##
## Allow the specified domain to
@@ -19125,7 +19158,7 @@ index 97fcdac..e5652a1 100644
## Example attributes:
##
##
-@@ -4866,3 +5162,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5181,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -30696,10 +30729,10 @@ index 0000000..ed13d1e
+
diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
new file mode 100644
-index 0000000..2ee2be0
+index 0000000..e4d7098
--- /dev/null
+++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,79 @@
+policy_module(collectd, 1.0.0)
+
+########################################
@@ -30773,12 +30806,14 @@ index 0000000..2ee2be0
+
+optional_policy(`
+ apache_content_template(collectd)
-+
++
++ read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
++ list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
+')
+
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..29aa481 100644
+index 74505cc..3824f02 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -23,6 +23,7 @@ files_type(colord_var_lib_t)
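Review bot: The two new pattern lines give httpd_collectd_script_t read and list access on collectd_var_lib_t, but nothing in the hunk grants search on the parent var_lib_t directory, so the script domain may still be unable to traverse to the collectd lib directory unless apache_content_template already provides that. If it does not, add `files_search_var_lib(httpd_collectd_script_t)` next to the two pattern calls, which is what refpolicy's own *_read_lib_files interfaces do. The optional_policy block these lines sit in starts before the hunk.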
@@ -30813,7 +30848,7 @@ index 74505cc..29aa481 100644
dev_read_video_dev(colord_t)
dev_write_video_dev(colord_t)
dev_rw_printer(colord_t)
-@@ -65,19 +73,29 @@ files_list_mnt(colord_t)
+@@ -65,19 +73,30 @@ files_list_mnt(colord_t)
files_read_etc_files(colord_t)
files_read_usr_files(colord_t)
@@ -30832,6 +30867,7 @@ index 74505cc..29aa481 100644
miscfiles_read_localization(colord_t)
-sysnet_dns_name_resolve(colord_t)
++fs_getattr_tmpfs(colord_t)
+userdom_rw_user_tmpfs_files(colord_t)
tunable_policy(`use_nfs_home_dirs',`
@@ -30844,7 +30880,7 @@ index 74505cc..29aa481 100644
fs_read_cifs_files(colord_t)
')
-@@ -89,6 +107,10 @@ optional_policy(`
+@@ -89,6 +108,10 @@ optional_policy(`
')
optional_policy(`
@@ -30855,7 +30891,7 @@ index 74505cc..29aa481 100644
policykit_dbus_chat(colord_t)
policykit_domtrans_auth(colord_t)
policykit_read_lib(colord_t)
-@@ -96,5 +118,16 @@ optional_policy(`
+@@ -96,5 +119,16 @@ optional_policy(`
')
optional_policy(`
@@ -33272,7 +33308,7 @@ index 81eba14..d0ab56c 100644
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 1a1becd..843d5fd 100644
+index 1a1becd..0aa5aaf 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -33297,7 +33333,7 @@ index 1a1becd..843d5fd 100644
ubac_constrained($1_dbusd_t)
role $2 types $1_dbusd_t;
-@@ -62,107 +61,26 @@ template(`dbus_role_template',`
+@@ -62,106 +61,31 @@ template(`dbus_role_template',`
# Local policy
#
@@ -33403,16 +33439,19 @@ index 1a1becd..843d5fd 100644
- optional_policy(`
- hal_dbus_chat($1_dbusd_t)
- ')
--
++ auth_use_nsswitch($1_dbusd_t)
+
- optional_policy(`
- xserver_use_xdm_fds($1_dbusd_t)
- xserver_rw_xdm_pipes($1_dbusd_t)
-- ')
-+ auth_use_nsswitch($1_dbusd_t)
++ tunable_policy(`use_fusefs_home_dirs',`
++ fs_manage_fusefs_dirs($1_dbusd_t)
++ fs_manage_fusefs_files($1_dbusd_t)
++ fs_manage_fusefs_symlinks($1_dbusd_t)
+ ')
')
- #######################################
-@@ -181,11 +99,12 @@ interface(`dbus_system_bus_client',`
+@@ -181,11 +105,12 @@ interface(`dbus_system_bus_client',`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
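Review bot: The new use_fusefs_home_dirs block gives $1_dbusd_t the fs_manage_fusefs_* interfaces, i.e. create, write and unlink on every FUSE-mounted file the session bus can reach, and carries no comment saying why the bus needs more than read access. If the requirement is only to read service or configuration files under a FUSE-mounted home, the read-side interfaces (fs_read_fusefs_files, fs_read_fusefs_symlinks) would be the narrower choice; if write really is needed, a line such as `# session bus must create and remove files in FUSE-mounted home dirs` above the tunable_policy would let the next reader judge the grant. The dbus_role_template body this sits in starts before the hunk.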
@@ -33426,7 +33465,7 @@ index 1a1becd..843d5fd 100644
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
-@@ -198,6 +117,34 @@ interface(`dbus_system_bus_client',`
+@@ -198,6 +123,34 @@ interface(`dbus_system_bus_client',`
#######################################
##
@@ -33461,7 +33500,7 @@ index 1a1becd..843d5fd 100644
## Template for creating connections to
## a user DBUS.
##
-@@ -218,6 +165,8 @@ interface(`dbus_session_bus_client',`
+@@ -218,6 +171,8 @@ interface(`dbus_session_bus_client',`
# For connecting to the bus
allow $1 session_bus_type:unix_stream_socket connectto;
@@ -33470,7 +33509,7 @@ index 1a1becd..843d5fd 100644
')
########################################
-@@ -322,6 +271,11 @@ interface(`dbus_connect_session_bus',`
+@@ -322,6 +277,11 @@ interface(`dbus_connect_session_bus',`
## Allow a application domain to be started
## by the session dbus.
##
@@ -33482,7 +33521,7 @@ index 1a1becd..843d5fd 100644
##
##
## Type to be used as a domain.
-@@ -336,13 +290,13 @@ interface(`dbus_connect_session_bus',`
+@@ -336,13 +296,13 @@ interface(`dbus_connect_session_bus',`
#
interface(`dbus_session_domain',`
gen_require(`
@@ -33500,7 +33539,7 @@ index 1a1becd..843d5fd 100644
')
########################################
-@@ -421,27 +375,16 @@ interface(`dbus_system_bus_unconfined',`
+@@ -421,27 +381,16 @@ interface(`dbus_system_bus_unconfined',`
#
interface(`dbus_system_domain',`
gen_require(`
@@ -33530,7 +33569,7 @@ index 1a1becd..843d5fd 100644
')
########################################
-@@ -464,26 +407,25 @@ interface(`dbus_use_system_bus_fds',`
+@@ -464,26 +413,25 @@ interface(`dbus_use_system_bus_fds',`
########################################
##
@@ -33563,7 +33602,7 @@ index 1a1becd..843d5fd 100644
##
##
##
-@@ -491,10 +433,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -491,10 +439,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
##
##
#
@@ -57061,10 +57100,10 @@ index 0000000..486d53d
+')
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
new file mode 100644
-index 0000000..0c1e385
+index 0000000..96adff5
--- /dev/null
+++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,100 @@
+policy_module(sanlock,1.0.0)
+
+########################################
@@ -57072,6 +57111,20 @@ index 0000000..0c1e385
+# Declarations
+#
+
++##
++##
++## Allow confined virtual guests to manage nfs files
++##
++##
++gen_tunable(sanlock_use_nfs, false)
++
++##
++##
++## Allow confined virtual guests to manage cifs files
++##
++##
++gen_tunable(sanlock_use_samba, false)
++
+type sanlock_t;
+type sanlock_exec_t;
+init_daemon_domain(sanlock_t, sanlock_exec_t)
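Review bot: The descriptions of the two new tunables at the top of this hunk read "Allow confined virtual guests to manage nfs files" and "... cifs files", but the booleans are sanlock_use_nfs and sanlock_use_samba and, per the later hunk in this file section, they gate sanlock_t rather than virtual guests; the wording looks carried over from the virt tunables. Change them to `## Allow sanlock to manage nfs files` and `## Allow sanlock to manage cifs files` so tools that display boolean descriptions name the right domain.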
@@ -57128,6 +57181,20 @@ index 0000000..0c1e385
+
+miscfiles_read_localization(sanlock_t)
+
++tunable_policy(`sanlock_use_nfs',`
++ fs_manage_nfs_dirs(sanlock_t)
++ fs_manage_nfs_files(sanlock_t)
++ fs_manage_nfs_named_sockets(sanlock_t)
++ fs_read_nfs_symlinks(sanlock_t)
++')
++
++tunable_policy(`sanlock_use_samba',`
++ fs_manage_cifs_dirs(sanlock_t)
++ fs_manage_cifs_files(sanlock_t)
++ fs_manage_cifs_named_sockets(sanlock_t)
++ fs_read_cifs_symlinks(sanlock_t)
++')
++
+optional_policy(`
+ wdmd_stream_connect(sanlock_t)
+')
@@ -57877,7 +57944,7 @@ index 623c8fa..0a802f7 100644
/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
-index 275f9fb..4f4a192 100644
+index 275f9fb..2a0e198 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -11,12 +11,12 @@
@@ -57897,7 +57964,33 @@ index 275f9fb..4f4a192 100644
')
########################################
-@@ -62,6 +62,7 @@ interface(`snmp_read_snmp_var_lib_files',`
+@@ -47,6 +47,25 @@ interface(`snmp_udp_chat',`
+ refpolicywarn(`$0($*) has been deprecated.')
+ ')
+
++#######################################
++##
++## Allow caller domain to read snmpd libraries dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`snmp_read_snmp_var_lib_dirs',`
++ gen_require(`
++ type snmpd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 snmpd_var_lib_t:dir list_dir_perms;
++')
++
+ ########################################
+ ##
+ ## Read snmpd libraries.
+@@ -62,6 +81,7 @@ interface(`snmp_read_snmp_var_lib_files',`
type snmpd_var_lib_t;
')
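Review bot: The new interface snmp_read_snmp_var_lib_dirs grants only `allow $1 snmpd_var_lib_t:dir list_dir_perms;` plus search of var_lib, which under refpolicy naming is a list_ interface rather than a read_ one; snmp_list_snmp_var_lib_dirs would match the convention and would not suggest that file contents are readable. The only visible caller is the zabbix.te hunk later on this page, so a rename would need to update that call as well. Whichever name is kept, the summary line could state the actual permission: `## Allow caller domain to list snmpd library directories.`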
@@ -57905,7 +57998,7 @@ index 275f9fb..4f4a192 100644
allow $1 snmpd_var_lib_t:dir list_dir_perms;
read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
-@@ -69,6 +70,45 @@ interface(`snmp_read_snmp_var_lib_files',`
+@@ -69,6 +89,45 @@ interface(`snmp_read_snmp_var_lib_files',`
########################################
##
@@ -57951,7 +58044,7 @@ index 275f9fb..4f4a192 100644
## dontaudit Read snmpd libraries.
##
##
-@@ -81,9 +121,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
+@@ -81,9 +140,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
gen_require(`
type snmpd_var_lib_t;
')
@@ -57963,7 +58056,7 @@ index 275f9fb..4f4a192 100644
')
########################################
-@@ -123,12 +164,11 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
+@@ -123,12 +183,11 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
#
interface(`snmp_admin',`
gen_require(`
@@ -65824,10 +65917,21 @@ index c9981d1..11013a6 100644
corenet_sendrecv_zabbix_agent_client_packets($1)
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
-index 7f88f5f..bd6493d 100644
+index 7f88f5f..5f1e19c 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
-@@ -36,16 +36,17 @@ files_pid_file(zabbix_var_run_t)
+@@ -23,6 +23,10 @@ init_script_file(zabbix_agent_initrc_exec_t)
+ type zabbix_log_t;
+ logging_log_file(zabbix_log_t)
+
++# tmp files
++type zabbix_tmp_t;
++files_tmp_file(zabbix_tmp_t)
++
+ # shared memory
+ type zabbix_tmpfs_t;
+ files_tmpfs_file(zabbix_tmpfs_t)
+@@ -36,19 +40,25 @@ files_pid_file(zabbix_var_run_t)
# zabbix local policy
#
@@ -65849,22 +65953,64 @@ index 7f88f5f..bd6493d 100644
manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
logging_log_filetrans(zabbix_t, zabbix_log_t, file)
-@@ -58,11 +59,15 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
++# tmp files
++manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
++manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
++files_tmp_filetrans(zabbix_t, zabbix_tmp_t, { dir file })
++
+ # shared memory
+ rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+ fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
+@@ -58,14 +68,25 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
++kernel_read_system_state(zabbix_t)
+kernel_read_kernel_sysctls(zabbix_t)
+
++corecmd_exec_bin(zabbix_t)
++corecmd_exec_shell(zabbix_t)
++
corenet_tcp_bind_generic_node(zabbix_t)
corenet_tcp_bind_zabbix_port(zabbix_t)
++#needed by zabbix-server-mysql
++corenet_tcp_connect_http_port(zabbix_t)
++
++dev_read_urand(zabbix_t)
files_read_etc_files(zabbix_t)
++files_read_usr_files(zabbix_t)
+-miscfiles_read_localization(zabbix_t)
+auth_use_nsswitch(zabbix_t)
+
+-sysnet_dns_name_resolve(zabbix_t)
++miscfiles_read_localization(zabbix_t)
+
+ zabbix_agent_tcp_connect(zabbix_t)
+
+@@ -74,9 +95,21 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ netutils_domtrans_ping(zabbix_t)
++')
+
- miscfiles_read_localization(zabbix_t)
++optional_policy(`
+ postgresql_stream_connect(zabbix_t)
+ ')
- sysnet_dns_name_resolve(zabbix_t)
++optional_policy(`
++ snmp_read_snmp_var_lib_dirs(zabbix_t)
++')
++
++optional_policy(`
++ sysnet_dns_name_resolve(zabbix_t)
++')
++
+ ########################################
+ #
+ # zabbix agent local policy
diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
index 3defaa1..2ad2488 100644
--- a/policy/modules/services/zarafa.fc
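Review bot: sysnet_dns_name_resolve(zabbix_t) is removed from the unconditional rules and re-added inside a bare optional_policy block at the end of the hunk, while auth_use_nsswitch(zabbix_t) is added a few lines above; in refpolicy auth_use_nsswitch already pulls in DNS name resolution, so the re-added block is likely redundant, and sysnet is a base module that does not need an optional_policy wrapper. Unless auth_use_nsswitch in this tree differs, drop the trailing `optional_policy(` ... `)` around sysnet_dns_name_resolve. Separately, `#needed by zabbix-server-mysql` should be written `# needed by zabbix-server-mysql` to match the file's comment style, and it would help to say what the http-port connection is used for.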
@@ -68112,7 +68258,7 @@ index 94fd8dd..f2689e3 100644
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..49a7fbd 100644
+index 29a9565..7d9e51c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -68312,7 +68458,8 @@ index 29a9565..49a7fbd 100644
+storage_raw_rw_fixed_disk(init_t)
+
-+optional_policy(`
+ optional_policy(`
+- auth_rw_login_records(init_t)
+ modutils_domtrans_insmod(init_t)
+')
+
@@ -68422,8 +68569,7 @@ index 29a9565..49a7fbd 100644
+ lvm_rw_pipes(init_t)
+')
+
- optional_policy(`
-- auth_rw_login_records(init_t)
++optional_policy(`
+ consolekit_manage_log(init_t)
')
@@ -68431,18 +68577,18 @@ index 29a9565..49a7fbd 100644
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(init_t)
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(init_t)
++')
++
++optional_policy(`
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
')
@@ -69006,7 +69152,7 @@ index 29a9565..49a7fbd 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1248,160 @@ optional_policy(`
+@@ -854,3 +1248,157 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -69064,7 +69210,7 @@ index 29a9565..49a7fbd 100644
+ allow daemon init_t:unix_dgram_socket sendto;
+ # need write to /var/run/systemd/notify
+ init_write_pid_socket(daemon)
-+ dontaudit daemon init_t:unix_stream_socket { read ioctl getattr };
++ allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
+')
+
+# daemons started from init will
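Review bot: The dontaudit on daemon→init_t:unix_stream_socket is turned into `allow daemon init_t:unix_stream_socket { append write read getattr ioctl };`, which applies to any init_t stream socket a daemon holds, not only the stdio descriptors the changelog describes; what keeps it narrow is that the set omits connectto and create, so a daemon can only use a descriptor it inherited, and that reasoning should be recorded, e.g. `# stdio may be an init_t stream socket; no connectto, so only inherited fds are usable`. The same replacement is made for systemprocess inside the init_systemd tunable in the following hunk and should carry the same comment. The block enclosing these lines starts before the hunk.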
@@ -69101,16 +69247,13 @@ index 29a9565..49a7fbd 100644
+allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+allow systemprocess initrc_transition_domain:fd use;
+
-+dontaudit systemprocess init_t:unix_stream_socket getattr;
-+
-+
+tunable_policy(`init_systemd',`
+ # Handle upstart/systemd direct transition to a executable
+ allow init_t systemprocess:process { dyntransition siginh };
+ allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
+ allow init_t systemprocess:unix_dgram_socket create_socket_perms;
+ allow systemprocess init_t:unix_dgram_socket sendto;
-+ dontaudit systemprocess init_t:unix_stream_socket { read getattr ioctl };
++ allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
+')
+
+ifdef(`hide_broken_symptoms',`
@@ -70148,9 +70291,9 @@ index 808ba93..4ff705d 100644
+ ')
+
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
-+ #files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
-+ #files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
+')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index e5836d3..eae9427 100644
@@ -71950,7 +72093,7 @@ index 8b5c196..da41726 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..4930474 100644
+index 15832c7..bb2ac39 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,17 +17,29 @@ type mount_exec_t;
@@ -71993,8 +72136,8 @@ index 15832c7..4930474 100644
# setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
-+allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
-+allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal };
++allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin sys_nice dac_override dac_read_search chown sys_tty_config setuid setgid };
++allow mount_t self:process { getcap getsched setsched ptrace setcap setrlimit signal };
+allow mount_t self:fifo_file rw_fifo_file_perms;
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
+allow mount_t self:unix_dgram_socket create_socket_perms;
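Review bot: sys_nice is added to mount_t's capability set and setsched to its process permissions without a comment, whereas the line above them records why setuid/setgid are needed; the reason for these two is not visible here. Add a rationale in the same style, e.g. `# sys_nice/setsched: needed by <mount helper — confirm>`, filling in the helper once it is known. The changelog on this page only mentions reading process state for gluster mounts, so that may or may not be the trigger.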
@@ -72051,7 +72194,7 @@ index 15832c7..4930474 100644
dev_dontaudit_rw_generic_chr_files(mount_t)
domain_use_interactive_fds(mount_t)
-+domain_dontaudit_search_all_domains_state(mount_t)
++domain_read_all_domains_state(mount_t)
files_search_all(mount_t)
files_read_etc_files(mount_t)
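Review bot: domain_dontaudit_search_all_domains_state(mount_t) becomes domain_read_all_domains_state(mount_t), which lets mount read the /proc state of every domain on the system instead of merely silencing a search denial; the changelog ties this to gluster mounts, but the rule itself carries no such note. Add `# needed to mount gluster file systems` above the call so a later reader knows the scope it was granted for, and consider whether a grant limited to the gluster daemon's domain, if this tree has one, would satisfy the same need. The mount_t rule block continues on both sides of the hunk.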
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cf6329d..40f4ad3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 57%{?dist}
+Release: 58%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Nov 21 2011 Miroslav Grepl 3.10.0-58
+- Allow mcelog_t to create dir and file in /var/run and label it correctly
+- Allow dbus to manage fusefs
+- Mount needs to read process state when mounting gluster file systems
+- Allow collectd-web to read collectd lib files
+- Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr
+- Allow colord to get the attributes of tmpfs filesystem
+- Add sanlock_use_nfs and sanlock_use_samba booleans
+- Add bin_t label for /usr/lib/virtualbox/VBoxManage
+
* Thu Nov 16 2011 Miroslav Grepl 3.10.0-57
- We need to treat port_t and unreserved_port_t as generic_port types