[selinux-policy/f16] - Turn on allow_domain_fd_use boolean on F16 - Allow syslog to manage all log files - Add use_fusefs
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Aug 11 14:42:39 UTC 2011
commit 24f58d74f7900781062cd2c102373b59c6b81f46
Author: Miroslav <mgrepl at redhat.com>
Date: Thu Aug 11 16:42:14 2011 +0200
- Turn on allow_domain_fd_use boolean on F16
- Allow syslog to manage all log files
- Add use_fusefs_home_dirs boolean for chrome
- Make vdagent working with confined users
- Add abrt_handle_event_t domain for ABRT event scripts
- Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change
- Allow httpd_git_script_t to read passwd data
- Allow openvpn to set its process priority when the nice parameter is used
policy-F16.patch | 1331 +++++++++++++++++++++++++++++++++++++--------------
selinux-policy.spec | 12 +-
2 files changed, 977 insertions(+), 366 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 5fd713e..02d58d6 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1966,7 +1966,7 @@ index b4ac57e..ef944a4 100644
logging_send_syslog_msg(readahead_t)
logging_set_audit_parameters(readahead_t)
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index b206bf6..bbd902f 100644
+index b206bf6..b11df05 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@@ -7,6 +7,7 @@
@@ -1977,9 +1977,11 @@ index b206bf6..bbd902f 100644
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -25,8 +26,12 @@ ifdef(`distro_redhat', `
+@@ -24,9 +25,14 @@ ifdef(`distro_redhat', `
+ /usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/rhnreg_ks -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -1990,7 +1992,7 @@ index b206bf6..bbd902f 100644
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-@@ -36,6 +41,8 @@ ifdef(`distro_redhat', `
+@@ -36,6 +42,8 @@ ifdef(`distro_redhat', `
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
@@ -2196,7 +2198,7 @@ index d33daa8..8ba0f86 100644
+ allow rpm_script_t $1:process sigchld;
+')
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..fdbf07c 100644
+index 47a8f7d..0d42e00 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,10 +1,11 @@
@@ -2212,16 +2214,17 @@ index 47a8f7d..fdbf07c 100644
type debuginfo_exec_t;
domain_entry_file(rpm_t, debuginfo_exec_t)
-@@ -76,6 +77,8 @@ allow rpm_t self:shm create_shm_perms;
+@@ -76,6 +77,9 @@ allow rpm_t self:shm create_shm_perms;
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
+allow rpm_t self:dir search;
+allow rpm_t self:file rw_file_perms;;
++allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t, rpm_log_t, file)
-@@ -101,13 +104,16 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
+@@ -101,13 +105,16 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
@@ -2239,7 +2242,7 @@ index 47a8f7d..fdbf07c 100644
corecmd_exec_all_executables(rpm_t)
-@@ -127,6 +133,18 @@ corenet_sendrecv_all_client_packets(rpm_t)
+@@ -127,6 +134,18 @@ corenet_sendrecv_all_client_packets(rpm_t)
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
@@ -2258,7 +2261,7 @@ index 47a8f7d..fdbf07c 100644
fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t)
-@@ -154,8 +172,8 @@ storage_raw_read_fixed_disk(rpm_t)
+@@ -154,8 +173,8 @@ storage_raw_read_fixed_disk(rpm_t)
term_list_ptys(rpm_t)
@@ -2269,7 +2272,7 @@ index 47a8f7d..fdbf07c 100644
auth_dontaudit_read_shadow(rpm_t)
auth_use_nsswitch(rpm_t)
-@@ -173,11 +191,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+@@ -173,11 +192,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
domain_dontaudit_getattr_all_raw_sockets(rpm_t)
domain_dontaudit_getattr_all_stream_sockets(rpm_t)
domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
@@ -2283,7 +2286,7 @@ index 47a8f7d..fdbf07c 100644
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
-@@ -189,7 +209,7 @@ logging_send_syslog_msg(rpm_t)
+@@ -189,7 +210,7 @@ logging_send_syslog_msg(rpm_t)
seutil_manage_src_policy(rpm_t)
seutil_manage_bin_policy(rpm_t)
@@ -2292,7 +2295,7 @@ index 47a8f7d..fdbf07c 100644
userdom_use_unpriv_users_fds(rpm_t)
optional_policy(`
-@@ -207,6 +227,7 @@ optional_policy(`
+@@ -207,6 +228,7 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(rpm_t)
')
@@ -2300,7 +2303,7 @@ index 47a8f7d..fdbf07c 100644
')
optional_policy(`
-@@ -214,7 +235,7 @@ optional_policy(`
+@@ -214,7 +236,7 @@ optional_policy(`
')
optional_policy(`
@@ -2309,15 +2312,26 @@ index 47a8f7d..fdbf07c 100644
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
unconfined_dbus_chat(rpm_script_t)
-@@ -261,6 +282,7 @@ kernel_read_crypto_sysctls(rpm_script_t)
+@@ -257,12 +279,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+ fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+ can_exec(rpm_script_t, rpm_script_tmpfs_t)
+
++allow rpm_script_t rpm_t:netlink_route_socket { read write };
++
+ kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
kernel_read_network_state(rpm_script_t)
+kernel_list_all_proc(rpm_script_t)
kernel_read_software_raid_state(rpm_script_t)
++# needed by rhn_check
++corenet_tcp_connect_http_port(rpm_script_t)
++
dev_list_sysfs(rpm_script_t)
-@@ -299,15 +321,17 @@ storage_raw_write_fixed_disk(rpm_script_t)
+
+ # ideally we would not need this
+@@ -299,15 +327,17 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
@@ -2338,7 +2352,7 @@ index 47a8f7d..fdbf07c 100644
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
-@@ -332,18 +356,18 @@ logging_send_syslog_msg(rpm_script_t)
+@@ -332,18 +362,18 @@ logging_send_syslog_msg(rpm_script_t)
miscfiles_read_localization(rpm_script_t)
@@ -2360,7 +2374,7 @@ index 47a8f7d..fdbf07c 100644
')
')
-@@ -368,6 +392,11 @@ optional_policy(`
+@@ -368,6 +398,11 @@ optional_policy(`
')
optional_policy(`
@@ -2372,7 +2386,7 @@ index 47a8f7d..fdbf07c 100644
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
')
-@@ -377,8 +406,9 @@ optional_policy(`
+@@ -377,8 +412,9 @@ optional_policy(`
')
optional_policy(`
@@ -3692,10 +3706,10 @@ index 0000000..bacc639
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..9f6478c
+index 0000000..22ddda5
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,124 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -3810,6 +3824,13 @@ index 0000000..9f6478c
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+')
+
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_search_fusefs(chrome_sandbox_t)
++ fs_read_fusefs_files(chrome_sandbox_t)
++ fs_exec_fusefs_files(chrome_sandbox_t)
++ fs_read_fusefs_symlinks(chrome_sandbox_t)
++')
++
+optional_policy(`
+ sandbox_use_ptys(chrome_sandbox_t)
+')
@@ -13610,7 +13631,7 @@ index 6a1e4d1..cf3d50b 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..da927bb 100644
+index fae1ab1..1c54937 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -13623,7 +13644,7 @@ index fae1ab1..da927bb 100644
