--##
+##
+##
+## Domain allowed access.
@@ -56195,11 +56286,10 @@ index 28b88de..8e51296 100644
+## user home directory.
+##
+##
-+##
+ ##
## Do a domain transition to the specified
## domain when executing a program in the
- ## user home directory.
-@@ -1589,6 +1932,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1934,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -56208,7 +56298,7 @@ index 28b88de..8e51296 100644
')
########################################
-@@ -1603,10 +1948,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1950,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -56223,7 +56313,7 @@ index 28b88de..8e51296 100644
')
########################################
-@@ -1649,6 +1996,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1998,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
##
@@ -56249,7 +56339,7 @@ index 28b88de..8e51296 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1700,12 +2066,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2068,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -56282,7 +56372,7 @@ index 28b88de..8e51296 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1716,11 +2102,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2104,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -56300,7 +56390,7 @@ index 28b88de..8e51296 100644
')
########################################
-@@ -1810,8 +2199,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2201,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -56310,7 +56400,7 @@ index 28b88de..8e51296 100644
')
########################################
-@@ -1827,20 +2215,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2217,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -56324,18 +56414,19 @@ index 28b88de..8e51296 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
##
-@@ -2182,7 +2564,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+ ## Do not audit attempts to execute user home files.
+@@ -2182,7 +2566,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
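Review bot: The new `dontaudit $1 user_home_type:sock_file execute;` rule in userdom_exec_user_home_content_files carries no comment saying which denial it exists to silence, and a dontaudit hides exactly the events an analyst would want to see when an execute attempt on a socket file is unexpected; a one-line comment above it, e.g. `# silence execute attempts on sockets under home content; this grants nothing`, would let a later reviewer judge whether it is still needed. The accompanying `exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)` grants execute across the whole user_home_type attribute, where the removed lines gated the NFS and CIFS cases behind `use_nfs_home_dirs` and `use_samba_home_dirs`; if those filesystem types carry that attribute the tunable gating is presumably gone, which deserves a sentence in the patch description. The interface's opening line and the rest of its body lie in the preceding hunk, and the outer change is a refresh of an embedded patch, so the inner `+`/`-` markers rather than the outer ones describe the policy change.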
@@ -56344,7 +56435,7 @@ index 28b88de..8e51296 100644
')
########################################
-@@ -2435,13 +2817,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2819,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -56360,7 +56451,7 @@ index 28b88de..8e51296 100644
##
##
##
-@@ -2462,26 +2845,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2847,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -56387,7 +56478,7 @@ index 28b88de..8e51296 100644
## Get the attributes of a user domain tty.
##
##
-@@ -2815,7 +3178,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3180,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -56396,7 +56487,7 @@ index 28b88de..8e51296 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3194,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3196,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -56412,7 +56503,7 @@ index 28b88de..8e51296 100644
')
########################################
-@@ -2917,7 +3282,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3284,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -56421,7 +56512,7 @@ index 28b88de..8e51296 100644
')
########################################
-@@ -2972,7 +3337,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3339,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -56468,7 +56559,7 @@ index 28b88de..8e51296 100644
')
########################################
-@@ -3009,6 +3412,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3414,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -56476,7 +56567,7 @@ index 28b88de..8e51296 100644
kernel_search_proc($1)
')
-@@ -3087,6 +3491,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3493,24 @@ interface(`userdom_signal_all_users',`
########################################
##
@@ -56501,7 +56592,7 @@ index 28b88de..8e51296 100644
## Send a SIGCHLD signal to all user domains.
##
##
-@@ -3139,3 +3561,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3563,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f317cd8..8bafbd8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 11%{?dist}
+Release: 12%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,16 @@ exit 0
%endif
%changelog
+* Mon Apr 4 2011 Miroslav Grepl 3.9.16-12
+- Add /var/run/lock /var/lock definition to file_contexts.subs
+- nslcd_t is looking for kerberos cc files
+- SSH_USE_STRONG_RNG is 1 which requires /dev/random
+- Fix auth_rw_faillog definition
+- Allow sysadm_t to set attributes on fixed disks
+- allow user domains to execute lsof and look at application sockets
+- prelink_cron job calls telinit -u if init is rewritten
+- Fixes to run qemu_t from staff_t
+
* Sat Apr 2 2011 Miroslav Grepl 3.9.16-11
- Fix label for /var/run/udev to udev_var_run_t