[selinux-policy/f15/master] Update to upstream
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Mar 8 12:45:13 UTC 2011
commit 8e0e7ee4613697decd3b5a4fcaff3c00818a44c3
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Mar 8 13:45:04 2011 +0000
Update to upstream
policy-F15.patch | 1634 +++++++++++++++++++++++++-----------------------------
1 files changed, 766 insertions(+), 868 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index b77ec54..daa57e6 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -1,13 +1,3 @@
-diff --git a/Changelog b/Changelog
-index 6f31b1e..e2cd6fb 100644
---- a/Changelog
-+++ b/Changelog
-@@ -1,3 +1,5 @@
-+- Cron pam_namespace and pam_loginuid support from Harry Ciao.
-+- Xserver update for startx from Sven Vermeulen.
- - Fix MLS constraint for contains permission from Harry Ciao.
- - Apache user webpages fix from Dominick Grift.
- - Change default build.conf to modular policy from Stephen Smalley.
diff --git a/Makefile b/Makefile
index b8486a0..bec48d7 100644
--- a/Makefile
@@ -271,73 +261,6 @@ index e66c296..61f738b 100644
+
+ dontaudit $1 acct_data_t:dir list_dir_perms;
+')
-diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
-index 90d5203..1392679 100644
---- a/policy/modules/admin/alsa.if
-+++ b/policy/modules/admin/alsa.if
-@@ -21,6 +21,32 @@ interface(`alsa_domtrans',`
-
- ########################################
- ## <summary>
-+## Execute a domain transition to run
-+## Alsa, and allow the specified role
-+## the Alsa domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`alsa_run',`
-+ gen_require(`
-+ type alsa_t;
-+ ')
-+
-+ alsa_domtrans($1)
-+ role $2 types alsa_t;
-+')
-+
-+########################################
-+## <summary>
- ## Read and write Alsa semaphores.
- ## </summary>
- ## <param name="domain">
-diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
-index a7c7971..d073f49 100644
---- a/policy/modules/admin/alsa.te
-+++ b/policy/modules/admin/alsa.te
-@@ -11,7 +11,10 @@ init_system_domain(alsa_t, alsa_exec_t)
- role system_r types alsa_t;
-
- type alsa_etc_rw_t;
--files_type(alsa_etc_rw_t)
-+files_config_file(alsa_etc_rw_t)
-+
-+type alsa_tmp_t;
-+files_tmp_file(alsa_tmp_t)
-
- type alsa_var_lib_t;
- files_type(alsa_var_lib_t)
-@@ -39,6 +42,13 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
-
- can_exec(alsa_t, alsa_exec_t)
-
-+manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
-+manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
-+files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
-+userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
-+userdom_dontaudit_setattr_user_tmp(alsa_t)
-+
-+
- manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
- manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
- files_search_var_lib(alsa_t)
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index 46d467c..d841424 100644
--- a/policy/modules/admin/amanda.te
@@ -1464,10 +1387,10 @@ index 7077413..56d1ecb 100644
+
+/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if
-index 47c4723..4866a08 100644
+index 47c4723..ca58272 100644
--- a/policy/modules/admin/readahead.if
+++ b/policy/modules/admin/readahead.if
-@@ -1 +1,20 @@
+@@ -1 +1,40 @@
## <summary>Readahead, read files into page cache for improved performance</summary>
+
+########################################
@@ -1488,6 +1411,26 @@ index 47c4723..4866a08 100644
+ corecmd_search_bin($1)
+ domtrans_pattern($1, readahead_exec_t, readahead_t)
+')
++
++########################################
++## <summary>
++## Manage readahead var_run files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`readahead_manage_pid_files',`
++ gen_require(`
++ type readahead_var_run_t;
++ ')
++
++ manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t)
++ files_search_pids($1)
++')
++
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index b4ac57e..d3b51b7 100644
--- a/policy/modules/admin/readahead.te
@@ -1756,7 +1699,7 @@ index d33daa8..c76708e 100644
+ allow rpm_script_t $1:process sigchld;
+')
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..f5a60bd 100644
+index 47a8f7d..bca3b72 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,10 +1,11 @@
@@ -1808,7 +1751,7 @@ index 47a8f7d..f5a60bd 100644
fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t)
-@@ -173,6 +181,7 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+@@ -173,11 +181,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
domain_dontaudit_getattr_all_raw_sockets(rpm_t)
domain_dontaudit_getattr_all_stream_sockets(rpm_t)
domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
@@ -1816,7 +1759,13 @@ index 47a8f7d..f5a60bd 100644
files_exec_etc_files(rpm_t)
-@@ -207,6 +216,7 @@ optional_policy(`
+ init_domtrans_script(rpm_t)
+ init_use_script_ptys(rpm_t)
++init_signull_script(rpm_t)
+
+ libs_exec_ld_so(rpm_t)
+ libs_exec_lib_files(rpm_t)
+@@ -207,6 +217,7 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(rpm_t)
')
@@ -1824,7 +1773,7 @@ index 47a8f7d..f5a60bd 100644
')
optional_policy(`
-@@ -214,7 +224,7 @@ optional_policy(`
+@@ -214,7 +225,7 @@ optional_policy(`
')
optional_policy(`
@@ -1833,7 +1782,7 @@ index 47a8f7d..f5a60bd 100644
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
unconfined_dbus_chat(rpm_script_t)
-@@ -261,6 +271,7 @@ kernel_read_crypto_sysctls(rpm_script_t)
+@@ -261,6 +272,7 @@ kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
kernel_read_network_state(rpm_script_t)
@@ -1841,7 +1790,7 @@ index 47a8f7d..f5a60bd 100644
kernel_read_software_raid_state(rpm_script_t)
dev_list_sysfs(rpm_script_t)
-@@ -308,6 +319,8 @@ auth_manage_all_files_except_shadow(rpm_script_t)
+@@ -308,6 +320,8 @@ auth_manage_all_files_except_shadow(rpm_script_t)
auth_relabel_shadow(rpm_script_t)
corecmd_exec_all_executables(rpm_script_t)
@@ -1850,7 +1799,7 @@ index 47a8f7d..f5a60bd 100644
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
-@@ -332,18 +345,18 @@ logging_send_syslog_msg(rpm_script_t)
+@@ -332,18 +346,18 @@ logging_send_syslog_msg(rpm_script_t)
miscfiles_read_localization(rpm_script_t)
@@ -1872,7 +1821,7 @@ index 47a8f7d..f5a60bd 100644
')
')
-@@ -368,6 +381,11 @@ optional_policy(`
+@@ -368,6 +382,11 @@ optional_policy(`
')
optional_policy(`
@@ -1884,7 +1833,7 @@ index 47a8f7d..f5a60bd 100644
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
')
-@@ -377,8 +395,9 @@ optional_policy(`
+@@ -377,8 +396,9 @@ optional_policy(`
')
optional_policy(`
@@ -2929,66 +2878,19 @@ index 0000000..0852151
+ fs_read_inherited_cifs_files(chrome_sandbox_t)
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+')
-diff --git a/policy/modules/apps/cpufreqselector.if b/policy/modules/apps/cpufreqselector.if
-index ed94975..e43186f 100644
---- a/policy/modules/apps/cpufreqselector.if
-+++ b/policy/modules/apps/cpufreqselector.if
-@@ -1 +1,42 @@
- ## <summary>Command-line CPU frequency settings.</summary>
-+
-+########################################
-+## <summary>
-+## Send a dbus message to
-+## cpufreq-selector.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cpufreqselector_dbus_send',`
-+ gen_require(`
-+ type cpufreqselector_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 cpufreqselector_t:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
-+## Send and receive messages from
-+## cpufreq-selector over dbus.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cpufreqselector_dbus_chat',`
-+ gen_require(`
-+ type cpufreqselector_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 cpufreqselector_t:dbus send_msg;
-+ allow cpufreqselector_t $1:dbus send_msg;
-+')
diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
-index 0457de1..b440acb 100644
+index e51e7f5..8e0405f 100644
--- a/policy/modules/apps/cpufreqselector.te
+++ b/policy/modules/apps/cpufreqselector.te
-@@ -16,6 +16,7 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t)
-
+@@ -17,6 +17,7 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t)
allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+ allow cpufreqselector_t self:process getsched;
allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+allow cpufreqselector_t self:process getsched;
- files_read_etc_files(cpufreqselector_t)
- files_read_usr_files(cpufreqselector_t)
-@@ -24,10 +25,12 @@ corecmd_search_bin(cpufreqselector_t)
+ kernel_read_system_state(cpufreqselector_t)
+
+@@ -27,10 +28,12 @@ corecmd_search_bin(cpufreqselector_t)
dev_rw_sysfs(cpufreqselector_t)
@@ -3002,7 +2904,7 @@ index 0457de1..b440acb 100644
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
-@@ -50,3 +53,7 @@ optional_policy(`
+@@ -53,3 +56,7 @@ optional_policy(`
policykit_read_lib(cpufreqselector_t)
policykit_read_reload(cpufreqselector_t)
')
@@ -3376,10 +3278,10 @@ index 00a19e3..1354800 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..c9d74ee 100644
+index f5afe78..0c61d93 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,43 +1,519 @@
+@@ -1,43 +1,521 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
@@ -3475,9 +3377,10 @@ index f5afe78..c9d74ee 100644
+
+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
+
++ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_$1_t)
++
+ allow gkeyringd_$1_t $3:dbus send_msg;
+ allow $3 gkeyringd_$1_t:dbus send_msg;
-+
+ optional_policy(`
+ dbus_session_domain(gkeyringd_$1_t, gkeyringd_exec_t)
+ dbus_session_bus_client(gkeyringd_$1_t)
@@ -3554,10 +3457,11 @@ index f5afe78..c9d74ee 100644
+ gen_require(`
+ attribute gkeyringd_domain;
+ type gkeyringd_tmp_t;
++ type gconf_tmp_t;
+ ')
+
++ allow $1 gconf_tmp_t:dir search_dir_perms;
+ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
-+ gnome_search_gconf_tmp_dirs($1)
+')
+
+########################################
@@ -3916,7 +3820,7 @@ index f5afe78..c9d74ee 100644
## in the caller domain.
## </summary>
## <param name="domain">
-@@ -56,27 +532,26 @@ interface(`gnome_exec_gconf',`
+@@ -56,27 +534,26 @@ interface(`gnome_exec_gconf',`
########################################
## <summary>
@@ -3952,7 +3856,7 @@ index f5afe78..c9d74ee 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +559,41 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +561,41 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
@@ -4005,7 +3909,7 @@ index f5afe78..c9d74ee 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -122,12 +601,13 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,12 +603,13 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
@@ -4022,7 +3926,7 @@ index f5afe78..c9d74ee 100644
')
########################################
-@@ -151,40 +631,258 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +633,258 @@ interface(`gnome_setattr_config_dirs',`
########################################
## <summary>
@@ -5481,7 +5385,7 @@ index 9a6d67d..d88c02c 100644
+')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..26f1ff3 100644
+index 2a91fa8..9b22659 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
@@ -5563,7 +5467,7 @@ index 2a91fa8..26f1ff3 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,180 @@ optional_policy(`
+@@ -266,3 +291,183 @@ optional_policy(`
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
@@ -5620,6 +5524,7 @@ index 2a91fa8..26f1ff3 100644
+corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
+corenet_tcp_connect_squid_port(mozilla_plugin_t)
+corenet_tcp_connect_ipp_port(mozilla_plugin_t)
++corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
+corenet_tcp_connect_speech_port(mozilla_plugin_t)
+corenet_tcp_connect_streaming_port(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
@@ -5632,6 +5537,8 @@ index 2a91fa8..26f1ff3 100644
+dev_read_sysfs(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)
++# for nvidia driver
++dev_rw_xserver_misc(mozilla_plugin_t)
+dev_dontaudit_rw_dri(mozilla_plugin_t)
+
+domain_use_interactive_fds(mozilla_plugin_t)
@@ -7721,10 +7628,10 @@ index 0000000..0fedd57
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..f114a5d
+index 0000000..2280381
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,473 @@
+@@ -0,0 +1,474 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -7954,6 +7861,8 @@ index 0000000..f114a5d
+miscfiles_read_localization(sandbox_x_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
+
++mta_dontaudit_read_spool_symlinks(sandbox_x_domain)
++
+selinux_get_fs_mount(sandbox_x_domain)
+selinux_validate_context(sandbox_x_domain)
+selinux_compute_access_vector(sandbox_x_domain)
@@ -7962,7 +7871,6 @@ index 0000000..f114a5d
+selinux_compute_user_contexts(sandbox_x_domain)
+seutil_read_default_contexts(sandbox_x_domain)
+
-+
+term_getattr_pty_fs(sandbox_x_domain)
+term_use_ptmx(sandbox_x_domain)
+term_search_ptys(sandbox_x_domain)
@@ -8614,10 +8522,10 @@ index 0000000..6878d68
+
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
new file mode 100644
-index 0000000..d4e5e9e
+index 0000000..db7941f
--- /dev/null
+++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,331 @@
+@@ -0,0 +1,333 @@
+
+policy_module(telepathy, 1.0.0)
+
@@ -8685,6 +8593,7 @@ index 0000000..d4e5e9e
+corenet_tcp_connect_mmcc_port(telepathy_msn_t)
+corenet_tcp_connect_msnp_port(telepathy_msn_t)
+corenet_tcp_connect_sametime_port(telepathy_msn_t)
++corenet_tcp_connect_ssdp_port(telepathy_msn_t)
+
+corecmd_exec_bin(telepathy_msn_t)
+corecmd_exec_shell(telepathy_msn_t)
@@ -8781,6 +8690,7 @@ index 0000000..d4e5e9e
+allow telepathy_idle_t self:netlink_route_socket create_netlink_socket_perms;
+
+corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
++corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
+corenet_tcp_connect_ircd_port(telepathy_idle_t)
+
+dev_read_rand(telepathy_idle_t)
@@ -9528,7 +9438,7 @@ index 5a07a43..e97e47f 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..791a227 100644
+index 0757523..6795999 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -9682,7 +9592,7 @@ index 0757523..791a227 100644
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -177,24 +213,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -177,24 +213,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -9707,6 +9617,7 @@ index 0757523..791a227 100644
network_port(speech, tcp,8036,s0)
-network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
++network_port(ssdp, tcp,1900,s0, udp, 1900, s0)
network_port(ssh, tcp,22,s0)
+network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0)
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
@@ -9715,7 +9626,7 @@ index 0757523..791a227 100644
network_port(syslogd, udp,514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
-@@ -205,16 +245,17 @@ network_port(transproxy, tcp,8081,s0)
+@@ -205,16 +246,17 @@ network_port(transproxy, tcp,8081,s0)
network_port(ups, tcp,3493,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
@@ -9736,7 +9647,7 @@ index 0757523..791a227 100644
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
-@@ -276,5 +317,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
+@@ -276,5 +318,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
@@ -9744,42 +9655,19 @@ index 0757523..791a227 100644
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 8ac94e4..c02f095 100644
+index 6cf8784..286aec1 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
-@@ -18,6 +18,7 @@
- /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
- /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-+/dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
- /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -159,6 +160,7 @@ ifdef(`distro_suse', `
-
- /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-
-+/dev/mqueue(/.*)? <<none>>
- /dev/pts(/.*)? <<none>>
-
- /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -178,13 +180,12 @@ ifdef(`distro_suse', `
-
- /etc/udev/devices -d gen_context(system_u:object_r:device_t,s0)
-
--/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0)
-+/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)
-
--ifdef(`distro_gentoo',`
- # used by init scripts to initally populate udev /dev
-+/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+@@ -187,8 +187,6 @@ ifdef(`distro_suse', `
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
--')
+-/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
+-
ifdef(`distro_redhat',`
# originally from named.fc
-@@ -193,3 +194,8 @@ ifdef(`distro_redhat',`
+ /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
+@@ -196,3 +194,8 @@ ifdef(`distro_redhat',`
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
@@ -9789,7 +9677,7 @@ index 8ac94e4..c02f095 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index efaf808..d1ceca8 100644
+index e9313fb..8083a5b 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -9853,132 +9741,73 @@ index efaf808..d1ceca8 100644
## Add entries to directories in /dev.
## </summary>
## <param name="domain">
-@@ -336,6 +373,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
+@@ -715,7 +752,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
########################################
## <summary>
-+## read generic files in /dev.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_read_generic_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ read_files_pattern($1, device_t, device_t)
-+')
-+
-+########################################
-+## <summary>
- ## Read and write generic files in /dev.
+-## Read symbolic links in device directories.
++## Create symbolic links in device directories.
## </summary>
## <param name="domain">
-@@ -516,6 +571,24 @@ interface(`dev_getattr_generic_chr_files',`
+ ## <summary>
+@@ -723,17 +760,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`dev_read_generic_symlinks',`
++interface(`dev_create_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
- ########################################
- ## <summary>
-+## Allow relablefrom for generic character device files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_relabelfrom_generic_chr_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ allow $1 device_t:chr_file relabelfrom;
-+')
-+
-+########################################
-+## <summary>
- ## Dontaudit getattr for generic character device files.
- ## </summary>
- ## <param name="domain">
-@@ -552,6 +625,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
+- allow $1 device_t:lnk_file read_lnk_file_perms;
++ create_lnk_files_pattern($1, device_t, device_t)
+ ')
########################################
## <summary>
-+## Read generic character device files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_read_generic_chr_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ allow $1 device_t:chr_file read_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Read and write generic character device files.
+-## Create symbolic links in device directories.
++## Delete symbolic links in device directories.
## </summary>
## <param name="domain">
-@@ -570,6 +661,24 @@ interface(`dev_rw_generic_chr_files',`
+ ## <summary>
+@@ -741,17 +778,17 @@ interface(`dev_read_generic_symlinks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`dev_create_generic_symlinks',`
++interface(`dev_delete_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
- ########################################
- ## <summary>
-+## Read and write generic block device files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_rw_generic_blk_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ allow $1 device_t:blk_file rw_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Dontaudit attempts to read/write generic character device files.
- ## </summary>
- ## <param name="domain">
-@@ -679,6 +788,24 @@ interface(`dev_delete_generic_symlinks',`
+- create_lnk_files_pattern($1, device_t, device_t)
++ delete_lnk_files_pattern($1, device_t, device_t)
+ ')
########################################
## <summary>
+-## Delete symbolic links in device directories.
+## Read symbolic links in device directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_read_generic_symlinks',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ allow $1 device_t:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Create, delete, read, and write symbolic links in device directories.
## </summary>
## <param name="domain">
-@@ -1088,6 +1215,42 @@ interface(`dev_create_all_chr_files',`
+ ## <summary>
+@@ -759,12 +796,12 @@ interface(`dev_create_generic_symlinks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`dev_delete_generic_symlinks',`
++interface(`dev_read_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
+
+- delete_lnk_files_pattern($1, device_t, device_t)
++ allow $1 device_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -1178,6 +1215,42 @@ interface(`dev_create_all_chr_files',`
########################################
## <summary>
@@ -10021,82 +9850,7 @@ index efaf808..d1ceca8 100644
## Delete all block device files.
## </summary>
## <param name="domain">
-@@ -1350,6 +1513,24 @@ interface(`dev_getattr_autofs_dev',`
-
- ########################################
- ## <summary>
-+## Relable the autofs device node.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_relabel_autofs_dev',`
-+ gen_require(`
-+ type autofs_device_t;
-+ ')
-+
-+ allow $1 autofs_device_t:chr_file relabel_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Do not audit attempts to get the attributes of
- ## the autofs device node.
- ## </summary>
-@@ -1597,6 +1778,24 @@ interface(`dev_rw_cpu_microcode',`
-
- ########################################
- ## <summary>
-+## Read the kernel crash device
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_read_crash',`
-+ gen_require(`
-+ type device_t, crash_device_t;
-+ ')
-+
-+ read_chr_files_pattern($1, device_t, crash_device_t)
-+')
-+
-+########################################
-+## <summary>
- ## Read and write the the hardware SSL accelerator.
- ## </summary>
- ## <param name="domain">
-@@ -1979,6 +2178,24 @@ interface(`dev_read_kmsg',`
-
- ########################################
- ## <summary>
-+## Do not audit attempts to read the kernel messages
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_dontaudit_read_kmsg',`
-+ gen_require(`
-+ type kmsg_device_t;
-+ ')
-+
-+ dontaudit $1 kmsg_device_t:chr_file read;
-+')
-+
-+########################################
-+## <summary>
- ## Write to the kernel messages device
- ## </summary>
- ## <param name="domain">
-@@ -3048,24 +3265,6 @@ interface(`dev_rw_printer',`
+@@ -3192,24 +3265,6 @@ interface(`dev_rw_printer',`
########################################
## <summary>
@@ -10121,32 +9875,33 @@ index efaf808..d1ceca8 100644
## Get the attributes of the QEMU
## microcode and id interfaces.
## </summary>
-@@ -3613,6 +3812,24 @@ interface(`dev_manage_smartcard',`
+@@ -3884,25 +3939,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
## <summary>
-+## Associate a file to a sysfs filesystem.
-+## </summary>
-+## <param name="file_type">
-+## <summary>
-+## The type of the file to be associated to sysfs.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_associate_sysfs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ allow $1 sysfs_t:filesystem associate;
-+')
-+
-+########################################
-+## <summary>
- ## Get the attributes of sysfs directories.
+-## Create, read, write, and delete sysfs
+-## directories.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`dev_manage_sysfs_dirs',`
+- gen_require(`
+- type sysfs_t;
+- ')
+-
+- manage_dirs_pattern($1, sysfs_t, sysfs_t)
+-')
+-
+-########################################
+-## <summary>
+ ## Read hardware state information.
## </summary>
- ## <param name="domain">
-@@ -3773,6 +3990,24 @@ interface(`dev_rw_sysfs',`
+ ## <desc>
+@@ -3954,6 +3990,24 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
@@ -10171,63 +9926,11 @@ index efaf808..d1ceca8 100644
## Read and write the TPM device.
## </summary>
## <param name="domain">
-@@ -3960,6 +4195,24 @@ interface(`dev_read_usbmon_dev',`
-
- ########################################
- ## <summary>
-+## Write USB monitor devices.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_write_usbmon_dev',`
-+ gen_require(`
-+ type device_t, usbmon_device_t;
-+ ')
-+
-+ write_chr_files_pattern($1, device_t, usbmon_device_t)
-+')
-+
-+########################################
-+## <summary>
- ## Mount a usbfs filesystem.