+## </p>
+## </desc>
+#
-+gen_tunable(allow_domain_fd_use, false)
++gen_tunable(allow_domain_fd_use, true)
+
+## <desc>
+## <p>
@@ -13908,7 +13929,7 @@ index c19518a..b630279c 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..367d234 100644
+index ff006ea..ff0c14f 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -14048,7 +14069,32 @@ index ff006ea..367d234 100644
')
########################################
-@@ -1848,7 +1934,7 @@ interface(`files_boot_filetrans',`
+@@ -1660,6 +1746,24 @@ interface(`files_delete_root_dir_entry',`
+
+ ########################################
+ ## <summary>
++## Set attributes of the root directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_setattr_root_dirs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ allow $1 root_t:dir setattr_dir_perms;
++')
++
++########################################
++## <summary>
+ ## Unmount a rootfs filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -1848,7 +1952,7 @@ interface(`files_boot_filetrans',`
type boot_t;
')
@@ -14057,7 +14103,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -2372,6 +2458,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2372,6 +2476,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -14082,7 +14128,7 @@ index ff006ea..367d234 100644
##########################################
## <summary>
## Manage generic directories in /etc
-@@ -2451,7 +2555,7 @@ interface(`files_read_etc_files',`
+@@ -2451,7 +2573,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -14091,7 +14137,7 @@ index ff006ea..367d234 100644
## </summary>
## </param>
#
-@@ -2525,6 +2629,24 @@ interface(`files_delete_etc_files',`
+@@ -2525,6 +2647,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
@@ -14116,7 +14162,7 @@ index ff006ea..367d234 100644
## Execute generic files in /etc.
## </summary>
## <param name="domain">
-@@ -2624,7 +2746,7 @@ interface(`files_etc_filetrans',`
+@@ -2624,7 +2764,7 @@ interface(`files_etc_filetrans',`
type etc_t;
')
@@ -14125,7 +14171,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -2680,24 +2802,6 @@ interface(`files_delete_boot_flag',`
+@@ -2680,24 +2820,6 @@ interface(`files_delete_boot_flag',`
########################################
## <summary>
@@ -14150,7 +14196,7 @@ index ff006ea..367d234 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -2738,6 +2842,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2738,6 +2860,24 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
@@ -14175,7 +14221,7 @@ index ff006ea..367d234 100644
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
-@@ -2775,6 +2897,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2775,6 +2915,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -14183,7 +14229,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -3364,7 +3487,7 @@ interface(`files_home_filetrans',`
+@@ -3364,7 +3505,7 @@ interface(`files_home_filetrans',`
type home_root_t;
')
@@ -14192,7 +14238,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -3502,20 +3625,38 @@ interface(`files_list_mnt',`
+@@ -3502,20 +3643,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@@ -14236,7 +14282,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -3900,6 +4041,99 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,6 +4059,99 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -14336,7 +14382,7 @@ index ff006ea..367d234 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -3945,7 +4179,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -3945,7 +4197,7 @@ interface(`files_getattr_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -14345,7 +14391,7 @@ index ff006ea..367d234 100644
## </summary>
## </param>
#
-@@ -4017,7 +4251,7 @@ interface(`files_list_tmp',`
+@@ -4017,7 +4269,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -14354,7 +14400,7 @@ index ff006ea..367d234 100644
## </summary>
## </param>
#
-@@ -4029,6 +4263,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4281,24 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -14379,7 +14425,7 @@ index ff006ea..367d234 100644
########################################
## <summary>
## Remove entries from the tmp directory.
-@@ -4085,6 +4337,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4085,6 +4355,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -14412,11 +14458,79 @@ index ff006ea..367d234 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4139,6 +4417,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4139,7 +4435,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
+-## Set the attributes of all tmp directories.
+## Relabel a dir from the type used in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4147,17 +4443,17 @@ interface(`files_rw_generic_tmp_sockets',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_setattr_all_tmp_dirs',`
++interface(`files_relabelfrom_tmp_dirs',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir { search_dir_perms setattr };
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## List all tmp directories.
++## Relabel a file from the type used in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4165,33 +4461,69 @@ interface(`files_setattr_all_tmp_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_all_tmp',`
++interface(`files_relabelfrom_tmp_files',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir list_dir_perms;
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Relabel to and from all temporary
+-## directory types.
++## Set the attributes of all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_dirs',`
++interface(`files_setattr_all_tmp_dirs',`
+ gen_require(`
+ attribute tmpfile;
+- type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
++ allow $1 tmpfile:dir { search_dir_perms setattr };
++')
++
++########################################
++## <summary>
++## List all tmp directories.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -14424,38 +14538,37 @@ index ff006ea..367d234 100644
+## </summary>
+## </param>
+#
-+interface(`files_relabelfrom_tmp_dirs',`
++interface(`files_list_all_tmp',`
+ gen_require(`
-+ type tmp_t;
++ attribute tmpfile;
+ ')
+
-+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++ allow $1 tmpfile:dir list_dir_perms;
+')
+
+########################################
+## <summary>
-+## Relabel a file from the type used in /tmp.
++## Relabel to and from all temporary
++## directory types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
++## <rolecap/>
+#
-+interface(`files_relabelfrom_tmp_files',`
++interface(`files_relabel_all_tmp_dirs',`
+ gen_require(`
-+ type tmp_t;
++ attribute tmpfile;
++ type var_t;
+ ')
+
-+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+## <summary>
- ## Set the attributes of all tmp directories.
