This is the Changelog for the old refpolicy-contrib submodule. This submodule was removed and its contents moved back to the main Reference Policy repository on 2018-23-06.

* Sun Jan 14 2018 Chris PeBenito - 2.20180114
Chad Hanson (1):
      Allow rpm to relabel files at all levels

Chris PeBenito (46):
      Remove deprecated interfaces more than one year old.
      Remove complement and wildcard in allow rules.
      Merge branch 'master' of git://github.com/teg/refpolicy-contrib
      dbus: Module version bump for dbus-broker patch from Tom Gundersen.
      Module version bump for patches from Guido Trentalancia.
      Module version bumps for patches from David Sugar.
      dhcp, logrotate: Module version bump.
      Module version bumps for chkrootkit, dkim, dmidecode, portage, and rkhunter.
      Module version bumps.
      spamassassin: Move lines.
      mandb, spamassassin: Module version bumps.
      spamassassin: Fix build error.
      spamassassin: Add missing requirement in spamassassin_admin().
      dphysswapfile: Module version bump.
      gpg, pulseaudio, rpc: Module version bump.
      dnsmasq, gnome, mon, mta, openoffice, pulseaudio, wm: Version bumps.
      Revert "postfix: Some table drivers (notably cdb) need to mmap() their databases"
      java, mozilla, mta, postfix: Module version bump.
      portage: Fix usr_t map interface usage.
      apache, portage: Module version bump.
      dbus, policykit, wm: Module version bump.
      dbus: Add comment.
      Merge branch 'nm_audit' of git://github.com/bigon/refpolicy-contrib
      networkmanager: Module version bump.
      virt: Move a line.
      alsa, mon, virt: Module version bump.
      gpg, mozilla, rpc: Module version bump.
      Several module version bumps.
      blueman, evolution, gpg, mozilla, openoffice, thunderbird, wireshark, wm: Module version bump.
      wm: Module version bump.
      networkmanager: Move line.
      networkmanager: Module version bump.
      Merge branch 'pkcs' of https://github.com/dodys/refpolicy-contrib
      pkcs: Rename pkcs_slotd_unit_file_t.
      pkcs: Module version bump.
      accountsd, policykit: Module version bump.
      dbus, devicekit, modemmanager, networkmanager, virt: Module version bump.
      modemmanager: Move lines.
      rpm: Module version bump.
      cachefilesd, dbus, dirmngr, gnome, gpg, pulseaudio: Module version bump.
      Replace deprecated mmap perm sets and pattern usage.
      gssproxy: Module version bump.
      monit: Module version bump.
      apache, dkim, monit: Module version bump.
      spamassassin: Module version bump.
      Bump module versions for release.

Christian Göttsche (20):
      dkim: align filecontexts
      dkim: update
      milter: align filecontexts
      apache: align filecontexts
      dmidecode: use userdom_use_inherited_user_terminals
      spamassassin: align filecontexts
      chkrootkit: update
      rkhunter: add several missing permission
      fakehwclock: update
      milter: update
      mandb: fixes for systemd timer and /usr/local/man label
      spamassassin: update
      dphysswapfile: fix swapfile creation
      apache: update
      monit: update
      dkim: align file contexts
      dkim: update
      apache: update
      monit: read /usr/share/ca-certificates for cert verification
      spamassassin: fix missing perms

Daniel Jurgens (1):
      networkmanager: Grant access to unlabeled PKeys

David Sugar (5):
      mon: move rpc_* into optional
      wm: consolidate networkmanger interface calls into single optional
      cron: optional_policy for mta_* interfaces
      Label /usr/bin/mutter
      Allow to read /proc/sys/crypto/fips_enabled

Eduardo Barretto (2):
      Update pkcs policy to include pkccsslotd.service
      Update missing permissions for pkcs

Guido Trentalancia (13):
      libmtp: read symlinks in user home directories
      spamassassin: update rules for the Bayesian classifier trainer
      wm: let gnome-shell start properly
      gnome: keyring daemon dbus policy update
      gnome: keyring daemon read SELinux config
      openoffice: improve temporary directories' operations
      pulseaudio: general update
      wm: gnome-shell SELinux integration
      mozilla: run Java Web Start applications
      wm: run PolicyKit
      dbus: read user home content files
      mozilla: read generic SSL certificates
      contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates")

Jason Zaman (12):
      cgmanager: Apply auth_use_nsswitch interface
      alsa: needs to map its tmpfs files
      virt: add policy for virtlogd
      virt: updated perms for starting guests
      gssproxy: add policy
      rpc: Allow stream connect to gssproxy
      gpg: search dir when connecting to agent socket
      dirmngr: allow filetrans in gpg_runtime_t
      gpg: Add gpg_agent_use_card boolean for OpenPGP cards
      cachefilesd: make cachefilesd_cache_t a mountpoint
      Set user_runtime_content_type for all remaining types in /run/user/%{UID}/
      gssproxy: allow writing kerberos rcache

Jason Zaman via refpolicy (3):
      pulseaudio: Add neccessary map permissions
      gpg: add fcontexts for user runtime sockets
      rpc: add sm-notify pid fcontext

Laurent Bigonville (2):
      Allow NetworkManager to write to audit
      Call systemd_write_inherited_logind_inhibit_pipes() where needed

Luis Ressel (12):
      portage: Allow portage_t and portage_sandbox_t to access locale_t
      postfix: Some table drivers (notably cdb) need to mmap() their databases
      portage: Grant the map permissions neccessary for git and install
      alsa: alsactl needs to map its configuration
      mozilla: Add neccessary map permissions
      mandb: man-db needs to map its 'index.db' cache
      portage: Remove nonsensical dontaudit of an allowed permission
      portage: Transition to ldconfig_t when calling ldconfig
      postfix: Some table drivers (notably cdb) need to mmap() their databases
      postfix: Silence cap_dac_read_search denials
      portage: Grant portage the map permission on usr_t
      Allow gtk apps to map usr_t files

Nicolas Iooss (2):
      dbus: move comments out of the file context definitions
      logrotate: allow systemd to start logrotate

Russell Coker (3):
      udev and dhcpd
      minor nspawn, dnsmasq, and mon patches
      refpolicy and certs

Tom Gundersen (1):
      dbus: add policy for dbus-broker

* Sat Aug 05 2017 Chris PeBenito - 2.20170805
Chris PeBenito (82):
      Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
      Module version bump for usrmerge FC fixes from Jason Zaman.
      mon policy from Russell Coker.
      Module version bump for cups patches from Guido Trentalancia.
      Module version bump for tbird and mozilla printing from Guido Trentalancia.
      Revert "cups/lpd: read permission for cupsd_var_run_t socket files"
      Module version bump for cups revert.
      Sort capabilities permissions from Russell Coker.
      Little misc patch from Russell Coker.
      mon: Fix deprecated interface usage.
      dpkg: Updates from Russell Coker.
      Monit policy from Russell Coker and cgzones.
      monit: Fix build error.
      fetchmail, mysql, tor: Misc fixes from Russell Coker.
      Merge branch 'alsa_module' of git://github.com/cgzones/refpolicy-contrib
      Merge branch 'vnstat_module' of git://github.com/cgzones/refpolicy-contrib
      Module version bump for alsa and vnstatd fixes from cgzones.
      Merge branch 'ntp_module' of git://github.com/cgzones/refpolicy-contrib
      Module version bump for ntp fixes from cgzones.
      samba: A few line moves.
      Module version bump for samba patch from Russell Coker.
      Systemd fixes from Russell Coker.
      Xen fixes from Russell Coker.
      mailman: Fixes from Russell Coker.
      MTA fixes from Russell Coker.
      Network daemon patches from Russell Coker.
      apache: Fix CI error.
      Merge branch 'modutils_adapt_interfaces' of git://github.com/cgzones/refpolicy-contrib
      Merge branch 'corecmd_read_bin_symlinks' of git://github.com/cgzones/refpolicy-contrib
      Module version bumps for fixes from cgzones.
      Merge branch 'mandb' of git://github.com/cgzones/refpolicy-contrib
      Merge branch 'dphysswapfile' of git://github.com/cgzones/refpolicy-contrib
      Module version bump for dphysswapfile and mandb fixes from cgzones.
      Merge branch 'var_run_filecontext' of git://github.com/cgzones/refpolicy-contrib
      Merge branch 'vnstatd' of git://github.com/cgzones/refpolicy-contrib
      Module version bump for fixes from cgzones.
      dontaudit net_admin for SO_SNDBUFFORCE
      /var/run -> /run again
      Merge branch 'monit' of git://github.com/cgzones/refpolicy-contrib
      Module version bump for monit patch from cgzones.
      systemd-resolvd, sessions, and tmpfiles take2
      Misc fc changes from Russell Coker.
      Systemd-related changes from Russell Coker.
      networkmanager: adjust interface docs format.
      wm: interface docs adjustment.
      Module version bump for misc fixes from Guido Trentalancia.
      systemd init from Russell Coker
      misc daemons from Russell Coker.
      logging patches from Russell Coker
      kmod, lvm, brctl patches from Russell Coker
      devicekit, mount, xserver, and selinuxutil from Russell Coker
      some userdomain patches from Russell Coker
      Module version bump for gnome fix from Guido Trentalancia.
      apache: Move blocks. No rule changes.
      Module version bump for changes from Sven Vermeulen and Guido Trentalancia.
      login take 4 from Russell Coker.
      Rename apm to acpi from Russell Coker.
      Module version bump for patches from Russell Coker.
      some little misc things from Russell Coker.
      apt/dpkg strict patches from Russell Coker.
      Module version bump for minor fixes from Guido Trentalancia.
      Merge branch 'usr_bin_fc' of git://github.com/fishilico/selinux-refpolicy-contrib
      Module version bump for /usr/bin fc fixes from Nicolas Iooss.
      Module version bump for chronyd changes from Luis Ressel.
      openoffice: Move ooffice_rw_tmp_files() implementation.
      Module version bump for openoffice fix from Guido Trentalancia.
      libmtp: move lines
      Module version bump for fixes from Guido Trentalancia.
      Module version bump for mmap fixes from Stephen Smalley.
      Module version bump for misc patches from Guido Trentalancia.
      gpg: Fix overspecified dependencies in gpg_agent_tmp_filetrans.
      dirmngr: Whitespace fixes.
      Module version bumps for patches from Jason Zaman.
      cgmanager: Move lines
      Module version bumps for patches from Jason Zaman.
      gpg: Module version bump for patch from Guido Trentalancia.
      mozilla: Module version bump for patch from Luis Ressel.
      rkhunter: Fix module version and move lines.
      Module version bump for patches from cgzones.
      chkrootkit: Fix module version.
      Module version bump for patches from cgzones.
      Bump module versions for release.