- ## </summary>
- ## <param name="domain">
-@@ -4270,11 +4523,10 @@ interface(`dev_write_video_dev',`
- #
- interface(`dev_rw_vhost',`
- gen_require(`
-- type vhost_device_t;
-+ type device_t, vhost_device_t;
- ')
-
-- list_dirs_pattern($1, vhost_device_t, vhost_device_t)
-- rw_files_pattern($1, vhost_device_t, vhost_device_t)
-+ rw_chr_files_pattern($1, device_t, vhost_device_t)
- ')
-
- ########################################
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index c03e21b..2942d8d 100644
+index 3ff4f60..89ffda6 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
-@@ -56,6 +56,12 @@ dev_node(clock_device_t)
- type cpu_device_t;
- dev_node(cpu_device_t)
-
-+#
-+# Type for /dev/crash
-+#
-+type crash_device_t;
-+dev_node(crash_device_t)
-+
- # for the IBM zSeries z90crypt hardware ssl accelorator
- type crypt_device_t;
- dev_node(crypt_device_t)
-@@ -102,6 +108,7 @@ dev_node(ksm_device_t)
+@@ -108,6 +108,7 @@ dev_node(ksm_device_t)
#
type kvm_device_t;
dev_node(kvm_device_t)
@@ -10235,7 +9938,7 @@ index c03e21b..2942d8d 100644
#
# Type for /dev/lirc
-@@ -304,5 +311,5 @@ files_associate_tmp(device_node)
+@@ -310,5 +311,5 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
@@ -10523,7 +10226,7 @@ index bc534c1..b70ea07 100644
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 3517db2..f798a69 100644
+index 16108f6..2abd3eb 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -10534,9 +10237,9 @@ index 3517db2..f798a69 100644
')
ifdef(`distro_suse',`
-@@ -64,6 +65,13 @@ ifdef(`distro_suse',`
- /etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -58,6 +59,13 @@ ifdef(`distro_suse',`
+ /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
@@ -10548,7 +10251,7 @@ index 3517db2..f798a69 100644
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
/etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)
-@@ -74,7 +82,10 @@ ifdef(`distro_suse',`
+@@ -68,7 +76,10 @@ ifdef(`distro_suse',`
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -10560,7 +10263,7 @@ index 3517db2..f798a69 100644
ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -95,7 +106,7 @@ ifdef(`distro_suse',`
+@@ -89,7 +100,7 @@ ifdef(`distro_suse',`
# HOME_ROOT
# expanded by genhomedircon
#
@@ -10569,7 +10272,7 @@ index 3517db2..f798a69 100644
HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
HOME_ROOT/lost\+found/.* <<none>>
-@@ -159,6 +170,12 @@ HOME_ROOT/lost\+found/.* <<none>>
+@@ -153,6 +164,12 @@ HOME_ROOT/lost\+found/.* <<none>>
/proc -d <<none>>
/proc/.* <<none>>
@@ -10582,7 +10285,7 @@ index 3517db2..f798a69 100644
#
# /selinux
#
-@@ -172,12 +189,6 @@ HOME_ROOT/lost\+found/.* <<none>>
+@@ -166,12 +183,6 @@ HOME_ROOT/lost\+found/.* <<none>>
/srv/.* gen_context(system_u:object_r:var_t,s0)
#
@@ -10595,7 +10298,7 @@ index 3517db2..f798a69 100644
# /tmp
#
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-@@ -217,7 +228,6 @@ HOME_ROOT/lost\+found/.* <<none>>
+@@ -211,7 +222,6 @@ HOME_ROOT/lost\+found/.* <<none>>
ifndef(`distro_redhat',`
/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
@@ -10603,7 +10306,7 @@ index 3517db2..f798a69 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -233,6 +243,8 @@ ifndef(`distro_redhat',`
+@@ -227,6 +237,8 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -10612,7 +10315,7 @@ index 3517db2..f798a69 100644
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
-@@ -249,7 +261,7 @@ ifndef(`distro_redhat',`
+@@ -243,7 +255,7 @@ ifndef(`distro_redhat',`
/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -10621,7 +10324,7 @@ index 3517db2..f798a69 100644
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
-@@ -258,3 +270,7 @@ ifndef(`distro_redhat',`
+@@ -252,3 +264,7 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
@@ -10630,7 +10333,7 @@ index 3517db2..f798a69 100644
+
+/usr/lib/debug(/.*)? <<none>>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ed203b2..0a4f89a 100644
+index 958ca84..d451c3f 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -11821,7 +11524,7 @@ index ed203b2..0a4f89a 100644
+ dontaudit $1 file_type:file_class_set write;
+')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index e8a6b1d..fd53860 100644
+index 6e01635..212a736 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -11,6 +11,7 @@ attribute lockfile;
@@ -13319,7 +13022,7 @@ index be4de58..cce681a 100644
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..e4d46e9 100644
+index 2be17d2..d519104 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,48 @@ policy_module(staff, 2.2.0)
@@ -13371,7 +13074,7 @@ index 2be17d2..e4d46e9 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -27,25 +63,130 @@ optional_policy(`
+@@ -27,25 +63,134 @@ optional_policy(`
')
optional_policy(`
@@ -13380,6 +13083,10 @@ index 2be17d2..e4d46e9 100644
+')
+
+optional_policy(`
++ colord_dbus_chat(staff_t)
++')
++
++optional_policy(`
+ gnomeclock_dbus_chat(staff_t)
+')
+
@@ -13504,7 +13211,7 @@ index 2be17d2..e4d46e9 100644
optional_policy(`
vlock_run(staff_t, staff_r)
-@@ -89,10 +230,6 @@ ifndef(`distro_redhat',`
+@@ -89,10 +234,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -13515,7 +13222,7 @@ index 2be17d2..e4d46e9 100644
gpg_role(staff_r, staff_t)
')
-@@ -137,10 +274,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +278,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -13526,7 +13233,7 @@ index 2be17d2..e4d46e9 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -172,3 +305,8 @@ ifndef(`distro_redhat',`
+@@ -172,3 +309,8 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -15085,10 +14792,10 @@ index 0000000..77c513d
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..54ea4f5 100644
+index e5bfdd4..10d03a3 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,63 @@ role user_r;
+@@ -12,15 +12,67 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -15107,6 +14814,10 @@ index e5bfdd4..54ea4f5 100644
')
optional_policy(`
++ colord_dbus_chat(user_t)
++')
++
++optional_policy(`
+ gnome_role(user_r, user_t)
+')
+
@@ -15152,7 +14863,7 @@ index e5bfdd4..54ea4f5 100644
vlock_run(user_t, user_r)
')
-@@ -62,10 +110,6 @@ ifndef(`distro_redhat',`
+@@ -62,10 +114,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -15163,7 +14874,7 @@ index e5bfdd4..54ea4f5 100644
gpg_role(user_r, user_t)
')
-@@ -118,7 +162,7 @@ ifndef(`distro_redhat',`
+@@ -118,7 +166,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -15172,7 +14883,7 @@ index e5bfdd4..54ea4f5 100644
')
optional_policy(`
-@@ -157,3 +201,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +205,4 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
@@ -18113,10 +17824,18 @@ index 61c74bc..c6b0498 100644
allow avahi_t $1:dbus send_msg;
')
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
-index a7a0e71..15686e9 100644
+index a7a0e71..5352ef6 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
-@@ -46,6 +46,7 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
+@@ -17,6 +17,7 @@ files_pid_file(avahi_var_lib_t)
+
+ type avahi_var_run_t;
+ files_pid_file(avahi_var_run_t)
++init_sock_file(avahi_var_run_t)
+
+ ########################################
+ #
+@@ -46,6 +47,7 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
kernel_read_system_state(avahi_t)
kernel_read_kernel_sysctls(avahi_t)
kernel_read_network_state(avahi_t)
@@ -18124,7 +17843,7 @@ index a7a0e71..15686e9 100644
corecmd_exec_bin(avahi_t)
corecmd_exec_shell(avahi_t)
-@@ -104,6 +105,10 @@ optional_policy(`
+@@ -104,6 +106,10 @@ optional_policy(`
')
optional_policy(`
@@ -20683,8 +20402,140 @@ index 0258b48..8fde016 100644
+list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t)
manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc
+new file mode 100644
+index 0000000..7a01ff6
+--- /dev/null
++++ b/policy/modules/services/colord.fc
+@@ -0,0 +1,4 @@
++
++/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
++
++/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+diff --git a/policy/modules/services/colord.if b/policy/modules/services/colord.if
+new file mode 100644
+index 0000000..38cb883
+--- /dev/null
++++ b/policy/modules/services/colord.if
+@@ -0,0 +1,42 @@
++
++## <summary>policy for colord</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run colord.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`colord_domtrans',`
++ gen_require(`
++ type colord_t, colord_exec_t;
++ ')
++
++ domtrans_pattern($1, colord_exec_t, colord_t)
++')
++
++########################################
++## <summary>
++## Send and receive messages from
++## colord over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`colord_dbus_chat',`
++ gen_require(`
++ type colord_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 colord_t:dbus send_msg;
++ allow colord_t $1:dbus send_msg;
++')
++
+diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
+new file mode 100644
+index 0000000..0ecb72e
+--- /dev/null
++++ b/policy/modules/services/colord.te
+@@ -0,0 +1,68 @@
++policy_module(colord,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type colord_t;
++type colord_exec_t;
++dbus_system_domain(colord_t, colord_exec_t)
++
++type colord_var_lib_t;
++files_type(colord_var_lib_t)
++
++type colord_tmp_t;
++files_tmp_file(colord_tmp_t)
++
++permissive colord_t;
++
++########################################
++#
++# colord local policy
++#
++allow colord_t self:fifo_file rw_fifo_file_perms;
++allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow colord_t self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
++manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
++files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
++
++manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
++manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
++files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
++
++kernel_read_device_sysctls(colord_t)
++
++corenet_udp_bind_generic_node(colord_t)
++corenet_udp_bind_ipp_port(colord_t)
++
++dev_read_raw_memory(colord_t)
++dev_write_raw_memory(colord_t)
++dev_read_video_dev(colord_t)
++dev_write_video_dev(colord_t)
++dev_read_rand(colord_t)
++dev_read_sysfs(colord_t)
++dev_read_urand(colord_t)
++dev_list_sysfs(colord_t)
++dev_read_generic_usb_dev(colord_t)
++
++domain_use_interactive_fds(colord_t)
++
++files_read_etc_files(colord_t)
++files_read_usr_files(colord_t)
++
++miscfiles_read_localization(colord_t)
++
++sysnet_dns_name_resolve(colord_t)
++
++optional_policy(`
++ cups_read_rw_config(colord_t)
++ cups_stream_connect(colord_t)
++ cups_dbus_chat(colord_t)
++')
++
++optional_policy(`
++ udev_read_db(colord_t)
++')
