @@ dev_getattr_all_blk_files(locate_t) dev_getattr_all_chr_files(locate_t) files_list_all(locate_t) @@ -95654,7 +91871,7 @@ index 7292dc0..f2745d2 100644 files_getattr_all_pipes(locate_t) files_getattr_all_sockets(locate_t) files_read_etc_runtime_files(locate_t) -@@ -62,7 +57,6 @@ fs_read_noxattr_fs_symlinks(locate_t) +@@ -53,7 +57,6 @@ fs_read_noxattr_fs_symlinks(locate_t) auth_use_nsswitch(locate_t) 
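Review bot: The new inner hunk `+@@ -18,7 +18,7 @@` rewrites the locate_t process rule as `allow locate_t self:process { execmem execheap execstack signal setsched };`, carrying `execmem execheap execstack` forward alongside the added `setsched` with no comment saying why an indexing job needs executable heap and stack. Those three permissions disable W^X for the domain, so a why-comment on the line, `# execmem/execheap/execstack: required by <TODO: name the updatedb build that needs them>`, or splitting them into their own documented rule, would make the grant reviewable and easy to drop once it is no longer needed. These are top-level .te statements; the remainder of slocate.te's local policy is outside this hunk.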
@@ -95662,7 +91879,7 @@ index 7292dc0..f2745d2 100644 ifdef(`enable_mls',` files_dontaudit_getattr_all_dirs(locate_t) -@@ -71,3 +65,8 @@ ifdef(`enable_mls',` +@@ -62,3 +65,8 @@ ifdef(`enable_mls',` optional_policy(` cron_system_entry(locate_t, locate_exec_t) ') @@ -95740,15 +91957,9 @@ index ca32e89..98278dd 100644 + ') diff --git a/slpd.te b/slpd.te -index 731512a..5efa3fd 100644 +index 66ac42a..5efa3fd 100644 --- a/slpd.te +++ b/slpd.te -@@ -1,4 +1,4 @@ --policy_module(slpd, 1.1.0) -+policy_module(slpd, 1.0.3) - - ######################################## - # @@ -23,7 +23,7 @@ files_pid_file(slpd_var_run_t) # Local policy # @@ -95783,15 +91994,9 @@ index 731512a..5efa3fd 100644 + +sysnet_dns_name_resolve(slpd_t) diff --git a/slrnpull.te b/slrnpull.te -index 59eb07f..3dfc982 100644 +index 5437237..3dfc982 100644 --- a/slrnpull.te +++ b/slrnpull.te -@@ -1,4 +1,4 @@ --policy_module(slrnpull, 1.5.0) -+policy_module(slrnpull, 1.4.1) - - ######################################## - # @@ -13,7 +13,7 @@ type slrnpull_var_run_t; files_pid_file(slrnpull_var_run_t) @@ -95818,16 +92023,6 @@ index 59eb07f..3dfc982 100644 userdom_dontaudit_use_unpriv_user_fds(slrnpull_t) userdom_dontaudit_search_user_home_dirs(slrnpull_t) -diff --git a/smartmon.fc b/smartmon.fc -index 36e908f..2c29fc5 100644 ---- a/smartmon.fc -+++ b/smartmon.fc -@@ -1,4 +1,4 @@ --/etc/rc\.d/init\.d/(smartd|smartmontools) -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/((smartd)|(smartmontools)) -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0) - - /usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0) - diff --git a/smartmon.if b/smartmon.if index e0644b5..ea347cc 100644 --- a/smartmon.if @@ -95848,15 +92043,9 @@ index e0644b5..ea347cc 100644 domain_system_change_exemption($1) role_transition $2 fsdaemon_initrc_exec_t system_r; diff --git a/smartmon.te b/smartmon.te -index 9cf6582..60d6c41 100644 +index 9ade9c5..60d6c41 100644 --- a/smartmon.te 
+++ b/smartmon.te -@@ -1,4 +1,4 @@ --policy_module(smartmon, 1.12.0) -+policy_module(smartmon, 1.11.3) - - ######################################## - # @@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t) corecmd_exec_all_executables(fsdaemon_t) @@ -95943,15 +92132,9 @@ index 1fa51c1..82e111c 100644 smokeping_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/smokeping.te b/smokeping.te -index ec031a0..4689a59 100644 +index a8b1aaf..4689a59 100644 --- a/smokeping.te +++ b/smokeping.te -@@ -1,4 +1,4 @@ --policy_module(smokeping, 1.2.0) -+policy_module(smokeping, 1.1.2) - - ######################################## - # @@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t) # @@ -95988,23 +92171,10 @@ index ec031a0..4689a59 100644 sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) netutils_domtrans_ping(httpd_smokeping_cgi_script_t) -diff --git a/smoltclient.fc b/smoltclient.fc -index 1ff2958..27ddf8d 100644 ---- a/smoltclient.fc -+++ b/smoltclient.fc -@@ -1 +1 @@ --/usr/share/smolt/client/sendProfile\.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0) -+/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0) diff --git a/smoltclient.te b/smoltclient.te -index b3f2c6f..d8d4623 100644 +index 9c8f9a5..d8d4623 100644 --- a/smoltclient.te +++ b/smoltclient.te -@@ -1,4 +1,4 @@ --policy_module(smoltclient, 1.2.0) -+policy_module(smoltclient, 1.1.1) - - ######################################## - # @@ -40,6 +40,7 @@ corenet_tcp_sendrecv_generic_node(smoltclient_t) corenet_sendrecv_http_client_packets(smoltclient_t) 
@@ -96381,18 +92551,6 @@ index 0000000..1fad7b8 +logging_send_syslog_msg(smsd_t) + +sysnet_dns_name_resolve(smsd_t) -diff --git a/smstools.fc b/smstools.fc -index 4afc690..8e7d825 100644 ---- a/smstools.fc -+++ b/smstools.fc -@@ -1,6 +1,6 @@ - /etc/smsd\.conf -- gen_context(system_u:object_r:smsd_conf_t,s0) - --/etc/rc\.d/init\.d/(smsd|smstools) -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/((smsd)|(smstools)) -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0) - - /usr/sbin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0) - diff --git a/smstools.if b/smstools.if index cbfe369..6594af3 100644 --- a/smstools.if @@ -96640,12 +92798,11 @@ index 0000000..3591c8e + unconfined_domain(snapperd_t) +') diff --git a/snmp.fc b/snmp.fc -index 2f0a2f2..50d80f4 100644 +index c73fa24..50d80f4 100644 --- a/snmp.fc +++ b/snmp.fc @@ -1,6 +1,6 @@ --/etc/rc\.d/init\.d/(snmpd|snmptrapd) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/((snmpd)|(snmptrapd)) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) + /etc/rc\.d/init\.d/((snmpd)|(snmptrapd)) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) -/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0) +/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0) @@ -96782,15 +92939,9 @@ index 7a9cc9d..86cbca9 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 9dcaeb8..e0f790d 100644 +index 81864ce..e0f790d 100644 --- a/snmp.te +++ b/snmp.te -@@ -1,4 +1,4 @@ --policy_module(snmp, 1.14.0) -+policy_module(snmp, 1.13.4) - - ######################################## - # @@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t) # 
@@ -96886,20 +93037,6 @@ index 9dcaeb8..e0f790d 100644 mta_search_queue(snmpd_t) ') -diff --git a/snort.fc b/snort.fc -index 591b9a1..24a8e1b 100644 ---- a/snort.fc -+++ b/snort.fc -@@ -3,8 +3,8 @@ - /etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0) - - /usr/bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) --/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) - -+/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) - /usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0) - - /var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) diff --git a/snort.if b/snort.if index 7d86b34..5f58180 100644 --- a/snort.if @@ -96933,15 +93070,9 @@ index 7d86b34..5f58180 100644 + files_list_pids($1) ') diff --git a/snort.te b/snort.te -index 1af72df..6e335a9 100644 +index ccd28bb..6e335a9 100644 --- a/snort.te +++ b/snort.te -@@ -1,4 +1,4 @@ --policy_module(snort, 1.11.0) -+policy_module(snort, 1.10.1) - - ######################################## - # @@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t) allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; dontaudit snort_t self:capability sys_tty_config; @@ -97011,25 +93142,10 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index f2f507d..08a6332 100644 +index 703efa3..08a6332 100644 --- a/sosreport.te +++ b/sosreport.te -@@ -1,4 +1,4 @@ --policy_module(sosreport, 1.3.1) -+policy_module(sosreport, 1.2.2) - - ######################################## - # -@@ -13,15 +13,15 @@ type sosreport_exec_t; - application_domain(sosreport_t, sosreport_exec_t) - role sosreport_roles types sosreport_t; - --type sosreport_var_run_t; --files_pid_file(sosreport_var_run_t) -- - type sosreport_tmp_t; - files_tmp_file(sosreport_tmp_t) - +@@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t) type sosreport_tmpfs_t; files_tmpfs_file(sosreport_tmpfs_t) 
@@ -97039,14 +93155,14 @@ index f2f507d..08a6332 100644 optional_policy(` pulseaudio_tmpfs_content(sosreport_tmpfs_t) ') -@@ -31,12 +31,14 @@ optional_policy(` +@@ -28,11 +31,14 @@ optional_policy(` # Local policy # -allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; -+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override chown }; - dontaudit sosreport_t self:capability sys_ptrace; -allow sosreport_t self:process { setsched signull }; ++allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override chown }; ++dontaudit sosreport_t self:capability sys_ptrace; +allow sosreport_t self:process { setpgid setsched signal_perms }; allow sosreport_t self:fifo_file rw_fifo_file_perms; allow sosreport_t self:tcp_socket { accept listen }; 
@@ -97056,24 +93172,20 @@ index f2f507d..08a6332 100644 manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) -@@ -44,20 +46,32 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) +@@ -40,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file") files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir }) --manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) --fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file) -- - manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) - manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) - manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) - manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) - files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file }) - -+manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) -+fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file) ++manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file }) + - kernel_read_network_state(sosreport_t) - kernel_read_all_sysctls(sosreport_t) + manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) + fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file) + +@@ -48,6 +60,18 @@ kernel_read_all_sysctls(sosreport_t) kernel_read_software_raid_state(sosreport_t) kernel_search_debugfs(sosreport_t) kernel_read_messages(sosreport_t) 
@@ -97092,17 +93204,25 @@ index f2f507d..08a6332 100644 corecmd_exec_all_executables(sosreport_t) -@@ -69,6 +83,9 @@ dev_read_urand(sosreport_t) +@@ -58,6 +82,10 @@ dev_read_rand(sosreport_t) + dev_read_urand(sosreport_t) dev_read_raw_memory(sosreport_t) dev_read_sysfs(sosreport_t) - dev_rw_generic_usb_dev(sosreport_t) ++dev_rw_generic_usb_dev(sosreport_t) +dev_rw_lvm_control(sosreport_t) +dev_getattr_all_chr_files(sosreport_t) +dev_getattr_all_blk_files(sosreport_t) domain_getattr_all_domains(sosreport_t) domain_read_all_domains_state(sosreport_t) -@@ -83,7 +100,6 @@ files_list_all(sosreport_t) +@@ -65,12 +93,13 @@ domain_getattr_all_sockets(sosreport_t) + domain_getattr_all_pipes(sosreport_t) + + files_getattr_all_sockets(sosreport_t) ++files_getattr_all_files(sosreport_t) ++files_getattr_all_pipes(sosreport_t) + files_exec_etc_files(sosreport_t) + files_list_all(sosreport_t) files_read_config_files(sosreport_t) files_read_generic_tmp_files(sosreport_t) files_read_non_auth_files(sosreport_t) @@ -97110,7 +93230,7 @@ index f2f507d..08a6332 100644 files_read_var_lib_files(sosreport_t) files_read_var_symlinks(sosreport_t) files_read_kernel_modules(sosreport_t) -@@ -92,30 +108,49 @@ files_manage_etc_runtime_files(sosreport_t) +@@ -79,27 +108,49 @@ files_manage_etc_runtime_files(sosreport_t) files_etc_filetrans_etc_runtime(sosreport_t, file) fs_getattr_all_fs(sosreport_t) @@ -97122,8 +93242,8 @@ index f2f507d..08a6332 100644 +term_getattr_pty_fs(sosreport_t) +term_getattr_all_ptys(sosreport_t) - term_use_generic_ptys(sosreport_t) - ++term_use_generic_ptys(sosreport_t) ++ +# some config files do not have configfile attribute +# sosreport needs to read various files on system +files_read_non_security_files(sosreport_t) @@ -97150,7 +93270,7 @@ index f2f507d..08a6332 100644 optional_policy(` abrt_manage_pid_files(sosreport_t) abrt_manage_cache(sosreport_t) - abrt_stream_connect(sosreport_t) ++ abrt_stream_connect(sosreport_t) + abrt_signal(sosreport_t) +') + 
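Review bot: `++dev_rw_generic_usb_dev(sosreport_t)` in the new inner hunk `+@@ -58,6 +82,10 @@` is now a grant the patch itself adds rather than inherited context, and like the `files_getattr_all_files`/`files_getattr_all_pipes` additions in the next hunk (`@@ -97110,7 +93230,7 @@`) it carries no rationale, whereas a later hunk of the same file already documents a broad grant with `# some config files do not have configfile attribute`. Follow that precedent with a why-comment such as `# sosreport enumerates USB devices; TODO confirm writes to the device nodes are actually needed`, and if the collector only reads device nodes prefer the narrower read-only devices interface where this tree provides one. These are top-level .te statements; sosreport_t's other rules sit outside these hunks.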
@@ -97163,7 +93283,7 @@ index f2f507d..08a6332 100644 ') optional_policy(` -@@ -127,6 +162,16 @@ optional_policy(` +@@ -111,6 +162,16 @@ optional_policy(` ') optional_policy(` @@ -97180,7 +93300,7 @@ index f2f507d..08a6332 100644 fstools_domtrans(sosreport_t) ') -@@ -136,6 +181,10 @@ optional_policy(` +@@ -120,6 +181,10 @@ optional_policy(` optional_policy(` hal_dbus_chat(sosreport_t) ') @@ -97191,7 +93311,7 @@ index f2f507d..08a6332 100644 ') optional_policy(` -@@ -147,15 +196,40 @@ optional_policy(` +@@ -131,15 +196,40 @@ optional_policy(` ') optional_policy(` @@ -97255,15 +93375,9 @@ index a5abc5a..b9eff74 100644 domain_system_change_exemption($1) role_transition $2 soundd_initrc_exec_t system_r; diff --git a/soundserver.te b/soundserver.te -index 0919e0c..b6c0d16 100644 +index db1bc6f..b6c0d16 100644 --- a/soundserver.te +++ b/soundserver.te -@@ -1,4 +1,4 @@ --policy_module(soundserver, 1.9.0) -+policy_module(soundserver, 1.8.1) - - ######################################## - # @@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(soundd_t) kernel_list_proc(soundd_t) kernel_read_proc_symlinks(soundd_t) @@ -97809,16 +93923,16 @@ index 1499b0b..6950cab 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..e8531d9 100644 +index 4faa7e0..e8531d9 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -1,4 +1,4 @@ --policy_module(spamassassin, 2.6.1) +-policy_module(spamassassin, 2.5.8) +policy_module(spamassassin, 2.5.0) ######################################## # -@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1) +@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.5.8) ## ##

@@ -98253,29 +94367,29 @@ index cc58e35..e8531d9 100644 ') optional_policy(` -- mta_send_mail(spamc_t) -- mta_read_config(spamc_t) -- mta_read_queue(spamc_t) ++ postfix_domtrans_postdrop(spamc_t) ++ postfix_search_spool(spamc_t) ++ postfix_rw_local_pipes(spamc_t) ++ postfix_rw_inherited_master_pipes(spamc_t) ++') ++ ++optional_policy(` + mta_send_mail(spamc_t) + mta_read_config(spamc_t) + mta_read_queue(spamc_t) - sendmail_rw_pipes(spamc_t) -- sendmail_stub(spamc_t) + sendmail_stub(spamc_t) -') - -optional_policy(` - postfix_domtrans_postdrop(spamc_t) - postfix_search_spool(spamc_t) - postfix_rw_local_pipes(spamc_t) - postfix_rw_inherited_master_pipes(spamc_t) - ') - -+optional_policy(` -+ mta_send_mail(spamc_t) -+ mta_read_config(spamc_t) -+ mta_read_queue(spamc_t) -+ sendmail_stub(spamc_t) +- postfix_domtrans_postdrop(spamc_t) +- postfix_search_spool(spamc_t) +- postfix_rw_local_pipes(spamc_t) +- postfix_rw_master_pipes(spamc_t) + sendmail_rw_pipes(spamc_t) + sendmail_dontaudit_rw_tcp_sockets(spamc_t) -+') -+ + ') + ######################################## # -# Daemon local policy @@ -98811,15 +94925,9 @@ index 0000000..931fa6c +dev_read_urand(speech-dispatcher_t) + diff --git a/speedtouch.te b/speedtouch.te -index b38b8b1..388ce0a 100644 +index 9025dbd..388ce0a 100644 --- a/speedtouch.te +++ b/speedtouch.te -@@ -1,4 +1,4 @@ --policy_module(speedtouch, 1.5.0) -+policy_module(speedtouch, 1.4.1) - - ####################################### - # @@ -39,16 +39,12 @@ dev_read_usbfs(speedmgmt_t) domain_use_interactive_fds(speedmgmt_t) @@ -98907,15 +95015,9 @@ index 5e1f053..e7820bc 100644 domain_system_change_exemption($1) role_transition $2 squid_initrc_exec_t system_r; diff --git a/squid.te b/squid.te -index 03472ed..d892e00 100644 +index 221c560..d892e00 100644 --- a/squid.te +++ b/squid.te -@@ -1,4 +1,4 @@ --policy_module(squid, 1.12.1) -+policy_module(squid, 1.11.2) - - ######################################## - # 
@@ -29,7 +29,7 @@ type squid_cache_t; files_type(squid_cache_t) @@ -98950,7 +95052,14 @@ index 03472ed..d892e00 100644 ######################################## # # Local policy -@@ -78,14 +85,16 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t) +@@ -74,20 +81,20 @@ allow squid_t squid_conf_t:file read_file_perms; + allow squid_t squid_conf_t:lnk_file read_lnk_file_perms; + + manage_dirs_pattern(squid_t, squid_log_t, squid_log_t) +-append_files_pattern(squid_t, squid_log_t, squid_log_t) +-create_files_pattern(squid_t, squid_log_t, squid_log_t) +-setattr_files_pattern(squid_t, squid_log_t, squid_log_t) ++manage_files_pattern(squid_t, squid_log_t, squid_log_t) manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t) logging_log_filetrans(squid_t, squid_log_t, { file dir }) @@ -98970,7 +95079,7 @@ index 03472ed..d892e00 100644 files_pid_filetrans(squid_t, squid_var_run_t, file) can_exec(squid_t, squid_exec_t) -@@ -94,7 +103,6 @@ kernel_read_kernel_sysctls(squid_t) +@@ -96,7 +103,6 @@ kernel_read_kernel_sysctls(squid_t) kernel_read_system_state(squid_t) kernel_read_network_state(squid_t) @@ -98978,7 +95087,7 @@ index 03472ed..d892e00 100644 corenet_all_recvfrom_netlabel(squid_t) corenet_tcp_sendrecv_generic_if(squid_t) corenet_udp_sendrecv_generic_if(squid_t) -@@ -132,6 +140,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t) +@@ -134,6 +140,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t) corenet_udp_sendrecv_gopher_port(squid_t) corenet_sendrecv_squid_server_packets(squid_t) @@ -98986,7 +95095,7 @@ index 03472ed..d892e00 100644 corenet_tcp_bind_squid_port(squid_t) corenet_udp_bind_squid_port(squid_t) corenet_tcp_sendrecv_squid_port(squid_t) -@@ -154,7 +163,6 @@ dev_read_urand(squid_t) +@@ -156,7 +163,6 @@ dev_read_urand(squid_t) domain_use_interactive_fds(squid_t) files_read_etc_runtime_files(squid_t) 
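Review bot: The new side of the squid_log_t block has the patch remove the base's `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` rules and replace them with `manage_files_pattern(squid_t, squid_log_t, squid_log_t)`, which additionally grants write, unlink and rename on the log files. Append-only log access is a deliberate tamper-resistance control; with the wider grant a compromised squid_t can truncate or delete its own access and cache logs. If squid needs in-process rotation or truncation on this distribution, state that next to the rule, `# squid rotates/truncates its own logs (squid -k rotate)`; otherwise keep the three narrower base rules. The squid_t local policy block continues outside this hunk.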
@@ -98994,7 +95103,7 @@ index 03472ed..d892e00 100644 files_search_spool(squid_t) files_dontaudit_getattr_tmp_dirs(squid_t) files_getattr_home_dir(squid_t) -@@ -176,7 +184,6 @@ libs_exec_lib_files(squid_t) +@@ -178,7 +184,6 @@ libs_exec_lib_files(squid_t) logging_send_syslog_msg(squid_t) miscfiles_read_generic_certs(squid_t) @@ -99002,7 +95111,7 @@ index 03472ed..d892e00 100644 userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) -@@ -198,6 +205,8 @@ tunable_policy(`squid_use_tproxy',` +@@ -200,6 +205,8 @@ tunable_policy(`squid_use_tproxy',` optional_policy(` apache_content_template(squid) @@ -99011,7 +95120,7 @@ index 03472ed..d892e00 100644 corenet_all_recvfrom_unlabeled(httpd_squid_script_t) corenet_all_recvfrom_netlabel(httpd_squid_script_t) corenet_tcp_sendrecv_generic_if(httpd_squid_script_t) -@@ -207,18 +216,18 @@ optional_policy(` +@@ -209,18 +216,18 @@ optional_policy(` corenet_tcp_connect_http_cache_port(httpd_squid_script_t) corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t) @@ -99037,7 +95146,7 @@ index 03472ed..d892e00 100644 ') optional_policy(` -@@ -236,3 +245,24 @@ optional_policy(` +@@ -238,3 +245,24 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') @@ -99485,11 +95594,11 @@ index a240455..3dd6f00 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..b400fb6 100644 +index 8b537aa..b400fb6 100644 --- a/sssd.te +++ b/sssd.te @@ -1,4 +1,4 @@ --policy_module(sssd, 1.2.0) +-policy_module(sssd, 1.1.4) +policy_module(sssd, 1.1.0) ######################################## @@ -99907,15 +96016,9 @@ index 0000000..337d201 +') + diff --git a/stunnel.te b/stunnel.te -index 27a8480..47f1802 100644 +index 9992e62..47f1802 100644 --- a/stunnel.te +++ b/stunnel.te -@@ -1,4 +1,4 @@ --policy_module(stunnel, 1.11.0) -+policy_module(stunnel, 1.10.2) - - ######################################## - # @@ -48,7 +48,6 @@ kernel_read_network_state(stunnel_t) corecmd_exec_bin(stunnel_t) 
@@ -100098,15 +96201,9 @@ index 2ac91b6..dd2ac36 100644 ') + diff --git a/svnserve.te b/svnserve.te -index 49d688d..84cdcac 100644 +index c6aaac7..84cdcac 100644 --- a/svnserve.te +++ b/svnserve.te -@@ -1,4 +1,4 @@ --policy_module(svnserve, 1.1.0) -+policy_module(svnserve, 1.0.2) - - ######################################## - # @@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t) type svnserve_initrc_exec_t; init_script_file(svnserve_initrc_exec_t) @@ -100544,15 +96641,9 @@ index 0000000..6e39c4f + + diff --git a/sxid.te b/sxid.te -index 01a9d0a..1973f71 100644 +index c9824cb..1973f71 100644 --- a/sxid.te +++ b/sxid.te -@@ -1,4 +1,4 @@ --policy_module(sxid, 1.8.0) -+policy_module(sxid, 1.7.1) - - ######################################## - # @@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t) corecmd_exec_bin(sxid_t) corecmd_exec_shell(sxid_t) @@ -100580,15 +96671,9 @@ index 01a9d0a..1973f71 100644 userdom_dontaudit_use_unpriv_user_fds(sxid_t) diff --git a/sysstat.te b/sysstat.te -index b92f677..c81d332 100644 +index c8b80b2..c81d332 100644 --- a/sysstat.te +++ b/sysstat.te -@@ -1,4 +1,4 @@ --policy_module(sysstat, 1.8.0) -+policy_module(sysstat, 1.7.1) - - ######################################## - # @@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co allow sysstat_t self:fifo_file rw_fifo_file_perms; @@ -100706,11 +96791,11 @@ index c755e2d..0000000 -') diff --git a/systemtap.te b/systemtap.te deleted file mode 100644 -index ffde368..0000000 +index 6c06a84..0000000 --- a/systemtap.te +++ /dev/null @@ -1,101 +0,0 @@ --policy_module(systemtap, 1.1.0) +-policy_module(systemtap, 1.0.2) - -######################################## -# @@ -100812,15 +96897,9 @@ index ffde368..0000000 - rpm_exec(stapserver_t) -') diff --git a/tcpd.te b/tcpd.te -index 2d6d2c2..1e1a075 100644 +index f388db3..1e1a075 100644 --- a/tcpd.te 
+++ b/tcpd.te -@@ -1,4 +1,4 @@ --policy_module(tcpd, 1.5.0) -+policy_module(tcpd, 1.4.1) - - ######################################## - # @@ -23,7 +23,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir }) @@ -100846,17 +96925,6 @@ index 2d6d2c2..1e1a075 100644 sysnet_read_config(tcpd_t) inetd_domtrans_child(tcpd_t) -diff --git a/tcsd.fc b/tcsd.fc -index c2c2636..a38b954 100644 ---- a/tcsd.fc -+++ b/tcsd.fc -@@ -1,4 +1,5 @@ --/etc/rc\.d/init\.d/(tcsd|trousers) -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/tcsd -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/trousers -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0) - - /usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0) - diff --git a/tcsd.if b/tcsd.if index b42ec1d..91b8f71 100644 --- a/tcsd.if @@ -100875,16 +96943,10 @@ index b42ec1d..91b8f71 100644 tcsd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/tcsd.te b/tcsd.te -index b26d44a..14da480 100644 +index ac8213a..14da480 100644 --- a/tcsd.te +++ b/tcsd.te -@@ -1,4 +1,4 @@ --policy_module(tcsd, 1.1.1) -+policy_module(tcsd, 1.0.3) - - ######################################## - # -@@ -41,12 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t) +@@ -41,10 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t) dev_read_urand(tcsd_t) dev_rw_tpm(tcsd_t) @@ -100892,20 +96954,19 @@ index b26d44a..14da480 100644 - auth_use_nsswitch(tcsd_t) - init_read_utmp(tcsd_t) +-logging_send_syslog_msg(tcsd_t) ++init_read_utmp(tcsd_t) - logging_send_syslog_msg(tcsd_t) -- -miscfiles_read_localization(tcsd_t) ++logging_send_syslog_msg(tcsd_t) diff --git a/telepathy.fc b/telepathy.fc -index 6c7f8f8..03fc880 100644 +index c7de0cf..03fc880 100644 --- a/telepathy.fc 
+++ b/telepathy.fc -@@ -1,35 +1,23 @@ +@@ -1,34 +1,23 @@ -HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0) +HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0) --HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) -HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0) -HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0) @@ -101374,11 +97435,11 @@ index 42946bc..9f70e4c 100644 + can_exec($1, telepathy_executable) ') diff --git a/telepathy.te b/telepathy.te -index 9afcbc9..5a41683 100644 +index e9c0964..5a41683 100644 --- a/telepathy.te +++ b/telepathy.te @@ -1,29 +1,28 @@ --policy_module(telepathy, 1.4.2) +-policy_module(telepathy, 1.3.5) +policy_module(telepathy, 1.3.0) ######################################## @@ -101417,7 +97478,7 @@ index 9afcbc9..5a41683 100644 telepathy_domain_template(gabble) -@@ -67,179 +66,147 @@ userdom_user_home_content(telepathy_sunshine_home_t) +@@ -67,176 +66,147 @@ userdom_user_home_content(telepathy_sunshine_home_t) ####################################### # 
@@ -101488,14 +97549,14 @@ index 9afcbc9..5a41683 100644 - corenet_sendrecv_generic_client_packets(telepathy_gabble_t) corenet_tcp_connect_generic_port(telepathy_gabble_t) - corenet_tcp_sendrecv_generic_port(telepathy_gabble_t) --') -- --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(telepathy_gabble_t) -- fs_manage_nfs_files(telepathy_gabble_t) + corenet_sendrecv_generic_client_packets(telepathy_gabble_t) ') +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(telepathy_gabble_t) +- fs_manage_nfs_files(telepathy_gabble_t) +-') +- -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_gabble_t) - fs_manage_cifs_files(telepathy_gabble_t) 
@@ -101610,19 +97671,16 @@ index 9afcbc9..5a41683 100644 +userdom_search_user_home_dirs(telepathy_mission_control_t) -manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) --manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) --filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") +manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) +manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) - --manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) --# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections") ++ +manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t }) -+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) + manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) +-filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") +filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file }) --manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) --manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) +-manage_files_pattern(telepathy_mission_control_t, 
telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) +-# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections") +optional_policy(` + gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir) + gnome_manage_home_config(telepathy_mission_control_t) @@ -101648,7 +97706,7 @@ index 9afcbc9..5a41683 100644 optional_policy(` dbus_system_bus_client(telepathy_mission_control_t) -@@ -248,59 +215,51 @@ optional_policy(` +@@ -245,59 +215,51 @@ optional_policy(` devicekit_dbus_chat_power(telepathy_mission_control_t) ') optional_policy(` @@ -101723,7 +97781,7 @@ index 9afcbc9..5a41683 100644 init_read_state(telepathy_msn_t) -@@ -310,18 +269,19 @@ logging_send_syslog_msg(telepathy_msn_t) +@@ -307,18 +269,19 @@ logging_send_syslog_msg(telepathy_msn_t) miscfiles_read_all_certs(telepathy_msn_t) @@ -101748,7 +97806,7 @@ index 9afcbc9..5a41683 100644 ') optional_policy(` -@@ -332,43 +292,33 @@ optional_policy(` +@@ -329,43 +292,33 @@ optional_policy(` ') ') @@ -101797,7 +97855,7 @@ index 9afcbc9..5a41683 100644 ') optional_policy(` -@@ -381,73 +331,53 @@ optional_policy(` +@@ -378,73 +331,53 @@ optional_policy(` ####################################### # @@ -101881,7 +97939,7 @@ index 9afcbc9..5a41683 100644 optional_policy(` xserver_read_xdm_pid(telepathy_sunshine_t) xserver_stream_connect(telepathy_sunshine_t) -@@ -455,31 +385,49 @@ optional_policy(` +@@ -452,31 +385,49 @@ optional_policy(` ####################################### # @@ -101939,45 +97997,21 @@ index 9afcbc9..5a41683 100644 ') + diff --git a/telnet.te b/telnet.te -index d7c8633..1bdef51 100644 +index 9f89916..1bdef51 100644 --- a/telnet.te 
+++ b/telnet.te -@@ -1,4 +1,4 @@ --policy_module(telnet, 1.11.3) -+policy_module(telnet, 1.10.2) - - ######################################## - # -@@ -8,14 +8,10 @@ policy_module(telnet, 1.11.3) - type telnetd_t; - type telnetd_exec_t; - inetd_service_domain(telnetd_t, telnetd_exec_t) --init_daemon_domain(telnetd_t, telnetd_exec_t) - - type telnetd_devpts_t; - term_login_pty(telnetd_devpts_t) - --type telnetd_keytab_t; --files_type(telnetd_keytab_t) -- - type telnetd_tmp_t; - files_tmp_file(telnetd_tmp_t) - -@@ -30,16 +26,17 @@ files_pid_file(telnetd_var_run_t) +@@ -26,13 +26,17 @@ files_pid_file(telnetd_var_run_t) allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; allow telnetd_t self:process signal_perms; allow telnetd_t self:fifo_file rw_fifo_file_perms; --allow telnetd_t self:tcp_socket { accept listen }; +allow telnetd_t self:tcp_socket connected_stream_socket_perms; +allow telnetd_t self:udp_socket create_socket_perms; +# for identd; cjp: this should probably only be inetd_child rules? +allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; --term_create_pty(telnetd_t, telnetd_devpts_t) - --allow telnetd_t telnetd_keytab_t:file read_file_perms; -+term_create_pty(telnetd_t, telnetd_devpts_t) ++ + term_create_pty(telnetd_t, telnetd_devpts_t) manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) 
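Review bot: The new side carries `allow telnetd_t self:udp_socket create_socket_perms;` and `allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;` forward under the comment `# for identd; cjp: this should probably only be inetd_child rules?`, so the open question in that comment survives the rebase unresolved. A telnet listener presumably has no need to create UDP sockets or query socket diagnostics itself; if these exist only for an identd lookup performed by the inetd-spawned child, they belong in the inetd child's policy, and if telnetd_t genuinely needs them the comment should say why rather than ask. At minimum rewrite the comment as a tracked item, `# identd lookup; TODO: move to inetd_child rules once confirmed`. The telnetd_t local policy block continues outside this hunk.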
@@ -101985,26 +98019,23 @@ index d7c8633..1bdef51 100644 manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t) files_pid_filetrans(telnetd_t, telnetd_var_run_t, file) -@@ -48,14 +45,14 @@ kernel_read_kernel_sysctls(telnetd_t) +@@ -41,7 +45,6 @@ kernel_read_kernel_sysctls(telnetd_t) kernel_read_system_state(telnetd_t) kernel_read_network_state(telnetd_t) -corenet_all_recvfrom_unlabeled(telnetd_t) corenet_all_recvfrom_netlabel(telnetd_t) corenet_tcp_sendrecv_generic_if(telnetd_t) -+corenet_udp_sendrecv_generic_if(telnetd_t) - corenet_tcp_sendrecv_generic_node(telnetd_t) -- --corenet_sendrecv_telnetd_server_packets(telnetd_t) -+corenet_udp_sendrecv_generic_node(telnetd_t) -+corenet_tcp_sendrecv_all_ports(telnetd_t) -+corenet_udp_sendrecv_all_ports(telnetd_t) - corenet_tcp_bind_telnetd_port(telnetd_t) --corenet_tcp_sendrecv_telnetd_port(telnetd_t) + corenet_udp_sendrecv_generic_if(telnetd_t) +@@ -49,6 +52,7 @@ corenet_tcp_sendrecv_generic_node(telnetd_t) + corenet_udp_sendrecv_generic_node(telnetd_t) + corenet_tcp_sendrecv_all_ports(telnetd_t) + corenet_udp_sendrecv_all_ports(telnetd_t) ++corenet_tcp_bind_telnetd_port(telnetd_t) corecmd_search_bin(telnetd_t) -@@ -63,7 +60,6 @@ dev_read_urand(telnetd_t) +@@ -56,7 +60,6 @@ dev_read_urand(telnetd_t) domain_interactive_fd(telnetd_t) @@ -102012,7 +98043,7 @@ index d7c8633..1bdef51 100644 files_read_etc_runtime_files(telnetd_t) files_search_home(telnetd_t) -@@ -76,12 +72,12 @@ init_rw_utmp(telnetd_t) +@@ -69,12 +72,12 @@ init_rw_utmp(telnetd_t) logging_send_syslog_msg(telnetd_t) 
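Review bot: The added `corenet_tcp_bind_telnetd_port(telnetd_t)` scopes the bind correctly, but the retained `corenet_tcp_sendrecv_all_ports(telnetd_t)` and `corenet_udp_sendrecv_all_ports(telnetd_t)` still permit traffic on every labeled port, far wider than a single listener needs. Unless telnetd_t is also relied on as a generic inetd child here (the UDP rule hints at that), `corenet_tcp_sendrecv_telnetd_port(telnetd_t)` — an interface the old side of this hunk shows exists — would match the new bind rule, and the UDP sendrecv line could be dropped. The removal of `corenet_all_recvfrom_unlabeled(telnetd_t)` in the same hunk is unaffected. The telnetd_t network rules continue outside this hunk.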
@@ -102027,25 +98058,21 @@ index d7c8633..1bdef51 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_nfs(telnetd_t) -@@ -92,10 +88,9 @@ tunable_policy(`use_samba_home_dirs',` - ') +@@ -86,7 +89,7 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` -- kerberos_read_keytab(telnetd_t) + kerberos_keytab_template(telnetd, telnetd_t) - kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0") -+ kerberos_keytab_template(telnetd, telnetd_t) + kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0") kerberos_manage_host_rcache(telnetd_t) -- kerberos_use(telnetd_t) ') - optional_policy(` diff --git a/tftp.fc b/tftp.fc -index 3dd87da..621f343 100644 +index 93a5bf4..621f343 100644 --- a/tftp.fc +++ b/tftp.fc @@ -1,9 +1,9 @@ --/etc/(x)?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0) +-/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0) +/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_etc_t,s0) /usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) @@ -102295,16 +98322,16 @@ index 9957e30..cf0b925 100644 + tftp_manage_config($1) ') diff --git a/tftp.te b/tftp.te -index cfaa2a1..a3b440c 100644 +index f455e70..a3b440c 100644 --- a/tftp.te +++ b/tftp.te @@ -1,4 +1,4 @@ --policy_module(tftp, 1.13.0) +-policy_module(tftp, 1.12.4) +policy_module(tftp, 1.12.0) ######################################## # -@@ -6,30 +6,24 @@ policy_module(tftp, 1.13.0) +@@ -6,30 +6,24 @@ policy_module(tftp, 1.12.4) # ## @@ -102497,15 +98524,9 @@ index 5406b6e..dc5b46e 100644 admin_pattern($1, tgtd_tmpfs_t) ') diff --git a/tgtd.te b/tgtd.te -index d010963..704a0e2 100644 +index c93c973..704a0e2 100644 --- a/tgtd.te +++ b/tgtd.te -@@ -1,4 +1,4 @@ --policy_module(tgtd, 1.3.1) -+policy_module(tgtd, 1.2.3) - - ######################################## - # @@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t) # Local policy # 
@@ -102515,7 +98536,7 @@ index d010963..704a0e2 100644 allow tgtd_t self:capability2 block_suspend; allow tgtd_t self:process { setrlimit signal }; allow tgtd_t self:fifo_file rw_fifo_file_perms; -@@ -56,32 +56,30 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file }) +@@ -56,29 +56,30 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file }) kernel_read_system_state(tgtd_t) kernel_read_fs_sysctls(tgtd_t) @@ -102529,11 +98550,8 @@ index d010963..704a0e2 100644 corenet_sendrecv_iscsi_server_packets(tgtd_t) corenet_tcp_bind_iscsi_port(tgtd_t) --corenet_tcp_sendrecv_iscsi_port(tgtd_t) -- --corenet_sendrecv_iscsi_client_packets(tgtd_t) - corenet_tcp_connect_isns_port(tgtd_t) -+corenet_tcp_sendrecv_iscsi_port(tgtd_t) ++corenet_tcp_connect_isns_port(tgtd_t) + corenet_tcp_sendrecv_iscsi_port(tgtd_t) dev_read_sysfs(tgtd_t) @@ -103091,15 +99109,9 @@ index 0000000..dd6ba2c + corenet_dontaudit_udp_bind_generic_node(thumb_t) +') diff --git a/thunderbird.te b/thunderbird.te -index 5e867da..fc265b8 100644 +index 4257ede..fc265b8 100644 --- a/thunderbird.te +++ b/thunderbird.te -@@ -1,4 +1,4 @@ --policy_module(thunderbird, 2.4.0) -+policy_module(thunderbird, 2.3.4) - - ######################################## - # @@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t) corecmd_exec_shell(thunderbird_t) @@ -103152,15 +99164,9 @@ index 5e867da..fc265b8 100644 ifndef(`enable_mls',` fs_search_removable(thunderbird_t) diff --git a/timidity.te b/timidity.te -index 97cd155..a1ef2d2 100644 +index 67ca5c5..a1ef2d2 100644 --- a/timidity.te +++ b/timidity.te -@@ -1,4 +1,4 @@ --policy_module(timidity, 1.10.0) -+policy_module(timidity, 1.9.1) - - ######################################## - # @@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f kernel_read_kernel_sysctls(timidity_t) kernel_read_system_state(timidity_t) 
@@ -103178,29 +99184,11 @@ index 97cd155..a1ef2d2 100644 files_search_tmp(timidity_t) fs_search_auto_mountpoints(timidity_t) -diff --git a/tmpreaper.fc b/tmpreaper.fc -index d19a6cf..ed08c94 100644 ---- a/tmpreaper.fc -+++ b/tmpreaper.fc -@@ -1,5 +1,5 @@ --/etc/rc\.d/init\.d/mountall-bootclean\.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) --/etc/rc\.d/init\.d/mountnfs-bootclean\.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) -+/etc/rc\.d/init\.d/mountall-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) -+/etc/rc\.d/init\.d/mountnfs-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) - - /usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) - /usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) diff --git a/tmpreaper.te b/tmpreaper.te -index 585a77f..9ae28c6 100644 +index a4a949c..9ae28c6 100644 --- a/tmpreaper.te +++ b/tmpreaper.te -@@ -1,4 +1,4 @@ --policy_module(tmpreaper, 1.7.1) -+policy_module(tmpreaper, 1.6.3) - - ######################################## - # -@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.7.1) +@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3) type tmpreaper_t; type tmpreaper_exec_t; init_system_domain(tmpreaper_t, tmpreaper_exec_t) @@ -103208,11 +99196,7 @@ index 585a77f..9ae28c6 100644 ######################################## # -@@ -15,48 +16,45 @@ init_system_domain(tmpreaper_t, tmpreaper_exec_t) - # - - allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; --allow tmpreaper_t self:fifo_file rw_fifo_file_perms; +@@ -18,20 +19,25 @@ allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; kernel_list_unlabeled(tmpreaper_t) kernel_read_system_state(tmpreaper_t) @@ -103220,9 +99204,6 @@ index 585a77f..9ae28c6 100644 dev_read_urand(tmpreaper_t) --corecmd_exec_bin(tmpreaper_t) --corecmd_exec_shell(tmpreaper_t) -- fs_getattr_xattr_fs(tmpreaper_t) fs_list_all(tmpreaper_t) +fs_setattr_tmpfs_dirs(tmpreaper_t) 
@@ -103245,19 +99226,13 @@ index 585a77f..9ae28c6 100644 mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) - auth_use_nsswitch(tmpreaper_t) +@@ -39,14 +45,16 @@ auth_use_nsswitch(tmpreaper_t) --init_use_inherited_script_ptys(tmpreaper_t) -- logging_send_syslog_msg(tmpreaper_t) -miscfiles_read_localization(tmpreaper_t) miscfiles_delete_man_pages(tmpreaper_t) --ifdef(`distro_debian',` -- term_dontaudit_use_unallocated_ttys(tmpreaper_t) --') -- ifdef(`distro_redhat',` - userdom_list_all_user_home_content(tmpreaper_t) + userdom_list_user_home_content(tmpreaper_t) @@ -103270,7 +99245,7 @@ index 585a77f..9ae28c6 100644 ') optional_policy(` -@@ -64,6 +62,7 @@ optional_policy(` +@@ -54,6 +62,7 @@ optional_policy(` ') optional_policy(` @@ -103278,7 +99253,7 @@ index 585a77f..9ae28c6 100644 apache_list_cache(tmpreaper_t) apache_delete_cache_dirs(tmpreaper_t) apache_delete_cache_files(tmpreaper_t) -@@ -79,11 +78,19 @@ optional_policy(` +@@ -69,7 +78,19 @@ optional_policy(` ') optional_policy(` @@ -103288,10 +99263,9 @@ index 585a77f..9ae28c6 100644 + +optional_policy(` + mandb_delete_cache(tmpreaper_t) - ') - - optional_policy(` -- plymouthd_exec_plymouth(tmpreaper_t) ++') ++ ++optional_policy(` + sandbox_list(tmpreaper_t) + sandbox_delete_dirs(tmpreaper_t) + sandbox_delete_files(tmpreaper_t) @@ -103794,14 +99768,11 @@ index 0000000..5a263b2 + tomcat_search_lib(tomcat_domain) +') diff --git a/tor.fc b/tor.fc -index dce42ec..ac02092 100644 +index 6b9d449..ac02092 100644 --- a/tor.fc +++ b/tor.fc -@@ -3,8 +3,11 @@ - /etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0) +@@ -6,6 +6,8 @@ - /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) -+ /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) +/usr/lib/systemd/system/tor.* -- gen_context(system_u:object_r:tor_unit_file_t,s0) @@ -103879,16 +99850,10 @@ index 61c2e07..5e1df41 100644 + ') ') 
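Review bot: The tor.fc entry `/usr/lib/systemd/system/tor.*` uses an unescaped `.` followed by `*`, so it matches any unit whose name merely starts with `tor` (a `tor-something.service`, or a hypothetical `torque.service`), labeling it tor_unit_file_t and exposing it to whatever rules the policy grants over that type. The init-script entry in the same file escapes its dots (`/etc/rc\.d/init\.d/tor`), so this looks like an oversight rather than intent. Suggested line: `/usr/lib/systemd/system/tor\.service -- gen_context(system_u:object_r:tor_unit_file_t,s0)`, widened to `tor(@[^/]*)?\.service` only if templated tor instances are expected.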
diff --git a/tor.te b/tor.te -index 5ceacde..ea77295 100644 +index 964a395..ea77295 100644 --- a/tor.te +++ b/tor.te -@@ -1,4 +1,4 @@ --policy_module(tor, 1.9.0) -+policy_module(tor, 1.8.4) - - ######################################## - # -@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0) +@@ -13,6 +13,13 @@ policy_module(tor, 1.8.4) ## gen_tunable(tor_bind_all_unreserved_ports, false) @@ -103955,15 +99920,9 @@ index 5ceacde..ea77295 100644 seutil_sigchld_newrole(tor_t) ') diff --git a/transproxy.te b/transproxy.te -index 34973ee..494a46d 100644 +index 20d1a28..494a46d 100644 --- a/transproxy.te +++ b/transproxy.te -@@ -1,4 +1,4 @@ --policy_module(transproxy, 1.8.0) -+policy_module(transproxy, 1.7.1) - - ######################################## - # @@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(transproxy_t) kernel_list_proc(transproxy_t) kernel_read_proc_symlinks(transproxy_t) @@ -103989,15 +99948,9 @@ index 34973ee..494a46d 100644 userdom_dontaudit_use_unpriv_user_fds(transproxy_t) diff --git a/tripwire.te b/tripwire.te -index 03aa6b7..2c989b4 100644 +index 2e1110d..2c989b4 100644 --- a/tripwire.te +++ b/tripwire.te -@@ -1,4 +1,4 @@ --policy_module(tripwire, 1.3.0) -+policy_module(tripwire, 1.2.1) - - ######################################## - # @@ -86,7 +86,7 @@ files_getattr_all_sockets(tripwire_t) logging_send_syslog_msg(tripwire_t) @@ -104037,18 +99990,6 @@ index 03aa6b7..2c989b4 100644 - -userdom_use_user_terminals(siggen_t) +userdom_use_inherited_user_terminals(siggen_t) -diff --git a/tuned.fc b/tuned.fc -index 956587a..23ba272 100644 ---- a/tuned.fc -+++ b/tuned.fc -@@ -1,6 +1,6 @@ - /etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0) - --/etc/tuned(/.*)? gen_context(system_u:object_r:tuned_etc_t,s0) -+/etc/tuned(/.)? gen_context(system_u:object_r:tuned_etc_t,s0) - /etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0) - - /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) 
diff --git a/tuned.if b/tuned.if index e29db63..061fb98 100644 --- a/tuned.if @@ -104069,15 +100010,9 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 393a330..3f42127 100644 +index 7116181..3f42127 100644 --- a/tuned.te +++ b/tuned.te -@@ -1,4 +1,4 @@ --policy_module(tuned, 1.2.0) -+policy_module(tuned, 1.1.4) - - ######################################## - # @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) type tuned_log_t; logging_log_file(tuned_log_t) @@ -104240,15 +100175,9 @@ index 1bb0f7c..372be2f 100644 ##

## Role access for tvtime diff --git a/tvtime.te b/tvtime.te -index afd2d6c..20099b0 100644 +index 3292fcc..20099b0 100644 --- a/tvtime.te +++ b/tvtime.te -@@ -1,4 +1,4 @@ --policy_module(tvtime, 2.3.0) -+policy_module(tvtime, 2.2.1) - - ######################################## - # @@ -42,7 +42,6 @@ allow tvtime_t self:unix_stream_socket rw_stream_socket_perms; manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) @@ -104292,15 +100221,9 @@ index afd2d6c..20099b0 100644 optional_policy(` xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t) diff --git a/tzdata.te b/tzdata.te -index 221c43b..9f86987 100644 +index aa6ae96..9f86987 100644 --- a/tzdata.te +++ b/tzdata.te -@@ -1,4 +1,4 @@ --policy_module(tzdata, 1.5.0) -+policy_module(tzdata, 1.4.1) - - ######################################## - # @@ -27,11 +27,10 @@ term_dontaudit_list_ptys(tzdata_t) locallogin_dontaudit_use_fds(tzdata_t) @@ -104315,15 +100238,9 @@ index 221c43b..9f86987 100644 optional_policy(` postfix_search_spool(tzdata_t) diff --git a/ucspitcp.te b/ucspitcp.te -index 7745b72..0fbc46e 100644 +index 5e365c2..0fbc46e 100644 --- a/ucspitcp.te +++ b/ucspitcp.te -@@ -1,4 +1,4 @@ --policy_module(ucspitcp, 1.4.0) -+policy_module(ucspitcp, 1.3.1) - - ######################################## - # @@ -33,7 +33,6 @@ corenet_udp_sendrecv_all_ports(rblsmtpd_t) corenet_tcp_bind_generic_node(rblsmtpd_t) corenet_udp_bind_generic_port(rblsmtpd_t) @@ -104358,22 +100275,14 @@ index 9b95c3e..a892845 100644 init_labeled_script_domtrans($1, ulogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/ulogd.te b/ulogd.te -index de35e5f..022c367 100644 +index c6acbbe..022c367 100644 --- a/ulogd.te 
+++ b/ulogd.te -@@ -1,4 +1,4 @@ --policy_module(ulogd, 1.3.0) -+policy_module(ulogd, 1.2.1) - - ######################################## - # -@@ -26,11 +26,13 @@ logging_log_file(ulogd_var_log_t) - # Local policy +@@ -27,10 +27,12 @@ logging_log_file(ulogd_var_log_t) # --allow ulogd_t self:capability { net_admin setuid setgid sys_nice }; + allow ulogd_t self:capability { net_admin sys_nice }; -allow ulogd_t self:process setsched; -+allow ulogd_t self:capability { net_admin sys_nice }; +allow ulogd_t self:process { setsched }; allow ulogd_t self:netlink_nflog_socket create_socket_perms; +allow ulogd_t self:netlink_route_socket r_netlink_socket_perms; @@ -104410,15 +100319,9 @@ index ab5c1d0..d13105e 100644 allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms }; diff --git a/uml.te b/uml.te -index b68bd49..423afe4 100644 +index dc03cc5..423afe4 100644 --- a/uml.te +++ b/uml.te -@@ -1,4 +1,4 @@ --policy_module(uml, 2.3.0) -+policy_module(uml, 2.2.1) - - ######################################## - # @@ -90,7 +90,6 @@ kernel_write_proc_files(uml_t) corecmd_exec_bin(uml_t) @@ -104463,15 +100366,9 @@ index b68bd49..423afe4 100644 userdom_dontaudit_search_user_home_dirs(uml_switch_t) diff --git a/updfstab.te b/updfstab.te -index 5ceb912..acbf304 100644 +index 2d871b8..acbf304 100644 --- a/updfstab.te +++ b/updfstab.te -@@ -1,4 +1,4 @@ --policy_module(updfstab, 1.6.0) -+policy_module(updfstab, 1.5.1) - - ######################################## - # @@ -66,8 +66,6 @@ init_use_script_ptys(updfstab_t) logging_search_logs(updfstab_t) logging_send_syslog_msg(updfstab_t) @@ -104507,15 +100404,9 @@ index 01a3234..19f4724 100644 ') diff --git a/uptime.te b/uptime.te -index 58397dc..8e5b35c 100644 +index 09741f6..8e5b35c 100644 --- a/uptime.te 
+++ b/uptime.te -@@ -1,4 +1,4 @@ --policy_module(uptime, 1.5.0) -+policy_module(uptime, 1.4.1) - - ######################################## - # @@ -16,7 +16,7 @@ type uptimed_initrc_exec_t; init_script_file(uptimed_initrc_exec_t) @@ -104535,15 +100426,9 @@ index 58397dc..8e5b35c 100644 userdom_dontaudit_search_user_home_dirs(uptimed_t) diff --git a/usbmodules.te b/usbmodules.te -index 279e511..3aa7952 100644 +index cb9b5bb..3aa7952 100644 --- a/usbmodules.te +++ b/usbmodules.te -@@ -1,4 +1,4 @@ --policy_module(usbmodules, 1.3.0) -+policy_module(usbmodules, 1.2.1) - - ######################################## - # @@ -24,8 +24,6 @@ files_list_kernel_modules(usbmodules_t) dev_list_usbfs(usbmodules_t) dev_rw_usbfs(usbmodules_t) @@ -104653,15 +100538,9 @@ index 1ec5e99..88e287d 100644 + allow $1 usbmuxd_unit_file_t:service all_service_perms; +') diff --git a/usbmuxd.te b/usbmuxd.te -index 34a8917..6a13ab8 100644 +index 8840be6..6a13ab8 100644 --- a/usbmuxd.te +++ b/usbmuxd.te -@@ -1,4 +1,4 @@ --policy_module(usbmuxd, 1.2.0) -+policy_module(usbmuxd, 1.1.1) - - ######################################## - # @@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles; type usbmuxd_t; @@ -104742,7 +100621,7 @@ index c416a83..cd83b89 100644 +/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) diff --git a/userhelper.if b/userhelper.if -index 98b51fd..cd80e83 100644 +index cf118fd..cd80e83 100644 --- a/userhelper.if +++ b/userhelper.if @@ -1,4 +1,4 @@ 
@@ -104805,46 +100684,52 @@ index 98b51fd..cd80e83 100644 + allow $1_userhelper_t self:unix_dgram_socket sendto; + allow $1_userhelper_t self:unix_stream_socket connectto; + allow $1_userhelper_t self:sock_file read_sock_file_perms; -+ + +- allow $1_consolehelper_t $3:unix_stream_socket connectto; + #Transition to the derived domain. + domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) -- allow $1_consolehelper_t $3:unix_stream_socket connectto; +- domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t) + allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms; + rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t) -- domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t) -+ can_exec($1_userhelper_t, userhelper_exec_t) - - allow $3 $1_consolehelper_t:process { ptrace signal_perms }; - ps_process_pattern($3, $1_consolehelper_t) -+ dontaudit $3 $1_userhelper_t:process signal; ++ can_exec($1_userhelper_t, userhelper_exec_t) - auth_use_pam($1_consolehelper_t) ++ dontaudit $3 $1_userhelper_t:process signal; + +- optional_policy(` +- dbus_connect_all_session_bus($1_consolehelper_t) + kernel_read_all_sysctls($1_userhelper_t) + kernel_getattr_debugfs($1_userhelper_t) + kernel_read_system_state($1_userhelper_t) -- optional_policy(` -- dbus_connect_all_session_bus($1_consolehelper_t) +- optional_policy(` +- userhelper_dbus_chat_all_consolehelper($3) +- ') +- ') + # Execute shells + corecmd_exec_shell($1_userhelper_t) + # By default, revert to the calling domain when a program is executed + corecmd_bin_domtrans($1_userhelper_t, $3) -- optional_policy(` -- userhelper_dbus_chat_all_consolehelper($3) -- ') -- ') +- ######################################## +- # +- # Userhelper local policy +- # + # Inherit descriptors from the current session. 
+ domain_use_interactive_fds($1_userhelper_t) + # for when the user types "exec userhelper" at the command line + domain_sigchld_interactive_fds($1_userhelper_t) -+ + +- domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) + dev_read_urand($1_userhelper_t) + # Read /dev directories and any symbolic links. + dev_list_all_dev_nodes($1_userhelper_t) -+ + +- dontaudit $3 $1_userhelper_t:process signal; + files_list_var_lib($1_userhelper_t) + # Read the /etc/security/default_type file + files_read_etc_files($1_userhelper_t) @@ -104853,7 +100738,8 @@ index 98b51fd..cd80e83 100644 + files_read_var_symlinks($1_userhelper_t) + # for some PAM modules and for cwd + files_search_home($1_userhelper_t) -+ + +- corecmd_bin_domtrans($1_userhelper_t, $3) + fs_search_auto_mountpoints($1_userhelper_t) + fs_read_nfs_files($1_userhelper_t) + fs_read_nfs_symlinks($1_userhelper_t) 
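Review bot: The regenerated userhelper_role_template hunk at @@ -104805 now interleaves the consolehelper removals with unrelated userhelper additions (for example `- allow $1_consolehelper_t $3:unix_stream_socket connectto;` lands between the `sock_file read_sock_file_perms` rule and the `#Transition to the derived domain.` comment, and the `- optional_policy(` / `dbus_connect_all_session_bus` block is split around `kernel_read_all_sysctls`), which makes the rebased patch noticeably harder to audit than the old grouping. The post-patch blob stays cd80e83 on both sides, so this is presentational only, but since this patch is the artifact reviewers read, regenerating it with `git diff --diff-algorithm=patience` would usually keep the moved block together. The enclosing template starts before this hunk and continues into @@ -104853 and @@ -104875.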
@@ -104875,33 +100761,24 @@ index 98b51fd..cd80e83 100644 + term_use_all_ttys($1_userhelper_t) + term_use_all_ptys($1_userhelper_t) -- ######################################## -- # -- # Userhelper local policy -- # -+ auth_domtrans_chk_passwd($1_userhelper_t) + auth_domtrans_chk_passwd($1_userhelper_t) + auth_manage_pam_pid($1_userhelper_t) + auth_manage_var_auth($1_userhelper_t) + auth_search_pam_console_data($1_userhelper_t) -+ auth_use_nsswitch($1_userhelper_t) + auth_use_nsswitch($1_userhelper_t) -- domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) + logging_send_syslog_msg($1_userhelper_t) - -- dontaudit $3 $1_userhelper_t:process signal; ++ + # Inherit descriptors from the current session. + init_use_fds($1_userhelper_t) + # Write to utmp. + init_manage_utmp($1_userhelper_t) + init_pid_filetrans_utmp($1_userhelper_t) - -- corecmd_bin_domtrans($1_userhelper_t, $3) - -- auth_domtrans_chk_passwd($1_userhelper_t) -- auth_use_nsswitch($1_userhelper_t) ++ ++ + seutil_read_config($1_userhelper_t) + seutil_read_default_contexts($1_userhelper_t) - ++ + # Allow $1_userhelper_t to transition to user domains. userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t) userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t) @@ -104982,14 +100859,14 @@ index 98b51fd..cd80e83 100644 ## ## ## -@@ -206,14 +263,82 @@ interface(`userhelper_exec',` +@@ -206,6 +263,93 @@ interface(`userhelper_exec',` type userhelper_exec_t; ') - corecmd_search_bin($1) can_exec($1, userhelper_exec_t) ') - ++ +####################################### +## +## The role template for the consolehelper module. 
@@ -105060,33 +100937,29 @@ index 98b51fd..cd80e83 100644 + ') +') + - ######################################## - ## --## Execute the consolehelper program --## in the caller domain. ++######################################## ++## +## Execute the consolehelper program in the caller domain. - ## - ## - ## -@@ -221,11 +346,10 @@ interface(`userhelper_exec',` - ## - ## - # --interface(`userhelper_exec_consolehelper',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userhelper_exec_console',` - gen_require(` - type consolehelper_exec_t; - ') - -- corecmd_search_bin($1) - can_exec($1, consolehelper_exec_t) - ') ++ gen_require(` ++ type consolehelper_exec_t; ++ ') ++ ++ can_exec($1, consolehelper_exec_t) ++') diff --git a/userhelper.te b/userhelper.te -index 42cfce0..cc18d6f 100644 +index 274ed9c..cc18d6f 100644 --- a/userhelper.te +++ b/userhelper.te @@ -1,15 +1,12 @@ --policy_module(userhelper, 1.8.1) +-policy_module(userhelper, 1.7.3) +policy_module(userhelper, 1.7.0) ######################################## @@ -105306,16 +101179,10 @@ index 7deec55..c542887 100644 ') diff --git a/usernetctl.te b/usernetctl.te -index f973af8..465c661 100644 +index dd3f01e..465c661 100644 --- a/usernetctl.te +++ b/usernetctl.te -@@ -1,4 +1,4 @@ --policy_module(usernetctl, 1.7.0) -+policy_module(usernetctl, 1.6.1) - - ######################################## - # -@@ -6,12 +6,12 @@ policy_module(usernetctl, 1.7.0) +@@ -6,12 +6,12 @@ policy_module(usernetctl, 1.6.1) # attribute_role usernetctl_roles; @@ -105406,15 +101273,9 @@ index af9acc0..cdaf82e 100644 admin_pattern($1, uucpd_log_t) diff --git a/uucp.te b/uucp.te -index 849f607..c09534e 100644 +index 380902c..c09534e 100644 --- a/uucp.te +++ b/uucp.te -@@ -1,4 +1,4 @@ --policy_module(uucp, 1.13.0) -+policy_module(uucp, 1.12.1) - - ######################################## - # @@ -31,7 +31,7 @@ type uucpd_ro_t; files_type(uucpd_ro_t) 
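Review bot: The userhelper.te header in this hunk now patches `-policy_module(userhelper, 1.7.3)` down to `+policy_module(userhelper, 1.7.0)`, so the patched module declares a version below the base it is applied to; the same pattern appears in the virt.te hunk at @@ -107879 (1.6.10 → 1.5.0), the vpn.te hunk at @@ -110625 (1.15.1 → 1.15.0) and the wm.te hunk at @@ -111677 (1.2.5 → 1.2.0). The post-patch blobs in the `index` lines (cc18d6f, 92d1a81, 38a4bf3, 20ce90b) are unchanged, so the effective policy should be identical to before; what moved is the base side, and the inner old-side versions going down (virt 1.7.4 → 1.6.10) suggest the patch was rebased onto an older base than it previously targeted, though that is inferred from the version strings only. If that is intended, a one-line note naming the base revision the patch now applies to would spare the next rebase the same archaeology; if not, the base checkout should be re-verified before this patch is regenerated.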
@@ -105513,15 +101374,9 @@ index 6e48653..6abf74a 100644 uuidd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/uuidd.te b/uuidd.te -index f8e52fc..2b332c5 100644 +index e670f55..2b332c5 100644 --- a/uuidd.te +++ b/uuidd.te -@@ -1,4 +1,4 @@ --policy_module(uuidd, 1.1.0) -+policy_module(uuidd, 1.0.1) - - ######################################## - # @@ -42,6 +42,4 @@ dev_read_urand(uuidd_t) domain_use_interactive_fds(uuidd_t) @@ -105529,25 +101384,10 @@ index f8e52fc..2b332c5 100644 -files_read_etc_files(uuidd_t) -miscfiles_read_localization(uuidd_t) -diff --git a/uwimap.fc b/uwimap.fc -index e85c4ae..3c504c6 100644 ---- a/uwimap.fc -+++ b/uwimap.fc -@@ -1,3 +1,3 @@ --/usr/sbin/imapd -- gen_context(system_u:object_r:imapd_exec_t,s0) -+/usr/sbin/imapd -- gen_context(system_u:object_r:imapd_exec_t,s0) - - /var/run/imapd\.pid -- gen_context(system_u:object_r:imapd_var_run_t,s0) diff --git a/uwimap.te b/uwimap.te -index acdc78a..d120c52 100644 +index b81e5c8..d120c52 100644 --- a/uwimap.te +++ b/uwimap.te -@@ -1,4 +1,4 @@ --policy_module(uwimap, 1.10.0) -+policy_module(uwimap, 1.9.3) - - ######################################## - # @@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t) kernel_list_proc(imapd_t) kernel_read_proc_symlinks(imapd_t) @@ -105662,15 +101502,9 @@ index 9d4d8cb..1189323 100644 tunable_policy(`varnishd_connect_any',` corenet_sendrecv_all_client_packets(varnishd_t) diff --git a/vbetool.te b/vbetool.te -index 2a61f75..b33d259 100644 +index 14e1eec..b33d259 100644 --- a/vbetool.te +++ b/vbetool.te -@@ -1,4 +1,4 @@ --policy_module(vbetool, 1.7.0) -+policy_module(vbetool, 1.6.1) - - ######################################## - # @@ -27,6 +27,7 @@ role vbetool_roles types vbetool_t; # @@ -105785,15 +101619,9 @@ index 31c752e..ef52235 100644 init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/vdagent.te b/vdagent.te -index 87da8a2..9ed83d0 100644 +index 77be35a..9ed83d0 100644 
--- a/vdagent.te +++ b/vdagent.te -@@ -1,4 +1,4 @@ --policy_module(vdagent, 1.1.1) -+policy_module(vdagent, 1.0.2) - - ######################################## - # @@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t) dontaudit vdagent_t self:capability sys_admin; @@ -105802,31 +101630,29 @@ index 87da8a2..9ed83d0 100644 allow vdagent_t self:fifo_file rw_fifo_file_perms; allow vdagent_t self:unix_stream_socket { accept listen }; -@@ -39,23 +40,25 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) +@@ -39,20 +40,25 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) logging_log_filetrans(vdagent_t, vdagent_log_t, file) +kernel_request_load_module(vdagent_t) + dev_rw_input_dev(vdagent_t) --dev_rw_mtrr(vdagent_t) dev_read_sysfs(vdagent_t) dev_dontaudit_write_mtrr(vdagent_t) -files_read_etc_files(vdagent_t) -+init_read_state(vdagent_t) +- + init_read_state(vdagent_t) --term_use_virtio_console(vdagent_t) +-logging_send_syslog_msg(vdagent_t) +systemd_read_logind_sessions_files(vdagent_t) +systemd_login_read_pid_files(vdagent_t) --init_read_state(vdagent_t) +-miscfiles_read_localization(vdagent_t) +term_use_virtio_console(vdagent_t) ++ ++logging_send_syslog_msg(vdagent_t) - logging_send_syslog_msg(vdagent_t) - --miscfiles_read_localization(vdagent_t) -- userdom_read_all_users_state(vdagent_t) +xserver_read_xdm_state(vdagent_t) @@ -105854,15 +101680,9 @@ index 22edd58..c3a5364 100644 domain_system_change_exemption($1) role_transition $2 vhostmd_initrc_exec_t system_r; diff --git a/vhostmd.te b/vhostmd.te -index 3d11c6a..b96e329 100644 +index 0be8535..b96e329 100644 --- a/vhostmd.te +++ b/vhostmd.te -@@ -1,4 +1,4 @@ --policy_module(vhostmd, 1.1.0) -+policy_module(vhostmd, 1.0.1) - - ######################################## - # @@ -58,14 +58,11 @@ dev_read_urand(vhostmd_t) dev_read_sysfs(vhostmd_t) @@ -105887,10 +101707,10 @@ index 3d11c6a..b96e329 100644 optional_policy(` 
diff --git a/virt.fc b/virt.fc -index a4f20bc..9ccc90c 100644 +index c30da4c..9ccc90c 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,51 +1,97 @@ +@@ -1,52 +1,97 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -105921,7 +101741,8 @@ index a4f20bc..9ccc90c 100644 +/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) --/etc/rc\.d/init\.d/(libvirt-bin|libvirtd) -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/libvirt-bin -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) +/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) +/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0) 
@@ -105958,24 +101779,32 @@ index a4f20bc..9ccc90c 100644 +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) -+ + +-/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +-/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +-/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +- +-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +- +-/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0) +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -+/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) -+/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) + /var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) + /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +-/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0) +-/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0) +-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh) +-/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +-/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) +/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/vdsm(/.*)? 
gen_context(system_u:object_r:virt_var_run_t,s0) - --/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) --/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) --/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) ++ +/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) - --/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ++ +# support for AEOLUS project +/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0) @@ -105984,15 +101813,7 @@ index a4f20bc..9ccc90c 100644 +/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0) - --/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) --/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) --/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) --/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0) --/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0) --/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh) --/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0) --/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ++ +# add support vios-proxy-* +/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/vios-proxy-guest -- gen_context(system_u:object_r:virtd_exec_t,s0) @@ -106027,7 +101848,7 @@ index a4f20bc..9ccc90c 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..c7a2d97 100644 +index 9dec06c..c7a2d97 100644 --- a/virt.if 
+++ b/virt.if @@ -1,120 +1,51 @@ @@ -107801,7 +103622,7 @@ index facdee8..c7a2d97 100644 - type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t; - type virt_var_run_t, virt_tmp_t, virt_log_t; - type virt_lock_t, svirt_var_run_t, virt_etc_rw_t; -- type virt_etc_t, svirt_cache_t, virtd_keytab_t; +- type virt_etc_t, svirt_cache_t; + attribute virt_domain; + attribute virt_system_domain; + attribute svirt_file_type; @@ -107834,7 +103655,7 @@ index facdee8..c7a2d97 100644 - admin_pattern($1, { virt_tmp_type virt_tmp_t }) - - files_search_etc($1) -- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t }) +- admin_pattern($1, { virt_etc_t virt_etc_rw_t }) - - logging_search_logs($1) - admin_pattern($1, virt_log_t) @@ -107879,11 +103700,11 @@ index facdee8..c7a2d97 100644 + typeattribute $1 sandbox_caps_domain; ') diff --git a/virt.te b/virt.te -index f03dcf5..92d1a81 100644 +index 1f22fba..92d1a81 100644 --- a/virt.te +++ b/virt.te -@@ -1,149 +1,223 @@ --policy_module(virt, 1.7.4) +@@ -1,147 +1,224 @@ +-policy_module(virt, 1.6.10) +policy_module(virt, 1.5.0) ######################################## @@ -108169,16 +103990,15 @@ index f03dcf5..92d1a81 100644 +type virtd_initrc_exec_t, virt_file_type; init_script_file(virtd_initrc_exec_t) --type virtd_keytab_t; --files_type(virtd_keytab_t) +type qemu_var_run_t, virt_file_type; +typealias qemu_var_run_t alias svirt_var_run_t; +files_pid_file(qemu_var_run_t) +mls_trusted_object(qemu_var_run_t) - ++ ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) -@@ -153,299 +227,132 @@ ifdef(`enable_mls',` + ') +@@ -150,295 +227,132 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') 
@@ -108240,7 +104060,6 @@ index f03dcf5..92d1a81 100644 -allow virt_domain self:process { signal getsched signull }; -allow virt_domain self:fifo_file rw_fifo_file_perms; --allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms; -allow virt_domain self:netlink_route_socket r_netlink_socket_perms; -allow virt_domain self:shm create_shm_perms; -allow virt_domain self:tcp_socket create_stream_socket_perms; @@ -108387,7 +104206,6 @@ index f03dcf5..92d1a81 100644 -tunable_policy(`virt_use_usb',` - dev_rw_usbfs(virt_domain) - dev_read_sysfs(virt_domain) -- fs_getattr_dos_fs(virt_domain) - fs_manage_dos_dirs(virt_domain) - fs_manage_dos_files(virt_domain) -') @@ -108502,7 +104320,7 @@ index f03dcf5..92d1a81 100644 +') + allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; --allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; +-allow virtd_t self:unix_stream_socket { accept connectto listen }; -allow virtd_t self:tcp_socket { accept listen }; +allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto }; +allow virtd_t self:tcp_socket create_stream_socket_perms; 
@@ -108530,7 +104348,11 @@ index f03dcf5..92d1a81 100644 manage_files_pattern(virtd_t, virt_content_t, virt_content_t) -filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") --allow virtd_t virtd_keytab_t:file read_file_perms; +-allow virtd_t svirt_var_run_t:file relabel_file_perms; +-manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) +-manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) +-manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) +-filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu") +allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; +allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched transition signal signull sigkill }; +allow virt_domain virtd_t:fd use; @@ -108539,12 +104361,7 @@ index f03dcf5..92d1a81 100644 + +can_exec(virtd_t, qemu_exec_t) +can_exec(virt_domain, qemu_exec_t) - --allow virtd_t svirt_var_run_t:file relabel_file_perms; --manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) --manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) --manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) --filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu") ++ +allow virtd_t qemu_var_run_t:file relabel_file_perms; +manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) @@ -108554,7 +104371,7 @@ index f03dcf5..92d1a81 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +362,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +362,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
@@ -108601,7 +104418,7 @@ index f03dcf5..92d1a81 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,16 +397,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +397,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -108623,7 +104440,7 @@ index f03dcf5..92d1a81 100644 kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -520,6 +410,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +410,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) @@ -108631,7 +104448,7 @@ index f03dcf5..92d1a81 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +418,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +418,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -108659,7 +104476,7 @@ index f03dcf5..92d1a81 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,22 +438,27 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +438,27 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -108692,7 +104509,7 @@ index f03dcf5..92d1a81 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -601,15 +489,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +489,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) 
@@ -108712,7 +104529,7 @@ index f03dcf5..92d1a81 100644 selinux_validate_context(virtd_t) -@@ -620,18 +511,26 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +511,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -108749,7 +104566,7 @@ index f03dcf5..92d1a81 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +539,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +539,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -108758,7 +104575,7 @@ index f03dcf5..92d1a81 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +564,12 @@ optional_policy(` +@@ -658,20 +564,12 @@ optional_policy(` ') optional_policy(` @@ -108779,7 +104596,7 @@ index f03dcf5..92d1a81 100644 ') optional_policy(` -@@ -691,20 +582,25 @@ optional_policy(` +@@ -684,14 +582,20 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -108802,14 +104619,7 @@ index f03dcf5..92d1a81 100644 iptables_manage_config(virtd_t) ') - optional_policy(` -- kerberos_read_keytab(virtd_t) -- kerberos_use(virtd_t) -+ kerberos_keytab_template(virtd, virtd_t) - ') - - optional_policy(` -@@ -712,11 +608,13 @@ optional_policy(` +@@ -704,11 +608,13 @@ optional_policy(` ') optional_policy(` @@ -108823,7 +104633,7 @@ index f03dcf5..92d1a81 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +625,18 @@ optional_policy(` +@@ -719,10 +625,18 @@ optional_policy(` ') optional_policy(` @@ -108842,11 +104652,8 @@ index f03dcf5..92d1a81 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -743,47 +649,279 @@ optional_policy(` - optional_policy(` - udev_domtrans(virtd_t) +@@ -737,44 +651,277 @@ optional_policy(` udev_read_db(virtd_t) -- udev_read_pid_files(virtd_t) ') -######################################## 
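Review bot: The kerberos `optional_policy` rewrite for virtd_t is dropped in the hunk at @@ -108802: the new patch no longer replaces `kerberos_read_keytab(virtd_t)` / `kerberos_use(virtd_t)` with `kerberos_keytab_template(virtd, virtd_t)`, and the hunks at @@ -108169 and @@ -108530 likewise stop removing `type virtd_keytab_t` and its `read_file_perms` rule. With the post-patch blob still 92d1a81 this only holds if the new base already carries the template call and has no virtd_keytab_t; that is consistent with the new base side shown, but it is inferred rather than visible here. It is worth confirming with a build of the patched tree, because if the base still had `kerberos_read_keytab(virtd_t)` the daemon would keep read access to the generic keytab type rather than the per-domain one the template creates.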
@@ -108992,7 +104799,7 @@ index f03dcf5..92d1a81 100644 +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +miscfiles_read_generic_certs(virt_domain) - ++ +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) @@ -109102,7 +104909,7 @@ index f03dcf5..92d1a81 100644 +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; -+ + +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; @@ -109146,7 +104953,7 @@ index f03dcf5..92d1a81 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +932,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +932,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -109173,7 +104980,7 @@ index f03dcf5..92d1a81 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +952,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,23 +952,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -109190,10 +104997,10 @@ index f03dcf5..92d1a81 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) ++ ++auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) -+auth_read_passwd(virsh_t) -+ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -109207,7 +105014,7 @@ index f03dcf5..92d1a81 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +989,20 @@ optional_policy(` +@@ -847,14 +989,20 @@ optional_policy(` ') optional_policy(` 
@@ -109229,7 +105036,7 @@ index f03dcf5..92d1a81 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1027,65 @@ optional_policy(` +@@ -879,49 +1027,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -109313,7 +105120,7 @@ index f03dcf5..92d1a81 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1097,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1097,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -109333,7 +105140,7 @@ index f03dcf5..92d1a81 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1118,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1118,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -109357,7 +105164,7 @@ index f03dcf5..92d1a81 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1143,317 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1143,317 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -109769,10 +105576,10 @@ index f03dcf5..92d1a81 100644 + +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) ++ ++append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) -allow svirt_prot_exec_t self:process { execmem execstack }; -+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) -+ +kernel_read_irq_sysctls(svirt_qemu_net_t) + +dev_read_sysfs(svirt_qemu_net_t) 
@@ -109815,7 +105622,7 @@ index f03dcf5..92d1a81 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1466,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1466,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -109830,7 +105637,7 @@ index f03dcf5..92d1a81 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1484,8 @@ optional_policy(` +@@ -1183,9 +1484,8 @@ optional_policy(` ######################################## # @@ -109841,7 +105648,7 @@ index f03dcf5..92d1a81 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1498,219 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1498,219 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -110064,15 +105871,9 @@ index f03dcf5..92d1a81 100644 + +allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; diff --git a/vlock.te b/vlock.te -index 6b72968..b5285e7 100644 +index 9ead775..b5285e7 100644 --- a/vlock.te +++ b/vlock.te -@@ -1,4 +1,4 @@ --policy_module(vlock, 1.2.0) -+policy_module(vlock, 1.1.1) - - ######################################## - # @@ -38,7 +38,7 @@ auth_use_pam(vlock_t) init_dontaudit_rw_utmp(vlock_t) @@ -110342,15 +106143,9 @@ index 20a1fb2..470ea95 100644 allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms }; diff --git a/vmware.te b/vmware.te -index 4ad1894..d7ec42b 100644 +index 3a56513..d7ec42b 100644 --- a/vmware.te 
+++ b/vmware.te -@@ -1,4 +1,4 @@ --policy_module(vmware, 2.7.0) -+policy_module(vmware, 2.6.1) - - ######################################## - # @@ -65,7 +65,8 @@ ifdef(`enable_mcs',` # Host local policy # @@ -110468,15 +106263,9 @@ index 137ac44..b644854 100644 domain_system_change_exemption($1) role_transition $2 vnstatd_initrc_exec_t system_r; diff --git a/vnstatd.te b/vnstatd.te -index e2220ae..ff18188 100644 +index febc3e5..ff18188 100644 --- a/vnstatd.te +++ b/vnstatd.te -@@ -1,4 +1,4 @@ --policy_module(vnstatd, 1.1.0) -+policy_module(vnstatd, 1.0.1) - - ######################################## - # @@ -36,7 +36,7 @@ allow vnstatd_t self:unix_stream_socket { accept listen }; manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) @@ -110625,16 +106414,16 @@ index 7a7f342..afedcba 100644 ## ## diff --git a/vpn.te b/vpn.te -index 95b26d1..38a4bf3 100644 +index 9329eae..38a4bf3 100644 --- a/vpn.te +++ b/vpn.te @@ -1,4 +1,4 @@ --policy_module(vpn, 1.16.0) +-policy_module(vpn, 1.15.1) +policy_module(vpn, 1.15.0) ######################################## # -@@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0) +@@ -6,6 +6,7 @@ policy_module(vpn, 1.15.1) # attribute_role vpnc_roles; @@ -110745,27 +106534,11 @@ index 95b26d1..38a4bf3 100644 - seutil_use_newrole_fds(vpnc_t) + networkmanager_manage_pid_files(vpnc_t) ') -diff --git a/w3c.fc b/w3c.fc -index 463c799..4834796 100644 ---- a/w3c.fc -+++ b/w3c.fc -@@ -1,4 +1,4 @@ --/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) -+/usr/lib/cgi-bin/check gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) - - /usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0) - /usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) diff --git a/w3c.te b/w3c.te -index b14d6a9..d3cf4a8 100644 +index bcb76b6..d3cf4a8 100644 --- a/w3c.te 
+++ b/w3c.te -@@ -1,4 +1,4 @@ --policy_module(w3c, 1.1.0) -+policy_module(w3c, 1.0.1) - - ######################################## - # -@@ -7,10 +7,17 @@ policy_module(w3c, 1.1.0) +@@ -7,10 +7,17 @@ policy_module(w3c, 1.0.1) apache_content_template(w3c_validator) @@ -110801,15 +106574,9 @@ index eecd0e0..8df2e8c 100644 /var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0) diff --git a/watchdog.te b/watchdog.te -index 3548317..026b259 100644 +index 29f79e8..026b259 100644 --- a/watchdog.te +++ b/watchdog.te -@@ -1,4 +1,4 @@ --policy_module(watchdog, 1.8.0) -+policy_module(watchdog, 1.7.1) - - ################################# - # @@ -12,29 +12,41 @@ init_daemon_domain(watchdog_t, watchdog_exec_t) type watchdog_initrc_exec_t; init_script_file(watchdog_initrc_exec_t) @@ -111064,15 +106831,9 @@ index 1e3aec0..d17ff39 100644 + ') diff --git a/wdmd.te b/wdmd.te -index 4815a93..144c0e7 100644 +index ebbdaf6..144c0e7 100644 --- a/wdmd.te +++ b/wdmd.te -@@ -1,4 +1,4 @@ --policy_module(wdmd, 1.1.0) -+policy_module(wdmd, 1.0.3) - - ######################################## - # @@ -45,16 +45,15 @@ corecmd_exec_shell(wdmd_t) dev_read_watchdog(wdmd_t) dev_write_watchdog(wdmd_t) @@ -111095,15 +106856,9 @@ index 4815a93..144c0e7 100644 + rhcs_rw_cluster_tmpfs(wdmd_t) ') diff --git a/webadm.te b/webadm.te -index 2a6cae7..d26f598 100644 +index 708254f..d26f598 100644 --- a/webadm.te +++ b/webadm.te -@@ -1,4 +1,4 @@ --policy_module(webadm, 1.2.0) -+policy_module(webadm, 1.1.1) - - ######################################## - # @@ -25,6 +25,9 @@ role webadm_r; userdom_base_user_template(webadm) @@ -111139,15 +106894,9 @@ index 2a6cae7..d26f598 100644 tunable_policy(`webadm_manage_user_files',` userdom_manage_user_home_content_files(webadm_t) diff --git a/webalizer.te b/webalizer.te -index ae919b9..3c09628 100644 +index cdca8c7..3c09628 100644 --- a/webalizer.te 
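Review bot: The w3c.fc file diff is dropped entirely in the hunk at @@ -110745 (`-diff --git a/w3c.fc b/w3c.fc` through its single hunk), and unlike the .te files there is no surviving `index` line to show the patched result is unchanged. That diff relaxed `/usr/lib/cgi-bin/check` from a `--` (regular-file-only) spec to one matching any object class; if the new base still carries the `--` form, non-regular objects at that path would no longer be labelled httpd_w3c_validator_script_exec_t after the rebase. The uwimap.fc diff dropped at @@ -105529 was whitespace-only and needs no check, but w3c.fc in the new base should be compared against the old patched output before this is merged.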
+++ b/webalizer.te -@@ -1,4 +1,4 @@ --policy_module(webalizer, 1.13.0) -+policy_module(webalizer, 1.12.1) - - ######################################## - # @@ -55,27 +55,35 @@ can_exec(webalizer_t, webalizer_exec_t) kernel_read_kernel_sysctls(webalizer_t) kernel_read_system_state(webalizer_t) @@ -111362,16 +107111,10 @@ index fd2b6cc..938c4a7 100644 +') + diff --git a/wine.te b/wine.te -index 491b87b..e5944be 100644 +index b51923c..e5944be 100644 --- a/wine.te +++ b/wine.te -@@ -1,4 +1,4 @@ --policy_module(wine, 1.11.0) -+policy_module(wine, 1.10.1) - - ######################################## - # -@@ -14,10 +14,11 @@ policy_module(wine, 1.11.0) +@@ -14,10 +14,11 @@ policy_module(wine, 1.10.1) ## gen_tunable(wine_mmap_zero_ignore, false) @@ -111470,15 +107213,9 @@ index 491b87b..e5944be 100644 ') + diff --git a/wireshark.te b/wireshark.te -index ff6ef38..a2d910f 100644 +index cf5cab6..a2d910f 100644 --- a/wireshark.te +++ b/wireshark.te -@@ -1,4 +1,4 @@ --policy_module(wireshark, 2.4.0) -+policy_module(wireshark, 2.3.1) - - ######################################## - # @@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t) # Local Policy # @@ -111541,7 +107278,7 @@ index 304ae09..c1d10a1 100644 -/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) +/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) diff --git a/wm.if b/wm.if -index 95f888d..36b2f81 100644 +index 25b702d..36b2f81 100644 --- a/wm.if +++ b/wm.if @@ -1,4 +1,4 @@ @@ -111550,7 +107287,7 @@ index 95f888d..36b2f81 100644 ####################################### ## -@@ -29,69 +29,59 @@ +@@ -29,54 +29,46 @@ # template(`wm_role_template',` gen_require(` @@ -111611,9 +107348,6 @@ index 95f888d..36b2f81 100644 - auth_use_nsswitch($1_wm_t) - -- xserver_role($2, $1_wm_t) -- xserver_manage_core_devices($1_wm_t) -- - optional_policy(` - dbus_spec_session_bus_client($1, $1_wm_t) - dbus_system_bus_client($1_wm_t) 
@@ -111624,16 +107358,9 @@ index 95f888d..36b2f81 100644 - ') - optional_policy(` -- gnome_stream_connect_gkeyringd($1, $1_wm_t) -+ pulseaudio_run($1_wm_t, $2) - ') - - optional_policy(` -- pulseaudio_run($1_wm_t, $2) -+ xserver_role($2, $1_wm_t) -+ xserver_manage_core_devices($1_wm_t) + pulseaudio_run($1_wm_t, $2) ') - ') +@@ -89,7 +81,7 @@ template(`wm_role_template',` ######################################## ## @@ -111642,7 +107369,7 @@ index 95f888d..36b2f81 100644 ## ## ## -@@ -104,33 +94,5 @@ interface(`wm_exec',` +@@ -102,33 +94,5 @@ interface(`wm_exec',` type wm_exec_t; ') @@ -111677,11 +107404,11 @@ index 95f888d..36b2f81 100644 - allow $1_wm_t $2:dbus send_msg; -') diff --git a/wm.te b/wm.te -index 638d10f..20ce90b 100644 +index 7c7f7fa..20ce90b 100644 --- a/wm.te +++ b/wm.te -@@ -1,74 +1,88 @@ --policy_module(wm, 1.3.3) +@@ -1,36 +1,88 @@ +-policy_module(wm, 1.2.5) +policy_module(wm, 1.2.0) + +attribute wm_domain; 
@@ -111694,44 +107421,39 @@ index 638d10f..20ce90b 100644 -attribute wm_domain; - type wm_exec_t; - corecmd_executable_file(wm_exec_t) - +- -######################################## -# -# Common wm domain local policy -# -- ++corecmd_executable_file(wm_exec_t) + allow wm_domain self:fifo_file rw_fifo_file_perms; - allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched }; - allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms; +-allow wm_domain self:process getsched; ++allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched }; ++allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms; + allow wm_domain self:shm create_shm_perms; allow wm_domain self:unix_dgram_socket create_socket_perms; -kernel_read_system_state(wm_domain) - --corecmd_getattr_all_executables(wm_domain) -- --dev_read_sound(wm_domain) --dev_read_sysfs(wm_domain) dev_read_urand(wm_domain) --dev_rw_wireless(wm_domain) +dev_read_sound(wm_domain) - dev_write_sound(wm_domain) -- --files_read_usr_files(wm_domain) ++dev_write_sound(wm_domain) +dev_rw_wireless(wm_domain) +dev_read_sysfs(wm_domain) - - fs_getattr_all_fs(wm_domain) - ++ ++fs_getattr_all_fs(wm_domain) ++ +corecmd_dontaudit_access_all_executables(wm_domain) +corecmd_getattr_all_executables(wm_domain) -+ + +-files_read_usr_files(wm_domain) +application_signull(wm_domain) + +init_read_state(wm_domain) -+ + miscfiles_read_fonts(wm_domain) -miscfiles_read_localization(wm_domain) 
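Review bot: The new `allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };` line widens every window-manager domain carrying the wm_domain attribute from the upstream `getsched` to `execmem` and `setcap` as well, with no comment or tunable saying which window manager needs them. `execmem` lets the process map anonymous memory that is both writable and executable (the usual JIT exemption), which gives up W^X for a long-lived, input-handling desktop process, and `setcap`, as I read it, lets the domain adjust its own capability sets; both deserve gating rather than a blanket grant to the attribute. Elsewhere in this patch a desktop exemption of this kind sits behind a boolean (`gen_tunable(wine_mmap_zero_ignore, false)` in wine.te), so I would leave `setcap`/`setrlimit`/`setsched` unconditional only with a comment naming the consumer, and put `execmem` behind a `wm_execmem` tunable that defaults to off. The nested wm.te hunk continues in the following outer hunks, so the optional_policy blocks that come after these rules are not in view here.
```m4
## <desc>
## <p>
## Allow window managers to map memory that is
## both writable and executable.
## </p>
## </desc>
gen_tunable(wm_execmem, false)

# … unchanged: wm_domain attribute and wm_exec_t declaration …

# setcap/setrlimit/setsched: TODO name the window manager that needs these
allow wm_domain self:process { setcap setrlimit signal_perms getsched setsched };

tunable_policy(`wm_execmem',`
	allow wm_domain self:process execmem;
')
```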
@@ -111741,28 +107463,16 @@ index 638d10f..20ce90b 100644 +systemd_read_logind_sessions_files(wm_domain) +systemd_write_inhibit_pipes(wm_domain) +systemd_login_read_pid_files(wm_domain) - --userdom_manage_user_home_content_dirs(wm_domain) --userdom_manage_user_home_content_files(wm_domain) --userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) ++ +userdom_read_user_home_content_files(wm_domain) - --optional_policy(` -- accountsd_dbus_chat(wm_domain) --') -- --optional_policy(` -- bluetooth_dbus_chat(wm_domain) --') ++ +udev_read_pid_files(wm_domain) - - optional_policy(` -- devicekit_dbus_chat_power(wm_domain) ++ ++optional_policy(` + gnome_stream_connect_gkeyringd(wm_domain) - ') - - optional_policy(` -- networkmanager_dbus_chat(wm_domain) ++') ++ ++optional_policy(` + dbus_system_bus_client(wm_domain) + dbus_session_bus_client(wm_domain) + optional_policy(` @@ -111788,22 +107498,22 @@ index 638d10f..20ce90b 100644 + optional_policy(` + systemd_dbus_chat_logind(wm_domain) + ') - ') - - optional_policy(` -- policykit_dbus_chat(wm_domain) ++') ++ ++optional_policy(` + pulseaudio_stream_connect(wm_domain) - ') - - optional_policy(` -- pulseaudio_stream_connect(wm_domain) ++') ++ ++optional_policy(` + userhelper_exec_console(wm_domain) - ') ++') - optional_policy(` -- userhelper_exec_consolehelper(wm_domain) +-userdom_manage_user_home_content_dirs(wm_domain) +-userdom_manage_user_home_content_files(wm_domain) +-userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) ++optional_policy(` + xserver_manage_core_devices(wm_domain) - ') ++') diff --git a/xen.fc b/xen.fc index 42d83b0..651d1cb 100644 --- a/xen.fc @@ -112135,11 +107845,11 @@ index f93558c..16e29c1 100644 files_search_pids($1) diff --git a/xen.te b/xen.te -index 6f736a9..3fe3e35 100644 +index ed40676..3fe3e35 100644 --- a/xen.te +++ b/xen.te 
@@ -1,42 +1,34 @@ --policy_module(xen, 1.13.0) +-policy_module(xen, 1.12.5) +policy_module(xen, 1.12.0) ######################################## @@ -112831,15 +108541,9 @@ index 6f736a9..3fe3e35 100644 - fs_manage_xenfs_files(xm_ssh_t) -') diff --git a/xfs.te b/xfs.te -index 0928c5d..7668014 100644 +index 0cea2cd..7668014 100644 --- a/xfs.te +++ b/xfs.te -@@ -1,4 +1,4 @@ --policy_module(xfs, 1.7.0) -+policy_module(xfs, 1.6.1) - - ######################################## - # @@ -41,7 +41,6 @@ can_exec(xfs_t, xfs_exec_t) kernel_read_kernel_sysctls(xfs_t) kernel_read_system_state(xfs_t) @@ -112865,16 +108569,16 @@ index 0928c5d..7668014 100644 userdom_dontaudit_use_unpriv_user_fds(xfs_t) diff --git a/xguest.te b/xguest.te -index a64aad3..0f1f514 100644 +index 2882821..0f1f514 100644 --- a/xguest.te +++ b/xguest.te @@ -1,4 +1,4 @@ --policy_module(xguest, 1.2.0) +-policy_module(xguest, 1.1.2) +policy_module(xguest, 1.1.0) ######################################## # -@@ -6,46 +6,47 @@ policy_module(xguest, 1.2.0) +@@ -6,46 +6,47 @@ policy_module(xguest, 1.1.2) # ## @@ -113161,15 +108865,9 @@ index 3c44d84..ce5e69d 100644 sysnet_read_config(xprint_t) diff --git a/xscreensaver.te b/xscreensaver.te -index 04096a0..485e77d 100644 +index c9c9650..485e77d 100644 --- a/xscreensaver.te +++ b/xscreensaver.te -@@ -1,4 +1,4 @@ --policy_module(xscreensaver, 1.2.0) -+policy_module(xscreensaver, 1.1.1) - - ######################################## - # @@ -25,7 +25,6 @@ allow xscreensaver_t self:fifo_file rw_fifo_file_perms; kernel_read_system_state(xscreensaver_t) @@ -113191,15 +108889,9 @@ index 04096a0..485e77d 100644 xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) diff --git a/yam.te b/yam.te -index 2695db2..910aeec 100644 +index d837e88..910aeec 100644 --- a/yam.te +++ b/yam.te -@@ -1,4 +1,4 @@ --policy_module(yam, 1.5.0) -+policy_module(yam, 1.4.1) - - ######################################## - # 
@@ -73,11 +73,11 @@ auth_use_nsswitch(yam_t) logging_send_syslog_msg(yam_t) @@ -113216,12 +108908,12 @@ index 2695db2..910aeec 100644 userdom_search_user_home_dirs(yam_t) diff --git a/zabbix.fc b/zabbix.fc -index c3b5a81..14dc7c6 100644 +index ce10cb1..14dc7c6 100644 --- a/zabbix.fc +++ b/zabbix.fc @@ -1,15 +1,23 @@ -+/etc/rc\.d/init\.d/((zabbix)|(zabbix-server)) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) - /etc/rc\.d/init\.d/(zabbix|zabbix-server) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) + /etc/rc\.d/init\.d/((zabbix)|(zabbix-server)) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/(zabbix|zabbix-server) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) /etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0) /usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) @@ -113408,16 +109100,10 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 7f496c6..bf87704 100644 +index 46e4cd3..bf87704 100644 --- a/zabbix.te +++ b/zabbix.te -@@ -1,4 +1,4 @@ --policy_module(zabbix, 1.6.0) -+policy_module(zabbix, 1.5.3) - - ######################################## - # -@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0) +@@ -6,27 +6,32 @@ policy_module(zabbix, 1.5.3) # ## @@ -113904,11 +109590,11 @@ index 36e32df..3d08962 100644 + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) ') diff --git a/zarafa.te b/zarafa.te -index 3fded1c..ffeb7f4 100644 +index a4479b1..ffeb7f4 100644 --- a/zarafa.te +++ b/zarafa.te @@ -1,13 +1,18 @@ --policy_module(zarafa, 1.2.0) +-policy_module(zarafa, 1.1.4) +policy_module(zarafa, 1.1.0) ######################################## @@ -114305,16 +109991,16 @@ index 3416401..676925c 100644 + allow $1 zebra_unit_file_t:service all_service_perms; ') diff --git a/zebra.te b/zebra.te -index 2e80d04..e2b8723 100644 +index b0803c2..e2b8723 100644 --- a/zebra.te 
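Review bot: After this rebase the zabbix.fc hunk keeps the upstream `/etc/rc\.d/init\.d/((zabbix)|(zabbix-server))` spec as a context line and adds `/etc/rc\.d/init\.d/(zabbix|zabbix-server)` directly below it, so the patched file ends up with two regexes that match exactly the same paths and assign the same `zabbix_initrc_exec_t` context. If the intent is to simplify the upstream regex, the context line should become a removal, `-/etc/rc\.d/init\.d/((zabbix)|(zabbix-server)) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)`, so that only one spec survives; if not, the added line is redundant and should be dropped. Two specs with identical contexts are harmless to labeling as far as I can tell, but they leave later fc edits ambiguous about which entry is authoritative. The yam.te part of this hunk only drops a version-line change and needs nothing.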
+++ b/zebra.te @@ -1,4 +1,4 @@ --policy_module(zebra, 1.13.0) +-policy_module(zebra, 1.12.1) +policy_module(zebra, 1.12.0) ######################################## # -@@ -6,23 +6,26 @@ policy_module(zebra, 1.13.0) +@@ -6,23 +6,26 @@ policy_module(zebra, 1.12.1) # ## @@ -115068,15 +110754,9 @@ index b14698c..16e1581 100644 interface(`zosremote_run',` gen_require(` diff --git a/zosremote.te b/zosremote.te -index bc6a5db..983b6c8 100644 +index 9ba9f81..983b6c8 100644 --- a/zosremote.te +++ b/zosremote.te -@@ -1,4 +1,4 @@ --policy_module(zosremote, 1.2.0) -+policy_module(zosremote, 1.1.1) - - ######################################## - # @@ -24,6 +24,4 @@ allow zos_remote_t self:unix_stream_socket { accept listen }; auth_use_nsswitch(zos_remote_t)