Guido Trentalancia (28):
      cups: read permission for cupsd_var_run_t socket files in cups_stream_connect()
      cups/lpd: read permission for cupsd_var_run_t socket files
      thunderbird: allow stream connections to cups so that it can print
      mozilla: allow stream connections to cups so that it can print
      java: enable interactive use
      evolution: add dbus acquire service permission
      evolution: do not audit kernel read state
      evolution: add some critical permissions
      mozilla: read hardware state information
      mozilla: add a permission
      wm: load the NetworkManager applet
      wm: interactive start
      Gnome and Evolution dbus chat permissions
      openoffice: support starting it from the window manager
      evolution: minor fixes and updates
      java: error messages terminal printout
      loadkeys: use init fds (system bootup)
      plymouth: pid interface usability
      shutdown: send msg to syslog
      openoffice: open files retrieved using mozilla
      contrib: new libmtp module
      openoffice: minor update
      gnome: improved integration with openoffice
      cups: let hplip read udev pid files
      dbus: let session bus daemon manage user runtime dirs
      zabbix: Grant zabbix_agent_t to call setrlimit on self
      ntp: fix the drift file context and transition
      gpg: manage user runtime socket files and directories

Jason Zaman (12):
      usrmerge: Add missed /usr fcontexts
      java: update fcontexts for new versions of icedtea
      dirmngr: add to roles and allow gpg to domtrans
      gpg dirmngr: create and connect to socket
      dirmngr: fcontext for ~/.gnupg/crls.d/
      dirmngr: Network rules to connect to keyserver
      cgmanager: add policy from gentoo
      consolekit: Add support for consolekit2
      consolekit: allow purging tmp
      consolekit: introduce consolekit_use_inhibit_lock interface
      dbus: use consolekit inhibit locks
      networkmanager: use consolekit inhibit locks

Luis Ressel (3):
      chronyd: Re-align fc file
      chronyd: Allow init scripts to create /run/chrony
      mozilla: Add fc for the files used by the firefox addon "vimperator"

Nicolas Iooss (1):
      Support systems with a single /usr/bin directory

Russell Coker (1):
      patch for samba

Stephen Smalley (1):
      contrib: allow map permission where needed

Sven Vermeulen (1):
      rpc_* interfaces should be wrapped by optional_policy()

cgzones (16):
      update ntp module
      update alsa module
      vnstatd: update module
      corecmd_read_bin_symlinks(): remove deprecated and redundant calls
      modutils: adopt calls to new interfaces
      vnstatd: update
      dphysswapfile: update
      monit: update
      mandb: update
      logrotate: reload monit after log rotation
      remove /var/run file context lefovers, add dbus exception
      monit: add syslog access and support for monit systemd service
      rkhunter: add policy module
      arpwatch: align file contexts
      chkrootkit: add policy module
      arpwatch: update

* Sat Feb 04 2017 Chris PeBenito - 2.20170204
Chris PeBenito (41):
      Module version bump for patches from Jason Zaman.
      authbind: Remove dead policy.
      Module version bump for cups patch from Guido Trentalancia.
      Merge pull request #29 from cgzones/deprecated_macros
      Module version bump for Debian fprintd fc entry from Laurent Bigonville.
      Module version bumps for openoffice patches from Guido Trentalancia.
      Module version bumps for patches from Guido Trentalancia.
      Merge pull request #30 from cgzones/trailing_whitespaces
      Module version bumps for mozilla and gpg patches from Luis Ressel.
      Module version bump for patches from Guido Trentalancia.
      Module version bump for patches from Guido Trentalancia.
      rtkit, wm: Remove calls to nonexistant interfaces.
      Module version bumps for patches from Guido Trentalancia.
      rtkit: enable dbus chat with xdm
      Module version bump for patches from Guido Trentalancia.
      Module version bump for xscreensaver patch from Guido Trentalancia.
      Merge branch 'run_transition' of git://github.com/cgzones/refpolicy-contrib
      Module version bumps for /run fc changes from cgzones.
      Module version bump for openoffice and wm patches from Guido Trentalancia.
      Module version bump for patches from Guido Trentalancia.
      Module version bump for wm patch from Guido Trentalancia.
      Merge branch 'usr-fc' of git://github.com/fishilico/selinux-refpolicy-contrib
      Module version bump for fc updates from Nicolas Iooss.
      Module version bump for patches from Guido Trentalancia.
      Module version bump for capability2 fixes from Guido Trentalancia.
      Module version bump for plymouth fix from Guido Trentalancia.
      boinc: Update from Russell Coker.
      Module version bump for mozilla update from Guido Trentalancia.
      Merge pull request #47 from cgzones/dphysswap_module
      Merge pull request #40 from cgzones/fakehwclock_module
      Merge branch 'gpg_module' of git://github.com/cgzones/refpolicy-contrib
      Merge branch 'irqbalance_module' of git://github.com/cgzones/refpolicy-contrib
      Merge branch 'loadkeys_module' of git://github.com/cgzones/refpolicy-contrib
      Module version bumps for patches from cgzones.
      Merge branch 'exim_module' of git://github.com/cgzones/refpolicy-contrib
      Merge branch 'screen_module' of git://github.com/cgzones/refpolicy-contrib
      Module version bump for screen and exim changes from cgzones.
      screen: Revert broken interface call.
      cups: Move hplip_domtrans interface.
      Module version bump for cups patch from Guido Trentalancia.
      Bump module versions for release.

Dominick Grift (1):
      Re-add raid fc spec that must have been removed earlier by mistake

Guido Trentalancia (29):
      cups: descend "rw" directories when reading configuration files
      Apache OpenOffice module (contrib policy part)
      openoffice: rename two interfaces in openoffice and evolution
      mozilla: extend dbus connection permissions
      openoffice: permission to read user temporary files
      xguest: restrict ability to execute files on noxattr filesystems
      pulseaudio: update server and client permissions
      mozilla: remove redundant pulseaudio interface calls
      networkmanager: read user certs not user content (was enable userdom_read_user_certs() throughout the policy)
      Make several calls to mta interfaces optional
      wm: update the window manager (wm) module and enable its role template (v7)
      rtkit: enable dbus chat with xdm
      networkmanager: enable dbus chat with xdm
      policykit: enable dbus chat with xdm
      games: general update and improved pulseaudio integration
      wm: improved integration with games
      xscreensaver: update the module so that it can be effectively used
      wm: properly set domain entrypoint in wm_application_domain()
      openoffice: add writer support for sending email directly to multiple recipients
      contrib: use new genhomedircon template for username
      contrib: extend wm ability to launch confined graphical applications
      contrib: support the new interface to manage X session logs
      networkmanager: dbus chat with cups
      cups: add cups-browsed executable fc
      devicekit: add new wake_alarm permission (capability2)
      networkmanager: add new wake_alarm permission (capability2)
      plymouth: use the correct running domain for the client
      mozilla: execute evolution to send emails
      cups: new interface to execute HPLIP applications in their own domain

Jason Zaman (4):
      pcscd: dbus and domain lookup
      devicekit: fcontext for udisks2
      gnome: add gkeyring rules and fcontext
      gpg: add new socket paths

Laurent Bigonville (1):
      Add debian path for fprintd daemon

Luis Ressel (3):
      gpg: Add filetrans for scdaemon socket and gpg-agent extra sockets
      gpg.fc: Adjust whitespace
      mozilla: Add miscfiles_dontaudit_setattr_fonts_cache_dirs()

Nicolas Iooss (1):
      Add file contexts for files in /usr/{lib,sbin}

cgzones (10):
      use domain_auto_transition_pattern instead of domain_auto_trans
      remove trailing whitespaces
      transition file contexts to /run
      update loadkeys module
      add fakehwclock module
      add dphysswapfile module
      update gpg module
      update screen module
      update irqbalance module
      update exim module

* Sun Oct 23 2016 Chris PeBenito - 2.20161023
Adam Tkac (2):
      varnishncsa (varnishlog_t) reads localization files
      Grant certmonger "chown" capability

Chris PeBenito (42):
      Merge branch 'bigon-geoclue'
      Add additional comments in geoclue.
      Merge branch 'bigon-virt-1'
      Merge branch 'nm-1' of git://github.com/bigon/refpolicy-contrib into bigon-nm-1
      Merge branch 'bigon-nm-1'
      Module version bump for virt and networkmanager patches from Laurent Bigonville.
      Merge branch 'master' of git://github.com/bigon/refpolicy-contrib
      Module version bump for firewalld updates from Laurent Bigonville.
      Module version bump for collectd update from Jason Zaman.
      Module version bumps for user runtime fixes from Jason Zaman.
      Boinc updates from Russell Coker.
      rpcbind: Read /sys/devices/system/cpu/online from Russell Coker.
      watchdog: Move line.
      Module version bump for watchdog pidfile option from Russell Coker.
      Systemd units from Russell Coker.
      Module version bump for pulseaudio fc fix from Jason Zaman.
      cpucontrol: revise cpucontrol_conf_t labeling, from Guido Trentalancia.
      Module version bumps for patches from Guido Trentalancia.
      Update the telepathy module:
      Update the alsa module so that the alsa_etc_t file context (previously alsa_etc_rw_t) is widened to the whole alsa share directory, instead of just a couple of files.
      alsa: Add compatibility alias for alsa_etc_rw_t.
      Update the sysnetwork module to add some permissions needed by the dhcp client (another separate patch makes changes to the ifconfig part).
      Module version bump for various patches from Guido Trentalancia.
      pulseaudio: Fix compile errors.
      Merge branch 'master' of https://github.com/SeanPlacchetti/refpolicy-contrib
      Module version bump for webalizer dead type removal from Sean Placchetti.
      Module version bump for Evolution SSL fix from Guido Trentalancia.
      evolution: Read user certs from Guido Trentalancia.
      cups: Move can_exec() line.
      cups: Module version bump for hplip patch from Guido Trentalancia
      pulseaudio: Move interface definitions.
      Module version bump for mozilla patch from Guido Trentalancia.
      Module version bump for gnome patch from Guido Trentalancia.
      Module version bump for evolution patch from Guido Trentalancia.
      gpg: Whitespace fix.
      Merge branch 'feature/fix-networkmanager-varrun-macro' of https://github.com/rfkrocktk/refpolicy-contrib
      Module version bump for networkmanager fix from Naftuli Tzvi Kay.
      Merge branch 'rfkrocktk-feature/syncthing'
      Rearrange lines in syncthing.
      webalizer: Rearrange a couple lines.
      Module version bump for webalizer patch from Russell Coker.
      Bump module versions for release.