- ## </summary>
- ## <param name="domain">
-@@ -4202,7 +4516,7 @@ interface(`files_relabel_all_tmp_dirs',`
++ allow $1 var_t:dir search_dir_perms;
+ relabel_dirs_pattern($1, tmpfile, tmpfile)
+ ')
+
+@@ -4202,7 +4534,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -14464,7 +14577,7 @@ index ff006ea..367d234 100644
## </summary>
## </param>
#
-@@ -4262,7 +4576,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4594,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -14473,7 +14586,7 @@ index ff006ea..367d234 100644
## </summary>
## </param>
#
-@@ -4318,7 +4632,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4650,7 @@ interface(`files_tmp_filetrans',`
type tmp_t;
')
@@ -14482,7 +14595,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -4342,6 +4656,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4674,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -14499,7 +14612,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -4681,7 +5005,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5023,7 @@ interface(`files_usr_filetrans',`
type usr_t;
')
@@ -14508,7 +14621,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -5084,7 +5408,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5426,7 @@ interface(`files_var_filetrans',`
type var_t;
')
@@ -14517,7 +14630,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -5219,7 +5543,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5561,7 @@ interface(`files_var_lib_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -14526,11 +14639,10 @@ index ff006ea..367d234 100644
')
########################################
-@@ -5304,7 +5628,26 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5646,25 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
--## Search the locks directory (/var/lock).
+## List generic lock directories.
+## </summary>
+## <param name="domain">
@@ -14550,11 +14662,10 @@ index ff006ea..367d234 100644
+
+########################################
+## <summary>
-+## Search the locks directory (/var/lock).
+ ## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
- ## <summary>
-@@ -5317,6 +5660,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5678,8 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -14563,7 +14674,7 @@ index ff006ea..367d234 100644
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5336,12 +5681,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5699,14 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
@@ -14579,7 +14690,7 @@ index ff006ea..367d234 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5349,12 +5696,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5714,30 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -14591,8 +14702,7 @@ index ff006ea..367d234 100644
+ files_search_locks($1)
+ allow $1 var_lock_t:dir create_dir_perms;
+')
-
-- list_dirs_pattern($1, var_t, var_lock_t)
++
+########################################
+## <summary>
+## Set the attributes of the /var/lock directory.
@@ -14607,12 +14717,13 @@ index ff006ea..367d234 100644
+ gen_require(`
+ type var_lock_t;
+ ')
-+
+
+- list_dirs_pattern($1, var_t, var_lock_t)
+ allow $1 var_lock_t:dir setattr;
')
########################################
-@@ -5373,6 +5738,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5756,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -14620,7 +14731,7 @@ index ff006ea..367d234 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5385,7 +5751,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5769,6 @@ interface(`files_rw_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -14628,7 +14739,7 @@ index ff006ea..367d234 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5412,7 +5777,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5795,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -14637,7 +14748,7 @@ index ff006ea..367d234 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5428,12 +5793,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5811,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -14654,7 +14765,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -5452,7 +5817,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5835,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -14663,7 +14774,7 @@ index ff006ea..367d234 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5493,7 +5858,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +5876,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -14672,7 +14783,7 @@ index ff006ea..367d234 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +5880,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +5898,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -14681,7 +14792,7 @@ index ff006ea..367d234 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +5912,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +5930,8 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -14692,7 +14803,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -5608,6 +5973,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +5991,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -14736,7 +14847,7 @@ index ff006ea..367d234 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5736,7 +6138,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6156,7 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -14745,190 +14856,380 @@ index ff006ea..367d234 100644
')
########################################
-@@ -5815,6 +6217,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,29 +6235,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
+-## Read all process ID files.
+## Relable all pid directories
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_read_all_pids',`
+interface(`files_relabel_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
+ gen_require(`
+ attribute pidfile;
+- type var_t;
+ ')
+
+- list_dirs_pattern($1, var_t, pidfile)
+- read_files_pattern($1, pidfile, pidfile)
+ relabel_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Mount filesystems on all polyinstantiation
+-## member directories.
+## Delete all pid sockets
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5845,42 +6261,35 @@ interface(`files_read_all_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
+interface(`files_delete_all_pid_sockets',`
-+ gen_require(`
+ gen_require(`
+- attribute polymember;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- allow $1 polymember:dir mounton;
+ allow $1 pidfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete all process IDs.
+## Create all pid sockets
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_delete_all_pids',`
+interface(`files_create_all_pid_sockets',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:dir rmdir;
+- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+- delete_files_pattern($1, pidfile, pidfile)
+- delete_fifo_files_pattern($1, pidfile, pidfile)
+- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ allow $1 pidfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete all process ID directories.
+## Create all pid named pipes
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5888,20 +6297,17 @@ interface(`files_delete_all_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_delete_all_pid_dirs',`
+interface(`files_create_all_pid_pipes',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
+ gen_require(`
+ attribute pidfile;
+- type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- delete_dirs_pattern($1, pidfile, pidfile)
+ allow $1 pidfile:fifo_file create_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the contents of generic spool
+-## directories (/var/spool).
+## Delete all pid named pipes
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5909,56 +6315,59 @@ interface(`files_delete_all_pid_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_search_spool',`
+interface(`files_delete_all_pid_pipes',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- search_dirs_pattern($1, var_t, var_spool_t)
+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search generic
+-## spool directories.
+## manage all pidfile directories
+## in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_spool',`
+interface(`files_manage_all_pid_dirs',`
-+ gen_require(`
+ gen_require(`
+- type var_spool_t;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_spool_t:dir search_dir_perms;
+ manage_dirs_pattern($1,pidfile,pidfile)
-+')
-+
+ ')
+
+
-+########################################
-+## <summary>
- ## Read all process ID files.
+ ########################################
+ ## <summary>
+-## List the contents of generic spool
+-## (/var/spool) directories.
++## Read all process ID files.
## </summary>
## <param name="domain">
-@@ -5832,6 +6344,62 @@ interface(`files_read_all_pids',`
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_list_spool',`
++interface(`files_read_all_pids',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
++ type var_t;
+ ')
- list_dirs_pattern($1, var_t, pidfile)
- read_files_pattern($1, pidfile, pidfile)
+- list_dirs_pattern($1, var_t, var_spool_t)
++ list_dirs_pattern($1, var_t, pidfile)
++ read_files_pattern($1, pidfile, pidfile)
+ read_lnk_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete generic
+-## spool directories (/var/spool).