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
-index 42c6bd7..8f23087 100644
+index fd15dfe..ad224fa 100644
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
@@ -5,9 +5,9 @@
@@ -20752,8 +20603,8 @@ index 42c6bd7..8f23087 100644
## Read consolekit log files.
## </summary>
## <param name="domain">
-@@ -95,3 +134,22 @@ interface(`consolekit_read_pid_files',`
- files_search_pids($1)
+@@ -96,3 +135,22 @@ interface(`consolekit_read_pid_files',`
+ allow $1 consolekit_var_run_t:dir list_dir_perms;
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
')
+
@@ -20776,7 +20627,7 @@ index 42c6bd7..8f23087 100644
+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
-index daf151d..070e4cc 100644
+index e67a003..894d4e0 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t)
@@ -21380,15 +21231,9 @@ index 35241ed..b6402c9 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f35b243..9941737 100644
+index f7583ab..9941737 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
-@@ -1,4 +1,4 @@
--policy_module(cron, 2.2.0)
-+policy_module(cron, 2.2.1)
-
- gen_require(`
- class passwd rootok;
@@ -10,18 +10,18 @@ gen_require(`
#
@@ -21528,7 +21373,7 @@ index f35b243..9941737 100644
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
-@@ -203,12 +220,18 @@ files_list_usr(crond_t)
+@@ -203,11 +220,16 @@ files_list_usr(crond_t)
files_search_var_lib(crond_t)
files_search_default(crond_t)
@@ -21543,11 +21388,9 @@ index f35b243..9941737 100644
+logging_send_audit_msgs(crond_t)
logging_send_syslog_msg(crond_t)
-+logging_set_loginuid(crond_t)
+ logging_set_loginuid(crond_t)
- seutil_read_config(crond_t)
- seutil_read_default_contexts(crond_t)
-@@ -219,8 +242,10 @@ miscfiles_read_localization(crond_t)
+@@ -220,8 +242,10 @@ miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
@@ -21558,7 +21401,7 @@ index f35b243..9941737 100644
ifdef(`distro_debian',`
# pam_limits is used
-@@ -232,7 +257,7 @@ ifdef(`distro_debian',`
+@@ -233,7 +257,7 @@ ifdef(`distro_debian',`
')
')
@@ -21567,16 +21410,7 @@ index f35b243..9941737 100644
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
-@@ -240,16 +265,39 @@ ifdef(`distro_redhat', `
- ')
- ')
-
-+tunable_policy(`allow_polyinstantiation',`
-+ files_polyinstantiate_all(crond_t)
-+')
-+
- tunable_policy(`fcron_crond', `
- allow crond_t system_cron_spool_t:file manage_file_perms;
+@@ -250,11 +274,30 @@ tunable_policy(`fcron_crond', `
')
optional_policy(`
@@ -21607,7 +21441,7 @@ index f35b243..9941737 100644
amanda_search_var_lib(crond_t)
')
-@@ -259,6 +307,8 @@ optional_policy(`
+@@ -264,6 +307,8 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(crond_t)
@@ -21616,7 +21450,7 @@ index f35b243..9941737 100644
')
optional_policy(`
-@@ -284,12 +334,18 @@ optional_policy(`
+@@ -289,12 +334,18 @@ optional_policy(`
udev_read_db(crond_t)
')
@@ -21635,7 +21469,7 @@ index f35b243..9941737 100644
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-@@ -301,10 +357,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +357,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
@@ -21656,7 +21490,7 @@ index f35b243..9941737 100644
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -324,6 +389,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,6 +389,7 @@ allow crond_t system_cronjob_t:fd use;
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
@@ -21664,7 +21498,7 @@ index f35b243..9941737 100644
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -335,9 +401,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,9 +401,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -21679,7 +21513,7 @@ index f35b243..9941737 100644
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -360,6 +430,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +430,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
@@ -21687,7 +21521,7 @@ index f35b243..9941737 100644
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
-@@ -386,6 +457,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +457,7 @@ files_dontaudit_search_pids(system_cronjob_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
@@ -21695,7 +21529,7 @@ index f35b243..9941737 100644
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
-@@ -408,8 +480,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +480,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
seutil_read_config(system_cronjob_t)
@@ -21707,7 +21541,7 @@ index f35b243..9941737 100644
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -434,6 +508,8 @@ optional_policy(`
+@@ -439,6 +508,8 @@ optional_policy(`
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
@@ -21716,7 +21550,7 @@ index f35b243..9941737 100644
')
optional_policy(`
-@@ -441,6 +517,14 @@ optional_policy(`
+@@ -446,6 +517,14 @@ optional_policy(`
')
optional_policy(`
@@ -21731,7 +21565,7 @@ index f35b243..9941737 100644
ftp_read_log(system_cronjob_t)
')
-@@ -451,15 +535,24 @@ optional_policy(`
+@@ -456,15 +535,24 @@ optional_policy(`
')
optional_policy(`
@@ -21756,7 +21590,7 @@ index f35b243..9941737 100644
')
optional_policy(`
-@@ -475,7 +568,7 @@ optional_policy(`
+@@ -480,7 +568,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -21765,7 +21599,7 @@ index f35b243..9941737 100644
')
optional_policy(`
-@@ -490,6 +583,7 @@ optional_policy(`
+@@ -495,6 +583,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -21773,7 +21607,7 @@ index f35b243..9941737 100644
')
optional_policy(`
-@@ -497,7 +591,13 @@ optional_policy(`
+@@ -502,7 +591,13 @@ optional_policy(`
')
optional_policy(`
@@ -21787,7 +21621,7 @@ index f35b243..9941737 100644
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -590,9 +690,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +690,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -22210,7 +22044,7 @@ index a8b93c0..831ce70 100644
type dante_var_run_t;
files_pid_file(dante_var_run_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 0d5711c..bbc1a8f 100644
+index 0d5711c..2f38c31 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -22388,7 +22222,7 @@ index 0d5711c..bbc1a8f 100644
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
')
-@@ -497,3 +552,22 @@ interface(`dbus_unconfined',`
+@@ -497,3 +552,23 @@ interface(`dbus_unconfined',`
typeattribute $1 dbusd_unconfined;
')
@@ -22411,20 +22245,32 @@ index 0d5711c..bbc1a8f 100644
+ files_search_pids($1)
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
++
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 98e5af6..a7472fc 100644
+index 86d09b4..1c0dd9b 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
-@@ -52,7 +52,7 @@ ifdef(`enable_mls',`
+@@ -33,6 +33,7 @@ files_tmp_file(system_dbusd_tmp_t)
+
+ type system_dbusd_var_lib_t;
+ files_type(system_dbusd_var_lib_t)
++init_sock_file(system_dbusd_var_lib_t)
+
+ type system_dbusd_var_run_t;
+ files_pid_file(system_dbusd_var_run_t)
+@@ -52,9 +53,9 @@ ifdef(`enable_mls',`
# dac_override: /var/run/dbus is owned by messagebus on Debian
# cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
- allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
+-allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
++allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
-@@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+ allow system_dbusd_t self:dbus { send_msg acquire_svc };
+ allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+@@ -74,9 +75,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
@@ -22436,7 +22282,7 @@ index 98e5af6..a7472fc 100644
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
-@@ -111,6 +112,8 @@ auth_read_pam_console_data(system_dbusd_t)
+@@ -111,6 +113,8 @@ auth_read_pam_console_data(system_dbusd_t)
corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
@@ -22445,7 +22291,7 @@ index 98e5af6..a7472fc 100644
domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)
-@@ -121,7 +124,9 @@ files_read_usr_files(system_dbusd_t)
+@@ -121,7 +125,9 @@ files_read_usr_files(system_dbusd_t)
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
@@ -22455,7 +22301,7 @@ index 98e5af6..a7472fc 100644
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-@@ -141,6 +146,14 @@ optional_policy(`
+@@ -141,10 +147,18 @@ optional_policy(`
')
optional_policy(`
@@ -22463,6 +22309,10 @@ index 98e5af6..a7472fc 100644
+')
+
+optional_policy(`
+ cpufreqselector_dbus_chat(system_dbusd_t)
+ ')
+
+ optional_policy(`
+ networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
@@ -22470,7 +22320,7 @@ index 98e5af6..a7472fc 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -158,5 +171,12 @@ optional_policy(`
+@@ -162,5 +176,12 @@ optional_policy(`
#
# Unconfined access to this module
#
@@ -32523,10 +32373,18 @@ index 9759ed8..48a5431 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
-index fb8dc84..57fcfe1 100644
+index 06e217d..179e320 100644
--- a/policy/modules/services/plymouthd.te
+++ b/policy/modules/services/plymouthd.te
-@@ -19,6 +19,9 @@ files_type(plymouthd_spool_t)
+@@ -8,6 +8,7 @@ policy_module(plymouthd, 1.0.1)
+ type plymouth_t;
+ type plymouth_exec_t;
+ application_domain(plymouth_t, plymouth_exec_t)
++role system_r types plymouth_t;
+
+ type plymouthd_t;
+ type plymouthd_exec_t;
+@@ -19,6 +20,9 @@ files_type(plymouthd_spool_t)
type plymouthd_var_lib_t;
files_type(plymouthd_var_lib_t)
@@ -32536,7 +32394,7 @@ index fb8dc84..57fcfe1 100644
type plymouthd_var_run_t;
files_pid_file(plymouthd_var_run_t)
-@@ -42,6 +45,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+@@ -42,6 +46,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
@@ -32547,7 +32405,7 @@ index fb8dc84..57fcfe1 100644
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
-@@ -60,10 +67,22 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -60,10 +68,22 @@ domain_use_interactive_fds(plymouthd_t)
files_read_etc_files(plymouthd_t)
files_read_usr_files(plymouthd_t)
@@ -32570,7 +32428,7 @@ index fb8dc84..57fcfe1 100644
########################################
#
# Plymouth private policy
-@@ -74,6 +93,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
+@@ -74,6 +94,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(plymouth_t)
@@ -32578,7 +32436,7 @@ index fb8dc84..57fcfe1 100644
domain_use_interactive_fds(plymouth_t)
-@@ -87,7 +107,7 @@ sysnet_read_config(plymouth_t)
+@@ -87,7 +108,7 @@ sysnet_read_config(plymouth_t)
plymouthd_stream_connect(plymouth_t)
@@ -38240,7 +38098,7 @@ index 22dac1f..b6781d5 100644
+ unconfined_domain_noaudit(unconfined_sendmail_t)
')
diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if
-index 22dfeb4..d9f5dbc 100644
+index bcdd16c..7c379a8 100644
--- a/policy/modules/services/setroubleshoot.if
+++ b/policy/modules/services/setroubleshoot.if
@@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',`
@@ -38392,11 +38250,11 @@ index adea9f9..d5b2d93 100644
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
-index 4804f14..761df2d 100644
+index 606a098..8b74d10 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
-@@ -72,16 +72,21 @@ files_exec_etc_files(fsdaemon_t)
- files_read_etc_runtime_files(fsdaemon_t)
+@@ -73,16 +73,21 @@ files_read_etc_runtime_files(fsdaemon_t)
+ files_read_usr_files(fsdaemon_t)
# for config
files_read_etc_files(fsdaemon_t)
+files_read_usr_files(fsdaemon_t)
@@ -39682,7 +39540,7 @@ index 22adaca..2cfaf93 100644
+ allow $1 sshd_t:process signull;
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..9a289e2 100644
+index 2dad3c8..f5c37de 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -39845,65 +39703,23 @@ index 2dad3c8..9a289e2 100644
')
tunable_policy(`use_nfs_home_dirs',`
-@@ -200,6 +211,57 @@ optional_policy(`
- xserver_domtrans_xauth(ssh_t)
+@@ -196,10 +207,15 @@ tunable_policy(`user_tcp_server',`
')
-+########################################
-+#
-+# ssh_keygen local policy
-+#
-+
-+# ssh_keygen_t is the type of the ssh-keygen program when run at install time
-+# and by sysadm_t
-+
-+dontaudit ssh_keygen_t self:capability sys_tty_config;
-+allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-+allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-+
-+allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-+files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
-+
-+manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
-+manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
-+userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
-+
-+kernel_read_kernel_sysctls(ssh_keygen_t)
-+
-+fs_search_auto_mountpoints(ssh_keygen_t)
-+
-+dev_read_sysfs(ssh_keygen_t)
-+dev_read_urand(ssh_keygen_t)
-+
-+term_dontaudit_use_console(ssh_keygen_t)
-+
-+domain_use_interactive_fds(ssh_keygen_t)
-+
-+files_read_etc_files(ssh_keygen_t)
-+
-+init_use_fds(ssh_keygen_t)
-+init_use_script_ptys(ssh_keygen_t)
-+
-+logging_send_syslog_msg(ssh_keygen_t)
-+
-+userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-+
-+optional_policy(`
-+ nscd_socket_use(ssh_keygen_t)
-+')
-+
-+optional_policy(`
-+ seutil_sigchld_newrole(ssh_keygen_t)
+ optional_policy(`
++ gnome_stream_connect_all_gkeyringd(ssh_t)
+')
+
+optional_policy(`
-+ udev_read_db(ssh_keygen_t)
-+')
+ xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
+ xserver_domtrans_xauth(ssh_t)
+ ')
+
+
##############################
#
# ssh_keysign_t local policy
-@@ -209,7 +271,7 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,7 +225,7 @@ tunable_policy(`allow_ssh_keysign',`
allow ssh_keysign_t self:capability { setgid setuid };
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
@@ -39912,7 +39728,7 @@ index 2dad3c8..9a289e2 100644
dev_read_urand(ssh_keysign_t)
-@@ -232,33 +294,43 @@ optional_policy(`
+@@ -232,33 +248,43 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -39965,7 +39781,7 @@ index 2dad3c8..9a289e2 100644
')
optional_policy(`
-@@ -266,11 +338,24 @@ optional_policy(`
+@@ -266,11 +292,24 @@ optional_policy(`
')
optional_policy(`
@@ -39991,7 +39807,7 @@ index 2dad3c8..9a289e2 100644
')
optional_policy(`
-@@ -284,6 +369,11 @@ optional_policy(`
+@@ -284,6 +323,11 @@ optional_policy(`
')
optional_policy(`
@@ -40003,7 +39819,7 @@ index 2dad3c8..9a289e2 100644
unconfined_shell_domtrans(sshd_t)
')
-@@ -292,26 +382,26 @@ optional_policy(`
+@@ -292,26 +336,26 @@ optional_policy(`
')
ifdef(`TODO',`
@@ -40049,7 +39865,7 @@ index 2dad3c8..9a289e2 100644
') dnl endif TODO
########################################
-@@ -324,7 +414,6 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -324,12 +368,15 @@ tunable_policy(`ssh_sysadm_login',`
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@@ -40057,17 +39873,24 @@ index 2dad3c8..9a289e2 100644
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-@@ -353,10 +442,6 @@ logging_send_syslog_msg(ssh_keygen_t)
+ files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
+
++manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
++
+ kernel_read_kernel_sysctls(ssh_keygen_t)
+
+ fs_search_auto_mountpoints(ssh_keygen_t)
+@@ -353,7 +400,7 @@ logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
optional_policy(`
- nscd_socket_use(ssh_keygen_t)
--')
--
--optional_policy(`
- seutil_sigchld_newrole(ssh_keygen_t)
++ nscd_socket_use(ssh_keygen_t)
')
+ optional_policy(`
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index 941380a..6dbfc01 100644
--- a/policy/modules/services/sssd.if
@@ -42459,7 +42282,7 @@ index 6f1e3c7..ecfe665 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..572b693 100644