Dominick Grift (18):
      Module version bump for changes to the geoclue module by Laurent Bigonville.
      Module version bump for changes to various modules from Laurent Bigonville.
      geoclue: move kernel interface call to the appropriate position
      Actually associate mailmain_domain attribute with mailman domains
      Module version bumps for changes to various modules by Nicolas Iooss
      Module version bump for changes to the cron module by Jason Zaman
      Module version bump for changes to the redis module by Grant Ridder
      Module version bump for changes to the raid module by Laurent Bigonville
      Module version bump for changes to the networkmanager module by Laurent Bigonville.
      Module version bump for changes to the redis module by Grant Ridder.
      Module version bump for changes to the mozilla module by Laurent Bigonville.
      Module version bump for changes to the geoclue module by Nicolas Iooss.
      Add hwloc-dump-hwdata SELinux policy
      Module version bump for changes to the varnishd module by Robert Moucha
      Module version bump for changes to the puppet module by Thomas Mueller
      Module version bump for changes to the varnishd module by Adam Tkac
      Module version bump for changes to the certmonger module by Adam Tkac
      Revert "dbus: allow system, and session bus clients to answer to dbus unconfined domains"

Grant Ridder (2):
      Add read/write perms for redis-sentinel
      Allow tcp_connect to redis_port_t for redis_t

Guido Trentalancia (7):
      Policykit module: add fs_getattr_xattr_fs()
      Update the policy for module apm
      Let gpg disable core dumps
      Update the rtkit module
      Update the pulseaudio module for usability and ORC support
      cups: update permissions for HP printers (load firmware)
      gpg: public key signature verification in evolution

Guido Trentalancia via refpolicy (3):
      evolution: read SSL certificates
      mozilla: let mozilla play audio
      gnome: add support for the OIL Runtime Compiler (ORC) optimized code execution

Jason Zaman (10):
      cron: Allow locks to be lnk_files
      collectd: update policy for 5.5
      consolekit: allow managing user runtime
      pulseaudio: fcontext and filetrans for runtime
      ftp: Add filetrans from user_runtime
      gnome: Add filetrans from user_runtime
      mplayer: Add filetrans from user_runtime
      userhelper: Add filetrans from user_runtime
      wm: Add filetrans from user_runtime
      pulseaudio: fix user runtime fcontext

Laurent Bigonville (13):
      Add initial geoclue 2 module
      Properly escape dot in the path to the geoclue daemon
      Use auth_use_nsswitch() as we need DNS resolving and access nsswitch.conf
      virt.fc: Add some debian contexts
      networkmanager.fc: nm-dispatcher.action has been renamed to nm-dispatcher
      Allow some domain to read sysctl_vm_overcommit_t
      Allow mdadm read efivarfs files
      Allow /var/run/firewalld/ directory to transition to firewalld_var_run_t
      Add an interface to allow a domain to read firewalld_var_run_t files
      Allow firewalld to create firewalld_var_run_t directory.
      dontaudit firewalld attempt to relabel its own config files
      Allow NM to execute arping
      Debian now ships firefox-esr, properly label the executable

Luis Ressel (1):
      New policy for tboot utilities

Naftuli Tzvi Kay (2):
      Fix NetworkManager Read Pid Files Macro
      Syncthing Policy

Nicolas Iooss (3):
      Describe _initrc_domtrans interfaces differently from the _domtrans ones
      Fix typos in several interfaces
      Add Arch Linux path for geoclue module

Robert Moucha (1):
      Fix trivial typo in varnishncsa name

Russell Coker (2):
      watchdog reads pid files
      named reads vm sysctls

Russell Coker via refpolicy (1):
      webalizer patch for inclusion

Sean Placchetti (1):
      -Remove unused declarations from webalizer type enforcement file

Thomas Mueller (1):
      Allow puppet_t transtition to shorewall_t

doverride (3):
      Merge pull request #8 from bigon/geoclue
      Merge pull request #11 from bigon/overcommit-1
      Merge pull request #12 from fishilico/typos

* Tue Dec 08 2015 Chris PeBenito - 2.20151208
Alexander Wetzel (1):
      add vfio support for libvirt

Chas Williams - CONTRACTOR (1):
      afs: update labels, file contexts and allow access to urandom

Chris PeBenito (14):
      Module version bump for hadoop_admin() fix from Jazon Zaman.
      Module version bump for fc typo in radius from Sven Vermeulen.
      Module version bump for patches from Jason Zaman.
      Module version bump for init_startstop_service from Jason Zaman.
      Module version bump for cron_admin interface from Jason Zaman.
      Comment/whitespace fix in virt.te.
      Module version bump for vfio support for libvirt from Alexander Wetzel.
      Add systemd unit types.
      Add systemd socket activations.
      Merge branch 'pebenito-master'
      Module version bump for systemd additions.
      Merge branch 'bigon-systemd'
      Module version bump for dbus systemd patch from Laurent Bigonville.
      Bump module versions for release.

Dominick Grift (16):
      Module version bump for courier fixes from Sven Vermeulen.
      Module version bump for afs fixes from Chas Williams.
      Redundant rules and afs_files_t is not a filesystem type
      Various samhain fixes
      Cachefilesd module updates
      Module version bump for changes to the dnsmasq policy module by Jason Zaman
      Module version bump for changes to the snmp policy module by Jason Zaman
      Module version bump for changes to the pulseaudio policy module by Jason Zaman
      cachefiles: It is cachefilesd_cache_t
      Module version bump for update to the networkmanager policy module by Stephen Smalley.
      Module version bumps for "Remove run interface calls from admin interfaces" changes by Jason Zaman.
      Module version bump for changes to the pulseaudio module by Niklas Haas.
      Changes to the git, hadoop and rsync modules by Jason Zaman.
      Module version bump for changes to the virt module by Jason Zaman
      Module version bump for changes to the mozilla module from Laurent Bigonville.
      Module version bump for changes to the wine module by Nicolas Iooss

Jason Zaman (19):
      hadoop: remove _role from _admin interface
      rpcbind: typo fix
      git: make inetd interface optional
      rpc: introduce allow_gssd_write_tmp boolean
      rpc: allow setgid capability
      virt: add virt_tmpfs_t type and permissions
      introduce virt_leaseshelper_t
      dnsmasq: allow exec shell for scripts
      snmp: missing fcontext for snmpd
      pulseaudio: filetrans for autospawn.lock
      Use init_startstop_service in admin interfaces A-M
      Use init_startstop_service in admin interfaces N-Z
      Remove _run() interfaces from _admin()
      Introduce cron_admin interface
      rsync: remove rsync_run from admin interface
      git: allow git_system_t to listen on tcp_sockets
      hadoop: init_startstop_service() can not take attributes
      virt: Allow creating qemu guest agent socket
      virt: Add policy for virtlockd the Virtual machine lock manager

Laurent Bigonville (2):
      Transition D-Bus system service out of the init_t domain when PID1 is systemd
      Label iceweasel plugin-container executable as mozilla_plugin_exec_t

Nicolas Iooss (1):
      wine: remove use of nonexisting interface

Niklas Haas (1):
      pulse: don't give pulseaudio_client full access to user_home_t

Stephen Smalley (1):
      contrib: networkmanager: allow netlink_generic_socket access

Sven Vermeulen (6):
      Locate authdaemon socket and communicate with authdaemon
      Allow authdaemon to access selinux fs to check SELinux state
      Grant setuid/setgid to courier_pop_t
      Execute courier helper script after authentication
      Courier IMAP needs to manage the users' maildir
      Fix typo for radiusd /var/lib location

doverride (2):
      Merge pull request #3 from haasn/pulse-nohome
      Merge pull request #6 from bigon/mozilla-1

* Wed Dec 03 2014 Chris PeBenito - 2.20141203
Chris PeBenito (26):
      Whitespace fix in ntp.fc.
      Module version bump for ntp fc entries from Laurent Bigonville.
      Whitespace fix in shibboleth.te.
      Module version bump for new shibboleth module from Martin Lang.
      Module version bump for apt fix from Nicolas Iooss.
      Module version bump for dnsmasq MTU fix from Sven Vermeulen.
      Module version bump for apache content interfaces from Sven Vermeulen.
      Module version bump for gitweb fc entry on Debian and ArchLinux from Nicolas Iooss.
      Module version bump for fc regex fixes from Nicolas Iooss.
      Module version bump for various fixes from Laurent Bigonville.
      Module version bump for ModemManager fc entry from Laurent Bigonville.
      Add missing cron_admin_role() dependency.
      Move sock_file filetrans to fcron_crond conditional.
      Module version bump for cron and snort updates from Sven Vermeulen.
      Module version bump for java icedtea fc entries from Sven Vermeulen.
      Module version bump for apache/mlogc patch from Elia Pinto.
      Remove name from ntp-kod ntp_drift_t filetrans.
      Module version bump for ntp-kod file support from Jason Zaman.
      Module version bump for init_daemon_pid_file use from Sven Vermeulen.
      Module version bump for alsa and hiawatha fixes from Sven Vermeulen.
      Module version bump for ftp and tftp fixes from Nicolas Iooss.
      Move irc exec lines.
      Module version bump for irc re-exec itself patch from Luis Ressel.
      Module version bump for NetworkManager fc fix for ArchLinux from Nicolas Iooss.
      Module version bump for _admin fixes from Jason Zaman.
      Bump module versions for release.