+## Relable all pid files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5966,18 +6375,17 @@ interface(`files_list_spool',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool_dirs',`
+interface(`files_relabel_all_pid_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_dirs_pattern($1, var_spool_t, var_spool_t)
+ relabel_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic spool files.
+## Execute generic programs in /var/run in the caller domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5985,19 +6393,18 @@ interface(`files_manage_generic_spool_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_generic_spool',`
+interface(`files_exec_generic_pid_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ type var_run_t;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
+- read_files_pattern($1, var_spool_t, var_spool_t)
+ exec_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete generic
+-## spool files.
+## manage all pidfiles
+## in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6005,104 +6412,61 @@ interface(`files_read_generic_spool',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool',`
+interface(`files_manage_all_pids',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_spool_t, var_spool_t)
+ manage_files_pattern($1,pidfile,pidfile)
')
########################################
-@@ -5900,6 +6468,90 @@ interface(`files_delete_all_pid_dirs',`
+ ## <summary>
+-## Create objects in the spool directory
+-## with a private type with a type transition.
++## Mount filesystems on all polyinstantiation
++## member directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="file">
+-## <summary>
+-## Type to which the created node will be transitioned.
+-## </summary>
+-## </param>
+-## <param name="class">
+-## <summary>
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+-## </summary>
+-## </param>
+ #
+-interface(`files_spool_filetrans',`
++interface(`files_mounton_all_poly_members',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute polymember;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3)
++ allow $1 polymember:dir mounton;
+ ')
+
+ ########################################
+ ## <summary>
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
++## Delete all process IDs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_polyinstantiate_all',`
++interface(`files_delete_all_pids',`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
++ attribute pidfile;
++ type var_t, var_run_t;
+ ')
+
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
+-
+- # Need to give access to parent directories where original
+- # is remounted for polyinstantiation aware programs (like gdm)
+- allow $1 polyparent:dir { getattr mounton };
+-
+- # Need to give permission to create directories where applicable
+- allow $1 self:process setfscreate;
+- allow $1 polymember: dir { create setattr relabelto };
+- allow $1 polydir: dir { write add_name open };
+- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+- # Default type for mountpoints
+- allow $1 poly_t:dir { create mounton };
+- fs_unmount_xattr_fs($1)
+-
+- fs_mount_tmpfs($1)
+- fs_unmount_tmpfs($1)
+-
+- ifdef(`distro_redhat',`
+- # namespace.init
+- files_search_tmp($1)
+- files_search_home($1)
+- corecmd_exec_bin($1)
+- seutil_domtrans_setfiles($1)
+- ')
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir rmdir;
++ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++ delete_files_pattern($1, pidfile, pidfile)
++ delete_fifo_files_pattern($1, pidfile, pidfile)
++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ ')
########################################
## <summary>
+-## Unconfined access to files.
++## Delete all process ID directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6110,10 +6474,597 @@ interface(`files_polyinstantiate_all',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_unconfined',`
++interface(`files_delete_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
++ type var_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ delete_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
+## Make the specified type a file
+## used for spool files.
+## </summary>
@@ -15013,19 +15314,220 @@ index ff006ea..367d234 100644
+
+########################################
+## <summary>
- ## Search the contents of generic spool
- ## directories (/var/spool).
- ## </summary>
-@@ -6042,7 +6694,7 @@ interface(`files_spool_filetrans',`
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3)
++## Search the contents of generic spool
++## directories (/var/spool).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_search_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ search_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to search generic
++## spool directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_search_spool',`
++ gen_require(`
++ type var_spool_t;
++ ')
++
++ dontaudit $1 var_spool_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++## List the contents of generic spool
++## (/var/spool) directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_list_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ list_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete generic
++## spool directories (/var/spool).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_manage_generic_spool_dirs',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_dirs_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++## Read generic spool files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_read_generic_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ list_dirs_pattern($1, var_t, var_spool_t)
++ read_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete generic
++## spool files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_manage_generic_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++## Create objects in the spool directory
++## with a private type with a type transition.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="file">
++## <summary>
++## Type to which the created node will be transitioned.
++## </summary>
++## </param>
++## <param name="class">
++## <summary>
++## Object class(es) (single or set including {}) for which this
++## the transition will occur.
++## </summary>
++## </param>
++#
++interface(`files_spool_filetrans',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
- ')
-
- ########################################
-@@ -6117,3 +6769,284 @@ interface(`files_unconfined',`
++')
++
++########################################
++## <summary>
++## Allow access to manage all polyinstantiated
++## directories on the system.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_polyinstantiate_all',`
++ gen_require(`
++ attribute polydir, polymember, polyparent;
++ type poly_t;
++ ')
++
++ # Need to give access to /selinux/member
++ selinux_compute_member($1)
++
++ # Need sys_admin capability for mounting
++ allow $1 self:capability { chown fsetid sys_admin fowner };
++
++ # Need to give access to the directories to be polyinstantiated
++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
++
++ # Need to give access to the polyinstantiated subdirectories
++ allow $1 polymember:dir search_dir_perms;
++
++ # Need to give access to parent directories where original
++ # is remounted for polyinstantiation aware programs (like gdm)
++ allow $1 polyparent:dir { getattr mounton };
++
++ # Need to give permission to create directories where applicable
++ allow $1 self:process setfscreate;
++ allow $1 polymember: dir { create setattr relabelto };
++ allow $1 polydir: dir { write add_name open };
++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++