+index 130ced9..33c8170 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -42474,10 +42297,10 @@ index da2601a..572b693 100644
')
role $1 types { xserver_t xauth_t iceauth_t };
-@@ -31,12 +32,13 @@ interface(`xserver_restricted_role',`
+@@ -30,12 +31,13 @@ interface(`xserver_restricted_role',`
+ allow xserver_t $2:fd use;
allow xserver_t $2:shm rw_shm_perms;
- domtrans_pattern($2, xserver_exec_t, xserver_t)
- allow xserver_t $2:process signal;
+ allow xserver_t $2:process { getpgid signal };
@@ -42489,7 +42312,7 @@ index da2601a..572b693 100644
allow $2 user_fonts_config_t:dir list_dir_perms;
allow $2 user_fonts_config_t:file read_file_perms;
-@@ -45,6 +47,8 @@ interface(`xserver_restricted_role',`
+@@ -44,6 +46,8 @@ interface(`xserver_restricted_role',`
manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -42498,7 +42321,7 @@ index da2601a..572b693 100644
files_search_tmp($2)
# Communicate via System V shared memory.
-@@ -70,17 +74,21 @@ interface(`xserver_restricted_role',`
+@@ -69,17 +73,21 @@ interface(`xserver_restricted_role',`
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -42524,7 +42347,7 @@ index da2601a..572b693 100644
dev_rw_xserver_misc($2)
dev_rw_power_management($2)
-@@ -89,14 +97,15 @@ interface(`xserver_restricted_role',`
+@@ -88,15 +96,17 @@ interface(`xserver_restricted_role',`
dev_write_misc($2)
# open office is looking for the following
dev_getattr_agp_dev($2)
@@ -42538,11 +42361,13 @@ index da2601a..572b693 100644
+ miscfiles_read_hwdata($2)
xserver_common_x_domain_template(user, $2)
+ xserver_domtrans($2)
- xserver_unconfined($2)
++ #xserver_unconfined($2)
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -106,12 +115,25 @@ interface(`xserver_restricted_role',`
+@@ -106,12 +116,25 @@ interface(`xserver_restricted_role',`
xserver_create_xdm_tmp_sockets($2)
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
@@ -42568,7 +42393,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -143,13 +165,15 @@ interface(`xserver_role',`
+@@ -143,13 +166,15 @@ interface(`xserver_role',`
allow $2 xserver_tmpfs_t:file rw_file_perms;
allow $2 iceauth_home_t:file manage_file_perms;
@@ -42586,7 +42411,7 @@ index da2601a..572b693 100644
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
-@@ -162,7 +186,6 @@ interface(`xserver_role',`
+@@ -162,7 +187,6 @@ interface(`xserver_role',`
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -42594,7 +42419,7 @@ index da2601a..572b693 100644
')
#######################################
-@@ -197,7 +220,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +221,7 @@ interface(`xserver_ro_session',`
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -42603,7 +42428,7 @@ index da2601a..572b693 100644
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -227,7 +250,7 @@ interface(`xserver_rw_session',`
+@@ -227,7 +251,7 @@ interface(`xserver_rw_session',`
type xserver_t, xserver_tmpfs_t;
')
@@ -42612,7 +42437,7 @@ index da2601a..572b693 100644
allow $1 xserver_t:shm rw_shm_perms;
allow $1 xserver_tmpfs_t:file rw_file_perms;
')
-@@ -255,7 +278,7 @@ interface(`xserver_non_drawing_client',`
+@@ -255,7 +279,7 @@ interface(`xserver_non_drawing_client',`
allow $1 self:x_gc { create setattr };
@@ -42621,7 +42446,7 @@ index da2601a..572b693 100644
allow $1 xserver_t:unix_stream_socket connectto;
allow $1 xextension_t:x_extension { query use };
-@@ -291,13 +314,13 @@ interface(`xserver_user_client',`
+@@ -291,13 +315,13 @@ interface(`xserver_user_client',`
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -42639,7 +42464,7 @@ index da2601a..572b693 100644
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -342,19 +365,23 @@ interface(`xserver_user_client',`
+@@ -342,19 +366,23 @@ interface(`xserver_user_client',`
#
template(`xserver_common_x_domain_template',`
gen_require(`
@@ -42666,7 +42491,7 @@ index da2601a..572b693 100644
')
##############################
-@@ -386,6 +413,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +414,15 @@ template(`xserver_common_x_domain_template',`
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
@@ -42682,7 +42507,7 @@ index da2601a..572b693 100644
')
#######################################
-@@ -444,8 +480,8 @@ template(`xserver_object_types_template',`
+@@ -444,8 +481,8 @@ template(`xserver_object_types_template',`
#
template(`xserver_user_x_domain_template',`
gen_require(`
@@ -42693,7 +42518,7 @@ index da2601a..572b693 100644
')
allow $2 self:shm create_shm_perms;
-@@ -458,9 +494,9 @@ template(`xserver_user_x_domain_template',`
+@@ -458,9 +495,9 @@ template(`xserver_user_x_domain_template',`
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -42705,7 +42530,7 @@ index da2601a..572b693 100644
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +508,25 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +509,25 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -42733,7 +42558,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -517,6 +558,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +559,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -42741,7 +42566,7 @@ index da2601a..572b693 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -545,6 +587,28 @@ interface(`xserver_domtrans_xauth',`
+@@ -545,6 +588,28 @@ interface(`xserver_domtrans_xauth',`
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -42770,7 +42595,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -598,6 +662,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +663,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -42778,7 +42603,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -615,7 +680,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +681,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -42787,7 +42612,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -651,7 +716,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +717,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -42796,7 +42621,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -670,7 +735,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +736,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -42805,7 +42630,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -688,7 +753,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +754,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -42814,7 +42639,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -703,12 +768,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +769,11 @@ interface(`xserver_rw_xdm_pipes',`
## </param>
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -42828,7 +42653,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -724,11 +788,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +789,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -42862,7 +42687,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -765,7 +849,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +850,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -42871,7 +42696,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -805,7 +889,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +890,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -42899,7 +42724,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -897,7 +1000,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1001,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -42908,7 +42733,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -916,7 +1019,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1020,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -42917,7 +42742,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -963,6 +1066,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1067,45 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
@@ -42963,7 +42788,7 @@ index da2601a..572b693 100644
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -976,7 +1118,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1119,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -42972,7 +42797,7 @@ index da2601a..572b693 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1180,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1181,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
## <summary>
@@ -43015,7 +42840,7 @@ index da2601a..572b693 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary>
-@@ -1052,7 +1230,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1231,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -43024,7 +42849,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -1070,8 +1248,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1249,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -43036,7 +42861,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -1185,6 +1365,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1366,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -43063,7 +42888,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -1210,7 +1410,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1411,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -43072,7 +42897,7 @@ index da2601a..572b693 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1220,13 +1420,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1421,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -43097,7 +42922,7 @@ index da2601a..572b693 100644
')
########################################
-@@ -1243,10 +1453,392 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1454,392 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -43493,15 +43318,9 @@ index da2601a..572b693 100644
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index edc58df..256a19a 100644
+index 6c01261..7add988 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
-@@ -1,4 +1,4 @@
--policy_module(xserver, 3.5.1)
-+policy_module(xserver, 3.5.2)
-
- gen_require(`
- class x_drawable all_x_drawable_perms;
@@ -26,27 +26,50 @@ gen_require(`
#
@@ -43561,13 +43380,7 @@ index edc58df..256a19a 100644
attribute x_domain;
# X Events
-@@ -104,26 +127,30 @@ typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xeven
-
- type remote_t;
- xserver_object_types_template(remote)
--xserver_common_x_domain_template(remote,remote_t)
-+xserver_common_x_domain_template(remote, remote_t)
-
+@@ -109,21 +132,25 @@ xserver_common_x_domain_template(remote, remote_t)
type user_fonts_t;
typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
@@ -43691,7 +43504,7 @@ index edc58df..256a19a 100644
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)
-@@ -234,9 +279,17 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+@@ -234,10 +279,17 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
allow xdm_t iceauth_home_t:file read_file_perms;
@@ -43700,7 +43513,7 @@ index edc58df..256a19a 100644
fs_search_auto_mountpoints(iceauth_t)
userdom_use_user_terminals(iceauth_t)
-+userdom_read_user_tmp_files(iceauth_t)
+ userdom_read_user_tmp_files(iceauth_t)
+userdom_read_all_users_state(iceauth_t)
+
+tunable_policy(`use_fusefs_home_dirs',`
@@ -43709,7 +43522,7 @@ index edc58df..256a19a 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
-@@ -246,50 +299,109 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,50 +299,109 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(iceauth_t)
')
@@ -43824,7 +43637,7 @@ index edc58df..256a19a 100644
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
-@@ -301,20 +413,33 @@ optional_policy(`
+@@ -302,20 +413,33 @@ optional_policy(`
# XDM Local policy
#
@@ -43862,7 +43675,7 @@ index edc58df..256a19a 100644
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -322,43 +447,69 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -323,43 +447,62 @@ can_exec(xdm_t, xdm_exec_t)
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -43886,15 +43699,7 @@ index edc58df..256a19a 100644
manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
--fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
--manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-+fs_getattr_all_fs(xdm_t)
-+fs_list_inotifyfs(xdm_t)
-+fs_dontaudit_list_noxattr_fs(xdm_t)
-+fs_dontaudit_read_noxattr_fs_files(xdm_t)
-+fs_manage_cgroup_dirs(xdm_t)
-+fs_manage_cgroup_files(xdm_t)
+-fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
+
@@ -43902,8 +43707,8 @@ index edc58df..256a19a 100644
+manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
+manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
+files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
-+
-+manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+
+ manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
+manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
@@ -43939,7 +43744,7 @@ index edc58df..256a19a 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -367,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -368,18 +511,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -43967,7 +43772,7 @@ index edc58df..256a19a 100644
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
-@@ -390,18 +549,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -391,18 +542,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -43991,7 +43796,7 @@ index edc58df..256a19a 100644
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -410,18 +573,24 @@ dev_setattr_xserver_misc_dev(xdm_t)
+@@ -411,18 +566,24 @@ dev_setattr_xserver_misc_dev(xdm_t)
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -44019,7 +43824,7 @@ index edc58df..256a19a 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -432,9 +601,17 @@ files_list_mnt(xdm_t)
+@@ -433,9 +594,22 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -44032,12 +43837,17 @@ index edc58df..256a19a 100644
fs_search_auto_mountpoints(xdm_t)
+fs_rw_anon_inodefs_files(xdm_t)
+fs_mount_tmpfs(xdm_t)
++fs_list_inotifyfs(xdm_t)
++fs_dontaudit_list_noxattr_fs(xdm_t)
++fs_dontaudit_read_noxattr_fs_files(xdm_t)
++fs_manage_cgroup_dirs(xdm_t)
++fs_manage_cgroup_files(xdm_t)
+
+mls_socket_write_to_clearance(xdm_t)
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -443,28 +620,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -444,28 +618,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -44076,7 +43886,7 @@ index edc58df..256a19a 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -473,9 +658,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -474,9 +656,30 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -44107,7 +43917,7 @@ index edc58df..256a19a 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
-@@ -491,6 +697,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -492,6 +695,14 @@ tunable_policy(`use_samba_home_dirs',`
fs_exec_cifs_files(xdm_t)
')
@@ -44122,7 +43932,7 @@ index edc58df..256a19a 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -504,11 +718,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -505,11 +716,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -44144,10 +43954,11 @@ index edc58df..256a19a 100644
')
optional_policy(`
-@@ -516,12 +740,54 @@ optional_policy(`
+@@ -517,7 +738,37 @@ optional_policy(`
')
optional_policy(`
+- cpufreqselector_dbus_chat(xdm_t)
+ # Use dbus to start other processes as xdm_t
+ dbus_role_template(xdm, system_r, xdm_t)
+
@@ -44164,7 +43975,7 @@ index edc58df..256a19a 100644
+ ')
+
+ optional_policy(`
-+ cpufreqselector_dbus_send(xdm_t)
++ cpufreqselector_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
@@ -44179,12 +43990,10 @@ index edc58df..256a19a 100644
+ optional_policy(`
+ networkmanager_dbus_chat(xdm_t)
+ ')
-+')
-+
-+optional_policy(`
- # Talk to the console mouse server.