Dominick Grift (3):
      Module version bump for changes to the loadkeys module by Nicolas Iooss
      cron: that boolean identifier does not exist also require it
      Module version bump for changes to the networkmanager modules by Lubomir Rintel

Elia Pinto (1):
      apache.te: Add labelling support for /var/log/mlogc

Jason Zaman (20):
      Add filetrans for ntp-kod file
      ccs: syntax errors in ccs_admin interface
      condor: syntax error in condor_admin
      distcc: syntax error in distcc_admin
      ftp: syntax error in ftp_admin
      kerberos: syntax error in kerberos_admin
      kismet: syntax error in kismet_admin
      nut: syntax error in nut_admin
      prelude: syntax error in prelude_admin
      psad: syntax error in psad_admin
      quota: syntax error in quota_admin
      rpcbind: syntax error in rpcbind_admin
      rpm: syntax error in rpm_admin
      systemtap: syntax error in stapserver_admin
      svnserve: syntax error in svnserve_admin
      uptime: syntax error in uptime_admin
      zabbix: syntax error in zabbix_admin
      remove pyzor_role() from pyzor_admin()
      remove spamassassin_role() from spamassassin_admin()
      rsync: syntax error in rsync_admin

Laurent Bigonville (7):
      Add several fcontext for debian specific paths for ntp
      Fix dbus_all_session_domain(), session_bus_type is an attribute
      Allow gconfd to be started by the session bus
      Fix the usage of dbus_spec_session_domain() interface
      Properly label exim4 initscript under Debian
      Add new gnome_spec_domtrans_all_gkeyringd() interface
      Label /usr/sbin/ModemManager as modemmanager_exec_t

Lubomir Rintel (1):
      Allow NetworkManager to create Bluetooth SDP sockets

Luis Ressel (1):
      irc.te: Allow irssi to re-execute itself

Martin Lang (1):
      Add a policy module for shibboleth authentication

Nicolas Iooss (7):
      apt: remove non-existing permission set write_dir_perms
      Label /usr/share/gitweb/static as httpd_git_content_t
      Fix strange file patterns
      ftp: fix labels in /var/lock/subsys/
      Label /usr/bin/tftpd as tftpd_exec_t
      Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/
      Allow loadkeys to read usr_t files

Sven Vermeulen (17):
      dnsmasq reads MTU sysctl
      Support read/append/manage functions for various httpd content
      Snort policy updates
      fcron socket support
      Fix typo in dnsmasq.if
      Mark icedtea binaries as java_exec_t
      Use init_daemon_pid_file for contrib modules
      Enable asound.state.lock support
      Add support for Hiawatha web server
      Use logging_search_logs, not logging_search_log
      Use logging_search_logs, not logging_search_log
      Use files_search_etc, not logging_search_etc
      Use files_search_etc, not logging_search_etc
      Use files_search_etc, not files_search_config
      Use corecmd_search_bin, not corecmd_searh_bin
      Use fs_search_tmpfs, not files_search_tmpfs
      Use domain_auto_trans, not auto_trans

* Tue Mar 11 2014 Chris PeBenito - 2.20140311
Chris PeBenito (17):
      Minor rearrangement of minidlna lines.
      Module version bump for openvpn tmp files from Sven Vermeulen.
      Update modules for file_t merge into unlabeled_t.
      Module version bump for postfix showq fc from Laurent Bigonville.
      Rename gpg_agent_connect to gpg_stream_connect_agent.
      Module version bump for gpg agent interface from Luis Ressel.
      Whitespace fixes in git.fc.
      Module version bump for debian git fc entries from Laurent Bigonville.
      Move bin_t fc to corecommands.
      Move exec/transition lines in couchdb.
      Add comment about couchdb_js policy.
      Module version bump for couchdb updates from Luis Ressel.
      Module version bump for pcscd fix from Luis Ressel.
      Move screen dontaudit rule.
      Module version bump for screen fix from Luis Ressel.
      Module version bump for git fc fix from Nicolas Iooss.
      Bump module versions for release.

Dan Walsh (28):
Allow irc_t to use tcp sockets
Add labels for apache logs under miq package
Allow smbcontrol to create content in /var/lib/samba
Allow ktalkd to bind to the ktalkd_port
Allow memcache to read sysfs data
Allow mdadm to getattr any file system
Allow cupsd_lpd_t to bind to the printer port
Allow rlogind to bind to the rlogin_port
Allow cvs to bind to the cvs_port
svirt domains need to create kobject_uevint_sockets
Lots of new access required for sosreport
Allow tgtd_t to connect to isns ports
openct needs to be able to create netlink_object_uevent_sockets
Allow glusterd to create sock_file in /run
Add support for tmp directories to openvswitch
Allow virt_domain with USB devices to look at dos file systems
Additional access for MLS
Additional access for MLS window manager
Additional access for MLS window manager
Additional access for MLS window manager
Allow rpcbind to use nsswitch
Allow gpg_agent to use ssh-add
Add apache labeling for glpi
Allow pegasus to transition to dmidecode
Allow mcelog to use the /dev/cpu device
Allow apmd to request the kernel load modules
Allow postfix programs to getattr on all executables
label mate-keyring-daemon with gkeyringd_exec_t

Dominick Grift (126):
Typo fix in ksmtuned_admin() by Shintaro Fujiwara Fix monolithic built Change file context spec for aide log files to catch suffixes Module version bumps for changes in various policy modules by Sven Vermeulen Squid: Use a single pattern for brevity Irc was already allowed to create tcp sockets, it only needed an additional accept, and listen to be able to act as a proxy It's probably a better idea to use the httpd_sys_ra_content_t type sid for logs in these locations Module version bump for changes to the tcsd policy module by Lukas Vrabec Module version bump for changes to various policy modules by Miroslav Grepl Module version bump for changes to the samba policy module by Dan Walsh Module version bump for changes to the telepathy policy module by Miroslav Grepl We do
not have a boinc domain type attribute Change boolean description a bit Additional rabbitmq couchdb support Module version bumps for changes to various policy modules by Miroslav Grepl Additional git tcp networking rules Additional ktalkd udp networking rules Module version bump for changes to various policy modules by Dan Walsh Additional cups ldp tcp networking rules Should be server packets because it is binding, and not connecting Clean up telnet, and rlogin networking rules Additional cvs tcp networking rules Module version bump for changes to various policy modules by Dan Walsh Additional tgtd tcp networking rules Additional polipo tcp networking rules Fix asterisk files_spool_filetrans() Module version bump for changes to the networkmanager policy module by Lukas Vrabec Additional fs_tmpfs_filetrans() for munin service plugin content on tmpfs Module version bump for changes to various policy modules by Miroslav Grepl Support rlogind, and telnetd as init daemon domains ( i think fedora is campaigning to get rid of (x)?inetd ) Support mariadb logging, file context specification for mariadb specific config location Change logwatch boolean identifier to something more self-documenting. Additional tcp networking rules Module version bump for changes to various policy modules by Miroslav Grepl Fix inconsistencies in the pkcs policy module Fix fetchmail inconsistencies Module version bump for changes in various policy modules by Dan Walsh Support for window managers to stream socket connect to pulseaudio Logwatch does not need to be able to bind tcp sockets to generic nodes since it's only connecting Adds userhelper_exec_consolehelper for window managers Remove duplicate rules due to addition of auth_use_nsswitch() We don't use the arbt domain types template.
Use a more uniform boolean description Clean up libstoragemngmt policy module We do not yet support systemd Change type from etc_rw to conf for readability admin access to condor_conf_t Hit by a nasty optional policy nesting issue We will find another way to run pa as a system server Module version bump for changes to various policy modules by Miroslav Grepl Clean up hypervkvp policy module (seems incomplete) Clean up initial redis policy module Additional openvpn tcp networking rules redis: allow redis to bind tcp sockets to redis_port_t type ports bluetooth: bluetooth_t acquires org.bluez service on dbus system bus wm: associate wm_exec_t to core command executable files so that initrc_t (/sbin/start-stop-daemon) can access it (metacity) logrotate restarts syslogd via init script in Debian This file is called just man-db in Debian. exim: exim owns directory /var/lib/exim4 accountsd: accounts-daemon lists /var/log alsa: alsactl listing /dev/shm alsa: alsactl reading /dev/urandom alsa: alsactl getting attributes of devtmpfs / (/dev) alsa: alsactl maintains a pulseaudio tmpfs file Cron: /sbin/runlevel reads /run/utmp cron: anacron (system_cronjob_t) reading, writing inherited random crond tmp files (/tmp/tmpfk1VT2O) dbus: allow system, and session bus clients to answer to dbus unconfined domains apt: Run apt system cronjobs in the apt_t domain apt: apt system cronjob creates dpkg.status.* files in /var/backup devicekit: upowerd reads own unix stream socket devicekit: devicekit_power_t (runlevel) read /run/utmp mandb: Make the man-db cronjob work on Debian rtkit: traverse /proc to get to process state files networkmanager: NetworkManager reads /run/udev/data/n2 file avahi: create a avahi_initrc_domtrans for udev_t: udev runs a avahi dns check script which does, i guess, a dns check. If needed it starts, or stops avahi via its init script.
I also created a avahi_manage_pid_files() for udev_t because the script manages a file called "checked_nameservers.*" in /run/avahi-daemon Cleanups of various modules with regard to regular expressions and white space apt: As it turns out the /var/backups directory is labeled in the backup module (which i incidentally did not have installed earlier). Instead of creating this file with a file type transition to apt_var_cache_t, allow apt_t to manage backup_store files mta: this needs to be verified again, it should just have been running in exim_t. I might have taken this from old logs mandb: /etc/cron.daily/man-db executes dpkg, reads dpkg db on Debian slocate: catch /usr/bin/updatedb.mlocate, and /etc/cron.daily/mlocate on Debian dpkg: catch /etc/cron.daily/dpkg on Debian dpkg: allow /etc/cron.daily/dpkg to manage backup store files on Debian cron: consistent usage of regular expressions cron: prelink no longer runs in the system cronjob domain alsa: alsactl wants to associate pulse-shm-.* to device_t type filesystems. This happens early on but i do not understand how that (/dev) relates to /dev/shm in this regard devicekit: reads udev pid files modemmanager: reads udev pid files vdagent: spice-vdagentd uses /dev/vport1p1 virtio console tmpreaper: mountall-bootcl in the tmpreaper_t domain reads, writes /dev/pts/0 inherited from init script revert regular expressions wm: allow $1_wm_t to stream connect to $1_gkeyringd_t mta: allow system_mail_t (user_mail_domains) to read kernel sysctls and to read exim var lib files. 
mta: These are duplicates because system_mail_t is a user_mail_domain, as it is based off of the mta_base_mail_template() which assigns that type attribute locate: extra rules needed by debian /etc/cron.daily/locate script backup: in Debian /etc/cron.daily/passwd backs-up shadow, passwd etc to /var/backups avahi: create interfaces that will allow callers to create avahi pid dirs and create specific avahi pid objects with a type transition (for udev, which runs: /usr/lib/avahi/avahi-daemon-check-dns.sh in Debian Initial gdomap policy module Initial minissdpd policy module alsa: due to a bug in gnome 3.4, in debian, alsactl does all kinds of weird things related to pulseaudio various: revert regex fixes: fcsort does not want this now gdomap: gdomap_port_t is now available, gdomap binds tcp, and udp socket to it alsa: make alsa_t and pulseaudio_client so that pulseaudio_client rules apply to it. alsactl does not actually run pulseaudio it seems though. pulseaudio: allow all pulseaudio_client to send null signals to unconfined_t, since unconfined_t is not actually a pulseaudio_client ( unconfined_t runs pulseaudio without a domain transition) avahi: create avahi_setattr_pid_dirs() for udev (avahi dns check script run by udev in Debian) These { read write } tty_device_t chr files on boot up in Debian colord: colord executable file locations in Debian colord: reads /proc/1, reads /run/udev files vdagent: read/write mtrr file mandb: dpkg running in the mandb_t domain in Debian (mandb cronjob) traverses /root exim: traverses sysfs, uses system cronjob file descriptors (/dev/null) in Debian (/etc/cron.daily/exim) minissdpd fixes devicekit: disk reads /proc/sys/vm/overcommit_memory devicekit: edit devicekit_append_inherited_log_files to include get attribute permission so that it can be also used for fsadm devicekit: 95hdparm-apm (devicekit_power_t) gets attributes of /dev/sda (fixed_disk_device_t) networkmanager: added interfaces that fedora calls for dhcpc.
In Debian it was confirmed that at least dhclient manages /var/lib/NetworkManager/dhclient-eth0.conf firewalld: various fixes that i borrowed from Fedora but that also apply to Debian (confirmed) firewalld: interfaces created for iptables irqbalance: getsched from Debian colord: colord reads /proc/3412/cmdline (cupsd state files) virt: libvirtd reads /run/udev/data/+input:input3 firewalld: traverses / on sysfs rngd: needs ipc_lock capability, maintains /run/rngd.pid tmpreaper: mountall-bootcl executes /bin/plymouth on Debian minissdpd: deal with assertion violation (sys_module) gdomap: missing networking rules, it traverses /tmp for some reason ntp: create ntp_read_drift_files() for dhclient dpkg: allow dpkg, and dpkg script to domain transition to initrc_t on any init script file type rather than only the generic initrc_exec_t init script file type exim: exim4 reads online apt: apt runs /usr/bin/apt-get apt: on_ac_power (apt_t) lists /sys/class/power_supply exim: exim_manage_var_lib_files created for init: init script runs helper apps that create/manage /var/lib/exim4/config.autogenerated.tmp gdomap/minissdpd: create read_config interfaces for initrc_t exim: make exim init script create /var/run/exim4 with a proper context pulseaudio: pulsaudio_t needs to be able to read user_tmpfs_files (/run/shm/pulse-shm-.*) dnsmasq: add support for /etc/dnsmasq.d/ Module version bumps for various policy modules Module version bump for changes to the logrotate module by Luis Ressel Git: git daemons can list and read git personal repositories Module version bumps for changes to various policy modules by Fedora redis, lsm: typo fixes userhelper: append newline

James Carter (8):
- Fixed typo in contrib/avahi.if
- Fixed typo in contrib/glusterfs.te
- Fixed typo in contrib/jabber.if
- Fixed typo in contrib/keystone.if
- Fixed typo in contrib/mailscanner.if
- Fixed typo in contrib/qpid.if
- Fixed typo in contrib/readahead.fc.
- Fixed typo in contrib/rpm.if.

Laurent Bigonville (2):
Label /usr/lib/postfix/showq as postfix_showq_exec_t
Properly label git-daemon and gitweb.cgi on Debian

Luis Ressel (10):
Allow initrc_t to create /var/run/opendkim
Label /etc/cron.daily/logrotate correctly.
gpg: Create gpg_agent_connect interface
Minor updates to couchdb policy
couchdb: Add separate domain for couchjs
couchdb: Dontaudit denials caused by Erlang's disksup
Reformat couchdb.fc
pcscd.if: Permit access to pid files inside /var/run/pcscd/.
Allow gpg-agent's scdaemon to connect to pcscd.
Dontaudit screen asking for the sys_tty_config capability

Lukas Vrabec (8):
Allow tcsd to read utmp file
fix boinc policy
Add support for couchdb in rabbitmq policy
Fix transition rules in asterisk policy
Add fowner capability to networkmanager policy
Add policy for lsmd
Add policy for hypervkvpd
Add policy for redis-server

Mika Pflüger (1):
Correct typo in passenger module name

Miroslav Grepl (40):
Allow passenger to execute ifconfig
Allow mpd setcap which is needed by pulseaudio
Allow block_suspend cap for samba-net
Allow t-mission-control to manage gabble cache files
Allow nslcd to read /sys/devices/system/cpu
Add labeling for ~/.cache/telepathy/avatars/gabble
Allow firewalld to read NM state
Allow systemd running as git_systemd to bind git port
Fix labeling for fetchmail pid files/dirs
Fix polipo.te
Fix cupsd.te
Allow munin service plugins to manage own tmpfs files/dirs
Make ktalk as init domain
Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb
Add logwatch_can_sendmail boolean
Allow rhsmcertd to read init state
Allow fsetid for pkcsslotd
Allow fetchmail to create own pid with correct labeling
Fix rhcs_domain_template()
Add support for abrt-upload-watch
Allow virtd to relabel unix stream socket
Fix lsm.fc for pid files
Also sock_file trans rule is needed in lsm
Update condor_master rules to allow read system state info and allow logging
Add labeling for /etc/condor and allow condor domain to write it (bug)
Allow condor domains to manage own logs
Allow glusterd to read domains state
Add openvpn_can_network_connect() boolean
Fix minissdpd_admin()
Allow ctdb to getattr on all filesystems
Watchdog opens the raw socket
Allow watchdog to read network state info
Add setroubleshoot_signull() interface
Allow sosreport to send signull to setroubleshootd
Allow sosreport all signal perms
Allow sosreport to dbus chat with rpm
Allow zabbix_agentd to read all domain state
Allow smoltclient to execute ldconfig
Allow sosreport to request the kernel to load a module
Allow setpgid for sosreport

Nicolas Iooss (1):
git: fix file pattern after whitespace fixes

Sven Vermeulen (6):
Add minidlna policy
Allow openvpn temporary files
Add aide bin /usr/bin and mark /var/lib/aide
Provide alsa_write_lib interface
Run dmidecode after newrole or on terminals
Grant write privileges to squid on its log files

* Wed Apr 24 2013 Chris PeBenito - 2.20130424

Chris PeBenito (18):
Rewrite of mcelog module from Guido Trentalancia
Remove unnecessary lines in mcelog.te.
Slight rearrangement in mcelog.te.
Module version bump for mcelog update from Guido Trentalancia.
Module version bump for ntp module fixes from Dominick Grift.
Module version bump for fc substitutions optimizations from Sven Vermeulen.
Module version bump for postfix/mta misc fixes from Sven Vermeulen.
Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
Turn off all tunables by default, from Guido Trentalancia.
Module version bump for tunable default change.
Module version bump for saslauthd tcp mysql connections from Mika Flueger.
Move kernel request line in quota.
Module version bump for quota kernel module request from Mika Pflueger.
Module version bump for djbdns ports fixes from Russell Coker.
Remove stray + in keystone.te.
Whitespace fixes in cron.fc.
Module version bump for pulseaudio type_transition conflict fix from Sven Vermeulen.
Bump module versions for release.

Dominick Grift (889):
Initial BIRD Internet Routing Daemon policy oident daemon fixes Introduce ntp_conf_t Allow ntp_admin() to manage ntp_drift_t content. List etc_t directories Use "Role allowed access." for consistency Use permissions sets for compatibility. Remove getattr permission from ntp_admin() Initial Sensord policy module Various block_suspend capability2 support from Fedora Gitolite3 support from Fedora /var/lib/sqlgrey is greylist milter data from Fedora Terminal related fixes for plymouthd from Fedora Support block_suspend capability2 for plymouth Support minimal polkit in new location Support ldap for user authentication from Fedora Sanlock sends kill signals to non-root processes from Fedora Various other capabilities for sanlock from Fedora Initial support for sqlgrey from Fedora Tor reads network sysctls from Fedora GPG agent reads /dev/random from Fedora Freshclam reads system and network state from Fedora Execute wpa_cli in the NetworkManager_t domain for wicd from Fedora lpstat.cups reads fips_enabled from Fedora Initial system tap compile server policy module Systemtap server admin manages stapserver_var_lib_t content Telepathy Idle reads gschemas.compiled from Fedora Initial slpd policy module Initial lightsquid policy module Initial wdmd policy module Initial mailscanner policy module and some dependencies. Support slpd log rotation Initial numad policy module Open log files for append only CGClear reads CGConfig files from Fedora Cosmetic changes to cgroup policy module File contexts of cgroup app executables files in /sbin also apply to /usr/sbin Make cgroup_admin() a bit more compact Initial svnserve policy module Various small changes to ucspitcp Initial fcoe policy module Initial lldpad policy module fcoemon sends to lldpad with a dgram socket Initial quantum policy module Initial dspam policy module Module version bump for Telepathy file context spec fixes from Laurent Bigonville.
Initial isns policy module Various changes to tcs policy module Initial ctdb policy module Various changes to the sblim policy module and its dependencies Initial polipo policy module Module version bump for networkmanager fixes Fixes to the polipo policy module Module version bump for smartmon fixes from Laurent Bigonville. Module version bump for accountsd file context spec fix from Laurent Bigonville. Various changes to the raid module Module version bump for rtkit file context spec fix from Laurent Bigonville Initial couchdb policy module Changes to the bind policy module Initial dnssectrigger policy module Initial man2html policy module Initial openhpi policy module Bind sends/receives http server instead of client packets conditionally Two file context regular expression fixes by Eric Paris Type mdadm_t is no longer a unconfined type Initial pkcs policy module Initial cfengine policy module Initial keystone policy module Initial l2tp policy module Initial mongodb policy module cfengine whitespace cleanup Changes to the accountsservice policy module Changes to the acct policy module Changes to the ada policy module changes to the afs policy module Changes to the accountsservice policy module Changes to the aiccu policy module Changes to the aide policy module Syntax error in afs_admin() Changes to the aisexec policy module Changes to the alsa policy module Changes to the amanda policy module Changes to the amavisd policy module and relevant dependencies Changes to the amtu policy module Changes to the anaconda policy module Changes to the abrt policy module and relevant dependencies numad sends/receives msgs from Fedora Amtu executable file in installed in /usr/sbin in Fedora The (usr/)? 
expression does not work consistently so better not use it at all Changes to the httpd policy module Merge branch 'master' of ssh://dgrift@oss.tresys.com/home/git/refpolicy-contrib Fixes to the apache policy module and dependencies Changes to the apcupsd policy module Role attributes for lightsquid application domain Changes to the mailscanner module Changes to the svnserve policy module Changes to the quantum policy module Changes to the dspam module Changes to the ctdb policy module Changes to the couchdb policy module Changes to the openhpid policy module Changes to the keystone policy module Changes to the l2tp policy module Changes to the apm module and relevant dependencies Changes to the arpwatch policy module Changes to the apcupsd policy module Changes to the abrt policy module Changes to the apache policy module Changes to the asterisk policy module and dependencies Changes to the authbind policy module Changes to the automount policy module Change acpid lock file context spec Changes to the avahi policy module and dependencies Changes to the awstats policy module Changes to the bacula policy module Changes to the bcfg2 policy module Changes to the apt policy module Changes to the apache policy module Changes to the backup module Changes to the bind policy module Bird module clean up Fix arpwatch connected_stream_socket_perms Changes to the bitlbee policy module Changes to the blueman policy module Changes to the bluetooth policy module Changes to the brctl policy module Changes to the apache policy module Changes to the bugzilla policy module Changes to the calamaris policy module Implement lightsquid_admin() Changes to the apache policy module and dependencies Initial boinc policy module Initial callweaver policy module Changes to the canna policy module Changes to the ccs policy module Changes to the cdrecord policy module Changes to the certmaster policy module and various role attribute fixes cdrecord needs to read and write callers unix domain 
stream socket not create it Changes to the certmonger policy module and its dependencies Initial cachefilesd policy module Changes to the certwatch policy module Changes to the chronyd policy module Changes to the cipe policy module Changes to the clamav policy module Various network clean up Add dev_rw_cachefiles() to cachefilesd policy module Changes to the clockspeed policy module Changes to the clogd policy module Changes to the cmirrord policy module Changes to the cobbler policy module Changes to the colord policy module Changes to the comsat policy module Initial collectd policy module Initial condor policy module and relevant dependencies Changes to the consolekit policy module and relevant dependencies Changes to the corosync policy module and relevant dependencies Clean up couchdb network rules Changes to the courier policy module Changes to the cpucontrol policy module Changes to the cpufreqselector policy module Changes to the cron policy module and relevant dependencies Changes to the cups policy module and relevant dependencies Changes to the cvs policy module Remove redundant connect avperms Changes to the cyphesis policy module Remove redundant rules from apache_admin() Changes to the cyrus policy module Changes to the daemontools policy module Changes to the dante policy module Modify dbadm boolean descriptions Changes to the dbus policy module and its dependencies Changes to the dcc policy module Changes to the ddclient policy module Changes to the ddcprobe policy module Changes to the denyhosts policy module Changes to the devicekit policy module and relevant dependencies Changes to the dhcpd policy module Changes to the dictd policy module Changes to the discc policy module Changes to the djbdns policy module Changes to the dkim policy module Changes to the dmidecode policy module Module bump for Laurent Bigonville trousers init script file context specification fix Module bump for Laurent Bigonville libvirt init script file context specification
fix Changes to the dnsmasq policy module and relevant dependencies Changes to the dovecot policy module Changes to the dpkg policy module Changes to the entropyd policy module Changes to the evolution policy module Changes to the exim policy module and relevant dependencies Changes to the cron policy module Changes to the fail2ban policy module fcoemon XML clean up Changes to the fetchmail policy module Changes to the fingerd policy module Initial firewalld policy module Changes to the firstboot policy module Changes to the fprint policy module and relevant dependencies Changes to the ftp module Changes to the games policy module Clean up evolution and cdrecord XML Changes to the gatekeeper policy module Changes to the gift policy module Changes to the git policy module Changes to the gitosis policy module Changes to the glance policy module Initial glusterfs policy module Add gatekeeper newline Deprecate glusterd_admin() use glusterfs_admin() instead Portage module version bump for autofs support by Matthew Thode and clean up cfengine: This location is now labeled with a cfengine private type Changes to the slpd policy module Changes to the gnomeclock policy module and relevant dependencies Changes to the gpg policy module Changes to the gpm policy module Changes to the gpsd policy module and relevant dependencies changes to the guest policy module Changes to the gnomeclock policy module Deprecate various DBUS interfaces and relevant dependencies Changes to the cachefilesd policy module Remove file context specification for kgpg which is a GUI frontend to GPG. Domain transition to gpg_t will happen when kgpg runs gpg. 
(rhbz#862229) Initial mandb policy module Changes to the hadoop policy module Changes to the hald policy module Changes to the hddtemp policy module Changes to the howl policy module changes to the mandb policy module Changes to the dbus policy module Changes to the rpm policy module Changes to the i18n_input policy module Changes to the icecast policy module Changes to the ifplugd policy module Changes to the imaze policy module Changes to the inetd policy module and relevant dependencies Changes to the innd policy module Changes to the irc policy module Changes to the ircd policy module Changes to the irc policy module Changes to the dbus policy module Changes to the avahi policy module Changes to the bluetooth policy module Changes to the aiccu policy module Changes to the bacula policy module Changes to the boinc policy module Changes to the bugzilla policy module Changes to the ccs policy module Changes to the clamav policy module Changes to the cobbler policy module Changes to the cyphesis policy module Changes to the dante policy module Changes to the dbskk policy module Changes to the ddclient policy module Changes to the denyhosts policy module Changes to the dnssectrigger policy module Changes to the dovecot policy module Changes to the drbd policy module Changes to the evolution policy module Changes to the fail2ban policy module Changes to the firewalld policy module Changes to the firstboot policy module Changes to the games policy module Changes to the gift policy module Changes to the glance policy module Changes to the hald policy module Changes to the dbus policy module Changes to the git policy module Changes to the polipo policy module Changes to the firewalld policy module Changes to the gpg policy module Tab clean up in ircbalance file context file Changes to the irqbalance policy module Tab clean up in iscsi file context file Changes to the iscsi policy module Tab clean up in jabber file context file Changes to the jabberd policy module 
Changes to the pyicqt policy module Tab clean up in java file context file Changes to the java policy module Changes to the dbus policy module Changes to the gnome policy module Changes to the apache policy module Changes to the accountsd policy module Changes to the alsa policy module Changes to the evolution policy module Changes to the bluetooth policy module Changes to the games policy module Changes to the gift policy module Changes to the gpg policy module Changes to the hadoop policy module Tab clean up in kdump file context file Changes to the kdump policy module Changes to the gpg policy module Changes to the dbus policy module Changes to the evolution policy module Changes to the gpm policy module Version bump for evolution file context fixes by Laurent Bigonville Version bump for nut file context fixes by Laurent Bigonville Changes to the kdumpgui policy module Tab clean up in kerberos file context file Changes to the kerberos policy module and relevant dependencies Changes to the kerneloops policy module Tab clean up in kerberos file context file Changes to the kismet policy module Clean up amavis XML header Initial keyboardd policy module Tab clean up in ksmtuned file context file Changes to the ksmtuned policy module Tab clean up in ktalk file context file Changes to the ktalk policy module Changes to the kudzu policy module Initial iodine policy module Initial dirmngr policy module Changes to the iodine policy module Changes to the kerberos policy module Changes to the kdumpgui policy module Update deprecated interface calls ( gnome_read_config -> gnome_read_generic_home_content ) Changes to the mozilla policy module Changes to the thunderbird policy module Changes to the l2tp policy module Tab clean up in ldap file context file Changes to the ldap policy module Tab clean up in likewise file context file Changes to the likewise policy module Tab clean up in lircd file context file Changes to the lircd policy module Changes to the livecd policy module 
Tab clean up in loadkeys file context file Changes to the loadkeys policy module and relevant dependencies Tab clean up in lockdev file context file Changes to the lockdev policy module Tab clean up in logrotate file context file Changes to the logrotate policy module and relevant dependencies Tab clean up in logwatch file context file Changes to the logrotate policy module Changes to the logwatch policy module Tab clean up in lpd file context file Changes to the lpd policy module Tab clean up in cron policy module Changes to the lpd policy module Changes to the consolekit policy module Tab fix in cron policy module Tab clean up in mailman file context file Changes to the mailman policy module and relevant dependencies Tab clean up in mcelog file context file Changes to the mcelog policy module Tab clean up in mediawiki file context file Mediawiki XML clean up Tab clean up in memcached file context file Changes to the memcached policy module Changes to the apache policy module Tab clean up in milter file context file Changes to the milter policy module and relevant dependencies Changes to the modemmanager policy module Tab clean up in mojomojo file context file Changes to the mojomojo policy module and relevant dependencies Changes to the gpg policy module Changes to the mongodb policy module Changes to the mono policy module Changes to the monop policy module Tab clean up in mozilla file context file Changes to the mozilla policy module and relevant dependencies Changes to the mozilla policy module Changes to the apache policy module Tab clean up in mpd file context file Changes to the mpd policy module Tab clean up in mplayer file context file Changes to the evolution policy module Changes to the mplayer policy module Changes to the irc policy module Tab clean up in mrtg file context file Changes to the mrtg policy module Tab clean up in mta file context file Changes to the mta policy module and relevant dependencies Changes to the mta policy module and relevant 
dependencies Get rid of mozilla_conf_t as it is unused Changes to the logrotate policy module Changes to the logwatch policy module Changes to the java policy module Changes to the apache module and relevant dependencies Tab clean up in munin file context file Changes to the munin policy module and relevant dependencies Tab clean up in mysql file context file Changes to mysqld policy module Changes to various policy modules Changes to the munin policy module Changes to the dovecot policy module Changes to various policy modules Changes to the mta policy module Changes to the certmonger policy module and relevant dependencies Tab clean up in nagios file context file Changes to the nagios policy module and relevant dependencies Changes to the modutils policy module Tab cleanup in the nessus file context file Changes to the nessus policy module Tab clean up in the network manager file context file Changes to the networkmanager policy module and relevant dependencies Changes to the mozilla policy module Changes to the cobbler policy module Initial rngd policy module Tab clean up in the nis file context file Changes to the nis policy module Tab clean up in the nscd file context file Changes to the nscd policy module Tab clean up in the nsd file context file Changes to the nsd policy module Tab clean up in the nslcd file context file Changes to the nslcd policy module Tab clean up in the ntop file context file Changes to the ntop policy module Tab clean up in the ntp file context file Changes to the ntp policy module Changes to the numad policy module Tab clean up in the nut file context file Changes to the nut policy module Tab clean up in the nx file context file Changes to the nx policy module Changes to the oav policy module Initial obex policy module Tab clean up in the oddjob file context file Tab clean up in gpg policy module Changes to the oddjob policy module Changes to the mozilla policy module Initial pacemaker policy module Tab clean up in the oidentd file
context file Changes to the oident policy module Tab clean up in the openca file context file Changes to the openca policy module Tab clean up in the openct file context file Changes to the openct policy module Tab clean up in the openvpn file context file Changes to the openvpn policy module Tab clean up in the pads file context file Changes to the pads policy module Tab clean up in the passenger file context file Changes to the passenger policy module and relevant dependencies Tab clean up in the pcmcia file context file Changes to the pcmcia policy module Tab clean up in the pcscd file context file Changes to the pcscd policy module and relevant dependencies Tab clean up in the pegasus file context file Changes to the pegasus policy module Tab clean up in the perdition file context file Changes to the perdition policy module Tab clean up in the pingd file context file Changes to the pingd policy module Changes to the plymouthd policy module Changes to the mozilla policy module Changes to the plymouth policy module Tab clean up in the podsleuth file context file Changes to the podsleuth policy module Tab clean up in the policykit file context file Changes to the policykit policy module and relevant dependencies Tab clean up in the portage file context file Changes to the portage policy module Tab clean up in the portmap file context file Changes to the portmap policy module Tab clean up in the portreserve file context file Changes to the portreserve policy module Tab clean up in the portslave file context file Changes to the portslave policy module and relevant dependencies Tab clean up in the postfix file context file Changes to the postfix policy module and relevant dependencies Fixes to various policy modules Tab clean up in the postfixpolicyd file context file Changes to the postfixpolicyd policy module Tab clean up in the postgrey file context file Changes to the postgrey policy module Tab clean up in the ppp file context file Changes to the ppp policy 
module and relevant dependencies Tab clean up in the prelink file context file Changes to the prelink policy module and relevant dependencies Tab clean up in the prelude file context file Changes to the prelude policy module Tab clean up in the privoxy file context file Changes to the privoxy policy module Tab clean up in the procmail file context file Changes to the procmail policy module Tab clean up in the psad file context file Changes to the psad policy module Changes to the ptchown policy module Tab clean up in the publicfile file context file Changes to the publicfile policy module Fix a fatal syntax error in mozilla_plugin_role() Changes to the plymouth policy module Changes to the policykit policy module Module version bump for fixes in shorewall, fail2ban and portage policy modules by Sven Vermeulen Tab clean up in the puppet file context file Changes to the puppet policy module and relevant dependencies Initial pwauth policy module Tab clean up in the pxe file context file Changes to the pxe policy module Tab clean up in the pyzor file context file Changes to the pyzor policy module Tab clean up in the qemu file context file Changes to the qemu policy module Tab clean up in the virt file context file Changes to the virt policy module and relevant dependencies Changes to the virt policy module Changes to the cron policy module Changes to the qemu policy module Changes to the virt policy module Epylog wants sys_nice and setsched Tab clean up in the qmail file context file Changes to the qmail policy module Tab clean up in the qpid file context file Changes to the qpid policy module Tab clean up in the quota file context file Changes to the quota policy module and relevant dependencies Initial rabbitmq policy module Tab clean up in the radius file context file Changes to the radius policy module Tab clean up in the radvd file context file Changes to the radvd policy module Changes to the raid policy module Tab clean up in the razor file context file Changes 
to the razor policy module and relevant dependencies Smokeping cgi needs to run ping with a domain transition Remove redundant socket create already provided by sysnet_dns_name_resolve() Changes to the virt policy module Changes to the apache policy module Changes to the gnome policy module Changes to the rdisc policy module Changes to the readahead policy module Changes to the remotelogin policy module Tab clean up in the resmgr file context file Changes to the resmgr policy module Tab clean up in the rgmanager file context file Changes to the rgmanager policy module Initial Realmd policy module and relevant dependencies Fix resmgrd init script file context specification Changes to the cups policy module automount reads overcommit_memory Changes to the networkmanager policy module Freshclam manages amavis spool content Changes to the tftp policy module Changes to the cobbler policy module Tab clean up in the rhcs file context file Changes to the rhcs policy module and relevant dependencies Tab clean up in the rhgb file context file Changes to the rhgb policy module Tab clean up in the rhsmcertd file context file Changes to the rhsmcertd policy module Tab clean up in the ricci file context file Changes to the ricci policy module Tab clean up in the rlogin file context file Changes to the rlogin policy module Tab clean up in the roundup file context file Changes to the roundup policy module Changes to the remotelogin policy module Changes to the apache policy module Changes to the awstats policy module fix puppet_admin() need to require types that it uses Replace wrong type in puppet_admin() Fix a syntax error in ricci_domtrans() Catch all rpcbind content in /var/run Changes to the cups policy module Tab clean up in the rpc file context file Changes to the rpc policy module Tab clean up in the rpcbind file context file Changes to the rpcbind policy module Tab clean up in the rpm file context file Changes to the rpm policy module and dependencies Changes to the rshd 
policy module Changes to the virt policy module Changes to the rssh policy module Tab clean up in the rsync file context file Fix a typo in apache XML Changes to the rsync policy module Changes to the rtkit policy module Tab clean up in the rwho file context file Changes to the rwho policy module Reads /proc/sys/kernel/random/poolsize Tab clean up in the samba file context file Changes to the samba policy module and relevant dependencies Tab clean up in the sambagui file context file Changes to the sambagui policy module Initial firewallgui policy module Tab clean up in the samhain file context file Changes to the samhain policy module Tab clean up in the sanlock file context file Changes to the sanlock policy module and relevant dependencies Tab clean up in the sasl file context file Changes to the sasl policy module Changes to the sblim policy module Tab clean up in the screen file context file Changes to the screen policy module Tab clean up in the sectoolm file context file Changes to firewallgui policy module Changes to the sectoolm policy module Tab clean up in the sendmail file context file Changes to the sendmail policy module and relevant dependencies Tab clean up in the setroubleshoot file context file Changes to the setroubleshoot policy module Tab clean up in the shorewall file context file Changes to the shorewall policy module Tab clean up in the shutdown file context file Changes to the shutdown policy module and relevant dependencies Tab clean up in the slocate file context file Changes to the slocate policy module and relevant dependencies These domains transition to shutdown domain now so they no longer need direct access Re-add missing network rule in screen policy module fail2ban server sets scheduler shutdown XML clean up libvirtd sets kernel scheduler mongod reads cpuinfo_max_freq Changes to the slrnpull policy module Tab clean up in the smartmon file context file Changes to the smartmon policy module Tab clean up in the smokeping file context 
file Changes to the smokeping policy module Tab clean up in the smoltclient file context file Changes to the smoltclient policy module Tab clean up in the snmp file context file Changes to the snmp policy module Tab clean up in the snort file context file Changes to the snort policy module Changes to the sosreport policy module and relevant dependencies Tab clean up in the soundserver file context file Changes to the soundserver policy module Tab clean up in the spamassassin file context file Changes to the spamassassin policy module and relevant dependencies spamassassin_role callers create ~/.spamd with the spamd_home_t user home type instead Re-add sys_admin capability that was lost with porting from Fedora Move mailscanner content to mailscanner module Changes to the speedtouch policy module Tab clean up in the squid file context file Changes to the squid policy module Changes to the sssd policy module Tab clean up in the stunnel file context file Changes to the stunnel policy module Tab clean up in the sxid file context file Changes to the sxid policy module Tab clean up in the sysstat file context file Changes to the sysstat policy module Tab clean up in the tcpd file context file Changes to the tcpd policy module Changes to the tcsd policy module Tab clean up in the telepathy file context file Changes to the telepathy policy module Tab clean up in the telnet file context file Changes to the telnet policy module Tab clean up in the tftp file context file Changes to the tftp policy module Tab clean up in the tgtd file context file Changes to the tgtd policy module Tab clean up in the thunderbird file context file Changes to the thunderbird policy module Catch /var/log/cron directory as well Dovecot module version bump for fixes by Sven Vermeulen Portage module version bump for fixes by Sven Vermeulen Cron module version bump for fixes by Sven Vermeulen Changes to the exim policy module Entropyd reads /proc/meminfo Blueman reads tmp_t directories Do not audit 
attempts by cups config to read tmp_t directories Do not audit attempts by fail2ban to read tmp_t directories Do not audit attempts by firewalld to read tmp_t directories Gnomeclock reads urandom and realtime clock Kdumpctl needs sys_chroot capability Various kdumpgui fixes from Fedora Do not audit attempts by logwatch to read tmp_t directories Catch all alias files Refine aliases file transition with names Realmd dbus chat policykit and networkmanager from Fedora Do not audit attempts by tuned to read tmp_t directories Changes to the timidity policy module Tab clean up in the tmpreaper file context file Changes to the tmpreaper policy module and relevant dependencies Tab clean up in the tor file context file Changes to the tor policy module Changes to the transproxy policy module Tab clean up in the tripwire file context file Changes to the tripwire policy module Tab clean up in the tuned file context file Changes to the tuned policy module Tab clean up in the tvtime file context file Changes to the tvtime policy module Changes to the tzdata policy module Changes to the ucspitcp policy module Tab clean up in the ulogd file context file Changes to the ulogd policy module Tab clean up in the uml file context file Changes to the uml policy module Make it so that irc clients can also get attributes of cifs, nfs, fuse and other file systems Changes to the updfstab policy module Changes to the uptime policy module Tab clean up in the usbmodules file context file Changes to the usbmodule policy module Changes to the usbmuxd policy module Tab clean up in the userhelper file context file Screen sends child terminated signals to all interactive fd domains Changes to the userhelper policy module and relevant dependencies Changes to the virt policy module Module version bump for fail2ban changes by Sven Vermeulen Changes to the rpm policy module fix smartmon init script file context specification Changes to the usernetctl policy module Tab clean up in the uucp file context 
file Changes to the uucp policy module Changes to the virt policy module Tab clean up in the uuid file context file Changes to the uuidd policy module Tab clean up in the uwimap file context file Changes to the uwimap policy module Tab clean up in the varnishd file context file Changes to the varnishd policy module Changes to the vbetool policy module Tab clean up in the vdagent file context file Changes to the vdagent policy module Tab clean up in the vhostmd file context file Changes to the vhostmd policy module Changes to the vlock policy module Tab clean up in the vmware file context file Changes to the vmware policy module Tab clean up in the vnstatd file context file Changes to the vnstatd policy module Tab clean up in the vpn file context file Changes to the vpnc policy module Tab clean up in the w3c file context file Changes to the w3c policy module Tab clean up in the watchdog file context file Changes to the watchdog policy module Changes to the wdmd policy module Changes to the webadm policy modules Changes to the webalizer policy module White space fix in apache policy module Changes to the wine policy module Tab clean up in the wireshark file context file Changes to the wireshark policy module Tab clean up in the wm file context file Changes to the wm policy module Changes to the inn policy module Move man cache file type to miscfiles Changes to the inn policy module More accurate dbadm boolean descriptions mysql_admin() has access to ~/.my.cnf files Tab clean up in the xen file context file Changes to the xen policy module and relevant dependencies Tab clean up in the xfs file context file Changes to the xfs policy module Changes to the xguest policy module and relevant dependencies Changes to the xprint policy module Changes to the xscreensaver policy module Tab clean up in the yam file context file Changes to the yam policy module Tab clean up in the zabbix file context file Changes to the zabbix policy module Tab clean up in the zarafa file context 
file Changes to the zarafa policy module Tab clean up in the zebra file context file Changes to the zebra policy module Changes to the zosremote policy module Changes to the mysql policy module Tab clean up in the pulseaudio file context file Changes to the pulseaudio policy module and relevant dependencies Changes to the pulseaudio policy module One chown too many Changes to the mplayer policy module The prelink cron script now runs in its own domain Initial smstools policy module Initial openvswitch policy module and relevant dependencies Reads pcsd pid files Reads random device winbind manages smbd pid sock files from Fedora Changes to the bind policy module CG rules daemon reads all sysctls Runs consoletype and searches nfs state data from Fedora Support munin unbound plugin from Fedora Zabbix sends signals from Fedora Blueman sets scheduler and sends signals from Fedora pcscd_read_pub_files is deprecated, use pcscd_read_pid_files instead Module version bumps for fixes in portage and virt modules by Sven Vermeulen Policy module version bumps for various changes by Sven Vermeulen Changes to the openvpn policy module Module version bumps for various fixes by Sven Vermeulen Changes to the mandb policy module Changes to the tmpreaper policy module Changes to the munin policy module Changes to the rngd policy module Changes to the awstats policy module and relevant dependencies Changes to the apache policy module Changes to various policy modules Changes to the abrt policy module Changes to the passenger policy module and relevant dependencies Changes to the pegasus policy module Changes to the mta policy module Changes to the fetchmail policy module Changes to the bitlbee policy module Changes to the blueman policy module and relevant dependencies Changes to the amavis policy module Changes to the userhelper policy module Changes to the blueman policy module Changes to the squid policy module Changes to the sblim policy module Changes to the kdumpgui policy module 
Changes to the mailman policy module Changes to the realmd policy module Changes to the raid policy module Changes to the samba policy module Changes to the various policy modules Changes to the snmp policy module Changes to the spamassassin policy module Changes to the sssd policy module Changes to the l2tpd policy module Changes to the shorewall policy module Changes to the xen policy module Changes to the tftp policy modules Changes to the accountsd policy module Changes to the tgtd policy module Changes to the corosync policy module Changes to the kdump policy module Changes to the openvswitch policy module Changes to the mpd policy module Changes to the mozilla policy module Changes to the zarafa policy module Changes to the boinc policy module Changes to the setroubleshoot policy module Changes to the dspam policy module Changes to the rgmanager policy module and relevant dependencies Changes to the svnserve policy module Changes to the virt policy module Changes to the prelink policy module Changes to the apache policy module Changes to the gnomeclock policy module Changes to various policy modules Changes to the pegasus policy module Changes to the shorewall policy module Changes to the kerberos policy module Changes to the rhcs policy module Changes to the irc policy module Changes to the clamav policy module Changes to the mrtg policy module Changes to the munin policy module Changes to the amavis policy module Changes to the ppp policy module Initial jockey policy module Module version bumps for "several named transition for directories created in /var/run by initscripts" in various modules by Laurent Bigonville Module version bumps for fixes in various modules by Laurent Bigonville Module version bump for changes to the consolekit policy module by Laurent Bigonville Changes to the stunnel policy module Module version bumps for fixes in various modules by Sven Vermeulen Changes to the virt policy module Changes to the apache policy module Changes to the 
wm policy module Changes to the samba policy module Changes to the certmonger policy module Changes to the mozilla policy module Changes to the corosync policy module Changes to the pacemaker policy module Changes to the tuned policy module Changes to the cups module and relevant dependencies Changes to the rhsmcertd policy module Changes to the lpd policy module Changes to the munin policy module Changes to the ntp policy module Changes to the tor policy module Changes to the firewalld policy module Changes to the dspam policy module Changes to the setroubleshoot policy module Changes to the condor policy module Changes to the kerberos policy module Changes to the passenger policy module Changes to the ppp policy module Changes to the dkim policy module Changes to the abrt policy module Changes to the lircd policy module Changes to the dkim policy module Changes to the virt policy module Changes to the munin policy module Changes to the dovecot policy module Changes to the cobbler policy module Changes to the userhelper policy module Changes to the logwatch policy module Changes to the wdmd policy module and relevant dependencies Changes to the nscd policy module and relevant dependencies Changes to the dbus policy module Module version bumps for fixes in various policy modules by Laurent Bigonville Changes to the cups policy module Changes to the dbus policy module Changes to the apcupsd policy module Remove redundant net_bind_service capabilities in various modules Changes to the virt policy module Changes to the puppet policy module Module version bumps for fixes in various policy module by Sven Vermeulen Module version bumps for file context fixes in various policy modules by Laurent Bigonville Make httpd_manage_all_user_content() do what it advertises Add more networking rules to mplayer policy module for compatibility Fix fcronsighup file context. 
Should be crontab_exec_t as per previous spec Module version bumps for changes in various modules by Sven Vermeulen Move asterisk_exec() and modify XML header Consolekit creates /var/run/console directories with a type transition unconditionally Module version bump in consolekit policy module for changes by Sven Vermeulen The imaplogin executable file should be courier_pop_exec_t according to existing file context specification Module version bump for changes to the fail2ban policy module by Sven Vermeulen Modules version bumps for changes in various policy modules by Sven Vermeulen

Laurent Bigonville (28):
      Add Debian locations for Telepathy connection managers
      Label telepathy-rakia as telepathy-sofiasip
      Allow smartd daemon to write in /var/lib/smartmontools directory
      Add Debian location for smartd daemon initscript
      Add Debian location for accounts-daemon daemon
      Add Debian location for rtkit-daemon daemon
      Add Debian location for tcsd init script
      Add Debian location for libvirtd init script
      Add Debian location for evolution executables
      Add Debian locations for nut executables and configuration files
      Add several named transition for directories created in /var/run by initscripts
      Run packagekit under apt_t context on Debian distribution
      Add proper label for colord daemon in debian
      Allow the system dbus to search cgroup directories
      Allow virtd_t context to read sysctl_crypto_t
      Allow colord_t context to read sysctl_crypto_t
      Add proper label for gconfd-2 daemon in Debian
      Ensure that consolekit can create /var/run/console directory on Debian
      Properly label nm-dispatcher.action on Debian
      policykit.fc: Properly label polkit-agent-helper-1 on Debian
      cups.fc: Properly label cups-pk-helper-mechanism on Debian
      Allow pcscd the fsetid capability
      Allow networkmanager_t to read crypto_sysctl_t
      Allow virsh_t context to read sysctl_crypto_t
      Allow cupsd_t to read cupsd_log_t
      gnomeclock.fc: Properly label gsd-datetime-mechanism in Debian
      ptchown.fc: Properly label pt_chown executable in Debian
      Label /usr/bin/kvm as qemu_exec_t

Matthew Thode (2):
      added autofs support and nsswitch support
      removing references to named_var_lib_t as it doesn't exist anymore for bind.if

Mika Pflüger (3):
      Allow saslauthd_t to talk to mysqld via TCP
      Quota policy adjustments: * Allow quota_t to load kernel modules
      Debian locations for dovecot deliver and dovecot auth.

Russell Coker (1):
      Fix djbdns ports

Sven Vermeulen (75):
      Update with new substitutions
      Mark the pid directory as a pid directory
      Add in transitions for queue types when the queues are created
      Fix typo in interface postfix_exec_postqueue
      Allow maildelivery to use dotlock files in the mail spool
      Allow postfix local to change ownership of mailfiles
      Use libexec location for postfix binaries
      Allow initrc_t to create run dirs for contrib modules
      Update logwatch location in file context
      Sandbox is an inherent part of the portage inner workings
      Fix startup issue with fail2ban-client
      Be able to get output from fail2ban-client
      Ignore searches when run from the user home directory
      Shorewall admins execute shorewall too
      Shorewall needs sys_admin capability for manipulating network stack
      Be able to display dovecot errors
      Remove transition to ldconfig
      Adding interfaces for handling cron log files
      Fail2ban client checks state of log files before telling the server
      Support mysql init script
      Support initial creation of mysql database files
      Portage fetch domain needs to access certificates
      Make samba domtrans optional in virt
      Fix typo in tunable declaration for fcron_crond
      Introducing cron_manage_log_files interface
      Introduce dontaudit interfaces for leaked fd and unix stream sockets
      Dontaudit attempts by system_mail_t to use leaked fd or stream sockets
      Support at service
      Additional postfix admin requirements
      Reintroduce postfix_var_run_t for pid directory and fowner capability
      Postfix deferred queue should not mark mails as postfix_spool_maildrop_t
      Running qemu with SDL support requires more xserver-related privileges
      Fix typo in clockspeed comment
      Support openvpn status file
      Asterisk voicemail messages are generated from tmp
      Make rtkit calls optional
      Gentoo installs dovecot certs in /etc/ssl/dovecot
      Moving sandbox code to sandbox section (v2)
      Allow sandbox to log violations
      Use rw_fifo_file_perms
      Apache should not depend on gpg
      Named init script creates rundir
      Add ~/.maildir as a valid maildir destination
      Support stunnel_read_config for startup
      Updates on stunnel policy
      More .maildir fixes
      Mark make.profile entry as portage_conf_t (v2)
      Move mta call (coding style)
      Changes to puppet domain
      Allow rpc admin to run exportfs
      Grant sys_admin capability to puppet
      Puppet module helper scripts are puppet_var_lib_t
      Support netlink_route_socket creation for puppet
      Puppet initscript creates /run/puppet
      Puppet runs statfs against selinuxfs
      mplayer streams HTTP resources
      fcron and fcronsighup binaries are moved
      Asterisk needs to search through logs
      Denial in mail log on node bind
      Fix typo in mcelog_admin (missing bracket)
      Add in contexts for fcron rm.systab and systab.tmp
      Remove pulseaudio filename_trans conflict
      Allow asterisk admins to execute asterisk binary directly
      Support tagfiles for consolekit
      ConsoleKit needs to read the dbus machine-id
      File context updates for courier-imap
      Update on file contexts for OpenLDAP
      Update on file contexts for wpa_supplicant
      Allow IRC clients to read certificates
      Allow reading /proc/self for fail2ban due to FAM support
      Update file contexts for puppet
      Support ~/.tmux.conf as tmux configuration file
      Add setuid/setgid capability to ulogd_t
      Support tmux control socket
      Postfix creates defer(red) queue locations