++ # Default type for mountpoints
++ allow $1 poly_t:dir { create mounton };
++ fs_unmount_xattr_fs($1)
++
++ fs_mount_tmpfs($1)
++ fs_unmount_tmpfs($1)
++
++ ifdef(`distro_redhat',`
++ # namespace.init
++ files_search_tmp($1)
++ files_search_home($1)
++ corecmd_exec_bin($1)
++ seutil_domtrans_setfiles($1)
++ ')
++')
++
++########################################
++## <summary>
++## Unconfined access to files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_unconfined',`
+ gen_require(`
+ attribute files_unconfined_type;
+ ')
typeattribute $1 files_unconfined_type;
')
@@ -19987,10 +20489,10 @@ index e88b95f..0eb55db 100644
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
-index 1bd5812..b3631d6 100644
+index 1bd5812..0d7d8d1 100644
--- a/policy/modules/services/abrt.fc
+++ b/policy/modules/services/abrt.fc
-@@ -1,11 +1,9 @@
+@@ -1,13 +1,13 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
@@ -20002,8 +20504,12 @@ index 1bd5812..b3631d6 100644
-
/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
++
/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-@@ -15,6 +13,19 @@
+ /var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+
+@@ -15,6 +15,19 @@
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -20212,10 +20718,10 @@ index 0b827c5..e03a970 100644
+ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..d141931 100644
+index 30861ec..e96a565 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
-@@ -5,7 +5,17 @@ policy_module(abrt, 1.2.0)
+@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
# Declarations
#
@@ -20228,13 +20734,21 @@ index 30861ec..d141931 100644
+## </desc>
+gen_tunable(abrt_anon_write, false)
+
++## <desc>
++## <p>
++## Allow ABRT to run in abrt_handle_event_t domain
++## to handle ABRT event scripts
++## </p>
++## </desc>
++gen_tunable(abrt_handle_event, false)
++
+attribute abrt_domain;
+
+type abrt_t, abrt_domain;
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)
-@@ -32,9 +42,15 @@ files_type(abrt_var_cache_t)
+@@ -32,9 +50,24 @@ files_type(abrt_var_cache_t)
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -20244,6 +20758,15 @@ index 30861ec..d141931 100644
+
+permissive abrt_dump_oops_t;
+
++# type for abrt-handle-event to handle
++# ABRT event scripts
++type abrt_handle_event_t, abrt_domain;
++type abrt_handle_event_exec_t;
++application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
++role system_r types abrt_handle_event_t;
++
++permissive abrt_handle_event_t;
++
# type needed to allow all domains
# to handle /var/cache/abrt
-type abrt_helper_t;
@@ -20251,7 +20774,7 @@ index 30861ec..d141931 100644
type abrt_helper_exec_t;
application_domain(abrt_helper_t, abrt_helper_exec_t)
role system_r types abrt_helper_t;
-@@ -43,14 +59,37 @@ ifdef(`enable_mcs',`
+@@ -43,14 +76,37 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')
@@ -20291,7 +20814,7 @@ index 30861ec..d141931 100644
allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -59,6 +98,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
+@@ -59,6 +115,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
# abrt etc files
@@ -20299,7 +20822,7 @@ index 30861ec..d141931 100644
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
# log file
-@@ -69,6 +109,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -69,6 +126,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -20307,7 +20830,7 @@ index 30861ec..d141931 100644
# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,10 +123,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,10 +140,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -20319,7 +20842,7 @@ index 30861ec..d141931 100644
kernel_rw_kernel_sysctl(abrt_t)
corecmd_exec_bin(abrt_t)
-@@ -104,6 +144,7 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +161,7 @@ corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
@@ -20327,7 +20850,7 @@ index 30861ec..d141931 100644
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +154,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +171,8 @@ domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
@@ -20337,7 +20860,7 @@ index 30861ec..d141931 100644
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -121,6 +163,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +180,8 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
@@ -20346,7 +20869,7 @@ index 30861ec..d141931 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,15 +175,23 @@ fs_read_nfs_files(abrt_t)
+@@ -131,15 +192,23 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -20373,7 +20896,7 @@ index 30861ec..d141931 100644
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +202,11 @@ optional_policy(`
+@@ -150,6 +219,11 @@ optional_policy(`
')
optional_policy(`
@@ -20385,7 +20908,7 @@ index 30861ec..d141931 100644
policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
-@@ -167,6 +224,7 @@ optional_policy(`
+@@ -167,6 +241,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -20393,7 +20916,7 @@ index 30861ec..d141931 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,12 +236,18 @@ optional_policy(`
+@@ -178,12 +253,35 @@ optional_policy(`
')
optional_policy(`
@@ -20406,6 +20929,23 @@ index 30861ec..d141931 100644
sssd_stream_connect(abrt_t)
')
++#######################################
++#
++# abrt-handle-event local policy
++#
++
++allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
++
++tunable_policy(`abrt_handle_event',`
++ domtrans_pattern(abrt_t, abrt_handle_event_exec_t, abrt_handle_event_t)
++',`
++ can_exec(abrt_t, abrt_handle_event_exec_t)
++')
++
++optional_policy(`
++ unconfined_domain(abrt_handle_event_t)
++')
++
########################################
#
-# abrt--helper local policy
@@ -20413,7 +20953,7 @@ index 30861ec..d141931 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +264,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +298,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -20442,7 +20982,7 @@ index 30861ec..d141931 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +287,126 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +321,126 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -20460,7 +21000,7 @@ index 30861ec..d141931 100644
+ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
-+')
+ ')
+
+#######################################
+#
@@ -20495,7 +21035,7 @@ index 30861ec..d141931 100644
+ rpm_manage_pid_files(abrt_retrace_coredump_t)
+ rpm_read_db(abrt_retrace_coredump_t)
+ rpm_signull(abrt_retrace_coredump_t)
- ')
++')
+
+#######################################
+#
@@ -29829,7 +30369,7 @@ index f706b99..0d4a2ea 100644
+ files_list_pids($1)
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..44d8969 100644
+index f231f17..4506fa3 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
@@ -29842,7 +30382,7 @@ index f231f17..44d8969 100644
########################################
#
# DeviceKit local policy
-@@ -75,10 +78,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -75,10 +78,13 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
@@ -29852,10 +30392,11 @@ index f231f17..44d8969 100644
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
+kernel_list_unlabeled(devicekit_disk_t)
++kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
kernel_getattr_message_if(devicekit_disk_t)
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
-@@ -97,6 +102,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
+@@ -97,6 +103,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t)
dev_getattr_all_chr_files(devicekit_disk_t)
dev_getattr_mtrr_dev(devicekit_disk_t)
@@ -29863,7 +30404,7 @@ index f231f17..44d8969 100644
domain_getattr_all_pipes(devicekit_disk_t)