- gpm_stream_connect(xdm_t)
- gpm_setattr_gpmctl(xdm_t)
+ ')
+
+ optional_policy(`
+@@ -527,6 +778,14 @@ optional_policy(`
')
optional_policy(`
@@ -44199,7 +44008,7 @@ index edc58df..256a19a 100644
hostname_exec(xdm_t)
')
-@@ -539,28 +805,65 @@ optional_policy(`
+@@ -544,28 +803,65 @@ optional_policy(`
')
optional_policy(`
@@ -44274,10 +44083,14 @@ index edc58df..256a19a 100644
')
optional_policy(`
-@@ -572,6 +875,10 @@ optional_policy(`
+@@ -577,6 +873,14 @@ optional_policy(`
')
optional_policy(`
++ vdagent_stream_connect(xdm_t)
++')
++
++optional_policy(`
+ wm_exec(xdm_t)
+')
+
@@ -44285,7 +44098,7 @@ index edc58df..256a19a 100644
xfs_stream_connect(xdm_t)
')
-@@ -596,7 +903,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -601,7 +905,7 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -44294,7 +44107,7 @@ index edc58df..256a19a 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -610,8 +917,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -615,8 +919,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -44310,7 +44123,7 @@ index edc58df..256a19a 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -630,12 +944,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -635,12 +946,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -44332,7 +44145,7 @@ index edc58df..256a19a 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -643,6 +964,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -648,6 +966,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -44340,7 +44153,7 @@ index edc58df..256a19a 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -669,7 +991,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -674,7 +993,6 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -44348,7 +44161,7 @@ index edc58df..256a19a 100644
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -679,11 +1000,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -684,11 +1002,17 @@ dev_wx_raw_memory(xserver_t)
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -44366,7 +44179,7 @@ index edc58df..256a19a 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,8 +1021,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -699,8 +1023,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -44380,7 +44193,7 @@ index edc58df..256a19a 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -708,8 +1040,6 @@ init_getpgid(xserver_t)
+@@ -713,8 +1042,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -44389,7 +44202,7 @@ index edc58df..256a19a 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -717,15 +1047,17 @@ logging_send_audit_msgs(xserver_t)
+@@ -722,11 +1049,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -44404,12 +44217,7 @@ index edc58df..256a19a 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
- userdom_setattr_user_ttys(xserver_t)
-+userdom_read_user_tmp_files(xserver_t)
- userdom_rw_user_tmpfs_files(xserver_t)
-
- xserver_use_user_fonts(xserver_t)
-@@ -774,16 +1106,36 @@ optional_policy(`
+@@ -780,16 +1108,36 @@ optional_policy(`
')
optional_policy(`
@@ -44447,7 +44255,7 @@ index edc58df..256a19a 100644
unconfined_domtrans(xserver_t)
')
-@@ -792,6 +1144,10 @@ optional_policy(`
+@@ -798,6 +1146,10 @@ optional_policy(`
')
optional_policy(`
@@ -44458,7 +44266,7 @@ index edc58df..256a19a 100644
xfs_stream_connect(xserver_t)
')
-@@ -807,10 +1163,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -813,10 +1165,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -44472,7 +44280,7 @@ index edc58df..256a19a 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -818,7 +1174,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -824,7 +1176,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -44481,7 +44289,7 @@ index edc58df..256a19a 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -831,6 +1187,9 @@ init_use_fds(xserver_t)
+@@ -837,6 +1189,9 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -44491,7 +44299,7 @@ index edc58df..256a19a 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -838,6 +1197,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -844,6 +1199,11 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_symlinks(xserver_t)
')
@@ -44503,7 +44311,7 @@ index edc58df..256a19a 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
-@@ -846,11 +1210,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -852,11 +1212,14 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -44520,7 +44328,7 @@ index edc58df..256a19a 100644
')
optional_policy(`
-@@ -858,6 +1225,10 @@ optional_policy(`
+@@ -864,6 +1227,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -44531,7 +44339,7 @@ index edc58df..256a19a 100644
########################################
#
# Rules common to all X window domains
-@@ -901,7 +1272,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -907,7 +1274,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -44540,7 +44348,7 @@ index edc58df..256a19a 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -955,11 +1326,31 @@ allow x_domain self:x_resource { read write };
+@@ -961,11 +1328,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -44572,7 +44380,7 @@ index edc58df..256a19a 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -981,18 +1372,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -987,18 +1374,32 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -45211,7 +45019,7 @@ index 2952cef..4485fd5 100644
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index bea0ade..a0feb45 100644
+index 42b4f0f..e6b751b 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -45600,10 +45408,10 @@ index bea0ade..a0feb45 100644
optional_policy(`
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 54d122b..b86897f 100644
+index 66d13c4..66a0a25 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
-@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.0)
+@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.1)
# Declarations
#
@@ -45637,16 +45445,7 @@ index 54d122b..b86897f 100644
type pam_var_run_t;
files_pid_file(pam_var_run_t)
-@@ -83,7 +98,7 @@ logging_log_file(wtmp_t)
-
- allow chkpwd_t self:capability { dac_override setuid };
- dontaudit chkpwd_t self:capability sys_tty_config;
--allow chkpwd_t self:process getattr;
-+allow chkpwd_t self:process { getattr signal };
-
- allow chkpwd_t shadow_t:file read_file_perms;
- files_list_etc(chkpwd_t)
-@@ -99,6 +114,8 @@ dev_read_urand(chkpwd_t)
+@@ -100,6 +115,8 @@ dev_read_urand(chkpwd_t)
files_read_etc_files(chkpwd_t)
# for nscd
files_dontaudit_search_var(chkpwd_t)
@@ -45655,7 +45454,7 @@ index 54d122b..b86897f 100644
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
-@@ -394,3 +411,13 @@ optional_policy(`
+@@ -395,3 +412,13 @@ optional_policy(`
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
@@ -46023,10 +45822,10 @@ index 882c6a2..d0ff4ec 100644
')
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 6fed22c..06e5395 100644
+index 354ce93..f7cda1c 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
-@@ -33,7 +33,21 @@ ifdef(`distro_gentoo', `
+@@ -33,6 +33,19 @@ ifdef(`distro_gentoo', `
#
# /sbin
#
@@ -46044,11 +45843,9 @@ index 6fed22c..06e5395 100644
+# /sbin
+#
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
-+/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-
- ifdef(`distro_gentoo', `
- /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
-@@ -53,6 +67,9 @@ ifdef(`distro_gentoo', `
+ # because nowadays, /sbin/init is often a symlink to /sbin/upstart
+ /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+@@ -55,6 +68,9 @@ ifdef(`distro_gentoo', `
/usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -46059,7 +45856,7 @@ index 6fed22c..06e5395 100644
#
# /var
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..2657c0b 100644
+index cc83689..6a82950 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,40 @@ interface(`init_script_domain',`
@@ -46502,7 +46299,7 @@ index cc83689..2657c0b 100644
')
########################################
-@@ -1749,3 +1961,93 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +1961,120 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -46596,8 +46393,35 @@ index cc83689..2657c0b 100644
+
+ allow $1 init_t:unix_dgram_socket sendto;
+')
++
++########################################
++## <summary>
++## Create a file type used for init socket files.
++## </summary>
++## <desc>
++## <p>
++## This defines a type that init can create sock_file within for
++## impersonation purposes
++## </p>
++## </desc>
++## <param name="script_file">
++## <summary>
++## Type to be used for a sock file.
