diff --git a/abrt.te b/abrt.te
index 4ca892f..cb6f88a 100644
--- a/abrt.te
+++ b/abrt.te
@@ -226,6 +226,10 @@ optional_policy(`
')
optional_policy(`
+ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
+')
+
+optional_policy(`
policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
diff --git a/collectd.te b/collectd.te
index 199d175..3dbef2a 100644
--- a/collectd.te
+++ b/collectd.te
@@ -34,7 +34,7 @@ systemd_unit_file(collectd_unit_file_t)
# collectd local policy
#
-allow collectd_t self:capability ipc_lock;
+allow collectd_t self:capability { ipc_lock setsched sys_nice };
allow collectd_t self:process { signal fork };
allow collectd_t self:fifo_file rw_fifo_file_perms;
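Review bot: The capability line now grants `setsched` and `sys_nice` without any comment saying which collectd plugin or code path needs to change scheduling policy, so the next reviewer cannot tell whether `sys_nice` (which covers raising priority, not just lowering it) is still required or could be trimmed back. A one-line why-comment above the rule would fix that, e.g. `# setsched/sys_nice: <plugin or code path> adjusts thread scheduling (see <bug or denial reference>)`, with the placeholders filled from the denial that motivated the change. The collectd_t rule block continues outside this hunk.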
diff --git a/glance.te b/glance.te
index 2e451b7..842165a 100644
--- a/glance.te
+++ b/glance.te
@@ -66,6 +66,8 @@ files_read_usr_files(glance_domain)
auth_read_passwd(glance_domain)
+libs_exec_ldconfig(glance_domain)
+
miscfiles_read_localization(glance_domain)
optional_policy(`
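Review bot: Moving `libs_exec_ldconfig` from `glance_api_t` to `glance_domain` (this hunk together with the removal in the 113,5 hunk below) widens ldconfig execution to every domain carrying the glance_domain attribute, presumably the registry and any other glance service, not just the API daemon. If only glance-api actually executes ldconfig, the narrower per-domain grant it replaces is the safer one; if the widening is intended, a short comment on the new line would keep a later reader from narrowing it back, e.g. `# all glance services exec ldconfig at startup` adjusted to what was observed. Nothing in the diff shows which glance domains triggered the denial, so this is a question rather than a defect.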
@@ -113,5 +115,3 @@ corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
dev_read_urand(glance_api_t)
fs_getattr_xattr_fs(glance_api_t)
-
-libs_exec_ldconfig(glance_api_t)
diff --git a/mozilla.fc b/mozilla.fc
index f1f3e51..60e7237 100644
--- a/mozilla.fc
+++ b/mozilla.fc
@@ -12,6 +12,7 @@ HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
#
# /bin
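Review bot: The new `HOME_DIR/zimbrauserdata(/.*)?` entry is the only path in this list that is not a dotfile directory and the only one whose owning application is not obvious from its name, and it inherits `mozilla_home_t`, the label the surrounding entries reserve for browser and plugin home data. A comment naming the application would help, e.g. `# Zimbra Desktop user data, shares the plugin home label` (confirm the application and exact directory name before committing the comment). Whether the non-dotted spelling is what the application really creates cannot be verified from this diff.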
diff --git a/mozilla.te b/mozilla.te
index 7bf56bf..04172bb 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -338,7 +338,6 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
-xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
@@ -369,6 +368,7 @@ corenet_tcp_connect_ftp_port(mozilla_plugin_t)
corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
+corenet_tcp_connect_ircd_port(mozilla_plugin_t)
corenet_tcp_connect_jabber_client_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
@@ -416,6 +416,8 @@ auth_use_nsswitch(mozilla_plugin_t)
init_dontaudit_getattr_initctl(mozilla_plugin_t)
+libs_exec_lib_files(mozilla_plugin_t)
+
logging_send_syslog_msg(mozilla_plugin_t)
miscfiles_read_localization(mozilla_plugin_t)
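Review bot: `libs_exec_lib_files(mozilla_plugin_t)` lets the plugin domain execute library-labelled files outright rather than only map them, which is a noticeably broader grant than the neighbouring rules in this hunk, and nothing records which plugin needed it. A why-comment on the new line would make the grant reviewable later, e.g. `# <plugin name> executes helper binaries shipped under a lib directory (see <denial reference>)`, with the placeholders filled from the AVC that motivated the change. If the real need was only `execute`/`map` on a specific library path, a narrower rule may be possible, but the hunk does not show enough to say.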
@@ -506,6 +508,8 @@ optional_policy(`
')
optional_policy(`
+ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
xserver_read_xdm_pid(mozilla_plugin_t)
xserver_stream_connect(mozilla_plugin_t)
xserver_use_user_fonts(mozilla_plugin_t)
diff --git a/nova.te b/nova.te
index b0d25bb..415b098 100644
--- a/nova.te
+++ b/nova.te
@@ -141,7 +141,7 @@ allow nova_cert_t self:process setfscreate;
allow nova_cert_t self:udp_socket create_socket_perms;
-auth_read_passwd(nova_cert_t)
+auth_use_nsswitch(nova_cert_t)
miscfiles_read_certs(nova_cert_t)
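Review bot: Replacing `auth_read_passwd` with `auth_use_nsswitch` for `nova_cert_t` also covers nscd socket use, which is the same reasoning this commit applies to uucp.te where the `nscd_socket_use(uux_t)` optional block is deleted; if an equivalent `nscd_socket_use(nova_cert_t)` block exists elsewhere in nova.te (outside this hunk), it is now redundant and should be removed for consistency. Worth a quick grep before merging; the hunk itself shows only the one-line swap.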
diff --git a/samba.fc b/samba.fc
index 5c02dec..3d65472 100644
--- a/samba.fc
+++ b/samba.fc
@@ -39,6 +39,7 @@
/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
@@ -53,6 +54,7 @@
/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
diff --git a/samba.if b/samba.if
index f9a546d..9642fe3 100644
--- a/samba.if
+++ b/samba.if
@@ -42,6 +42,25 @@ interface(`samba_signal_nmbd',`
########################################
##
+## Search the samba pid directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`samba_search_pid',`
+ gen_require(`
+ type smbd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 smbd_var_run_t:dir search_dir_perms;
+')
+
+########################################
+##
## Connect to nmbd.
##
##
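Review bot: The parameter description for the new `samba_search_pid` interface reads "Domain to not audit." but the interface body is an `allow` rule plus `files_search_pids($1)`, not a dontaudit, so the documentation contradicts what the interface does. Change the line to `## Domain allowed access.` to match the other allow-style interfaces in this file. The surrounding XML tags appear to have been stripped by the page rendering, so only the text is being commented on here.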
@@ -55,7 +74,7 @@ interface(`samba_stream_connect_nmbd',`
type nmbd_t, nmbd_var_run_t;
')
- files_search_pids($1)
+ samba_search_pid($1)
stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
')
@@ -715,7 +734,7 @@ interface(`samba_read_winbind_pid',`
type winbind_var_run_t;
')
- files_search_pids($1)
+ samba_search_pid($1)
allow $1 winbind_var_run_t:file read_file_perms;
')
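Review bot: After this change `samba_read_winbind_pid` searches the samba pid directory via `samba_search_pid`, but within the hunk the only rule on `winbind_var_run_t` is `file read_file_perms`; with samba.fc in this same commit now labelling `/var/run/samba/winbindd(/.*)?` as `winbind_var_run_t`, a pid file placed inside that directory would also need `allow $1 winbind_var_run_t:dir search_dir_perms;` to be reachable. If the pid file still lives directly in the samba run directory, or the interface body outside this hunk already grants the dir search, this is a non-issue; the start of the interface is outside the hunk so it cannot be confirmed from here.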
@@ -734,7 +753,7 @@ interface(`samba_stream_connect_winbind',`
type samba_var_t, winbind_t, winbind_var_run_t;
')
- files_search_pids($1)
+ samba_search_pid($1)
allow $1 samba_var_t:dir search_dir_perms;
stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
samba_read_config($1)
diff --git a/samba.te b/samba.te
index 627d070..110ed47 100644
--- a/samba.te
+++ b/samba.te
@@ -265,7 +265,6 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow smbd_t nmbd_t:process { signal signull };
-allow winbind_t smbd_var_run_t:dir search_dir_perms;
allow smbd_t nmbd_var_run_t:file rw_file_perms;
stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
@@ -520,10 +519,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-manage_dirs_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
+manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file })
+filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir)
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
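Review bot: `filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir)` is an unnamed transition, so every directory nmbd creates inside the smbd run directory becomes `nmbd_var_run_t`, whereas the samba.fc change in this commit labels only `/var/run/samba/nmbd(/.*)?` that way; the two will disagree for any other directory nmbd creates there, and a relabel would then flip the label. If this policy build supports named file transitions, passing the name as the fifth argument, `filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir, "nmbd")`, keeps the runtime label and the file context in step. The same applies to the winbind transition added in the 872,10 hunk below (`"winbindd"` there).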
@@ -535,8 +535,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
allow nmbd_t smbcontrol_t:process signal;
-allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
-
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
kernel_read_kernel_sysctls(nmbd_t)
@@ -844,7 +842,6 @@ allow winbind_t self:udp_socket create_socket_perms;
allow winbind_t nmbd_t:process { signal signull };
-allow winbind_t smbd_var_run_t:dir search_dir_perms;
read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)
allow winbind_t samba_etc_t:dir list_dir_perms;
@@ -872,10 +869,13 @@ userdom_manage_user_tmp_dirs(winbind_t)
userdom_manage_user_tmp_files(winbind_t)
userdom_tmp_filetrans_user_tmp(winbind_t, { file dir })
-manage_dirs_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
+manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
-files_pid_filetrans(winbind_t, winbind_var_run_t, { file dir })
+files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
+filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
+# /run/samba/krb5cc_samba
+manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
kernel_read_kernel_sysctls(winbind_t)
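Review bot: The comment `# /run/samba/krb5cc_samba` describes a single credential-cache file, but `manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)` grants winbind create/write/unlink on every `smbd_var_run_t` file in the samba run directory, which by the samba.fc entries in this commit includes smbd's pid file and tdb files. A tighter option is to give the cache its own type (or reuse `winbind_var_run_t`) with a named file transition so winbind only manages what it creates; if the broad grant is deliberate for now, the comment should say so, e.g. `# /run/samba/krb5cc_samba; broad for now, no dedicated type yet`. Whether winbind also needs to rewrite other smbd-owned files cannot be told from this hunk.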
diff --git a/setroubleshoot.te b/setroubleshoot.te
index e010142..4e69f51 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -178,6 +178,7 @@ dev_read_urand(setroubleshoot_fixit_t)
seutil_domtrans_setfiles(setroubleshoot_fixit_t)
seutil_domtrans_setsebool(setroubleshoot_fixit_t)
+seutil_read_module_store(setroubleshoot_fixit_t)
files_read_usr_files(setroubleshoot_fixit_t)
files_read_etc_files(setroubleshoot_fixit_t)
diff --git a/uucp.te b/uucp.te
index fef39c0..2f0887d 100644
--- a/uucp.te
+++ b/uucp.te
@@ -136,6 +136,8 @@ files_read_etc_files(uux_t)
fs_rw_anon_inodefs_files(uux_t)
+auth_use_nsswitch(uux_t)
+
logging_send_syslog_msg(uux_t)
miscfiles_read_localization(uux_t)
@@ -147,10 +149,5 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(uux_t)
-')
-
-optional_policy(`
postfix_rw_master_pipes(uux_t)
')
-