domain_getattr_all_sockets(devicekit_disk_t)
-@@ -105,14 +111,17 @@ domain_read_all_domains_state(devicekit_disk_t)
+@@ -105,14 +112,17 @@ domain_read_all_domains_state(devicekit_disk_t)
files_dontaudit_read_all_symlinks(devicekit_disk_t)
files_getattr_all_sockets(devicekit_disk_t)
@@ -29882,7 +30423,7 @@ index f231f17..44d8969 100644
fs_list_inotifyfs(devicekit_disk_t)
fs_manage_fusefs_dirs(devicekit_disk_t)
fs_mount_all_fs(devicekit_disk_t)
-@@ -127,7 +136,7 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -127,7 +137,7 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
@@ -29891,7 +30432,7 @@ index f231f17..44d8969 100644
auth_use_nsswitch(devicekit_disk_t)
-@@ -178,33 +187,53 @@ optional_policy(`
+@@ -178,33 +188,53 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -29948,7 +30489,7 @@ index f231f17..44d8969 100644
domain_read_all_domains_state(devicekit_power_t)
dev_read_input(devicekit_power_t)
-@@ -212,21 +241,29 @@ dev_rw_generic_usb_dev(devicekit_power_t)
+@@ -212,21 +242,29 @@ dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_generic_chr_files(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
@@ -29979,7 +30520,7 @@ index f231f17..44d8969 100644
userdom_read_all_users_state(devicekit_power_t)
-@@ -235,6 +272,10 @@ optional_policy(`
+@@ -235,6 +273,10 @@ optional_policy(`
')
optional_policy(`
@@ -29990,7 +30531,7 @@ index f231f17..44d8969 100644
cron_initrc_domtrans(devicekit_power_t)
')
-@@ -261,14 +302,21 @@ optional_policy(`
+@@ -261,14 +303,21 @@ optional_policy(`
')
optional_policy(`
@@ -30013,7 +30554,7 @@ index f231f17..44d8969 100644
policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
-@@ -276,9 +324,25 @@ optional_policy(`
+@@ -276,9 +325,25 @@ optional_policy(`
')
optional_policy(`
@@ -33723,10 +34264,10 @@ index 458aac6..8e83609 100644
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
-index 7382f85..03dba61 100644
+index 7382f85..2ef543c 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
-@@ -1,8 +1,195 @@
+@@ -1,8 +1,197 @@
-policy_module(git, 1.0)
+policy_module(git, 1.0.3)
+
@@ -33750,9 +34291,10 @@ index 7382f85..03dba61 100644
+## </p>
+## </desc>
+gen_tunable(git_system_use_nfs, false)
-+
-+########################################
-+#
+
+ ########################################
+ #
+-# Declarations
+# Git daemon global private declarations.
+#
+
@@ -33766,7 +34308,7 @@ index 7382f85..03dba61 100644
+role git_shell_r;
+
+########################################
-+#
+ #
+# Git daemon system private declarations.
+#
+
@@ -33836,7 +34378,8 @@ index 7382f85..03dba61 100644
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(git_domains)
+')
-+
+
+-apache_content_template(git)
+optional_policy(`
+ nis_use_ypbind(git_domains)
+')
@@ -33905,18 +34448,18 @@ index 7382f85..03dba61 100644
+ fs_list_cifs(git_session_t)
+ fs_read_cifs_files(git_session_t)
+')
-
- ########################################
- #
--# Declarations
++
++########################################
++#
+# cgi git Declarations
- #
-
--apache_content_template(git)
++#
++
+optional_policy(`
+ apache_content_template(git)
+ git_read_all_content_files(httpd_git_script_t)
+ files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
++
++ auth_use_nsswitch(httpd_git_script_t)
+')
+
+########################################
@@ -53187,13 +53730,30 @@ index 0000000..71d9784
+
diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if
new file mode 100644
-index 0000000..83336ab
+index 0000000..7647279
--- /dev/null
+++ b/policy/modules/services/vdagent.if
-@@ -0,0 +1,93 @@
+@@ -0,0 +1,128 @@
+
+## <summary>policy for vdagent</summary>
+
++#####################################
++## <summary>
++## Getattr on vdagent executable.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`vdagent_getattr_exec',`
++ gen_require(`
++ type vdagent_exec_t;
++ ')
++
++ allow $1 vdagent_exec_t:file getattr;
++')
+
+########################################
+## <summary>
@@ -53213,6 +53773,24 @@ index 0000000..83336ab
+ domtrans_pattern($1, vdagent_exec_t, vdagent_t)
+')
+
++#######################################
++## <summary>
++## Get the attributes of vdagent logs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`vdagent_getattr_log',`
++ gen_require(`
++ type vdagent_log_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 vdagent_log_t:file getattr_file_perms;
++')
+
+########################################
+## <summary>
@@ -58530,10 +59108,19 @@ index a97a096..ab1e16a 100644
/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index c28da1c..73883c4 100644
+index c28da1c..bf8ea27 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
-@@ -101,6 +101,8 @@ files_read_usr_files(fsadm_t)
+@@ -44,6 +44,8 @@ can_exec(fsadm_t, fsadm_exec_t)
+ allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
+ allow fsadm_t fsadm_tmp_t:file manage_file_perms;
+ files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
++files_create_boot_flag(fsadm_t)
++files_setattr_root_dirs(fsadm_t)
+
+ # log files
+ allow fsadm_t fsadm_log_t:dir setattr;
+@@ -101,6 +103,8 @@ files_read_usr_files(fsadm_t)
files_read_etc_files(fsadm_t)
files_manage_lost_found(fsadm_t)
files_manage_isid_type_dirs(fsadm_t)
@@ -58542,7 +59129,7 @@ index c28da1c..73883c4 100644
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
files_etc_filetrans_etc_runtime(fsadm_t, file)
-@@ -120,6 +122,9 @@ fs_list_auto_mountpoints(fsadm_t)
+@@ -120,6 +124,9 @@ fs_list_auto_mountpoints(fsadm_t)
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
@@ -58552,7 +59139,7 @@ index c28da1c..73883c4 100644
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
-@@ -133,10 +138,12 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,10 +140,12 @@ storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
@@ -58565,7 +59152,7 @@ index c28da1c..73883c4 100644
init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
init_dontaudit_getattr_initctl(fsadm_t)
-@@ -147,13 +154,13 @@ miscfiles_read_localization(fsadm_t)
+@@ -147,13 +156,13 @@ miscfiles_read_localization(fsadm_t)
seutil_read_config(fsadm_t)
@@ -58585,7 +59172,7 @@ index c28da1c..73883c4 100644
optional_policy(`
amanda_rw_dumpdates_files(fsadm_t)
-@@ -166,6 +173,11 @@ optional_policy(`
+@@ -166,6 +175,11 @@ optional_policy(`
')
optional_policy(`
@@ -58597,7 +59184,7 @@ index c28da1c..73883c4 100644
hal_dontaudit_write_log(fsadm_t)
')
-@@ -192,6 +204,10 @@ optional_policy(`
+@@ -192,6 +206,10 @@ optional_policy(`
')
optional_policy(`
@@ -61858,7 +62445,7 @@ index 831b909..57064ad 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..2674701 100644
+index b6ec597..0c27f81 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -20,6 +20,7 @@ files_security_file(auditd_log_t)
@@ -62018,7 +62605,15 @@ index b6ec597..2674701 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -496,11 +535,20 @@ optional_policy(`
+@@ -459,6 +498,7 @@ init_use_fds(syslogd_t)
+
+ # cjp: this doesnt make sense
+ logging_send_syslog_msg(syslogd_t)
++logging_manage_all_logs(syslogd_t)
+
+ miscfiles_read_localization(syslogd_t)
+
+@@ -496,11 +536,20 @@ optional_policy(`
')
optional_policy(`
@@ -66000,7 +66595,7 @@ index 025348a..c15e57c 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..4485816 100644
+index d88f7c3..6932809 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t)
@@ -66045,7 +66640,7 @@ index d88f7c3..4485816 100644
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -62,17 +69,15 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -62,17 +69,16 @@ can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
@@ -66054,7 +66649,9 @@ index d88f7c3..4485816 100644
-dev_filetrans(udev_t, udev_tbl_t, file)