++## </summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`init_sock_file',`
++ gen_require(`
++ attribute init_sock_file_type;
++ ')
++
++ typeattribute $1 init_sock_file_type;
++
++')
++
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 77e8ca8..5740175 100644
+index ea29513..2370758 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -46635,15 +46459,17 @@ index 77e8ca8..5740175 100644
# used for direct running of init scripts
# by admin domains
attribute direct_run_init;
-@@ -25,6 +53,7 @@ attribute direct_init_entry;
+@@ -25,6 +53,9 @@ attribute direct_init_entry;
attribute init_script_domain_type;
attribute init_script_file_type;
attribute init_run_all_scripts_domain;
+attribute initrc_transition_domain;
++# Attribute used for systemd so domains can allow systemd to create sock_files
++attribute init_sock_file_type;
# Mark process types as daemons
attribute daemon;
-@@ -32,7 +61,7 @@ attribute daemon;
+@@ -32,7 +63,7 @@ attribute daemon;
#
# init_t is the domain of the init process.
#
@@ -46652,7 +46478,7 @@ index 77e8ca8..5740175 100644
type init_exec_t;
domain_type(init_t)
domain_entry_file(init_t, init_exec_t)
-@@ -63,6 +92,8 @@ role system_r types initrc_t;
+@@ -63,6 +94,8 @@ role system_r types initrc_t;
# of the below init_upstart tunable
# but this has a typeattribute in it
corecmd_shell_entry_type(initrc_t)
@@ -46661,7 +46487,7 @@ index 77e8ca8..5740175 100644
type initrc_devpts_t;
term_pty(initrc_devpts_t)
-@@ -87,7 +118,7 @@ ifdef(`enable_mls',`
+@@ -87,7 +120,7 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
@@ -46670,7 +46496,7 @@ index 77e8ca8..5740175 100644
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -100,7 +131,9 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -100,7 +133,9 @@ allow init_t self:fifo_file rw_fifo_file_perms;
# Re-exec itself
can_exec(init_t, init_exec_t)
@@ -46681,7 +46507,7 @@ index 77e8ca8..5740175 100644
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file manage_file_perms;
-@@ -114,11 +147,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -114,11 +149,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -46695,7 +46521,7 @@ index 77e8ca8..5740175 100644
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
-@@ -127,9 +162,13 @@ domain_kill_all_domains(init_t)
+@@ -127,9 +164,13 @@ domain_kill_all_domains(init_t)
domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
@@ -46709,7 +46535,7 @@ index 77e8ca8..5740175 100644
files_rw_generic_pids(init_t)
files_dontaudit_search_isid_type_dirs(init_t)
files_manage_etc_runtime_files(init_t)
-@@ -151,6 +190,7 @@ mls_file_read_all_levels(init_t)
+@@ -151,6 +192,7 @@ mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
mls_process_write_down(init_t)
mls_fd_use_all_levels(init_t)
@@ -46717,7 +46543,7 @@ index 77e8ca8..5740175 100644
selinux_set_all_booleans(init_t)
-@@ -162,12 +202,15 @@ init_domtrans_script(init_t)
+@@ -162,12 +204,15 @@ init_domtrans_script(init_t)
libs_rw_ld_so_cache(init_t)
logging_send_syslog_msg(init_t)
@@ -46733,7 +46559,7 @@ index 77e8ca8..5740175 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
')
-@@ -178,7 +221,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +223,7 @@ ifdef(`distro_redhat',`
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
')
@@ -46742,7 +46568,7 @@ index 77e8ca8..5740175 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +229,103 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +231,105 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -46818,6 +46644,8 @@ index 77e8ca8..5740175 100644
+ # needs to remain
+ logging_create_devlog_dev(init_t)
+
++ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
++
+# miscfiles_delete_man_pages(init_t)
+# miscfiles_relabel_man_pages(init_t)
+
@@ -46846,7 +46674,7 @@ index 77e8ca8..5740175 100644
')
optional_policy(`
-@@ -199,10 +333,25 @@ optional_policy(`
+@@ -199,10 +337,25 @@ optional_policy(`
')
optional_policy(`
@@ -46872,7 +46700,7 @@ index 77e8ca8..5740175 100644
unconfined_domain(init_t)
')
-@@ -212,7 +361,7 @@ optional_policy(`
+@@ -212,7 +365,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -46881,7 +46709,7 @@ index 77e8ca8..5740175 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +390,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +394,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -46896,7 +46724,7 @@ index 77e8ca8..5740175 100644
init_write_initctl(initrc_t)
-@@ -258,11 +409,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +413,23 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -46920,7 +46748,7 @@ index 77e8ca8..5740175 100644
corecmd_exec_all_executables(initrc_t)
-@@ -279,6 +442,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +446,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -46928,7 +46756,7 @@ index 77e8ca8..5740175 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -291,6 +455,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +459,7 @@ dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
@@ -46936,7 +46764,7 @@ index 77e8ca8..5740175 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +463,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +467,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -46952,7 +46780,7 @@ index 77e8ca8..5740175 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -323,8 +488,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +492,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -46964,7 +46792,7 @@ index 77e8ca8..5740175 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +507,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +511,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -46978,7 +46806,7 @@ index 77e8ca8..5740175 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +522,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +526,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -46987,7 +46815,7 @@ index 77e8ca8..5740175 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +536,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +540,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -46995,7 +46823,7 @@ index 77e8ca8..5740175 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +548,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +552,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -47003,7 +46831,7 @@ index 77e8ca8..5740175 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,13 +569,12 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +573,12 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -47019,7 +46847,7 @@ index 77e8ca8..5740175 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -478,7 +652,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +656,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -47028,7 +46856,7 @@ index 77e8ca8..5740175 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -524,6 +698,23 @@ ifdef(`distro_redhat',`
+@@ -524,6 +702,23 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -47052,7 +46880,7 @@ index 77e8ca8..5740175 100644
')
optional_policy(`
-@@ -531,10 +722,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +726,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -47070,7 +46898,7 @@ index 77e8ca8..5740175 100644
')
optional_policy(`
-@@ -549,6 +747,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +751,39 @@ ifdef(`distro_suse',`
')
')
@@ -47110,7 +46938,7 @@ index 77e8ca8..5740175 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +792,8 @@ optional_policy(`
+@@ -561,6 +796,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -47119,7 +46947,7 @@ index 77e8ca8..5740175 100644
')
optional_policy(`
-@@ -577,6 +810,7 @@ optional_policy(`
+@@ -577,6 +814,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -47127,7 +46955,7 @@ index 77e8ca8..5740175 100644
')
optional_policy(`
-@@ -589,6 +823,11 @@ optional_policy(`
+@@ -589,6 +827,11 @@ optional_policy(`
')
optional_policy(`
@@ -47139,7 +46967,7 @@ index 77e8ca8..5740175 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +844,13 @@ optional_policy(`
+@@ -605,9 +848,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -47153,7 +46981,7 @@ index 77e8ca8..5740175 100644
')
optional_policy(`
-@@ -649,6 +892,11 @@ optional_policy(`
+@@ -649,6 +896,11 @@ optional_policy(`
')
optional_policy(`
@@ -47165,7 +46993,7 @@ index 77e8ca8..5740175 100644
inn_exec_config(initrc_t)
')
-@@ -706,7 +954,13 @@ optional_policy(`
+@@ -706,7 +958,13 @@ optional_policy(`
')
optional_policy(`
@@ -47179,7 +47007,7 @@ index 77e8ca8..5740175 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +983,10 @@ optional_policy(`
+@@ -729,6 +987,10 @@ optional_policy(`
')
optional_policy(`
@@ -47190,7 +47018,7 @@ index 77e8ca8..5740175 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +996,20 @@ optional_policy(`
+@@ -738,10 +1000,20 @@ optional_policy(`
')
optional_policy(`
@@ -47211,7 +47039,7 @@ index 77e8ca8..5740175 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1018,10 @@ optional_policy(`
+@@ -750,6 +1022,10 @@ optional_policy(`
')
optional_policy(`
@@ -47222,7 +47050,7 @@ index 77e8ca8..5740175 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1043,6 @@ optional_policy(`
+@@ -771,8 +1047,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -47231,7 +47059,7 @@ index 77e8ca8..5740175 100644
')
optional_policy(`
-@@ -781,14 +1051,21 @@ optional_policy(`
+@@ -781,14 +1055,21 @@ optional_policy(`
')
optional_policy(`
@@ -47253,7 +47081,7 @@ index 77e8ca8..5740175 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -810,11 +1087,19 @@ optional_policy(`
+@@ -810,11 +1091,19 @@ optional_policy(`
')
optional_policy(`
@@ -47274,7 +47102,7 @@ index 77e8ca8..5740175 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1109,25 @@ optional_policy(`
+@@ -824,6 +1113,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -47300,7 +47128,7 @@ index 77e8ca8..5740175 100644
')
optional_policy(`
-@@ -849,3 +1153,37 @@ optional_policy(`
+@@ -849,3 +1157,37 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -48702,10 +48530,10 @@ index 9b5a9ed..7ea0ae3 100644
')
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..526d11c 100644
+index 879bb1e..7b22111 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
-@@ -28,10 +28,13 @@ ifdef(`distro_gentoo',`
+@@ -28,20 +28,24 @@ ifdef(`distro_gentoo',`
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -48719,7 +48547,19 @@ index 879bb1e..526d11c 100644
/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -97,5 +100,7 @@ ifdef(`distro_gentoo',`
+ /sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
+-/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
+@@ -97,5 +101,7 @@ ifdef(`distro_gentoo',`
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -49179,7 +49019,7 @@ index 72c746e..3d0bc28 100644
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 8b5c196..83107f9 100644
+index 8b5c196..6dc92dd 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,16 @@ interface(`mount_domtrans',`
@@ -49199,7 +49039,7 @@ index 8b5c196..83107f9 100644
')
########################################
-@@ -45,8 +55,54 @@ interface(`mount_run',`
+@@ -45,12 +55,77 @@ interface(`mount_run',`
role $2 types mount_t;
optional_policy(`
@@ -49222,11 +49062,11 @@ index 8b5c196..83107f9 100644
+
+ optional_policy(`
+ samba_run_smbmount(mount_t, $2)
-+ ')
-+')
-+
-+########################################
-+## <summary>
+ ')
+ ')
+
+ ########################################
+ ## <summary>
+## Execute fusermount in the mount domain, and
+## allow the specified role the mount domain,
+## and use the caller's terminal.
@@ -49246,16 +49086,39 @@ index 8b5c196..83107f9 100644
+interface(`mount_run_fusermount',`
+ gen_require(`
+ type mount_t;
- ')
++ ')
+
+ mount_domtrans_fusermount($1)
+ role $2 types mount_t;
+
+ fstools_run(mount_t, $2)
- ')
-
- ########################################
-@@ -84,9 +140,11 @@ interface(`mount_exec',`
++')
++
++########################################
++## <summary>
++## Read mount PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mount_read_pid_files',`
++ gen_require(`
++ type mount_var_run_t;
++ ')
++
++ allow $1 mount_var_run_t:file read_file_perms;
++ files_search_pids($1)
++')
++
++########################################
++## <summary>
+ ## Execute mount in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -84,9 +159,11 @@ interface(`mount_exec',`
interface(`mount_signal',`
gen_require(`
type mount_t;
@@ -49267,7 +49130,7 @@ index 8b5c196..83107f9 100644
')
########################################
-@@ -95,7 +153,7 @@ interface(`mount_signal',`
+@@ -95,7 +172,7 @@ interface(`mount_signal',`
## </summary>
## <param name="domain">
## <summary>
@@ -49276,7 +49139,7 @@ index 8b5c196..83107f9 100644
## </summary>
## </param>
#
-@@ -135,6 +193,24 @@ interface(`mount_send_nfs_client_request',`
+@@ -135,6 +212,24 @@ interface(`mount_send_nfs_client_request',`
########################################
## <summary>
@@ -49301,7 +49164,7 @@ index 8b5c196..83107f9 100644
## Execute mount in the unconfined mount domain.
## </summary>
## <param name="domain">
-@@ -176,4 +252,109 @@ interface(`mount_run_unconfined',`
+@@ -176,4 +271,110 @@ interface(`mount_run_unconfined',`
mount_domtrans_unconfined($1)
role $2 types unconfined_mount_t;
@@ -49331,6 +49194,7 @@ index 8b5c196..83107f9 100644
+ ')
+
+ domtrans_pattern($1, fusermount_exec_t, mount_t)
++ ps_process_pattern(mount_t, $1)
+')
+
+########################################
@@ -50744,7 +50608,7 @@ index 1447687..cdc0223 100644
type setrans_initrc_exec_t;
init_script_file(setrans_initrc_exec_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 726619b..ece1edf 100644
+index 694fd94..334e80e 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -10,10 +10,10 @@
@@ -50768,7 +50632,7 @@ index 726619b..ece1edf 100644
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 8e71fb7..065b98e 100644
+index ff80d0a..7f1a21c 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',`
@@ -50796,7 +50660,7 @@ index 8e71fb7..065b98e 100644
')
########################################
-@@ -249,6 +267,43 @@ interface(`sysnet_delete_dhcpc_state',`
+@@ -269,6 +287,43 @@ interface(`sysnet_delete_dhcpc_state',`
delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
')
@@ -50840,7 +50704,7 @@ index 8e71fb7..065b98e 100644
#######################################
## <summary>
## Set the attributes of network config files.
-@@ -270,6 +325,44 @@ interface(`sysnet_setattr_config',`
+@@ -290,6 +345,44 @@ interface(`sysnet_setattr_config',`
#######################################
## <summary>
@@ -50885,7 +50749,7 @@ index 8e71fb7..065b98e 100644
## Read network config files.
## </summary>
## <desc>
-@@ -406,6 +499,7 @@ interface(`sysnet_manage_config',`
+@@ -426,6 +519,7 @@ interface(`sysnet_manage_config',`
allow $1 net_conf_t:file manage_file_perms;
ifdef(`distro_redhat',`
@@ -50893,7 +50757,7 @@ index 8e71fb7..065b98e 100644
manage_files_pattern($1, net_conf_t, net_conf_t)
')
')
-@@ -444,6 +538,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+@@ -464,6 +558,7 @@ interface(`sysnet_delete_dhcpc_pid',`
type dhcpc_var_run_t;
')
@@ -50901,7 +50765,7 @@ index 8e71fb7..065b98e 100644
allow $1 dhcpc_var_run_t:file unlink;
')
-@@ -464,6 +559,9 @@ interface(`sysnet_domtrans_ifconfig',`
+@@ -484,6 +579,9 @@ interface(`sysnet_domtrans_ifconfig',`
corecmd_search_bin($1)
domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
@@ -50911,7 +50775,7 @@ index 8e71fb7..065b98e 100644
')
########################################
-@@ -534,6 +632,25 @@ interface(`sysnet_signal_ifconfig',`
+@@ -554,6 +652,25 @@ interface(`sysnet_signal_ifconfig',`
########################################
## <summary>
@@ -50937,7 +50801,7 @@ index 8e71fb7..065b98e 100644
## Read the DHCP configuration files.
## </summary>
## <param name="domain">
-@@ -641,6 +758,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -661,6 +778,8 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
@@ -50946,7 +50810,7 @@ index 8e71fb7..065b98e 100644
sysnet_read_config($1)
optional_policy(`
-@@ -678,6 +797,9 @@ interface(`sysnet_use_ldap',`
+@@ -698,6 +817,9 @@ interface(`sysnet_use_ldap',`
corenet_sendrecv_ldap_client_packets($1)
sysnet_read_config($1)
@@ -50956,7 +50820,7 @@ index 8e71fb7..065b98e 100644
')
########################################
-@@ -711,3 +833,49 @@ interface(`sysnet_use_portmap',`
+@@ -731,3 +853,49 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -51007,10 +50871,10 @@ index 8e71fb7..065b98e 100644
+ role_transition $1 dhcpc_exec_t system_r;
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index dfbe736..8b2297c 100644
+index df32316..6de83ef 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
-@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0)
+@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.1)
# Declarations
#
@@ -51228,10 +51092,12 @@ index dfbe736..8b2297c 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
-index 0000000..64fc1a5
+index 0000000..50aed3b
--- /dev/null
+++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,9 @@
+@@ -0,0 +1,11 @@
++/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
++
+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+
@@ -51243,10 +51109,10 @@ index 0000000..64fc1a5
+
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..eed77d0
+index 0000000..1d17a7b
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,122 @@
+@@ -0,0 +1,139 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -51285,6 +51151,23 @@ index 0000000..eed77d0
+ domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
+')
+
++########################################
++## <summary>
++## Execute a domain transition to run systemd_notify.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_notify_domtrans',`
++ gen_require(`
++ type systemd_notify_t, systemd_notify_exec_t;
++ ')
++
++ domtrans_pattern($1, systemd_notify_exec_t, systemd_notify_t)
++')
+
+########################################
+## <summary>
@@ -51371,10 +51254,10 @@ index 0000000..eed77d0
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..d09b523
+index 0000000..38f7fe1
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,108 @@
+@@ -0,0 +1,134 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -51397,7 +51280,12 @@ index 0000000..d09b523
+type systemd_tmpfiles_exec_t;
+init_systemd_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
+
++type systemd_notify_t;
++type systemd_notify_exec_t;
++init_systemd_domain(systemd_notify_t, systemd_notify_exec_t)
++
+permissive systemd_tmpfiles_t;
++permissive systemd_notify_t;
+
+#
+# Type for systemd pipes in /dev/.systemd/ directory
@@ -51483,23 +51371,38 @@ index 0000000..d09b523
+ auth_rw_login_records(systemd_tmpfiles_t)
+')
+
++########################################
++#
++# systemd_notify local policy
++#
++allow systemd_notify_t self:capability { chown };
++allow systemd_notify_t self:process { fork setfscreate setsockcreate };
++
++allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
++allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
++
++domain_use_interactive_fds(systemd_notify_t)
++
++files_read_etc_files(systemd_notify_t)
++
++auth_use_nsswitch(systemd_notify_t)
++
++miscfiles_read_localization(systemd_notify_t)
++
++optional_policy(`
++ readahead_manage_pid_files(systemd_notify_t)
++')
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index d1c22f3..44fe366 100644
+index 0291685..44fe366 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
-@@ -1,4 +1,4 @@
--/dev/\.udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
-+/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
- /dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
- /dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
-
@@ -22,3 +22,4 @@
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 025348a..ad5bfd8 100644
+index 025348a..8b50d5f 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@@ -51584,7 +51487,7 @@ index 025348a..ad5bfd8 100644
+#
+interface(`udev_run',`
+ gen_require(`
-+ type iptables_t;
++ type udev_t;
+ ')
+
+ udev_domtrans($1)
@@ -51624,15 +51527,9 @@ index 025348a..ad5bfd8 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 8f852e5..d3c3938 100644
+index d88f7c3..d3c3938 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
-@@ -1,4 +1,4 @@
--policy_module(udev, 1.12.1)
-+policy_module(udev, 1.12.2)
-
- ########################################
- #
@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -52530,7 +52427,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..e4b6f01 100644
+index 28b88de..774a8cc 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -53574,7 +53471,7 @@ index 28b88de..e4b6f01 100644
userdom_common_user_template($1)
##############################
-@@ -956,54 +1164,77 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1164,78 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -53666,6 +53563,7 @@ index 28b88de..e4b6f01 100644
optional_policy(`
- setroubleshoot_stream_connect($1_t)
+ mount_run_fusermount($1_t, $1_r)
++ mount_read_pid_files($1_t)
+ ')
+
+ optional_policy(`
@@ -53682,7 +53580,7 @@ index 28b88de..e4b6f01 100644
')
')
-@@ -1039,7 +1270,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1271,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -53691,7 +53589,7 @@ index 28b88de..e4b6f01 100644
')
##############################
-@@ -1066,6 +1297,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1298,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -53699,7 +53597,7 @@ index 28b88de..e4b6f01 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1306,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1307,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -53709,7 +53607,7 @@ index 28b88de..e4b6f01 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1323,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1324,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -53717,7 +53615,7 @@ index 28b88de..e4b6f01 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,6 +1341,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,6 +1342,8 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -53726,7 +53624,7 @@ index 28b88de..e4b6f01 100644
domain_setpriority_all_domains($1_t)
domain_read_all_domains_state($1_t)
-@@ -1119,15 +1357,19 @@ template(`userdom_admin_user_template',`
+@@ -1119,15 +1358,19 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -53746,7 +53644,7 @@ index 28b88de..e4b6f01 100644
term_use_all_terms($1_t)
-@@ -1141,7 +1383,10 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1384,10 @@ template(`userdom_admin_user_template',`
logging_send_syslog_msg($1_t)
@@ -53758,7 +53656,7 @@ index 28b88de..e4b6f01 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1455,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1456,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -53767,7 +53665,7 @@ index 28b88de..e4b6f01 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,6 +1469,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1470,7 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -53775,7 +53673,7 @@ index 28b88de..e4b6f01 100644
auth_relabel_all_files_except_shadow($1)
auth_relabel_shadow($1)
-@@ -1237,6 +1485,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1486,7 @@ template(`userdom_security_admin_template',`
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -53783,7 +53681,7 @@ index 28b88de..e4b6f01 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1279,11 +1528,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1529,37 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -53821,7 +53719,7 @@ index 28b88de..e4b6f01 100644
ubac_constrained($1)
')
-@@ -1395,6 +1670,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1671,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -53829,7 +53727,7 @@ index 28b88de..e4b6f01 100644
files_search_home($1)
')
-@@ -1441,6 +1717,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1718,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -53844,7 +53742,7 @@ index 28b88de..e4b6f01 100644
')
########################################
-@@ -1456,9 +1740,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1741,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -53856,7 +53754,7 @@ index 28b88de..e4b6f01 100644
')
########################################
-@@ -1515,10 +1801,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1802,10 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -53869,7 +53767,7 @@ index 28b88de..e4b6f01 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1526,33 +1812,69 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,33 +1813,69 @@ interface(`userdom_relabelto_user_home_dirs',`
## </summary>
## </param>
#
@@ -53959,7 +53857,7 @@ index 28b88de..e4b6f01 100644
## <summary>
## Domain allowed to transition.
## </summary>
-@@ -1589,6 +1911,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1912,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -53968,7 +53866,7 @@ index 28b88de..e4b6f01 100644
')
########################################
-@@ -1603,10 +1927,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1928,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -53983,7 +53881,7 @@ index 28b88de..e4b6f01 100644
')
########################################
-@@ -1649,6 +1975,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1976,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -54009,7 +53907,7 @@ index 28b88de..e4b6f01 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1700,12 +2045,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2046,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -54042,7 +53940,7 @@ index 28b88de..e4b6f01 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2081,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2082,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -54060,7 +53958,7 @@ index 28b88de..e4b6f01 100644
')
########################################
-@@ -1810,8 +2178,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2179,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -54070,7 +53968,7 @@ index 28b88de..e4b6f01 100644
')
########################################
-@@ -1827,21 +2194,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2195,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -54096,7 +53994,7 @@ index 28b88de..e4b6f01 100644
########################################
## <summary>
## Do not audit attempts to execute user home files.
-@@ -2182,7 +2543,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2544,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -54105,7 +54003,7 @@ index 28b88de..e4b6f01 100644
')
########################################
-@@ -2435,13 +2796,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2797,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -54121,7 +54019,7 @@ index 28b88de..e4b6f01 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,26 +2824,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2825,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -54148,7 +54046,7 @@ index 28b88de..e4b6f01 100644
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2815,7 +3157,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3158,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -54157,7 +54055,7 @@ index 28b88de..e4b6f01 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3173,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3174,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -54173,7 +54071,7 @@ index 28b88de..e4b6f01 100644
')
########################################
-@@ -2917,7 +3261,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3262,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -54182,7 +54080,7 @@ index 28b88de..e4b6f01 100644
')
########################################
-@@ -2972,7 +3316,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3317,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -54229,7 +54127,7 @@ index 28b88de..e4b6f01 100644
')
########################################
-@@ -3009,6 +3391,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3392,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -54237,7 +54135,7 @@ index 28b88de..e4b6f01 100644
kernel_search_proc($1)
')
-@@ -3139,3 +3522,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3523,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
More information about the scm-commits
mailing list