[selinux-policy] Make nvidia* to be labeled correctly Fix abrt_manage_cache() interface Make filetrans rules optional

Daniel J Walsh dwalsh at fedoraproject.org
Wed Nov 2 20:02:15 UTC 2011


commit a7f0027cf7cdf50d8e4e63d55ebc41574a2eaa89
Author: dwalsh <dwalsh at redhat.com>
Date:   Wed Nov 2 16:01:43 2011 -0400

    Make nvidia* device nodes be labeled correctly
    Fix abrt_manage_cache() interface
    Make filetrans rules optional so base policy will build
    Dontaudit chkpwd_t access to inherited TTYS
    Make sure postfix content gets created with the correct label
    Allow gnomeclock to read cgroup
    Fixes for cloudform policy

 policy-F16.patch    |  876 +++++++++++++++++++++++++++++++++------------------
 selinux-policy.spec |   11 +-
 2 files changed, 572 insertions(+), 315 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 9083cd5..b066667 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1937,10 +1937,10 @@ index 0000000..bd83148
 +## <summary>No Interfaces</summary>
 diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
 new file mode 100644
-index 0000000..c66d190
+index 0000000..0bd2028
 --- /dev/null
 +++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,343 @@
+@@ -0,0 +1,349 @@
 +policy_module(permissivedomains,16)
 +
 +optional_policy(`
@@ -2283,7 +2283,13 @@ index 0000000..c66d190
 +	permissive chrome_sandbox_nacl_t;
 +')
 +
++optional_policy(`
++	gen_require(`
++		type matahari_sysconfigd_t;
++	')
 +
++	permissive matahari_sysconfigd_t;
++')
 diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
 index db46387..b665b08 100644
 --- a/policy/modules/admin/portage.fc
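Review bot: The new `permissive matahari_sysconfigd_t;` block carries no comment saying why the domain is run permissive or when it is expected to move to enforcing, and a permissive domain has its denials logged but never blocked. A short comment above the `optional_policy` such as `# TEMPORARY: matahari_sysconfigd_t permissive until its policy is complete; drop when denials are resolved` gives the next maintainer the exit condition. Wrapping the declaration in `optional_policy` with its own `gen_require` matches the chrome_sandbox_nacl_t block just above, so the base build is unaffected when matahari is absent.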
@@ -3859,10 +3865,10 @@ index 975af1a..634c47a 100644
 +	can_exec($1, sudo_exec_t)
 +')
 diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index 2731fa1..22beabf 100644
+index 2731fa1..11212f2 100644
 --- a/policy/modules/admin/sudo.te
 +++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,110 @@ attribute sudodomain;
+@@ -7,3 +7,111 @@ attribute sudodomain;
  
  type sudo_exec_t;
  application_executable_file(sudo_exec_t)
@@ -3919,7 +3925,7 @@ index 2731fa1..22beabf 100644
 +files_list_tmp(sudodomain)
 +
 +fs_search_auto_mountpoints(sudodomain)
-+fs_getattr_xattr_fs(sudodomain)
++fs_getattr_all_fs(sudodomain)
 +
 +selinux_validate_context(sudodomain)
 +selinux_compute_relabel_context(sudodomain)
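Review bot: Replacing `fs_getattr_xattr_fs(sudodomain)` with `fs_getattr_all_fs(sudodomain)` widens the grant from xattr-capable filesystems to every filesystem type, and nothing in the hunk records why. A one-line comment naming the denial that motivated it, e.g. `# sudo needs getattr on all filesystem types: <reason or bug reference>`, would let a later reviewer decide whether the narrower interface can be restored. The sudodomain rule block that this line belongs to begins before the hunk.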
@@ -3940,6 +3946,7 @@ index 2731fa1..22beabf 100644
 +
 +logging_send_audit_msgs(sudodomain)
 +logging_send_syslog_msg(sudodomain)
++logging_set_audit_parameters(sudodomain)
 +
 +miscfiles_read_localization(sudodomain)
 +
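Review bot: `logging_set_audit_parameters(sudodomain)` is a noticeably broader grant than the existing `logging_send_audit_msgs(sudodomain)` next to it, since as I read that refpolicy interface it allows the domain to change audit subsystem settings rather than only emit audit records, and the hunk does not say which sudo behaviour requires it. Because every domain with the sudodomain attribute inherits the rule, a comment such as `# sudo needs audit control for <operation>; see <bug reference>` or, if the real need is narrower, a more specific interface would be preferable. The enclosing sudodomain block starts outside this hunk.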
@@ -4664,10 +4671,10 @@ index 0000000..5901e21
 +/usr/lib/chromium-browser/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
 diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
 new file mode 100644
-index 0000000..7cbe3a7
+index 0000000..1553356
 --- /dev/null
 +++ b/policy/modules/apps/chrome.if
-@@ -0,0 +1,131 @@
+@@ -0,0 +1,133 @@
 +
 +## <summary>policy for chrome</summary>
 +
@@ -4755,6 +4762,8 @@ index 0000000..7cbe3a7
 +	allow chrome_sandbox_t $2:unix_dgram_socket { read write };
 +	allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
 +	allow chrome_sandbox_t $2:unix_stream_socket { getattr read write };
++	allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write };
++	allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
 +	allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
 +
 +	allow $2 chrome_sandbox_t:shm rw_shm_perms;
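Review bot: The two added rules reference `chrome_sandbox_nacl_t` inside an interface whose `gen_require` block lies above this hunk; unless that block already lists the type, modules calling this interface will fail to build with an undeclared type. Please confirm the require reads `type chrome_sandbox_t, chrome_sandbox_nacl_t;` (or equivalent). Both the opening and closing lines of the interface are outside the hunk.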
@@ -4801,10 +4810,10 @@ index 0000000..7cbe3a7
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..0eb3c23
+index 0000000..859eb9f
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,173 @@
+@@ -0,0 +1,177 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -4889,6 +4898,7 @@ index 0000000..0eb3c23
 +userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
 +userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
 +userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
++userdom_search_user_home_content(chrome_sandbox_t)
 +
 +miscfiles_read_localization(chrome_sandbox_t)
 +miscfiles_read_fonts(chrome_sandbox_t)
@@ -4950,6 +4960,8 @@ index 0000000..0eb3c23
 +allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
 +allow chrome_sandbox_nacl_t self:shm create_shm_perms;
 +allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
++allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
++allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
 +
 +allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
 +allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
@@ -4963,6 +4975,7 @@ index 0000000..0eb3c23
 +dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
 +
 +domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
++ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
 +
 +kernel_read_system_state(chrome_sandbox_nacl_t)
 +
@@ -7174,7 +7187,7 @@ index 40e0a2a..93d212c 100644
  ## <summary>
  ##	Send generic signals to user gpg processes.
 diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..b5d4ca3 100644
+index 9050e8c..401a4ec 100644
 --- a/policy/modules/apps/gpg.te
 +++ b/policy/modules/apps/gpg.te
 @@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -7249,7 +7262,7 @@ index 9050e8c..b5d4ca3 100644
  
  mta_write_config(gpg_t)
  
-@@ -142,6 +161,15 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -142,20 +161,33 @@ tunable_policy(`use_samba_home_dirs',`
  ')
  
  optional_policy(`
@@ -7265,22 +7278,29 @@ index 9050e8c..b5d4ca3 100644
  	mozilla_read_user_home_files(gpg_t)
  	mozilla_write_user_home_files(gpg_t)
  ')
-@@ -151,10 +179,10 @@ optional_policy(`
- 	xserver_rw_xdm_pipes(gpg_t)
+ 
+ optional_policy(`
+-	xserver_use_xdm_fds(gpg_t)
+-	xserver_rw_xdm_pipes(gpg_t)
++	spamassassin_read_spamd_tmp_files(gpg_t)
  ')
  
--optional_policy(`
+ optional_policy(`
 -	cron_system_entry(gpg_t, gpg_exec_t)
 -	cron_read_system_job_tmp_files(gpg_t)
--')
++	xserver_use_xdm_fds(gpg_t)
++	xserver_rw_xdm_pipes(gpg_t)
+ ')
+ 
 +#optional_policy(`
 +#	cron_system_entry(gpg_t, gpg_exec_t)
 +#	cron_read_system_job_tmp_files(gpg_t)
 +#')
- 
++
  ########################################
  #
-@@ -191,7 +219,7 @@ files_read_etc_files(gpg_helper_t)
+ # GPG helper local policy
+@@ -191,7 +223,7 @@ files_read_etc_files(gpg_helper_t)
  
  auth_use_nsswitch(gpg_helper_t)
  
@@ -7289,7 +7309,7 @@ index 9050e8c..b5d4ca3 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -205,11 +233,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -205,11 +237,12 @@ tunable_policy(`use_samba_home_dirs',`
  #
  # GPG agent local policy
  #
@@ -7303,7 +7323,7 @@ index 9050e8c..b5d4ca3 100644
  allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
  
  # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-@@ -239,19 +268,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
+@@ -239,19 +272,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
  miscfiles_read_localization(gpg_agent_t)
  
  # Write to the user domain tty.
@@ -7326,7 +7346,7 @@ index 9050e8c..b5d4ca3 100644
  	userdom_manage_user_home_content_dirs(gpg_agent_t)
  	userdom_manage_user_home_content_files(gpg_agent_t)
  ')
-@@ -332,6 +362,10 @@ miscfiles_read_localization(gpg_pinentry_t)
+@@ -332,6 +366,10 @@ miscfiles_read_localization(gpg_pinentry_t)
  # for .Xauthority
  userdom_read_user_home_content_files(gpg_pinentry_t)
  userdom_read_user_tmpfs_files(gpg_pinentry_t)
@@ -7337,7 +7357,7 @@ index 9050e8c..b5d4ca3 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_read_nfs_files(gpg_pinentry_t)
-@@ -342,11 +376,21 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -342,11 +380,21 @@ tunable_policy(`use_samba_home_dirs',`
  ')
  
  optional_policy(`
@@ -7359,7 +7379,7 @@ index 9050e8c..b5d4ca3 100644
  	pulseaudio_exec(gpg_pinentry_t)
  	pulseaudio_rw_home_files(gpg_pinentry_t)
  	pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -356,4 +400,28 @@ optional_policy(`
+@@ -356,4 +404,28 @@ optional_policy(`
  
  optional_policy(`
  	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -8010,7 +8030,7 @@ index 93ac529..35b51ab 100644
 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..6c95832 100644
+index fbb5c5a..8fe4551 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -8048,7 +8068,14 @@ index fbb5c5a..6c95832 100644
  ')
  
  ########################################
-@@ -203,6 +213,15 @@ interface(`mozilla_domtrans_plugin',`
+@@ -197,12 +207,21 @@ interface(`mozilla_domtrans',`
+ #
+ interface(`mozilla_domtrans_plugin',`
+ 	gen_require(`
+-		type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t;
++		type mozilla_plugin_t, mozilla_plugin_exec_t;
+ 		class dbus send_msg;
+ 	')
  
  	domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
  	allow mozilla_plugin_t $1:process signull;
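Review bot: Dropping `mozilla_plugin_tmpfs_t` from the `gen_require` of `mozilla_domtrans_plugin` is safe only if no remaining line of the interface references that type; the body continues past the end of this hunk, and the visible lines use only `mozilla_plugin_exec_t` and `mozilla_plugin_t`. Please confirm the rest of the body has no tmpfs rule, otherwise callers outside the mozilla module will fail to build with an undeclared-type error.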
@@ -14318,7 +14345,7 @@ index 6cf8784..12bd6fc 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..60394ec 100644
+index f820f3b..c2a334f 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -14610,7 +14637,34 @@ index f820f3b..60394ec 100644
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -2358,7 +2504,97 @@ interface(`dev_filetrans_lirc',`
+@@ -1648,6 +1794,26 @@ interface(`dev_filetrans_cardmgr',`
+ 
+ ########################################
+ ## <summary>
++##	Automatic type transition to the type
++##	for xserver misc device nodes when
++##	created in /dev.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_filetrans_xserver_misc',`
++	gen_require(`
++		type device_t, xserver_misc_device_t;
++	')
++
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file )
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of the CPU
+ ##	microcode and id interfaces.
+ ## </summary>
+@@ -2358,7 +2524,97 @@ interface(`dev_filetrans_lirc',`
  
  ########################################
  ## <summary>
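Review bot: `dev_filetrans_xserver_misc` installs an unnamed `filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file )` (note the stray space before the closing parenthesis), which applies to every character device node the caller creates directly in a device_t directory, not only X-related ones; that is far broader than the named transitions this commit adds in `dev_filetrans_xserver_named_dev`. The summary should state that scope so policy authors pick the right interface, e.g. `##	Automatic type transition to xserver_misc_device_t for every character device node the domain creates in /dev; prefer dev_filetrans_xserver_named_dev unless the domain only creates X devices.` Also tidy the call to `filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file)`.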
@@ -14709,7 +14763,7 @@ index f820f3b..60394ec 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2681,7 +2917,7 @@ interface(`dev_write_misc',`
+@@ -2681,7 +2937,7 @@ interface(`dev_write_misc',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -14718,7 +14772,7 @@ index f820f3b..60394ec 100644
  ##	</summary>
  ## </param>
  #
-@@ -2931,8 +3167,8 @@ interface(`dev_dontaudit_write_mtrr',`
+@@ -2931,8 +3187,8 @@ interface(`dev_dontaudit_write_mtrr',`
  		type mtrr_device_t;
  	')
  
@@ -14729,7 +14783,7 @@ index f820f3b..60394ec 100644
  ')
  
  ########################################
-@@ -3210,24 +3446,6 @@ interface(`dev_rw_printer',`
+@@ -3210,24 +3466,6 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
@@ -14754,7 +14808,7 @@ index f820f3b..60394ec 100644
  ##	Get the attributes of the QEMU
  ##	microcode and id interfaces.
  ## </summary>
-@@ -3811,6 +4029,42 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3811,6 +4049,42 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -14797,7 +14851,7 @@ index f820f3b..60394ec 100644
  ##	Search the sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3902,25 +4156,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3902,25 +4176,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -14823,7 +14877,7 @@ index f820f3b..60394ec 100644
  ##	Read hardware state information.
  ## </summary>
  ## <desc>
-@@ -3972,6 +4207,42 @@ interface(`dev_rw_sysfs',`
+@@ -3972,6 +4227,42 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -14866,7 +14920,7 @@ index f820f3b..60394ec 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -4069,6 +4340,25 @@ interface(`dev_write_urand',`
+@@ -4069,6 +4360,25 @@ interface(`dev_write_urand',`
  
  ########################################
  ## <summary>
@@ -14892,7 +14946,7 @@ index f820f3b..60394ec 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4495,6 +4785,24 @@ interface(`dev_rw_vhost',`
+@@ -4495,6 +4805,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -14917,7 +14971,34 @@ index f820f3b..60394ec 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4784,3 +5092,794 @@ interface(`dev_unconfined',`
+@@ -4695,6 +5023,26 @@ interface(`dev_rw_xserver_misc',`
+ 
+ ########################################
+ ## <summary>
++##	Read and write X server miscellaneous devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_manage_xserver_misc',`
++	gen_require(`
++		type device_t, xserver_misc_device_t;
++	')
++
++	manage_chr_files_pattern($1, device_t, xserver_misc_device_t)
++
++	dev_filetrans_xserver_named_dev($1)
++')
++
++########################################
++## <summary>
+ ##	Read and write to the zero device (/dev/zero).
+ ## </summary>
+ ## <param name="domain">
+@@ -4784,3 +5132,812 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
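Review bot: The summary of `dev_manage_xserver_misc` reads `Read and write X server miscellaneous devices`, which is the text of the `dev_rw_xserver_misc` interface directly above it, while the body grants `manage_chr_files_pattern` (create and delete as well as read/write) plus named type transitions. Change it to `##	Create, read, write, and delete X server miscellaneous devices.` so that a policy author wanting only read/write access does not pick this one. The call to `dev_filetrans_xserver_named_dev($1)` depends on an interface defined much later in the same file, which m4 tolerates but is worth a one-line comment.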
@@ -14956,7 +15037,6 @@ index f820f3b..60394ec 100644
 +gen_require(`
 +	type device_t;
 +	type usb_device_t;
-+	type xserver_misc_device_t;
 +	type sound_device_t;
 +	type apm_bios_t;
 +	type mouse_device_t;
@@ -15000,7 +15080,6 @@ index f820f3b..60394ec 100644
 +	type mtrr_device_t;
 +')
 +
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2")
@@ -15075,7 +15154,6 @@ index f820f3b..60394ec 100644
 +	filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep")
 +	filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64")
 +	filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash")
 +	filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0")
 +	filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1")
@@ -15172,8 +15250,6 @@ index f820f3b..60394ec 100644
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "007")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "008")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "009")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics")
 +	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0")
 +	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1")
 +	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2")
@@ -15291,16 +15367,6 @@ index f820f3b..60394ec 100644
 +	filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog")
 +	filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem")
 +	filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9")
 +	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice")
 +	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "microcode")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0")
@@ -15359,20 +15425,8 @@ index f820f3b..60394ec 100644
 +	filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8")
 +	filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9")
 +	filetrans_pattern($1, device_t, null_device_t, chr_file, "null")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl")
 +	filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram")
 +	filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl")
 +	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
 +	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
 +	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
@@ -15520,17 +15574,6 @@ index f820f3b..60394ec 100644
 +	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7")
 +	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8")
 +	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter")
 +	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon")
 +	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0")
 +	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet1")
@@ -15587,16 +15630,6 @@ index f820f3b..60394ec 100644
 +	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9")
 +	filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt")
 +	filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
-+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +	filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0")
 +	filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1")
 +	filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2")
@@ -15711,6 +15744,72 @@ index f820f3b..60394ec 100644
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc")
++	dev_filetrans_xserver_named_dev($1)
++')
++
++########################################
++## <summary>
++##	Create all named devices with the correct label
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_filetrans_xserver_named_dev',`
++
++	gen_require(`
++		type xserver_misc_device_t;
++	')
++
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
++	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +')
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
 index 08f01e7..1c2562c 100644
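Review bot: `dev_filetrans_xserver_named_dev` requires only `xserver_misc_device_t`, yet every `filetrans_pattern` line in its body also uses `device_t`, whereas the sibling interfaces added in this commit (`dev_filetrans_xserver_misc`, `dev_manage_xserver_misc`) require both. It appears to build only because each visible caller already has `device_t` in scope; a direct call from another module could fail. Change the require to `type device_t, xserver_misc_device_t;`. Minor style: the blank line immediately after the `interface(` line and the space-indented `##      Domain allowed access.` differ from the tab-indented form used by the neighbouring interfaces.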
@@ -15840,7 +15939,7 @@ index 6a1e4d1..3ded83e 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..b949cfb 100644
+index fae1ab1..a60d2f8 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -15933,11 +16032,104 @@ index fae1ab1..b949cfb 100644
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -160,3 +197,122 @@ allow unconfined_domain_type domain:key *;
+@@ -158,5 +195,215 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+ # act on all domains keys
+ allow unconfined_domain_type domain:key *;
  
++dev_filetrans_all_named_dev(unconfined_domain_type)
++
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
 +
++storage_filetrans_all_named_dev(unconfined_domain_type)
++
++term_filetrans_all_named_dev(unconfined_domain_type)
++
++optional_policy(`
++	authlogin_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	alsa_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	apache_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	bootloader_filetrans_config(unconfined_domain_type)
++')
++
++optional_policy(`
++	gnome_filetrans_admin_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	devicekit_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	dnsmasq_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	kerberos_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	libs_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	miscfiles_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	mta_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	modules_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	networkmanager_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	nx_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	postfix_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	pulseaudio_filetrans_home_content(unconfined_domain_type)
++	pulseaudio_filetrans_admin_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	quota_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	sysnet_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
++')
++
++optional_policy(`
++	virt_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	ssh_filetrans_admin_home_content(unconfined_domain_type)
++')
++
 +selinux_getattr_fs(domain)
 +selinux_search_fs(domain)
 +selinux_dontaudit_read_fs(domain)
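Review bot: `dev_filetrans_all_named_dev(unconfined_domain_type)` is inserted between the `# act on all domains keys` rule and the `# receive from all domains over labeled networking` comment, while its siblings `storage_filetrans_all_named_dev` and `term_filetrans_all_named_dev` land after that block, so the three base-module transitions are split around an unrelated rule. Group them under one comment, e.g. `# create named device nodes and ttys with the correct label`, followed by the three calls, ahead of the long run of `optional_policy` blocks. The domain.te rules after `selinux_dontaudit_read_fs(domain)` continue outside this hunk.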
@@ -21006,7 +21198,7 @@ index 2be17d2..b172ab4 100644
 +	userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..2d6db89 100644
+index e14b961..c6aa0bc 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -24,20 +24,52 @@ ifndef(`enable_mls',`
@@ -21150,14 +21342,14 @@ index e14b961..2d6db89 100644
 -	libs_run_ldconfig(sysadm_t, sysadm_r)
 +	kerberos_exec_kadmind(sysadm_t)
 +	kerberos_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
-+	kudzu_run(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
 -	lockdev_role(sysadm_r, sysadm_t)
++	kudzu_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
 +	libs_run_ldconfig(sysadm_t, sysadm_r)
  ')
  
@@ -21239,43 +21431,47 @@ index e14b961..2d6db89 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
  ')
-@@ -253,19 +334,19 @@ optional_policy(`
+@@ -253,31 +334,32 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	pyzor_role(sysadm_r, sysadm_t)
-+	prelink_run(sysadm_t, sysadm_r)
++	postfix_filetrans_named_content(sysadm_t)
  ')
  
  optional_policy(`
 -	quota_run(sysadm_t, sysadm_r)
-+	puppet_run_puppetca(sysadm_t, sysadm_r)
++	prelink_run(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
 -	raid_run_mdadm(sysadm_r, sysadm_t)
-+	quota_run(sysadm_t, sysadm_r)
++	puppet_run_puppetca(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
 -	razor_role(sysadm_r, sysadm_t)
++	quota_run(sysadm_t, sysadm_r)
+ ')
+ 
+ optional_policy(`
+-	rpc_domtrans_nfsd(sysadm_t)
 +	raid_domtrans_mdadm(sysadm_t)
  ')
  
  optional_policy(`
-@@ -274,10 +355,7 @@ optional_policy(`
+-	rpm_run(sysadm_t, sysadm_r)
++	rpc_domtrans_nfsd(sysadm_t)
+ ')
  
  optional_policy(`
- 	rpm_run(sysadm_t, sysadm_r)
--')
--
--optional_policy(`
 -	rssh_role(sysadm_r, sysadm_t)
++	rpm_run(sysadm_t, sysadm_r)
 +	rpm_dbus_chat(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
-@@ -302,12 +380,18 @@ optional_policy(`
+@@ -302,12 +384,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21295,7 +21491,7 @@ index e14b961..2d6db89 100644
  ')
  
  optional_policy(`
-@@ -332,7 +416,10 @@ optional_policy(`
+@@ -332,7 +420,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21307,7 +21503,7 @@ index e14b961..2d6db89 100644
  ')
  
  optional_policy(`
-@@ -343,19 +430,15 @@ optional_policy(`
+@@ -343,19 +434,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21329,7 +21525,7 @@ index e14b961..2d6db89 100644
  ')
  
  optional_policy(`
-@@ -367,45 +450,45 @@ optional_policy(`
+@@ -367,45 +454,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21386,7 +21582,7 @@ index e14b961..2d6db89 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -418,10 +501,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +505,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -21397,7 +21593,7 @@ index e14b961..2d6db89 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  	')
  
-@@ -439,6 +518,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +522,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -21405,7 +21601,7 @@ index e14b961..2d6db89 100644
  	')
  
  	optional_policy(`
-@@ -446,11 +526,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +530,66 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22184,10 +22380,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..b1e60db
+index 0000000..4163dc5
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,499 @@
+@@ -0,0 +1,442 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -22271,20 +22467,6 @@ index 0000000..b1e60db
 +files_create_default_dir(unconfined_t)
 +files_root_filetrans_default(unconfined_t, dir)
 +
-+dev_filetrans_all_named_dev(unconfined_t)
-+storage_filetrans_all_named_dev(unconfined_t)
-+term_filetrans_all_named_dev(unconfined_t)
-+
-+authlogin_filetrans_named_content(unconfined_t)
-+
-+miscfiles_filetrans_named_content(unconfined_t)
-+
-+sysnet_filetrans_named_content(unconfined_t)
-+
-+optional_policy(`
-+	ssh_filetrans_admin_home_content(unconfined_t)
-+')
-+
 +mcs_killall(unconfined_t)
 +mcs_ptrace_all(unconfined_t)
 +mls_file_write_all_levels(unconfined_t)
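Review bot: The unconfined_t file-transition rules are deleted outright here rather than wrapped in `optional_policy(...)` as the commit description ("make filetrans rules optional") suggests, so unconfined_t loses the dev/storage/term named-device transitions, the authlogin/miscfiles/sysnet named-content transitions and the ssh admin-home transition; the same happens in the later unconfineduser.te hunks for lib, userdom home-content, devicekit, networkmanager, alsa, apache, bootloader, gnome, dnsmasq, kerberos, modules, mta, nx, pulseaudio, quota and virt. If these transitions are now supplied to unconfined_t elsewhere, a one-line comment at the removal site such as `# named file transitions for unconfined_t are granted in <module-name>` would make that traceable. If they are not, files an unconfined user creates under /dev, /etc and in home directories fall back to the parent directory's label until the next relabel, which is a behaviour change worth stating in the description. The unconfined_t rule block continues outside the hunk.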
@@ -22293,8 +22475,6 @@ index 0000000..b1e60db
 +init_domtrans_script(unconfined_t)
 +init_telinit(unconfined_t)
 +
-+lib_filetrans_named_content(unconfined_t)
-+
 +logging_send_syslog_msg(unconfined_t)
 +logging_run_auditctl(unconfined_t, unconfined_r)
 +
@@ -22307,8 +22487,6 @@ index 0000000..b1e60db
 +
 +unconfined_domain_noaudit(unconfined_t)
 +
-+userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
-+
 +usermanage_run_passwd(unconfined_t, unconfined_r)
 +usermanage_run_chfn(unconfined_t, unconfined_r)
 +
@@ -22361,7 +22539,6 @@ index 0000000..b1e60db
 +		devicekit_dbus_chat(unconfined_usertype)
 +		devicekit_dbus_chat_disk(unconfined_usertype)
 +		devicekit_dbus_chat_power(unconfined_usertype)
-+		devicekit_filetrans_named_content(unconfined_usertype)
 +	')
 +
 +	optional_policy(`
@@ -22370,7 +22547,6 @@ index 0000000..b1e60db
 +
 +	optional_policy(`
 +		networkmanager_dbus_chat(unconfined_usertype)
-+		networkmanager_filetrans_named_content(unconfined_usertype)
 +	')
 +
 +	optional_policy(`
@@ -22415,12 +22591,7 @@ index 0000000..b1e60db
 +')
 +
 +optional_policy(`
-+	alsa_filetrans_named_content(unconfined_t)
-+')
-+
-+optional_policy(`
 +	apache_run_helper(unconfined_t, unconfined_r)
-+	apache_filetrans_home_content(unconfined_t)
 +')
 +
 +optional_policy(`
@@ -22428,10 +22599,6 @@ index 0000000..b1e60db
 +')
 +
 +optional_policy(`
-+	bootloader_filetrans_config(unconfined_t)
-+')
-+
-+optional_policy(`
 +	chrome_role_notrans(unconfined_r, unconfined_usertype)
 +
 +	tunable_policy(`unconfined_chrome_sandbox_transition',`
@@ -22475,7 +22642,6 @@ index 0000000..b1e60db
 +	optional_policy(`
 +		gnomeclock_dbus_chat(unconfined_usertype)
 +		gnome_dbus_chat_gconfdefault(unconfined_usertype)
-+		gnome_filetrans_admin_home_content(unconfined_usertype)
 +		gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
 +	')
 +
@@ -22505,10 +22671,6 @@ index 0000000..b1e60db
 +')
 +
 +optional_policy(`
-+	dnsmasq_filetrans_named_content(unconfined_t)
-+')
-+
-+optional_policy(`
 +	firstboot_run(unconfined_t, unconfined_r)
 +')
 +
@@ -22525,10 +22687,6 @@ index 0000000..b1e60db
 +')
 +
 +optional_policy(`
-+	kerberos_filetrans_named_content(unconfined_t)
-+')
-+
-+optional_policy(`
 +	livecd_run(unconfined_t, unconfined_r)
 +')
 +
@@ -22542,7 +22700,6 @@ index 0000000..b1e60db
 +
 +optional_policy(`
 +	modutils_run_update_mods(unconfined_t, unconfined_r)
-+	modules_filetrans_named_content(unconfined_t)
 +')
 +
 +optional_policy(`
@@ -22561,18 +22718,10 @@ index 0000000..b1e60db
 +')
 +
 +optional_policy(`
-+	mta_filetrans_named_content(unconfined_t)
-+')
-+
-+optional_policy(`
 +	ncftool_run(unconfined_t, unconfined_r)
 +')
 +
 +optional_policy(`
-+	nx_filetrans_named_content(unconfined_t)
-+')
-+
-+optional_policy(`
 +	oddjob_run_mkhomedir(unconfined_t, unconfined_r)
 +')
 +
@@ -22585,15 +22734,6 @@ index 0000000..b1e60db
 +')
 +
 +optional_policy(`
-+	pulseaudio_filetrans_admin_home_content(unconfined_usertype)
-+	pulseaudio_filetrans_home_content(unconfined_usertype)
-+')
-+
-+optional_policy(`
-+	quota_filetrans_named_content(unconfined_t)
-+')
-+
-+optional_policy(`
 +	rpm_run(unconfined_t, unconfined_r)
 +	# Allow SELinux aware applications to request rpm_script execution
 +	rpm_transition_script(unconfined_t)
@@ -22622,7 +22762,6 @@ index 0000000..b1e60db
 +
 +optional_policy(`
 +	virt_transition_svirt(unconfined_t, unconfined_r)
-+	virt_filetrans_home_content(unconfined_t)
 +')
 +
 +optional_policy(`
@@ -23069,7 +23208,7 @@ index 1bd5812..0d7d8d1 100644
 +/var/cache/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
 +/var/spool/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..6b739e6 100644
+index 0b827c5..b2d6129 100644
 --- a/policy/modules/services/abrt.if
 +++ b/policy/modules/services/abrt.if
 @@ -71,6 +71,7 @@ interface(`abrt_read_state',`
@@ -23090,7 +23229,7 @@ index 0b827c5..6b739e6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -169,12 +169,51 @@ interface(`abrt_run_helper',`
+@@ -169,12 +169,52 @@ interface(`abrt_run_helper',`
  ##	</summary>
  ## </param>
  #
@@ -23139,11 +23278,12 @@ index 0b827c5..6b739e6 100644
  	')
  
  	manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++	manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
 +	manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
  ')
  
  ####################################
-@@ -253,6 +292,24 @@ interface(`abrt_manage_pid_files',`
+@@ -253,6 +293,24 @@ interface(`abrt_manage_pid_files',`
  	manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
  ')
  
@@ -23168,7 +23308,7 @@ index 0b827c5..6b739e6 100644
  #####################################
  ## <summary>
  ##	All of the rules required to administrate
-@@ -286,18 +343,116 @@ interface(`abrt_admin',`
+@@ -286,18 +344,116 @@ interface(`abrt_admin',`
  	role_transition $2 abrt_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -24127,7 +24267,7 @@ index deca9d3..ae8c579 100644
  ')
  
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..8002a1f 100644
+index 9e39aa5..a9959fa 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
 @@ -1,13 +1,18 @@
@@ -24139,8 +24279,8 @@ index 9e39aa5..8002a1f 100644
  /etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
 -/etc/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/cherokee(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
-+/etc/drupal(6)?(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/cherokee(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/drupal.*				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /etc/httpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/httpd/conf/keytab		--	gen_context(system_u:object_r:httpd_keytab_t,s0)
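Review bot: `/etc/drupal.*` is a prefix match — file_contexts regexes are implicitly anchored at both ends, so besides /etc/drupal and /etc/drupal6/... it also labels any other /etc entry whose name merely starts with `drupal` (a constructed example: /etc/drupal-backup.conf) as httpd_sys_rw_content_t, a type httpd can write to. If the goal is to cover versioned directories, `/etc/drupal[0-9]*(/.*)?` keeps that without claiming arbitrary names. The same pattern change appears in the next two hunks for `/usr/share/drupal.*` and `/var/lib/drupal.*` and deserves the same treatment.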
@@ -24191,8 +24331,8 @@ index 9e39aa5..8002a1f 100644
  
 -/usr/share/dirsrv(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 -/usr/share/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/drupal(6)?(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/doc/ghc/html(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/drupal.*			gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/doc/ghc/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +
  /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -24217,7 +24357,7 @@ index 9e39aa5..8002a1f 100644
  /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 -/var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/drupal(6)?(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/drupal.*			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
  /var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -29165,10 +29305,10 @@ index 6077339..d10acd2 100644
  dev_manage_generic_blk_files(clogd_t)
 diff --git a/policy/modules/services/cloudform.fc b/policy/modules/services/cloudform.fc
 new file mode 100644
-index 0000000..2c745ea
+index 0000000..b5058ac
 --- /dev/null
 +++ b/policy/modules/services/cloudform.fc
-@@ -0,0 +1,16 @@
+@@ -0,0 +1,23 @@
 +/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
 +
@@ -29177,6 +29317,8 @@ index 0000000..2c745ea
 +/usr/bin/mongod		--	gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/bin/thin		--	gen_context(system_u:object_r:thin_exec_t,s0)
 +
++/usr/share/aeolus-conductor/dbomatic/dbomatic	--	gen_context(system_u:object_r:mongod_exec_t,s0)
++
 +/var/lib/iwhd(/.*)?             gen_context(system_u:object_r:iwhd_var_lib_t,s0)
 +/var/log/iwhd\.log		--		gen_context(system_u:object_r:iwhd_log_t,s0)
 +/var/run/iwhd\.pid               --      gen_context(system_u:object_r:iwhd_var_run_t,s0)
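Review bot: Labeling dbomatic as mongod_exec_t runs a different program inside the mongod_t domain, so each inherits whatever the other needs (the cloudform.te hunks below already add dbomatic-specific rules to mongod_t), and the following hunk does the same for its pid file. A comment above the entry, `# dbomatic runs in mongod_t; see cloudform.te`, or better a dedicated dbomatic domain, would make that sharing explicit. While there, the next hunk ends the file with two added blank lines that can be dropped.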
@@ -29185,6 +29327,11 @@ index 0000000..2c745ea
 +/var/log/mongodb(/.*)?		gen_context(system_u:object_r:mongod_log_t,s0)
 +/var/run/mongodb(/.*)?		gen_context(system_u:object_r:mongod_var_run_t,s0)
 +
++/var/run/aeolus/dbomatic\.pid   --  gen_context(system_u:object_r:mongod_var_run_t,s0)
++
++/var/run/aeolus/thin\.pid	--	gen_context(system_u:object_r:thin_var_run_t,s0)
++
++
 diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if
 new file mode 100644
 index 0000000..917f8d4
@@ -29216,10 +29363,10 @@ index 0000000..917f8d4
 +')
 diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
 new file mode 100644
-index 0000000..1852397
+index 0000000..c7ee7dd
 --- /dev/null
 +++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,201 @@
+@@ -0,0 +1,207 @@
 +policy_module(cloudform, 1.0)
 +
 +########################################
@@ -29355,14 +29502,11 @@ index 0000000..1852397
 +# mongod local policy
 +#
 +
-+#WHY?
-+allow mongod_t self:process execmem;
-+
-+allow mongod_t self:process setsched;
-+
-+allow mongod_t self:process { fork signal };
++allow mongod_t self:process { setsched signal };
 +
++allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
 +allow mongod_t self:unix_stream_socket create_stream_socket_perms;
++allow mongod_t self:udp_socket create_socket_perms;
 +
 +manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
 +manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
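Review bot: The added `self:udp_socket create_socket_perms` and `self:netlink_route_socket r_netlink_socket_perms` rules carry no note on which of the two programs now sharing mongod_t needs them, unlike the `#needed by dbomatic` marker in the next hunk; `sysnet_dns_name_resolve` at the end of that hunk presumably already grants resolver-side UDP and route-socket use, so please confirm these are not redundant before granting them unconditionally. Dropping the `#WHY?` execmem rule is a clear hardening improvement. `fork` also disappears from the process permissions, which is fine only if the base domain rules grant it — I can't confirm that from here.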
@@ -29377,12 +29521,21 @@ index 0000000..1852397
 +
 +manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
 +manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
++#needed by dbomatic
++files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
 +
 +corenet_tcp_bind_generic_node(mongod_t)
-+#temporary
 +corenet_tcp_bind_generic_port(mongod_t)
 +
-+domain_use_interactive_fds(mongod_t)
++files_read_usr_files(mongod_t)
++
++optional_policy(`
++	mysql_stream_connect(mongod_t)
++')
++
++optional_policy(`
++	postgresql_stream_connect(mongod_t)
++')
 +
 +optional_policy(`
 +	sysnet_dns_name_resolve(mongod_t)
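Review bot: The `#temporary` marker is removed but `corenet_tcp_bind_generic_port(mongod_t)` stays, so mongod_t — now also hosting dbomatic — keeps the right to bind any generic port; if the server listens on a fixed port, a dedicated port type and `corenet_tcp_bind_<name>_port` would narrow that, otherwise a comment recording that the wide bind is intentional should replace the one that was dropped. `files_pid_filetrans(mongod_t, mongod_var_run_t, { file })` pairs with the new dbomatic pid entry in cloudform.fc; plain `file` matches the surrounding style. The closing `')` of the final optional block is outside the hunk.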
@@ -33521,7 +33674,7 @@ index 418a5a0..c25fbdc 100644
  /var/run/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
  /var/run/upower(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..afb61c9 100644
+index f706b99..5001351 100644
 --- a/policy/modules/services/devicekit.if
 +++ b/policy/modules/services/devicekit.if
 @@ -5,9 +5,9 @@
@@ -33645,7 +33798,7 @@ index f706b99..afb61c9 100644
 +		type devicekit_var_log_t;
 +	')
 +
-+	dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms;
++	dontaudit $1 devicekit_var_log_t:file rw_file_perms;
 +')
 +
 +########################################
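Review bot: Changing the dontaudit from `rw_inherited_file_perms` to `rw_file_perms` also silences `open` on devicekit_var_log_t, so a domain that actually opens the devicekit log itself will no longer leave an audit trace — the inherited-fd form was precise about hiding only leaked-descriptor noise. If the switch is only because the inherited macro is not available in the base policy this patch targets, spelling out `{ getattr read write append ioctl lock }` keeps the narrow meaning without depending on it. The interface header is above the hunk.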
@@ -35304,7 +35457,7 @@ index e1d7dc5..673f185 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..87949e8 100644
+index acf6d4f..2fbb869 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -35395,15 +35548,17 @@ index acf6d4f..87949e8 100644
  	postgresql_stream_connect(dovecot_t)
  ')
  
-@@ -180,7 +196,7 @@ optional_policy(`
+@@ -180,8 +196,8 @@ optional_policy(`
  # dovecot auth local policy
  #
  
 -allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
-+allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid };
- allow dovecot_auth_t self:process { signal_perms getcap setcap };
+-allow dovecot_auth_t self:process { signal_perms getcap setcap };
++allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
++allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
  allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
+ allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
 @@ -190,6 +206,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
  
  read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
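Review bot: `sys_nice` and `getsched setsched` are added to dovecot_auth_t with neither a comment nor a line in the commit description saying which denial they resolve; the auth worker handles credentials, so every capability widening here should carry a one-line reason, e.g. `# dovecot-auth adjusts its own scheduling priority` (with the actual AVC as the source). `ipc_lock` was already present in the previous version of the line, so the real change is just those two additions.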
@@ -38642,10 +38797,10 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..86ba356 100644
+index 4fde46b..4978f18 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
-@@ -15,18 +15,23 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+@@ -15,18 +15,25 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
  #
  
  allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
@@ -38653,14 +38808,17 @@ index 4fde46b..86ba356 100644
 +allow gnomeclock_t self:process { getattr getsched signal };
  allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
  allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
- 
-+kernel_read_system_state(gnomeclock_t)
++allow gnomeclock_t self:unix_dgram_socket create_socket_perms;
 +
++kernel_read_system_state(gnomeclock_t)
+ 
  corecmd_exec_bin(gnomeclock_t)
 +corecmd_exec_shell(gnomeclock_t)
 +corecmd_dontaudit_access_check_bin(gnomeclock_t)
++
++dev_read_sysfs(gnomeclock_t)
  
- files_read_etc_files(gnomeclock_t)
+-files_read_etc_files(gnomeclock_t)
 +files_read_etc_runtime_files(gnomeclock_t)
  files_read_usr_files(gnomeclock_t)
  
@@ -38672,7 +38830,7 @@ index 4fde46b..86ba356 100644
  
  miscfiles_read_localization(gnomeclock_t)
  miscfiles_manage_localization(gnomeclock_t)
-@@ -35,10 +40,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +42,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
  userdom_read_all_users_state(gnomeclock_t)
  
  optional_policy(`
@@ -41059,7 +41217,7 @@ index 3aa8fa7..40b10fa 100644
 +	ldap_systemctl($1)
  ')
 diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
-index 64fd1ff..211180e 100644
+index 64fd1ff..0f5d0b7 100644
 --- a/policy/modules/services/ldap.te
 +++ b/policy/modules/services/ldap.te
 @@ -10,7 +10,7 @@ type slapd_exec_t;
@@ -41119,6 +41277,14 @@ index 64fd1ff..211180e 100644
  
  kernel_read_system_state(slapd_t)
  kernel_read_kernel_sysctls(slapd_t)
+@@ -106,6 +123,7 @@ files_read_usr_files(slapd_t)
+ files_list_var_lib(slapd_t)
+ 
+ auth_use_nsswitch(slapd_t)
++auth_rw_cache(slapd_t)
+ 
+ logging_send_syslog_msg(slapd_t)
+ 
 diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
 index 771e04b..81d98b3 100644
 --- a/policy/modules/services/likewise.if
@@ -41984,13 +42150,14 @@ index 0000000..5b84980
 +')
 diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc
 new file mode 100644
-index 0000000..ac84e59
+index 0000000..7f36870
 --- /dev/null
 +++ b/policy/modules/services/matahari.fc
-@@ -0,0 +1,27 @@
+@@ -0,0 +1,30 @@
 +/etc/rc\.d/init\.d/matahari-host	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/matahari-net		gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/matahari-service	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/matahari-sysconfig	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
 +
 +/usr/sbin/matahari-hostd	--	gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
 +
@@ -41998,6 +42165,8 @@ index 0000000..ac84e59
 +
 +/usr/sbin/matahari-qmf-hostd	--	gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
 +
++/usr/sbin/matahari-qmf-sysconfigd	--	gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0)
++
 +/usr/sbin/matahari-netd		--	gen_context(system_u:object_r:matahari_netd_exec_t,s0)
 +
 +/usr/sbin/matahari-dbus-networkd		--	gen_context(system_u:object_r:matahari_netd_exec_t,s0)
@@ -42017,10 +42186,10 @@ index 0000000..ac84e59
 +/var/run/matahari-broker\.pid	--	gen_context(system_u:object_r:matahari_var_run_t,s0)
 diff --git a/policy/modules/services/matahari.if b/policy/modules/services/matahari.if
 new file mode 100644
-index 0000000..0432f2e
+index 0000000..0d771fd
 --- /dev/null
 +++ b/policy/modules/services/matahari.if
-@@ -0,0 +1,247 @@
+@@ -0,0 +1,250 @@
 +## <summary>policy for matahari</summary>
 +
 +######################################
@@ -42039,10 +42208,10 @@ index 0000000..0432f2e
 +                attribute matahari_domain;
 +        ')
 +
-+		##############################
-+		#        
-+		#  Declarations
-+		#                        
++	##############################
++	#        
++	#  Declarations
++	#                        
 +
 +        type matahari_$1_t, matahari_domain;
 +        type matahari_$1_exec_t;
@@ -42261,6 +42430,9 @@ index 0000000..0432f2e
 +	allow $1 matahari_serviced_t:process { ptrace signal_perms };
 +	ps_process_pattern($1, matahari_serviced_t)
 +
++	allow $1 matahari_sysconfigd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, matahari_sysconfigd_t)
++
 +	files_search_var_lib($1)
 +	admin_pattern($1, matahari_var_lib_t)
 +
@@ -42270,10 +42442,10 @@ index 0000000..0432f2e
 +')
 diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te
 new file mode 100644
-index 0000000..19d82c3
+index 0000000..215407c
 --- /dev/null
 +++ b/policy/modules/services/matahari.te
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,100 @@
 +policy_module(matahari,1.0.0)
 +
 +########################################
@@ -42286,6 +42458,7 @@ index 0000000..19d82c3
 +matahari_domain_template(hostd)
 +matahari_domain_template(netd)
 +matahari_domain_template(serviced)
++matahari_domain_template(sysconfigd)
 +
 +type matahari_initrc_exec_t;
 +init_script_file(matahari_initrc_exec_t)
@@ -42330,9 +42503,25 @@ index 0000000..19d82c3
 +#
 +# matahari_serviced local policy
 +#
++allow matahari_serviced_t self:process setpgid;
++
++kernel_read_network_state(matahari_serviced_t)
++
++dev_read_sysfs(matahari_serviced_t)
 +
 +domain_use_interactive_fds(matahari_serviced_t)
-+init_spec_domtrans_script(matahari_serviced_t)
++
++files_read_etc_runtime_files(matahari_serviced_t)
++
++init_domtrans_script(matahari_serviced_t)
++
++systemd_config_all_services(matahari_serviced_t)
++
++########################################
++#
++# matahari_sysconfigd local policy
++#
++dev_read_sysfs(matahari_sysconfigd_t)
 +
 +#######################################
 +#
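Review bot: `init_domtrans_script` together with `systemd_config_all_services` lets matahari_serviced_t start, stop and (judging by the name) reconfigure every service on the host, where the replaced `init_spec_domtrans_script` only permitted the initrc transition when explicitly requested; for an agent driven over QMF (judging by the matahari-qmf-* executables in the .fc hunks) that is effectively init-level control, and the block carries no comment saying it is by design. Add one at the top of the section, e.g. `# serviced starts/stops arbitrary system services on request`, so the breadth is visibly intentional. The new matahari_sysconfigd section consists of `dev_read_sysfs` alone; a sysconfig agent that writes configuration will need much more, so either mark it `# TODO: rules pending` or state that it is expected to run permissive for now.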
@@ -48079,7 +48268,7 @@ index 9759ed8..48a5431 100644
  	admin_pattern($1, plymouthd_var_run_t)
  ')
 diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
-index 06e217d..4f9a575 100644
+index 06e217d..ab25c8c 100644
 --- a/policy/modules/services/plymouthd.te
 +++ b/policy/modules/services/plymouthd.te
 @@ -8,17 +8,21 @@ policy_module(plymouthd, 1.0.1)
@@ -48116,7 +48305,7 @@ index 06e217d..4f9a575 100644
  manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
  manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
  files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
-@@ -60,10 +68,25 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -60,10 +68,26 @@ domain_use_interactive_fds(plymouthd_t)
  files_read_etc_files(plymouthd_t)
  files_read_usr_files(plymouthd_t)
  
@@ -48135,6 +48324,7 @@ index 06e217d..4f9a575 100644
 +
 +optional_policy(`
 +	xserver_xdm_manage_spool(plymouthd_t)
++	xserver_read_state_xdm(plymouthd_t)
 +')
 +
 +term_use_unallocated_ttys(plymouthd_t)
@@ -48142,7 +48332,7 @@ index 06e217d..4f9a575 100644
  ########################################
  #
  # Plymouth private policy
-@@ -74,6 +97,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
+@@ -74,6 +98,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
  allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
  
  kernel_read_system_state(plymouth_t)
@@ -48150,7 +48340,7 @@ index 06e217d..4f9a575 100644
  
  domain_use_interactive_fds(plymouth_t)
  
-@@ -87,7 +111,7 @@ sysnet_read_config(plymouth_t)
+@@ -87,7 +112,7 @@ sysnet_read_config(plymouth_t)
  
  plymouthd_stream_connect(plymouth_t)
  
@@ -49046,7 +49236,7 @@ index a3e85c9..c0e0959 100644
  /var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
  /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
 diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..c22af86 100644
+index 46bee12..ca32d30 100644
 --- a/policy/modules/services/postfix.if
 +++ b/policy/modules/services/postfix.if
 @@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@@ -49095,6 +49285,15 @@ index 46bee12..c22af86 100644
  ')
  
  ########################################
+@@ -215,7 +219,7 @@ interface(`postfix_config_filetrans',`
+ 	')
+ 
+ 	files_search_etc($1)
+-	filetrans_pattern($1, postfix_etc_t, $2, $3)
++	filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
+ ')
+ 
+ ########################################
 @@ -272,7 +276,8 @@ interface(`postfix_read_local_state',`
  		type postfix_local_t;
  	')
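Review bot: postfix_config_filetrans() now forwards a fourth argument to `filetrans_pattern`, so the interface's documentation block above this hunk (not visible here) needs a `<param name="name" optional="true">` entry describing the file name the transition applies to. Three-argument callers keep working only because an empty trailing argument presumably drops out of the generated type_transition — a build with one such caller is worth confirming.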
@@ -49282,7 +49481,7 @@ index 46bee12..c22af86 100644
  ')
  
  ########################################
-@@ -621,3 +701,103 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +701,125 @@ interface(`postfix_domtrans_user_mail_handler',`
  
  	typeattribute $1 postfix_user_domtrans;
  ')
@@ -49359,6 +49558,8 @@ index 46bee12..c22af86 100644
 +	admin_pattern($1, postfix_prng_t)
 +
 +	admin_pattern($1, postfix_public_t)
++
++	postfix_filetrans_named_content($1)
 +')
 +
 +########################################
@@ -49386,6 +49587,26 @@ index 46bee12..c22af86 100644
 +	postfix_domtrans_postdrop($1)
 +	role $2 types postfix_postdrop_t;
 +')
++
++########################################
++## <summary>
++##	Transition to postfix named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`postfix_filetrans_named_content',`
++	gen_require(`
++		type postfix_exec_t;
++		type postfix_prng_t;
++	')
++
++	postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script")
++	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
++')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
 index a32c4b3..3a59bac 100644
 --- a/policy/modules/services/postfix.te
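Review bot: The inner `<summary>` of the `domain` param in the new interface is space-indented (`##      Domain allowed access.`) while the surrounding file uses tabs, and the top-level summary "Transition to postfix named content" would be clearer as "Create postfix named content with the correct label". More substantively, the `postfix-script` transition targets postfix_exec_t, an executable type, so any domain given this interface (postfix_admin wires it in above) can create an executable-labeled file in the postfix configuration directory; a comment stating that this mirrors the file context for `postfix-script` documents why that target is right. The `prng_exch` transition to postfix_prng_t is consistent with the admin_pattern line added earlier.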
@@ -50251,7 +50472,7 @@ index b524673..921a60f 100644
 +	ppp_systemctl($1)
  ')
 diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..399a452 100644
+index 2af42e7..20f5d6b 100644
 --- a/policy/modules/services/ppp.te
 +++ b/policy/modules/services/ppp.te
 @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -50378,7 +50599,7 @@ index 2af42e7..399a452 100644
  ')
  
  optional_policy(`
-@@ -243,14 +252,17 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +252,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
  allow pptp_t pptp_log_t:file manage_file_perms;
  logging_log_filetrans(pptp_t, pptp_log_t, file)
  
@@ -50391,13 +50612,14 @@ index 2af42e7..399a452 100644
  kernel_list_proc(pptp_t)
 +kernel_signal(pptp_t)
  kernel_read_kernel_sysctls(pptp_t)
++kernel_read_network_state(pptp_t)
  kernel_read_proc_symlinks(pptp_t)
  kernel_read_system_state(pptp_t)
 +kernel_signal(pptp_t)
  
  dev_read_sysfs(pptp_t)
  
-@@ -265,9 +277,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
+@@ -265,9 +278,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
  corenet_raw_sendrecv_generic_node(pptp_t)
  corenet_tcp_sendrecv_all_ports(pptp_t)
  corenet_tcp_bind_generic_node(pptp_t)
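Review bot: `kernel_signal(pptp_t)` is present twice on the new side of this block, once before `kernel_read_kernel_sysctls` and again after `kernel_read_system_state`; the duplicate predates this commit, but since the hunk edits the lines between them, dropping one copy here is cheap. The added `kernel_read_network_state(pptp_t)` is consistent with the neighbouring kernel_ rules.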
@@ -55588,7 +55810,7 @@ index 82cb169..0a29f68 100644
 +	samba_systemctl($1)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..f0f6907 100644
+index e30bb63..9010ac2 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
@@ -55632,7 +55854,7 @@ index e30bb63..f0f6907 100644
  # smbd Local policy
  #
 -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner kill setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
++allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
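Review bot: `fsetid` joins an already long smbd_t capability line without a note on what triggered it; since fsetid lets the process keep setuid/setgid bits on files it modifies, the reason belongs next to the line, e.g. `# fsetid: <reason from the AVC>`. With sys_admin and sys_chroot on the same line, grouping the capabilities with a comment each would keep the set reviewable.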
@@ -59626,7 +59848,7 @@ index 904f13e..464347f 100644
  
  	init_labeled_script_domtrans($1, tor_initrc_exec_t)
 diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
-index c842cad..fe5deee 100644
+index c842cad..1136b10 100644
 --- a/policy/modules/services/tor.te
 +++ b/policy/modules/services/tor.te
 @@ -42,6 +42,7 @@ files_pid_file(tor_var_run_t)
@@ -59637,7 +59859,7 @@ index c842cad..fe5deee 100644
  allow tor_t self:fifo_file rw_fifo_file_perms;
  allow tor_t self:unix_stream_socket create_stream_socket_perms;
  allow tor_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -95,6 +96,7 @@ corenet_tcp_connect_all_ports(tor_t)
+@@ -95,9 +96,11 @@ corenet_tcp_connect_all_ports(tor_t)
  corenet_sendrecv_all_client_packets(tor_t)
  # ... especially including port 80 and other privileged ports
  corenet_tcp_connect_all_reserved_ports(tor_t)
@@ -59645,6 +59867,10 @@ index c842cad..fe5deee 100644
  
  # tor uses crypto and needs random
  dev_read_urand(tor_t)
++dev_read_sysfs(tor_t)
+ 
+ domain_use_interactive_fds(tor_t)
+ 
 diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if
 index 54b8605..752697f 100644
 --- a/policy/modules/services/tuned.if
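Review bot: `dev_read_sysfs(tor_t)` lands directly under `# tor uses crypto and needs random`, which now reads as if it explained the sysfs rule; separate the two with a blank line or give the new rule its own one-line reason. The access itself is read-only, so this is a readability point.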
@@ -60476,7 +60702,7 @@ index 32a3c13..7baeb6f 100644
  
  optional_policy(`
 diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..b944b61 100644
+index 2124b6a..49c15d1 100644
 --- a/policy/modules/services/virt.fc
 +++ b/policy/modules/services/virt.fc
 @@ -1,5 +1,6 @@
@@ -60488,7 +60714,7 @@ index 2124b6a..b944b61 100644
  HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
  
  /etc/libvirt		-d	gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +13,37 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +13,39 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
  /etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
  /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
@@ -60521,8 +60747,10 @@ index 2124b6a..b944b61 100644
  /var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
 +
 +# support for AEOLUS project
++/usr/bin/imagefactory		--			gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/imgfac\.py		--			gen_context(system_u:object_r:virtd_exec_t,s0)
 +/var/cache/oz(/.*)?					gen_context(system_u:object_r:virt_cache_t,s0)
++/var/lib/imagefactory/images(/.*)?	gen_context(system_u:object_r:virt_image_t,s0)
 +/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 +/var/lib/vdsm(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
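Review bot: `/usr/bin/imagefactory` is labeled virtd_exec_t, so the image-building tool runs in the full libvirt daemon domain — the virtd_t capability line in the virt.te hunks further down includes sys_admin, sys_ptrace, net_admin and dac_override. The existing `imgfac.py` entry already did this, so the pattern is consistent, but a second program in virtd_t is a good moment to consider a dedicated domain, and at minimum the `# support for AEOLUS project` comment should say why these run as virtd_t. The `/var/lib/imagefactory/images(/.*)?` entry as virt_image_t matches the other image directories.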
@@ -61075,7 +61303,7 @@ index 7c5d8d8..d711fd5 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..d2d599b 100644
+index 3eca020..f6d46db 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,81 @@ policy_module(virt, 1.4.0)
@@ -61301,7 +61529,7 @@ index 3eca020..d2d599b 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +224,28 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +224,24 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -61323,14 +61551,10 @@ index 3eca020..d2d599b 100644
 +')
 +
 +optional_policy(`
-+	xen_rw_image_files(svirt_t)
-+')
-+
-+optional_policy(`
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -174,21 +255,36 @@ optional_policy(`
+@@ -174,21 +251,36 @@ optional_policy(`
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -61373,9 +61597,11 @@ index 3eca020..d2d599b 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +296,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -199,9 +291,17 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
++manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 -allow virtd_t virt_image_type:file { relabelfrom relabelto };
 -allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
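Review bot: `manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type)` lets virtd_t create, delete and relabel character device nodes carrying any virt_image_type label, which goes beyond the file and blk_file rules around it; a comment naming the use case (device nodes passed through to guests, presumably) would justify it, and if only access to existing nodes is needed `rw_chr_files_pattern` is the narrower choice. The replacement for the removed relabelfrom/relabelto lines is outside this view, so I can't tell whether chr_file is covered there as well.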
@@ -61391,7 +61617,7 @@ index 3eca020..d2d599b 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +320,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +317,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -61407,7 +61633,7 @@ index 3eca020..d2d599b 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +348,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +345,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -61440,7 +61666,7 @@ index 3eca020..d2d599b 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +380,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +377,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -61459,14 +61685,14 @@ index 3eca020..d2d599b 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -285,16 +415,29 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +412,30 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
 +logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
  
++selinux_validate_context(virtd_t)
++
 +seutil_read_config(virtd_t)
  seutil_read_default_contexts(virtd_t)
 +seutil_read_file_contexts(virtd_t)
@@ -61485,11 +61711,12 @@ index 3eca020..d2d599b 100644
 +manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
 +manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
 +manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
-+userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
++#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
++virt_filetrans_home_content(virtd_t)
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
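Review bot: The replaced rule is left behind as a commented-out line, `#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })`, directly above its replacement `virt_filetrans_home_content(virtd_t)`. Policy sources in this patch otherwise do not keep dead rules; git history records the old call, so the commented line should simply be deleted. If the intent is to document why the filetrans now goes through the interface, a short comment such as `# home-dir transitions live in virt_filetrans_home_content()` says that without leaving disabled code in place.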
-@@ -313,6 +456,10 @@ optional_policy(`
+@@ -313,6 +454,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61500,7 +61727,7 @@ index 3eca020..d2d599b 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -329,16 +476,23 @@ optional_policy(`
+@@ -329,16 +474,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61524,7 +61751,7 @@ index 3eca020..d2d599b 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -360,11 +514,12 @@ optional_policy(`
+@@ -360,11 +512,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61542,7 +61769,7 @@ index 3eca020..d2d599b 100644
  ')
  
  optional_policy(`
-@@ -394,20 +549,36 @@ optional_policy(`
+@@ -394,20 +547,36 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -61582,7 +61809,7 @@ index 3eca020..d2d599b 100644
  corecmd_exec_bin(virt_domain)
  corecmd_exec_shell(virt_domain)
  
-@@ -418,10 +589,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +587,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -61595,7 +61822,7 @@ index 3eca020..d2d599b 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +601,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +599,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -61608,7 +61835,7 @@ index 3eca020..d2d599b 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +614,359 @@ files_search_all(virt_domain)
+@@ -440,25 +612,362 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -61772,6 +61999,7 @@ index 3eca020..d2d599b 100644
 +allow virtd_lxc_t self:packet_socket create_socket_perms;
 +
 +allow virtd_lxc_t virt_image_type:dir mounton;
++manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
 +
 +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
 +allow virtd_t virtd_lxc_t:process { signal signull sigkill };
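Review bot: `manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)` gives the container helper full create/write/unlink rights over guest disk images, and the following hunk adds `storage_manage_fixed_disk(virtd_lxc_t)`, which presumably grants raw access to fixed-disk device nodes; neither grant carries a comment stating the use case. Both are broad for a helper whose other rules in this block are scoped to `svirt_lxc_file_t`, so please record the triggering operation above each rule, e.g. `# lxc driver sets up image-backed and raw-disk root filesystems for containers — TODO confirm`, or narrow them if a more specific interface fits. The virtd_lxc_t rule block continues outside both hunks.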
@@ -61790,6 +62018,8 @@ index 3eca020..d2d599b 100644
 +manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
 +
++storage_manage_fixed_disk(virtd_lxc_t)
++
 +kernel_read_network_state(virtd_lxc_t)
 +kernel_search_network_sysctl(virtd_lxc_t)
 +kernel_read_sysctl(virtd_lxc_t)
@@ -63574,7 +63804,7 @@ index 130ced9..b6fb17a 100644
 +	userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..c3e4d56 100644
+index 143c893..40e56f1 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -64438,7 +64668,7 @@ index 143c893..c3e4d56 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -672,7 +1018,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,21 +1018,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -64446,8 +64676,13 @@ index 143c893..c3e4d56 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -682,11 +1027,17 @@ dev_wx_raw_memory(xserver_t)
- dev_rw_xserver_misc(xserver_t)
+ dev_read_raw_memory(xserver_t)
+ dev_wx_raw_memory(xserver_t)
+ # for other device nodes such as the NVidia binary-only driver
+-dev_rw_xserver_misc(xserver_t)
++dev_manage_xserver_misc(xserver_t)
++dev_filetrans_xserver_misc(xserver_t)
++
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
 +dev_read_raw_memory(xserver_t)
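Review bot: The comment `# for other device nodes such as the NVidia binary-only driver` is kept, but the rule under it changes from `dev_rw_xserver_misc(xserver_t)` to `dev_manage_xserver_misc(xserver_t)` plus `dev_filetrans_xserver_misc(xserver_t)`, so X may now create device nodes and have them labelled xserver_misc_device_t rather than just read and write existing ones; the comment should say so, e.g. `# X creates and labels device nodes for out-of-tree drivers (e.g. the NVidia binary-only driver)`. Whether the filetrans is restricted to particular names (the commit title mentions nvidia*) is decided in the interface outside this hunk and is worth confirming, since an unrestricted transition would relabel any chr_file xserver_t creates under /dev. Unrelated to the new lines, the resulting file carries `dev_read_raw_memory(xserver_t)` twice (the context line above and the pre-existing inner addition at the end of the hunk); the duplicate is harmless but could be dropped.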
@@ -64464,7 +64699,7 @@ index 143c893..c3e4d56 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -697,8 +1048,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1050,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -64478,7 +64713,7 @@ index 143c893..c3e4d56 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1067,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1069,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -64487,7 +64722,7 @@ index 143c893..c3e4d56 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1074,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1076,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -64502,7 +64737,7 @@ index 143c893..c3e4d56 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1133,40 @@ optional_policy(`
+@@ -778,16 +1135,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -64544,7 +64779,7 @@ index 143c893..c3e4d56 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -796,6 +1175,10 @@ optional_policy(`
+@@ -796,6 +1177,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -64555,7 +64790,7 @@ index 143c893..c3e4d56 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -811,10 +1194,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1196,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -64569,7 +64804,7 @@ index 143c893..c3e4d56 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1205,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1207,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -64578,7 +64813,7 @@ index 143c893..c3e4d56 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -835,6 +1218,9 @@ init_use_fds(xserver_t)
+@@ -835,6 +1220,9 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -64588,7 +64823,7 @@ index 143c893..c3e4d56 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -842,6 +1228,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -842,6 +1230,11 @@ tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_symlinks(xserver_t)
  ')
  
@@ -64600,7 +64835,7 @@ index 143c893..c3e4d56 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_dirs(xserver_t)
  	fs_manage_cifs_files(xserver_t)
-@@ -850,11 +1241,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -850,11 +1243,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -64617,7 +64852,7 @@ index 143c893..c3e4d56 100644
  ')
  
  optional_policy(`
-@@ -862,6 +1256,10 @@ optional_policy(`
+@@ -862,6 +1258,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -64628,7 +64863,7 @@ index 143c893..c3e4d56 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -905,7 +1303,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1305,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -64637,7 +64872,7 @@ index 143c893..c3e4d56 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -959,11 +1357,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1359,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -64669,7 +64904,7 @@ index 143c893..c3e4d56 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -985,18 +1403,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1405,32 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -65592,7 +65827,7 @@ index 73554ec..6a25dd6 100644
 +	logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index b7a5f00..a53db2b 100644
+index b7a5f00..2c39af1 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,9 +5,25 @@ policy_module(authlogin, 2.2.1)
@@ -65635,7 +65870,7 @@ index b7a5f00..a53db2b 100644
  seutil_dontaudit_use_newrole_fds(chkpwd_t)
  
 -userdom_use_user_terminals(chkpwd_t)
-+userdom_use_inherited_user_terminals(chkpwd_t)
++userdom_dontaudit_use_user_ttys(chkpwd_t)
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
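Review bot: `userdom_dontaudit_use_user_ttys(chkpwd_t)` only silences denials on user_tty_device_t, whereas the interface it replaces, `userdom_use_inherited_user_terminals(chkpwd_t)`, by its name covered pseudo-terminals as well, so password checks started from an ssh or terminal-emulator session (user_devpts_t) would presumably now be denied and audited. Elsewhere in this diff `userdom_dontaudit_use_user_terminals` dontaudits both `user_tty_device_t` and `user_devpts_t` with `rw_inherited_term_perms`; if ptys are in scope, `userdom_dontaudit_use_user_terminals(chkpwd_t)` is the matching call. If restricting to ttys is intentional, a comment saying why would prevent the next reader from "fixing" it.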
@@ -67045,7 +67280,7 @@ index 94fd8dd..b5e5c70 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..29930e4 100644
+index 29a9565..77fb967 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -67469,14 +67704,13 @@ index 29a9565..29930e4 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +512,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +512,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
 -# Early devtmpfs
 -dev_rw_generic_chr_files(initrc_t)
 +dev_rw_xserver_misc(initrc_t)
-+dev_filetrans_all_named_dev(initrc_t)
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
@@ -67486,7 +67720,7 @@ index 29a9565..29930e4 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +531,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +530,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -67494,7 +67728,7 @@ index 29a9565..29930e4 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +539,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +538,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -67506,7 +67740,7 @@ index 29a9565..29930e4 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +558,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +557,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -67520,7 +67754,7 @@ index 29a9565..29930e4 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +573,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +572,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -67529,7 +67763,7 @@ index 29a9565..29930e4 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +587,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +586,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -67537,7 +67771,7 @@ index 29a9565..29930e4 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +599,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +598,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -67545,7 +67779,7 @@ index 29a9565..29930e4 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +620,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +619,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -67567,7 +67801,7 @@ index 29a9565..29930e4 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +683,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +682,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -67578,7 +67812,7 @@ index 29a9565..29930e4 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +707,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +706,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -67587,7 +67821,7 @@ index 29a9565..29930e4 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +722,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +721,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -67595,7 +67829,7 @@ index 29a9565..29930e4 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +752,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +751,33 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -67629,7 +67863,7 @@ index 29a9565..29930e4 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +786,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +785,22 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -67652,7 +67886,7 @@ index 29a9565..29930e4 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +816,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +815,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -67692,7 +67926,7 @@ index 29a9565..29930e4 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +861,8 @@ optional_policy(`
+@@ -561,6 +860,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -67701,7 +67935,7 @@ index 29a9565..29930e4 100644
  ')
  
  optional_policy(`
-@@ -577,6 +879,7 @@ optional_policy(`
+@@ -577,6 +878,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -67709,7 +67943,7 @@ index 29a9565..29930e4 100644
  ')
  
  optional_policy(`
-@@ -589,6 +892,17 @@ optional_policy(`
+@@ -589,6 +891,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67727,7 +67961,7 @@ index 29a9565..29930e4 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +919,13 @@ optional_policy(`
+@@ -605,9 +918,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -67741,7 +67975,7 @@ index 29a9565..29930e4 100644
  	')
  
  	optional_policy(`
-@@ -632,6 +950,10 @@ optional_policy(`
+@@ -632,6 +949,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67752,7 +67986,7 @@ index 29a9565..29930e4 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -649,6 +971,11 @@ optional_policy(`
+@@ -649,6 +970,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67764,7 +67998,7 @@ index 29a9565..29930e4 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1016,7 @@ optional_policy(`
+@@ -689,6 +1015,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -67772,7 +68006,7 @@ index 29a9565..29930e4 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1034,13 @@ optional_policy(`
+@@ -706,7 +1033,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67786,7 +68020,7 @@ index 29a9565..29930e4 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1063,10 @@ optional_policy(`
+@@ -729,6 +1062,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67797,7 +68031,7 @@ index 29a9565..29930e4 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1076,20 @@ optional_policy(`
+@@ -738,10 +1075,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67818,7 +68052,7 @@ index 29a9565..29930e4 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1098,10 @@ optional_policy(`
+@@ -750,6 +1097,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67829,7 +68063,7 @@ index 29a9565..29930e4 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1123,6 @@ optional_policy(`
+@@ -771,8 +1122,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -67838,7 +68072,7 @@ index 29a9565..29930e4 100644
  ')
  
  optional_policy(`
-@@ -790,10 +1140,12 @@ optional_policy(`
+@@ -790,10 +1139,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -67851,7 +68085,7 @@ index 29a9565..29930e4 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1157,6 @@ optional_policy(`
+@@ -805,7 +1156,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67859,7 +68093,7 @@ index 29a9565..29930e4 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1166,26 @@ optional_policy(`
+@@ -815,11 +1165,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67887,7 +68121,7 @@ index 29a9565..29930e4 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1195,25 @@ optional_policy(`
+@@ -829,6 +1194,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -67913,7 +68147,7 @@ index 29a9565..29930e4 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1229,10 @@ optional_policy(`
+@@ -844,6 +1228,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67924,7 +68158,7 @@ index 29a9565..29930e4 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1243,160 @@ optional_policy(`
+@@ -854,3 +1242,160 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -68952,7 +69186,7 @@ index 560dc48..4986f1b 100644
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93..8f5a243 100644
+index 808ba93..eb621fd 100644
 --- a/policy/modules/system/libraries.if
 +++ b/policy/modules/system/libraries.if
 @@ -207,6 +207,23 @@ interface(`libs_search_lib',`
@@ -69050,7 +69284,7 @@ index 808ba93..8f5a243 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`lib_filetrans_named_content',`
++interface(`libs_filetrans_named_content',`
 +	gen_require(`
 +		type ld_so_cache_t;
 +	')
@@ -72966,10 +73200,10 @@ index 0000000..db57bc7
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..79c358c
+index 0000000..5571350
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,502 @@
+@@ -0,0 +1,503 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -73018,6 +73252,7 @@ index 0000000..79c358c
 +	can_exec($1, systemd_systemctl_exec_t)
 +
 +	fs_list_cgroup_dirs($1)
++	fs_read_cgroup_files($1)
 +	systemd_list_unit_dirs($1)
 +	init_list_pid_dirs($1)
 +	init_read_state($1)
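Review bot: `fs_read_cgroup_files($1)` is added to a shared systemd interface whose header lies outside the hunk, so every domain that calls it gains cgroup read access, not only gnomeclock as the changelog states. If systemctl itself needs the read, a comment such as `# systemctl reads cgroup state for the units it queries — TODO confirm` belongs above the line; if only gnomeclock needs it, the grant should move to that module's .te file instead of widening the interface for all callers.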
@@ -75062,7 +75297,7 @@ index db75976..494ec08 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..af43357 100644
+index 4b2878a..9b49159 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -77186,10 +77421,16 @@ index 4b2878a..af43357 100644
  ')
  
  ########################################
-@@ -2644,6 +3313,25 @@ interface(`userdom_dontaudit_use_user_terminals',`
- 	dontaudit $1 user_devpts_t:chr_file rw_term_perms;
- ')
+@@ -2640,8 +3309,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+ 		type user_tty_device_t, user_devpts_t;
+ 	')
  
+-	dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
+-	dontaudit $1 user_devpts_t:chr_file rw_term_perms;
++	dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
++	dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
++')
++
 +
 +########################################
 +## <summary>
@@ -77207,11 +77448,9 @@ index 4b2878a..af43357 100644
 +	')
 +
 +	allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
-+')
-+
+ ')
+ 
  ########################################
- ## <summary>
- ##	Execute a shell in all user domains.  This
 @@ -2713,6 +3401,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
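Review bot: Changing `userdom_dontaudit_use_user_terminals` from `rw_term_perms` to `rw_inherited_term_perms` narrows what is silenced, so callers that open a user terminal themselves will presumably start producing denials; the interface summary above the hunk should be updated to say it covers inherited terminals only, e.g. `##	Do not audit attempts to read/write inherited user terminals.` The new getattr interface whose body ends at `allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;` starts outside the hunk, so its summary and name cannot be checked here.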
@@ -77387,6 +77626,15 @@ index 4b2878a..af43357 100644
  ')
  
  ########################################
+@@ -3045,7 +3736,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+ 		type user_tty_device_t;
+ 	')
+ 
+-	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++	dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
 @@ -3064,6 +3755,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4033277..b3eedad 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 52%{?dist}
+Release: 53%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -483,6 +483,15 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Nov 1 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-53
+- Make nvidia* to be labeled correctly
+- Fix abrt_manage_cache() interface
+- Make filetrans rules optional so base policy will build
+- Dontaudit chkpwd_t access to inherited TTYS
+- Make sure postfix content gets created with the correct label
+- Allow gnomeclock to read cgroup
+- Fixes for cloudform policy
+
 * Thu Oct 27 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-52
 - Check in fixed for Chrome nacl support
 