-
list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
- read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+-read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
++manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)
++manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
@@ -66066,7 +66663,7 @@ index d88f7c3..4485816 100644
kernel_read_system_state(udev_t)
kernel_request_load_module(udev_t)
-@@ -87,6 +92,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
+@@ -87,6 +93,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
kernel_dgram_send(udev_t)
kernel_signal(udev_t)
kernel_search_debugfs(udev_t)
@@ -66074,7 +66671,7 @@ index d88f7c3..4485816 100644
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
-@@ -97,6 +103,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -97,6 +104,7 @@ corecmd_exec_all_executables(udev_t)
dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
@@ -66082,7 +66679,7 @@ index d88f7c3..4485816 100644
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
-@@ -105,21 +112,28 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -105,21 +113,28 @@ dev_relabel_all_dev_nodes(udev_t)
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
dev_manage_generic_symlinks(udev_t)
@@ -66112,7 +66709,7 @@ index d88f7c3..4485816 100644
mcs_ptrace_all(udev_t)
-@@ -143,6 +157,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,6 +158,7 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -66120,7 +66717,7 @@ index d88f7c3..4485816 100644
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
-@@ -169,6 +184,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -169,6 +185,8 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
@@ -66129,7 +66726,7 @@ index d88f7c3..4485816 100644
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_gentoo',`
-@@ -186,15 +203,16 @@ ifdef(`distro_redhat',`
+@@ -186,15 +204,16 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_chr_files(udev_t)
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
@@ -66150,7 +66747,7 @@ index d88f7c3..4485816 100644
')
optional_policy(`
-@@ -216,11 +234,16 @@ optional_policy(`
+@@ -216,11 +235,16 @@ optional_policy(`
')
optional_policy(`
@@ -66168,7 +66765,7 @@ index d88f7c3..4485816 100644
')
optional_policy(`
-@@ -230,10 +253,20 @@ optional_policy(`
+@@ -230,10 +254,20 @@ optional_policy(`
optional_policy(`
devicekit_read_pid_files(udev_t)
devicekit_dgram_send(udev_t)
@@ -66189,7 +66786,7 @@ index d88f7c3..4485816 100644
')
optional_policy(`
-@@ -259,6 +292,10 @@ optional_policy(`
+@@ -259,6 +293,10 @@ optional_policy(`
')
optional_policy(`
@@ -66200,7 +66797,7 @@ index d88f7c3..4485816 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -273,6 +310,11 @@ optional_policy(`
+@@ -273,6 +311,11 @@ optional_policy(`
')
optional_policy(`
@@ -66987,7 +67584,7 @@ index db75976..cca4cd1 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..6bd7bd2 100644
+index 4b2878a..76d6c05 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -68129,7 +68726,7 @@ index 4b2878a..6bd7bd2 100644
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
-@@ -978,32 +1238,76 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1238,71 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -68156,17 +68753,13 @@ index 4b2878a..6bd7bd2 100644
+
+ tunable_policy(`user_setrlimit',`
+ allow $1_usertype self:process setrlimit;
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ cdrecord_role($1_r, $1_t)
- ')
-
-- # Run pppd in pppd_t by default for user
- optional_policy(`
-- ppp_run_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ cron_role($1_r, $1_t)
+ ')
+
@@ -68196,29 +68789,36 @@ index 4b2878a..6bd7bd2 100644
+
+ optional_policy(`
+ mono_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
-- setroubleshoot_stream_connect($1_t)
-+ mount_run_fusermount($1_t, $1_r)
-+ mount_read_pid_files($1_t)
+ ')
+
+ optional_policy(`
-+ wine_role_template($1, $1_r, $1_t)
++ mount_run_fusermount($1_t, $1_r)
++ mount_read_pid_files($1_t)
+ ')
+
+ optional_policy(`
++ wine_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ postfix_run_postdrop($1_t, $1_r)
-+ ')
-+
-+ # Run pppd in pppd_t by default for user
-+ optional_policy(`
-+ ppp_run_cond($1_t, $1_r)
+ ')
+
+ # Run pppd in pppd_t by default for user
+@@ -1003,7 +1311,9 @@ template(`userdom_unpriv_user_template', `
+ ')
+
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
++ vdagent_getattr_log($1_t)
++ vdagent_getattr_exec($1_t)
++ vdagent_stream_connect($1_t)
')
')
-@@ -1039,7 +1343,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1349,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -68227,7 +68827,7 @@ index 4b2878a..6bd7bd2 100644
')
##############################
-@@ -1066,6 +1370,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1376,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -68235,7 +68835,7 @@ index 4b2878a..6bd7bd2 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1379,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1385,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -68245,7 +68845,7 @@ index 4b2878a..6bd7bd2 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1396,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1402,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -68253,7 +68853,7 @@ index 4b2878a..6bd7bd2 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1414,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1420,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -68267,7 +68867,7 @@ index 4b2878a..6bd7bd2 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,29 +1431,37 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1437,37 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -68309,7 +68909,7 @@ index 4b2878a..6bd7bd2 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1471,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1477,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -68318,7 +68918,7 @@ index 4b2878a..6bd7bd2 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1532,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1538,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -68327,7 +68927,7 @@ index 4b2878a..6bd7bd2 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,8 +1546,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1552,9 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -68338,7 +68938,7 @@ index 4b2878a..6bd7bd2 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1234,13 +1559,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1565,24 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -68367,7 +68967,7 @@ index 4b2878a..6bd7bd2 100644
')
optional_policy(`
-@@ -1251,12 +1587,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1593,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
@@ -68383,7 +68983,7 @@ index 4b2878a..6bd7bd2 100644
')
optional_policy(`
-@@ -1279,54 +1615,66 @@ template(`userdom_security_admin_template',`
+@@ -1279,54 +1621,66 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -68465,7 +69065,7 @@ index 4b2878a..6bd7bd2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1334,7 +1682,44 @@ interface(`userdom_setattr_user_ptys',`
+@@ -1334,7 +1688,44 @@ interface(`userdom_setattr_user_ptys',`
## </summary>
## </param>
#
@@ -68511,7 +69111,7 @@ index 4b2878a..6bd7bd2 100644
gen_require(`
type user_devpts_t;
')
-@@ -1395,6 +1780,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1786,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -68519,7 +69119,7 @@ index 4b2878a..6bd7bd2 100644
files_search_home($1)
')
