Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy

Conflicts:
	policy/modules/system/iscsi.fc

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 26c13f295b27105bcfc8f4154e6b2415145d3378..2354089fe6eff2cd1f33cda7dbcfb4fce2eab1a0 100644 (file)
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -205,6 +205,7 @@ ifdef(`distro_redhat',`
 # /sys
 #
 /sys(/.*)?                     gen_context(system_u:object_r:sysfs_t,s0)
+/sys/devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
 
 /usr/lib/udev/devices(/.*)?            gen_context(system_u:object_r:device_t,s0)
 /usr/lib/udev/devices/lp.*     -c      gen_context(system_u:object_r:printer_device_t,s0)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 112bebba737fc00c21a5b474263bd505b3d24392..8f727be38790be3beb2df815454de53f59023e7d 100644 (file)
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -226,8 +226,8 @@ fs_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
 
 type cpu_online_t;
-allow cpu_online_t sysfs_t:filesystem associate;
-genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
+files_type(cpu_online_t)
+dev_associate_sysfs(cpu_online_t)
 
 #
 # Type for /dev/tpm

diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
index 7be4ddf74d1ad2d8a6637563e88bc3146a2a96b6..f7021a0083c2466cf254c9df7259e77aa345dbbc 100644 (file)
--- a/policy/modules/kernel/kernel.fc
+++ b/policy/modules/kernel/kernel.fc
@@ -1 +1,2 @@
-# This module currently does not have any file contexts.
+
+/sys/class/net/ib.*            gen_context(system_u:object_r:sysctl_net_t,s0)

diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index ec553147d92da2369a643285745801342d55ded4..3059bd2a94422e65e85cda57f35c561a4db82800 100644 (file)
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
@@ -76,6 +76,7 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file)
 
 # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
 term_use_unallocated_ttys(apcupsd_t)
+term_use_usb_ttys(apcupsd_t)
 
 #apcupsd runs shutdown, probably need a shutdown domain
 init_rw_utmp(apcupsd_t)

diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index 4c188f9990259e4a98ae3eacc13023a55dd80716..999b986385fd5a0c65226c04b5abbfacbf7854bd 100644 (file)
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -117,6 +117,10 @@ optional_policy(`
        clamav_search_lib(procmail_t)
 ')
 
+optional_policy(`
+       gnome_manage_data(procmail_t)
+')
+
 optional_policy(`
        munin_dontaudit_search_lib(procmail_t)
 ')

diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 372f91817791940ad28ada7d1d56c0defb4c3717..1896e202d65e395bc7a1bff4bc8f030bfc05afba 100644 (file)
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -131,6 +131,7 @@ optional_policy(`
 #
 
 allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+dontaudit nfsd_t self:capability sys_rawio;
 
 allow nfsd_t exports_t:file read_file_perms;
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;