##
## Allow the specified domain to
@@ -19284,7 +19319,7 @@ index 97fcdac..630ff53 100644
## Example attributes:
##
##
-@@ -4866,3 +5200,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5218,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -45980,7 +46015,7 @@ index 8581040..2367841 100644
allow $1 nagios_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..1147e19 100644
+index bf64a4c..9ad9024 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -25,7 +25,10 @@ type nagios_var_run_t;
@@ -46127,14 +46162,24 @@ index bf64a4c..1147e19 100644
')
optional_policy(`
-@@ -363,7 +376,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -363,6 +376,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
--kernel_read_system_state(nagios_system_plugin_t)
++read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
++
+ kernel_read_system_state(nagios_system_plugin_t)
kernel_read_kernel_sysctls(nagios_system_plugin_t)
- corecmd_exec_bin(nagios_system_plugin_t)
+@@ -376,6 +391,8 @@ domain_read_all_domains_state(nagios_system_plugin_t)
+
+ files_read_etc_files(nagios_system_plugin_t)
+
++fs_getattr_all_fs(nagios_system_plugin_t)
++
+ # needed by check_users plugin
+ optional_policy(`
+ init_read_utmp(nagios_system_plugin_t)
diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc
index 74da57f..b94bb3b 100644
--- a/policy/modules/services/nessus.fc
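Review bot: The two new grants for nagios_system_plugin_t, `read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)` and `fs_getattr_all_fs(nagios_system_plugin_t)`, carry no comment, while the neighbouring `# needed by check_users plugin` line shows this file's convention of naming the plugin that needs an access. The changelog attributes this release's nagios fixes to check_disk and check_nagios, so I would add `# needed by check_nagios plugin` above the log read and `# needed by check_disk plugin` above the fs_getattr line (which plugin needs which is inferred from the changelog, not visible in the hunk — confirm). fs_getattr_all_fs grants getattr on every filesystem type rather than on the partitions a disk check would normally stat; if the broad form is deliberate, the comment should say so. The nagios_system_plugin_t section starts and ends outside the hunk.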
@@ -51873,7 +51918,7 @@ index b64b02f..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
+')
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..6451f82 100644
+index 29b9295..d45c661 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -51927,7 +51972,19 @@ index 29b9295..6451f82 100644
mta_manage_spool(procmail_t)
mta_read_queue(procmail_t)
-@@ -125,6 +138,11 @@ optional_policy(`
+@@ -107,6 +120,11 @@ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(procmail_t)
+ fs_manage_cifs_files(procmail_t)
+ fs_manage_cifs_symlinks(procmail_t)
++
++optional_policy(`
++ clamav_domtrans_clamscan(procmail_t)
++ clamav_search_lib(procmail_t)
++ cyrus_stream_connect(procmail_t)
+ ')
+
+ optional_policy(`
+@@ -125,6 +143,11 @@ optional_policy(`
postfix_read_spool_files(procmail_t)
postfix_read_local_state(procmail_t)
postfix_read_master_state(procmail_t)
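Review bot: As rendered here, the new `optional_policy(`` block for clamav and cyrus is opened inside the `use_samba_home_dirs` tunable_policy block: the five added lines sit between `fs_manage_cifs_symlinks(procmail_t)` and the context `')` that closed the tunable, and the inner hunk header `+120,11` confirms that exactly five lines were added and no closing `')` among them. Unless this rendering lost a line, the tunable argument is never terminated (m4 should fail with an unbalanced argument at end of file), and even if it balanced, the clamav/cyrus access would depend on a Samba tunable instead of on the clamav and cyrus modules being present. Fix by closing the tunable with `')` directly after `fs_manage_cifs_symlinks(procmail_t)` and opening `optional_policy(`` after a blank line, so the existing context `')` then closes the optional block. Since clamav_domtrans_clamscan makes procmail launch clamscan in its own domain, a one-line comment naming the mail-filter setup that needs it would also help the next reader.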
@@ -56059,7 +56116,7 @@ index cda37bb..617e83f 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..372f918 100644
+index b1468ed..4f18830 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -56210,7 +56267,7 @@ index b1468ed..372f918 100644
fs_list_rpc(gssd_t)
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
-+fs_search_nfsd_fs(gssd_t)
++fs_read_nfsd_files(gssd_t)
fs_list_inotifyfs(gssd_t)
files_list_tmp(gssd_t)
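Review bot: The new `fs_read_nfsd_files(gssd_t)` replaces the narrower `fs_search_nfsd_fs(gssd_t)` without recording why; the changelog ties it to rpc.svcgssd reading supported_krb5_enctype, so a comment such as `# rpc.svcgssd reads supported_krb5_enctype under the nfsd filesystem` would keep the reason next to the rule (the name comes from the changelog, not the hunk — confirm the exact file). If the read interface does not itself grant search on the nfsd mount point, the dropped search interface is still needed; check the interface body before relying on the replacement alone. The gssd_t section starts and ends outside the hunk.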
@@ -58422,7 +58479,7 @@ index 275f9fb..2a0e198 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..e666122 100644
+index 3d8d1b3..8cd0c85 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@@ -58449,7 +58506,7 @@ index 3d8d1b3..e666122 100644
allow snmpd_t self:tcp_socket create_stream_socket_perms;
allow snmpd_t self:udp_socket connected_stream_socket_perms;
-@@ -41,18 +43,18 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+@@ -41,18 +43,19 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
@@ -58465,14 +58522,15 @@ index 3d8d1b3..e666122 100644
kernel_read_kernel_sysctls(snmpd_t)
kernel_read_fs_sysctls(snmpd_t)
kernel_read_net_sysctls(snmpd_t)
- kernel_read_proc_symlinks(snmpd_t)
+-kernel_read_proc_symlinks(snmpd_t)
-kernel_read_system_state(snmpd_t)
--kernel_read_network_state(snmpd_t)
+ kernel_read_network_state(snmpd_t)
++kernel_read_proc_symlinks(snmpd_t)
+kernel_read_all_proc(snmpd_t)
corecmd_exec_bin(snmpd_t)
corecmd_exec_shell(snmpd_t)
-@@ -94,15 +96,19 @@ files_search_home(snmpd_t)
+@@ -94,15 +97,19 @@ files_search_home(snmpd_t)
fs_getattr_all_dirs(snmpd_t)
fs_getattr_all_fs(snmpd_t)
fs_search_auto_mountpoints(snmpd_t)
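Review bot: The hunk removes `kernel_read_proc_symlinks(snmpd_t)` at the top and re-adds it after kernel_read_network_state with no functional change, which only makes this patch-on-patch harder to read; leave it in place and change just the lines that differ. The rule the release actually needs, per the changelog entry on dev_snmp6, is `kernel_read_network_state(snmpd_t)` being kept, and that deserves a comment such as `# reads /proc/net/dev_snmp6` so a later cleanup does not drop it again. Whether `kernel_read_all_proc(snmpd_t)` already covers proc_net_t depends on the interface body, which is not shown; if it does the explicit line is redundant but harmless, and if it does not, kernel_read_all_proc is a broad grant for a daemon that listens on the network and is worth a comment of its own. The snmpd_t section starts and ends outside the hunk.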
@@ -58493,7 +58551,7 @@ index 3d8d1b3..e666122 100644
logging_send_syslog_msg(snmpd_t)
-@@ -115,7 +121,7 @@ sysnet_read_config(snmpd_t)
+@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t)
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
userdom_dontaudit_search_user_home_dirs(snmpd_t)
@@ -66497,7 +66555,7 @@ index 21ae664..3e448dd 100644
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
+')
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
-index 9fb4747..6e2c42a 100644
+index 9fb4747..92c156b 100644
--- a/policy/modules/services/zarafa.te
+++ b/policy/modules/services/zarafa.te
@@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
@@ -66511,16 +66569,7 @@ index 9fb4747..6e2c42a 100644
zarafa_domain_template(monitor)
zarafa_domain_template(server)
-@@ -41,6 +45,8 @@ manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t
- manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
- files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
-
-+dev_read_rand(zarafa_deliver_t)
-+
- ########################################
- #
- # zarafa_gateway local policy
-@@ -57,6 +63,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+@@ -57,6 +61,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
corenet_tcp_bind_generic_node(zarafa_gateway_t)
corenet_tcp_bind_pop_port(zarafa_gateway_t)
@@ -66541,7 +66590,7 @@ index 9fb4747..6e2c42a 100644
#######################################
#
# zarafa-ical local policy
-@@ -107,7 +127,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
+@@ -107,7 +125,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
files_read_usr_files(zarafa_server_t)
@@ -66549,22 +66598,16 @@ index 9fb4747..6e2c42a 100644
logging_send_audit_msgs(zarafa_server_t)
sysnet_dns_name_resolve(zarafa_server_t)
-@@ -136,6 +155,36 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
- corenet_tcp_sendrecv_all_ports(zarafa_spooler_t)
- corenet_tcp_connect_smtp_port(zarafa_spooler_t)
+@@ -138,6 +155,32 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t)
-+dev_read_rand(zarafa_spooler_t)
-+
-+########################################
-+#
+ ########################################
+ #
+# zarafa_gateway local policy
+#
+
+allow zarafa_gateway_t self:capability { chown kill };
+allow zarafa_gateway_t self:process setrlimit;
+
-+dev_read_rand(zarafa_gateway_t)
-+
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
+
+#######################################
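Review bot: The new side now carries two `# zarafa_gateway local policy` sections: the original one containing `corenet_tcp_bind_pop_port(zarafa_gateway_t)` (visible as context in the earlier hunk) and the block added after the spooler rules that repeats the same `corenet_tcp_bind_pop_port(zarafa_gateway_t)` line next to `allow zarafa_gateway_t self:capability { chown kill };` and `allow zarafa_gateway_t self:process setrlimit;`. checkpolicy accepts duplicate allow rules, but the second section is easy to overlook and the pop-port bind is granted twice. Move the capability and setrlimit rules into the existing gateway section and drop the duplicated header and bind line. The `kill` capability bypasses the DAC owner check when signalling other users' processes, so a comment naming why the gateway needs it would help. These sections start and end outside the hunk.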
@@ -66583,10 +66626,19 @@ index 9fb4747..6e2c42a 100644
+
+allow zarafa_monitor_t self:capability chown;
+
- ########################################
- #
++########################################
++#
# zarafa domains local policy
-@@ -156,6 +205,6 @@ kernel_read_system_state(zarafa_domain)
+ #
+
+@@ -152,10 +195,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
+
+ read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
+
++dev_read_rand(zarafa_domain)
++dev_read_urand(zarafa_domain)
++
+ kernel_read_system_state(zarafa_domain)
files_read_etc_files(zarafa_domain)
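Review bot: `dev_read_rand(zarafa_domain)` and `dev_read_urand(zarafa_domain)` are added to the attribute without a why-comment; the per-domain dev_read_rand lines for deliver, spooler and gateway were dropped in favour of this, so the grant now also reaches the other domains the template creates (monitor and server are visible above). Reading the random devices is low-risk, but a comment such as `# every zarafa daemon reads /dev/random and /dev/urandom; presumably for TLS/session-key setup — confirm` keeps the rationale with the rule. The zarafa_domain section starts and ends outside the hunk.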
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 58ec662..a727853 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 69%{?dist}
+Release: 70%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Jan 3 2012 Miroslav Grepl 3.10.0-70
+- Allow systemctl running as logrotate_t to connect to private systemd socket
+- Allow tmpwatch to read meminfo
+- Allow rpc.svcgssd to read supported_krb5_enctype
+- Allow zarafa domains to read /dev/random and /dev/urandom
+- Allow snmpd to read dev_snmp6
+- Allow procmail to talk with cyrus
+- Add fixes for check_disk and check_nagios plugins
+
* Sun Dec 25 2011 Miroslav Grepl 3.10.0-69
- Fix bug in the boinc policy