-@@ -1441,6 +1827,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1833,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -68534,7 +69134,7 @@ index 4b2878a..6bd7bd2 100644
')
########################################
-@@ -1456,9 +1850,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1856,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -68546,7 +69146,7 @@ index 4b2878a..6bd7bd2 100644
')
########################################
-@@ -1515,6 +1911,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1917,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -68589,7 +69189,7 @@ index 4b2878a..6bd7bd2 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1589,6 +2021,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2027,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -68598,7 +69198,7 @@ index 4b2878a..6bd7bd2 100644
')
########################################
-@@ -1603,10 +2037,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2043,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -68613,7 +69213,7 @@ index 4b2878a..6bd7bd2 100644
')
########################################
-@@ -1649,6 +2085,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2091,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -68657,7 +69257,7 @@ index 4b2878a..6bd7bd2 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1668,6 +2141,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2147,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -68683,7 +69283,7 @@ index 4b2878a..6bd7bd2 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1700,12 +2192,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2198,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -68716,7 +69316,7 @@ index 4b2878a..6bd7bd2 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2228,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2234,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -68734,7 +69334,7 @@ index 4b2878a..6bd7bd2 100644
')
########################################
-@@ -1779,6 +2294,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2300,60 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -68795,7 +69395,7 @@ index 4b2878a..6bd7bd2 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1810,8 +2379,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2385,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -68805,7 +69405,7 @@ index 4b2878a..6bd7bd2 100644
')
########################################
-@@ -1827,20 +2395,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2401,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -68830,7 +69430,7 @@ index 4b2878a..6bd7bd2 100644
########################################
## <summary>
-@@ -1941,6 +2503,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2509,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
@@ -68855,7 +69455,7 @@ index 4b2878a..6bd7bd2 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
-@@ -2008,7 +2588,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2594,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -68864,7 +69464,7 @@ index 4b2878a..6bd7bd2 100644
files_search_home($1)
')
-@@ -2182,7 +2762,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2768,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -68873,7 +69473,7 @@ index 4b2878a..6bd7bd2 100644
')
########################################
-@@ -2435,13 +3015,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3021,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -68889,7 +69489,7 @@ index 4b2878a..6bd7bd2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,26 +3043,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +3049,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -68916,7 +69516,7 @@ index 4b2878a..6bd7bd2 100644
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2572,7 +3133,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3139,7 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -68925,7 +69525,7 @@ index 4b2878a..6bd7bd2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2580,70 +3141,138 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,70 +3147,138 @@ interface(`userdom_use_user_ttys',`
## </summary>
## </param>
#
@@ -68997,8 +69597,9 @@ index 4b2878a..6bd7bd2 100644
gen_require(`
- type user_tty_device_t, user_devpts_t;
+ type user_devpts_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
@@ -69065,9 +69666,9 @@ index 4b2878a..6bd7bd2 100644
+interface(`userdom_dontaudit_use_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
- ')
-
- dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
++ ')
++
++ dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
dontaudit $1 user_devpts_t:chr_file rw_term_perms;
')
@@ -69093,7 +69694,7 @@ index 4b2878a..6bd7bd2 100644
########################################
## <summary>
## Execute a shell in all user domains. This
-@@ -2736,24 +3365,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2736,24 +3371,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -69118,7 +69719,7 @@ index 4b2878a..6bd7bd2 100644
########################################
## <summary>
## Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3383,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2772,25 +3389,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@@ -69144,7 +69745,7 @@ index 4b2878a..6bd7bd2 100644
########################################
## <summary>
## Manage unpriviledged user SysV shared
-@@ -2852,7 +3444,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3450,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -69153,7 +69754,7 @@ index 4b2878a..6bd7bd2 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2868,29 +3460,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3466,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -69187,7 +69788,7 @@ index 4b2878a..6bd7bd2 100644
')
########################################
-@@ -2972,7 +3548,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3554,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -69196,7 +69797,7 @@ index 4b2878a..6bd7bd2 100644
')
########################################
-@@ -3027,7 +3603,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3609,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -69243,7 +69844,7 @@ index 4b2878a..6bd7bd2 100644
')
########################################
-@@ -3064,6 +3678,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3684,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -69251,7 +69852,7 @@ index 4b2878a..6bd7bd2 100644
kernel_search_proc($1)
')
-@@ -3142,6 +3757,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3763,24 @@ interface(`userdom_signal_all_users',`
########################################
## <summary>
@@ -69276,7 +69877,7 @@ index 4b2878a..6bd7bd2 100644
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
-@@ -3194,3 +3827,1076 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3833,1076 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9ef5e91..e97cc3a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 17%{?dist}
+Release: 18%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Aug 11 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-18
+- Turn on allow_domain_fd_use boolean on F16
+- Allow syslog to manage all log files
+- Add use_fusefs_home_dirs boolean for chrome
+- Make vdagent working with confined users
+- Add abrt_handle_event_t domain for ABRT event scripts
+- Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change
+- Allow httpd_git_script_t to read passwd data
+- Allow openvpn to set its process priority when the nice parameter is used
+
* Wed Aug 10 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-17
- livecd fixes
- spec file fixes
More information about the scm-commits
mailing list