[selinux-policy/f15/master] - A lot of fixes making /run change working - Add subs file to equate /var/run with /run and /var/lo

Miroslav Grepl mgrepl at fedoraproject.org
Thu Mar 31 21:08:24 UTC 2011


commit 143c3c644e7f8dfdcfed561317a679ddec857dd6
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Mar 31 23:08:45 2011 +0000

    - A lot of fixes making /run change working
    - Add subs file to equate /var/run with /run and /var/lock with /run/lock
    - Allow rgmanager to send the kill signal to all users
    - Allow ssh_t to search /root/.ssh and create it if it does not exist
    - dontaudit read of user_tmp_t from load_policy
    - Allow abrt fowner capability
    - Allow audit daemons to change the run level in MLS environments
    - Since /var/lock is moving to /run/lock.  We need to allow all interfaces for lock files to search var_run_t
    - Add file label for MathKernel
    - Add label for /dev/dlm*
    - Allow systemd_tmpfiles_t to manage sandbox data
    - More /run directories labels
    - rlogind sends kill signal to chkpwd_t
    - systemd is now mounting on /var/lock

 policy-F15.patch    |  762 +++++++++++++++++++++++++++++++++++++--------------
 selinux-policy.spec |   15 +-
 2 files changed, 571 insertions(+), 206 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 873d343..716da52 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -1,12 +1,12 @@
 diff --git a/Makefile b/Makefile
-index b8486a0..72a53cc 100644
+index b8486a0..6153c8b 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
  SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
  SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
  SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
-+SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen
++#SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen
  LOADPOLICY ?= $(tc_usrsbindir)/load_policy
  SETFILES ?= $(tc_sbindir)/setfiles
  XMLLINT ?= $(BINDIR)/xmllint
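Review bot: The `SEPOLGEN` variable is left in the Makefile as a commented-out line, and the matching `$(SEPOLGEN) -p ...` step of the `validate` target in Rules.modular (next hunk) is commented out the same way, with nothing saying why. That takes the sepolgen-ifgen pass out of policy validation, which the commit description does not mention. Either drop both lines from the patch or put a reason above each, for example `# sepolgen-ifgen check disabled: <reason / bug reference>`, so the check is not forgotten.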
@@ -20,14 +20,14 @@ index b8486a0..72a53cc 100644
  
  all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
 diff --git a/Rules.modular b/Rules.modular
-index 168a14f..c2bf491 100644
+index 168a14f..cc1f793 100644
 --- a/Rules.modular
 +++ b/Rules.modular
 @@ -207,6 +207,7 @@ validate: $(base_pkg) $(mod_pkgs)
  	@echo "Validating policy linking."
  	$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
  	$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
-+	$(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output
++#	$(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output
  	@echo "Success."
  
  ########################################
@@ -1426,10 +1426,10 @@ index 7077413..56d1ecb 100644
 +
 +/dev/\.systemd/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_run_t,s0)
 diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if
-index 47c4723..c1bed2b 100644
+index 47c4723..1f57c34 100644
 --- a/policy/modules/admin/readahead.if
 +++ b/policy/modules/admin/readahead.if
-@@ -1 +1,42 @@
+@@ -1 +1,43 @@
  ## <summary>Readahead, read files into page cache for improved performance</summary>
 +
 +########################################
@@ -1470,10 +1470,11 @@ index 47c4723..c1bed2b 100644
 +	manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t)
 +	dev_filetrans($1, readahead_var_run_t, { dir  file })
 +	files_search_pids($1)	
++	init_search_pid_dirs($1)
 +')
 +
 diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
-index b4ac57e..9702e8c 100644
+index b4ac57e..275323b 100644
 --- a/policy/modules/admin/readahead.te
 +++ b/policy/modules/admin/readahead.te
 @@ -16,13 +16,14 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
@@ -1492,7 +1493,7 @@ index b4ac57e..9702e8c 100644
  dontaudit readahead_t self:capability { net_admin sys_tty_config };
  allow readahead_t self:process { setsched signal_perms };
  
-@@ -31,7 +32,9 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
+@@ -31,7 +32,10 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
  files_search_var_lib(readahead_t)
  
  manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
@@ -1500,10 +1501,11 @@ index b4ac57e..9702e8c 100644
 +manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
 +files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
 +dev_filetrans(readahead_t, readahead_var_run_t, { dir file })
++init_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
  
  kernel_read_all_sysctls(readahead_t)
  kernel_read_system_state(readahead_t)
-@@ -53,10 +56,18 @@ domain_read_all_domains_state(readahead_t)
+@@ -53,10 +57,18 @@ domain_read_all_domains_state(readahead_t)
  
  files_list_non_security(readahead_t)
  files_read_non_security_files(readahead_t)
@@ -1522,7 +1524,7 @@ index b4ac57e..9702e8c 100644
  
  fs_getattr_all_fs(readahead_t)
  fs_search_auto_mountpoints(readahead_t)
-@@ -66,12 +77,14 @@ fs_read_cgroup_files(readahead_t)
+@@ -66,12 +78,14 @@ fs_read_cgroup_files(readahead_t)
  fs_read_tmpfs_files(readahead_t)
  fs_read_tmpfs_symlinks(readahead_t)
  fs_list_inotifyfs(readahead_t)
@@ -2987,10 +2989,10 @@ index e51e7f5..8e0405f 100644
 +')
 diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
 new file mode 100644
-index 0000000..09f0673
+index 0000000..4540090
 --- /dev/null
 +++ b/policy/modules/apps/execmem.fc
-@@ -0,0 +1,49 @@
+@@ -0,0 +1,50 @@
 +
 +/usr/bin/aticonfig	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/darcs 		--	gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -3040,6 +3042,7 @@ index 0000000..09f0673
 +/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
 +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
 +/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/local/Wolfram/Mathematica(/.*)?MathKernel	  -- gen_context(system_u:object_r:execmem_exec_t,s0)
 diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
 new file mode 100644
 index 0000000..1bc60f7
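Review bot: The new MathKernel entry has no `/` between `(/.*)?` and `MathKernel`, so it matches any regular file whose path starts with `/usr/local/Wolfram/Mathematica` and ends in `MathKernel` (a constructed example: a file named `fooMathKernel` somewhere in that tree), not only the binary called `MathKernel`. The label is `execmem_exec_t`, so a looser match gives that label to more files than intended. Writing it as `/usr/local/Wolfram/Mathematica(/.*)?/MathKernel	--	gen_context(system_u:object_r:execmem_exec_t,s0)` anchors the file name.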
@@ -3358,10 +3361,10 @@ index 00a19e3..55075f9 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..8df829d 100644
+index f5afe78..b1b6bf6 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
-@@ -1,43 +1,524 @@
+@@ -1,43 +1,523 @@
  ## <summary>GNU network object model environment (GNOME)</summary>
  
 -############################################################
@@ -3431,11 +3434,10 @@ index f5afe78..8df829d 100644
 +        ')
 +
 +	type $1_gkeyringd_t, gnome_domain, gkeyringd_domain;
-+	typealias $1_gkeyringd_t alias gkeyrind_$1_t;
++	typealias $1_gkeyringd_t alias gkeyringd_$1_t;
 +	application_domain($1_gkeyringd_t, gkeyringd_exec_t)
 +	ubac_constrained($1_gkeyringd_t)
 +	domain_user_exemption_target($1_gkeyringd_t)
-+	permissive $1_gkeyringd_t;
 +
 +	role $2 types $1_gkeyringd_t;
 +
@@ -3904,7 +3906,7 @@ index f5afe78..8df829d 100644
  ##	in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -56,27 +537,26 @@ interface(`gnome_exec_gconf',`
+@@ -56,27 +536,26 @@ interface(`gnome_exec_gconf',`
  
  ########################################
  ## <summary>
@@ -3940,7 +3942,7 @@ index f5afe78..8df829d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +564,43 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +563,43 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -3995,7 +3997,7 @@ index f5afe78..8df829d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,12 +608,13 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,12 +607,13 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -4012,7 +4014,7 @@ index f5afe78..8df829d 100644
  ')
  
  ########################################
-@@ -151,40 +638,328 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +637,328 @@ interface(`gnome_setattr_config_dirs',`
  
  ########################################
  ## <summary>
@@ -7980,10 +7982,10 @@ index 0000000..0fedd57
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..26d0f56
+index 0000000..4f96196
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,476 @@
+@@ -0,0 +1,475 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -8182,7 +8184,7 @@ index 0000000..26d0f56
 +domain_dontaudit_read_all_domains_state(sandbox_x_domain)
 +
 +files_search_home(sandbox_x_domain)
-+files_dontaudit_list_tmp(sandbox_x_domain)
++files_dontaudit_list_all_mountpoints(sandbox_x_domain)
 +
 +kernel_getattr_proc(sandbox_x_domain)
 +kernel_read_network_state(sandbox_x_domain)
@@ -8381,7 +8383,6 @@ index 0000000..26d0f56
 +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
 +
 +files_dontaudit_getattr_all_dirs(sandbox_web_type)
-+files_dontaudit_list_mnt(sandbox_web_type)
 +
 +fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
 +fs_dontaudit_getattr_all_fs(sandbox_web_type)
@@ -9853,7 +9854,7 @@ index 5a07a43..99c7564 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..6346e86 100644
+index 0757523..47f11a4 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -9952,7 +9953,7 @@ index 0757523..6346e86 100644
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -126,43 +150,57 @@ network_port(iscsi, tcp,3260,s0)
+@@ -126,43 +150,58 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -9995,6 +9996,7 @@ index 0757523..6346e86 100644
 +network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
  network_port(ocsp, tcp,9080,s0)
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
++network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0)
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
  network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
@@ -10016,7 +10018,7 @@ index 0757523..6346e86 100644
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pulseaudio, tcp,4713,s0)
-@@ -177,24 +215,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -177,24 +216,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -10050,7 +10052,7 @@ index 0757523..6346e86 100644
  network_port(syslogd, udp,514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
-@@ -205,16 +248,17 @@ network_port(transproxy, tcp,8081,s0)
+@@ -205,16 +249,17 @@ network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -10071,7 +10073,7 @@ index 0757523..6346e86 100644
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
-@@ -276,5 +320,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
+@@ -276,5 +321,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
  allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
  
  # Bind to any network address.
@@ -10079,10 +10081,18 @@ index 0757523..6346e86 100644
 +allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
  allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 6cf8784..286aec1 100644
+index 6cf8784..5b25039 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
-@@ -187,8 +187,6 @@ ifdef(`distro_suse', `
+@@ -20,6 +20,7 @@
+ /dev/controlD64		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/crash		-c	gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
+ /dev/dahdi/.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
++/dev/dlm.*		-c	gen_context(system_u:object_r:dlm_control_device_t,s0)
+ /dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+@@ -187,8 +188,6 @@ ifdef(`distro_suse', `
  /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
  
@@ -10091,7 +10101,7 @@ index 6cf8784..286aec1 100644
  ifdef(`distro_redhat',`
  # originally from named.fc
  /var/named/chroot/dev	-d	gen_context(system_u:object_r:device_t,s0)
-@@ -196,3 +194,8 @@ ifdef(`distro_redhat',`
+@@ -196,3 +195,8 @@ ifdef(`distro_redhat',`
  /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
  /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
  ')
@@ -10861,7 +10871,7 @@ index 16108f6..0f1470f 100644
 +
 +/usr/lib/debug(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 958ca84..32a3f1d 100644
+index 958ca84..a595aa7 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -11546,7 +11556,7 @@ index 958ca84..32a3f1d 100644
  ##	Read and write files in the /var directory.
  ## </summary>
  ## <param name="domain">
-@@ -5071,6 +5538,24 @@ interface(`files_manage_mounttab',`
+@@ -5071,6 +5538,25 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -11563,6 +11573,7 @@ index 958ca84..32a3f1d 100644
 +		type var_t, var_lock_t;
 +	')
 +
++	files_search_pids($1)
 +	list_dirs_pattern($1, var_t, var_lock_t)
 +')
 +
@@ -11571,7 +11582,58 @@ index 958ca84..32a3f1d 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5156,12 +5641,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5084,6 +5570,7 @@ interface(`files_search_locks',`
+ 		type var_t, var_lock_t;
+ 	')
+ 
++	files_search_pids($1)
+ 	search_dirs_pattern($1, var_t, var_lock_t)
+ ')
+ 
+@@ -5108,6 +5595,26 @@ interface(`files_dontaudit_search_locks',`
+ 
+ ########################################
+ ## <summary>
++##	create a directory in the /var/lock
++##	directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_create_lock_dirs',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++        allow $1 var_t:dir search_dir_perms;
++        allow $1 var_lock_t:dir create_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Add and remove entries in the /var/lock
+ ##	directories.
+ ## </summary>
+@@ -5122,6 +5629,7 @@ interface(`files_rw_lock_dirs',`
+ 		type var_t, var_lock_t;
+ 	')
+ 
++	files_search_pids($1)
+ 	rw_dirs_pattern($1, var_t, var_lock_t)
+ ')
+ 
+@@ -5142,6 +5650,7 @@ interface(`files_getattr_generic_locks',`
+ 
+ 	allow $1 var_t:dir search_dir_perms;
+ 	allow $1 var_lock_t:dir list_dir_perms;
++	files_search_pids($1)
+ 	getattr_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+ 
+@@ -5156,12 +5665,13 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
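Review bot: `files_create_lock_dirs`, added in this hunk, is the only lock interface here that does not call `files_search_pids($1)`; `files_search_locks`, `files_rw_lock_dirs` and `files_getattr_generic_locks` all gain it in the same hunk. With /var/lock moving under /run, as the commit description says, a caller of the new interface presumably cannot reach the directory it is allowed to create in. Add `files_search_pids($1)` ahead of the two `allow` lines, and indent those lines with tabs like the surrounding interfaces.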
@@ -11584,11 +11646,20 @@ index 958ca84..32a3f1d 100644
 -	allow $1 var_t:dir search_dir_perms;
 -	delete_files_pattern($1, var_lock_t, var_lock_t)
 +       allow $1 var_t:dir search_dir_perms;
++       files_search_pids($1)
 +       delete_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
  ########################################
-@@ -5207,6 +5692,27 @@ interface(`files_delete_all_locks',`
+@@ -5181,6 +5691,7 @@ interface(`files_manage_generic_locks',`
+ 	')
+ 
+ 	allow $1 var_t:dir search_dir_perms;
++	files_search_pids($1)
+ 	manage_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+ 
+@@ -5207,6 +5718,27 @@ interface(`files_delete_all_locks',`
  
  ########################################
  ## <summary>
@@ -11616,7 +11687,31 @@ index 958ca84..32a3f1d 100644
  ##	Read all lock files.
  ## </summary>
  ## <param name="domain">
-@@ -5335,6 +5841,43 @@ interface(`files_search_pids',`
+@@ -5224,6 +5756,7 @@ interface(`files_read_all_locks',`
+ 	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ 	allow $1 lockfile:dir list_dir_perms;
+ 	read_files_pattern($1, lockfile, lockfile)
++	files_search_pids($1)
+ 	read_lnk_files_pattern($1, lockfile, lockfile)
+ ')
+ 
+@@ -5244,6 +5777,7 @@ interface(`files_manage_all_locks',`
+ 	')
+ 
+ 	allow $1 { var_t var_lock_t }:dir search_dir_perms;
++	files_search_pids($1)
+ 	manage_dirs_pattern($1, lockfile, lockfile)
+ 	manage_files_pattern($1, lockfile, lockfile)
+ 	manage_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5276,6 +5810,7 @@ interface(`files_lock_filetrans',`
+ 	')
+ 
+ 	allow $1 var_t:dir search_dir_perms;
++	files_search_pids($1)
+ 	filetrans_pattern($1, var_lock_t, $2, $3)
+ ')
+ 
+@@ -5335,6 +5870,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -11660,7 +11755,7 @@ index 958ca84..32a3f1d 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5542,6 +6085,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5542,6 +6114,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -11723,7 +11818,7 @@ index 958ca84..32a3f1d 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5559,6 +6158,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6187,44 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -11768,7 +11863,7 @@ index 958ca84..32a3f1d 100644
  ')
  
  ########################################
-@@ -5844,3 +6481,284 @@ interface(`files_unconfined',`
+@@ -5844,3 +6510,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -12054,7 +12149,7 @@ index 958ca84..32a3f1d 100644
 +	dontaudit $1 file_type:dir_file_class_set write;
 +')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 6e01635..212a736 100644
+index 6e01635..207d34a 100644
 --- a/policy/modules/kernel/files.te
 +++ b/policy/modules/kernel/files.te
 @@ -11,6 +11,7 @@ attribute lockfile;
@@ -12088,6 +12183,14 @@ index 6e01635..212a736 100644
  files_type(etc_runtime_t)
  #Temporarily in policy until FC5 dissappears
  typealias etc_runtime_t alias firstboot_rw_t;
+@@ -167,6 +177,7 @@ files_mountpoint(var_lib_t)
+ #
+ type var_lock_t;
+ files_lock_file(var_lock_t)
++files_mountpoint(var_lock_t)
+ 
+ #
+ # var_run_t is the type of /var/run, usually
 diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
 index 59bae6a..2e55e71 100644
 --- a/policy/modules/kernel/filesystem.fc
@@ -13613,7 +13716,7 @@ index be4de58..cce681a 100644
  ########################################
  #
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..093b48d 100644
+index 2be17d2..9440b5f 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,48 @@ policy_module(staff, 2.2.0)
@@ -13665,7 +13768,7 @@ index 2be17d2..093b48d 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -27,25 +63,137 @@ optional_policy(`
+@@ -27,25 +63,138 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13688,6 +13791,7 @@ index 2be17d2..093b48d 100644
 +optional_policy(`
 +	gnome_role(staff_r, staff_t)
 +	gnome_role_gkeyringd(staff, staff_r, staff_t)
++	permissive staff_gkeyringd_t;
 +')
 +
 +optional_policy(`
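Review bot: `permissive staff_gkeyringd_t;` in the gnome optional block leaves the staff keyring daemon domain unenforced, so its denials are only logged. The statement appears to have been moved here from the `gnome_role_gkeyringd` template, where an earlier hunk of this patch removes `permissive $1_gkeyringd_t;`. That narrows it to staff, but nothing records that it is meant to be temporary. A comment above it such as `# FIXME: drop once staff_gkeyringd_t denials are sorted out` would keep it from shipping unnoticed.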
@@ -13805,7 +13909,7 @@ index 2be17d2..093b48d 100644
  
  optional_policy(`
  	vlock_run(staff_t, staff_r)
-@@ -89,10 +237,6 @@ ifndef(`distro_redhat',`
+@@ -89,10 +238,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -13816,7 +13920,7 @@ index 2be17d2..093b48d 100644
  		gpg_role(staff_r, staff_t)
  	')
  
-@@ -137,10 +281,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +282,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -13827,7 +13931,7 @@ index 2be17d2..093b48d 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -172,3 +312,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +313,7 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -15801,7 +15905,7 @@ index 0b827c5..9a82e8d 100644
  	admin_pattern($1, abrt_tmp_t)
  ')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..d3996c8 100644
+index 30861ec..de61315 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0)
@@ -15819,9 +15923,12 @@ index 30861ec..d3996c8 100644
  type abrt_t;
  type abrt_exec_t;
  init_daemon_domain(abrt_t, abrt_exec_t)
-@@ -50,7 +58,7 @@ ifdef(`enable_mcs',`
+@@ -48,9 +56,9 @@ ifdef(`enable_mcs',`
+ # abrt local policy
+ #
  
- allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
+-allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
++allow abrt_t self:capability { fowner chown kill setuid setgid sys_nice dac_override };
  dontaudit abrt_t self:capability sys_rawio;
 -allow abrt_t self:process { signal signull setsched getsched };
 +allow abrt_t self:process { sigkill signal signull setsched getsched };
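Review bot: The capability set for `abrt_t` now includes `fowner` alongside `chown`, `setuid`, `setgid` and `dac_override`, and nothing in the hunk says which operation needs it. abrt processes data that comes from crashed programs, so each added capability is worth justifying in place. A comment above the rule, for example `# fowner: <operation that needs it>`, would let a later reviewer check whether the capability is still required.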
@@ -18350,7 +18457,7 @@ index 8b8143e..c1a2b96 100644
  
  	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
 diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
-index b3b0176..99f98ff 100644
+index b3b0176..51cb893 100644
 --- a/policy/modules/services/asterisk.te
 +++ b/policy/modules/services/asterisk.te
 @@ -76,10 +76,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
@@ -18366,11 +18473,12 @@ index b3b0176..99f98ff 100644
  
  kernel_read_system_state(asterisk_t)
  kernel_read_kernel_sysctls(asterisk_t)
-@@ -108,6 +109,7 @@ corenet_tcp_bind_generic_port(asterisk_t)
+@@ -108,6 +109,8 @@ corenet_tcp_bind_generic_port(asterisk_t)
  corenet_udp_bind_generic_port(asterisk_t)
  corenet_dontaudit_udp_bind_all_ports(asterisk_t)
  corenet_sendrecv_generic_server_packets(asterisk_t)
 +corenet_tcp_connect_festival_port(asterisk_t)
++corenet_tcp_connect_pktcable_port(asterisk_t)
  corenet_tcp_connect_postgresql_port(asterisk_t)
  corenet_tcp_connect_snmp_port(asterisk_t)
  corenet_tcp_connect_sip_port(asterisk_t)
@@ -18569,10 +18677,10 @@ index 44a1e3d..7e9d2fb 100644
  	files_list_pids($1)
  	admin_pattern($1, named_var_run_t)
 diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index 4deca04..42aa033 100644
+index 4deca04..a2bf2dc 100644
 --- a/policy/modules/services/bind.te
 +++ b/policy/modules/services/bind.te
-@@ -6,10 +6,10 @@ policy_module(bind, 1.11.0)
+@@ -6,10 +6,17 @@ policy_module(bind, 1.11.0)
  #
  
  ## <desc>
@@ -18580,6 +18688,13 @@ index 4deca04..42aa033 100644
 -## Allow BIND to write the master zone files.
 -## Generally this is used for dynamic DNS or zone transfers.
 -## </p>
++##  <p>
++##  Allow BIND to bind apache port.
++##  </p>
++## </desc>
++gen_tunable(named_bind_http_port, false)
++
++## <desc>
 +##	<p>
 +##	Allow BIND to write the master zone files.
 +##	Generally this is used for dynamic DNS or zone transfers.
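Review bot: The description of the new `named_bind_http_port` tunable, `Allow BIND to bind apache port.`, does not say which BIND feature needs it. It also does not say that the rule it guards, `corenet_tcp_bind_http_port(named_t)` in the later bind.te hunk, presumably covers every port labelled as an HTTP port rather than a single port. Because the default is `false`, an administrator decides from this text alone whether to turn it on. Wording such as `Allow BIND to bind to the ports labelled http_port_t (needed for <feature>).` would be clearer.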
@@ -18587,7 +18702,7 @@ index 4deca04..42aa033 100644
  ## </desc>
  gen_tunable(named_write_master_zones, false)
  
-@@ -27,7 +27,7 @@ init_system_domain(named_t, named_checkconf_exec_t)
+@@ -27,7 +34,7 @@ init_system_domain(named_t, named_checkconf_exec_t)
  
  # A type for configuration files of named.
  type named_conf_t;
@@ -18596,7 +18711,7 @@ index 4deca04..42aa033 100644
  files_mountpoint(named_conf_t)
  
  # for secondary zone files
-@@ -89,9 +89,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+@@ -89,9 +96,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
  manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
  files_tmp_filetrans(named_t, named_tmp_t, { file dir })
  
@@ -18608,7 +18723,18 @@ index 4deca04..42aa033 100644
  
  # read zone files
  allow named_t named_zone_t:dir list_dir_perms;
-@@ -201,12 +202,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
+@@ -147,6 +155,10 @@ miscfiles_read_generic_certs(named_t)
+ userdom_dontaudit_use_unpriv_user_fds(named_t)
+ userdom_dontaudit_search_user_home_dirs(named_t)
+ 
++tunable_policy(`named_bind_http_port',`
++	corenet_tcp_bind_http_port(named_t)
++')
++
+ tunable_policy(`named_write_master_zones',`
+ 	manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
+ 	manage_files_pattern(named_t, named_zone_t, named_zone_t)
+@@ -201,12 +213,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
  allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
  
  allow ndc_t dnssec_t:file read_file_perms;
@@ -18623,7 +18749,7 @@ index 4deca04..42aa033 100644
  
  allow ndc_t named_zone_t:dir search_dir_perms;
  
-@@ -244,7 +245,7 @@ term_dontaudit_use_console(ndc_t)
+@@ -244,7 +256,7 @@ term_dontaudit_use_console(ndc_t)
  
  # for /etc/rndc.key
  ifdef(`distro_redhat',`
@@ -37051,7 +37177,7 @@ index 7dc38d1..9c2c963 100644
 +	admin_pattern($1, rgmanager_var_run_t)
 +')
 diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..1ef4cc6 100644
+index 00fa514..56ecadc 100644
 --- a/policy/modules/services/rgmanager.te
 +++ b/policy/modules/services/rgmanager.te
 @@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0)
@@ -37136,16 +37262,16 @@ index 00fa514..1ef4cc6 100644
  
  # needed by resources scripts
  auth_read_all_files_except_shadow(rgmanager_t)
-@@ -100,8 +108,6 @@ logging_send_syslog_msg(rgmanager_t)
+@@ -100,7 +108,7 @@ logging_send_syslog_msg(rgmanager_t)
  
  miscfiles_read_localization(rgmanager_t)
  
 -mount_domtrans(rgmanager_t)
--
++userdom_kill_all_users(rgmanager_t)
+ 
  tunable_policy(`rgmanager_can_network_connect',`
  	corenet_tcp_connect_all_ports(rgmanager_t)
- ')
-@@ -118,6 +124,14 @@ optional_policy(`
+@@ -118,6 +126,14 @@ optional_policy(`
  ')
  
  optional_policy(`
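Review bot: `userdom_kill_all_users(rgmanager_t)` is added unconditionally, while the network access directly below it sits behind the `rgmanager_can_network_connect` tunable. Sending the kill signal to every user domain is a broad grant for a cluster service, and the hunk has no comment on which rgmanager action requires it. Add a one-line comment above the call naming that action, and consider whether the call belongs in a tunable or `optional_policy` block like its neighbours.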
@@ -37160,7 +37286,7 @@ index 00fa514..1ef4cc6 100644
  	fstools_domtrans(rgmanager_t)
  ')
  
-@@ -140,6 +154,15 @@ optional_policy(`
+@@ -140,6 +156,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38062,7 +38188,7 @@ index 63e78c6..ffa4f37 100644
  ## </param>
  #
 diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
-index 779fa44..cdfebe3 100644
+index 779fa44..13556c1 100644
 --- a/policy/modules/services/rlogin.te
 +++ b/policy/modules/services/rlogin.te
 @@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
@@ -38091,15 +38217,18 @@ index 779fa44..cdfebe3 100644
  
  manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
  files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
-@@ -71,6 +69,7 @@ fs_search_auto_mountpoints(rlogind_t)
+@@ -69,8 +67,10 @@ fs_getattr_xattr_fs(rlogind_t)
+ fs_search_auto_mountpoints(rlogind_t)
+ 
  auth_domtrans_chk_passwd(rlogind_t)
++auth_signal_chk_passwd(rlogind_t)
  auth_rw_login_records(rlogind_t)
  auth_use_nsswitch(rlogind_t)
 +auth_login_pgm_domain(rlogind_t)
  
  files_read_etc_files(rlogind_t)
  files_read_etc_runtime_files(rlogind_t)
-@@ -88,9 +87,9 @@ seutil_read_config(rlogind_t)
+@@ -88,9 +88,9 @@ seutil_read_config(rlogind_t)
  userdom_setattr_user_ptys(rlogind_t)
  # cjp: this is egregious
  userdom_read_user_home_content_files(rlogind_t)
@@ -38112,7 +38241,7 @@ index 779fa44..cdfebe3 100644
  
  rlogin_read_home_content(rlogind_t)
  
-@@ -112,5 +111,10 @@ optional_policy(`
+@@ -112,5 +112,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38624,7 +38753,7 @@ index 39015ae..5e7b7cf 100644
 +
  auth_can_read_shadow_passwords(rsync_t)
 diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if
-index 46dad1f..d632bc0 100644
+index 46dad1f..6586da0 100644
 --- a/policy/modules/services/rtkit.if
 +++ b/policy/modules/services/rtkit.if
 @@ -5,9 +5,9 @@
@@ -38639,7 +38768,7 @@ index 46dad1f..d632bc0 100644
  ## </param>
  #
  interface(`rtkit_daemon_domtrans',`
-@@ -41,6 +41,27 @@ interface(`rtkit_daemon_dbus_chat',`
+@@ -41,6 +41,28 @@ interface(`rtkit_daemon_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -38660,6 +38789,7 @@ index 46dad1f..d632bc0 100644
 +
 +	dontaudit $1 rtkit_daemon_t:dbus send_msg;
 +	dontaudit rtkit_daemon_t $1:dbus send_msg;
++	dontaudit rtkit_daemon_t $1:process { getsched setsched };
 +')
 +
 +########################################
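Review bot: The added `dontaudit rtkit_daemon_t $1:process { getsched setsched };` sits in an interface whose other visible rules only silence D-Bus `send_msg` denials. Callers that wanted quiet D-Bus logs now also lose audit records for rtkit's scheduling attempts on them. The interface header is outside this hunk, so its name and summary cannot be checked here. If they speak only of D-Bus, extend the summary to mention the process permissions or move the rule into its own dontaudit interface.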
@@ -38667,7 +38797,7 @@ index 46dad1f..d632bc0 100644
  ##	Allow rtkit to control scheduling for your process
  ## </summary>
  ## <param name="domain">
-@@ -54,6 +75,7 @@ interface(`rtkit_scheduled',`
+@@ -54,6 +76,7 @@ interface(`rtkit_scheduled',`
  		type rtkit_daemon_t;
  	')
  
@@ -40960,7 +41090,7 @@ index 22adaca..d9913e0 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..92e24a9 100644
+index 2dad3c8..503a845 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -41055,11 +41185,13 @@ index 2dad3c8..92e24a9 100644
  manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -113,20 +114,23 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -113,20 +114,25 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
  manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
  manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
 +userdom_stream_connect(ssh_t)
++userdom_search_admin_dir(sshd_t)
++userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
  
  # Allow the ssh program to communicate with ssh-agent.
  stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
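Review bot: `userdom_search_admin_dir(sshd_t)` is added here among the `ssh_t` client rules, right above `userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })`, but it names `sshd_t`. A later hunk removes the same call from the sshd_t section and another adds `userdom_search_admin_dir(ssh_t)`, so this looks like the sshd_t rule landing in the wrong block rather than a new grant. Keeping `userdom_search_admin_dir(sshd_t)` in the sshd_t local policy would make the daemon's access to the admin home directory easy to find when auditing.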
@@ -41082,7 +41214,7 @@ index 2dad3c8..92e24a9 100644
  
  kernel_read_kernel_sysctls(ssh_t)
  kernel_read_system_state(ssh_t)
-@@ -138,6 +142,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
+@@ -138,6 +144,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -41091,7 +41223,7 @@ index 2dad3c8..92e24a9 100644
  
  dev_read_urand(ssh_t)
  
-@@ -162,6 +168,7 @@ logging_read_generic_logs(ssh_t)
+@@ -162,21 +170,28 @@ logging_read_generic_logs(ssh_t)
  auth_use_nsswitch(ssh_t)
  
  miscfiles_read_localization(ssh_t)
@@ -41099,8 +41231,9 @@ index 2dad3c8..92e24a9 100644
  
  seutil_read_config(ssh_t)
  
-@@ -169,14 +176,19 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
+ userdom_dontaudit_list_user_home_dirs(ssh_t)
  userdom_search_user_home_dirs(ssh_t)
++userdom_search_admin_dir(ssh_t)
  # Write to the user domain tty.
  userdom_use_user_terminals(ssh_t)
 -# needs to read krb tgt
@@ -41124,7 +41257,7 @@ index 2dad3c8..92e24a9 100644
  ')
  
  tunable_policy(`use_nfs_home_dirs',`
-@@ -196,10 +208,15 @@ tunable_policy(`user_tcp_server',`
+@@ -196,10 +211,15 @@ tunable_policy(`user_tcp_server',`
  ')
  
  optional_policy(`
@@ -41140,7 +41273,7 @@ index 2dad3c8..92e24a9 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,7 +226,7 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,7 +229,7 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -41149,7 +41282,7 @@ index 2dad3c8..92e24a9 100644
  
  	dev_read_urand(ssh_keysign_t)
  
-@@ -232,33 +249,43 @@ optional_policy(`
+@@ -232,33 +252,42 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -41175,7 +41308,6 @@ index 2dad3c8..92e24a9 100644
  
 +userdom_read_user_home_content_files(sshd_t)
 +userdom_read_user_home_content_symlinks(sshd_t)
-+userdom_search_admin_dir(sshd_t)
 +userdom_manage_tmp_role(system_r, sshd_t)
 +userdom_spec_domtrans_unpriv_users(sshd_t)
 +userdom_signal_unpriv_users(sshd_t)
@@ -41202,7 +41334,7 @@ index 2dad3c8..92e24a9 100644
  ')
  
  optional_policy(`
-@@ -266,11 +293,24 @@ optional_policy(`
+@@ -266,11 +295,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41228,7 +41360,7 @@ index 2dad3c8..92e24a9 100644
  ')
  
  optional_policy(`
-@@ -284,6 +324,11 @@ optional_policy(`
+@@ -284,6 +326,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41240,7 +41372,7 @@ index 2dad3c8..92e24a9 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +337,26 @@ optional_policy(`
+@@ -292,26 +339,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -41286,7 +41418,7 @@ index 2dad3c8..92e24a9 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,14 +367,18 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,14 +369,18 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -41306,7 +41438,7 @@ index 2dad3c8..92e24a9 100644
  kernel_read_kernel_sysctls(ssh_keygen_t)
  
  fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -353,7 +402,7 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -353,7 +404,7 @@ logging_send_syslog_msg(ssh_keygen_t)
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
  
  optional_policy(`
@@ -46533,7 +46665,7 @@ index 2952cef..d845132 100644
  /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 42b4f0f..bd258e2 100644
+index 42b4f0f..3c1892d 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -46679,15 +46811,33 @@ index 42b4f0f..bd258e2 100644
  ')
  
  ########################################
-@@ -418,6 +475,7 @@ interface(`auth_run_chk_passwd',`
+@@ -418,6 +475,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
 +	auth_run_upd_passwd($1, $2)
++')
++
++########################################
++## <summary>
++##	Send generic signals to chkpwd processes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`auth_signal_chk_passwd',`
++	gen_require(`
++		type chkpwd_t;
++	')
++
++	allow $1 chkpwd_t:process signal;
  ')
  
  ########################################
-@@ -694,7 +752,7 @@ interface(`auth_relabel_shadow',`
+@@ -694,7 +770,7 @@ interface(`auth_relabel_shadow',`
  	')
  
  	files_search_etc($1)
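Review bot: The new `auth_signal_chk_passwd` interface grants `chkpwd_t:process signal`, which covers generic signals but not SIGKILL; that is the separate `sigkill` permission. The commit description says rlogind sends the kill signal to chkpwd_t. If the denial that motivated this was for `sigkill`, this rule will not clear it. If it was for `signal`, the interface and its summary ("Send generic signals") are right and only the description is loose. The caller is not visible in this hunk, so this is worth confirming against the original AVC.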
@@ -46696,7 +46846,7 @@ index 42b4f0f..bd258e2 100644
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
  
-@@ -736,6 +794,46 @@ interface(`auth_rw_faillog',`
+@@ -736,6 +812,46 @@ interface(`auth_rw_faillog',`
  	allow $1 faillog_t:file rw_file_perms;
  ')
  
@@ -46743,7 +46893,7 @@ index 42b4f0f..bd258e2 100644
  #######################################
  ## <summary>
  ##	Read the last logins log.
-@@ -874,6 +972,46 @@ interface(`auth_exec_pam',`
+@@ -874,6 +990,46 @@ interface(`auth_exec_pam',`
  
  ########################################
  ## <summary>
@@ -46790,7 +46940,7 @@ index 42b4f0f..bd258e2 100644
  ##	Manage var auth files. Used by various other applications
  ##	and pam applets etc.
  ## </summary>
-@@ -896,6 +1034,26 @@ interface(`auth_manage_var_auth',`
+@@ -896,6 +1052,26 @@ interface(`auth_manage_var_auth',`
  
  ########################################
  ## <summary>
@@ -46817,7 +46967,7 @@ index 42b4f0f..bd258e2 100644
  ##	Read PAM PID files.
  ## </summary>
  ## <param name="domain">
-@@ -1093,6 +1251,24 @@ interface(`auth_delete_pam_console_data',`
+@@ -1093,6 +1269,24 @@ interface(`auth_delete_pam_console_data',`
  
  ########################################
  ## <summary>
@@ -46842,7 +46992,7 @@ index 42b4f0f..bd258e2 100644
  ##	Read all directories on the filesystem, except
  ##	the shadow passwords and listed exceptions.
  ## </summary>
-@@ -1326,6 +1502,25 @@ interface(`auth_setattr_login_records',`
+@@ -1326,6 +1520,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -46868,7 +47018,7 @@ index 42b4f0f..bd258e2 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1500,28 +1695,36 @@ interface(`auth_manage_login_records',`
+@@ -1500,28 +1713,36 @@ interface(`auth_manage_login_records',`
  #
  interface(`auth_use_nsswitch',`
  
@@ -46912,7 +47062,7 @@ index 42b4f0f..bd258e2 100644
  	optional_policy(`
  		kerberos_use($1)
  	')
-@@ -1531,7 +1734,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1752,15 @@ interface(`auth_use_nsswitch',`
  	')
  
  	optional_policy(`
@@ -47186,7 +47336,7 @@ index a97a096..ab1e16a 100644
  /usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /usr/bin/scsi_unique_id	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index a442acc..8cc63f7 100644
+index a442acc..f7dcebe 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
 @@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
@@ -47237,7 +47387,7 @@ index a442acc..8cc63f7 100644
  # Recreate /mnt/cdrom.
  files_manage_mnt_dirs(fsadm_t)
  # for tune2fs
-@@ -130,6 +138,7 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -130,10 +138,12 @@ storage_raw_write_fixed_disk(fsadm_t)
  storage_raw_read_removable_device(fsadm_t)
  storage_raw_write_removable_device(fsadm_t)
  storage_read_scsi_generic(fsadm_t)
@@ -47245,7 +47395,12 @@ index a442acc..8cc63f7 100644
  storage_swapon_fixed_disk(fsadm_t)
  
  term_use_console(fsadm_t)
-@@ -142,12 +151,9 @@ logging_send_syslog_msg(fsadm_t)
+ 
++init_read_state(fsadm_t)
+ init_use_fds(fsadm_t)
+ init_use_script_ptys(fsadm_t)
+ init_dontaudit_getattr_initctl(fsadm_t)
+@@ -142,12 +152,9 @@ logging_send_syslog_msg(fsadm_t)
  
  miscfiles_read_localization(fsadm_t)
  
@@ -47259,7 +47414,7 @@ index a442acc..8cc63f7 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -166,6 +172,24 @@ optional_policy(`
+@@ -166,6 +173,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47284,7 +47439,7 @@ index a442acc..8cc63f7 100644
  	nis_use_ypbind(fsadm_t)
  ')
  
-@@ -175,6 +199,14 @@ optional_policy(`
+@@ -175,6 +200,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47369,7 +47524,7 @@ index 882c6a2..d0ff4ec 100644
  ')
  
 diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 354ce93..f7cda1c 100644
+index 354ce93..f97fbb7 100644
 --- a/policy/modules/system/init.fc
 +++ b/policy/modules/system/init.fc
 @@ -33,6 +33,19 @@ ifdef(`distro_gentoo', `
@@ -47402,8 +47557,13 @@ index 354ce93..f7cda1c 100644
  
  #
  # /var
+@@ -76,3 +92,4 @@ ifdef(`distro_suse', `
+ /var/run/setleds-on	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+ /var/run/sysconfig(/.*)?	gen_context(system_u:object_r:initrc_var_run_t,s0)
+ ')
++/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..84c0fb7 100644
+index cc83689..05b4982 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,41 @@ interface(`init_script_domain',`
@@ -47611,10 +47771,20 @@ index cc83689..84c0fb7 100644
  		mls_rangetrans_target($1)
  	')
  ')
-@@ -525,6 +636,24 @@ interface(`init_stream_connect',`
- 	allow $1 init_t:unix_stream_socket connectto;
- ')
+@@ -519,10 +630,30 @@ interface(`init_sigchld',`
+ #
+ interface(`init_stream_connect',`
+ 	gen_require(`
+-		type init_t;
++		type init_t, init_var_run_t;
+ 	')
  
+-	allow $1 init_t:unix_stream_socket connectto;
++	files_search_pids($1)
++        stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)    
++
++')
++
 +#######################################
 +## <summary>
 +##  Dontaudit Connect to init with a unix socket.
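Review bot: `init_stream_connect` now expands to `stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)`, which is a wider grant than the single `connectto` rule it replaces. As that macro is defined in the reference policy, every existing caller also gains search on init_var_run_t directories and write on init_var_run_t socket files. The interface summary lies outside this hunk and is not updated to say the connection now goes through a socket file under the pid directory. It is worth checking that each current caller is meant to reach that socket. The new `stream_connect_pattern` line is also indented with spaces and has trailing whitespace, while the neighbouring lines use a tab.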
@@ -47631,12 +47801,10 @@ index cc83689..84c0fb7 100644
 +    ')
 +
 +    dontaudit $1 init_t:unix_stream_socket connectto;
-+')
-+
+ ')
+ 
  ########################################
- ## <summary>
- ##	Inherit and use file descriptors from init.
-@@ -688,19 +817,24 @@ interface(`init_telinit',`
+@@ -688,19 +819,24 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -47662,7 +47830,7 @@ index cc83689..84c0fb7 100644
  	')
  ')
  
-@@ -773,18 +907,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +909,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -47686,7 +47854,7 @@ index cc83689..84c0fb7 100644
  	')
  ')
  
-@@ -800,19 +935,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,23 +937,45 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -47709,11 +47877,11 @@ index cc83689..84c0fb7 100644
  	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+	')
-+')
-+
-+########################################
-+## <summary>
+ 	')
+ ')
+ 
+ ########################################
+ ## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@@ -47726,13 +47894,17 @@ index cc83689..84c0fb7 100644
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
- 	')
++	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
- ')
- 
- ########################################
-@@ -868,9 +1025,14 @@ interface(`init_script_file_domtrans',`
++')
++
++########################################
++## <summary>
+ ##	Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
+@@ -868,9 +1027,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -47747,7 +47919,7 @@ index cc83689..84c0fb7 100644
  	files_search_etc($1)
  ')
  
-@@ -1079,6 +1241,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1243,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -47772,7 +47944,7 @@ index cc83689..84c0fb7 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1130,12 +1310,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1312,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -47786,7 +47958,7 @@ index cc83689..84c0fb7 100644
  ')
  
  ########################################
-@@ -1375,6 +1550,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1552,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -47814,7 +47986,7 @@ index cc83689..84c0fb7 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1461,6 +1657,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1659,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -47840,7 +48012,7 @@ index cc83689..84c0fb7 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1519,6 +1734,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1736,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -47865,7 +48037,7 @@ index cc83689..84c0fb7 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1674,7 +1907,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1909,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -47874,7 +48046,82 @@ index cc83689..84c0fb7 100644
  ')
  
  ########################################
-@@ -1749,3 +1982,120 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1715,6 +1950,74 @@ interface(`init_pid_filetrans_utmp',`
+ 	files_pid_filetrans($1, initrc_var_run_t, file)
+ ')
+ 
++######################################
++## <summary>
++##  Allow search  directory in the /run/systemd directory.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`init_search_pid_dirs',`
++    gen_require(`
++        type init_var_run_t;
++    ')
++
++    allow $1 init_var_run_t:dir list_dir_perms;
++')
++
++#######################################
++## <summary>
++##  Create a directory in the /run/systemd directory.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`init_create_pid_dirs',`
++    gen_require(`
++        type init_var_run_t;
++    ')
++
++    allow $1 init_var_run_t:dir list_dir_perms;
++    create_dirs_pattern($1, init_var_run_t, init_var_run_t)
++')
++
++#######################################
++## <summary>
++##  Create objects in /run/systemd directory
++##  with an automatic type transition to
++##  a specified private type.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++## <param name="private_type">
++##  <summary>
++##  The type of the object to create.
++##  </summary>
++## </param>
++## <param name="object_class">
++##  <summary>
++##  The class of the object to be created.
++##  </summary>
++## </param>
++#
++interface(`init_pid_filetrans',`
++    gen_require(`
++        type init_var_run_t;
++    ')
++
++    filetrans_pattern($1, init_var_run_t, $2, $3)
++	allow $1 init_var_run_t:dir search_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Allow the specified domain to connect to daemon with a tcp socket
+@@ -1749,3 +2052,120 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -47996,7 +48243,7 @@ index cc83689..84c0fb7 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..4283571 100644
+index ea29513..de61fb9 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -48071,7 +48318,7 @@ index ea29513..4283571 100644
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -100,7 +133,9 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -100,11 +133,15 @@ allow init_t self:fifo_file rw_fifo_file_perms;
  # Re-exec itself
  can_exec(init_t, init_exec_t)
  
@@ -48080,9 +48327,18 @@ index ea29513..4283571 100644
 +allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms };
 +allow initrc_t init_t:fifo_file rw_fifo_file_perms;
  
- # For /var/run/shutdown.pid.
- allow init_t init_var_run_t:file manage_file_perms;
-@@ -114,11 +149,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+-# For /var/run/shutdown.pid.
+-allow init_t init_var_run_t:file manage_file_perms;
+-files_pid_filetrans(init_t, init_var_run_t, file)
++manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t)
++manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
++manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
++manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
++files_pid_filetrans(init_t, init_var_run_t, { dir file })
+ 
+ allow init_t initctl_t:fifo_file manage_fifo_file_perms;
+ dev_filetrans(init_t, initctl_t, fifo_file)
+@@ -114,11 +151,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -48096,7 +48352,7 @@ index ea29513..4283571 100644
  # Early devtmpfs
  dev_rw_generic_chr_files(init_t)
  
-@@ -127,11 +164,16 @@ domain_kill_all_domains(init_t)
+@@ -127,11 +166,16 @@ domain_kill_all_domains(init_t)
  domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
@@ -48113,7 +48369,7 @@ index ea29513..4283571 100644
  files_manage_etc_runtime_files(init_t)
  files_etc_filetrans_etc_runtime(init_t, file)
  # Run /etc/X11/prefdm:
-@@ -151,6 +193,7 @@ mls_file_read_all_levels(init_t)
+@@ -151,6 +195,7 @@ mls_file_read_all_levels(init_t)
  mls_file_write_all_levels(init_t)
  mls_process_write_down(init_t)
  mls_fd_use_all_levels(init_t)
@@ -48121,7 +48377,7 @@ index ea29513..4283571 100644
  
  selinux_set_all_booleans(init_t)
  
-@@ -162,12 +205,15 @@ init_domtrans_script(init_t)
+@@ -162,12 +207,15 @@ init_domtrans_script(init_t)
  libs_rw_ld_so_cache(init_t)
  
  logging_send_syslog_msg(init_t)
@@ -48137,7 +48393,7 @@ index ea29513..4283571 100644
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -178,7 +224,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +226,7 @@ ifdef(`distro_redhat',`
  	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
  ')
  
@@ -48146,7 +48402,7 @@ index ea29513..4283571 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +232,106 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +234,109 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -48192,8 +48448,11 @@ index ea29513..4283571 100644
 +	files_mounton_all_mountpoints(init_t)
 +	files_unmount_all_file_type_fs(init_t)
 +	files_manage_all_pid_dirs(init_t)
++	files_relabel_all_pid_dirs(init_t)
++	files_relabel_all_pid_files(init_t)
 +	files_unlink_all_pid_sockets(init_t)
 +	files_manage_urandom_seed(init_t)
++	files_create_lock_dirs(init_t)
 +
 +	fs_manage_cgroup_dirs(init_t)
 +	fs_manage_hugetlbfs_dirs(init_t)
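Review bot: `files_relabel_all_pid_dirs(init_t)` and `files_relabel_all_pid_files(init_t)` let init_t relabel every pid-typed directory and file, which is much broader than the /run/systemd handling added elsewhere in this commit. The enclosing block starts outside the hunk, so the condition guarding these lines cannot be seen from here. A why-comment above the pair would tell an auditor what needs it, for example `# systemd relabels /run contents during the /var/run -> /run move` (wording to be confirmed by the author). If only a few known types need relabelling, a narrower interface would be preferable to the all-pid variants.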
@@ -48253,7 +48512,7 @@ index ea29513..4283571 100644
  ')
  
  optional_policy(`
-@@ -199,10 +339,25 @@ optional_policy(`
+@@ -199,10 +344,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48279,7 +48538,7 @@ index ea29513..4283571 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +367,7 @@ optional_policy(`
+@@ -212,7 +372,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -48288,11 +48547,12 @@ index ea29513..4283571 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +396,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +401,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
 +files_manage_generic_pids_symlinks(initrc_t)
++files_create_var_run_dirs(initrc_t)
  
  can_exec(initrc_t, initrc_tmp_t)
  manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
@@ -48303,7 +48563,7 @@ index ea29513..4283571 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +415,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +421,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -48340,7 +48600,7 @@ index ea29513..4283571 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +448,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +454,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -48348,7 +48608,7 @@ index ea29513..4283571 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -291,6 +461,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +467,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -48356,7 +48616,7 @@ index ea29513..4283571 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +469,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +475,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -48372,7 +48632,7 @@ index ea29513..4283571 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +487,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +493,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -48380,7 +48640,7 @@ index ea29513..4283571 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +495,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +501,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -48392,7 +48652,7 @@ index ea29513..4283571 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +514,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +520,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -48406,7 +48666,7 @@ index ea29513..4283571 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +529,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +535,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -48415,7 +48675,7 @@ index ea29513..4283571 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +543,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +549,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -48423,7 +48683,7 @@ index ea29513..4283571 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +555,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +561,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -48431,7 +48691,7 @@ index ea29513..4283571 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,13 +576,12 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +582,12 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -48447,7 +48707,7 @@ index ea29513..4283571 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -478,7 +659,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +665,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -48456,7 +48716,15 @@ index ea29513..4283571 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -524,6 +705,23 @@ ifdef(`distro_redhat',`
+@@ -493,6 +680,7 @@ ifdef(`distro_redhat',`
+ 	files_create_boot_dirs(initrc_t)
+ 	files_create_boot_flag(initrc_t)
+ 	files_rw_boot_symlinks(initrc_t)
++
+ 	# wants to read /.fonts directory
+ 	files_read_default_files(initrc_t)
+ 	files_mountpoint(initrc_tmp_t)
+@@ -524,6 +712,23 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -48480,7 +48748,7 @@ index ea29513..4283571 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +729,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +736,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -48498,7 +48766,7 @@ index ea29513..4283571 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +754,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +761,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -48538,7 +48806,7 @@ index ea29513..4283571 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +799,8 @@ optional_policy(`
+@@ -561,6 +806,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -48547,7 +48815,7 @@ index ea29513..4283571 100644
  ')
  
  optional_policy(`
-@@ -577,6 +817,7 @@ optional_policy(`
+@@ -577,6 +824,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -48555,7 +48823,7 @@ index ea29513..4283571 100644
  ')
  
  optional_policy(`
-@@ -589,6 +830,11 @@ optional_policy(`
+@@ -589,6 +837,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48567,7 +48835,7 @@ index ea29513..4283571 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +851,13 @@ optional_policy(`
+@@ -605,9 +858,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -48581,7 +48849,7 @@ index ea29513..4283571 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +899,11 @@ optional_policy(`
+@@ -649,6 +906,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48593,7 +48861,7 @@ index ea29513..4283571 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -706,7 +961,13 @@ optional_policy(`
+@@ -706,7 +968,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48607,7 +48875,7 @@ index ea29513..4283571 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +990,10 @@ optional_policy(`
+@@ -729,6 +997,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48618,7 +48886,7 @@ index ea29513..4283571 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1003,20 @@ optional_policy(`
+@@ -738,10 +1010,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48639,7 +48907,7 @@ index ea29513..4283571 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1025,10 @@ optional_policy(`
+@@ -750,6 +1032,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48650,7 +48918,7 @@ index ea29513..4283571 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1050,6 @@ optional_policy(`
+@@ -771,8 +1057,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -48659,7 +48927,7 @@ index ea29513..4283571 100644
  ')
  
  optional_policy(`
-@@ -781,14 +1058,21 @@ optional_policy(`
+@@ -781,14 +1065,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48681,7 +48949,7 @@ index ea29513..4283571 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -810,11 +1094,24 @@ optional_policy(`
+@@ -810,11 +1101,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48707,7 +48975,7 @@ index ea29513..4283571 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1121,25 @@ optional_policy(`
+@@ -824,6 +1128,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -48733,7 +49001,7 @@ index ea29513..4283571 100644
  ')
  
  optional_policy(`
-@@ -849,3 +1165,37 @@ optional_policy(`
+@@ -849,3 +1172,42 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -48771,6 +49039,11 @@ index ea29513..4283571 100644
 +')
 +
 +init_rw_stream_sockets(daemon)
++
++allow init_t var_run_t:dir relabelto;
++
++init_stream_connect(initrc_t)
++
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
 index 07eba2b..942bea1 100644
 --- a/policy/modules/system/ipsec.fc
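Review bot: `allow init_t var_run_t:dir relabelto;` is added as a raw rule at the very end of init.te, after `init_rw_stream_sockets(daemon)`, with no comment and, as far as this hunk shows, outside any conditional block. var_run_t belongs to the files module, so reference-policy convention is to reach it through a files interface rather than naming the type directly. Whether init.te declares the type in a `gen_require` is not visible here. I would express the rule through an interface, place it with the other init_t pid-directory rules, and add a comment stating the reason, for example `# init relabels /run at boot` (to be confirmed). `init_stream_connect(initrc_t)` likewise belongs with the initrc_t rules rather than at the end of the file.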
@@ -50055,7 +50328,7 @@ index c7cfb62..6160239 100644
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 9b5a9ed..4c9a5eb 100644
+index 9b5a9ed..d3522be 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -19,6 +19,11 @@ type auditd_log_t;
@@ -50084,7 +50357,7 @@ index 9b5a9ed..4c9a5eb 100644
  
  type syslogd_initrc_exec_t;
  init_script_file(syslogd_initrc_exec_t)
-@@ -179,6 +185,8 @@ logging_send_syslog_msg(auditd_t)
+@@ -179,10 +185,13 @@ logging_send_syslog_msg(auditd_t)
  logging_domtrans_dispatcher(auditd_t)
  logging_signal_dispatcher(auditd_t)
  
@@ -50093,7 +50366,12 @@ index 9b5a9ed..4c9a5eb 100644
  miscfiles_read_localization(auditd_t)
  
  mls_file_read_all_levels(auditd_t)
-@@ -234,7 +242,12 @@ domain_use_interactive_fds(audisp_t)
+ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
++mls_socket_write_all_levels(auditd_t)
+ 
+ seutil_dontaudit_read_config(auditd_t)
+ 
+@@ -234,7 +243,12 @@ domain_use_interactive_fds(audisp_t)
  files_read_etc_files(audisp_t)
  files_read_etc_runtime_files(audisp_t)
  
@@ -50106,7 +50384,7 @@ index 9b5a9ed..4c9a5eb 100644
  
  logging_send_syslog_msg(audisp_t)
  
-@@ -244,14 +257,26 @@ sysnet_dns_name_resolve(audisp_t)
+@@ -244,14 +258,26 @@ sysnet_dns_name_resolve(audisp_t)
  
  optional_policy(`
  	dbus_system_bus_client(audisp_t)
@@ -50134,9 +50412,12 @@ index 9b5a9ed..4c9a5eb 100644
  
  corenet_all_recvfrom_unlabeled(audisp_remote_t)
  corenet_all_recvfrom_netlabel(audisp_remote_t)
-@@ -266,9 +291,16 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -265,10 +291,19 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+ 
  files_read_etc_files(audisp_remote_t)
  
++mls_socket_write_all_levels(audisp_remote_t)
++
  logging_send_syslog_msg(audisp_remote_t)
 +logging_send_audit_msgs(audisp_remote_t)
 +
@@ -50151,7 +50432,7 @@ index 9b5a9ed..4c9a5eb 100644
  sysnet_dns_name_resolve(audisp_remote_t)
  
  ########################################
-@@ -338,11 +370,12 @@ optional_policy(`
+@@ -338,11 +373,12 @@ optional_policy(`
  # chown fsetid for syslog-ng
  # sys_admin for the integrated klog of syslog-ng and metalog
  # cjp: why net_admin!
@@ -50166,7 +50447,7 @@ index 9b5a9ed..4c9a5eb 100644
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -360,6 +393,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -360,6 +396,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
  # create/append log files.
  manage_files_pattern(syslogd_t, var_log_t, var_log_t)
  rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -50174,7 +50455,7 @@ index 9b5a9ed..4c9a5eb 100644
  
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
-@@ -369,9 +403,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -369,9 +406,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -50190,7 +50471,7 @@ index 9b5a9ed..4c9a5eb 100644
  # manage pid file
  manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
  files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -412,6 +452,9 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
+@@ -412,6 +455,9 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
  dev_filetrans(syslogd_t, devlog_t, sock_file)
  dev_read_sysfs(syslogd_t)
@@ -50200,7 +50481,15 @@ index 9b5a9ed..4c9a5eb 100644
  
  domain_use_interactive_fds(syslogd_t)
  
-@@ -480,6 +523,10 @@ optional_policy(`
+@@ -432,6 +478,7 @@ term_write_console(syslogd_t)
+ # Allow syslog to a terminal
+ term_write_unallocated_ttys(syslogd_t)
+ 
++init_stream_connect(syslogd_t)
+ # for sending messages to logged in users
+ init_read_utmp(syslogd_t)
+ init_dontaudit_write_utmp(syslogd_t)
+@@ -480,6 +527,10 @@ optional_policy(`
  ')
  
  optional_policy(`
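Review bot: `init_stream_connect(syslogd_t)` is added with no comment and sits directly against the existing `# for sending messages to logged in users` comment, which describes the utmp rules below it rather than the new line. Letting the log daemon connect to init's stream socket deserves a stated reason. If it belongs to the /run and systemd changes this commit describes, a line such as `# connect to init's stream socket (systemd)` above it would say so; the wording is a guess to be confirmed by the author. A blank line after the rule would also keep it apart from the utmp comment.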
@@ -50211,7 +50500,7 @@ index 9b5a9ed..4c9a5eb 100644
  	postgresql_stream_connect(syslogd_t)
  ')
  
-@@ -488,6 +535,10 @@ optional_policy(`
+@@ -488,6 +539,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50700,16 +50989,17 @@ index a0eef20..75e256f 100644
  	dev_rw_xserver_misc(insmod_t)
  
 diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
-index 72c746e..3d0bc28 100644
+index 72c746e..9f9124f 100644
 --- a/policy/modules/system/mount.fc
 +++ b/policy/modules/system/mount.fc
-@@ -1,4 +1,14 @@
+@@ -1,4 +1,15 @@
 +/bin/fusermount    		--      gen_context(system_u:object_r:fusermount_exec_t,s0)
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/dev/\.mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
++/run/mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
 +
 +/sbin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/sbin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
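Review bot: The new `/run/mount(/.*)?` entry spells the runtime directory as `/run`, while the systemd.fc entry added in this same commit uses `/var/run/systemd/ask-password-block/[^/]*` and the udev.fc entry uses `/run/\.udev(/.*)?`. The commit message says a subs file now equates `/var/run` with `/run`; that file is not visible here, but a path substitution is applied in one direction before matching. Entries written with the other prefix may therefore never match, and the files would fall back to a parent directory's label. It would be safer to settle on the prefix the subs file maps to and use it for all three entries.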
@@ -51896,7 +52186,7 @@ index 170e2c7..540a936 100644
 +')
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..293555e 100644
+index 7ed9819..1dc6876 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -51980,7 +52270,15 @@ index 7ed9819..293555e 100644
  
  miscfiles_read_localization(load_policy_t)
  
-@@ -204,7 +222,7 @@ ifdef(`hide_broken_symptoms',`
+@@ -183,6 +201,7 @@ seutil_libselinux_linked(load_policy_t)
+ 
+ userdom_use_user_terminals(load_policy_t)
+ userdom_use_all_users_fds(load_policy_t)
++userdom_dontaudit_read_user_tmp_files(load_policy_t)
+ 
+ ifdef(`distro_ubuntu',`
+ 	optional_policy(`
+@@ -204,7 +223,7 @@ ifdef(`hide_broken_symptoms',`
  # Newrole local policy
  #
  
@@ -51989,7 +52287,7 @@ index 7ed9819..293555e 100644
  allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
  allow newrole_t self:process setexec;
  allow newrole_t self:fd use;
-@@ -216,7 +234,7 @@ allow newrole_t self:msgq create_msgq_perms;
+@@ -216,7 +235,7 @@ allow newrole_t self:msgq create_msgq_perms;
  allow newrole_t self:msg { send receive };
  allow newrole_t self:unix_dgram_socket sendto;
  allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -51998,7 +52296,7 @@ index 7ed9819..293555e 100644
  
  read_files_pattern(newrole_t, default_context_t, default_context_t)
  read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -233,6 +251,7 @@ domain_use_interactive_fds(newrole_t)
+@@ -233,6 +252,7 @@ domain_use_interactive_fds(newrole_t)
  # for when the user types "exec newrole" at the command line:
  domain_sigchld_interactive_fds(newrole_t)
  
@@ -52006,7 +52304,7 @@ index 7ed9819..293555e 100644
  files_read_etc_files(newrole_t)
  files_read_var_files(newrole_t)
  files_read_var_symlinks(newrole_t)
-@@ -260,25 +279,30 @@ term_relabel_all_ptys(newrole_t)
+@@ -260,25 +280,30 @@ term_relabel_all_ptys(newrole_t)
  term_getattr_unallocated_ttys(newrole_t)
  term_dontaudit_use_unallocated_ttys(newrole_t)
  
@@ -52043,7 +52341,7 @@ index 7ed9819..293555e 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(newrole_t)
-@@ -312,6 +336,8 @@ kernel_use_fds(restorecond_t)
+@@ -312,6 +337,8 @@ kernel_use_fds(restorecond_t)
  kernel_rw_pipes(restorecond_t)
  kernel_read_system_state(restorecond_t)
  
@@ -52052,7 +52350,7 @@ index 7ed9819..293555e 100644
  fs_relabelfrom_noxattr_fs(restorecond_t)
  fs_dontaudit_list_nfs(restorecond_t)
  fs_getattr_xattr_fs(restorecond_t)
-@@ -335,6 +361,8 @@ miscfiles_read_localization(restorecond_t)
+@@ -335,6 +362,8 @@ miscfiles_read_localization(restorecond_t)
  
  seutil_libselinux_linked(restorecond_t)
  
@@ -52061,7 +52359,7 @@ index 7ed9819..293555e 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(restorecond_t)
-@@ -353,7 +381,7 @@ optional_policy(`
+@@ -353,7 +382,7 @@ optional_policy(`
  allow run_init_t self:process setexec;
  allow run_init_t self:capability setuid;
  allow run_init_t self:fifo_file rw_file_perms;
@@ -52070,7 +52368,15 @@ index 7ed9819..293555e 100644
  
  # often the administrator runs such programs from a directory that is owned
  # by a different user or has restrictive SE permissions, do not want to audit
-@@ -380,6 +408,8 @@ selinux_compute_create_context(run_init_t)
+@@ -363,6 +392,7 @@ dontaudit run_init_t self:capability { dac_override dac_read_search };
+ corecmd_exec_bin(run_init_t)
+ corecmd_exec_shell(run_init_t)
+ 
++dev_dontaudit_getattr_all(run_init_t)
+ dev_dontaudit_list_all_dev_nodes(run_init_t)
+ 
+ domain_use_interactive_fds(run_init_t)
+@@ -380,6 +410,8 @@ selinux_compute_create_context(run_init_t)
  selinux_compute_relabel_context(run_init_t)
  selinux_compute_user_contexts(run_init_t)
  
@@ -52079,7 +52385,7 @@ index 7ed9819..293555e 100644
  auth_use_nsswitch(run_init_t)
  auth_domtrans_chk_passwd(run_init_t)
  auth_domtrans_upd_passwd(run_init_t)
-@@ -405,6 +435,15 @@ ifndef(`direct_sysadm_daemon',`
+@@ -405,6 +437,15 @@ ifndef(`direct_sysadm_daemon',`
  	')
  ')
  
@@ -52095,7 +52401,7 @@ index 7ed9819..293555e 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(run_init_t)
-@@ -420,61 +459,22 @@ optional_policy(`
+@@ -420,61 +461,22 @@ optional_policy(`
  # semodule local policy
  #
  
@@ -52165,7 +52471,7 @@ index 7ed9819..293555e 100644
  # netfilter_contexts:
  seutil_manage_default_contexts(semanage_t)
  
-@@ -487,118 +487,69 @@ ifdef(`distro_debian',`
+@@ -487,118 +489,69 @@ ifdef(`distro_debian',`
  	files_read_var_lib_symlinks(semanage_t)
  ')
  
@@ -52842,10 +53148,10 @@ index df32316..e8d03fb 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..50aed3b
+index 0000000..266e9b0
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,12 @@
 +/bin/systemd-notify					--		gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 +
 +/bin/systemd-tty-ask-password-agent			--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
@@ -52855,14 +53161,15 @@ index 0000000..50aed3b
 +
 +/lib/systemd/systemd-tmpfiles				--		gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 +
++/var/run/systemd/ask-password-block/[^/]*		-p	gen_context(system_u:object_r:systemd_device_t,s0)
 +/dev/\.systemd/ask-password-block/[^/]*		-p	gen_context(system_u:object_r:systemd_device_t,s0)
 +
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..1d17a7b
+index 0000000..aabfb0d
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,139 @@
+@@ -0,0 +1,140 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -52995,6 +53302,7 @@ index 0000000..1d17a7b
 +        dev_associate(systemd_$1_device_t)
 +
 +		dev_filetrans($1_t, systemd_$1_device_t, { file sock_file })
++		init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file })
 +        allow $1_t systemd_$1_device_t:file manage_file_perms;
 +        allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms;
 +
@@ -53004,10 +53312,10 @@ index 0000000..1d17a7b
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..6c68924
+index 0000000..a0f5414
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,153 @@
+@@ -0,0 +1,163 @@
 +
 +policy_module(systemd, 1.0.0)
 +
@@ -53054,6 +53362,7 @@ index 0000000..6c68924
 +
 +allow systemd_passwd_agent_t systemd_device_t:fifo_file manage_fifo_file_perms;
 +dev_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file)
++init_pid_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file)
 +
 +kernel_stream_connect(systemd_passwd_agent_t)
 +
@@ -53066,6 +53375,7 @@ index 0000000..6c68924
 +auth_use_nsswitch(systemd_passwd_agent_t)
 +
 +init_read_utmp(systemd_passwd_agent_t)
++init_create_pid_dirs(systemd_passwd_agent_t)
 +
 +miscfiles_read_localization(systemd_passwd_agent_t)
 +
@@ -53140,6 +53450,14 @@ index 0000000..6c68924
 +	rpm_delete_db(systemd_tmpfiles_t)
 +')
 +
++optional_policy(`
++	sandbox_list(systemd_tmpfiles_t)
++	sandbox_delete_dirs(systemd_tmpfiles_t)
++	sandbox_delete_files(systemd_tmpfiles_t)
++	sandbox_delete_sock_files(systemd_tmpfiles_t)
++	sandbox_setattr_dirs(systemd_tmpfiles_t)
++')
++
 +########################################
 +#
 +# systemd_notify local policy
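Review bot: The new `optional_policy` block for `systemd_tmpfiles_t` has no comment, and the changelog calls it "manage sandbox data" although the rules grant only list, setattr on directories, and delete on dirs, files and sock_files. A one-line comment above `sandbox_list(systemd_tmpfiles_t)` would record that narrower intent so the block is not later widened to a manage interface: `# tmpfiles cleanup of sandbox data: list, setattr and delete only`.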
@@ -53162,10 +53480,19 @@ index 0000000..6c68924
 +	readahead_manage_pid_files(systemd_notify_t)
 +')
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 0291685..44fe366 100644
+index 0291685..9dcdfe7 100644
 --- a/policy/modules/system/udev.fc
 +++ b/policy/modules/system/udev.fc
-@@ -22,3 +22,4 @@
+@@ -11,6 +11,8 @@
+ 
+ /lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
+ 
++/run/\.udev(/.*)? --	gen_context(system_u:object_r:udev_tbl_t,s0)
++
+ /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
+@@ -22,3 +24,4 @@
  /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
  
  /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
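Review bot: The added `/run/\.udev(/.*)? --` entry matches the directory `/run/.udev` and everything below it, but the `--` specifier restricts the label to regular files. The directory itself and any subdirectories therefore do not get `udev_tbl_t` from this line. If they should be labelled too, the file-type field can be dropped, as in the `/var/run/PackageKit/udev(/.*)?` entry at the end of this hunk: `/run/\.udev(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)`. If only regular files are intended, a short comment saying so would prevent the question.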
@@ -54196,7 +54523,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..012c198 100644
+index 28b88de..8e51296 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -55905,7 +56232,32 @@ index 28b88de..012c198 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3139,3 +3543,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3087,6 +3491,24 @@ interface(`userdom_signal_all_users',`
+ 
+ ########################################
+ ## <summary>
++##	Send kill signals to all user domains.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_kill_all_users',`
++	gen_require(`
++		attribute userdomain;
++	')
++
++	allow $1 userdomain:process sigkill;
++')
++
++########################################
++## <summary>
+ ##	Send a SIGCHLD signal to all user domains.
+ ## </summary>
+ ## <param name="domain">
+@@ -3139,3 +3561,1058 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
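Review bot: The summary of the new `userdom_kill_all_users` interface says "kill signals", which does not name the single permission it grants: `sigkill` on every domain in the `userdomain` attribute. The neighbouring interface in this hunk is documented as "Send a SIGCHLD signal to all user domains."; matching that wording makes the scope explicit for callers: `##	Send a SIGKILL signal to all user domains.`. Because the grant covers the whole attribute, the parameter description could also say that the caller is trusted to terminate any user process.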
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6075a5c..c971b22 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -471,8 +471,21 @@ exit 0
 %endif
 
 %changelog
-* Wed Mar 30 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-8
+* Thu Mar 31 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-8
+- A lot of fixes making /run change working
 - Add subs file to equate /var/run with /run and /var/lock with /run/lock
+- Allow rgmanager to send the kill signal to all users
+- Allow ssh_t to search /root/.ssh and create it if it does not exist
+- dontaudit read of user_tmp_t from load_policy
+- Allow abrt fowner capability
+- Allow audit daemons to change the run level in MLS environments
+- Since /var/lock is moving to /run/lock.  We need to allow all interfaces for lock files to search var_run_t
+- Add file labelfor MathKernel
+- Add label for /dev/dlm*
+- Allow systemd_tmpfiles_t to manage sandbox data
+- More /run directories labels
+- rlogind sends kill signal to chkpwd_t
+- systemd is now mounting on /var/lock
 
 * Fri Mar 25 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-7
 - Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs

