[selinux-policy/f16] - Add support for Clustered Samba commands - Allow ricci_modrpm_t to send log msgs - move permissiv

Miroslav Grepl mgrepl at fedoraproject.org
Thu Sep 29 14:04:27 UTC 2011


commit 972757ab44af314660d00063a3454bb87c463ec9
Author: Miroslav <mgrepl at redhat.com>
Date:   Thu Sep 29 16:04:04 2011 +0200

    - Add support for Clustered Samba commands
    - Allow ricci_modrpm_t to send log msgs
    - move permissive virt_qmf_t from virt.te to permissivedomains.te
    - Allow ssh_t to use kernel keyrings
    - Add policy for libvirt-qmf and more fixes for linux containers
    - Initial Polipo
    - Sanlock needs to run ranged in order to kill svirt processes
    - Allow smbcontrol to stream connect to ctdbd

 modules-mls.conf      |    7 +
 modules-targeted.conf |    7 +
 policy-F16.patch      | 3768 +++++++++++++++++++++++++++++++++++++------------
 selinux-policy.spec   |   12 +-
 4 files changed, 2915 insertions(+), 879 deletions(-)
---
diff --git a/modules-mls.conf b/modules-mls.conf
index 184dd7e..aeabab9 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -2107,3 +2107,10 @@ unlabelednet = module
 # policy for namespace.init script 
 #
 namespace = module
+
+# Layer: services
+# Module: polipo
+#
+# polipo
+#
+polipo = module
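Review bot: The description comment for the new entry, `# polipo`, only repeats the module name, while the neighbouring entries describe what the module covers (`# policy for namespace.init script`). Suggest `# policy for the polipo caching web proxy` here and in the identical hunk in modules-targeted.conf. The polipo .te/.if/.fc sources are not in the visible part of policy-F16.patch, so I could not confirm that the module name matches its `policy_module(...)` declaration; worth a glance before merging.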
diff --git a/modules-targeted.conf b/modules-targeted.conf
index c39e9c5..6fc771d 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2465,3 +2465,10 @@ sblim = module
 # cfengine
 #
 cfengine = module
+
+# Layer: services
+# Module: polipo
+#
+# polipo
+#
+polipo = module
diff --git a/policy-F16.patch b/policy-F16.patch
index ce2d8d9..922b4d2 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -483,6 +483,24 @@ index 0bfc958..af95b7a 100644
  
  optional_policy(`
  	cron_system_entry(backup_t, backup_exec_t)
+diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
+index 7a6f06f..e117271 100644
+--- a/policy/modules/admin/bootloader.fc
++++ b/policy/modules/admin/bootloader.fc
+@@ -1,9 +1,11 @@
+-
++/etc/default/grub	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+ /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+ /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+ 
+-/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
++/sbin/grub.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
++/sbin/installkernel	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
++/sbin/new-kernel-pkg	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+ 
+ /usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
 index 63eb96b..17a9f6d 100644
 --- a/policy/modules/admin/bootloader.if
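Review bot: The entry `/sbin/grub --` becomes `/sbin/grub.*`, which labels every file whose name starts with `grub` under /sbin as `bootloader_exec_t`, not just the grub binary, while the `/usr/sbin/grub` entry kept as context stays an exact match. If the goal is the grub2 tool set, a short comment naming the binaries this is meant to catch (and the same widening on the /usr/sbin line, or an explanation of why not) would make the intent checkable. Note that the same commit also declares `bootloader_t` permissive in permissivedomains.te, so whatever these new entries transition into will only log denials for now.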
@@ -965,11 +983,54 @@ index c4d8998..f808287 100644
  	xserver_unconfined(firstboot_t)
 +	xserver_stream_connect(firstboot_t)
  ')
+diff --git a/policy/modules/admin/kdump.fc b/policy/modules/admin/kdump.fc
+index c66934f..1aa1205 100644
+--- a/policy/modules/admin/kdump.fc
++++ b/policy/modules/admin/kdump.fc
+@@ -1,5 +1,7 @@
+ /etc/kdump\.conf	--	gen_context(system_u:object_r:kdump_etc_t,s0)
+ /etc/rc\.d/init\.d/kdump --	gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+ 
++/lib/systemd/system/kdump.service 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
+ /sbin/kdump		--	gen_context(system_u:object_r:kdump_exec_t,s0)
+ /sbin/kexec		--	gen_context(system_u:object_r:kdump_exec_t,s0)
 diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if
-index 4198ff5..df3f4d6 100644
+index 4198ff5..a296bfa 100644
 --- a/policy/modules/admin/kdump.if
 +++ b/policy/modules/admin/kdump.if
-@@ -56,6 +56,24 @@ interface(`kdump_read_config',`
+@@ -37,6 +37,30 @@ interface(`kdump_initrc_domtrans',`
+ 	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+ ')
+ 
++########################################
++## <summary>
++##	Execute kdump server in the kdump domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`kdump_systemctl',`
++	gen_require(`
++		type kdump_unit_file_t;
++		type kdump_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
++	allow $1 kdump_unit_file_t:file read_file_perms;
++	allow $1 kdump_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, kdump_t)
++')
++
+ #####################################
+ ## <summary>
+ ##	Read kdump configuration file.
+@@ -56,6 +80,24 @@ interface(`kdump_read_config',`
  	allow $1 kdump_etc_t:file read_file_perms;
  ')
  
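Review bot: The new kdump.fc entry labels `/lib/systemd/system/kdump.service` as `iptables_unit_file_t`, but the `kdump_systemctl` interface added in the same hunk (and the `kdump_unit_file_t` declaration added in the kdump.te hunk below) operate on `kdump_unit_file_t`; this looks like a copy-paste from the iptables file context. As written, `kdumpgui_t` (which calls `kdump_systemctl` in the kdumpgui.te hunk further down) gets `read_file_perms`/`all_service_perms` on a type the unit file never carries, while every domain given `iptables_systemctl` in this commit (ncftool_t, firewallgui_t) can start and stop kdump.service instead. The line should read `/lib/systemd/system/kdump.service -- gen_context(system_u:object_r:kdump_unit_file_t,s0)`. Separately, the interface summary `Execute kdump server in the kdump domain.` describes a domain transition rather than what the body grants; `Allow the specified domain to control the kdump service through systemctl.` would match the rules.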
@@ -994,6 +1055,20 @@ index 4198ff5..df3f4d6 100644
  ####################################
  ## <summary>
  ##	Manage kdump configuration file.
+diff --git a/policy/modules/admin/kdump.te b/policy/modules/admin/kdump.te
+index b29d8e2..bcd9273 100644
+--- a/policy/modules/admin/kdump.te
++++ b/policy/modules/admin/kdump.te
+@@ -15,6 +15,9 @@ files_config_file(kdump_etc_t)
+ type kdump_initrc_exec_t;
+ init_script_file(kdump_initrc_exec_t)
+ 
++type kdump_unit_file_t;
++systemd_unit_file(kdump_unit_file_t)
++
+ #####################################
+ #
+ # kdump local policy
 diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te
 index 9dd6880..4b7fa27 100644
 --- a/policy/modules/admin/kismet.te
@@ -1048,7 +1123,7 @@ index 4f7bd3c..a29af21 100644
 -	unconfined_domain(kudzu_t)
  ')
 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..c4bbe69 100644
+index 7090dae..b80d4c6 100644
 --- a/policy/modules/admin/logrotate.te
 +++ b/policy/modules/admin/logrotate.te
 @@ -39,6 +39,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi
@@ -1098,7 +1173,18 @@ index 7090dae..c4bbe69 100644
  	# for savelog
  	can_exec(logrotate_t, logrotate_exec_t)
  
-@@ -162,10 +163,20 @@ optional_policy(`
+@@ -154,6 +155,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	awstats_domtrans(logrotate_t)
++')
++
++optional_policy(`
+ 	asterisk_domtrans(logrotate_t)
+ ')
+ 
+@@ -162,10 +167,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1119,15 +1205,21 @@ index 7090dae..c4bbe69 100644
  	cups_domtrans(logrotate_t)
  ')
  
-@@ -203,7 +214,6 @@ optional_policy(`
- 	psad_domtrans(logrotate_t)
+@@ -200,9 +215,12 @@ optional_policy(`
  ')
  
--
  optional_policy(`
- 	samba_exec_log(logrotate_t)
+-	psad_domtrans(logrotate_t)
++	polipo_named_filetrans_log_files(logrotate_t)
  ')
-@@ -228,3 +238,14 @@ optional_policy(`
+ 
++optional_policy(`
++	psad_domtrans(logrotate_t)
++')
+ 
+ optional_policy(`
+ 	samba_exec_log(logrotate_t)
+@@ -228,3 +246,14 @@ optional_policy(`
  optional_policy(`
  	varnishd_manage_log(logrotate_t)
  ')
@@ -1370,7 +1462,7 @@ index 75ee31d..a28ab46 100644
 +	allow $2 ncftool_t:process signal;
 +')
 diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
-index ec29391..41b58fd 100644
+index ec29391..b25d59a 100644
 --- a/policy/modules/admin/ncftool.te
 +++ b/policy/modules/admin/ncftool.te
 @@ -18,9 +18,13 @@ role system_r types ncftool_t;
@@ -1411,6 +1503,14 @@ index ec29391..41b58fd 100644
  sysnet_read_dhcpc_pid(ncftool_t)
  sysnet_signal_dhcpc(ncftool_t)
  
+@@ -66,6 +76,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	iptables_initrc_domtrans(ncftool_t)
++	iptables_systemctl(ncftool_t)
+ ')
+ 
+ optional_policy(`
 diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
 index 407078f..a818e14 100644
 --- a/policy/modules/admin/netutils.fc
@@ -1663,14 +1763,30 @@ index 0000000..bd83148
 +## <summary>No Interfaces</summary>
 diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
 new file mode 100644
-index 0000000..3008c85
+index 0000000..a6beb8f
 --- /dev/null
 +++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,268 @@
 +policy_module(permissivedomains,16)
 +
 +optional_policy(`
 +      gen_require(`
++             type polipo_t;
++      ')
++
++      permissive polipo_t;
++')
++
++optional_policy(`
++      gen_require(`
++             type bootloader_t;
++      ')
++
++      permissive bootloader_t;
++')
++
++optional_policy(`
++      gen_require(`
 +             type systemd_logger_t;
 +      ')
 +
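Review bot: `permissive bootloader_t` switches a domain that has been enforcing into permissive mode, so the widened bootloader.fc entries earlier in this commit (`/sbin/grub.*`, `installkernel`, `new-kernel-pkg`) will only ever produce audit records until this block is removed again; the new `polipo_t` block here, and the `thumb_t` and `virt_qmf_t` blocks in the next permissivedomains.te hunk, are new domains where that staging is expected. Nothing in the file records why a domain is permissive or what has to happen before the line goes. A one-line comment per block, e.g. `# permissive until the denials for the new grub.*/new-kernel-pkg entries are folded into bootloader.te`, would let the next person clean these up safely.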
@@ -1903,6 +2019,22 @@ index 0000000..3008c85
 +      permissive glance_api_t;
 +')
 +
++optional_policy(`
++      gen_require(`
++             type thumb_t;
++      ')
++
++      permissive thumb_t;
++')
++
++optional_policy(`
++      gen_require(`
++             type virt_qmf_t;
++      ')
++
++      permissive virt_qmf_t;
++')
++
 diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
 index db46387..b665b08 100644
 --- a/policy/modules/admin/portage.fc
@@ -3837,9 +3969,19 @@ index 441cf22..4779a8d 100644
  	apache_manage_all_user_content(useradd_t)
  ')
 diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
-index ebf4b26..453a827 100644
+index ebf4b26..b58c822 100644
 --- a/policy/modules/admin/vpn.te
 +++ b/policy/modules/admin/vpn.te
+@@ -7,8 +7,8 @@ policy_module(vpn, 1.14.0)
+ 
+ type vpnc_t;
+ type vpnc_exec_t;
++init_system_domain(vpnc_t, vpnc_exec_t)
+ application_domain(vpnc_t, vpnc_exec_t)
+-role system_r types vpnc_t;
+ 
+ type vpnc_tmp_t;
+ files_tmp_file(vpnc_tmp_t)
 @@ -21,7 +21,7 @@ files_pid_file(vpnc_var_run_t)
  # Local policy
  #
@@ -3901,6 +4043,36 @@ index 48cf11b..9787bd4 100644
  
 -/usr/lib(64)?/authbind/helper	--	gen_context(system_u:object_r:authbind_exec_t,s0)
 +/usr/lib/authbind/helper	--	gen_context(system_u:object_r:authbind_exec_t,s0)
+diff --git a/policy/modules/apps/awstats.if b/policy/modules/apps/awstats.if
+index 283ff0d..53f9ba1 100644
+--- a/policy/modules/apps/awstats.if
++++ b/policy/modules/apps/awstats.if
+@@ -5,6 +5,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Execute the awstats program in the awstats domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`awstats_domtrans',`
++	gen_require(`
++		type awstats_t, awstats_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, awstats_exec_t, awstats_t)
++')
++
++########################################
++## <summary>
+ ##	Read and write awstats unnamed pipes.
+ ## </summary>
+ ## <param name="domain">
 diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
 index 46ea44f..f7183ef 100644
 --- a/policy/modules/apps/cdrecord.te
@@ -4603,10 +4775,10 @@ index 0000000..2bd5790
 +')
 diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
 new file mode 100644
-index 0000000..5e96d3d
+index 0000000..86b640d
 --- /dev/null
 +++ b/policy/modules/apps/firewallgui.te
-@@ -0,0 +1,71 @@
+@@ -0,0 +1,72 @@
 +policy_module(firewallgui,1.0.0)
 +
 +########################################
@@ -4669,6 +4841,7 @@ index 0000000..5e96d3d
 +optional_policy(`
 +	iptables_domtrans(firewallgui_t)
 +	iptables_initrc_domtrans(firewallgui_t)
++	iptables_systemctl(firewallgui_t)
 +')
 +
 +optional_policy(`
@@ -4744,7 +4917,7 @@ index 00a19e3..9f6139c 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..8136040 100644
+index f5afe78..19f3c30 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
 @@ -1,44 +1,731 @@
@@ -5404,11 +5577,10 @@ index f5afe78..8136040 100644
 +##	Search gkeyringd temporary directories.
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	Role allowed access
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
++##	</summary>
++## </param>
 +#
 +interface(`gnome_search_gkeyringd_tmp_dirs',`
 +	gen_require(`
@@ -5423,22 +5595,18 @@ index f5afe78..8136040 100644
 +## <summary>
 +##	search gconf homedir (.local)
 +## </summary>
- ## <param name="domain">
++## <param name="domain">
  ##	<summary>
--##	User domain for the role
+-##	Role allowed access
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
- #
--interface(`gnome_role',`
++#
 +interface(`gnome_search_gconf',`
- 	gen_require(`
--		type gconfd_t, gconfd_exec_t;
--		type gconf_tmp_t;
++	gen_require(`
 +		type gconf_home_t;
- 	')
- 
--	role $1 types gconfd_t;
++	')
++
 +	allow $1 gconf_home_t:dir search_dir_perms;
 +	userdom_search_user_home_dirs($1)
 +')
@@ -5447,17 +5615,23 @@ index f5afe78..8136040 100644
 +## <summary>
 +##	Set attributes of Gnome config dirs.
 +## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	User domain for the role
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`gnome_role',`
 +interface(`gnome_setattr_config_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		type gconfd_t, gconfd_exec_t;
+-		type gconf_tmp_t;
 +		type gnome_home_t;
-+	')
+ 	')
  
+-	role $1 types gconfd_t;
+-
 -	domain_auto_trans($2, gconfd_exec_t, gconfd_t)
 -	allow gconfd_t $2:fd use;
 -	allow gconfd_t $2:fifo_file write;
@@ -5546,7 +5720,7 @@ index f5afe78..8136040 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +770,42 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +770,60 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -5568,66 +5742,84 @@ index f5afe78..8136040 100644
 -##	gconf connection template.
 +##	Connect to gnome over an unix stream socket.
  ## </summary>
--## <param name="user_domain">
 +## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
-+## <param name="user_domain">
 +##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
+ ## <param name="user_domain">
+ ##	<summary>
 +##	The type of the user domain.
 +##	</summary>
 +## </param>
++#
++interface(`gnome_stream_connect',`
++	gen_require(`
++		attribute gnome_home_type;
++	')
++
++	# Connect to pulseaudit server
++	stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
++')
++
++########################################
++## <summary>
++##	list gnome homedir content (.config)
++## </summary>
++## <param name="domain">
++##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
  #
 -interface(`gnome_stream_connect_gconf',`
-+interface(`gnome_stream_connect',`
++interface(`gnome_list_home_config',`
  	gen_require(`
 -		type gconfd_t, gconf_tmp_t;
-+		attribute gnome_home_type;
++		type config_home_t;
  	')
  
 -	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
 -	allow $1 gconfd_t:unix_stream_socket connectto;
-+	# Connect to pulseaudit server
-+	stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
++	allow $1 config_home_t:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Run gconfd in gconfd domain.
-+##	list gnome homedir content (.config)
++##	Set attributes of gnome homedir content (.config)
  ## </summary>
  ## <param name="domain">
  ##	<summary>
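Review bot: The inline comment `# Connect to pulseaudit server` in `gnome_stream_connect` has a typo and also disagrees with the interface summary `Connect to gnome over an unix stream socket`. Since the rule is `stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)`, a comment that states what the rule actually covers would be `# Connect to a socket labeled gnome_home_type served by $2 (e.g. pulseaudio)`. The rest of this hunk is a re-ordering of which lines are context versus added after a rebase, so I raise nothing else here.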
-@@ -122,17 +813,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +831,18 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
 -interface(`gnome_domtrans_gconfd',`
-+interface(`gnome_list_home_config',`
++interface(`gnome_setattr_home_config',`
  	gen_require(`
 -		type gconfd_t, gconfd_exec_t;
 +		type config_home_t;
  	')
  
 -	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
-+	allow $1 config_home_t:dir list_dir_perms;
++	setattr_dirs_pattern($1, config_home_t, config_home_t)
++	userdom_search_user_home_dirs($1)
  ')
  
  ########################################
  ## <summary>
 -##	Set attributes of Gnome config dirs.
-+##	Set attributes of gnome homedir content (.config)
++##	read gnome homedir content (.config)
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +831,356 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +850,355 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
 -interface(`gnome_setattr_config_dirs',`
-+interface(`gnome_setattr_home_config',`
++interface(`gnome_read_home_config',`
  	gen_require(`
 -		type gnome_home_t;
 +		type config_home_t;
@@ -5635,14 +5827,15 @@ index f5afe78..8136040 100644
  
 -	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
 -	files_search_home($1)
-+	setattr_dirs_pattern($1, config_home_t, config_home_t)
-+	userdom_search_user_home_dirs($1)
++	list_dirs_pattern($1, config_home_t, config_home_t)
++	read_files_pattern($1, config_home_t, config_home_t)
++	read_lnk_files_pattern($1, config_home_t, config_home_t)
  ')
  
  ########################################
  ## <summary>
 -##	Read gnome homedir content (.config)
-+##	read gnome homedir content (.config)
++##	manage gnome homedir content (.config)
  ## </summary>
 -## <param name="user_domain">
 +## <param name="domain">
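Review bot: `gnome_read_home_config` grants list/read/read_lnk on `config_home_t` but, unlike `gnome_setattr_home_config` in the previous hunk, does not call `userdom_search_user_home_dirs($1)`, so a caller that is not already allowed to search the user home directory cannot reach the `~/.config` content this is meant to expose. For consistency either add `userdom_search_user_home_dirs($1)` after the three pattern lines, or say in the summary that the caller is expected to have home-directory search already. The same applies to `gnome_manage_home_config` in the next hunk, which only calls `manage_files_pattern`.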
@@ -5652,7 +5845,7 @@ index f5afe78..8136040 100644
  ## </param>
  #
 -template(`gnome_read_config',`
-+interface(`gnome_read_home_config',`
++interface(`gnome_manage_home_config',`
  	gen_require(`
 -		type gnome_home_t;
 +		type config_home_t;
@@ -5661,9 +5854,7 @@ index f5afe78..8136040 100644
 -	list_dirs_pattern($1, gnome_home_t, gnome_home_t)
 -	read_files_pattern($1, gnome_home_t, gnome_home_t)
 -	read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
-+	list_dirs_pattern($1, config_home_t, config_home_t)
-+	read_files_pattern($1, config_home_t, config_home_t)
-+	read_lnk_files_pattern($1, config_home_t, config_home_t)
++	manage_files_pattern($1, config_home_t, config_home_t)
  ')
  
  ########################################
@@ -5678,12 +5869,12 @@ index f5afe78..8136040 100644
  ## </param>
  #
 -interface(`gnome_manage_config',`
-+interface(`gnome_manage_home_config',`
++interface(`gnome_manage_home_config_dirs',`
 +	gen_require(`
 +		type config_home_t;
 +	')
 +
-+	manage_files_pattern($1, config_home_t, config_home_t)
++	manage_dirs_pattern($1, config_home_t, config_home_t)
 +')
 +
 +########################################
@@ -6937,7 +7128,7 @@ index 0000000..6d0c9e3
 +')
 +
 diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te
-index 2dde73a..e4ccac2 100644
+index 2dde73a..8ebd16b 100644
 --- a/policy/modules/apps/kdumpgui.te
 +++ b/policy/modules/apps/kdumpgui.te
 @@ -36,6 +36,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
@@ -6962,6 +7153,14 @@ index 2dde73a..e4ccac2 100644
  optional_policy(`
  	consoletype_exec(kdumpgui_t)
  ')
+@@ -58,6 +66,7 @@ optional_policy(`
+ optional_policy(`
+ 	kdump_manage_config(kdumpgui_t)
+ 	kdump_initrc_domtrans(kdumpgui_t)
++	kdump_systemctl(kdumpgui_t)
+ ')
+ 
+ optional_policy(`
 diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if
 index b2e27ec..c324f94 100644
 --- a/policy/modules/apps/livecd.if
@@ -7296,7 +7495,7 @@ index fbb5c5a..83fc139 100644
 +	dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
  ')
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..68929b9 100644
+index 2e9318b..d1b1280 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -7320,15 +7519,17 @@ index 2e9318b..68929b9 100644
  files_tmpfs_file(mozilla_plugin_tmpfs_t)
  ubac_constrained(mozilla_plugin_tmpfs_t)
  
-@@ -111,6 +114,7 @@ corenet_raw_sendrecv_generic_node(mozilla_t)
+@@ -111,7 +114,9 @@ corenet_raw_sendrecv_generic_node(mozilla_t)
  corenet_tcp_sendrecv_http_port(mozilla_t)
  corenet_tcp_sendrecv_http_cache_port(mozilla_t)
  corenet_tcp_sendrecv_squid_port(mozilla_t)
 +corenet_tcp_connect_flash_port(mozilla_t)
  corenet_tcp_sendrecv_ftp_port(mozilla_t)
++corenet_tcp_connect_all_ephemeral_ports(mozilla_t)
  corenet_tcp_sendrecv_ipp_port(mozilla_t)
  corenet_tcp_connect_http_port(mozilla_t)
-@@ -156,6 +160,8 @@ fs_rw_tmpfs_files(mozilla_t)
+ corenet_tcp_connect_http_cache_port(mozilla_t)
+@@ -156,6 +161,8 @@ fs_rw_tmpfs_files(mozilla_t)
  
  term_dontaudit_getattr_pty_dirs(mozilla_t)
  
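Review bot: `corenet_tcp_connect_all_ephemeral_ports(mozilla_t)` lets the browser domain connect to every TCP port above 32768 with one rule, a noticeably wider grant than the per-service `corenet_tcp_connect_*_port` lines around it; the sandbox.te hunk further down does the same for `sandbox_web_type`. There is no comment saying which site or protocol failed without it, and a one-line note would let a later reviewer decide whether a named port type would do instead. The visible corenetwork.if.in hunks only add the `bind` variants of the ephemeral-port interfaces, so I could not confirm from this page where `corenet_tcp_connect_all_ephemeral_ports` is defined; worth checking it exists in the same patch.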
@@ -7337,7 +7538,7 @@ index 2e9318b..68929b9 100644
  logging_send_syslog_msg(mozilla_t)
  
  miscfiles_read_fonts(mozilla_t)
-@@ -165,7 +171,7 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+@@ -165,7 +172,7 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
  # Browse the web, connect to printer
  sysnet_dns_name_resolve(mozilla_t)
  
@@ -7346,7 +7547,7 @@ index 2e9318b..68929b9 100644
  
  xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
  xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
-@@ -262,6 +268,7 @@ optional_policy(`
+@@ -262,6 +269,7 @@ optional_policy(`
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
  	gnome_manage_config(mozilla_t)
@@ -7354,7 +7555,7 @@ index 2e9318b..68929b9 100644
  ')
  
  optional_policy(`
-@@ -278,7 +285,8 @@ optional_policy(`
+@@ -278,7 +286,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -7364,7 +7565,7 @@ index 2e9318b..68929b9 100644
  ')
  
  optional_policy(`
-@@ -297,15 +305,18 @@ optional_policy(`
+@@ -297,15 +306,18 @@ optional_policy(`
  #
  
  dontaudit mozilla_plugin_t self:capability { sys_ptrace };
@@ -7386,7 +7587,7 @@ index 2e9318b..68929b9 100644
  
  can_exec(mozilla_plugin_t, mozilla_home_t)
  read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-@@ -313,8 +324,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+@@ -313,8 +325,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
  manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
  manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
@@ -7399,7 +7600,7 @@ index 2e9318b..68929b9 100644
  
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -332,11 +345,9 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -332,11 +346,9 @@ kernel_request_load_module(mozilla_plugin_t)
  corecmd_exec_bin(mozilla_plugin_t)
  corecmd_exec_shell(mozilla_plugin_t)
  
@@ -7413,7 +7614,7 @@ index 2e9318b..68929b9 100644
  corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
  corenet_tcp_connect_http_port(mozilla_plugin_t)
  corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-@@ -344,6 +355,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
+@@ -344,6 +356,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
  corenet_tcp_connect_ipp_port(mozilla_plugin_t)
  corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
  corenet_tcp_connect_speech_port(mozilla_plugin_t)
@@ -7423,7 +7624,7 @@ index 2e9318b..68929b9 100644
  
  dev_read_rand(mozilla_plugin_t)
  dev_read_urand(mozilla_plugin_t)
-@@ -385,13 +399,19 @@ term_getattr_all_ttys(mozilla_plugin_t)
+@@ -385,13 +400,19 @@ term_getattr_all_ttys(mozilla_plugin_t)
  term_getattr_all_ptys(mozilla_plugin_t)
  
  userdom_rw_user_tmpfs_files(mozilla_plugin_t)
@@ -7443,7 +7644,7 @@ index 2e9318b..68929b9 100644
  
  tunable_policy(`allow_execmem',`
  	allow mozilla_plugin_t self:process { execmem execstack };
-@@ -425,7 +445,13 @@ optional_policy(`
+@@ -425,7 +446,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -7457,7 +7658,7 @@ index 2e9318b..68929b9 100644
  ')
  
  optional_policy(`
-@@ -438,7 +464,14 @@ optional_policy(`
+@@ -438,7 +465,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -7473,7 +7674,7 @@ index 2e9318b..68929b9 100644
  ')
  
  optional_policy(`
-@@ -446,10 +479,27 @@ optional_policy(`
+@@ -446,10 +480,27 @@ optional_policy(`
  	pulseaudio_stream_connect(mozilla_plugin_t)
  	pulseaudio_setattr_home_dir(mozilla_plugin_t)
  	pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -8203,7 +8404,7 @@ index 0000000..1925bd9
 +')
 diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
 new file mode 100644
-index 0000000..3700bcb
+index 0000000..9bf1dd8
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.te
 @@ -0,0 +1,338 @@
@@ -8498,24 +8699,24 @@ index 0000000..3700bcb
 +	fs_getattr_nfs(nsplugin_t)
 +	fs_manage_nfs_dirs(nsplugin_t)
 +	fs_manage_nfs_files(nsplugin_t)
-+	fs_read_nfs_symlinks(nsplugin_t)
++	fs_manage_nfs_symlinks(nsplugin_t)
 +	fs_manage_nfs_named_pipes(nsplugin_t)
 +	fs_manage_nfs_dirs(nsplugin_config_t)
 +	fs_manage_nfs_files(nsplugin_config_t)
 +	fs_manage_nfs_named_pipes(nsplugin_config_t)
-+	fs_read_nfs_symlinks(nsplugin_config_t)
++	fs_manage_nfs_symlinks(nsplugin_config_t)
 +')
 +
 +tunable_policy(`use_samba_home_dirs',`
 +	fs_getattr_cifs(nsplugin_t)
 +	fs_manage_cifs_dirs(nsplugin_t)
 +	fs_manage_cifs_files(nsplugin_t)
-+	fs_read_cifs_symlinks(nsplugin_t)
++	fs_manage_cifs_symlinks(nsplugin_t)
 +	fs_manage_cifs_named_pipes(nsplugin_t)
 +	fs_manage_cifs_dirs(nsplugin_config_t)
 +	fs_manage_cifs_files(nsplugin_config_t)
 +	fs_manage_cifs_named_pipes(nsplugin_config_t)
-+	fs_read_cifs_symlinks(nsplugin_config_t)
++	fs_manage_cifs_symlinks(nsplugin_config_t)
 +')
 +
 +domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
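Review bot: The four changed lines turn `fs_read_{nfs,cifs}_symlinks` into `fs_manage_{nfs,cifs}_symlinks` for both `nsplugin_t` and `nsplugin_config_t`, which adds create, rename and delete of symlinks on the NFS/CIFS filesystem types as a whole (not only the home directory) for a domain that runs browser plugins on untrusted content. The dirs/files/named-pipe rules next to them are already `manage_*`, so this may simply complete the set; if so, a comment naming the plugin operation that needed symlink creation would justify the widening, and if only resolving links is required the previous `fs_read_*_symlinks` lines were sufficient. The `tunable_policy` block for the NFS rules opens before this hunk.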
@@ -9119,7 +9320,7 @@ index 4c091ca..a58f123 100644
 +
 +/usr/libexec/rssh_chroot_helper		--	gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
 diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
-index f594e12..340c389 100644
+index f594e12..c4ee834 100644
 --- a/policy/modules/apps/sambagui.te
 +++ b/policy/modules/apps/sambagui.te
 @@ -27,6 +27,7 @@ corecmd_exec_bin(sambagui_t)
@@ -9130,6 +9331,14 @@ index f594e12..340c389 100644
  files_read_etc_files(sambagui_t)
  files_search_var_lib(sambagui_t)
  files_read_usr_files(sambagui_t)
+@@ -56,6 +57,7 @@ optional_policy(`
+ 	samba_manage_var_files(sambagui_t)
+ 	samba_read_secrets(sambagui_t)
+ 	samba_initrc_domtrans(sambagui_t)
++	samba_systemctl(sambagui_t)
+ 	samba_domtrans_smbd(sambagui_t)
+ 	samba_domtrans_nmbd(sambagui_t)
+ ')
 diff --git a/policy/modules/apps/sandbox.fc b/policy/modules/apps/sandbox.fc
 new file mode 100644
 index 0000000..6caef63
@@ -9510,10 +9719,10 @@ index 0000000..809784d
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..31c02d2
+index 0000000..e9d2bc3
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,483 @@
+@@ -0,0 +1,484 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -9898,6 +10107,7 @@ index 0000000..31c02d2
 +corenet_tcp_connect_squid_port(sandbox_web_type)
 +corenet_tcp_connect_flash_port(sandbox_web_type)
 +corenet_tcp_connect_ftp_port(sandbox_web_type)
++corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type)
 +corenet_tcp_connect_ipp_port(sandbox_web_type)
 +corenet_tcp_connect_streaming_port(sandbox_web_type)
 +corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
@@ -10573,7 +10783,7 @@ index 3cfb128..609921d 100644
 +    ')
 +')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..7c8de51 100644
+index 2533ea0..11187e0 100644
 --- a/policy/modules/apps/telepathy.te
 +++ b/policy/modules/apps/telepathy.te
 @@ -67,6 +67,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble
@@ -10620,7 +10830,7 @@ index 2533ea0..7c8de51 100644
  
 +optional_policy(`
 +# ~/.config/dconf/user
-+	gnome_read_home_config(telepathy_logger_t)
++	gnome_manage_home_config(telepathy_logger_t)
 +')
 +
  #######################################
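Review bot: The comment `# ~/.config/dconf/user` names a single file, but `gnome_manage_home_config` as rewritten in the gnome.if hunks above is `manage_files_pattern($1, config_home_t, config_home_t)`, so `telepathy_logger_t` now gets create/write/delete on every file under `~/.config` that carries that type, not only the dconf database. If only dconf needs to be writable, a narrower interface covering just that file would be preferable (I could not see one on this page); otherwise the comment should say so, e.g. `# telepathy-logger writes ~/.config/dconf/user; needs manage on config_home_t`.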
@@ -10710,6 +10920,149 @@ index 2533ea0..7c8de51 100644
 +
 +    role unconfined_r types telepathy_domain;
 +')
+diff --git a/policy/modules/apps/thumb.fc b/policy/modules/apps/thumb.fc
+new file mode 100644
+index 0000000..a4be758
+--- /dev/null
++++ b/policy/modules/apps/thumb.fc
+@@ -0,0 +1,4 @@
++
++/usr/bin/evince-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/gnome-thumbnail-font		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/totem-video-thumbnailer	--	gen_context(system_u:object_r:thumb_exec_t,s0)
+diff --git a/policy/modules/apps/thumb.if b/policy/modules/apps/thumb.if
+new file mode 100644
+index 0000000..b78aa77
+--- /dev/null
++++ b/policy/modules/apps/thumb.if
+@@ -0,0 +1,79 @@
++
++## <summary>policy for thumb</summary>
++
++
++########################################
++## <summary>
++##	Transition to thumb.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`thumb_domtrans',`
++	gen_require(`
++		type thumb_t, thumb_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, thumb_exec_t, thumb_t)
++')
++
++
++########################################
++## <summary>
++##	Execute thumb in the thumb domain, and
++##	allow the specified role the thumb domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the thumb domain.
++##	</summary>
++## </param>
++#
++interface(`thumb_run',`
++	gen_require(`
++		type thumb_t;
++	')
++
++	thumb_domtrans($1)
++	role $2 types thumb_t;
++
++	allow $1 thumb_t:process signal;
++')
++
++########################################
++## <summary>
++##	Role access for thumb
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	User domain for the role
++##	</summary>
++## </param>
++#
++interface(`thumb_role',`
++	gen_require(`
++		type thumb_t;
++	')
++
++	role $1 types thumb_t;
++
++	thumb_domtrans($2)
++
++	ps_process_pattern($2, thumb_t)
++	allow $2 thumb_t:process signal;
++')
++
+diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
+new file mode 100644
+index 0000000..7eba136
+--- /dev/null
++++ b/policy/modules/apps/thumb.te
+@@ -0,0 +1,42 @@
++policy_module(thumb, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type thumb_t;
++type thumb_exec_t;
++application_domain(thumb_t, thumb_exec_t)
++role system_r types thumb_t;
++
++type thumb_tmp_t;
++files_tmp_file(thumb_tmp_t)
++
++########################################
++#
++# thumb local policy
++#
++
++allow thumb_t self:process { setsched signal setrlimit };
++
++allow thumb_t self:fifo_file manage_fifo_file_perms;
++allow thumb_t self:unix_stream_socket create_stream_socket_perms;
++
++domain_use_interactive_fds(thumb_t)
++
++kernel_read_system_state(thumb_t)
++
++files_read_etc_files(thumb_t)
++files_read_usr_files(thumb_t)
++
++manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
++userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, file)
++
++miscfiles_read_fonts(thumb_t)
++miscfiles_read_localization(thumb_t)
++
++userdom_read_user_tmp_files(thumb_t)
++userdom_read_user_home_content_files(thumb_t)
++userdom_dontaudit_write_user_tmp_files(thumb_t)
++userdom_use_inherited_user_ptys(thumb_t)
 diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
 index 11fe4f2..98bfbf3 100644
 --- a/policy/modules/apps/tvtime.te
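Review bot: The new thumb.if opens with `## <summary>policy for thumb</summary>`, which tells a reader nothing about what the domain confines; `## <summary>Confined domain for the thumbnailer helpers listed in thumb.fc (evince, gnome-thumbnail-font, totem)</summary>` would, and thumb.fc should not start with the blank line it currently has. In thumb.te, `userdom_read_user_home_content_files(thumb_t)` is a read of all user home content for a process that parses attacker-supplied media, which is the reason these helpers deserve their own domain; a comment such as `# thumbnailers open arbitrary user files; no network or home-write rules on purpose` would record that the breadth is deliberate. Note also that `thumb_t` is declared permissive in the permissivedomains.te hunk of this same commit, so none of the thumb.te rules are enforced yet.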
@@ -11559,7 +11912,7 @@ index 9e9263a..59c2125 100644
  	manage_lnk_files_pattern($1, bin_t, bin_t)
  ')
 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 4f3b542..5a41e58 100644
+index 4f3b542..54e4c81 100644
 --- a/policy/modules/kernel/corenetwork.if.in
 +++ b/policy/modules/kernel/corenetwork.if.in
 @@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',`
@@ -12210,7 +12563,7 @@ index 4f3b542..5a41e58 100644
  ')
  
  ########################################
-@@ -1874,10 +2261,28 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
+@@ -1874,10 +2261,64 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
  #
  interface(`corenet_udp_bind_all_unreserved_ports',`
  	gen_require(`
@@ -12223,7 +12576,7 @@ index 4f3b542..5a41e58 100644
 +
 +########################################
 +## <summary>
-+##	Connect DCCP sockets to reserved ports.
++##	Bind TCP sockets to all ports > 32768.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
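Review bot: The summary `Bind TCP sockets to all ports > 32768.` overstates what the interface grants: it allows name_bind on `ephemeral_port_type`, which the portcon rules in this same commit label only for 32768-61000 inclusive, not for every port above 32768. Suggest `##	Bind TCP sockets to all ephemeral ports (ephemeral_port_type, 32768-61000 by default).` so a policy author does not assume 61001-65535 is covered. The same wording is used for `corenet_udp_bind_all_ephemeral_ports` and `corenet_tcp_connect_all_ephemeral_ports` in the following corenetwork.if.in hunks and should be corrected there too.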
@@ -12231,17 +12584,53 @@ index 4f3b542..5a41e58 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`corenet_dccp_connect_all_reserved_ports',`
++interface(`corenet_tcp_bind_all_ephemeral_ports',`
 +	gen_require(`
-+		attribute reserved_port_type;
++		attribute ephemeral_port_type;
  	')
  
 -	allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
++	allow $1 ephemeral_port_type:tcp_socket name_bind;
++')
++
++########################################
++## <summary>
++##	Bind UDP sockets to all ports > 32768.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`corenet_udp_bind_all_ephemeral_ports',`
++	gen_require(`
++		attribute ephemeral_port_type;
++	')
++
++	allow $1 ephemeral_port_type:udp_socket name_bind;
++')
++
++########################################
++## <summary>
++##	Connect DCCP sockets to reserved ports.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`corenet_dccp_connect_all_reserved_ports',`
++	gen_require(`
++		attribute reserved_port_type;
++	')
++
 +	allow $1 reserved_port_type:dccp_socket name_connect;
  ')
  
  ########################################
-@@ -1900,6 +2305,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
+@@ -1900,6 +2341,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
  
  ########################################
  ## <summary>
@@ -12266,7 +12655,7 @@ index 4f3b542..5a41e58 100644
  ##	Connect TCP sockets to all ports > 1024.
  ## </summary>
  ## <param name="domain">
-@@ -1910,10 +2333,29 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
+@@ -1910,10 +2369,47 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
  #
  interface(`corenet_tcp_connect_all_unreserved_ports',`
  	gen_require(`
@@ -12280,6 +12669,24 @@ index 4f3b542..5a41e58 100644
 +
 +########################################
 +## <summary>
++##	Connect TCP sockets to all ports > 32768.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`corenet_tcp_connect_all_ephemeral_ports',`
++	gen_require(`
++		attribute ephemeral_port_type;
++	')
++
++	allow $1 ephemeral_port_type:tcp_socket name_connect;
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to connect DCCP sockets
 +##	all reserved ports.
 +## </summary>
@@ -12298,7 +12705,7 @@ index 4f3b542..5a41e58 100644
  ')
  
  ########################################
-@@ -1937,6 +2379,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
+@@ -1937,6 +2433,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
  
  ########################################
  ## <summary>
@@ -12323,7 +12730,7 @@ index 4f3b542..5a41e58 100644
  ##	Connect TCP sockets to rpc ports.
  ## </summary>
  ## <param name="domain">
-@@ -1955,6 +2415,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
+@@ -1955,6 +2469,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
  
  ########################################
  ## <summary>
@@ -12349,7 +12756,7 @@ index 4f3b542..5a41e58 100644
  ##	Do not audit attempts to connect TCP sockets
  ##	all rpc ports.
  ## </summary>
-@@ -1993,6 +2472,24 @@ interface(`corenet_rw_tun_tap_dev',`
+@@ -1993,6 +2526,24 @@ interface(`corenet_rw_tun_tap_dev',`
  
  ########################################
  ## <summary>
@@ -12374,7 +12781,7 @@ index 4f3b542..5a41e58 100644
  ##	Do not audit attempts to read or write the TUN/TAP
  ##	virtual network device.
  ## </summary>
-@@ -2049,6 +2546,25 @@ interface(`corenet_rw_ppp_dev',`
+@@ -2049,6 +2600,25 @@ interface(`corenet_rw_ppp_dev',`
  
  ########################################
  ## <summary>
@@ -12400,7 +12807,7 @@ index 4f3b542..5a41e58 100644
  ##	Bind TCP sockets to all RPC ports.
  ## </summary>
  ## <param name="domain">
-@@ -2068,6 +2584,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
+@@ -2068,6 +2638,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
  
  ########################################
  ## <summary>
@@ -12425,7 +12832,7 @@ index 4f3b542..5a41e58 100644
  ##	Do not audit attempts to bind TCP sockets to all RPC ports.
  ## </summary>
  ## <param name="domain">
-@@ -2194,6 +2728,25 @@ interface(`corenet_tcp_recv_netlabel',`
+@@ -2194,6 +2782,25 @@ interface(`corenet_tcp_recv_netlabel',`
  
  ########################################
  ## <summary>
@@ -12451,7 +12858,7 @@ index 4f3b542..5a41e58 100644
  ##	Receive TCP packets from a NetLabel connection.
  ## </summary>
  ## <param name="domain">
-@@ -2213,6 +2766,31 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2213,6 +2820,31 @@ interface(`corenet_tcp_recvfrom_netlabel',`
  
  ########################################
  ## <summary>
@@ -12483,7 +12890,7 @@ index 4f3b542..5a41e58 100644
  ##	Receive TCP packets from an unlabled connection.
  ## </summary>
  ## <param name="domain">
-@@ -2222,9 +2800,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2222,9 +2854,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
  ## </param>
  #
  interface(`corenet_tcp_recvfrom_unlabeled',`
@@ -12498,7 +12905,7 @@ index 4f3b542..5a41e58 100644
  	# XXX - at some point the oubound/send access check will be removed
  	# but for right now we need to keep this in place so as not to break
  	# older systems
-@@ -2249,6 +2832,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
+@@ -2249,6 +2886,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
  
  ########################################
  ## <summary>
@@ -12525,7 +12932,7 @@ index 4f3b542..5a41e58 100644
  ##	Do not audit attempts to receive TCP packets from a NetLabel
  ##	connection.
  ## </summary>
-@@ -2269,6 +2872,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+@@ -2269,6 +2926,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
  
  ########################################
  ## <summary>
@@ -12553,7 +12960,7 @@ index 4f3b542..5a41e58 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2533,6 +3157,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+@@ -2533,6 +3211,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
  ## <infoflow type="read" weight="10"/>
  #
  interface(`corenet_all_recvfrom_unlabeled',`
@@ -12561,7 +12968,7 @@ index 4f3b542..5a41e58 100644
  	kernel_tcp_recvfrom_unlabeled($1)
  	kernel_udp_recvfrom_unlabeled($1)
  	kernel_raw_recvfrom_unlabeled($1)
-@@ -2571,7 +3196,31 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2571,7 +3250,31 @@ interface(`corenet_all_recvfrom_netlabel',`
  	')
  
  	allow $1 netlabel_peer_t:peer recv;
@@ -12594,7 +13001,7 @@ index 4f3b542..5a41e58 100644
  ')
  
  ########################################
-@@ -2585,6 +3234,7 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2585,6 +3288,7 @@ interface(`corenet_all_recvfrom_netlabel',`
  ## </param>
  #
  interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
@@ -12602,7 +13009,7 @@ index 4f3b542..5a41e58 100644
  	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
  	kernel_dontaudit_udp_recvfrom_unlabeled($1)
  	kernel_dontaudit_raw_recvfrom_unlabeled($1)
-@@ -2613,7 +3263,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+@@ -2613,7 +3317,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
  	')
  
  	dontaudit $1 netlabel_peer_t:peer recv;
@@ -12639,7 +13046,7 @@ index 4f3b542..5a41e58 100644
  ')
  
  ########################################
-@@ -2727,6 +3405,7 @@ interface(`corenet_raw_recvfrom_labeled',`
+@@ -2727,6 +3459,7 @@ interface(`corenet_raw_recvfrom_labeled',`
  ## </param>
  #
  interface(`corenet_all_recvfrom_labeled',`
@@ -12648,16 +13055,17 @@ index 4f3b542..5a41e58 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..5287f7a 100644
+index 99b71cb..67c5d0f 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
-@@ -11,11 +11,14 @@ attribute netif_type;
+@@ -11,11 +11,15 @@ attribute netif_type;
  attribute node_type;
  attribute packet_type;
  attribute port_type;
 +attribute defined_port_type;
  attribute reserved_port_type;
 +attribute unreserved_port_type;
++attribute ephemeral_port_type;
  attribute rpc_port_type;
  attribute server_packet_type;
  
@@ -12666,7 +13074,7 @@ index 99b71cb..5287f7a 100644
  
  type ppp_device_t;
  dev_node(ppp_device_t)
-@@ -25,6 +28,7 @@ dev_node(ppp_device_t)
+@@ -25,6 +29,7 @@ dev_node(ppp_device_t)
  #
  type tun_tap_device_t;
  dev_node(tun_tap_device_t)
@@ -12674,7 +13082,7 @@ index 99b71cb..5287f7a 100644
  
  ########################################
  #
-@@ -34,6 +38,18 @@ dev_node(tun_tap_device_t)
+@@ -34,6 +39,18 @@ dev_node(tun_tap_device_t)
  #
  # client_packet_t is the default type of IPv4 and IPv6 client packets.
  #
@@ -12693,19 +13101,25 @@ index 99b71cb..5287f7a 100644
  type client_packet_t, packet_type, client_packet_type;
  
  #
-@@ -50,6 +66,11 @@ type port_t, port_type;
+@@ -50,6 +67,17 @@ type port_t, port_type;
  sid port gen_context(system_u:object_r:port_t,s0)
  
  #
-+# port_t is the default type of INET port numbers.
++# unreserved_port_t is the default type of port numbers > 1024 and non ephemeral
 +#
 +type unreserved_port_t, port_type, unreserved_port_type;
 +
 +#
++# ephemeral_port_t is the default type of ephemeral port numbers.
++# cat /proc/sys/net/ipv4/ip_local_port_range 
++#
++type ephemeral_port_t, port_type, ephemeral_port_type;
++
++#
  # reserved_port_t is the type of INET port numbers below 1024.
  #
  type reserved_port_t, port_type, reserved_port_type;
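Review bot: The comment on `ephemeral_port_t` points the reader at `/proc/sys/net/ipv4/ip_local_port_range`, a tunable, while the labelling this commit installs is a fixed range; the comment should state the range the policy actually assumes so a mismatch with a retuned sysctl is visible. Suggest `# ephemeral_port_t is the default type of the kernel's local (ephemeral) port range. The portcon rules below assume 32768-61000; the live value of /proc/sys/net/ipv4/ip_local_port_range may differ.` in place of the two comment lines.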
-@@ -65,30 +86,37 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+@@ -65,30 +93,37 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
  type server_packet_t, packet_type, server_packet_type;
  
  network_port(afs_bos, udp,7007,s0)
@@ -12744,7 +13158,7 @@ index 99b71cb..5287f7a 100644
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
  network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -99,14 +127,20 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -99,14 +134,20 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
@@ -12765,7 +13179,7 @@ index 99b71cb..5287f7a 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -115,11 +149,12 @@ network_port(hddtemp, tcp,7634,s0)
+@@ -115,11 +156,12 @@ network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -12779,7 +13193,7 @@ index 99b71cb..5287f7a 100644
  network_port(ipmi, udp,623,s0, udp,664,s0)
  network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
  network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +164,25 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +171,25 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -12808,7 +13222,7 @@ index 99b71cb..5287f7a 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,16 +192,25 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,16 +199,25 @@ network_port(mysqlmanagerd, tcp,2273,s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netport, tcp,3129,s0, udp,3129,s0)
  network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -12835,7 +13249,7 @@ index 99b71cb..5287f7a 100644
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
-@@ -179,30 +228,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -179,30 +235,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
  network_port(radius, udp,1645,s0, udp,1812,s0)
  network_port(radsec, tcp,2083,s0)
  network_port(razor, tcp,2703,s0)
@@ -12875,7 +13289,7 @@ index 99b71cb..5287f7a 100644
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
-@@ -215,7 +269,7 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,7 +276,7 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -12884,7 +13298,7 @@ index 99b71cb..5287f7a 100644
  network_port(wccp, udp,2048,s0)
  network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
-@@ -229,6 +283,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +290,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -12892,16 +13306,21 @@ index 99b71cb..5287f7a 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +293,8 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,7 +300,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
  portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
-+portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
-+portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
- 
+-
++portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
++portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
++portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
  ########################################
  #
-@@ -282,9 +339,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+ # Network nodes
+@@ -282,9 +349,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -12915,19 +13334,25 @@ index 99b71cb..5287f7a 100644
 +allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind;
 +allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind;
 diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
-index 35fed4f..49f27ca 100644
+index 35fed4f..e0c8f51 100644
 --- a/policy/modules/kernel/corenetwork.te.m4
 +++ b/policy/modules/kernel/corenetwork.te.m4
-@@ -81,7 +81,7 @@ declare_nodes($1_node_t,shift($*))
+@@ -81,7 +81,13 @@ declare_nodes($1_node_t,shift($*))
  define(`declare_ports',`dnl
  ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
  ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
 -',`dnl')
-+',`typeattribute $1 unreserved_port_type;')
++',`
++ifelse(eval(range_start($3) < 32768),1,`typeattribute $1 unreserved_port_type;',`
++      ifelse(eval(range_start($3) > 61001),1,`typeattribute $1 unreserved_port_type;',`
++         typeattribute $1 ephemeral_port_type;
++      ')
++   ')
++')
  portcon $2 $3 gen_context(system_u:object_r:$1,$4)
  ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
  ')
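Review bot: The new attribute test `ifelse(eval(range_start($3) > 61001),1,...` classifies a port declared at exactly 61001 as `ephemeral_port_type`, but the portcon rules added in the previous corenetwork.te.in hunk give `ephemeral_port_t` 32768-61000 and `unreserved_port_t` 61001-65535, so a declared 61001 would carry the wrong attribute; the boundary should be `ifelse(eval(range_start($3) > 61000),1,`typeattribute $1 unreserved_port_type;',`` . Note also that only `range_start` is examined, so a declared range that straddles 32768 or 61000 takes the attribute of its first port only — the same limitation as the existing 1024 test, but worth a comment now that there are three bands.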
-@@ -90,7 +90,7 @@ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
+@@ -90,7 +96,7 @@ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
  # network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
  #
  define(`network_port',`
@@ -12937,7 +13362,7 @@ index 35fed4f..49f27ca 100644
  type $1_server_packet_t, packet_type, server_packet_type;
  declare_ports($1_port_t,shift($*))dnl
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 6cf8784..a9038b9 100644
+index 6cf8784..935a96c 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
 @@ -20,6 +20,7 @@
@@ -12948,15 +13373,26 @@ index 6cf8784..a9038b9 100644
  /dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -57,6 +58,7 @@
+@@ -57,8 +58,10 @@
  /dev/lirc[0-9]+		-c	gen_context(system_u:object_r:lirc_device_t,s0)
  /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 +/dev/loop-control	-c	gen_context(system_u:object_r:loop_control_device_t,s0)
  /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
++/dev/media.*	-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-@@ -187,8 +189,6 @@ ifdef(`distro_suse', `
+ /dev/mergemem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/mga_vid.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+@@ -126,6 +129,7 @@ ifdef(`distro_suse', `
+ /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/watchdog		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
++/dev/cdc-wdm[0-1]	-c	gen_context(system_u:object_r:modem_device_t,s0)
+ /dev/winradio.		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/z90crypt		-c	gen_context(system_u:object_r:crypt_device_t,s0)
+ /dev/zero		-c	gen_context(system_u:object_r:zero_device_t,s0)
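Review bot: `/dev/cdc-wdm[0-1]` is inserted between `/dev/watchdog` and `/dev/winradio.` although this file is kept in alphabetical order; it belongs with the other `/dev/c*` entries near the top, where the next person adding a modem device will look for it. The new `/dev/media.*` line also uses a single tab before `-c` where its neighbours use two. Neither affects the labels that result, but the file is easier to diff and review when the ordering convention holds.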
+@@ -187,8 +191,6 @@ ifdef(`distro_suse', `
  /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
  
@@ -12965,7 +13401,7 @@ index 6cf8784..a9038b9 100644
  ifdef(`distro_redhat',`
  # originally from named.fc
  /var/named/chroot/dev	-d	gen_context(system_u:object_r:device_t,s0)
-@@ -196,3 +196,8 @@ ifdef(`distro_redhat',`
+@@ -196,3 +198,8 @@ ifdef(`distro_redhat',`
  /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
  /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
  ')
@@ -12975,7 +13411,7 @@ index 6cf8784..a9038b9 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..2429787 100644
+index f820f3b..7139ab3 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -13375,6 +13811,15 @@ index f820f3b..2429787 100644
  ##	</summary>
  ## </param>
  #
+@@ -2932,7 +3168,7 @@ interface(`dev_dontaudit_write_mtrr',`
+ 	')
+ 
+ 	dontaudit $1 mtrr_device_t:file write;
+-	dontaudit $1 mtrr_device_t:chr_file write;
++	dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
+ ')
+ 
+ ########################################
 @@ -3210,24 +3446,6 @@ interface(`dev_rw_printer',`
  
  ########################################
@@ -13563,7 +14008,7 @@ index f820f3b..2429787 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4784,3 +5092,772 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5092,794 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -13776,6 +14221,16 @@ index f820f3b..2429787 100644
 +	filetrans_pattern($1, device_t, event_device_t, chr_file, "event7")
 +	filetrans_pattern($1, device_t, event_device_t, chr_file, "event8")
 +	filetrans_pattern($1, device_t, event_device_t, chr_file, "event9")
++	filetrans_pattern($1, device_t, event_device_t, chr_file, "event10")
++	filetrans_pattern($1, device_t, event_device_t, chr_file, "event11")
++	filetrans_pattern($1, device_t, event_device_t, chr_file, "event12")
++	filetrans_pattern($1, device_t, event_device_t, chr_file, "event13")
++	filetrans_pattern($1, device_t, event_device_t, chr_file, "event14")
++	filetrans_pattern($1, device_t, event_device_t, chr_file, "event15")
++	filetrans_pattern($1, device_t, event_device_t, chr_file, "event16")
++	filetrans_pattern($1, device_t, event_device_t, chr_file, "event17")
++	filetrans_pattern($1, device_t, event_device_t, chr_file, "event18")
++	filetrans_pattern($1, device_t, event_device_t, chr_file, "event19")
 +	filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn")
 +	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0")
 +	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1")
@@ -14074,6 +14529,8 @@ index f820f3b..2429787 100644
 +	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13947")
 +	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13948")
 +	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13949")
++	filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm0")
++	filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm1")
 +	filetrans_pattern($1, device_t, wireless_device_t, chr_file, "rfkill")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer2")
@@ -14176,6 +14633,16 @@ index f820f3b..2429787 100644
 +	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet7")
 +	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet8")
 +	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet9")
++	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media0")
++	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media1")
++	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media2")
++	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media3")
++	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media4")
++	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media5")
++	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media6")
++	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media7")
++	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media8")
++	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media9")
 +	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video0")
 +	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video1")
 +	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video2")
@@ -14429,7 +14896,7 @@ index 6a1e4d1..cf3d50b 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..1c54937 100644
+index fae1ab1..00e20f7 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -14522,7 +14989,7 @@ index fae1ab1..1c54937 100644
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -160,3 +197,90 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +197,91 @@ allow unconfined_domain_type domain:key *;
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -14585,6 +15052,7 @@ index fae1ab1..1c54937 100644
 +	dontaudit domain self:udp_socket listen;
 +	allow domain domain:key { link search };
 +	dontaudit domain domain:socket_class_set { read write };
++	dontaudit domain self:capability sys_module;
 +')
 +
 +optional_policy(`
@@ -18425,10 +18893,10 @@ index 1700ef2..6b7eabb 100644
 +	dev_filetrans($1, removable_device_t, chr_file, "rio500")
 +')
 diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 7d45d15..6d27fb3 100644
+index 7d45d15..eeb5889 100644
 --- a/policy/modules/kernel/terminal.fc
 +++ b/policy/modules/kernel/terminal.fc
-@@ -14,11 +14,11 @@
+@@ -14,11 +14,12 @@
  /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
@@ -18437,18 +18905,19 @@ index 7d45d15..6d27fb3 100644
  /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
  /dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
++/dev/ttyUSB[0-9]+	-c	gen_context(system_u:object_r:usbtty_device_t,s0)
 +/dev/vport[0-9]p[0-9]+  -c  gen_context(system_u:object_r:virtio_device_t,s0)
  /dev/xvc[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  
  /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
-@@ -41,3 +41,5 @@ ifdef(`distro_gentoo',`
+@@ -41,3 +42,5 @@ ifdef(`distro_gentoo',`
  # used by init scripts to initally populate udev /dev
  /lib/udev/devices/console -c	gen_context(system_u:object_r:console_device_t,s0)
  ')
 +
 +/lib/udev/devices/pts	-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 01dd2f1..ea0ff94 100644
+index 01dd2f1..7a8e118 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
 @@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
@@ -18579,17 +19048,37 @@ index 01dd2f1..ea0ff94 100644
  ##	</summary>
  ## </param>
  #
-@@ -1240,7 +1302,8 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1240,7 +1302,28 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  		type tty_device_t;
  	')
  
 -	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
 +	init_dontaudit_use_fds($1)
 +	dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++## <summary>
++##	Read and write USB tty character
++##	device nodes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`term_use_usb_ttys',`
++	gen_require(`
++		type usbtty_device_t;
++	')
++
++	dev_list_all_dev_nodes($1)
++	allow $1 usbtty_device_t:chr_file rw_chr_file_perms;
  ')
  
  ########################################
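Review bot: `term_use_usb_ttys` requires only `type usbtty_device_t`, while the existing `*_all_ttys` interfaces in this file (see `attribute ttynode` in `term_dontaudit_getattr_all_ttys` and `term_dontaudit_use_all_ttys` later in the diff) operate on the `ttynode` attribute; whether they still cover the new `/dev/ttyUSB[0-9]+` label from the terminal.fc hunk depends on `usbtty_device_t` being declared via `term_tty()` in terminal.te, which is outside this chunk and worth confirming, otherwise callers of the attribute-based interfaces silently lose USB serial access. The new interface body itself mirrors `term_use_all_ttys` (`dev_list_all_dev_nodes($1)` plus `rw_chr_file_perms`), which looks consistent.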
-@@ -1256,11 +1319,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1256,11 +1339,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  #
  interface(`term_getattr_all_ttys',`
  	gen_require(`
@@ -18603,7 +19092,7 @@ index 01dd2f1..ea0ff94 100644
  ')
  
  ########################################
-@@ -1277,10 +1342,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1277,10 +1362,12 @@ interface(`term_getattr_all_ttys',`
  interface(`term_dontaudit_getattr_all_ttys',`
  	gen_require(`
  		attribute ttynode;
@@ -18616,7 +19105,7 @@ index 01dd2f1..ea0ff94 100644
  ')
  
  ########################################
-@@ -1358,7 +1425,27 @@ interface(`term_use_all_ttys',`
+@@ -1358,7 +1445,27 @@ interface(`term_use_all_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -18645,7 +19134,7 @@ index 01dd2f1..ea0ff94 100644
  ')
  
  ########################################
-@@ -1377,7 +1464,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1377,7 +1484,7 @@ interface(`term_dontaudit_use_all_ttys',`
  		attribute ttynode;
  	')
  
@@ -18654,7 +19143,7 @@ index 01dd2f1..ea0ff94 100644
  ')
  
  ########################################
-@@ -1485,7 +1572,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1485,7 +1592,7 @@ interface(`term_use_all_user_ttys',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -18663,7 +19152,7 @@ index 01dd2f1..ea0ff94 100644
  ##	</summary>
  ## </param>
  #
-@@ -1493,3 +1580,416 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1493,3 +1600,426 @@ interface(`term_dontaudit_use_all_user_ttys',`
  	refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
  	term_dontaudit_use_all_ttys($1)
  ')
@@ -19058,6 +19547,16 @@ index 01dd2f1..ea0ff94 100644
 +	dev_filetrans($1, tty_device_t, chr_file, "ttySG7")
 +	dev_filetrans($1, tty_device_t, chr_file, "ttySG8")
 +	dev_filetrans($1, tty_device_t, chr_file, "ttySG9")
++	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB0")
++	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB1")
++	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB2")
++	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB3")
++	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB4")
++	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB5")
++	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB6")
++	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB7")
++	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB8")
++	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB9")
 +	dev_filetrans($1, virtio_device_t, chr_file, "vport0p0")
 +	dev_filetrans($1, virtio_device_t, chr_file, "vport0p1")
 +	dev_filetrans($1, virtio_device_t, chr_file, "vport0p2")
@@ -19216,7 +19715,7 @@ index be4de58..7e8b6ec 100644
  init_exec(secadm_t)
  
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..afb3532 100644
+index 2be17d2..31a210f 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,53 @@ policy_module(staff, 2.2.0)
@@ -19273,7 +19772,7 @@ index 2be17d2..afb3532 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -27,19 +68,103 @@ optional_policy(`
+@@ -27,19 +68,113 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19343,10 +19842,20 @@ index 2be17d2..afb3532 100644
 +')
 +
 +optional_policy(`
++	mta_role(staff_r, staff_t)
++')
++
++optional_policy(`
 +	mysql_exec(staff_t)
 +')
 +
 +optional_policy(`
++	polipo_role(staff_r, staff_t)
++	polipo_named_filetrans_cache_home_dirs(staff_t)
++	polipo_named_filetrans_config_home_files(staff_t)
++')
++
++optional_policy(`
  	postgresql_role(staff_r, staff_t)
  ')
  
@@ -19379,7 +19888,7 @@ index 2be17d2..afb3532 100644
  ')
  
  optional_policy(`
-@@ -48,10 +173,48 @@ optional_policy(`
+@@ -48,10 +183,48 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19428,7 +19937,7 @@ index 2be17d2..afb3532 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -89,18 +252,10 @@ ifndef(`distro_redhat',`
+@@ -89,18 +262,10 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -19447,7 +19956,18 @@ index 2be17d2..afb3532 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -137,10 +292,6 @@ ifndef(`distro_redhat',`
+@@ -121,10 +286,6 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		mta_role(staff_r, staff_t)
+-	')
+-
+-	optional_policy(`
+ 		pyzor_role(staff_r, staff_t)
+ 	')
+ 
+@@ -137,10 +298,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -19458,7 +19978,7 @@ index 2be17d2..afb3532 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -172,3 +323,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +329,7 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -19467,7 +19987,7 @@ index 2be17d2..afb3532 100644
 +	userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..483aea4 100644
+index e14b961..c464d3b 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -24,20 +24,51 @@ ifndef(`enable_mls',`
@@ -19552,7 +20072,15 @@ index e14b961..483aea4 100644
  	certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -114,7 +150,7 @@ optional_policy(`
+@@ -110,11 +146,15 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	cron_admin_role(sysadm_r, sysadm_t)
++')
++
++optional_policy(`
+ 	consoletype_run(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
@@ -19561,7 +20089,7 @@ index e14b961..483aea4 100644
  ')
  
  optional_policy(`
-@@ -124,6 +160,10 @@ optional_policy(`
+@@ -124,6 +164,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19572,7 +20100,7 @@ index e14b961..483aea4 100644
  	ddcprobe_run(sysadm_t, sysadm_r)
  ')
  
-@@ -163,6 +203,13 @@ optional_policy(`
+@@ -163,6 +207,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -19586,7 +20114,7 @@ index e14b961..483aea4 100644
  ')
  
  optional_policy(`
-@@ -170,15 +217,20 @@ optional_policy(`
+@@ -170,15 +221,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19610,7 +20138,7 @@ index e14b961..483aea4 100644
  ')
  
  optional_policy(`
-@@ -198,22 +250,19 @@ optional_policy(`
+@@ -198,22 +254,19 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -19638,7 +20166,7 @@ index e14b961..483aea4 100644
  ')
  
  optional_policy(`
-@@ -225,21 +274,37 @@ optional_policy(`
+@@ -225,25 +278,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19676,7 +20204,17 @@ index e14b961..483aea4 100644
  	pcmcia_run_cardctl(sysadm_t, sysadm_r)
  ')
  
-@@ -253,19 +318,19 @@ optional_policy(`
+ optional_policy(`
++	polipo_role(sysadm_r, sysadm_t)
++	polipo_named_filetrans_admin_cache_home_dirs(sysadm_t)
++	polipo_named_filetrans_admin_config_home_files(sysadm_t)
++')
++
++optional_policy(`
+ 	portage_run(sysadm_t, sysadm_r)
+ 	portage_run_gcc_config(sysadm_t, sysadm_r)
+ ')
+@@ -253,19 +328,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19700,7 +20238,7 @@ index e14b961..483aea4 100644
  ')
  
  optional_policy(`
-@@ -274,10 +339,7 @@ optional_policy(`
+@@ -274,10 +349,7 @@ optional_policy(`
  
  optional_policy(`
  	rpm_run(sysadm_t, sysadm_r)
@@ -19712,7 +20250,7 @@ index e14b961..483aea4 100644
  ')
  
  optional_policy(`
-@@ -302,12 +364,18 @@ optional_policy(`
+@@ -302,12 +374,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19732,7 +20270,7 @@ index e14b961..483aea4 100644
  ')
  
  optional_policy(`
-@@ -332,7 +400,10 @@ optional_policy(`
+@@ -332,7 +410,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19744,7 +20282,7 @@ index e14b961..483aea4 100644
  ')
  
  optional_policy(`
-@@ -343,19 +414,15 @@ optional_policy(`
+@@ -343,19 +424,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19766,7 +20304,7 @@ index e14b961..483aea4 100644
  ')
  
  optional_policy(`
-@@ -367,45 +434,45 @@ optional_policy(`
+@@ -367,45 +444,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19823,7 +20361,18 @@ index e14b961..483aea4 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -439,6 +506,7 @@ ifndef(`distro_redhat',`
+@@ -418,10 +495,6 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		cron_admin_role(sysadm_r, sysadm_t)
+-	')
+-
+-	optional_policy(`
+ 		dbus_role_template(sysadm, sysadm_r, sysadm_t)
+ 	')
+ 
+@@ -439,6 +512,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -19831,7 +20380,7 @@ index e14b961..483aea4 100644
  	')
  
  	optional_policy(`
-@@ -446,11 +514,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +520,66 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -19846,8 +20395,9 @@ index e14b961..483aea4 100644
 +
 +	optional_policy(`
 +		mock_admin(sysadm_t)
-+	')
-+
+ 	')
+-')
+ 
 +	optional_policy(`
 +		mozilla_role(sysadm_r, sysadm_t)
 +	')
@@ -19870,9 +20420,8 @@ index e14b961..483aea4 100644
 +
 +	optional_policy(`
 +		spamassassin_role(sysadm_r, sysadm_t)
- 	')
--')
- 
++	')
++
 +	optional_policy(`
 +		thunderbird_role(sysadm_r, sysadm_t)
 +	')
@@ -21117,10 +21666,10 @@ index 0000000..1105ff5
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 +
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..42c1458 100644
+index e5bfdd4..476f1dc 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,82 @@ role user_r;
+@@ -12,15 +12,92 @@ role user_r;
  
  userdom_unpriv_user_template(user)
  
@@ -21167,11 +21716,21 @@ index e5bfdd4..42c1458 100644
 +')
 +
 +optional_policy(`
++	mta_role(user_r, user_t)
++')
++
++optional_policy(`
 +	netutils_run_ping_cond(user_t, user_r)
 +	netutils_run_traceroute_cond(user_t, user_r)
 +')
 +
 +optional_policy(`
++	polipo_role(user_r, user_t)
++	polipo_named_filetrans_cache_home_dirs(user_t)
++	polipo_named_filetrans_config_home_files(user_t)
++')
++
++optional_policy(`
 +	rpm_dontaudit_dbus_chat(user_t)
 +')
 +
@@ -21203,7 +21762,7 @@ index e5bfdd4..42c1458 100644
  	vlock_run(user_t, user_r)
  ')
  
-@@ -62,19 +129,11 @@ ifndef(`distro_redhat',`
+@@ -62,19 +139,11 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -21224,7 +21783,18 @@ index e5bfdd4..42c1458 100644
  	')
  
  	optional_policy(`
-@@ -118,11 +177,7 @@ ifndef(`distro_redhat',`
+@@ -98,10 +167,6 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		mta_role(user_r, user_t)
+-	')
+-
+-	optional_policy(`
+ 		postgresql_role(user_r, user_t)
+ 	')
+ 
+@@ -118,11 +183,7 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -21237,7 +21807,7 @@ index e5bfdd4..42c1458 100644
  	')
  
  	optional_policy(`
-@@ -157,3 +212,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +218,4 @@ ifndef(`distro_redhat',`
  		wireshark_role(user_r, user_t)
  	')
  ')
@@ -22516,7 +23086,7 @@ index deca9d3..ae8c579 100644
  ')
  
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..83dbd34 100644
+index 9e39aa5..8002a1f 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
 @@ -1,13 +1,18 @@
@@ -22543,7 +23113,7 @@ index 9e39aa5..83dbd34 100644
  /etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/zabbix/web(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  
-+/lib/systemd/system/httpd.?\.service  --              gen_context(system_u:object_r:httpd_unit_t,s0)
++/lib/systemd/system/httpd.?\.service  --              gen_context(system_u:object_r:httpd_unit_file_t,s0)
 +/usr/libexec/httpd-ssl-pass-dialog      --      gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
 +
  /srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -22655,7 +23225,7 @@ index 9e39aa5..83dbd34 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..1b928cb 100644
+index 6480167..e12bbc0 100644
 --- a/policy/modules/services/apache.if
 +++ b/policy/modules/services/apache.if
 @@ -13,17 +13,13 @@
@@ -23025,7 +23595,7 @@ index 6480167..1b928cb 100644
 +	')
 +
 +	allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
-+	can_exec($1, httpd_sys_script_exec_t;
++	can_exec($1, httpd_sys_script_exec_t)
 +')
 +
  ########################################
@@ -23212,7 +23782,7 @@ index 6480167..1b928cb 100644
 +		type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
  		type httpd_suexec_tmp_t, httpd_tmp_t;
 -		type httpd_initrc_exec_t;
-+		type httpd_unit_t;
++		type httpd_unit_file_t;
  	')
  
 -	allow $1 httpd_t:process { getattr ptrace signal_perms };
@@ -23252,7 +23822,7 @@ index 6480167..1b928cb 100644
  	admin_pattern($1, httpd_php_tmp_t)
  	admin_pattern($1, httpd_suexec_tmp_t)
 +
-+	allow $1 httpd_unit_t:service all_service_perms;
++	allow $1 httpd_unit_file_t:service all_service_perms;
 +
 +	ifdef(`TODO',`
 +		apache_set_booleans($1, $2, $3, httpd_bool_t)
@@ -23309,10 +23879,10 @@ index 6480167..1b928cb 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..fddb752 100644
+index 3136c6a..f165efd 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
-@@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
+@@ -18,130 +18,203 @@ policy_module(apache, 2.2.1)
  # Declarations
  #
  
@@ -23471,6 +24041,14 @@ index 3136c6a..fddb752 100644
 -## Allow httpd to read home directories
 -## </p>
 +##	<p>
++##	Allow httpd to act as a FTP client
++##	connecting to the ftp port and ephemeral ports
++##	</p>
++## </desc>
++gen_tunable(httpd_can_connect_ftp, false)
++
++## <desc>
++##	<p>
 +##	Allow httpd to read home directories
 +##	</p>
  ## </desc>
@@ -23564,7 +24142,7 @@ index 3136c6a..fddb752 100644
  attribute httpdcontent;
  attribute httpd_user_content_type;
  
-@@ -166,7 +231,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +239,7 @@ files_type(httpd_cache_t)
  
  # httpd_config_t is the type given to the configuration files
  type httpd_config_t;
@@ -23573,17 +24151,17 @@ index 3136c6a..fddb752 100644
  
  type httpd_helper_t;
  type httpd_helper_exec_t;
-@@ -177,6 +242,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +250,9 @@ role system_r types httpd_helper_t;
  type httpd_initrc_exec_t;
  init_script_file(httpd_initrc_exec_t)
  
-+type httpd_unit_t;
-+systemd_unit_file(httpd_unit_t)
++type httpd_unit_file_t;
++systemd_unit_file(httpd_unit_file_t)
 +
  type httpd_lock_t;
  files_lock_file(httpd_lock_t)
  
-@@ -216,7 +284,17 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +292,17 @@ files_tmp_file(httpd_suexec_tmp_t)
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
@@ -23602,7 +24180,7 @@ index 3136c6a..fddb752 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -226,6 +304,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +312,10 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -23613,7 +24191,7 @@ index 3136c6a..fddb752 100644
  userdom_user_home_content(httpd_user_content_t)
  userdom_user_home_content(httpd_user_htaccess_t)
  userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +315,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +323,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
  userdom_user_home_content(httpd_user_rw_content_t)
  typeattribute httpd_user_script_t httpd_script_domains;
  typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -23621,7 +24199,7 @@ index 3136c6a..fddb752 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +337,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +345,23 @@ files_type(httpd_var_lib_t)
  type httpd_var_run_t;
  files_pid_file(httpd_var_run_t)
  
@@ -23645,7 +24223,7 @@ index 3136c6a..fddb752 100644
  ########################################
  #
  # Apache server local policy
-@@ -281,11 +373,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +381,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
  allow httpd_t self:udp_socket create_socket_perms;
@@ -23659,7 +24237,7 @@ index 3136c6a..fddb752 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +423,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +431,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -23670,7 +24248,7 @@ index 3136c6a..fddb752 100644
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -355,6 +450,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +458,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -23680,7 +24258,7 @@ index 3136c6a..fddb752 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +463,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +471,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -23697,7 +24275,7 @@ index 3136c6a..fddb752 100644
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +480,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +488,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -23713,7 +24291,7 @@ index 3136c6a..fddb752 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +493,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +501,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -23721,7 +24299,7 @@ index 3136c6a..fddb752 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,48 +505,100 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +513,101 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -23805,6 +24383,7 @@ index 3136c6a..fddb752 100644
  	corenet_sendrecv_http_client_packets(httpd_t)
  	corenet_sendrecv_http_cache_client_packets(httpd_t)
 +	corenet_sendrecv_squid_client_packets(httpd_t)
++	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
 +')
 +
 +tunable_policy(`httpd_execmem',`
@@ -23824,7 +24403,7 @@ index 3136c6a..fddb752 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +611,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,25 +620,47 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -23835,8 +24414,17 @@ index 3136c6a..fddb752 100644
  
  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,15 +625,27 @@ tunable_policy(`httpd_enable_ftp_server',`
+ 	manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
+ ')
+ 
++tunable_policy(`httpd_can_connect_ftp',`
++	corenet_tcp_connect_ftp_port(httpd_t)
++	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
++')
++
+ tunable_policy(`httpd_enable_ftp_server',`
  	corenet_tcp_bind_ftp_port(httpd_t)
++	corenet_tcp_bind_all_ephemeral_ports(httpd_t)
  ')
  
 -tunable_policy(`httpd_enable_homedirs',`
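Review bot: `corenet_tcp_bind_all_ephemeral_ports(httpd_t)` under `httpd_enable_ftp_server` widens that boolean from binding the ftp port to binding any ephemeral port, which is what a passive-mode data listener needs but is presumably not what the boolean's existing description (outside this hunk) says; update that `<desc>` to mention ephemeral ports, as the new `httpd_can_connect_ftp` description earlier in this diff already does for the connect side. On the client side `corenet_tcp_connect_all_ephemeral_ports(httpd_t)` lets httpd reach any high port on any host once the boolean is on, so a why-comment next to it would help the next reader: `# passive-mode FTP: the data connection goes to a server-chosen ephemeral port`. `httpd_can_connect_ftp` is declared `false` in its gen_tunable, so the default policy is unchanged; the default of `httpd_enable_ftp_server` is not visible here.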
@@ -23865,7 +24453,7 @@ index 3136c6a..fddb752 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +655,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +670,16 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -23882,7 +24470,7 @@ index 3136c6a..fddb752 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +679,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +694,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -23903,7 +24491,7 @@ index 3136c6a..fddb752 100644
  ')
  
  optional_policy(`
-@@ -513,7 +703,13 @@ optional_policy(`
+@@ -513,7 +718,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23918,7 +24506,7 @@ index 3136c6a..fddb752 100644
  ')
  
  optional_policy(`
-@@ -528,7 +724,19 @@ optional_policy(`
+@@ -528,7 +739,19 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -23939,7 +24527,7 @@ index 3136c6a..fddb752 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +745,13 @@ optional_policy(`
+@@ -537,8 +760,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23954,7 +24542,7 @@ index 3136c6a..fddb752 100644
  	')
  ')
  
-@@ -556,7 +769,13 @@ optional_policy(`
+@@ -556,7 +784,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23968,7 +24556,7 @@ index 3136c6a..fddb752 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +786,7 @@ optional_policy(`
+@@ -567,6 +801,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -23976,7 +24564,7 @@ index 3136c6a..fddb752 100644
  ')
  
  optional_policy(`
-@@ -577,6 +797,20 @@ optional_policy(`
+@@ -577,6 +812,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23997,7 +24585,7 @@ index 3136c6a..fddb752 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +825,11 @@ optional_policy(`
+@@ -591,6 +840,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24009,7 +24597,7 @@ index 3136c6a..fddb752 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +842,12 @@ optional_policy(`
+@@ -603,6 +857,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -24022,7 +24610,7 @@ index 3136c6a..fddb752 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +861,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +876,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -24035,7 +24623,7 @@ index 3136c6a..fddb752 100644
  
  ########################################
  #
-@@ -654,28 +903,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +918,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -24079,7 +24667,7 @@ index 3136c6a..fddb752 100644
  ')
  
  ########################################
-@@ -685,6 +936,8 @@ optional_policy(`
+@@ -685,6 +951,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -24088,7 +24676,7 @@ index 3136c6a..fddb752 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +952,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +967,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -24114,7 +24702,7 @@ index 3136c6a..fddb752 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +998,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1013,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -24147,7 +24735,7 @@ index 3136c6a..fddb752 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1045,25 @@ optional_policy(`
+@@ -769,6 +1060,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -24173,7 +24761,7 @@ index 3136c6a..fddb752 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1084,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1099,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -24191,7 +24779,7 @@ index 3136c6a..fddb752 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1103,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1118,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -24248,7 +24836,7 @@ index 3136c6a..fddb752 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1154,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1169,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -24279,7 +24867,7 @@ index 3136c6a..fddb752 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1189,20 @@ optional_policy(`
+@@ -842,10 +1204,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -24300,7 +24888,7 @@ index 3136c6a..fddb752 100644
  ')
  
  ########################################
-@@ -891,11 +1248,48 @@ optional_policy(`
+@@ -891,11 +1263,48 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -24584,7 +25172,7 @@ index 8b8143e..c1a2b96 100644
  
  	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
 diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
-index b3b0176..7cc09e8 100644
+index b3b0176..8e66610 100644
 --- a/policy/modules/services/asterisk.te
 +++ b/policy/modules/services/asterisk.te
 @@ -19,10 +19,11 @@ type asterisk_log_t;
@@ -24624,16 +25212,19 @@ index b3b0176..7cc09e8 100644
  
  kernel_read_system_state(asterisk_t)
  kernel_read_kernel_sysctls(asterisk_t)
-@@ -108,6 +110,8 @@ corenet_tcp_bind_generic_port(asterisk_t)
+@@ -108,14 +110,19 @@ corenet_tcp_bind_generic_port(asterisk_t)
  corenet_udp_bind_generic_port(asterisk_t)
  corenet_dontaudit_udp_bind_all_ports(asterisk_t)
  corenet_sendrecv_generic_server_packets(asterisk_t)
 +corenet_tcp_connect_festival_port(asterisk_t)
++corenet_tcp_connect_jabber_client_port(asterisk_t)
 +corenet_tcp_connect_pktcable_port(asterisk_t)
  corenet_tcp_connect_postgresql_port(asterisk_t)
  corenet_tcp_connect_snmp_port(asterisk_t)
  corenet_tcp_connect_sip_port(asterisk_t)
-@@ -116,6 +120,7 @@ dev_rw_generic_usb_dev(asterisk_t)
++corenet_tcp_connect_jabber_client_port(asterisk_t)
+ 
+ dev_rw_generic_usb_dev(asterisk_t)
  dev_read_sysfs(asterisk_t)
  dev_read_sound(asterisk_t)
  dev_write_sound(asterisk_t)
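Review bot: `corenet_tcp_connect_jabber_client_port(asterisk_t)` is added twice in this hunk, once in the sorted run after the festival port and again after the sip port. SELinux merges duplicate allow rules so the compiled policy is not wrong, but the second copy is noise that a later diff will trip over; drop the one after `corenet_tcp_connect_sip_port(asterisk_t)` and keep the sorted occurrence. If the grant is for a specific channel driver (presumably the XMPP/Jabber module), a short comment on the kept line such as `# XMPP/Jabber client connections` would record why asterisk_t needs an outbound jabber port.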
@@ -24641,7 +25232,7 @@ index b3b0176..7cc09e8 100644
  dev_read_urand(asterisk_t)
  
  domain_use_interactive_fds(asterisk_t)
-@@ -125,6 +130,7 @@ files_search_spool(asterisk_t)
+@@ -125,6 +132,7 @@ files_search_spool(asterisk_t)
  # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
  # are labeled usr_t
  files_read_usr_files(asterisk_t)
@@ -24649,7 +25240,7 @@ index b3b0176..7cc09e8 100644
  
  fs_getattr_all_fs(asterisk_t)
  fs_list_inotifyfs(asterisk_t)
-@@ -141,6 +147,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+@@ -141,6 +149,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
  userdom_dontaudit_search_user_home_dirs(asterisk_t)
  
  optional_policy(`
@@ -24787,11 +25378,55 @@ index a7a0e71..5352ef6 100644
  	seutil_sigchld_newrole(avahi_t)
  ')
  
+diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
+index 59aa54f..f944a65 100644
+--- a/policy/modules/services/bind.fc
++++ b/policy/modules/services/bind.fc
+@@ -5,6 +5,8 @@
+ /etc/rndc\.key 		-- 	gen_context(system_u:object_r:dnssec_t,s0)
+ /etc/unbound(/.*)?		gen_context(system_u:object_r:named_conf_t,s0)
+ 
++/lib/systemd/system/named.service	--	gen_context(system_u:object_r:named_unit_file_t,s0)
++
+ /usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
+ /usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
+ /usr/sbin/named-checkconf --	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
 diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
-index 44a1e3d..7e9d2fb 100644
+index 44a1e3d..f5c476a 100644
 --- a/policy/modules/services/bind.if
 +++ b/policy/modules/services/bind.if
-@@ -186,7 +186,7 @@ interface(`bind_write_config',`
+@@ -20,6 +20,30 @@ interface(`bind_initrc_domtrans',`
+ 
+ ########################################
+ ## <summary>
++##	Execute bind server in the bind domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`bind_systemctl',`
++	gen_require(`
++		type named_unit_file_t;
++		type named_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
++	allow $1 named_unit_file_t:file read_file_perms;
++	allow $1 named_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, named_t)
++')
++
++########################################
++## <summary>
+ ##	Execute ndc in the ndc domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -186,7 +210,7 @@ interface(`bind_write_config',`
  	')
  
  	write_files_pattern($1, named_conf_t, named_conf_t)
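Review bot: The `<summary>` of the new `bind_systemctl` interface reads "Execute bind server in the bind domain", which describes a domain transition, but the body grants `systemd_exec_systemctl`, unit-dir search, `read_file_perms` and `all_service_perms` on `named_unit_file_t`, and `ps_process_pattern` on `named_t`; nothing here transitions into `named_t`. Suggest `##	Execute systemctl to manage the named unit (read the unit file, all service operations on it, and read named_t process state).` with the param summary `Domain allowed access.`, matching the sibling `chronyd_systemctl` interface elsewhere in this diff. Since `all_service_perms` is by name the full service permission set (start/stop and the rest), the doc should also say this is an admin-level grant meant for admin roles rather than ordinary clients of bind.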
@@ -24800,7 +25435,7 @@ index 44a1e3d..7e9d2fb 100644
  ')
  
  ########################################
-@@ -266,7 +266,7 @@ interface(`bind_setattr_pid_dirs',`
+@@ -266,7 +290,7 @@ interface(`bind_setattr_pid_dirs',`
  		type named_var_run_t;
  	')
  
@@ -24809,7 +25444,7 @@ index 44a1e3d..7e9d2fb 100644
  ')
  
  ########################################
-@@ -284,7 +284,7 @@ interface(`bind_setattr_zone_dirs',`
+@@ -284,7 +308,7 @@ interface(`bind_setattr_zone_dirs',`
  		type named_zone_t;
  	')
  
@@ -24818,7 +25453,7 @@ index 44a1e3d..7e9d2fb 100644
  ')
  
  ########################################
-@@ -308,6 +308,27 @@ interface(`bind_read_zone',`
+@@ -308,6 +332,27 @@ interface(`bind_read_zone',`
  
  ########################################
  ## <summary>
@@ -24846,7 +25481,7 @@ index 44a1e3d..7e9d2fb 100644
  ##	Manage BIND zone files.
  ## </summary>
  ## <param name="domain">
-@@ -359,10 +380,9 @@ interface(`bind_udp_chat_named',`
+@@ -359,10 +404,9 @@ interface(`bind_udp_chat_named',`
  interface(`bind_admin',`
  	gen_require(`
  		type named_t, named_tmp_t, named_log_t;
@@ -24860,7 +25495,7 @@ index 44a1e3d..7e9d2fb 100644
  	')
  
  	allow $1 named_t:process { ptrace signal_perms };
-@@ -391,8 +411,7 @@ interface(`bind_admin',`
+@@ -391,9 +435,10 @@ interface(`bind_admin',`
  	admin_pattern($1, named_zone_t)
  	admin_pattern($1, dnssec_t)
  
@@ -24870,8 +25505,11 @@ index 44a1e3d..7e9d2fb 100644
  
  	files_list_pids($1)
  	admin_pattern($1, named_var_run_t)
++
++	named_systemctl($1)
+ ')
 diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index 4deca04..5f387b2 100644
+index 4deca04..8d81308 100644
 --- a/policy/modules/services/bind.te
 +++ b/policy/modules/services/bind.te
 @@ -6,16 +6,24 @@ policy_module(bind, 1.11.0)
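Review bot: `bind_admin` now calls `named_systemctl($1)`, but the interface this commit defines in the same file is `bind_systemctl`; `named_` is the type prefix for this module while the interface prefix is `bind_`. Unless a `named_systemctl` interface exists somewhere not shown, m4 will leave the call unexpanded and the module build (or any module calling bind_admin) fails, so the fix is the one line `	bind_systemctl($1)`. The chronyd_admin hunk later in this diff uses the correctly prefixed `chronyd_systemctl($1)`, which suggests a typo rather than an intended alias. The body of bind_admin starts in the previous hunk.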
@@ -24912,7 +25550,17 @@ index 4deca04..5f387b2 100644
  files_mountpoint(named_conf_t)
  
  # for secondary zone files
-@@ -89,9 +97,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+@@ -37,6 +45,9 @@ files_type(named_cache_t)
+ type named_initrc_exec_t;
+ init_script_file(named_initrc_exec_t)
+ 
++type named_unit_file_t;
++systemd_unit_file(named_unit_file_t)
++
+ type named_log_t;
+ logging_log_file(named_log_t)
+ 
+@@ -89,9 +100,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
  manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
  files_tmp_filetrans(named_t, named_tmp_t, { file dir })
  
@@ -24924,7 +25572,7 @@ index 4deca04..5f387b2 100644
  
  # read zone files
  allow named_t named_zone_t:dir list_dir_perms;
-@@ -147,6 +156,10 @@ miscfiles_read_generic_certs(named_t)
+@@ -147,6 +159,10 @@ miscfiles_read_generic_certs(named_t)
  userdom_dontaudit_use_unpriv_user_fds(named_t)
  userdom_dontaudit_search_user_home_dirs(named_t)
  
@@ -24935,7 +25583,7 @@ index 4deca04..5f387b2 100644
  tunable_policy(`named_write_master_zones',`
  	manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
  	manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -198,18 +211,18 @@ allow ndc_t self:process { fork signal_perms };
+@@ -198,18 +214,18 @@ allow ndc_t self:process { fork signal_perms };
  allow ndc_t self:fifo_file rw_fifo_file_perms;
  allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
  allow ndc_t self:tcp_socket create_socket_perms;
@@ -24957,7 +25605,7 @@ index 4deca04..5f387b2 100644
  kernel_read_kernel_sysctls(ndc_t)
  
  corenet_all_recvfrom_unlabeled(ndc_t)
-@@ -228,6 +241,8 @@ files_search_pids(ndc_t)
+@@ -228,6 +244,8 @@ files_search_pids(ndc_t)
  
  fs_getattr_xattr_fs(ndc_t)
  
@@ -24966,7 +25614,7 @@ index 4deca04..5f387b2 100644
  init_use_fds(ndc_t)
  init_use_script_ptys(ndc_t)
  
-@@ -235,24 +250,13 @@ logging_send_syslog_msg(ndc_t)
+@@ -235,24 +253,13 @@ logging_send_syslog_msg(ndc_t)
  
  miscfiles_read_localization(ndc_t)
  
@@ -26871,14 +27519,14 @@ index dad226c..7617c53 100644
  
  miscfiles_read_localization(cgred_t)
 diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc
-index fd8cd0b..3d61138 100644
+index fd8cd0b..45096d8 100644
 --- a/policy/modules/services/chronyd.fc
 +++ b/policy/modules/services/chronyd.fc
 @@ -2,8 +2,12 @@
  
  /etc/rc\.d/init\.d/chronyd	--	gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
  
-+/lib/systemd/system/chronyd.*	--      gen_context(system_u:object_r:chronyd_unit_t,s0)
++/lib/systemd/system/chronyd.*	--      gen_context(system_u:object_r:chronyd_unit_file_t,s0)
 +
  /usr/sbin/chronyd		--	gen_context(system_u:object_r:chronyd_exec_t,s0)
  
@@ -26888,7 +27536,7 @@ index fd8cd0b..3d61138 100644
 +/var/run/chronyd(/.*)			gen_context(system_u:object_r:chronyd_var_run_t,s0)
 +/var/run/chronyd\.sock			gen_context(system_u:object_r:chronyd_var_run_t,s0)
 diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
-index 9a0da94..5383054 100644
+index 9a0da94..fecceac 100644
 --- a/policy/modules/services/chronyd.if
 +++ b/policy/modules/services/chronyd.if
 @@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
@@ -26991,13 +27639,13 @@ index 9a0da94..5383054 100644
 +interface(`chronyd_systemctl',`
 +	gen_require(`
 +		type chronyd_t;
-+		type chronyd_unit_t;
++		type chronyd_unit_file_t;
 +	')
 +
 +	systemd_exec_systemctl($1)
 +	systemd_search_unit_dirs($1)
-+	allow $1 chronyd_unit_t:file read_file_perms;
-+	allow $1 chronyd_unit_t:service all_service_perms;
++	allow $1 chronyd_unit_file_t:file read_file_perms;
++	allow $1 chronyd_unit_file_t:service all_service_perms;
 +
 +	ps_process_pattern($1, chronyd_t)
 +')
@@ -27083,7 +27731,7 @@ index 9a0da94..5383054 100644
 +	chronyd_systemctl($1)
  ')
 diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
-index fa82327..4b32348 100644
+index fa82327..1a486b0 100644
 --- a/policy/modules/services/chronyd.te
 +++ b/policy/modules/services/chronyd.te
 @@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t)
@@ -27093,8 +27741,8 @@ index fa82327..4b32348 100644
 +type chronyd_tmpfs_t;
 +files_tmpfs_file(chronyd_tmpfs_t)
 +
-+type chronyd_unit_t;
-+systemd_unit_file(chronyd_unit_t)
++type chronyd_unit_file_t;
++systemd_unit_file(chronyd_unit_file_t)
 +
  type chronyd_var_lib_t;
  files_type(chronyd_var_lib_t)
@@ -27717,7 +28365,7 @@ index 116d60f..82306eb 100644
 +	')
  ')
 diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
-index 0258b48..8535cc6 100644
+index 0258b48..c6dcdfe 100644
 --- a/policy/modules/services/cobbler.te
 +++ b/policy/modules/services/cobbler.te
 @@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
@@ -27817,13 +28465,14 @@ index 0258b48..8535cc6 100644
  
  corecmd_exec_bin(cobblerd_t)
  corecmd_exec_shell(cobblerd_t)
-@@ -65,26 +107,77 @@ corenet_tcp_bind_generic_node(cobblerd_t)
+@@ -65,44 +107,111 @@ corenet_tcp_bind_generic_node(cobblerd_t)
  corenet_tcp_sendrecv_generic_if(cobblerd_t)
  corenet_tcp_sendrecv_generic_node(cobblerd_t)
  corenet_tcp_sendrecv_generic_port(cobblerd_t)
 +corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
 +# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
 +corenet_tcp_connect_ftp_port(cobblerd_t)
++corenet_tcp_connect_all_ephemeral_ports(cobblerd_t)
 +corenet_tcp_sendrecv_ftp_port(cobblerd_t)
 +corenet_sendrecv_ftp_client_packets(cobblerd_t)
 +corenet_tcp_connect_http_port(cobblerd_t)
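Review bot: The new `corenet_tcp_connect_all_ephemeral_ports(cobblerd_t)` is unconditional, yet the comment two lines above it says that anything beyond ftp and http is supposed to be gated by `cobbler_can_network_connect`; connecting to every ephemeral port gives cobblerd outbound reach well past the sync/rsync targets that comment describes. Either move the rule under that tunable or add a comment naming the service that needs it, e.g. `# needed for <SERVICE_PLACEHOLDER> — TODO confirm`. It is also wedged between the ftp connect and ftp sendrecv lines, so grouping it with the other unconditional corenet rules would keep the block readable.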
@@ -27897,7 +28546,11 @@ index 0258b48..8535cc6 100644
  optional_policy(`
  	bind_read_config(cobblerd_t)
  	bind_write_config(cobblerd_t)
-@@ -95,6 +188,10 @@ optional_policy(`
+ 	bind_domtrans_ndc(cobblerd_t)
+ 	bind_domtrans(cobblerd_t)
+ 	bind_initrc_domtrans(cobblerd_t)
++	bind_systemctl(cobblerd_t)
+ 	bind_manage_zone(cobblerd_t)
  ')
  
  optional_policy(`
@@ -27907,20 +28560,26 @@ index 0258b48..8535cc6 100644
 +optional_policy(`
  	dhcpd_domtrans(cobblerd_t)
  	dhcpd_initrc_domtrans(cobblerd_t)
- ')
-@@ -106,16 +203,32 @@ optional_policy(`
++	dhcpd_systemctl(cobblerd_t)
  ')
  
  optional_policy(`
-+	gnome_dontaudit_search_config(cobblerd_t)
+ 	dnsmasq_domtrans(cobblerd_t)
+ 	dnsmasq_initrc_domtrans(cobblerd_t)
+ 	dnsmasq_write_config(cobblerd_t)
++	dnsmasq_systemctl(cobblerd_t)
 +')
 +
 +optional_policy(`
-+	puppet_domtrans_puppetca(cobblerd_t)
++	gnome_dontaudit_search_config(cobblerd_t)
 +')
 +
 +optional_policy(`
- 	rpm_exec(cobblerd_t)
++	puppet_domtrans_puppetca(cobblerd_t)
+ ')
+ 
+ optional_policy(`
+@@ -110,12 +219,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27944,7 +28603,7 @@ index 0258b48..8535cc6 100644
  ')
  
  ########################################
-@@ -124,5 +237,6 @@ optional_policy(`
+@@ -124,5 +241,6 @@ optional_policy(`
  #
  
  apache_content_template(cobbler)
@@ -28798,10 +29457,18 @@ index 13d2f63..861fad7 100644
  ')
  
 diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
-index 2eefc08..34ab5ce 100644
+index 2eefc08..b0cdf28 100644
 --- a/policy/modules/services/cron.fc
 +++ b/policy/modules/services/cron.fc
-@@ -14,9 +14,10 @@
+@@ -2,6 +2,7 @@
+ 
+ /etc/cron\.d(/.*)?			gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /etc/crontab			--	gen_context(system_u:object_r:system_cron_spool_t,s0)
++/lib/systemd/system/crond\.service	--	gen_context(system_u:object_r:crond_unit_file_t,s0)
+ 
+ /usr/bin/at			--	gen_context(system_u:object_r:crontab_exec_t,s0)
+ /usr/bin/(f)?crontab		--	gen_context(system_u:object_r:crontab_exec_t,s0)
+@@ -14,9 +15,10 @@
  /var/run/anacron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
  /var/run/atd\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
  /var/run/crond?\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -28813,14 +29480,14 @@ index 2eefc08..34ab5ce 100644
  
  /var/spool/anacron(/.*)?		gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/at(/.*)?			gen_context(system_u:object_r:user_cron_spool_t,s0)
-@@ -45,3 +46,5 @@ ifdef(`distro_suse', `
+@@ -45,3 +47,5 @@ ifdef(`distro_suse', `
  /var/spool/fcron/systab\.orig	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 +
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..92acfae 100644
+index 35241ed..d972767 100644
 --- a/policy/modules/services/cron.if
 +++ b/policy/modules/services/cron.if
 @@ -12,6 +12,11 @@
@@ -29035,7 +29702,38 @@ index 35241ed..92acfae 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -377,6 +386,47 @@ interface(`cron_read_pipes',`
+@@ -322,6 +331,30 @@ interface(`cron_initrc_domtrans',`
+ 
+ ########################################
+ ## <summary>
++##	Execute crond server in the crond domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`cron_systemctl',`
++	gen_require(`
++		type crond_unit_file_t;
++		type crond_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
++	allow $1 crond_unit_file_t:file read_file_perms;
++	allow $1 crond_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, crond_t)
++')
++
++########################################
++## <summary>
+ ##	Inherit and use a file descriptor
+ ##	from the cron daemon.
+ ## </summary>
+@@ -377,6 +410,47 @@ interface(`cron_read_pipes',`
  
  ########################################
  ## <summary>
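Review bot: The summary of the new `cron_systemctl` interface, `Execute crond server in the crond domain.`, and its parameter text `Domain allowed to transition.` describe a domain transition, but the body grants systemctl execution, `read_file_perms` on `crond_unit_file_t` and `all_service_perms` on its service, so the generated docs would understate what a caller receives. Suggest `##	Execute systemctl to manage the crond unit file and service.` for the summary and `##	Domain allowed access.` for the parameter. The same copied text appears on the new `dhcpd_systemctl` in dhcp.if and `dnsmasq_systemctl` in dnsmasq.if further down, and on `ftp_systemctl` in ftp.if, whose hunk runs past the end of this view.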
@@ -29083,7 +29781,7 @@ index 35241ed..92acfae 100644
  ##	Do not audit attempts to write cron daemon unnamed pipes.
  ## </summary>
  ## <param name="domain">
-@@ -390,6 +440,7 @@ interface(`cron_dontaudit_write_pipes',`
+@@ -390,6 +464,7 @@ interface(`cron_dontaudit_write_pipes',`
  		type crond_t;
  	')
  
@@ -29091,7 +29789,7 @@ index 35241ed..92acfae 100644
  	dontaudit $1 crond_t:fifo_file write;
  ')
  
-@@ -408,7 +459,43 @@ interface(`cron_rw_pipes',`
+@@ -408,7 +483,43 @@ interface(`cron_rw_pipes',`
  		type crond_t;
  	')
  
@@ -29136,7 +29834,7 @@ index 35241ed..92acfae 100644
  ')
  
  ########################################
-@@ -468,6 +555,25 @@ interface(`cron_search_spool',`
+@@ -468,6 +579,25 @@ interface(`cron_search_spool',`
  
  ########################################
  ## <summary>
@@ -29162,7 +29860,7 @@ index 35241ed..92acfae 100644
  ##	Manage pid files used by cron
  ## </summary>
  ## <param name="domain">
-@@ -481,6 +587,7 @@ interface(`cron_manage_pid_files',`
+@@ -481,6 +611,7 @@ interface(`cron_manage_pid_files',`
  		type crond_var_run_t;
  	')
  
@@ -29170,7 +29868,7 @@ index 35241ed..92acfae 100644
  	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
  ')
  
-@@ -536,7 +643,7 @@ interface(`cron_write_system_job_pipes',`
+@@ -536,7 +667,7 @@ interface(`cron_write_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -29179,7 +29877,7 @@ index 35241ed..92acfae 100644
  ')
  
  ########################################
-@@ -554,7 +661,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -554,7 +685,7 @@ interface(`cron_rw_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -29188,7 +29886,7 @@ index 35241ed..92acfae 100644
  ')
  
  ########################################
-@@ -587,11 +694,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -587,11 +718,14 @@ interface(`cron_rw_system_job_stream_sockets',`
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -29204,7 +29902,7 @@ index 35241ed..92acfae 100644
  ')
  
  ########################################
-@@ -627,7 +737,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +761,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
  interface(`cron_dontaudit_write_system_job_tmp_files',`
  	gen_require(`
  		type system_cronjob_tmp_t;
@@ -29253,7 +29951,7 @@ index 35241ed..92acfae 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..ee001c7 100644
+index f7583ab..86ea0ba 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -10,18 +10,18 @@ gen_require(`
@@ -29300,8 +29998,13 @@ index f7583ab..ee001c7 100644
  
  # var/log files
  type cron_log_t;
-@@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t)
+@@ -61,11 +61,17 @@ domain_cron_exemption_source(crond_t)
+ type crond_initrc_exec_t;
+ init_script_file(crond_initrc_exec_t)
  
++type crond_unit_file_t;
++systemd_unit_file(crond_unit_file_t)
++
  type crond_tmp_t;
  files_tmp_file(crond_tmp_t)
 +files_poly_parent(crond_tmp_t)
@@ -29313,7 +30016,7 @@ index f7583ab..ee001c7 100644
  
  type crontab_exec_t;
  application_executable_file(crontab_exec_t)
-@@ -79,14 +82,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
+@@ -79,14 +85,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
  typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
  typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
  typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
@@ -29331,7 +30034,7 @@ index f7583ab..ee001c7 100644
  
  type system_cronjob_lock_t alias system_crond_lock_t;
  files_lock_file(system_cronjob_lock_t)
-@@ -94,10 +99,6 @@ files_lock_file(system_cronjob_lock_t)
+@@ -94,10 +102,6 @@ files_lock_file(system_cronjob_lock_t)
  type system_cronjob_tmp_t alias system_crond_tmp_t;
  files_tmp_file(system_cronjob_tmp_t)
  
@@ -29342,7 +30045,7 @@ index f7583ab..ee001c7 100644
  type unconfined_cronjob_t;
  domain_type(unconfined_cronjob_t)
  domain_cron_exemption_target(unconfined_cronjob_t)
-@@ -106,8 +107,20 @@ domain_cron_exemption_target(unconfined_cronjob_t)
+@@ -106,8 +110,20 @@ domain_cron_exemption_target(unconfined_cronjob_t)
  type user_cron_spool_t, cron_spool_type;
  typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
  typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
@@ -29364,7 +30067,7 @@ index f7583ab..ee001c7 100644
  
  ########################################
  #
-@@ -115,7 +128,7 @@ ubac_constrained(user_cron_spool_t)
+@@ -115,7 +131,7 @@ ubac_constrained(user_cron_spool_t)
  #
  
  # Allow our crontab domain to unlink a user cron spool file.
@@ -29373,7 +30076,7 @@ index f7583ab..ee001c7 100644
  
  # Manipulate other users crontab.
  selinux_get_fs_mount(admin_crontab_t)
-@@ -125,7 +138,7 @@ selinux_compute_create_context(admin_crontab_t)
+@@ -125,7 +141,7 @@ selinux_compute_create_context(admin_crontab_t)
  selinux_compute_relabel_context(admin_crontab_t)
  selinux_compute_user_contexts(admin_crontab_t)
  
@@ -29382,7 +30085,7 @@ index f7583ab..ee001c7 100644
  	# fcron wants an instant update of a crontab change for the administrator
  	# also crontab does a security check for crontab -u
  	allow admin_crontab_t self:process setfscreate;
-@@ -136,9 +149,9 @@ tunable_policy(`fcron_crond', `
+@@ -136,9 +152,9 @@ tunable_policy(`fcron_crond', `
  # Cron daemon local policy
  #
  
@@ -29394,7 +30097,7 @@ index f7583ab..ee001c7 100644
  allow crond_t self:process { setexec setfscreate };
  allow crond_t self:fd use;
  allow crond_t self:fifo_file rw_fifo_file_perms;
-@@ -187,12 +200,16 @@ fs_list_inotifyfs(crond_t)
+@@ -187,12 +203,16 @@ fs_list_inotifyfs(crond_t)
  
  # need auth_chkpwd to check for locked accounts.
  auth_domtrans_chk_passwd(crond_t)
@@ -29411,7 +30114,7 @@ index f7583ab..ee001c7 100644
  
  files_read_usr_files(crond_t)
  files_read_etc_runtime_files(crond_t)
-@@ -203,11 +220,17 @@ files_list_usr(crond_t)
+@@ -203,11 +223,17 @@ files_list_usr(crond_t)
  files_search_var_lib(crond_t)
  files_search_default(crond_t)
  
@@ -29429,7 +30132,7 @@ index f7583ab..ee001c7 100644
  logging_send_syslog_msg(crond_t)
  logging_set_loginuid(crond_t)
  
-@@ -220,8 +243,11 @@ miscfiles_read_localization(crond_t)
+@@ -220,8 +246,11 @@ miscfiles_read_localization(crond_t)
  userdom_use_unpriv_users_fds(crond_t)
  # Not sure why this is needed
  userdom_list_user_home_dirs(crond_t)
@@ -29441,7 +30144,7 @@ index f7583ab..ee001c7 100644
  
  ifdef(`distro_debian',`
  	# pam_limits is used
-@@ -233,7 +259,7 @@ ifdef(`distro_debian',`
+@@ -233,7 +262,7 @@ ifdef(`distro_debian',`
  	')
  ')
  
@@ -29450,7 +30153,7 @@ index f7583ab..ee001c7 100644
  	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
  	# via redirection of standard out.
  	optional_policy(`
-@@ -250,11 +276,30 @@ tunable_policy(`fcron_crond', `
+@@ -250,11 +279,30 @@ tunable_policy(`fcron_crond', `
  ')
  
  optional_policy(`
@@ -29481,7 +30184,7 @@ index f7583ab..ee001c7 100644
  	amanda_search_var_lib(crond_t)
  ')
  
-@@ -264,6 +309,8 @@ optional_policy(`
+@@ -264,6 +312,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dbus_chat(crond_t)
@@ -29490,7 +30193,7 @@ index f7583ab..ee001c7 100644
  ')
  
  optional_policy(`
-@@ -286,15 +333,26 @@ optional_policy(`
+@@ -286,15 +336,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29517,7 +30220,7 @@ index f7583ab..ee001c7 100644
  allow system_cronjob_t self:process { signal_perms getsched setsched };
  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
  allow system_cronjob_t self:passwd rootok;
-@@ -306,10 +364,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +367,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
  
  # This is to handle /var/lib/misc directory.  Used currently
  # by prelink var/lib files for cron 
@@ -29538,7 +30241,7 @@ index f7583ab..ee001c7 100644
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -329,6 +396,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,6 +399,7 @@ allow crond_t system_cronjob_t:fd use;
  allow system_cronjob_t crond_t:fd use;
  allow system_cronjob_t crond_t:fifo_file rw_file_perms;
  allow system_cronjob_t crond_t:process sigchld;
@@ -29546,7 +30249,7 @@ index f7583ab..ee001c7 100644
  
  # Write /var/lock/makewhatis.lock.
  allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -340,9 +408,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,9 +411,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -29561,7 +30264,7 @@ index f7583ab..ee001c7 100644
  
  kernel_read_kernel_sysctls(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
-@@ -365,6 +437,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +440,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
  dev_getattr_all_blk_files(system_cronjob_t)
  dev_getattr_all_chr_files(system_cronjob_t)
  dev_read_urand(system_cronjob_t)
@@ -29569,7 +30272,7 @@ index f7583ab..ee001c7 100644
  
  fs_getattr_all_fs(system_cronjob_t)
  fs_getattr_all_files(system_cronjob_t)
-@@ -391,6 +464,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +467,7 @@ files_dontaudit_search_pids(system_cronjob_t)
  # Access other spool directories like
  # /var/spool/anacron and /var/spool/slrnpull.
  files_manage_generic_spool(system_cronjob_t)
@@ -29577,7 +30280,7 @@ index f7583ab..ee001c7 100644
  
  init_use_script_fds(system_cronjob_t)
  init_read_utmp(system_cronjob_t)
-@@ -413,8 +487,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +490,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
  
  seutil_read_config(system_cronjob_t)
  
@@ -29589,7 +30292,7 @@ index f7583ab..ee001c7 100644
  	# via redirection of standard out.
  	optional_policy(`
  		rpm_manage_log(system_cronjob_t)
-@@ -439,6 +515,8 @@ optional_policy(`
+@@ -439,6 +518,8 @@ optional_policy(`
  	apache_read_config(system_cronjob_t)
  	apache_read_log(system_cronjob_t)
  	apache_read_sys_content(system_cronjob_t)
@@ -29598,7 +30301,7 @@ index f7583ab..ee001c7 100644
  ')
  
  optional_policy(`
-@@ -446,6 +524,14 @@ optional_policy(`
+@@ -446,6 +527,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29613,7 +30316,7 @@ index f7583ab..ee001c7 100644
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -456,15 +542,24 @@ optional_policy(`
+@@ -456,15 +545,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29638,7 +30341,7 @@ index f7583ab..ee001c7 100644
  ')
  
  optional_policy(`
-@@ -480,7 +575,7 @@ optional_policy(`
+@@ -480,7 +578,7 @@ optional_policy(`
  	prelink_manage_lib(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_read_cache(system_cronjob_t)
@@ -29647,7 +30350,7 @@ index f7583ab..ee001c7 100644
  ')
  
  optional_policy(`
-@@ -495,6 +590,7 @@ optional_policy(`
+@@ -495,6 +593,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -29655,7 +30358,7 @@ index f7583ab..ee001c7 100644
  ')
  
  optional_policy(`
-@@ -502,7 +598,13 @@ optional_policy(`
+@@ -502,7 +601,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29669,7 +30372,7 @@ index f7583ab..ee001c7 100644
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
  
-@@ -595,9 +697,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +700,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -29709,7 +30412,7 @@ index 0000000..2db6b61
 +
 diff --git a/policy/modules/services/ctdbd.if b/policy/modules/services/ctdbd.if
 new file mode 100644
-index 0000000..1c3a90b
+index 0000000..1171f34
 --- /dev/null
 +++ b/policy/modules/services/ctdbd.if
 @@ -0,0 +1,256 @@
@@ -29925,7 +30628,7 @@ index 0000000..1c3a90b
 +
 +    files_search_pids($1)
 +    stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
-+	stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
++    stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
 +')
 +
 +########################################
@@ -29971,10 +30674,10 @@ index 0000000..1c3a90b
 +
 diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te
 new file mode 100644
-index 0000000..e6042d9
+index 0000000..5a15b82
 --- /dev/null
 +++ b/policy/modules/services/ctdbd.te
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,114 @@
 +policy_module(ctdbd, 1.0.0)
 +
 +########################################
@@ -30083,6 +30786,7 @@ index 0000000..e6042d9
 +	samba_initrc_domtrans(ctdbd_t)
 +	samba_domtrans_net(ctdbd_t)
 +	samba_rw_var_files(ctdbd_t)
++	samba_systemctl(ctdbd_t)
 +')
 +
 +optional_policy(`
@@ -30891,7 +31595,7 @@ index 1a1becd..d4357ec 100644
  ')
 +
 diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..fbfc5db 100644
+index 1bff6ee..9540fee 100644
 --- a/policy/modules/services/dbus.te
 +++ b/policy/modules/services/dbus.te
 @@ -10,6 +10,7 @@ gen_require(`
@@ -30953,7 +31657,7 @@ index 1bff6ee..fbfc5db 100644
  
  logging_send_audit_msgs(system_dbusd_t)
  logging_send_syslog_msg(system_dbusd_t)
-@@ -141,6 +148,19 @@ optional_policy(`
+@@ -141,6 +148,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30967,13 +31671,14 @@ index 1bff6ee..fbfc5db 100644
 +
 +optional_policy(`
 +	networkmanager_initrc_domtrans(system_dbusd_t)
++	networkmanager_systemctl(system_dbusd_t)
 +')
 +
 +optional_policy(`
  	policykit_dbus_chat(system_dbusd_t)
  	policykit_domtrans_auth(system_dbusd_t)
  	policykit_search_lib(system_dbusd_t)
-@@ -151,12 +171,166 @@ optional_policy(`
+@@ -151,12 +172,166 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31629,7 +32334,7 @@ index f706b99..13d3a35 100644
 +	files_list_pids($1)
  ')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..544ab05 100644
+index f231f17..c5244c8 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
 @@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
@@ -31780,7 +32485,7 @@ index f231f17..544ab05 100644
  
  userdom_read_all_users_state(devicekit_power_t)
  
-@@ -235,6 +273,10 @@ optional_policy(`
+@@ -235,7 +273,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31789,9 +32494,11 @@ index f231f17..544ab05 100644
 +
 +optional_policy(`
  	cron_initrc_domtrans(devicekit_power_t)
++	cron_systemctl(devicekit_power_t)
  ')
  
-@@ -261,14 +303,21 @@ optional_policy(`
+ optional_policy(`
+@@ -261,14 +304,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31814,7 +32521,7 @@ index f231f17..544ab05 100644
  	policykit_dbus_chat(devicekit_power_t)
  	policykit_domtrans_auth(devicekit_power_t)
  	policykit_read_lib(devicekit_power_t)
-@@ -276,9 +325,30 @@ optional_policy(`
+@@ -276,9 +326,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31846,12 +32553,14 @@ index f231f17..544ab05 100644
 +	xserver_stream_connect(devicekit_power_t)
 +')
 diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
-index 767e0c7..7956248 100644
+index 767e0c7..4fbde9d 100644
 --- a/policy/modules/services/dhcp.fc
 +++ b/policy/modules/services/dhcp.fc
-@@ -1,8 +1,8 @@
+@@ -1,8 +1,10 @@
 -/etc/rc\.d/init\.d/dhcpd	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/dhcpd(6)?	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
++
++/lib/systemd/system/dhcpcd.* 		--	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
  
  /usr/sbin/dhcpd.*		--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
  
@@ -31861,7 +32570,7 @@ index 767e0c7..7956248 100644
 -/var/run/dhcpd\.pid		--	gen_context(system_u:object_r:dhcpd_var_run_t,s0)
 +/var/run/dhcpd(6)?\.pid		--	gen_context(system_u:object_r:dhcpd_var_run_t,s0)
 diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
-index 5e2cea8..7e129ff 100644
+index 5e2cea8..7a18800 100644
 --- a/policy/modules/services/dhcp.if
 +++ b/policy/modules/services/dhcp.if
 @@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
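Review bot: The new file-context line `/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)` matches `dhcpcd`, not `dhcpd`; the other entries in this file use `dhcpd(6)?`, so this looks like a typo, and the unit files that the new `dhcpd_systemctl` interface expects to carry `dhcpd_unit_file_t` would not be labelled by it. Suggest `/lib/systemd/system/dhcpd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)`. The ftp.fc hunk at the end of this view has the same class of problem: the vsftpd and proftpd unit files are labelled `iptables_unit_file_t` while `ftp_systemctl` requires `ftpd_unit_file_t`; that hunk continues past the end of the view.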
@@ -31873,7 +32582,38 @@ index 5e2cea8..7e129ff 100644
  ')
  
  ########################################
-@@ -77,7 +77,7 @@ interface(`dhcpd_initrc_domtrans',`
+@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',`
+ 
+ ########################################
+ ## <summary>
++##	Execute dhcpd server in the dhcpd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`dhcpd_systemctl',`
++	gen_require(`
++		type dhcpd_unit_file_t;
++		type dhcpd_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
++	allow $1 dhcpd_unit_file_t:file read_file_perms;
++	allow $1 dhcpd_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, dhcpd_t)
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to administrate 
+ ##	an dhcp environment
+ ## </summary>
+@@ -77,7 +101,7 @@ interface(`dhcpd_initrc_domtrans',`
  #
  interface(`dhcpd_admin',`
  	gen_require(`
@@ -31882,11 +32622,28 @@ index 5e2cea8..7e129ff 100644
  		type dhcpd_var_run_t, dhcpd_initrc_exec_t;
  	')
  
+@@ -96,4 +120,6 @@ interface(`dhcpd_admin',`
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, dhcpd_var_run_t)
++
++	dhcpd_systemctl($1)
+ ')
 diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
-index d4424ad..a809e38 100644
+index d4424ad..f90959a 100644
 --- a/policy/modules/services/dhcp.te
 +++ b/policy/modules/services/dhcp.te
-@@ -26,9 +26,9 @@ files_pid_file(dhcpd_var_run_t)
+@@ -12,6 +12,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
+ type dhcpd_initrc_exec_t;
+ init_script_file(dhcpd_initrc_exec_t)
+ 
++type dhcpd_unit_file_t;
++systemd_unit_file(dhcpd_unit_file_t)
++
+ type dhcpd_state_t;
+ files_type(dhcpd_state_t)
+ 
+@@ -26,9 +29,9 @@ files_pid_file(dhcpd_var_run_t)
  # Local policy
  #
  
@@ -31898,7 +32655,7 @@ index d4424ad..a809e38 100644
  allow dhcpd_t self:fifo_file rw_fifo_file_perms;
  allow dhcpd_t self:unix_dgram_socket create_socket_perms;
  allow dhcpd_t self:unix_stream_socket create_socket_perms;
-@@ -73,6 +73,8 @@ corenet_tcp_connect_all_ports(dhcpd_t)
+@@ -73,6 +76,8 @@ corenet_tcp_connect_all_ports(dhcpd_t)
  corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
  corenet_sendrecv_pxe_server_packets(dhcpd_t)
  corenet_sendrecv_all_client_packets(dhcpd_t)
@@ -31907,7 +32664,7 @@ index d4424ad..a809e38 100644
  
  dev_read_sysfs(dhcpd_t)
  dev_read_rand(dhcpd_t)
-@@ -111,6 +113,10 @@ optional_policy(`
+@@ -111,6 +116,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32716,10 +33473,17 @@ index dc1056c..bd60100 100644
 +
 +/var/lib/dkim-milter(/.*)?		gen_context(system_u:object_r:dkim_milter_data_t,s0)
 diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
-index b886676..ad3210e 100644
+index b886676..ab3af9c 100644
 --- a/policy/modules/services/dnsmasq.fc
 +++ b/policy/modules/services/dnsmasq.fc
-@@ -6,7 +6,7 @@
+@@ -1,12 +1,14 @@
+ /etc/dnsmasq\.conf		--	gen_context(system_u:object_r:dnsmasq_etc_t, s0)
+ /etc/rc\.d/init\.d/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+ 
++/lib/systemd/system/dnsmasq.* 		--	gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
++
+ /usr/sbin/dnsmasq		--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+ 
  /var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
  /var/lib/dnsmasq(/.*)?			gen_context(system_u:object_r:dnsmasq_lease_t,s0)
  
@@ -32729,10 +33493,41 @@ index b886676..ad3210e 100644
  /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
  /var/run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
-index 9bd812b..2385a2c 100644
+index 9bd812b..f3c2d82 100644
 --- a/policy/modules/services/dnsmasq.if
 +++ b/policy/modules/services/dnsmasq.if
-@@ -101,9 +101,9 @@ interface(`dnsmasq_kill',`
+@@ -41,6 +41,30 @@ interface(`dnsmasq_initrc_domtrans',`
+ 
+ ########################################
+ ## <summary>
++##	Execute dnsmasq server in the dnsmasq domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`dnsmasq_systemctl',`
++	gen_require(`
++		type dnsmasq_unit_file_t;
++		type dnsmasq_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
++	allow $1 dnsmasq_unit_file_t:file read_file_perms;
++	allow $1 dnsmasq_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, dnsmasq_t)
++')
++
++########################################
++## <summary>
+ ##	Send dnsmasq a signal
+ ## </summary>
+ ## <param name="domain">
+@@ -101,9 +125,9 @@ interface(`dnsmasq_kill',`
  ##	Read dnsmasq config files.
  ## </summary>
  ## <param name="domain">
@@ -32744,7 +33539,7 @@ index 9bd812b..2385a2c 100644
  ## </param>
  #
  interface(`dnsmasq_read_config',`
-@@ -120,9 +120,9 @@ interface(`dnsmasq_read_config',`
+@@ -120,9 +144,9 @@ interface(`dnsmasq_read_config',`
  ##	Write to dnsmasq config files.
  ## </summary>
  ## <param name="domain">
@@ -32756,7 +33551,7 @@ index 9bd812b..2385a2c 100644
  ## </param>
  #
  interface(`dnsmasq_write_config',`
-@@ -144,12 +144,12 @@ interface(`dnsmasq_write_config',`
+@@ -144,12 +168,12 @@ interface(`dnsmasq_write_config',`
  ##	</summary>
  ## </param>
  #
@@ -32770,7 +33565,7 @@ index 9bd812b..2385a2c 100644
  	delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
  ')
  
-@@ -163,17 +163,80 @@ interface(`dnsmasq_delete_pid_files',`
+@@ -163,17 +187,80 @@ interface(`dnsmasq_delete_pid_files',`
  ##	</summary>
  ## </param>
  #
@@ -32852,11 +33647,28 @@ index 9bd812b..2385a2c 100644
  ##	All of the rules required to administrate
  ##	an dnsmasq environment
  ## </summary>
+@@ -208,4 +295,6 @@ interface(`dnsmasq_admin',`
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, dnsmasq_var_run_t)
++
++	dnsmasq_systemctl($1)
+ ')
 diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..06021d4 100644
+index fdaeeba..8542225 100644
 --- a/policy/modules/services/dnsmasq.te
 +++ b/policy/modules/services/dnsmasq.te
-@@ -48,11 +48,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
+ type dnsmasq_var_run_t;
+ files_pid_file(dnsmasq_var_run_t)
+ 
++type dnsmasq_unit_file_t;
++systemd_unit_file(dnsmasq_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -48,11 +51,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
  manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
  logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
  
@@ -32871,7 +33683,7 @@ index fdaeeba..06021d4 100644
  
  corenet_all_recvfrom_unlabeled(dnsmasq_t)
  corenet_all_recvfrom_netlabel(dnsmasq_t)
-@@ -88,6 +90,8 @@ logging_send_syslog_msg(dnsmasq_t)
+@@ -88,6 +93,8 @@ logging_send_syslog_msg(dnsmasq_t)
  
  miscfiles_read_localization(dnsmasq_t)
  
@@ -32880,7 +33692,7 @@ index fdaeeba..06021d4 100644
  userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
  userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
  
-@@ -96,7 +100,20 @@ optional_policy(`
+@@ -96,7 +103,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32901,7 +33713,7 @@ index fdaeeba..06021d4 100644
  ')
  
  optional_policy(`
-@@ -114,4 +131,5 @@ optional_policy(`
+@@ -114,4 +134,5 @@ optional_policy(`
  optional_policy(`
  	virt_manage_lib_files(dnsmasq_t)
  	virt_read_pid_files(dnsmasq_t)
@@ -34715,19 +35527,29 @@ index 7df52c7..899feaf 100644
 +	policykit_dbus_chat_auth(fprintd_t)
  ')
 diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
-index 69dcd2a..a9a9116 100644
+index 69dcd2a..80eefd3 100644
 --- a/policy/modules/services/ftp.fc
 +++ b/policy/modules/services/ftp.fc
-@@ -29,3 +29,4 @@
+@@ -6,6 +6,9 @@
+ /etc/rc\.d/init\.d/vsftpd --	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/proftpd --	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+ 
++/lib/systemd/system/vsftpd.* 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/lib/systemd/system/proftpd.* 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
+ #
+ # /usr
+ #
+@@ -29,3 +32,4 @@
  /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
  /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
  /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 +/usr/libexec/webmin/vsftpd/webalizer/xfer_log 	--	gen_context(system_u:object_r:xferlog_t,s0)
 diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
-index 9d3201b..748cac5 100644
+index 9d3201b..a8ad41e 100644
 --- a/policy/modules/services/ftp.if
 +++ b/policy/modules/services/ftp.if
-@@ -1,5 +1,43 @@
+@@ -1,5 +1,67 @@
  ## <summary>File transfer protocol service</summary>
  
 +######################################
@@ -34768,11 +35590,42 @@ index 9d3201b..748cac5 100644
 +    init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
 +')
 +
++########################################
++## <summary>
++##	Execute ftpd server in the ftpd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`ftp_systemctl',`
++	gen_require(`
++		type ftpd_unit_file_t;
++		type ftpd_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
++	allow $1 ftpd_unit_file_t:file read_file_perms;
++	allow $1 ftpd_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, ftpd_t)
++')
++
  #######################################
  ## <summary>
  ##	Allow domain dyntransition to sftpd_anon domain.
+@@ -203,4 +265,6 @@ interface(`ftp_admin',`
+ 
+ 	logging_list_logs($1)
+ 	admin_pattern($1, xferlog_t)
++
++	ftp_systemctl($1)
+ ')
 diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..3283e90 100644
+index 8a74a83..3bc14c3 100644
 --- a/policy/modules/services/ftp.te
 +++ b/policy/modules/services/ftp.te
 @@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
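Review bot: The two new ftp.fc entries label `/lib/systemd/system/vsftpd.*` and `proftpd.*` as iptables_unit_file_t, while the ftp_systemctl interface added in the same hunk grants `allow $1 ftpd_unit_file_t:service all_service_perms;` — so ftp_systemctl never matches the real unit files, and any domain given iptables_systemctl instead gains start/stop control of the FTP services. The ftp.te hunk below declares ftpd_unit_file_t, so the entries should read `/lib/systemd/system/vsftpd\.service -- gen_context(system_u:object_r:ftpd_unit_file_t,s0)` and likewise for proftpd; escaping the dot, as the NetworkManager.fc entry elsewhere in this patch does, also stops the pattern from matching unrelated files that merely start with vsftpd. The ftp_systemctl summary `Execute ftpd server in the ftpd domain.` is copied from ftp_domtrans and should instead say the caller may run systemctl on the ftpd unit file and read ftpd process state, with the parameter described as `Domain allowed access.` since no transition occurs.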
@@ -34804,7 +35657,17 @@ index 8a74a83..3283e90 100644
  type anon_sftpd_t;
  typealias anon_sftpd_t alias sftpd_anon_t;
  domain_type(anon_sftpd_t)
-@@ -115,6 +130,10 @@ ifdef(`enable_mcs',`
+@@ -85,6 +100,9 @@ files_config_file(ftpd_etc_t)
+ type ftpd_initrc_exec_t;
+ init_script_file(ftpd_initrc_exec_t)
+ 
++type ftpd_unit_file_t;
++systemd_unit_file(ftpd_unit_file_t)
++
+ type ftpd_lock_t;
+ files_lock_file(ftpd_lock_t)
+ 
+@@ -115,6 +133,10 @@ ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
  ')
  
@@ -34815,7 +35678,7 @@ index 8a74a83..3283e90 100644
  ########################################
  #
  # anon-sftp local policy
-@@ -122,6 +141,7 @@ ifdef(`enable_mcs',`
+@@ -122,6 +144,7 @@ ifdef(`enable_mcs',`
  
  files_read_etc_files(anon_sftpd_t)
  
@@ -34823,7 +35686,7 @@ index 8a74a83..3283e90 100644
  miscfiles_read_public_files(anon_sftpd_t)
  
  tunable_policy(`sftpd_anon_write',`
-@@ -133,7 +153,7 @@ tunable_policy(`sftpd_anon_write',`
+@@ -133,7 +156,7 @@ tunable_policy(`sftpd_anon_write',`
  # ftpd local policy
  #
  
@@ -34832,7 +35695,7 @@ index 8a74a83..3283e90 100644
  dontaudit ftpd_t self:capability sys_tty_config;
  allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
  allow ftpd_t self:fifo_file rw_fifo_file_perms;
-@@ -151,7 +171,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+@@ -151,7 +174,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
  
  manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
  manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
@@ -34840,7 +35703,7 @@ index 8a74a83..3283e90 100644
  
  manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
  manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -163,13 +182,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
+@@ -163,13 +185,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
  manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
  manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
  manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
@@ -34856,7 +35719,27 @@ index 8a74a83..3283e90 100644
  
  # Create and modify /var/log/xferlog.
  manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -219,6 +238,7 @@ auth_append_login_records(ftpd_t)
+@@ -196,9 +218,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
+ corenet_tcp_bind_ftp_port(ftpd_t)
+ corenet_tcp_bind_ftp_data_port(ftpd_t)
+ corenet_tcp_bind_generic_port(ftpd_t)
+-corenet_tcp_bind_all_unreserved_ports(ftpd_t)
+-corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
+-corenet_tcp_connect_all_ports(ftpd_t)
++corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
++corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
+ corenet_sendrecv_ftp_server_packets(ftpd_t)
+ 
+ domain_use_interactive_fds(ftpd_t)
+@@ -212,13 +233,11 @@ fs_search_auto_mountpoints(ftpd_t)
+ fs_getattr_all_fs(ftpd_t)
+ fs_search_fusefs(ftpd_t)
+ 
+-auth_use_nsswitch(ftpd_t)
+-auth_domtrans_chk_passwd(ftpd_t)
+-# Append to /var/log/wtmp.
+-auth_append_login_records(ftpd_t)
++auth_use_pam(ftpd_t)
  #kerberized ftp requires the following
  auth_write_login_records(ftpd_t)
  auth_rw_faillog(ftpd_t)
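Review bot: Replacing `corenet_tcp_connect_all_ports(ftpd_t)` with `corenet_tcp_connect_all_ephemeral_ports(ftpd_t)` materially narrows what ftpd_t can reach and deserves a comment saying so, since active-mode data connections go to whatever port the client names in PORT and will presumably now be denied when that port is not typed as ephemeral; with `corenet_dontaudit_tcp_bind_all_ports` dropped as well, the related bind denials will start appearing in the audit log. A one-line comment above the two new lines, such as `# Data sockets are confined to the ephemeral range; active-mode connects to low client ports are refused by policy`, would save the next person from treating the denial as a bug. The swap of `auth_use_nsswitch`/`auth_domtrans_chk_passwd`/`auth_append_login_records` for `auth_use_pam` looks like a consolidation, but nothing visible here shows that auth_use_pam covers chk_passwd, and losing it would break PAM password authentication for ftpd, so that should be confirmed. The ftpd_t local policy block starts and ends outside this hunk.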
@@ -34864,7 +35747,7 @@ index 8a74a83..3283e90 100644
  
  init_rw_utmp(ftpd_t)
  
-@@ -261,7 +281,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+@@ -261,7 +280,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
  
  tunable_policy(`allow_ftpd_full_access',`
  	allow ftpd_t self:capability { dac_override dac_read_search };
@@ -34873,7 +35756,7 @@ index 8a74a83..3283e90 100644
  ')
  
  tunable_policy(`ftp_home_dir',`
-@@ -270,10 +290,13 @@ tunable_policy(`ftp_home_dir',`
+@@ -270,10 +289,13 @@ tunable_policy(`ftp_home_dir',`
  	# allow access to /home
  	files_list_home(ftpd_t)
  	userdom_read_user_home_content_files(ftpd_t)
@@ -34891,7 +35774,7 @@ index 8a74a83..3283e90 100644
  ')
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,6 +332,10 @@ optional_policy(`
+@@ -309,6 +331,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34902,7 +35785,7 @@ index 8a74a83..3283e90 100644
  	selinux_validate_context(ftpd_t)
  
  	kerberos_keytab_template(ftpd, ftpd_t)
-@@ -316,6 +343,25 @@ optional_policy(`
+@@ -316,6 +342,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34928,7 +35811,7 @@ index 8a74a83..3283e90 100644
  	inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
  
  	optional_policy(`
-@@ -347,16 +393,17 @@ optional_policy(`
+@@ -347,16 +392,17 @@ optional_policy(`
  
  # Allow ftpdctl to talk to ftpd over a socket connection
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -34948,7 +35831,7 @@ index 8a74a83..3283e90 100644
  
  ########################################
  #
-@@ -365,18 +412,33 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +411,33 @@ userdom_use_user_terminals(ftpdctl_t)
  
  files_read_etc_files(sftpd_t)
  
@@ -34985,7 +35868,7 @@ index 8a74a83..3283e90 100644
  ')
  
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,7 +456,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,7 +455,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
  tunable_policy(`sftpd_full_access',`
  	allow sftpd_t self:capability { dac_override dac_read_search };
  	fs_read_noxattr_fs_files(sftpd_t)
@@ -38546,29 +39429,31 @@ index 0000000..4aac893
 +
 +sysnet_dns_name_resolve(l2tpd_t)
 diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
-index c62f23e..92f3475 100644
+index c62f23e..f8a4301 100644
 --- a/policy/modules/services/ldap.fc
 +++ b/policy/modules/services/ldap.fc
-@@ -1,6 +1,8 @@
+@@ -1,6 +1,10 @@
  
  /etc/ldap/slapd\.conf	--	gen_context(system_u:object_r:slapd_etc_t,s0)
 -/etc/rc\.d/init\.d/ldap	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
 +/etc/openldap/slapd\.d(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
 +
 +/etc/rc\.d/init\.d/slapd	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
++
++/lib/systemd/system/slapd.* 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
  
  /usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
  
-@@ -15,3 +17,4 @@ ifdef(`distro_debian',`
+@@ -15,3 +19,4 @@ ifdef(`distro_debian',`
  /var/run/openldap(/.*)?		gen_context(system_u:object_r:slapd_var_run_t,s0)
  /var/run/slapd\.args	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
  /var/run/slapd\.pid	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
 +/var/run/slapd.*	-s	gen_context(system_u:object_r:slapd_var_run_t,s0)
 diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
-index 3aa8fa7..8fa74c3 100644
+index 3aa8fa7..2a407cd 100644
 --- a/policy/modules/services/ldap.if
 +++ b/policy/modules/services/ldap.if
-@@ -1,5 +1,41 @@
+@@ -1,5 +1,65 @@
  ## <summary>OpenLDAP directory server</summary>
  
 +#######################################
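Review bot: The new ldap.fc entry labels `/lib/systemd/system/slapd.*` as iptables_unit_file_t, which hands service control of slapd to whatever is allowed iptables_unit_file_t:service and leaves the slapd_unit_file_t type that this patch declares in ldap.te matching no file at all. It should read `/lib/systemd/system/slapd\.service -- gen_context(system_u:object_r:slapd_unit_file_t,s0)`, with the dot escaped so the pattern does not also catch other files starting with slapd. The same mislabel appears in the ftp.fc hunk of this patch for vsftpd and proftpd, so grepping the .fc changes for iptables_unit_file_t before this ships would be worthwhile.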
@@ -38607,10 +39492,34 @@ index 3aa8fa7..8fa74c3 100644
 +	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
 +')
 +
++########################################
++## <summary>
++##	Execute slapd server in the slapd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`ldap_systemctl',`
++	gen_require(`
++		type slapd_unit_file_t;
++		type slapd_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
++	allow $1 slapd_unit_file_t:file read_file_perms;
++	allow $1 slapd_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, slapd_t)
++')
++
  ########################################
  ## <summary>
  ##	Read the contents of the OpenLDAP
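Review bot: The summary on the new ldap_systemctl interface, `Execute slapd server in the slapd domain.`, is copied from ldap_domtrans and does not describe what is granted: executing systemctl, reading slapd_unit_file_t with all service permissions on it, and reading slapd_t process state. Replace it with `##	Execute systemctl on the slapd unit file and read slapd process state.` and change the parameter summary from `Domain allowed to transition.` to `Domain allowed access.`, since no domain transition happens here. This interface only takes effect if the slapd unit file actually carries slapd_unit_file_t; the ldap.fc hunk in this patch labels it as something else, so the two need to agree.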
-@@ -21,6 +57,25 @@ interface(`ldap_list_db',`
+@@ -21,6 +81,25 @@ interface(`ldap_list_db',`
  
  ########################################
  ## <summary>
@@ -38636,7 +39545,7 @@ index 3aa8fa7..8fa74c3 100644
  ##	Read the OpenLDAP configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -69,8 +124,7 @@ interface(`ldap_stream_connect',`
+@@ -69,8 +148,7 @@ interface(`ldap_stream_connect',`
  	')
  
  	files_search_pids($1)
@@ -38646,7 +39555,7 @@ index 3aa8fa7..8fa74c3 100644
  ')
  
  ########################################
-@@ -110,6 +164,7 @@ interface(`ldap_admin',`
+@@ -110,6 +188,7 @@ interface(`ldap_admin',`
  
  	admin_pattern($1, slapd_lock_t)
  
@@ -38654,8 +39563,15 @@ index 3aa8fa7..8fa74c3 100644
  	admin_pattern($1, slapd_replog_t)
  
  	files_list_tmp($1)
+@@ -117,4 +196,6 @@ interface(`ldap_admin',`
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, slapd_var_run_t)
++
++	ldap_systemctl($1)
+ ')
 diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
-index 64fd1ff..10c2d54 100644
+index 64fd1ff..211180e 100644
 --- a/policy/modules/services/ldap.te
 +++ b/policy/modules/services/ldap.te
 @@ -10,7 +10,7 @@ type slapd_exec_t;
@@ -38667,7 +39583,16 @@ index 64fd1ff..10c2d54 100644
  
  type slapd_db_t;
  files_type(slapd_db_t)
-@@ -27,9 +27,15 @@ files_lock_file(slapd_lock_t)
+@@ -21,15 +21,24 @@ files_config_file(slapd_etc_t)
+ type slapd_initrc_exec_t;
+ init_script_file(slapd_initrc_exec_t)
+ 
++type slapd_unit_file_t;
++systemd_unit_file(slapd_unit_file_t)
++
+ type slapd_lock_t;
+ files_lock_file(slapd_lock_t)
+ 
  type slapd_replog_t;
  files_type(slapd_replog_t)
  
@@ -38683,7 +39608,7 @@ index 64fd1ff..10c2d54 100644
  type slapd_var_run_t;
  files_pid_file(slapd_var_run_t)
  
-@@ -67,13 +73,21 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+@@ -67,13 +76,21 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
  manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
  manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
  
@@ -38754,7 +39679,7 @@ index 49e04e5..69db026 100644
  /usr/sbin/lircd		--	gen_context(system_u:object_r:lircd_exec_t,s0)
  
 diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
-index 6a78de1..a32fbe8 100644
+index 6a78de1..8db7d14 100644
 --- a/policy/modules/services/lircd.te
 +++ b/policy/modules/services/lircd.te
 @@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -38774,12 +39699,12 @@ index 6a78de1..a32fbe8 100644
  allow lircd_t self:fifo_file rw_fifo_file_perms;
  allow lircd_t self:unix_dgram_socket create_socket_perms;
  allow lircd_t self:tcp_socket create_stream_socket_perms;
-@@ -44,13 +45,14 @@ corenet_tcp_bind_lirc_port(lircd_t)
+@@ -44,18 +45,20 @@ corenet_tcp_bind_lirc_port(lircd_t)
  corenet_tcp_sendrecv_all_ports(lircd_t)
  corenet_tcp_connect_lirc_port(lircd_t)
  
 -dev_read_generic_usb_dev(lircd_t)
-+dev_rw_generic_usb_dev(lircd_t)
++dev_rw_generic_usb_dev(lircd_t) # this needs to be reproduced. might not be right
  dev_read_mouse(lircd_t)
  dev_filetrans_lirc(lircd_t)
  dev_rw_lirc(lircd_t)
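Review bot: `dev_rw_generic_usb_dev(lircd_t)` widens lircd from read to read/write on every generic USB device node, and the trailing comment `# this needs to be reproduced. might not be right` admits the need was never confirmed; a write grant across all USB devices should not ship on that basis. Keep `dev_read_generic_usb_dev(lircd_t)` until an AVC denial shows which node lircd writes, then grant the narrowest interface that covers it. If the widening has to stay for now, replace the comment with a marker that will be revisited, such as `# TODO: unverified; confirm lircd writes a USB device node (bug ref), else revert to dev_read_generic_usb_dev`.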
@@ -38791,6 +39716,12 @@ index 6a78de1..a32fbe8 100644
  files_list_var(lircd_t)
  files_manage_generic_locks(lircd_t)
  files_read_all_locks(lircd_t)
+ 
+ term_use_ptmx(lircd_t)
++term_use_usb_ttys(lircd_t)
+ 
+ logging_send_syslog_msg(lircd_t)
+ 
 diff --git a/policy/modules/services/lldpad.fc b/policy/modules/services/lldpad.fc
 new file mode 100644
 index 0000000..83a4348
@@ -40545,7 +41476,7 @@ index 0000000..0615cc5
 +')
 diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
 new file mode 100644
-index 0000000..1b9893a
+index 0000000..b7e5bcc
 --- /dev/null
 +++ b/policy/modules/services/mock.te
 @@ -0,0 +1,250 @@
@@ -40638,7 +41569,7 @@ index 0000000..1b9893a
 +
 +corenet_tcp_connect_http_port(mock_t)
 +corenet_tcp_connect_ftp_port(mock_t)
-+corenet_tcp_connect_all_unreserved_ports(mock_t)
++corenet_tcp_connect_all_ephemeral_ports(mock_t)
 +
 +dev_read_urand(mock_t)
 +dev_read_sysfs(mock_t)
@@ -42601,10 +43532,10 @@ index 74da57f..b94bb3b 100644
  /usr/sbin/nessusd	--	gen_context(system_u:object_r:nessusd_exec_t,s0)
  
 diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
-index 386543b..984eefc 100644
+index 386543b..47e1b41 100644
 --- a/policy/modules/services/networkmanager.fc
 +++ b/policy/modules/services/networkmanager.fc
-@@ -1,6 +1,13 @@
+@@ -1,6 +1,15 @@
  /etc/rc\.d/init\.d/wicd		--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
  
 -/etc/NetworkManager/dispatcher\.d(/.*)	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -42616,10 +43547,12 @@ index 386543b..984eefc 100644
 +/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
 +/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
 +/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++
++/lib/systemd/system/NetworkManager\.service	--	gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
  
  /usr/libexec/nm-dispatcher.action --	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
  
-@@ -16,7 +23,8 @@
+@@ -16,7 +25,8 @@
  /var/lib/wicd(/.*)?			gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
  /var/lib/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
  
@@ -42630,7 +43563,7 @@ index 386543b..984eefc 100644
  
  /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
-index 2324d9e..eebf5a7 100644
+index 2324d9e..ac2e779 100644
 --- a/policy/modules/services/networkmanager.if
 +++ b/policy/modules/services/networkmanager.if
 @@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
@@ -42646,7 +43579,38 @@ index 2324d9e..eebf5a7 100644
  ## </param>
  #
  interface(`networkmanager_attach_tun_iface',`
-@@ -137,6 +137,28 @@ interface(`networkmanager_dbus_chat',`
+@@ -116,6 +116,30 @@ interface(`networkmanager_initrc_domtrans',`
+ 
+ ########################################
+ ## <summary>
++##	Execute NetworkManager server in the NetworkManager domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`networkmanager_systemctl',`
++	gen_require(`
++		type NetworkManager_unit_file_t;
++		type NetworkManager_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
++	allow $1 NetworkManager_unit_file_t:file read_file_perms;
++	allow $1 NetworkManager_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, NetworkManager_t)
++')
++
++########################################
++## <summary>
+ ##	Send and receive messages from
+ ##	NetworkManager over dbus.
+ ## </summary>
+@@ -137,6 +161,28 @@ interface(`networkmanager_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -42675,7 +43639,7 @@ index 2324d9e..eebf5a7 100644
  ##	Send a generic signal to NetworkManager
  ## </summary>
  ## <param name="domain">
-@@ -191,3 +213,77 @@ interface(`networkmanager_read_pid_files',`
+@@ -191,3 +237,77 @@ interface(`networkmanager_read_pid_files',`
  	files_search_pids($1)
  	allow $1 NetworkManager_var_run_t:file read_file_perms;
  ')
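Review bot: The new networkmanager_systemctl interface carries the summary `Execute NetworkManager server in the NetworkManager domain.` and the parameter text `Domain allowed to transition.`, both copied from the domtrans interface, while what it actually grants is systemctl execution, read plus all service permissions on NetworkManager_unit_file_t, and ps_process_pattern on NetworkManager_t. Replace the summary with `##	Execute systemctl on the NetworkManager unit file and read NetworkManager process state.` and the parameter summary with `##	Domain allowed access.` so the generated interface docs reflect the real grant. The accompanying NetworkManager.fc hunk does label `NetworkManager\.service` as NetworkManager_unit_file_t, which is the pattern the ftp and ldap .fc hunks in this patch should have followed.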
@@ -42754,13 +43718,16 @@ index 2324d9e..eebf5a7 100644
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..8785eef 100644
+index 0619395..c985b07 100644
 --- a/policy/modules/services/networkmanager.te
 +++ b/policy/modules/services/networkmanager.te
-@@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
+@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
  type NetworkManager_initrc_exec_t;
  init_script_file(NetworkManager_initrc_exec_t)
  
++type NetworkManager_unit_file_t;
++systemd_unit_file(NetworkManager_unit_file_t)
++
 +type NetworkManager_etc_t;
 +files_config_file(NetworkManager_etc_t)
 +
@@ -42770,7 +43737,7 @@ index 0619395..8785eef 100644
  type NetworkManager_log_t;
  logging_log_file(NetworkManager_log_t)
  
-@@ -35,16 +41,21 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -35,16 +44,21 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
  
  # networkmanager will ptrace itself if gdb is installed
  # and it receives a unexpected signal (rh bug #204161)
@@ -42794,7 +43761,7 @@ index 0619395..8785eef 100644
  allow NetworkManager_t self:udp_socket create_socket_perms;
  allow NetworkManager_t self:packet_socket create_socket_perms;
  
-@@ -52,9 +63,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+@@ -52,9 +66,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
  
  can_exec(NetworkManager_t, NetworkManager_exec_t)
  
@@ -42815,7 +43782,7 @@ index 0619395..8785eef 100644
  manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -100,6 +122,7 @@ dev_read_rand(NetworkManager_t)
+@@ -100,6 +125,7 @@ dev_read_rand(NetworkManager_t)
  dev_read_urand(NetworkManager_t)
  dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
  dev_getattr_all_chr_files(NetworkManager_t)
@@ -42823,7 +43790,7 @@ index 0619395..8785eef 100644
  
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
-@@ -113,7 +136,7 @@ corecmd_exec_shell(NetworkManager_t)
+@@ -113,7 +139,7 @@ corecmd_exec_shell(NetworkManager_t)
  corecmd_exec_bin(NetworkManager_t)
  
  domain_use_interactive_fds(NetworkManager_t)
@@ -42832,7 +43799,7 @@ index 0619395..8785eef 100644
  
  files_read_etc_files(NetworkManager_t)
  files_read_etc_runtime_files(NetworkManager_t)
-@@ -133,30 +156,37 @@ logging_send_syslog_msg(NetworkManager_t)
+@@ -133,30 +159,37 @@ logging_send_syslog_msg(NetworkManager_t)
  miscfiles_read_localization(NetworkManager_t)
  miscfiles_read_generic_certs(NetworkManager_t)
  
@@ -42872,7 +43839,7 @@ index 0619395..8785eef 100644
  ')
  
  optional_policy(`
-@@ -172,14 +202,21 @@ optional_policy(`
+@@ -172,14 +205,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42895,7 +43862,15 @@ index 0619395..8785eef 100644
  	')
  ')
  
-@@ -202,10 +239,25 @@ optional_policy(`
+@@ -191,6 +231,7 @@ optional_policy(`
+ 	dnsmasq_kill(NetworkManager_t)
+ 	dnsmasq_signal(NetworkManager_t)
+ 	dnsmasq_signull(NetworkManager_t)
++	dnsmasq_systemctl(NetworkManager_t)
+ ')
+ 
+ optional_policy(`
+@@ -202,23 +243,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42921,19 +43896,35 @@ index 0619395..8785eef 100644
  	nscd_domtrans(NetworkManager_t)
  	nscd_signal(NetworkManager_t)
  	nscd_signull(NetworkManager_t)
-@@ -219,6 +271,11 @@ optional_policy(`
+ 	nscd_kill(NetworkManager_t)
+ 	nscd_initrc_domtrans(NetworkManager_t)
++	nscd_systemctl(NetworkManager_t)
  ')
  
  optional_policy(`
-+	modutils_domtrans_insmod(NetworkManager_t)
+ 	# Dispatcher starting and stoping ntp
+ 	ntp_initrc_domtrans(NetworkManager_t)
++	ntp_systemctl(NetworkManager_t)
 +')
 +
 +optional_policy(`
++	modutils_domtrans_insmod(NetworkManager_t)
+ ')
+ 
+ optional_policy(`
 +	openvpn_read_config(NetworkManager_t)
  	openvpn_domtrans(NetworkManager_t)
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
-@@ -263,6 +320,7 @@ optional_policy(`
+@@ -241,6 +304,7 @@ optional_policy(`
+ 	ppp_signal(NetworkManager_t)
+ 	ppp_signull(NetworkManager_t)
+ 	ppp_read_config(NetworkManager_t)
++	ppp_systemctl(NetworkManager_t)
+ ')
+ 
+ optional_policy(`
+@@ -263,6 +327,7 @@ optional_policy(`
  	vpn_kill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  	vpn_signull(NetworkManager_t)
@@ -42942,7 +43933,7 @@ index 0619395..8785eef 100644
  
  ########################################
 diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc
-index 15448d5..b6b42c1 100644
+index 15448d5..3587f6a 100644
 --- a/policy/modules/services/nis.fc
 +++ b/policy/modules/services/nis.fc
 @@ -1,5 +1,5 @@
@@ -42969,12 +43960,12 @@ index 15448d5..b6b42c1 100644
  /var/run/ypserv.*	--	gen_context(system_u:object_r:ypserv_var_run_t,s0)
  /var/run/yppass.*	--	gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
 +
-+/lib/systemd/system/ypbind\.service	--	gen_context(system_u:object_r:ypbind_unit_t,s0)
-+/lib/systemd/system/ypserv\.service	--	gen_context(system_u:object_r:nis_unit_t,s0)
-+/lib/systemd/system/yppasswdd\.service	--	gen_context(system_u:object_r:nis_unit_t,s0)
-+/lib/systemd/system/ypxfrd\.service	--	gen_context(system_u:object_r:nis_unit_t,s0)
++/lib/systemd/system/ypbind\.service	--	gen_context(system_u:object_r:ypbind_unit_file_t,s0)
++/lib/systemd/system/ypserv\.service	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
++/lib/systemd/system/yppasswdd\.service	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
++/lib/systemd/system/ypxfrd\.service	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
 diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
-index abe3f7f..2de87de 100644
+index abe3f7f..9e96501 100644
 --- a/policy/modules/services/nis.if
 +++ b/policy/modules/services/nis.if
 @@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
@@ -43042,14 +44033,14 @@ index abe3f7f..2de87de 100644
 +#
 +interface(`nis_systemctl_ypbind',`
 +	gen_require(`
-+		type ypbind_unit_t;
++		type ypbind_unit_file_t;
 +		type ypbind_t;
 +	')
 +
 +	systemd_exec_systemctl($1)
 +	systemd_search_unit_dirs($1)
-+	allow $1 ypbind_unit_t:file read_file_perms;
-+	allow $1 ypbind_unit_t:service all_service_perms;
++	allow $1 ypbind_unit_file_t:file read_file_perms;
++	allow $1 ypbind_unit_file_t:service all_service_perms;
 +
 +	ps_process_pattern($1, ypbind_t)
 +')
@@ -43066,14 +44057,14 @@ index abe3f7f..2de87de 100644
 +#
 +interface(`nis_systemctl',`
 +	gen_require(`
-+		type nis_unit_t;
++		type nis_unit_file_t;
 +		type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
 +	')
 +
 +	systemd_exec_systemctl($1)
 +	systemd_search_unit_dirs($1)
-+	allow $1 nis_unit_t:file read_file_perms;
-+	allow $1 nis_unit_t:service all_service_perms;
++	allow $1 nis_unit_file_t:file read_file_perms;
++	allow $1 nis_unit_file_t:service all_service_perms;
 +
 +	ps_process_pattern($1, ypbind_t)
 +	ps_process_pattern($1, yppasswdd_t)
@@ -43114,15 +44105,15 @@ index abe3f7f..2de87de 100644
 +	nis_systemctl($1)
  ')
 diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
-index 4876cae..dccdc78 100644
+index 4876cae..eabed96 100644
 --- a/policy/modules/services/nis.te
 +++ b/policy/modules/services/nis.te
 @@ -24,6 +24,9 @@ files_tmp_file(ypbind_tmp_t)
  type ypbind_var_run_t;
  files_pid_file(ypbind_var_run_t)
  
-+type ypbind_unit_t;
-+systemd_unit_file(ypbind_unit_t)
++type ypbind_unit_file_t;
++systemd_unit_file(ypbind_unit_file_t)
 +
  type yppasswdd_t;
  type yppasswdd_exec_t;
@@ -43140,8 +44131,8 @@ index 4876cae..dccdc78 100644
  type ypxfr_var_run_t;
  files_pid_file(ypxfr_var_run_t)
  
-+type nis_unit_t;
-+systemd_unit_file(nis_unit_t)
++type nis_unit_file_t;
++systemd_unit_file(nis_unit_file_t)
 +
  ########################################
  #
@@ -43187,7 +44178,7 @@ index 4876cae..dccdc78 100644
  allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
  allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
 diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
-index 85188dc..76f26dd 100644
+index 85188dc..891d4ab 100644
 --- a/policy/modules/services/nscd.if
 +++ b/policy/modules/services/nscd.if
 @@ -116,7 +116,26 @@ interface(`nscd_socket_use',`
@@ -43253,8 +44244,46 @@ index 85188dc..76f26dd 100644
  #
  interface(`nscd_run',`
  	gen_require(`
+@@ -254,6 +277,30 @@ interface(`nscd_initrc_domtrans',`
+ 
+ ########################################
+ ## <summary>
++##	Execute nscd server in the nscd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`nscd_systemctl',`
++	gen_require(`
++		type nscd_unit_file_t;
++		type nscd_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
++	allow $1 nscd_unit_file_t:file read_file_perms;
++	allow $1 nscd_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, nscd_t)
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to administrate 
+ ##	an nscd environment
+ ## </summary>
+@@ -288,4 +335,6 @@ interface(`nscd_admin',`
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, nscd_var_run_t)
++
++	nscd_systemctl($1)
+ ')
 diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
-index 7936e09..6b54db7 100644
+index 7936e09..812f966 100644
 --- a/policy/modules/services/nscd.te
 +++ b/policy/modules/services/nscd.te
 @@ -1,9 +1,16 @@
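Review bot: The nscd_systemctl interface is now pulled into nscd_admin, but its summary `Execute nscd server in the nscd domain.` and parameter text `Domain allowed to transition.` are copied from the domtrans interface and misdescribe a grant of systemctl execution, nscd_unit_file_t:service all_service_perms and ps_process_pattern on nscd_t; use `##	Execute systemctl on the nscd unit file and read nscd process state.` and `##	Domain allowed access.` instead. Nothing in this chunk labels an nscd unit file as nscd_unit_file_t (the nscd.te hunk only declares the type), so unless an nscd.fc change exists elsewhere in the patch the new interface will match no file and nscd_admin callers will see denials when running systemctl on nscd.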
@@ -43275,7 +44304,17 @@ index 7936e09..6b54db7 100644
  ########################################
  #
  # Declarations
-@@ -30,7 +37,7 @@ logging_log_file(nscd_log_t)
+@@ -22,6 +29,9 @@ init_daemon_domain(nscd_t, nscd_exec_t)
+ type nscd_initrc_exec_t;
+ init_script_file(nscd_initrc_exec_t)
+ 
++type nscd_unit_file_t;
++systemd_unit_file(nscd_unit_file_t)
++
+ type nscd_log_t;
+ logging_log_file(nscd_log_t)
+ 
+@@ -30,7 +40,7 @@ logging_log_file(nscd_log_t)
  # Local policy
  #
  
@@ -43284,7 +44323,7 @@ index 7936e09..6b54db7 100644
  dontaudit nscd_t self:capability sys_tty_config;
  allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
  allow nscd_t self:fifo_file read_fifo_file_perms;
-@@ -47,9 +54,10 @@ allow nscd_t self:nscd { admin getstat };
+@@ -47,9 +57,10 @@ allow nscd_t self:nscd { admin getstat };
  allow nscd_t nscd_log_t:file manage_file_perms;
  logging_log_filetrans(nscd_t, nscd_log_t, file)
  
@@ -43296,7 +44335,7 @@ index 7936e09..6b54db7 100644
  
  corecmd_search_bin(nscd_t)
  can_exec(nscd_t, nscd_exec_t)
-@@ -90,6 +98,7 @@ selinux_compute_create_context(nscd_t)
+@@ -90,6 +101,7 @@ selinux_compute_create_context(nscd_t)
  selinux_compute_relabel_context(nscd_t)
  selinux_compute_user_contexts(nscd_t)
  domain_use_interactive_fds(nscd_t)
@@ -43304,7 +44343,7 @@ index 7936e09..6b54db7 100644
  
  files_read_etc_files(nscd_t)
  files_read_generic_tmp_symlinks(nscd_t)
-@@ -112,6 +121,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
+@@ -112,6 +124,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
  userdom_dontaudit_search_user_home_dirs(nscd_t)
  
  optional_policy(`
@@ -43315,7 +44354,7 @@ index 7936e09..6b54db7 100644
  	cron_read_system_job_tmp_files(nscd_t)
  ')
  
-@@ -127,3 +140,17 @@ optional_policy(`
+@@ -127,3 +143,17 @@ optional_policy(`
  	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
  	xen_append_log(nscd_t)
  ')
@@ -43437,7 +44476,7 @@ index e79dccc..50202ef 100644
  /usr/sbin/ntpdate		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
  
 diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..4b93b29 100644
+index e80f8c0..c58528f 100644
 --- a/policy/modules/services/ntp.if
 +++ b/policy/modules/services/ntp.if
 @@ -98,6 +98,49 @@ interface(`ntp_initrc_domtrans',`
@@ -43475,14 +44514,14 @@ index e80f8c0..4b93b29 100644
 +#
 +interface(`ntp_systemctl',`
 +	gen_require(`
-+		type ntpd_unit_t;
++		type ntpd_unit_file_t;
 +		type ntpd_t;
 +	')
 +
 +	systemd_exec_systemctl($1)
 +	systemd_search_unit_dirs($1)
-+	allow $1 ntpd_unit_t:file read_file_perms;
-+	allow $1 ntpd_unit_t:service all_service_perms;
++	allow $1 ntpd_unit_file_t:file read_file_perms;
++	allow $1 ntpd_unit_file_t:service all_service_perms;
 +
 +	ps_process_pattern($1, ntpd_t)
 +')
@@ -44608,10 +45647,10 @@ index 0000000..548d0a2
 +')
 diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
 new file mode 100644
-index 0000000..2321872
+index 0000000..9c4df9f
 --- /dev/null
 +++ b/policy/modules/services/piranha.te
-@@ -0,0 +1,296 @@
+@@ -0,0 +1,299 @@
 +policy_module(piranha, 1.0.0)
 +
 +########################################
@@ -44828,6 +45867,7 @@ index 0000000..2321872
 +optional_policy(`
 +	ftp_domtrans(piranha_pulse_t)
 +	ftp_initrc_domtrans(piranha_pulse_t)
++	ftp_systemctl(piranha_pulse_t)
 +')
 +
 +optional_policy(`
@@ -44835,6 +45875,7 @@ index 0000000..2321872
 +')
 +
 +optional_policy(`
++    ldap_systemctl(piranha_pulse_t)
 +    ldap_initrc_domtrans(piranha_pulse_t)
 +    ldap_domtrans(piranha_pulse_t)
 +')
@@ -44856,6 +45897,7 @@ index 0000000..2321872
 +
 +optional_policy(`
 +	samba_initrc_domtrans(piranha_pulse_t)
++	samba_systemctl(piranha_pulse_t)
 +	samba_domtrans_smbd(piranha_pulse_t)
 +	samba_domtrans_nmbd(piranha_pulse_t)
 +	samba_manage_var_files(piranha_pulse_t)
@@ -45572,6 +46614,382 @@ index 1e7169d..05409ab 100644
  	hal_read_state(policykit_resolve_t)
  ')
 -
+diff --git a/policy/modules/services/polipo.fc b/policy/modules/services/polipo.fc
+new file mode 100644
+index 0000000..8a06f66
+--- /dev/null
++++ b/policy/modules/services/polipo.fc
+@@ -0,0 +1,14 @@
++HOME_DIR/\.polipo	--	gen_context(system_u:object_r:polipo_config_home_t,s0)
++HOME_DIR/\.polipo-cache(/.*)?	gen_context(system_u:object_r:polipo_cache_home_t,s0)
++
++/etc/polipo(/.*)?	gen_context(system_u:object_r:polipo_etc_t,s0)
++
++/etc/rc\.d/init\.d/polipo	--	gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
++
++/usr/bin/polipo	--	gen_context(system_u:object_r:polipo_exec_t,s0)
++
++/var/cache/polipo(/.*)?	gen_context(system_u:object_r:polipo_cache_t,s0)
++
++/var/log/polipo.*	--	gen_context(system_u:object_r:polipo_log_t,s0)
++
++/var/run/polipo(/.*)?	gen_context(system_u:object_r:polipo_pid_t,s0)
+diff --git a/policy/modules/services/polipo.if b/policy/modules/services/polipo.if
+new file mode 100644
+index 0000000..b11f37a
+--- /dev/null
++++ b/policy/modules/services/polipo.if
+@@ -0,0 +1,185 @@
++## <summary>Caching web proxy.</summary>
++
++########################################
++## <summary>
++##	Role access for polipo session.
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++template(`polipo_role',`
++	gen_require(`
++		type polipo_session_t, polipo_exec_t;
++	')
++
++	########################################
++	#
++	# Declarations
++	#
++
++	role $1 types polipo_session_t;
++
++	########################################
++	#
++	# Policy
++	#
++
++	allow $2 polipo_session_t:process { ptrace signal_perms };
++	ps_process_pattern($2, polipo_session_t)
++
++	tunable_policy(`polipo_session_users',`
++		domtrans_pattern($2, polipo_exec_t, polipo_session_t)
++	',`
++		can_exec($2, polipo_exec_t)
++	')
++')
++
++########################################
++## <summary>
++##	Create configuration files in user
++##	home directories with a named file
++##	type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`polipo_named_filetrans_config_home_files',`
++	gen_require(`
++		type polipo_config_home_t;
++	')
++
++	userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
++')
++
++########################################
++## <summary>
++##	Create cache directories in user
++##	home directories with a named file
++##	type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`polipo_named_filetrans_cache_home_dirs',`
++	gen_require(`
++		type polipo_cache_home_t;
++	')
++
++	userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
++')
++
++########################################
++## <summary>
++##	Create configuration files in admin
++##	home directories with a named file
++##	type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`polipo_named_filetrans_admin_config_home_files',`
++	gen_require(`
++		type polipo_config_home_t;
++	')
++
++	userdom_admin_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
++')
++
++########################################
++## <summary>
++##	Create cache directories in admin
++##	home directories with a named file
++##	type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`polipo_named_filetrans_admin_cache_home_dirs',`
++	gen_require(`
++		type polipo_cache_home_t;
++	')
++
++	userdom_admin_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
++')
++
++########################################
++## <summary>
++##	Create log files with a named file
++##	type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`polipo_named_filetrans_log_files',`
++	gen_require(`
++		type polipo_log_t;
++	')
++
++	logging_log_named_filetrans($1, polipo_log_t, file, "polipo")
++')
++
++########################################
++## <summary>
++##	Administrate an polipo environment.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`polipo_admin',`
++	gen_require(`
++		type polipo_t, polipo_pid_t, polipo_cache_t;
++		type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
++	')
++
++	allow $1 polipo_t:process { ptrace signal_perms };
++	ps_process_pattern($1, polipo_t)
++
++	init_labeled_script_domtrans($1, polipo_initrc_exec_t)
++	domain_system_change_exemption($1)
++	role_transition $2 polipo_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_list_etc($1)
++	admin_pattern($1, polipo_etc_t)
++
++	logging_list_logs($1)
++	admin_pattern($1, polipo_log_t)
++
++	files_list_var($1)
++	admin_pattern($1, polipo_cache_t)
++
++	files_list_pids($1)
++	admin_pattern($1, polipo_pid_t)
++')
+diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
+new file mode 100644
+index 0000000..89ab1b6
+--- /dev/null
++++ b/policy/modules/services/polipo.te
+@@ -0,0 +1,159 @@
++policy_module(polipo, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++## <desc>
++##	<p>
++##	Determine whether polipo can
++##	access cifs file systems.
++##	</p>
++## </desc>
++gen_tunable(polipo_use_cifs, false)
++
++## <desc>
++##	<p>
++##	Determine whether Polipo can
++##	access nfs file systems.
++##	</p>
++## </desc>
++gen_tunable(polipo_use_nfs, false)
++
++## <desc>
++##	<p>
++##	Determine whether Polipo session daemon
++##	can bind tcp sockets to all unreserved ports.
++##	</p>
++## </desc>
++gen_tunable(polipo_session_bind_all_unreserved_ports, false)
++
++## <desc>
++##	<p>
++##	Determine whether calling user domains
++##	can execute Polipo daemon in the
++##	polipo_session_t domain.
++##	</p>
++## </desc>
++gen_tunable(polipo_session_users, false)
++
++## <desc>
++##	<p>
++##	Determine whether Polipo session daemon
++##	can send syslog messages.
++##	</p>
++## </desc>
++gen_tunable(polipo_session_send_syslog_msg, false)
++
++attribute polipo_daemon;
++
++type polipo_t, polipo_daemon;
++type polipo_exec_t;
++init_daemon_domain(polipo_t, polipo_exec_t)
++
++type polipo_initrc_exec_t;
++init_script_file(polipo_initrc_exec_t)
++
++type polipo_etc_t;
++files_config_file(polipo_etc_t)
++
++type polipo_cache_t;
++files_type(polipo_cache_t)
++
++type polipo_log_t;
++logging_log_file(polipo_log_t)
++
++type polipo_pid_t;
++files_pid_file(polipo_pid_t)
++
++type polipo_session_t, polipo_daemon;
++application_domain(polipo_session_t, polipo_exec_t)
++ubac_constrained(polipo_session_t)
++
++type polipo_config_home_t;
++userdom_user_home_content(polipo_config_home_t)
++
++type polipo_cache_home_t;
++userdom_user_home_content(polipo_cache_home_t)
++
++########################################
++#
++# Global local policy
++#
++
++allow polipo_daemon self:fifo_file rw_fifo_file_perms;
++allow polipo_daemon self:tcp_socket { listen accept };
++
++corenet_all_recvfrom_netlabel(polipo_daemon)
++corenet_all_recvfrom_unlabeled(polipo_daemon)
++corenet_tcp_bind_generic_node(polipo_daemon)
++corenet_tcp_sendrecv_generic_if(polipo_daemon)
++corenet_tcp_sendrecv_generic_node(polipo_daemon)
++corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
++corenet_tcp_bind_http_cache_port(polipo_daemon)
++corenet_sendrecv_http_cache_server_packets(polipo_daemon)
++
++files_read_usr_files(polipo_daemon)
++
++fs_search_auto_mountpoints(polipo_daemon)
++
++miscfiles_read_localization(polipo_daemon)
++
++########################################
++#
++# Polipo local policy
++#
++
++read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t)
++
++manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
++
++append_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
++
++manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t)
++
++auth_use_nsswitch(polipo_t)
++
++logging_send_syslog_msg(polipo_t)
++
++tunable_policy(`polipo_use_cifs',`
++	fs_manage_cifs_files(polipo_t)
++')
++
++tunable_policy(`polipo_use_nfs',`
++	fs_manage_nfs_files(polipo_t)
++')
++
++########################################
++#
++# Polipo session local policy
++#
++
++read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t)
++manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
++
++auth_use_nsswitch(polipo_session_t)
++
++userdom_use_user_terminals(polipo_session_t)
++
++tunable_policy(`polipo_session_bind_all_unreserved_ports',`
++	corenet_tcp_sendrecv_all_ports(polipo_session_t)
++	corenet_tcp_bind_all_unreserved_ports(polipo_session_t)
++')
++
++tunable_policy(`polipo_session_send_syslog_msg',`
++	logging_send_syslog_msg(polipo_session_t)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_manage_nfs_files(polipo_session_t)
++',`
++	fs_dontaudit_manage_nfs_files(polipo_session_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_manage_cifs_files(polipo_session_t)
++',`
++	fs_dontaudit_manage_cifs_files(polipo_session_t)
++')
 diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
 index 333a1fe..e599723 100644
 --- a/policy/modules/services/portmap.te
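Review bot: The polipo_t local policy in polipo.te grants only `manage_files_pattern` on polipo_cache_t and polipo_pid_t, while polipo.fc labels `/var/cache/polipo(/.*)?` and `/var/run/polipo(/.*)?` as directory trees, so with these rules alone the daemon cannot create or remove directories beneath them. No `files_pid_filetrans` or `logging_log_filetrans` rule is present either, so a pid directory recreated under a tmpfs /var/run at boot, or a newly created `/var/log/polipo*` file, would presumably be created as the parent directory's type rather than polipo_pid_t/polipo_log_t unless something else relabels them. The lines below add the directory permissions and the type transitions; the session, tunable and daemon-attribute sections are unchanged.

```m4
# … unchanged: read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t) …

manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t)

append_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
logging_log_filetrans(polipo_t, polipo_log_t, file)

manage_dirs_pattern(polipo_t, polipo_pid_t, polipo_pid_t)
manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t)
files_pid_filetrans(polipo_t, polipo_pid_t, { dir file })

# … unchanged: auth_use_nsswitch, logging_send_syslog_msg, polipo_use_* tunables …
```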
@@ -46062,7 +47480,7 @@ index 46bee12..c22af86 100644
 +	role $2 types postfix_postdrop_t;
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..4f41f4e 100644
+index a32c4b3..ef34196 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
 @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -46190,7 +47608,7 @@ index a32c4b3..4f41f4e 100644
  
  term_dontaudit_search_ptys(postfix_master_t)
  
-@@ -220,13 +241,15 @@ allow postfix_bounce_t self:capability dac_read_search;
+@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search;
  allow postfix_bounce_t self:tcp_socket create_socket_perms;
  
  allow postfix_bounce_t postfix_public_t:sock_file write;
@@ -46202,12 +47620,14 @@ index a32c4b3..4f41f4e 100644
  manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
  files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
  
-+allow postfix_bounce_t postfix_spool_maildrop_t:dir search_dir_perms;
++manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
 +
  manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
  manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
  manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
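Review bot: The new `allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;` is placed inside the postfix_bounce_t block, although postfix.te keeps a separate `# Postfix qmgr local policy` section for postfix_qmgr_t rules; moving the line there keeps each domain's rules together and avoids it being overlooked when the bounce rules are revisited. Separately, the replaced `search_dir_perms` on postfix_spool_maildrop_t becomes full `manage_files_pattern` and `manage_dirs_pattern`, which lets the bounce daemon create and unlink entries in the postdrop queue; if the denial being fixed was only a read, `read_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` with `list_dir_perms` would be the narrower grant, so worth checking against the AVC that motivated it.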
-@@ -249,6 +272,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+@@ -249,6 +274,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
  manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
  files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
  
@@ -46218,7 +47638,7 @@ index a32c4b3..4f41f4e 100644
  allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
  
  corecmd_exec_bin(postfix_cleanup_t)
-@@ -264,8 +291,8 @@ optional_policy(`
+@@ -264,8 +293,8 @@ optional_policy(`
  # Postfix local local policy
  #
  
@@ -46228,7 +47648,7 @@ index a32c4b3..4f41f4e 100644
  
  # connect to master process
  stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-@@ -273,6 +300,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,6 +302,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
  # for .forward - maybe we need a new type for it?
  rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
  
@@ -46237,7 +47657,7 @@ index a32c4b3..4f41f4e 100644
  allow postfix_local_t postfix_spool_t:file rw_file_perms;
  
  corecmd_exec_shell(postfix_local_t)
-@@ -286,10 +315,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t)
  mta_delete_spool(postfix_local_t)
  # For reading spamassasin
  mta_read_config(postfix_local_t)
@@ -46256,7 +47676,7 @@ index a32c4b3..4f41f4e 100644
  
  optional_policy(`
  	clamav_search_lib(postfix_local_t)
-@@ -297,6 +331,10 @@ optional_policy(`
+@@ -297,6 +333,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46267,7 +47687,7 @@ index a32c4b3..4f41f4e 100644
  #	for postalias
  	mailman_manage_data_files(postfix_local_t)
  	mailman_append_log(postfix_local_t)
-@@ -304,9 +342,22 @@ optional_policy(`
+@@ -304,9 +344,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46290,7 +47710,7 @@ index a32c4b3..4f41f4e 100644
  ########################################
  #
  # Postfix map local policy
-@@ -372,6 +423,7 @@ optional_policy(`
+@@ -372,6 +425,7 @@ optional_policy(`
  # Postfix pickup local policy
  #
  
@@ -46298,7 +47718,7 @@ index a32c4b3..4f41f4e 100644
  allow postfix_pickup_t self:tcp_socket create_socket_perms;
  
  stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
-@@ -379,19 +431,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,19 +433,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  
@@ -46326,7 +47746,7 @@ index a32c4b3..4f41f4e 100644
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
  
-@@ -401,6 +460,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +462,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
  domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  
@@ -46335,7 +47755,7 @@ index a32c4b3..4f41f4e 100644
  optional_policy(`
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
-@@ -420,6 +481,7 @@ optional_policy(`
+@@ -420,6 +483,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -46343,7 +47763,7 @@ index a32c4b3..4f41f4e 100644
  ')
  
  optional_policy(`
-@@ -436,11 +498,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +500,17 @@ allow postfix_postdrop_t self:capability sys_resource;
  allow postfix_postdrop_t self:tcp_socket create;
  allow postfix_postdrop_t self:udp_socket create_socket_perms;
  
@@ -46361,7 +47781,7 @@ index a32c4b3..4f41f4e 100644
  corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
  corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
  
-@@ -487,8 +555,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +557,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
  domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
  
  # to write the mailq output, it really should not need read access!
@@ -46372,7 +47792,7 @@ index a32c4b3..4f41f4e 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -507,6 +575,8 @@ optional_policy(`
+@@ -507,6 +577,8 @@ optional_policy(`
  # Postfix qmgr local policy
  #
  
@@ -46381,7 +47801,7 @@ index a32c4b3..4f41f4e 100644
  stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +589,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +591,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -46394,7 +47814,7 @@ index a32c4b3..4f41f4e 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +613,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +615,9 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -46405,7 +47825,7 @@ index a32c4b3..4f41f4e 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -565,6 +641,14 @@ optional_policy(`
+@@ -565,6 +643,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46420,7 +47840,7 @@ index a32c4b3..4f41f4e 100644
  	milter_stream_connect_all(postfix_smtp_t)
  ')
  
-@@ -588,10 +672,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +674,16 @@ corecmd_exec_bin(postfix_smtpd_t)
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -46437,7 +47857,7 @@ index a32c4b3..4f41f4e 100644
  ')
  
  optional_policy(`
-@@ -611,8 +701,8 @@ optional_policy(`
+@@ -611,8 +703,8 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -46447,7 +47867,7 @@ index a32c4b3..4f41f4e 100644
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
-@@ -630,3 +720,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +722,8 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -46754,10 +48174,17 @@ index db843e2..4389e81 100644
  type postgrey_var_lib_t;
  files_type(postgrey_var_lib_t)
 diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
-index 2d82c6d..dd05493 100644
+index 2d82c6d..adf5731 100644
 --- a/policy/modules/services/ppp.fc
 +++ b/policy/modules/services/ppp.fc
-@@ -16,6 +16,7 @@
+@@ -11,11 +11,14 @@
+ # Fix /etc/ppp {up,down} family scripts (see man pppd)
+ /etc/ppp/(auth|ip(v6|x)?)-(up|down) --	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+ 
++/lib/systemd/system/ppp.*	--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
+ /root/.ppprc			--	gen_context(system_u:object_r:pppd_etc_t,s0)
+ 
  #
  # /sbin
  #
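Review bot: The new entry labels `/lib/systemd/system/ppp.*` as `iptables_unit_file_t`, yet this same commit declares `pppd_unit_file_t` in ppp.te and the new `ppp_systemctl` interface grants `$1 pppd_unit_file_t:service all_service_perms`, so the interface would never match the installed ppp unit while any domain allowed to manage iptables unit files would gain control of the ppp service. The line should read `/lib/systemd/system/ppp.*	--	gen_context(system_u:object_r:pppd_unit_file_t,s0)`. The unanchored `ppp.*` also matches every unit whose name begins with ppp; if only the pppd units are meant, a tighter pattern would avoid labelling unrelated files.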
@@ -46765,7 +48192,7 @@ index 2d82c6d..dd05493 100644
  /sbin/ppp-watch			--	gen_context(system_u:object_r:pppd_exec_t,s0)
  
  #
-@@ -34,5 +35,7 @@
+@@ -34,5 +37,7 @@
  # Fix pptp sockets
  /var/run/pptp(/.*)?			gen_context(system_u:object_r:pptp_var_run_t,s0)
  
@@ -46775,7 +48202,7 @@ index 2d82c6d..dd05493 100644
 -/var/log/ppp/.*			--	gen_context(system_u:object_r:pppd_log_t,s0)
 +/var/log/ppp(/.*)?	gen_context(system_u:object_r:pppd_log_t,s0)
 diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
-index b524673..9d90fb3 100644
+index b524673..d3f932f 100644
 --- a/policy/modules/services/ppp.if
 +++ b/policy/modules/services/ppp.if
 @@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
@@ -46814,7 +48241,38 @@ index b524673..9d90fb3 100644
  	allow $1 pppd_var_run_t:file manage_file_perms;
  ')
  
-@@ -348,21 +348,27 @@ interface(`ppp_initrc_domtrans',`
+@@ -340,6 +340,30 @@ interface(`ppp_initrc_domtrans',`
+ 
+ ########################################
+ ## <summary>
++##	Execute pppd server in the pppd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`ppp_systemctl',`
++	gen_require(`
++		type pppd_unit_file_t;
++		type pppd_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
++	allow $1 pppd_unit_file_t:file read_file_perms;
++	allow $1 pppd_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, pppd_t)
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to administrate
+ ##	an ppp environment
+ ## </summary>
+@@ -348,21 +372,27 @@ interface(`ppp_initrc_domtrans',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
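Review bot: The summary on the new `ppp_systemctl` interface, `Execute pppd server in the pppd domain.`, describes a domain transition, not what the interface actually grants (executing systemctl, searching unit directories and holding every service permission on pppd_unit_file_t), and the parameter text `Domain allowed to transition.` is likewise carried over from a domtrans interface. Suggest `##	Execute systemctl to manage the pppd service.` for the summary and `##	Domain allowed access.` for the parameter, so the generated interface documentation matches the rules. Since `all_service_perms` covers every service operation, the summary should make clear this is full control of the unit rather than read-only status access.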
@@ -46847,7 +48305,7 @@ index b524673..9d90fb3 100644
  	ppp_initrc_domtrans($1)
  	domain_system_change_exemption($1)
  	role_transition $2 pppd_initrc_exec_t system_r;
-@@ -374,6 +380,7 @@ interface(`ppp_admin',`
+@@ -374,6 +404,7 @@ interface(`ppp_admin',`
  	logging_list_logs($1)
  	admin_pattern($1, pppd_log_t)
  
@@ -46855,7 +48313,7 @@ index b524673..9d90fb3 100644
  	admin_pattern($1, pppd_lock_t)
  
  	files_list_etc($1)
-@@ -386,9 +393,6 @@ interface(`ppp_admin',`
+@@ -386,10 +417,9 @@ interface(`ppp_admin',`
  	files_list_pids($1)
  	admin_pattern($1, pppd_var_run_t)
  
@@ -46865,8 +48323,11 @@ index b524673..9d90fb3 100644
  	admin_pattern($1, pptp_log_t)
  
  	admin_pattern($1, pptp_var_run_t)
++
++	ppp_systemctl($1)
+ ')
 diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..0d51fe4 100644
+index 2af42e7..392bc4b 100644
 --- a/policy/modules/services/ppp.te
 +++ b/policy/modules/services/ppp.te
 @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -46892,7 +48353,17 @@ index 2af42e7..0d51fe4 100644
  ## </desc>
  gen_tunable(pppd_for_user, false)
  
-@@ -70,9 +70,9 @@ files_pid_file(pptp_var_run_t)
+@@ -39,6 +39,9 @@ files_type(pppd_etc_rw_t)
+ type pppd_initrc_exec_t alias pppd_script_exec_t;
+ init_script_file(pppd_initrc_exec_t)
+ 
++type pppd_unit_file_t;
++systemd_unit_file(pppd_unit_file_t)
++
+ # pppd_secret_t is the type of the pap and chap password files
+ type pppd_secret_t;
+ files_type(pppd_secret_t)
+@@ -70,9 +73,9 @@ files_pid_file(pptp_var_run_t)
  # PPPD Local policy
  #
  
@@ -46904,7 +48375,7 @@ index 2af42e7..0d51fe4 100644
  allow pppd_t self:fifo_file rw_fifo_file_perms;
  allow pppd_t self:socket create_socket_perms;
  allow pppd_t self:unix_dgram_socket create_socket_perms;
-@@ -84,28 +84,29 @@ allow pppd_t self:packet_socket create_socket_perms;
+@@ -84,28 +87,29 @@ allow pppd_t self:packet_socket create_socket_perms;
  
  domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
  
@@ -46940,7 +48411,7 @@ index 2af42e7..0d51fe4 100644
  
  allow pppd_t pptp_t:process signal;
  
-@@ -166,6 +167,8 @@ init_dontaudit_write_utmp(pppd_t)
+@@ -166,6 +170,8 @@ init_dontaudit_write_utmp(pppd_t)
  init_signal_script(pppd_t)
  
  auth_use_nsswitch(pppd_t)
@@ -46949,7 +48420,7 @@ index 2af42e7..0d51fe4 100644
  
  logging_send_syslog_msg(pppd_t)
  logging_send_audit_msgs(pppd_t)
-@@ -176,7 +179,7 @@ sysnet_exec_ifconfig(pppd_t)
+@@ -176,7 +182,7 @@ sysnet_exec_ifconfig(pppd_t)
  sysnet_manage_config(pppd_t)
  sysnet_etc_filetrans_config(pppd_t)
  
@@ -46958,7 +48429,7 @@ index 2af42e7..0d51fe4 100644
  userdom_dontaudit_use_unpriv_user_fds(pppd_t)
  userdom_search_user_home_dirs(pppd_t)
  
-@@ -187,13 +190,15 @@ optional_policy(`
+@@ -187,13 +193,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46975,7 +48446,7 @@ index 2af42e7..0d51fe4 100644
  ')
  
  optional_policy(`
-@@ -243,14 +248,17 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +251,17 @@ allow pptp_t pppd_log_t:file append_file_perms;
  allow pptp_t pptp_log_t:file manage_file_perms;
  logging_log_filetrans(pptp_t, pptp_log_t, file)
  
@@ -47206,7 +48677,7 @@ index b64b02f..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
 +')
 diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..e1ae545 100644
+index 29b9295..6451f82 100644
 --- a/policy/modules/services/procmail.te
 +++ b/policy/modules/services/procmail.te
 @@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -47228,12 +48699,14 @@ index 29b9295..e1ae545 100644
  create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
  append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
  read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -75,10 +78,18 @@ files_search_pids(procmail_t)
+@@ -75,10 +78,20 @@ files_search_pids(procmail_t)
  # for spamassasin
  files_read_usr_files(procmail_t)
  
 +application_exec_all(procmail_t)
 +
++init_read_utmp(procmail_t)
++
  logging_send_syslog_msg(procmail_t)
 +logging_append_all_logs(procmail_t)
  
@@ -47247,7 +48720,7 @@ index 29b9295..e1ae545 100644
  # only works until we define a different type for maildir
  userdom_manage_user_home_content_dirs(procmail_t)
  userdom_manage_user_home_content_files(procmail_t)
-@@ -87,8 +98,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
+@@ -87,8 +100,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
  userdom_manage_user_home_content_sockets(procmail_t)
  userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
  
@@ -47258,7 +48731,7 @@ index 29b9295..e1ae545 100644
  
  mta_manage_spool(procmail_t)
  mta_read_queue(procmail_t)
-@@ -125,6 +136,11 @@ optional_policy(`
+@@ -125,6 +138,11 @@ optional_policy(`
  	postfix_read_spool_files(procmail_t)
  	postfix_read_local_state(procmail_t)
  	postfix_read_master_state(procmail_t)
@@ -47479,7 +48952,7 @@ index 2f1e529..8c0b242 100644
  /usr/sbin/puppetmasterd		--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
  
 diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
-index 2855a44..9bc56ee 100644
+index 2855a44..58bb459 100644
 --- a/policy/modules/services/puppet.if
 +++ b/policy/modules/services/puppet.if
 @@ -8,6 +8,53 @@
@@ -47536,7 +49009,7 @@ index 2855a44..9bc56ee 100644
  ################################################
  ## <summary>
  ##	Read / Write to Puppet temp files.  Puppet uses
-@@ -21,7 +68,7 @@
+@@ -21,11 +68,87 @@
  ##	</summary>
  ## </param>
  #
@@ -47545,8 +49018,9 @@ index 2855a44..9bc56ee 100644
  	gen_require(`
  		type puppet_tmp_t;
  	')
-@@ -29,3 +76,79 @@ interface(`puppet_rw_tmp', `
- 	allow $1 puppet_tmp_t:file rw_file_perms;
+ 
+-	allow $1 puppet_tmp_t:file rw_file_perms;
++	allow $1 puppet_tmp_t:file rw_inherited_file_perms;
  	files_search_tmp($1)
  ')
 +
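Review bot: Narrowing `puppet_rw_tmp` to `rw_inherited_file_perms` removes `open`, so callers can only use puppet_tmp_t descriptors they inherit; the interface's summary, which sits outside this hunk and still says `Read / Write to Puppet temp files.`, now overstates the access, and any existing caller that opened puppet_tmp_t files itself will start to be denied. Suggest amending the summary to `Read / Write inherited Puppet temp files.` and checking the current callers of `puppet_rw_tmp` for that case.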
@@ -47626,7 +49100,7 @@ index 2855a44..9bc56ee 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..7041ad9 100644
+index 64c5f95..5f6e7b8 100644
 --- a/policy/modules/services/puppet.te
 +++ b/policy/modules/services/puppet.te
 @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
@@ -47682,7 +49156,18 @@ index 64c5f95..7041ad9 100644
  ')
  
  optional_policy(`
-@@ -162,7 +174,60 @@ optional_policy(`
+@@ -144,6 +156,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	mount_domtrans(puppet_t)
++')
++
++optional_policy(`
+ 	files_rw_var_files(puppet_t)
+ 
+ 	rpm_domtrans(puppet_t)
+@@ -162,7 +178,60 @@ optional_policy(`
  
  ########################################
  #
@@ -47744,7 +49229,7 @@ index 64c5f95..7041ad9 100644
  #
  
  allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-@@ -171,29 +236,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+@@ -171,29 +240,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
  allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
  allow puppetmaster_t self:socket create;
  allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
@@ -47783,7 +49268,7 @@ index 64c5f95..7041ad9 100644
  
  corecmd_exec_bin(puppetmaster_t)
  corecmd_exec_shell(puppetmaster_t)
-@@ -206,21 +277,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
+@@ -206,21 +281,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
  corenet_tcp_bind_puppet_port(puppetmaster_t)
  corenet_sendrecv_puppet_server_packets(puppetmaster_t)
  
@@ -47799,11 +49284,11 @@ index 64c5f95..7041ad9 100644
 +domain_obj_id_change_exemption(puppetmaster_t)
 +
 +files_read_usr_files(puppetmaster_t)
-+
-+selinux_validate_context(puppetmaster_t)
  
 -files_read_etc_files(puppetmaster_t)
 -files_search_var_lib(puppetmaster_t)
++selinux_validate_context(puppetmaster_t)
++
 +auth_use_nsswitch(puppetmaster_t)
  
  logging_send_syslog_msg(puppetmaster_t)
@@ -47833,7 +49318,7 @@ index 64c5f95..7041ad9 100644
  optional_policy(`
  	hostname_exec(puppetmaster_t)
  ')
-@@ -231,3 +327,9 @@ optional_policy(`
+@@ -231,3 +331,9 @@ optional_policy(`
  	rpm_exec(puppetmaster_t)
  	rpm_read_db(puppetmaster_t)
  ')
@@ -49197,7 +50682,7 @@ index 7dc38d1..9c2c963 100644
 +	admin_pattern($1, rgmanager_var_run_t)
 +')
 diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..e605105 100644
+index 00fa514..bac3e66 100644
 --- a/policy/modules/services/rgmanager.te
 +++ b/policy/modules/services/rgmanager.te
 @@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0)
@@ -49312,11 +50797,12 @@ index 00fa514..e605105 100644
  	fstools_domtrans(rgmanager_t)
  ')
  
-@@ -140,6 +158,15 @@ optional_policy(`
+@@ -140,6 +158,16 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	ldap_initrc_domtrans(rgmanager_t)
++	ldap_systemctl(rgmanager_t)
 +	ldap_domtrans(rgmanager_t)
 +')
 +
@@ -49328,11 +50814,20 @@ index 00fa514..e605105 100644
  	mysql_domtrans_mysql_safe(rgmanager_t)
  	mysql_stream_connect(rgmanager_t)
  ')
+@@ -165,6 +193,8 @@ optional_policy(`
+ optional_policy(`
+ 	rpc_initrc_domtrans_nfsd(rgmanager_t)
+ 	rpc_initrc_domtrans_rpcd(rgmanager_t)
++	rpc_systemctl_nfsd(rgmanager_t)
++	rpc_systemctl_rpcd(rgmanager_t)
+ 
+ 	rpc_domtrans_nfsd(rgmanager_t)
+ 	rpc_domtrans_rpcd(rgmanager_t)
 diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
-index c2ba53b..853eeb5 100644
+index c2ba53b..1f935bf 100644
 --- a/policy/modules/services/rhcs.fc
 +++ b/policy/modules/services/rhcs.fc
-@@ -1,14 +1,18 @@
+@@ -1,20 +1,25 @@
  /usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
  /usr/sbin/fenced			--	gen_context(system_u:object_r:fenced_exec_t,s0)
  /usr/sbin/fence_node			--	gen_context(system_u:object_r:fenced_exec_t,s0)
@@ -49351,6 +50846,13 @@ index c2ba53b..853eeb5 100644
  /var/log/cluster/dlm_controld\.log.*	--	gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
  /var/log/cluster/fenced\.log.*		--	gen_context(system_u:object_r:fenced_var_log_t,s0)
  /var/log/cluster/gfs_controld\.log.*	--	gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
+ /var/log/cluster/qdiskd\.log.*		--	gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+ 
+ /var/run/cluster/fenced_override	--	gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/cluster/fence_scsi.*           --       gen_context(system_u:object_r:fenced_var_run_t,s0)
+ /var/run/dlm_controld\.pid		--	gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+ /var/run/fenced\.pid			--	gen_context(system_u:object_r:fenced_var_run_t,s0)
+ /var/run/gfs_controld\.pid		--	gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
 diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
 index de37806..a21e737 100644
 --- a/policy/modules/services/rhcs.if
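Review bot: The added `/var/run/cluster/fence_scsi.*` entry pads the `--` and `gen_context` columns with runs of spaces, while every neighbouring entry in rhcs.fc uses tabs; `/var/run/cluster/fence_scsi.*	--	gen_context(system_u:object_r:fenced_var_run_t,s0)` keeps the column layout consistent with the file. The `--` qualifier also restricts the match to regular files, so if fence_scsi creates a directory or socket under /var/run/cluster it would keep the parent's type; worth confirming which object classes the agent actually creates.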
@@ -50643,7 +52145,7 @@ index f7826f9..679d185 100644
 +	admin_pattern($1, ricci_var_run_t)
 +')
 diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
-index 33e72e8..ffc0c12 100644
+index 33e72e8..28d2775 100644
 --- a/policy/modules/services/ricci.te
 +++ b/policy/modules/services/ricci.te
 @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
@@ -50782,7 +52284,16 @@ index 33e72e8..ffc0c12 100644
  
  corecmd_exec_bin(ricci_modclusterd_t)
  
-@@ -394,8 +414,6 @@ files_search_usr(ricci_modservice_t)
+@@ -363,6 +383,8 @@ corecmd_exec_bin(ricci_modrpm_t)
+ files_search_usr(ricci_modrpm_t)
+ files_read_etc_files(ricci_modrpm_t)
+ 
++logging_send_syslog_msg(ricci_modrpm_t)
++
+ miscfiles_read_localization(ricci_modrpm_t)
+ 
+ optional_policy(`
+@@ -394,8 +416,6 @@ files_search_usr(ricci_modservice_t)
  # Needed for running chkconfig
  files_manage_etc_symlinks(ricci_modservice_t)
  
@@ -50791,7 +52302,7 @@ index 33e72e8..ffc0c12 100644
  init_domtrans_script(ricci_modservice_t)
  
  miscfiles_read_localization(ricci_modservice_t)
-@@ -405,6 +423,10 @@ optional_policy(`
+@@ -405,6 +425,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50802,7 +52313,7 @@ index 33e72e8..ffc0c12 100644
  	nscd_dontaudit_search_pid(ricci_modservice_t)
  ')
  
-@@ -444,22 +466,22 @@ files_read_etc_runtime_files(ricci_modstorage_t)
+@@ -444,22 +468,22 @@ files_read_etc_runtime_files(ricci_modstorage_t)
  files_read_usr_files(ricci_modstorage_t)
  files_read_kernel_modules(ricci_modstorage_t)
  
@@ -50832,7 +52343,7 @@ index 33e72e8..ffc0c12 100644
  optional_policy(`
  	aisexec_stream_connect(ricci_modstorage_t)
  	corosync_stream_connect(ricci_modstorage_t)
-@@ -471,12 +493,24 @@ optional_policy(`
+@@ -471,12 +495,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50971,17 +52482,27 @@ index 779fa44..4bcaacc 100644
  	tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
  ')
 diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
-index 5c70c0c..6842295 100644
+index 5c70c0c..f9f0f54 100644
 --- a/policy/modules/services/rpc.fc
 +++ b/policy/modules/services/rpc.fc
-@@ -29,3 +29,5 @@
+@@ -6,6 +6,9 @@
+ /etc/rc\.d/init\.d/nfslock --	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rpcidmapd --	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+ 
++/lib/systemd/system/nfs.* 		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)
++/lib/systemd/system/rpc.* 		--	gen_context(system_u:object_r:rpcd_unit_file_t,s0)
++
+ #
+ # /sbin
+ #
+@@ -29,3 +32,5 @@
  
  /var/run/rpc\.statd(/.*)?	gen_context(system_u:object_r:rpcd_var_run_t,s0)
  /var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)
 +
 +/var/tmp/nfs_0 		 --	gen_context(system_u:object_r:gssd_tmp_t,s0)
 diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
-index cda37bb..484e552 100644
+index cda37bb..41b106f 100644
 --- a/policy/modules/services/rpc.if
 +++ b/policy/modules/services/rpc.if
 @@ -32,7 +32,11 @@ interface(`rpc_stub',`
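Review bot: The new `/lib/systemd/system/nfs.*` and `/lib/systemd/system/rpc.*` contexts are prefix wildcards, so `rpc.*` will also label any other unit whose name begins with `rpc` (a separately packaged rpcbind unit, if one is installed there) as `rpcd_unit_file_t`, and `rpc_systemctl_rpcd` later in this patch then hands `all_service_perms` on it to its callers. If only the rpc.statd/idmapd units are meant, spell the intended unit names out instead of the `rpc` prefix. Both lines also carry a stray space before the tab separator, unlike the other entries in this file.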
@@ -51015,7 +52536,38 @@ index cda37bb..484e552 100644
  ')
  
  ########################################
-@@ -246,6 +250,32 @@ interface(`rpc_domtrans_rpcd',`
+@@ -229,6 +233,30 @@ interface(`rpc_initrc_domtrans_nfsd',`
+ 
+ ########################################
+ ## <summary>
++##	Execute nfsd server in the nfsd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`rpc_systemctl_nfsd',`
++	gen_require(`
++		type nfsd_unit_file_t;
++		type nfsd_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
++	allow $1 nfsd_unit_file_t:file read_file_perms;
++	allow $1 nfsd_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, nfsd_t)
++')
++
++########################################
++## <summary>
+ ##	Execute domain in rpcd domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -246,6 +274,32 @@ interface(`rpc_domtrans_rpcd',`
  	allow rpcd_t $1:process signal;
  ')
  
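Review bot: The summary on `rpc_systemctl_nfsd`, `Execute nfsd server in the nfsd domain.`, describes a domain transition, but the body grants `systemd_exec_systemctl`, read on `nfsd_unit_file_t` and `all_service_perms` on the unit, i.e. start/stop/enable control of the service from the caller's own domain. A summary such as `##	Execute systemctl on the nfsd unit file and control the nfsd service.` with the param text `Domain allowed access.` would match what is granted. The same wording is copied into `rpc_systemctl_rpcd` in the next hunk and `samba_systemctl` in samba.if. Since `all_service_perms` is every service operation, a caller that only needs status or start could be given a narrower set, but that is a judgement for the admin interfaces that call these.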
@@ -51048,7 +52600,38 @@ index cda37bb..484e552 100644
  #######################################
  ## <summary>
  ##	Execute domain in rpcd domain.
-@@ -282,7 +312,7 @@ interface(`rpc_read_nfs_content',`
+@@ -266,6 +320,30 @@ interface(`rpc_initrc_domtrans_rpcd',`
+ 
+ ########################################
+ ## <summary>
++##	Execute rpcd server in the rpcd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`rpc_systemctl_rpcd',`
++	gen_require(`
++		type rpcd_unit_file_t;
++		type rpcd_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
++	allow $1 rpcd_unit_file_t:file read_file_perms;
++	allow $1 rpcd_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, rpcd_t)
++')
++
++########################################
++## <summary>
+ ##	Read NFS exported content.
+ ## </summary>
+ ## <param name="domain">
+@@ -282,7 +360,7 @@ interface(`rpc_read_nfs_content',`
  
  	allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
  	allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
@@ -51057,7 +52640,7 @@ index cda37bb..484e552 100644
  ')
  
  ########################################
-@@ -375,7 +405,7 @@ interface(`rpc_search_nfs_state_data',`
+@@ -375,7 +453,7 @@ interface(`rpc_search_nfs_state_data',`
  	')
  
  	files_search_var_lib($1)
@@ -51066,14 +52649,14 @@ index cda37bb..484e552 100644
  ')
  
  ########################################
-@@ -414,4 +444,5 @@ interface(`rpc_manage_nfs_state_data',`
+@@ -414,4 +492,5 @@ interface(`rpc_manage_nfs_state_data',`
  
  	files_search_var_lib($1)
  	manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..4bd5e3c 100644
+index b1468ed..372f918 100644
 --- a/policy/modules/services/rpc.te
 +++ b/policy/modules/services/rpc.te
 @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -51103,7 +52686,25 @@ index b1468ed..4bd5e3c 100644
  ## </desc>
  gen_tunable(allow_nfsd_anon_write, false)
  
-@@ -62,9 +62,10 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
+@@ -39,11 +39,17 @@ rpc_domain_template(rpcd)
+ type rpcd_initrc_exec_t;
+ init_script_file(rpcd_initrc_exec_t)
+ 
++type rpcd_unit_file_t;
++systemd_unit_file(rpcd_unit_file_t)
++
+ rpc_domain_template(nfsd)
+ 
+ type nfsd_initrc_exec_t;
+ init_script_file(nfsd_initrc_exec_t)
+ 
++type nfsd_unit_file_t;
++systemd_unit_file(nfsd_unit_file_t)
++
+ type nfsd_rw_t;
+ files_type(nfsd_rw_t)
+ 
+@@ -62,9 +68,10 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
  allow rpcd_t self:process { getcap setcap };
  allow rpcd_t self:fifo_file rw_fifo_file_perms;
  
@@ -51116,7 +52717,7 @@ index b1468ed..4bd5e3c 100644
  
  # rpc.statd executes sm-notify
  can_exec(rpcd_t, rpcd_exec_t)
-@@ -87,6 +88,7 @@ fs_read_rpc_files(rpcd_t)
+@@ -87,6 +94,7 @@ fs_read_rpc_files(rpcd_t)
  fs_read_rpc_symlinks(rpcd_t)
  fs_rw_rpc_sockets(rpcd_t)
  fs_get_all_fs_quotas(rpcd_t)
@@ -51124,7 +52725,7 @@ index b1468ed..4bd5e3c 100644
  fs_getattr_all_fs(rpcd_t)
  
  storage_getattr_fixed_disk_dev(rpcd_t)
-@@ -97,15 +99,26 @@ miscfiles_read_generic_certs(rpcd_t)
+@@ -97,15 +105,26 @@ miscfiles_read_generic_certs(rpcd_t)
  
  seutil_dontaudit_search_config(rpcd_t)
  
@@ -51151,7 +52752,7 @@ index b1468ed..4bd5e3c 100644
  ########################################
  #
  # NFSD local policy
-@@ -120,9 +133,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+@@ -120,9 +139,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
  kernel_read_system_state(nfsd_t)
  kernel_read_network_state(nfsd_t)
  kernel_dontaudit_getattr_core_if(nfsd_t)
@@ -51166,7 +52767,7 @@ index b1468ed..4bd5e3c 100644
  
  dev_dontaudit_getattr_all_blk_files(nfsd_t)
  dev_dontaudit_getattr_all_chr_files(nfsd_t)
-@@ -148,6 +166,8 @@ storage_raw_read_removable_device(nfsd_t)
+@@ -148,6 +172,8 @@ storage_raw_read_removable_device(nfsd_t)
  # Read access to public_content_t and public_content_rw_t
  miscfiles_read_public_files(nfsd_t)
  
@@ -51175,7 +52776,7 @@ index b1468ed..4bd5e3c 100644
  # Write access to public_content_t and public_content_rw_t
  tunable_policy(`allow_nfsd_anon_write',`
  	miscfiles_manage_public_files(nfsd_t)
-@@ -158,7 +178,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -158,7 +184,6 @@ tunable_policy(`nfs_export_all_rw',`
  	dev_getattr_all_chr_files(nfsd_t)
  
  	fs_read_noxattr_fs_files(nfsd_t)
@@ -51183,7 +52784,7 @@ index b1468ed..4bd5e3c 100644
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -170,8 +189,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -170,8 +195,7 @@ tunable_policy(`nfs_export_all_ro',`
  
  	fs_read_noxattr_fs_files(nfsd_t)
  
@@ -51193,7 +52794,7 @@ index b1468ed..4bd5e3c 100644
  ')
  
  ########################################
-@@ -181,7 +199,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -181,7 +205,7 @@ tunable_policy(`nfs_export_all_ro',`
  
  allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
  allow gssd_t self:process { getsched setsched };
@@ -51202,7 +52803,7 @@ index b1468ed..4bd5e3c 100644
  
  manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +217,7 @@ corecmd_exec_bin(gssd_t)
+@@ -199,6 +223,7 @@ corecmd_exec_bin(gssd_t)
  fs_list_rpc(gssd_t)
  fs_rw_rpc_sockets(gssd_t)
  fs_read_rpc_files(gssd_t)
@@ -51210,7 +52811,7 @@ index b1468ed..4bd5e3c 100644
  
  fs_list_inotifyfs(gssd_t)
  files_list_tmp(gssd_t)
-@@ -210,14 +229,14 @@ auth_manage_cache(gssd_t)
+@@ -210,14 +235,14 @@ auth_manage_cache(gssd_t)
  
  miscfiles_read_generic_certs(gssd_t)
  
@@ -51227,7 +52828,7 @@ index b1468ed..4bd5e3c 100644
  ')
  
  optional_policy(`
-@@ -229,6 +248,10 @@ optional_policy(`
+@@ -229,6 +254,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51609,10 +53210,19 @@ index a07b2f4..ee39810 100644
 +
 +userdom_getattr_user_terminals(rwho_t)
 diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
-index 69a6074..73db5ba 100644
+index 69a6074..c79b415 100644
 --- a/policy/modules/services/samba.fc
 +++ b/policy/modules/services/samba.fc
-@@ -51,3 +51,7 @@
+@@ -11,6 +11,8 @@
+ /etc/samba/smbpasswd		--	gen_context(system_u:object_r:samba_secrets_t,s0)
+ /etc/samba(/.*)?			gen_context(system_u:object_r:samba_etc_t,s0)
+ 
++/lib/systemd/system/smb.service 	--	gen_context(system_u:object_r:samba_unit_file_t,s0)
++
+ #
+ # /usr
+ #
+@@ -51,3 +53,7 @@
  /var/run/winbindd(/.*)?			gen_context(system_u:object_r:winbind_var_run_t,s0)
  
  /var/spool/samba(/.*)?			gen_context(system_u:object_r:samba_var_t,s0)
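Review bot: `/lib/systemd/system/smb.service` leaves the dot unescaped, so as a regex it matches any single character at that position, whereas the other literal dots in this patch's file contexts are escaped (`/etc/rc\.d/init\.d/nfslock` in rpc.fc). Use `/lib/systemd/system/smb\.service	--	gen_context(system_u:object_r:samba_unit_file_t,s0)`, which also drops the space before the tab separator. Only the smbd unit gets `samba_unit_file_t`; if nmb or winbind units ship alongside it they keep the generic unit-file label and fall outside the new `samba_systemctl` interface, which may or may not be intended.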
@@ -51621,10 +53231,41 @@ index 69a6074..73db5ba 100644
 +/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
 +')
 diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
-index 82cb169..9e72970 100644
+index 82cb169..87d1eec 100644
 --- a/policy/modules/services/samba.if
 +++ b/policy/modules/services/samba.if
-@@ -79,6 +79,25 @@ interface(`samba_domtrans_net',`
+@@ -60,6 +60,30 @@ interface(`samba_initrc_domtrans',`
+ 
+ ########################################
+ ## <summary>
++##	Execute samba server in the samba domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`samba_systemctl',`
++	gen_require(`
++		type samba_unit_file_t;
++		type smbd_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
++	allow $1 samba_unit_file_t:file read_file_perms;
++	allow $1 samba_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, smbd_t)
++')
++
++########################################
++## <summary>
+ ##	Execute samba net in the samba_net domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -79,6 +103,25 @@ interface(`samba_domtrans_net',`
  
  ########################################
  ## <summary>
@@ -51650,7 +53291,7 @@ index 82cb169..9e72970 100644
  ##	Execute samba net in the samba_net domain, and
  ##	allow the specified role the samba_net domain.
  ## </summary>
-@@ -103,6 +122,51 @@ interface(`samba_run_net',`
+@@ -103,6 +146,51 @@ interface(`samba_run_net',`
  	role $2 types samba_net_t;
  ')
  
@@ -51702,7 +53343,7 @@ index 82cb169..9e72970 100644
  ########################################
  ## <summary>
  ##	Execute smbmount in the smbmount domain.
-@@ -327,7 +391,6 @@ interface(`samba_search_var',`
+@@ -327,7 +415,6 @@ interface(`samba_search_var',`
  		type samba_var_t;
  	')
  
@@ -51710,7 +53351,7 @@ index 82cb169..9e72970 100644
  	files_search_var_lib($1)
  	allow $1 samba_var_t:dir search_dir_perms;
  ')
-@@ -348,7 +411,6 @@ interface(`samba_read_var_files',`
+@@ -348,7 +435,6 @@ interface(`samba_read_var_files',`
  		type samba_var_t;
  	')
  
@@ -51718,7 +53359,7 @@ index 82cb169..9e72970 100644
  	files_search_var_lib($1)
  	read_files_pattern($1, samba_var_t, samba_var_t)
  ')
-@@ -388,7 +450,6 @@ interface(`samba_rw_var_files',`
+@@ -388,7 +474,6 @@ interface(`samba_rw_var_files',`
  		type samba_var_t;
  	')
  
@@ -51726,7 +53367,7 @@ index 82cb169..9e72970 100644
  	files_search_var_lib($1)
  	rw_files_pattern($1, samba_var_t, samba_var_t)
  ')
-@@ -409,9 +470,9 @@ interface(`samba_manage_var_files',`
+@@ -409,9 +494,9 @@ interface(`samba_manage_var_files',`
  		type samba_var_t;
  	')
  
@@ -51737,7 +53378,7 @@ index 82cb169..9e72970 100644
  ')
  
  ########################################
-@@ -419,15 +480,14 @@ interface(`samba_manage_var_files',`
+@@ -419,15 +504,14 @@ interface(`samba_manage_var_files',`
  ##	Execute a domain transition to run smbcontrol.
  ## </summary>
  ## <param name="domain">
@@ -51756,7 +53397,7 @@ index 82cb169..9e72970 100644
  	')
  
  	domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
-@@ -564,6 +624,7 @@ interface(`samba_domtrans_winbind_helper',`
+@@ -564,6 +648,7 @@ interface(`samba_domtrans_winbind_helper',`
  	')
  
  	domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
@@ -51764,7 +53405,7 @@ index 82cb169..9e72970 100644
  ')
  
  ########################################
-@@ -644,6 +705,37 @@ interface(`samba_stream_connect_winbind',`
+@@ -644,6 +729,37 @@ interface(`samba_stream_connect_winbind',`
  
  ########################################
  ## <summary>
@@ -51802,7 +53443,7 @@ index 82cb169..9e72970 100644
  ##	All of the rules required to administrate 
  ##	an samba environment
  ## </summary>
-@@ -661,21 +753,12 @@ interface(`samba_stream_connect_winbind',`
+@@ -661,21 +777,12 @@ interface(`samba_stream_connect_winbind',`
  #
  interface(`samba_admin',`
  	gen_require(`
@@ -51830,7 +53471,7 @@ index 82cb169..9e72970 100644
  	')
  
  	allow $1 smbd_t:process { ptrace signal_perms };
-@@ -684,6 +767,9 @@ interface(`samba_admin',`
+@@ -684,6 +791,9 @@ interface(`samba_admin',`
  	allow $1 nmbd_t:process { ptrace signal_perms };
  	ps_process_pattern($1, nmbd_t)
  
@@ -51840,7 +53481,7 @@ index 82cb169..9e72970 100644
  	samba_run_smbcontrol($1, $2, $3)
  	samba_run_winbind_helper($1, $2, $3)
  	samba_run_smbmount($1, $2, $3)
-@@ -709,9 +795,6 @@ interface(`samba_admin',`
+@@ -709,9 +819,6 @@ interface(`samba_admin',`
  	admin_pattern($1, samba_var_t)
  	files_list_var($1)
  
@@ -51850,17 +53491,29 @@ index 82cb169..9e72970 100644
  	admin_pattern($1, smbd_var_run_t)
  	files_list_pids($1)
  
-@@ -727,4 +810,5 @@ interface(`samba_admin',`
+@@ -727,4 +834,7 @@ interface(`samba_admin',`
  	admin_pattern($1, winbind_tmp_t)
  
  	admin_pattern($1, winbind_var_run_t)
 +	admin_pattern($1, samba_unconfined_script_exec_t)
++
++	samba_systemctl($1)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..be3f853 100644
+index e30bb63..fed972d 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
-@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
+@@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
+ type samba_initrc_exec_t;
+ init_script_file(samba_initrc_exec_t)
+ 
++type samba_unit_file_t;
++systemd_unit_file(samba_unit_file_t)
++
+ type samba_log_t;
+ logging_log_file(samba_log_t)
+ 
+@@ -152,9 +155,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
  type winbind_log_t;
  logging_log_file(winbind_log_t)
  
@@ -51870,7 +53523,7 @@ index e30bb63..be3f853 100644
  type winbind_var_run_t;
  files_pid_file(winbind_var_run_t)
  
-@@ -215,7 +212,7 @@ miscfiles_read_localization(samba_net_t)
+@@ -215,7 +215,7 @@ miscfiles_read_localization(samba_net_t)
  
  samba_read_var_files(samba_net_t)
  
@@ -51879,7 +53532,7 @@ index e30bb63..be3f853 100644
  userdom_list_user_home_dirs(samba_net_t)
  
  optional_policy(`
-@@ -224,13 +221,14 @@ optional_policy(`
+@@ -224,13 +224,14 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_use(samba_net_t)
@@ -51895,7 +53548,7 @@ index e30bb63..be3f853 100644
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
-@@ -263,7 +261,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -263,7 +264,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
  manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -51904,7 +53557,7 @@ index e30bb63..be3f853 100644
  
  manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-@@ -279,7 +277,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+@@ -279,7 +280,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
  manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -51913,7 +53566,7 @@ index e30bb63..be3f853 100644
  
  allow smbd_t swat_t:process signal;
  
-@@ -323,15 +321,18 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -323,15 +324,18 @@ dev_getattr_all_blk_files(smbd_t)
  dev_getattr_all_chr_files(smbd_t)
  
  fs_getattr_all_fs(smbd_t)
@@ -51932,7 +53585,7 @@ index e30bb63..be3f853 100644
  
  domain_use_interactive_fds(smbd_t)
  domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -343,6 +344,7 @@ files_read_usr_files(smbd_t)
+@@ -343,6 +347,7 @@ files_read_usr_files(smbd_t)
  files_search_spool(smbd_t)
  # smbd seems to getattr all mountpoints
  files_dontaudit_getattr_all_dirs(smbd_t)
@@ -51940,7 +53593,7 @@ index e30bb63..be3f853 100644
  # Allow samba to list mnt_t for potential mounted dirs
  files_list_mnt(smbd_t)
  
-@@ -385,12 +387,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -385,12 +390,7 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -51954,7 +53607,7 @@ index e30bb63..be3f853 100644
  ')
  
  # Support Samba sharing of NFS mount points
-@@ -410,6 +407,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -410,6 +410,10 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -51965,7 +53618,7 @@ index e30bb63..be3f853 100644
  
  optional_policy(`
  	cups_read_rw_config(smbd_t)
-@@ -445,26 +446,25 @@ optional_policy(`
+@@ -445,26 +449,25 @@ optional_policy(`
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -51999,7 +53652,7 @@ index e30bb63..be3f853 100644
  ########################################
  #
  # nmbd Local policy
-@@ -484,8 +484,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +487,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
@@ -52010,7 +53663,7 @@ index e30bb63..be3f853 100644
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -560,13 +561,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
+@@ -560,13 +564,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
  allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
  
  allow smbcontrol_t nmbd_t:process { signal signull };
@@ -52028,10 +53681,12 @@ index e30bb63..be3f853 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -574,11 +575,13 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -574,11 +578,19 @@ samba_read_winbind_pid(smbcontrol_t)
  
  domain_use_interactive_fds(smbcontrol_t)
  
++dev_read_urand(smbcontrol_t)
++
 +term_use_console(smbcontrol_t)
 +
  files_read_etc_files(smbcontrol_t)
@@ -52040,10 +53695,14 @@ index e30bb63..be3f853 100644
  
 -userdom_use_user_terminals(smbcontrol_t)
 +userdom_use_inherited_user_terminals(smbcontrol_t)
++
++optional_policy(`
++	ctdbd_stream_connect(smbcontrol_t)
++')
  
  ########################################
  #
-@@ -644,19 +647,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +656,21 @@ auth_use_nsswitch(smbmount_t)
  
  miscfiles_read_localization(smbmount_t)
  
@@ -52068,7 +53727,7 @@ index e30bb63..be3f853 100644
  ########################################
  #
  # SWAT Local policy
-@@ -677,7 +682,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +691,7 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -52077,7 +53736,7 @@ index e30bb63..be3f853 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -692,12 +697,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +706,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -52092,7 +53751,7 @@ index e30bb63..be3f853 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +717,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +726,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -52100,7 +53759,7 @@ index e30bb63..be3f853 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -754,6 +762,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +771,8 @@ logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
  
@@ -52109,7 +53768,7 @@ index e30bb63..be3f853 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -806,15 +816,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +825,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -52131,7 +53790,7 @@ index e30bb63..be3f853 100644
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
  
-@@ -833,6 +844,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +853,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -52139,7 +53798,20 @@ index e30bb63..be3f853 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -904,7 +916,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -863,6 +884,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
+ userdom_manage_user_home_content_sockets(winbind_t)
+ userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
+ 
++
++optional_policy(`
++	ctdbd_stream_connect(winbind_t)
++	ctdbd_manage_lib_files(winbind_t)
++')
++
+ optional_policy(`
+ 	kerberos_use(winbind_t)
+ ')
+@@ -904,7 +931,7 @@ logging_send_syslog_msg(winbind_helper_t)
  
  miscfiles_read_localization(winbind_helper_t) 
  
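Review bot: `ctdbd_manage_lib_files(winbind_t)` gives winbind create, write and unlink over all of ctdbd's lib content, which is considerably broader than the `ctdbd_stream_connect` next to it; if winbind only opens and updates the clustered databases, an rw-level interface would keep least privilege, and otherwise a one-line comment such as `# winbind updates the clustered tdb databases owned by ctdbd` would record why full manage is needed. The added `++` blank line sits directly after an existing blank context line, leaving two consecutive empty lines before the `optional_policy` block; drop the added one. The winbind_t section continues outside this hunk.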
@@ -52148,7 +53820,7 @@ index e30bb63..be3f853 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -922,6 +934,18 @@ optional_policy(`
+@@ -922,6 +949,18 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -52167,7 +53839,7 @@ index e30bb63..be3f853 100644
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -932,9 +956,12 @@ optional_policy(`
+@@ -932,9 +971,12 @@ optional_policy(`
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -52326,10 +53998,10 @@ index 0000000..486d53d
 +')
 diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
 new file mode 100644
-index 0000000..9edca43
+index 0000000..0c1e385
 --- /dev/null
 +++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,72 @@
 +policy_module(sanlock,1.0.0)
 +
 +########################################
@@ -52350,6 +54022,14 @@ index 0000000..9edca43
 +type sanlock_initrc_exec_t;
 +init_script_file(sanlock_initrc_exec_t)
 +
++ifdef(`enable_mcs',`
++	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
++')
++
++ifdef(`enable_mls',`
++	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mls_systemhigh)
++')
++
 +########################################
 +#
 +# sanlock local policy
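Review bot: The two `init_ranged_daemon_domain` blocks carry no comment on why sanlock must run at the full range, and the reason lives only in the commit message. A comment above the `ifdef(`enable_mcs',` block along the lines of `# sanlock runs at s0 - mcs_systemhigh so it can signal svirt processes that carry a category set` would keep the justification with the policy, since a ranged daemon is a deliberate widening that later readers will question. Whether an unranged `init_daemon_domain` call for sanlock_t remains earlier in this new file is not visible in the hunk.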
@@ -54185,7 +55865,7 @@ index 078bcd7..2d60774 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..3b7fec1 100644
+index 22adaca..040ec9b 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,10 @@
@@ -54385,7 +56065,7 @@ index 22adaca..3b7fec1 100644
  		type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
  		type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
  		type ssh_agent_tmp_t;
-@@ -327,7 +367,7 @@ template(`ssh_role_template',`
+@@ -327,17 +367,19 @@ template(`ssh_role_template',`
  
  	# allow ps to show ssh
  	ps_process_pattern($3, ssh_t)
@@ -54394,7 +56074,11 @@ index 22adaca..3b7fec1 100644
  
  	# for rsync
  	allow ssh_t $3:unix_stream_socket rw_socket_perms;
-@@ -338,6 +378,7 @@ template(`ssh_role_template',`
+ 	allow ssh_t $3:unix_stream_socket connectto;
++	allow ssh_t $3:key manage_key_perms;
+ 
+ 	# user can manage the keys and config
+ 	manage_files_pattern($3, ssh_home_t, ssh_home_t)
  	manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
  	manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
  	userdom_search_user_home_dirs($1_t)
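Review bot: `allow ssh_t $3:key manage_key_perms;` hands the ssh client create, write, setattr and link on the user's keyrings, while the ssh.te hunks later in this patch add only `allow ssh_t self:key read;` and `userdom_read_all_users_keys(ssh_t)`, which suggests the need is read-side ("use kernel keyrings" in the commit message). If the client only looks up the caller's keys, `allow ssh_t $3:key { search read view };` is the narrower grant; if it must link or write into the user keyring, a comment saying what ssh stores there would document the choice. ssh_role_template starts and ends outside this hunk.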
@@ -54402,7 +56086,7 @@ index 22adaca..3b7fec1 100644
  
  	##############################
  	#
-@@ -359,7 +400,7 @@ template(`ssh_role_template',`
+@@ -359,7 +401,7 @@ template(`ssh_role_template',`
  	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
  
  	# Allow the user shell to signal the ssh program.
@@ -54411,7 +56095,7 @@ index 22adaca..3b7fec1 100644
  
  	# allow ps to show ssh
  	ps_process_pattern($3, $1_ssh_agent_t)
-@@ -381,7 +422,6 @@ template(`ssh_role_template',`
+@@ -381,7 +423,6 @@ template(`ssh_role_template',`
  
  	files_read_etc_files($1_ssh_agent_t)
  	files_read_etc_runtime_files($1_ssh_agent_t)
@@ -54419,7 +56103,7 @@ index 22adaca..3b7fec1 100644
  
  	libs_read_lib_files($1_ssh_agent_t)
  
-@@ -393,14 +433,13 @@ template(`ssh_role_template',`
+@@ -393,14 +434,13 @@ template(`ssh_role_template',`
  	seutil_dontaudit_read_config($1_ssh_agent_t)
  
  	# Write to the user domain tty.
@@ -54437,7 +56121,7 @@ index 22adaca..3b7fec1 100644
  
  	tunable_policy(`use_nfs_home_dirs',`
  		fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +516,27 @@ interface(`ssh_read_pipes',`
+@@ -477,8 +517,27 @@ interface(`ssh_read_pipes',`
  		type sshd_t;
  	')
  
@@ -54466,7 +56150,7 @@ index 22adaca..3b7fec1 100644
  ########################################
  ## <summary>
  ##	Read and write a ssh server unnamed pipe.
-@@ -494,7 +552,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +553,7 @@ interface(`ssh_rw_pipes',`
  		type sshd_t;
  	')
  
@@ -54475,7 +56159,7 @@ index 22adaca..3b7fec1 100644
  ')
  
  ########################################
-@@ -586,6 +644,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +645,24 @@ interface(`ssh_domtrans',`
  
  ########################################
  ## <summary>
@@ -54500,7 +56184,7 @@ index 22adaca..3b7fec1 100644
  ##	Execute the ssh client in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -618,7 +694,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +695,7 @@ interface(`ssh_setattr_key_files',`
  		type sshd_key_t;
  	')
  
@@ -54509,7 +56193,7 @@ index 22adaca..3b7fec1 100644
  	files_search_pids($1)
  ')
  
-@@ -680,6 +756,32 @@ interface(`ssh_domtrans_keygen',`
+@@ -680,6 +757,32 @@ interface(`ssh_domtrans_keygen',`
  	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
  ')
  
@@ -54542,7 +56226,7 @@ index 22adaca..3b7fec1 100644
  ########################################
  ## <summary>
  ##	Read ssh server keys
-@@ -695,7 +797,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +798,7 @@ interface(`ssh_dontaudit_read_server_keys',`
  		type sshd_key_t;
  	')
  
@@ -54551,7 +56235,7 @@ index 22adaca..3b7fec1 100644
  ')
  
  ######################################
-@@ -735,3 +837,81 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +838,81 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -54634,7 +56318,7 @@ index 22adaca..3b7fec1 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..a6e2e1e 100644
+index 2dad3c8..d81a09f 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
@@ -54723,7 +56407,15 @@ index 2dad3c8..a6e2e1e 100644
  
  ##############################
  #
-@@ -95,15 +112,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -88,6 +105,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+ allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow ssh_t self:fd use;
+ allow ssh_t self:fifo_file rw_fifo_file_perms;
++allow ssh_t self:key read;
+ allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow ssh_t self:shm create_shm_perms;
+@@ -95,15 +113,11 @@ allow ssh_t self:sem create_sem_perms;
  allow ssh_t self:msgq create_msgq_perms;
  allow ssh_t self:msg { send receive };
  allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -54740,10 +56432,11 @@ index 2dad3c8..a6e2e1e 100644
  manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -113,20 +126,25 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -113,20 +127,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
  manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
  manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
++userdom_read_all_users_keys(ssh_t)
 +userdom_stream_connect(ssh_t)
 +userdom_search_admin_dir(sshd_t)
 +userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
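Review bot: `userdom_read_all_users_keys(ssh_t)` lets the shared ssh_t domain read keys belonging to every user domain, not just the role that launched it, whereas `ssh_role_template` in ssh.if already grants the invoking user's keys to ssh_t via `$3:key` in this same patch. Unless cross-user key access is deliberate, relying on the per-role grant and dropping this line keeps the keyring boundary between users at the SELinux layer (DAC key permissions still apply either way). If it is deliberate, a comment on which keys ssh needs from other users would be the alternative.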
@@ -54769,7 +56462,7 @@ index 2dad3c8..a6e2e1e 100644
  
  kernel_read_kernel_sysctls(ssh_t)
  kernel_read_system_state(ssh_t)
-@@ -138,7 +156,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
+@@ -138,7 +158,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -54781,7 +56474,7 @@ index 2dad3c8..a6e2e1e 100644
  dev_read_urand(ssh_t)
  
  fs_getattr_all_fs(ssh_t)
-@@ -162,21 +184,28 @@ logging_read_generic_logs(ssh_t)
+@@ -162,21 +186,28 @@ logging_read_generic_logs(ssh_t)
  auth_use_nsswitch(ssh_t)
  
  miscfiles_read_localization(ssh_t)
@@ -54816,7 +56509,7 @@ index 2dad3c8..a6e2e1e 100644
  ')
  
  tunable_policy(`use_nfs_home_dirs',`
-@@ -196,10 +225,15 @@ tunable_policy(`user_tcp_server',`
+@@ -196,10 +227,15 @@ tunable_policy(`user_tcp_server',`
  ')
  
  optional_policy(`
@@ -54832,7 +56525,7 @@ index 2dad3c8..a6e2e1e 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,19 +243,14 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,19 +245,14 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -54854,7 +56547,7 @@ index 2dad3c8..a6e2e1e 100644
  #################################
  #
  # sshd local policy
-@@ -232,33 +261,44 @@ optional_policy(`
+@@ -232,33 +263,44 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -54908,7 +56601,7 @@ index 2dad3c8..a6e2e1e 100644
  ')
  
  optional_policy(`
-@@ -266,11 +306,24 @@ optional_policy(`
+@@ -266,11 +308,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54934,7 +56627,7 @@ index 2dad3c8..a6e2e1e 100644
  ')
  
  optional_policy(`
-@@ -284,6 +337,15 @@ optional_policy(`
+@@ -284,6 +339,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54950,7 +56643,7 @@ index 2dad3c8..a6e2e1e 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +354,26 @@ optional_policy(`
+@@ -292,26 +356,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -54996,7 +56689,7 @@ index 2dad3c8..a6e2e1e 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,19 +384,26 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +386,26 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -55024,7 +56717,7 @@ index 2dad3c8..a6e2e1e 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,15 +420,83 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,15 +422,83 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -56438,10 +58131,10 @@ index 0000000..7647279
 +
 diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te
 new file mode 100644
-index 0000000..9fb3ea7
+index 0000000..4fd2377
 --- /dev/null
 +++ b/policy/modules/services/vdagent.te
-@@ -0,0 +1,48 @@
+@@ -0,0 +1,54 @@
 +policy_module(vdagent,1.0.0)
 +
 +########################################
@@ -56464,6 +58157,8 @@ index 0000000..9fb3ea7
 +# vdagent local policy
 +#
 +
++dontaudit vdagent_t self:capability sys_admin;
++
 +allow vdagent_t self:fifo_file rw_fifo_file_perms;
 +allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
 +
@@ -56477,6 +58172,10 @@ index 0000000..9fb3ea7
 +logging_log_filetrans(vdagent_t, vdagent_log_t, { file })
 +
 +dev_rw_input_dev(vdagent_t)
++dev_read_sysfs(vdagent_t)
++dev_dontaudit_write_mtrr(vdagent_t)
++
++files_read_etc_files(vdagent_t)
 +
 +term_use_virtio_console(vdagent_t)
 +
@@ -56589,7 +58288,7 @@ index 32a3c13..7baeb6f 100644
  
  optional_policy(`
 diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..55b5012 100644
+index 2124b6a..49d35d3 100644
 --- a/policy/modules/services/virt.fc
 +++ b/policy/modules/services/virt.fc
 @@ -1,5 +1,6 @@
@@ -56601,12 +58300,13 @@ index 2124b6a..55b5012 100644
  HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
  
  /etc/libvirt		-d	gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +13,29 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +13,30 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
  /etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
  /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
-+/usr/libexec/libvirt_lxc --	gen_context(system_u:object_r:virt_lxc_exec_t,s0)
++/usr/libexec/libvirt_lxc --	gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
 +
++/usr/sbin/libvirt-qmf	--	gen_context(system_u:object_r:virt_qmf_exec_t,s0)
  /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/virsh		--	gen_context(system_u:object_r:virsh_exec_t,s0)
 +/usr/sbin/condor_vm-gahp	--	gen_context(system_u:object_r:virtd_exec_t,s0)
@@ -56625,7 +58325,7 @@ index 2124b6a..55b5012 100644
  /var/run/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
 -/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_var_run_t,s0)
 +/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
-+/var/run/libvirt/lxc(/.*)?	gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
++/var/run/libvirt/lxc(/.*)?	gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
  
  /var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
 +
@@ -56635,7 +58335,7 @@ index 2124b6a..55b5012 100644
 +/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..72e3065 100644
+index 7c5d8d8..d711fd5 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
 @@ -13,39 +13,44 @@
@@ -56745,7 +58445,33 @@ index 7c5d8d8..72e3065 100644
  ## </param>
  #
  interface(`virt_domtrans',`
-@@ -164,13 +175,13 @@ interface(`virt_attach_tun_iface',`
+@@ -114,6 +125,25 @@ interface(`virt_domtrans',`
+ 	domtrans_pattern($1, virtd_exec_t, virtd_t)
+ ')
+ 
++########################################
++## <summary>
++##	Transition to virt_qmf.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`virt_domtrans_qmf',`
++	gen_require(`
++		type virt_qmf_t, virt_qmf_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
++')
++
+ #######################################
+ ## <summary>
+ ##	Connect to virt over an unix domain stream socket.
+@@ -164,13 +194,13 @@ interface(`virt_attach_tun_iface',`
  #
  interface(`virt_read_config',`
  	gen_require(`
@@ -56761,7 +58487,7 @@ index 7c5d8d8..72e3065 100644
  ')
  
  ########################################
-@@ -185,13 +196,13 @@ interface(`virt_read_config',`
+@@ -185,13 +215,13 @@ interface(`virt_read_config',`
  #
  interface(`virt_manage_config',`
  	gen_require(`
@@ -56777,7 +58503,7 @@ index 7c5d8d8..72e3065 100644
  ')
  
  ########################################
-@@ -231,6 +242,24 @@ interface(`virt_read_content',`
+@@ -231,6 +261,24 @@ interface(`virt_read_content',`
  
  ########################################
  ## <summary>
@@ -56802,7 +58528,7 @@ index 7c5d8d8..72e3065 100644
  ##	Read virt PID files.
  ## </summary>
  ## <param name="domain">
-@@ -269,6 +298,36 @@ interface(`virt_manage_pid_files',`
+@@ -269,6 +317,36 @@ interface(`virt_manage_pid_files',`
  
  ########################################
  ## <summary>
@@ -56839,7 +58565,7 @@ index 7c5d8d8..72e3065 100644
  ##	Search virt lib directories.
  ## </summary>
  ## <param name="domain">
-@@ -308,6 +367,24 @@ interface(`virt_read_lib_files',`
+@@ -308,6 +386,24 @@ interface(`virt_read_lib_files',`
  
  ########################################
  ## <summary>
@@ -56864,7 +58590,7 @@ index 7c5d8d8..72e3065 100644
  ##	Create, read, write, and delete
  ##	virt lib files.
  ## </summary>
-@@ -352,9 +429,9 @@ interface(`virt_read_log',`
+@@ -352,9 +448,9 @@ interface(`virt_read_log',`
  ##	virt log files.
  ## </summary>
  ## <param name="domain">
@@ -56876,7 +58602,7 @@ index 7c5d8d8..72e3065 100644
  ## </param>
  #
  interface(`virt_append_log',`
-@@ -424,6 +501,24 @@ interface(`virt_read_images',`
+@@ -424,6 +520,24 @@ interface(`virt_read_images',`
  
  ########################################
  ## <summary>
@@ -56901,7 +58627,7 @@ index 7c5d8d8..72e3065 100644
  ##	Create, read, write, and delete
  ##	svirt cache files.
  ## </summary>
-@@ -433,15 +528,15 @@ interface(`virt_read_images',`
+@@ -433,15 +547,15 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -56922,7 +58648,7 @@ index 7c5d8d8..72e3065 100644
  ')
  
  ########################################
-@@ -500,11 +595,16 @@ interface(`virt_manage_images',`
+@@ -500,11 +614,16 @@ interface(`virt_manage_images',`
  interface(`virt_admin',`
  	gen_require(`
  		type virtd_t, virtd_initrc_exec_t;
@@ -56939,7 +58665,7 @@ index 7c5d8d8..72e3065 100644
  	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 virtd_initrc_exec_t system_r;
-@@ -515,4 +615,188 @@ interface(`virt_admin',`
+@@ -515,4 +634,213 @@ interface(`virt_admin',`
  	virt_manage_lib_files($1)
  
  	virt_manage_log($1)
@@ -56977,7 +58703,7 @@ index 7c5d8d8..72e3065 100644
 +	optional_policy(`
 +		ptchown_run(svirt_t, $2)
 +	')
-+')
+ ')
 +
 +########################################
 +## <summary>
@@ -57127,9 +58853,34 @@ index 7c5d8d8..72e3065 100644
 +	')
 +
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
- ')
++')
++
++########################################
++## <summary>
++##	Creates types and rules for a basic
++##	virt_lxc process domain.
++## </summary>
++## <param name="prefix">
++##	<summary>
++##	Prefix for the domain.
++##	</summary>
++## </param>
++#
++template(`virt_lxc_domain_template',`
++	gen_require(`
++		attribute svirt_lxc_domain;
++	')
++
++	type $1_t, svirt_lxc_domain;
++	domain_type($1_t)
++	domain_user_exemption_target($1_t)
++	mls_rangetrans_target($1_t)
++	mcs_untrusted_proc($1_t)
++	role system_r types $1_t;
++')
++
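Review bot: `virt_lxc_domain_template` uses `role system_r types $1_t;` but its `gen_require` only lists `attribute svirt_lxc_domain;`; refpolicy interfaces and templates that reference `system_r` conventionally require it as well, so the block should read `gen_require(\` attribute svirt_lxc_domain; role system_r; ')`. The template also declares a domain with no entry point, leaving the caller to pair it with `domain_entry_file` and a `domtrans_pattern` (as the .te does for svirt_lxc_net later in this patch); the `<param>` description should say so, e.g. "Prefix for the domain; the caller must still supply an entry-point type." Both points apply to the added template at the tail of this hunk.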
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..1eb165e 100644
+index 3eca020..8ae6778 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,74 @@ policy_module(virt, 1.4.0)
@@ -57273,24 +59024,35 @@ index 3eca020..1eb165e 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -99,20 +130,29 @@ ifdef(`enable_mls',`
+@@ -97,6 +128,27 @@ ifdef(`enable_mls',`
+ 	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
+ ')
  
- ########################################
- #
++type virt_qmf_t;
++type virt_qmf_exec_t;
++init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
++
++########################################
++#
 +# Declarations
 +#
++attribute svirt_lxc_domain;
 +
-+type virt_lxc_t;
-+type virt_lxc_exec_t;
-+init_system_domain(virt_lxc_t, virt_lxc_exec_t)
++type virtd_lxc_t;
++type virtd_lxc_exec_t;
++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
 +
-+type virt_lxc_var_run_t;
-+files_pid_file(virt_lxc_var_run_t)
++type virtd_lxc_var_run_t;
++files_pid_file(virtd_lxc_var_run_t)
 +
-+########################################
-+#
- # svirt local policy
++# virt lxc container files
++type svirt_lxc_file_t;
++files_mountpoint(svirt_lxc_file_t)
++
+ ########################################
  #
+ # svirt local policy
+@@ -104,15 +156,12 @@ ifdef(`enable_mls',`
  
  allow svirt_t self:udp_socket create_socket_perms;
  
@@ -57307,7 +59069,7 @@ index 3eca020..1eb165e 100644
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -130,9 +170,13 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -130,9 +179,13 @@ corenet_tcp_connect_all_ports(svirt_t)
  
  dev_list_sysfs(svirt_t)
  
@@ -57321,7 +59083,7 @@ index 3eca020..1eb165e 100644
  
  tunable_policy(`virt_use_comm',`
  	term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +191,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +200,15 @@ tunable_policy(`virt_use_fusefs',`
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
@@ -57337,7 +59099,7 @@ index 3eca020..1eb165e 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +208,28 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +217,28 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -57366,7 +59128,7 @@ index 3eca020..1eb165e 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -174,21 +239,35 @@ optional_policy(`
+@@ -174,21 +248,36 @@ optional_policy(`
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -57385,6 +59147,7 @@ index 3eca020..1eb165e 100644
 -allow virtd_t self:tun_socket create_socket_perms;
 +allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 +allow virtd_t self:rawip_socket create_socket_perms;
++allow virtd_t self:packet_socket create_socket_perms;
  allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
  
 -manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
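Review bot: `allow virtd_t self:packet_socket create_socket_perms;` is added with no comment, although a packet socket gives libvirtd raw link-layer access, a broader grant than the rawip and tun sockets on the surrounding lines. The operation that needs it (presumably some bridge or network probing libvirtd performs, but the hunk does not say) should be recorded on the line: `allow virtd_t self:packet_socket create_socket_perms; # <operation needing packet sockets>`. The virtd_t block continues outside the hunk.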
@@ -57408,7 +59171,7 @@ index 3eca020..1eb165e 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +279,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +289,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -57426,14 +59189,14 @@ index 3eca020..1eb165e 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +303,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +313,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
-+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
-+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virt_lxc_t)
++manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
++manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
++filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
++stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
 +
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
@@ -57442,7 +59205,7 @@ index 3eca020..1eb165e 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +331,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +341,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -57475,7 +59238,7 @@ index 3eca020..1eb165e 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +363,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +373,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -57494,7 +59257,7 @@ index 3eca020..1eb165e 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -285,16 +398,29 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +408,29 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -57524,7 +59287,7 @@ index 3eca020..1eb165e 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +439,10 @@ optional_policy(`
+@@ -313,6 +449,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57535,7 +59298,7 @@ index 3eca020..1eb165e 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -329,11 +459,17 @@ optional_policy(`
+@@ -329,16 +469,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57553,7 +59316,13 @@ index 3eca020..1eb165e 100644
  ')
  
  optional_policy(`
-@@ -365,6 +501,12 @@ optional_policy(`
+ 	iptables_domtrans(virtd_t)
+ 	iptables_initrc_domtrans(virtd_t)
++	iptables_systemctl(virtd_t)
+ 
+ 	# Manages /etc/sysconfig/system-config-firewall
+ 	iptables_manage_config(virtd_t)
+@@ -365,6 +512,12 @@ optional_policy(`
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -57566,7 +59335,7 @@ index 3eca020..1eb165e 100644
  ')
  
  optional_policy(`
-@@ -394,20 +536,36 @@ optional_policy(`
+@@ -394,20 +547,36 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -57605,7 +59374,7 @@ index 3eca020..1eb165e 100644
  corecmd_exec_bin(virt_domain)
  corecmd_exec_shell(virt_domain)
  
-@@ -418,10 +576,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +587,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -57618,7 +59387,7 @@ index 3eca020..1eb165e 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +588,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +599,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -57631,7 +59400,7 @@ index 3eca020..1eb165e 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,14 +601,20 @@ files_search_all(virt_domain)
+@@ -440,14 +612,20 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -57639,12 +59408,12 @@ index 3eca020..1eb165e 100644
 +fs_rw_inherited_nfs_files(virt_domain)
 +fs_rw_inherited_cifs_files(virt_domain)
 +fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+ 
+-term_use_all_terms(virt_domain)
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
 +storage_raw_read_removable_device(virt_domain)
- 
--term_use_all_terms(virt_domain)
++
 +term_use_all_inherited_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
  term_use_generic_ptys(virt_domain)
@@ -57655,7 +59424,7 @@ index 3eca020..1eb165e 100644
  logging_send_syslog_msg(virt_domain)
  
  miscfiles_read_localization(virt_domain)
-@@ -457,8 +624,188 @@ optional_policy(`
+@@ -457,8 +635,315 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57779,71 +59548,198 @@ index 3eca020..1eb165e 100644
 +#
 +# virt_lxc local policy
 +#
-+allow virt_lxc_t self:capability { net_admin net_raw setpcap chown sys_admin };
-+allow virt_lxc_t self:process { setsched getcap setcap signal_perms };
-+allow virt_lxc_t self:fifo_file rw_fifo_file_perms;
-+allow virt_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
-+allow virt_lxc_t self:unix_stream_socket create_stream_socket_perms;
-+allow virt_lxc_t self:packet_socket create_socket_perms;
++allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin };
++allow virtd_lxc_t self:process { setsched getcap setcap signal_perms };
++allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
++allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
++allow virtd_lxc_t self:unix_stream_socket create_stream_socket_perms;
++allow virtd_lxc_t self:packet_socket create_socket_perms;
 +
-+allow virt_lxc_t virt_image_type:dir mounton;
++allow virtd_lxc_t virt_image_type:dir mounton;
 +
-+allow virt_lxc_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
++allow virtd_lxc_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
 +
-+domtrans_pattern(virtd_t, virt_lxc_exec_t, virt_lxc_t)
-+allow virtd_t virt_lxc_t:process { signal signull sigkill };
++domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
++allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 +
-+manage_dirs_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+manage_files_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+manage_sock_files_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+files_pid_filetrans(virt_lxc_t, virt_lxc_var_run_t, { file dir })
++manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
++manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
++manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
++files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
 +
-+kernel_read_network_state(virt_lxc_t)
-+kernel_search_network_sysctl(virt_lxc_t)
-+kernel_read_sysctl(virt_lxc_t)
++kernel_read_network_state(virtd_lxc_t)
++kernel_search_network_sysctl(virtd_lxc_t)
++kernel_read_sysctl(virtd_lxc_t)
++kernel_read_system_state(virtd_lxc_t)
 +
-+dev_read_sysfs(virt_lxc_t)
++corecmd_exec_bin(virtd_lxc_t)
++corecmd_exec_shell(virtd_lxc_t)
 +
-+domain_use_interactive_fds(virt_lxc_t)
++dev_read_sysfs(virtd_lxc_t)
 +
-+files_read_etc_files(virt_lxc_t)
-+files_mounton_all_mountpoints(virt_lxc_t)
-+files_mount_all_file_type_fs(virt_lxc_t)
-+files_unmount_all_file_type_fs(virt_lxc_t)
-+files_list_isid_type_dirs(virt_lxc_t)
++domain_use_interactive_fds(virtd_lxc_t)
 +
-+fs_manage_tmpfs_dirs(virt_lxc_t)
-+fs_manage_tmpfs_chr_files(virt_lxc_t)
-+fs_manage_tmpfs_symlinks(virt_lxc_t)
-+fs_manage_cgroup_dirs(virt_lxc_t)
-+fs_rw_cgroup_files(virt_lxc_t)
-+fs_remount_all_fs(virt_lxc_t)
++files_read_etc_files(virtd_lxc_t)
++files_read_usr_files(virtd_lxc_t)
++files_mounton_non_security(virtd_lxc_t)
++files_mount_all_file_type_fs(virtd_lxc_t)
++files_unmount_all_file_type_fs(virtd_lxc_t)
++files_list_isid_type_dirs(virtd_lxc_t)
 +
-+selinux_mount_fs(virt_lxc_t)
-+selinux_unmount_fs(virt_lxc_t)
++fs_manage_tmpfs_dirs(virtd_lxc_t)
++fs_manage_tmpfs_chr_files(virtd_lxc_t)
++fs_manage_tmpfs_symlinks(virtd_lxc_t)
++fs_manage_cgroup_dirs(virtd_lxc_t)
++fs_rw_cgroup_files(virtd_lxc_t)
++fs_remount_all_fs(virtd_lxc_t)
++fs_unmount_xattr_fs(virtd_lxc_t)
 +
-+term_use_generic_ptys(virt_lxc_t)
-+term_use_ptmx(virt_lxc_t)
++selinux_mount_fs(virtd_lxc_t)
++selinux_unmount_fs(virtd_lxc_t)
 +
-+auth_use_nsswitch(virt_lxc_t)
++term_use_generic_ptys(virtd_lxc_t)
++term_use_ptmx(virtd_lxc_t)
 +
-+logging_send_syslog_msg(virt_lxc_t)
++auth_use_nsswitch(virtd_lxc_t)
 +
-+miscfiles_read_localization(virt_lxc_t)
++logging_send_syslog_msg(virtd_lxc_t)
 +
-+sysnet_domtrans_ifconfig(virt_lxc_t)
++miscfiles_read_localization(virtd_lxc_t)
 +
-+type lxc_t;
-+domain_type(lxc_t);
++sysnet_domtrans_ifconfig(virtd_lxc_t)
 +
-+optional_policy(`
-+	unconfined_domain(lxc_t)
-+')
++#optional_policy(`
++#	unconfined_shell_domtrans(virtd_lxc_t)
++#	unconfined_signal(virtd_t)
++#')
 +
-+optional_policy(`
-+	unconfined_shell_domtrans(virt_lxc_t)
-+	unconfined_signal(virtd_t)
-+')
++########################################
++#
++# virt_lxc_domain local policy
++#
++allow svirt_lxc_domain self:capability { setuid setgid dac_override };
++dontaudit svirt_lxc_domain self:capability sys_ptrace;
++
++allow virtd_t svirt_lxc_domain:process { signal_perms };
++allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
++allow svirt_lxc_domain virtd_lxc_t:fd use;
++allow svirt_lxc_domain virtd_lxc_var_run_t:dir search_dir_perms;
++dontaudit svirt_lxc_domain virtd_lxc_t:unix_stream_socket { read write };
++
++allow svirt_lxc_domain self:process { getattr signal_perms getsched setsched setcap setpgid execstack execmem };
++allow svirt_lxc_domain self:fifo_file manage_file_perms;
++allow svirt_lxc_domain self:sem create_sem_perms;
++allow svirt_lxc_domain self:shm create_shm_perms;
++allow svirt_lxc_domain self:msgq create_msgq_perms;
++allow svirt_lxc_domain self:unix_stream_socket create_stream_socket_perms;
++allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
++dontaudit svirt_lxc_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++
++manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++
++manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
++can_exec(svirt_lxc_domain, svirt_lxc_file_t)
++
++kernel_getattr_proc(svirt_lxc_domain)
++kernel_read_kernel_sysctls(svirt_lxc_domain)
++kernel_read_system_state(svirt_lxc_domain)
++kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
++
++corecmd_exec_all_executables(svirt_lxc_domain)
++
++dev_read_urand(svirt_lxc_domain)
++dev_dontaudit_read_rand(svirt_lxc_domain)
++dev_read_sysfs(svirt_lxc_domain)
++
++files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
++files_entrypoint_all_files(svirt_lxc_domain)
++files_search_all(svirt_lxc_domain)
++files_read_config_files(svirt_lxc_domain)
++files_read_usr_files(svirt_lxc_domain)
++files_read_usr_symlinks(svirt_lxc_domain)
++
++fs_getattr_tmpfs(svirt_lxc_domain)
++fs_getattr_xattr_fs(svirt_lxc_domain)
++fs_list_inotifyfs(svirt_lxc_domain)
++fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain)
++
++auth_dontaudit_read_login_records(svirt_lxc_domain)
++auth_dontaudit_write_login_records(svirt_lxc_domain)
++auth_search_pam_console_data(svirt_lxc_domain)
++
++init_read_utmp(svirt_lxc_domain)
++init_dontaudit_write_utmp(svirt_lxc_domain)
++
++libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
++
++miscfiles_read_localization(svirt_lxc_domain)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
++
++mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++
++selinux_get_fs_mount(svirt_lxc_domain)
++selinux_validate_context(svirt_lxc_domain)
++selinux_compute_access_vector(svirt_lxc_domain)
++selinux_compute_create_context(svirt_lxc_domain)
++selinux_compute_relabel_context(svirt_lxc_domain)
++selinux_compute_user_contexts(svirt_lxc_domain)
++seutil_read_default_contexts(svirt_lxc_domain)
++
++miscfiles_read_fonts(svirt_lxc_domain)
++
++virt_lxc_domain_template(svirt_lxc_net)
++
++allow svirt_lxc_net_t self:udp_socket create_socket_perms;
++allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms;
++allow svirt_lxc_net_t self:netlink_route_socket create_netlink_socket_perms;
++allow svirt_lxc_net_t self:packet_socket create_socket_perms;
++allow svirt_lxc_net_t self:udp_socket create_socket_perms;
++
++corenet_tcp_bind_generic_node(svirt_lxc_net_t)
++corenet_udp_bind_generic_node(svirt_lxc_net_t)
++
++allow svirt_lxc_net_t self:capability { net_raw net_admin net_bind_service };
++corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t)
++corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
++corenet_udp_bind_all_ports(svirt_lxc_net_t)
++corenet_tcp_bind_all_ports(svirt_lxc_net_t)
++corenet_tcp_connect_all_ports(svirt_lxc_net_t)
++kernel_read_network_state(svirt_lxc_net_t)
++
++domain_entry_file(svirt_lxc_net_t, svirt_lxc_file_t)
++domtrans_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_net_t)
++
++########################################
++#
++# virt_qmf local policy
++#
++allow virt_qmf_t self:process signal;
++allow virt_qmf_t self:fifo_file rw_fifo_file_perms;
++allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms;
++allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
++
++kernel_read_network_state(virt_qmf_t)
++
++dev_list_sysfs(virt_qmf_t)
++dev_read_sysfs(virt_qmf_t)
++
++corenet_tcp_connect_matahari_port(virt_qmf_t)
++
++domain_use_interactive_fds(virt_qmf_t)
++
++files_read_etc_files(virt_qmf_t)
++
++logging_send_syslog_msg(virt_qmf_t)
++
++miscfiles_read_localization(virt_qmf_t)
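Review bot: `allow svirt_lxc_net_t self:udp_socket create_socket_perms;` appears twice in the svirt_lxc_net block, once at the top of the socket rules and again after the packet_socket rule; the second copy is redundant and should be dropped. The commented-out `#optional_policy(\`` block for `unconfined_shell_domtrans(virtd_lxc_t)` is dead text and should either be removed or carry a one-line note on why it is kept. Several of the new svirt_lxc_domain grants are deliberately wide — `execstack execmem` on self:process, `dac_override` on virtd_lxc_t, `files_entrypoint_all_files` and `corecmd_exec_all_executables` — and each deserves a why-comment (e.g. `# containers run arbitrary guest binaries; any file may be an entry point`) so the breadth is visibly intentional rather than accidental. Finally, the svirt_lxc_net rules interleave `allow ... self:capability` with corenet calls; grouping capability/socket rules before the corenet interfaces matches the rest of the file.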
 diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc
 index 11533cc..4d81b99 100644
 --- a/policy/modules/services/vnstatd.fc
@@ -61016,7 +62912,7 @@ index 28ad538..59742f4 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..197fa07 100644
+index 73554ec..f05a80f 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -61028,7 +62924,20 @@ index 73554ec..197fa07 100644
  	logging_send_audit_msgs($1)
  	logging_send_syslog_msg($1)
  
-@@ -95,9 +97,12 @@ interface(`auth_use_pam',`
+@@ -80,6 +82,12 @@ interface(`auth_use_pam',`
+ 	optional_policy(`
+ 		nis_authenticate($1)
+ 	')
++
++	optional_policy(`
++		systemd_dbus_chat_logind($1)
++		systemd_use_fds_logind($1)
++		systemd_write_inherited_logind_sessions_pipes($1)
++	')
+ ')
+ 
+ ########################################
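Review bot: The `systemd_dbus_chat_logind`/`systemd_use_fds_logind`/`systemd_write_inherited_logind_sessions_pipes` optional block is now inside `auth_use_pam`, which a much larger set of domains calls than `auth_login_pgm_domain` (where a later hunk in this file removes it), so every PAM-using domain now gets dbus access to logind. If that widening is intended, a comment above the block such as `# any PAM user may need to talk to logind for session registration` would make it explicit; `auth_login_pgm_domain` still reaches these rules through its existing `auth_use_pam($1)` call, so nothing is lost for login programs.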
+@@ -95,9 +103,12 @@ interface(`auth_use_pam',`
  interface(`auth_login_pgm_domain',`
  	gen_require(`
  		type var_auth_t, auth_cache_t;
@@ -61041,7 +62950,7 @@ index 73554ec..197fa07 100644
  	domain_subj_id_change_exemption($1)
  	domain_role_change_exemption($1)
  	domain_obj_id_change_exemption($1)
-@@ -105,14 +110,17 @@ interface(`auth_login_pgm_domain',`
+@@ -105,14 +116,17 @@ interface(`auth_login_pgm_domain',`
  
  	# Needed for pam_selinux_permit to cleanup properly
  	domain_read_all_domains_state($1)
@@ -61059,7 +62968,7 @@ index 73554ec..197fa07 100644
  	manage_files_pattern($1, var_auth_t, var_auth_t)
  
  	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -123,13 +131,19 @@ interface(`auth_login_pgm_domain',`
+@@ -123,13 +137,19 @@ interface(`auth_login_pgm_domain',`
  	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
  	kernel_rw_afs_state($1)
  
@@ -61080,7 +62989,7 @@ index 73554ec..197fa07 100644
  
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
-@@ -145,6 +159,8 @@ interface(`auth_login_pgm_domain',`
+@@ -145,6 +165,8 @@ interface(`auth_login_pgm_domain',`
  	mls_process_set_level($1)
  	mls_fd_share_all_levels($1)
  
@@ -61089,7 +62998,7 @@ index 73554ec..197fa07 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -155,9 +171,90 @@ interface(`auth_login_pgm_domain',`
+@@ -155,9 +177,84 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -61136,12 +63045,6 @@ index 73554ec..197fa07 100644
 +		ssh_read_user_home_files($1)
 +		userdom_read_user_home_content_files($1)
 +	')
-+
-+	optional_policy(`
-+		systemd_dbus_chat_logind($1)
-+		systemd_use_fds_logind($1)
-+		systemd_write_inherited_logind_sessions_pipes($1)
-+	')
 +')
 +
 +########################################
@@ -62905,7 +64808,7 @@ index 94fd8dd..b5e5c70 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..8c027c2 100644
+index 29a9565..53f3bfe 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -63084,7 +64987,7 @@ index 29a9565..8c027c2 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,16 +247,137 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +247,138 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -63181,6 +65084,7 @@ index 29a9565..8c027c2 100644
 +	seutil_read_file_contexts(init_t)
 +
 +	systemd_exec_systemctl(init_t)
++	systemd_manage_unit_dirs(init_t)
 +	systemd_manage_all_unit_files(init_t)
 +	systemd_logger_stream_connect(init_t)
 +
@@ -63194,37 +65098,37 @@ index 29a9565..8c027c2 100644
 +auth_use_nsswitch(init_t)
 +auth_rw_login_records(init_t)
 +
++optional_policy(`
++	lvm_rw_pipes(init_t)
++')
++
  optional_policy(`
 -	auth_rw_login_records(init_t)
-+	lvm_rw_pipes(init_t)
++	consolekit_manage_log(init_t)
  ')
  
  optional_policy(`
-+	consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
 +	dbus_connect_system_bus(init_t)
  	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
- ')
- 
- optional_policy(`
--	nscd_socket_use(init_t)
++')
++
++optional_policy(`
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
 +	# The master process of dovecot will manage this file.
 +	dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_socket_use(init_t)
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
  ')
  
  optional_policy(`
-@@ -203,6 +385,17 @@ optional_policy(`
+@@ -203,6 +386,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63242,7 +65146,7 @@ index 29a9565..8c027c2 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +405,7 @@ optional_policy(`
+@@ -212,7 +406,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -63251,7 +65155,7 @@ index 29a9565..8c027c2 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +434,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +435,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -63267,7 +65171,7 @@ index 29a9565..8c027c2 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +454,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +455,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -63304,7 +65208,7 @@ index 29a9565..8c027c2 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +487,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +488,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -63312,7 +65216,7 @@ index 29a9565..8c027c2 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +498,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +499,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -63323,7 +65227,7 @@ index 29a9565..8c027c2 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +509,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +510,14 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -63340,7 +65244,7 @@ index 29a9565..8c027c2 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +528,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +529,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -63348,7 +65252,7 @@ index 29a9565..8c027c2 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +536,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +537,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -63360,7 +65264,7 @@ index 29a9565..8c027c2 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +555,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +556,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -63374,7 +65278,7 @@ index 29a9565..8c027c2 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +570,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +571,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -63383,7 +65287,7 @@ index 29a9565..8c027c2 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +584,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +585,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -63391,7 +65295,7 @@ index 29a9565..8c027c2 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +596,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +597,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -63399,7 +65303,7 @@ index 29a9565..8c027c2 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +617,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +618,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -63421,7 +65325,7 @@ index 29a9565..8c027c2 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +680,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +681,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -63432,7 +65336,7 @@ index 29a9565..8c027c2 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +704,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +705,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -63441,7 +65345,7 @@ index 29a9565..8c027c2 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +719,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +720,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -63449,7 +65353,7 @@ index 29a9565..8c027c2 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +749,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +750,33 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -63483,7 +65387,7 @@ index 29a9565..8c027c2 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +783,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +784,22 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -63506,7 +65410,7 @@ index 29a9565..8c027c2 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +813,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +814,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -63546,7 +65450,7 @@ index 29a9565..8c027c2 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +858,8 @@ optional_policy(`
+@@ -561,6 +859,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -63555,7 +65459,7 @@ index 29a9565..8c027c2 100644
  ')
  
  optional_policy(`
-@@ -577,6 +876,7 @@ optional_policy(`
+@@ -577,6 +877,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -63563,7 +65467,7 @@ index 29a9565..8c027c2 100644
  ')
  
  optional_policy(`
-@@ -589,6 +889,17 @@ optional_policy(`
+@@ -589,6 +890,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63581,7 +65485,7 @@ index 29a9565..8c027c2 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +916,13 @@ optional_policy(`
+@@ -605,9 +917,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -63595,7 +65499,7 @@ index 29a9565..8c027c2 100644
  	')
  
  	optional_policy(`
-@@ -632,6 +947,10 @@ optional_policy(`
+@@ -632,6 +948,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63606,7 +65510,7 @@ index 29a9565..8c027c2 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -649,6 +968,11 @@ optional_policy(`
+@@ -649,6 +969,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63618,7 +65522,7 @@ index 29a9565..8c027c2 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1013,7 @@ optional_policy(`
+@@ -689,6 +1014,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -63626,7 +65530,7 @@ index 29a9565..8c027c2 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1031,13 @@ optional_policy(`
+@@ -706,7 +1032,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63640,7 +65544,7 @@ index 29a9565..8c027c2 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1060,10 @@ optional_policy(`
+@@ -729,6 +1061,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63651,7 +65555,7 @@ index 29a9565..8c027c2 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1073,20 @@ optional_policy(`
+@@ -738,10 +1074,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63672,7 +65576,7 @@ index 29a9565..8c027c2 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1095,10 @@ optional_policy(`
+@@ -750,6 +1096,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63683,7 +65587,7 @@ index 29a9565..8c027c2 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1120,6 @@ optional_policy(`
+@@ -771,8 +1121,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -63692,7 +65596,7 @@ index 29a9565..8c027c2 100644
  ')
  
  optional_policy(`
-@@ -790,10 +1137,12 @@ optional_policy(`
+@@ -790,10 +1138,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -63705,7 +65609,7 @@ index 29a9565..8c027c2 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1154,6 @@ optional_policy(`
+@@ -805,7 +1155,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63713,7 +65617,7 @@ index 29a9565..8c027c2 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1163,26 @@ optional_policy(`
+@@ -815,11 +1164,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63741,7 +65645,7 @@ index 29a9565..8c027c2 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1192,25 @@ optional_policy(`
+@@ -829,6 +1193,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -63767,7 +65671,7 @@ index 29a9565..8c027c2 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1226,10 @@ optional_policy(`
+@@ -844,6 +1227,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63778,7 +65682,7 @@ index 29a9565..8c027c2 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1240,149 @@ optional_policy(`
+@@ -854,3 +1241,160 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -63834,6 +65738,8 @@ index 29a9565..8c027c2 100644
 +	allow init_t daemon:unix_dgram_socket create_socket_perms;
 +	allow init_t daemon:tcp_socket create_stream_socket_perms;
 +	allow daemon init_t:unix_dgram_socket sendto;
++	# need write to /var/run/systemd/notify
++	init_write_pid_socket(daemon)
 +	dontaudit daemon init_t:unix_stream_socket { read ioctl getattr };
 +')
 +
@@ -63861,6 +65767,10 @@ index 29a9565..8c027c2 100644
 +	nscd_socket_use(daemon)
 +')
 +
++optional_policy(`
++	puppet_rw_tmp(daemon)
++')
++
 +allow direct_run_init daemon:process { noatsecure siginh rlimitinh };
 +
 +allow initrc_t systemprocess:process siginh;
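Review bot: `puppet_rw_tmp(daemon)` gives every domain carrying the `daemon` attribute read/write access to puppet's tmp files, with no comment saying which daemons actually need it; the `init_write_pid_socket(daemon)` line in the hunk above at least names the path it is for, and the same attribute-wide grant is repeated for `systemprocess` in the next hunk. Because the grant is attribute-wide, any daemon domain can also modify content in that tmp location that puppet may read back, so the blast radius of a single compromised daemon grows. Either scope the call to the domains that produced the denials or record the justification with a comment such as `# TODO(review): name the daemons that need puppet's tmp files and why`.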
@@ -63911,6 +65821,10 @@ index 29a9565..8c027c2 100644
 +')
 +
 +optional_policy(`
++	puppet_rw_tmp(systemprocess)
++')
++
++optional_policy(`
 +	xserver_dontaudit_append_xdm_home_files(systemprocess)
 +')
 +
@@ -63928,6 +65842,7 @@ index 29a9565..8c027c2 100644
 +#ifdef(`enable_mls',`
 +#	mls_rangetrans_target(systemprocess)
 +#')
++
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
 index fb09b9e..e25c6b6 100644
 --- a/policy/modules/system/ipsec.fc
@@ -64140,19 +66055,21 @@ index 55a6cd8..fa17b89 100644
 +userdom_read_user_tmp_files(setkey_t)
  
 diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 05fb364..6b895d1 100644
+index 05fb364..c054118 100644
 --- a/policy/modules/system/iptables.fc
 +++ b/policy/modules/system/iptables.fc
-@@ -1,7 +1,5 @@
+@@ -1,7 +1,7 @@
  /etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/ebtables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
 -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
 +/etc/rc\.d/init\.d/ebtables		--  gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
++
++/lib/systemd/system/iptables6?.service 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
  
  /sbin/ebtables			--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ebtables-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
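Review bot: The new file context on the `++/lib/systemd/system/iptables6?.service` line matches `iptables.service` and `iptables6.service` but not `ip6tables.service`, whereas the init-script entry on the first context line of this hunk spells the IPv6 variant `ip6?tables`; the unescaped `.` also matches any character rather than a literal dot. Unless the unit really is named iptables6, `/lib/systemd/system/ip6?tables\.service		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)` keeps the two labellings consistent. A unit file that misses the pattern would presumably keep the generic unit label, so the service permissions `iptables_systemctl` grants on `iptables_unit_file_t` would not cover it.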
-@@ -12,8 +10,4 @@
+@@ -12,8 +12,4 @@
  /sbin/ipvsadm			--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ipvsadm-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -64163,7 +66080,7 @@ index 05fb364..6b895d1 100644
 -/usr/sbin/iptables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/xtables-multi	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
-index 7ba53db..5c94dfe 100644
+index 7ba53db..227887f 100644
 --- a/policy/modules/system/iptables.if
 +++ b/policy/modules/system/iptables.if
 @@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
@@ -64177,11 +66094,42 @@ index 7ba53db..5c94dfe 100644
  ')
  
  ########################################
+@@ -92,6 +88,30 @@ interface(`iptables_initrc_domtrans',`
+ 	init_labeled_script_domtrans($1, iptables_initrc_exec_t)
+ ')
+ 
++########################################
++## <summary>
++##	Execute iptables server in the iptables domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`iptables_systemctl',`
++	gen_require(`
++		type iptables_unit_file_t;
++		type iptables_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
++	allow $1 iptables_unit_file_t:file read_file_perms;
++	allow $1 iptables_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, iptables_t)
++')
++
+ #####################################
+ ## <summary>
+ ##	Set the attributes of iptables config files.
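Review bot: The `<summary>` of the new `iptables_systemctl` interface, `Execute iptables server in the iptables domain.`, and the parameter text `Domain allowed to transition.` describe a domain transition, but the body grants none: it lets `$1` run systemctl, read the unit file, hold `all_service_perms` on `iptables_unit_file_t`, and see `iptables_t` processes via `ps_process_pattern`. Suggest `##	Execute systemctl to control the iptables service via its unit file.` and `##	Domain allowed access.` so the doc matches what is granted. Note also that `all_service_perms`, by its name, covers more than starting the service, so callers that only restart it end up able to stop or disable it as well; if a narrower service permission set exists for this, it would fit the stated intent better.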
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index f3e1b57..d6a93ac 100644
+index f3e1b57..d7fd7fb 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
-@@ -13,9 +13,6 @@ role system_r types iptables_t;
+@@ -13,15 +13,15 @@ role system_r types iptables_t;
  type iptables_initrc_exec_t;
  init_script_file(iptables_initrc_exec_t)
  
@@ -64191,7 +66139,16 @@ index f3e1b57..d6a93ac 100644
  type iptables_tmp_t;
  files_tmp_file(iptables_tmp_t)
  
-@@ -34,8 +31,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+ type iptables_var_run_t;
+ files_pid_file(iptables_var_run_t)
+ 
++type iptables_unit_file_t;
++systemd_unit_file(iptables_unit_file_t)
++
+ ########################################
+ #
+ # Iptables local policy
+@@ -34,8 +34,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
  allow iptables_t self:netlink_socket create_socket_perms;
  allow iptables_t self:rawip_socket create_socket_perms;
  
@@ -64202,7 +66159,7 @@ index f3e1b57..d6a93ac 100644
  
  manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
  files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-@@ -46,6 +43,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
+@@ -46,6 +46,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
  allow iptables_t iptables_tmp_t:file manage_file_perms;
  files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
  
@@ -64210,7 +66167,7 @@ index f3e1b57..d6a93ac 100644
  kernel_request_load_module(iptables_t)
  kernel_read_system_state(iptables_t)
  kernel_read_network_state(iptables_t)
-@@ -61,6 +59,9 @@ corenet_relabelto_all_packets(iptables_t)
+@@ -61,6 +62,9 @@ corenet_relabelto_all_packets(iptables_t)
  corenet_dontaudit_rw_tun_tap_dev(iptables_t)
  
  dev_read_sysfs(iptables_t)
@@ -64220,7 +66177,7 @@ index f3e1b57..d6a93ac 100644
  
  fs_getattr_xattr_fs(iptables_t)
  fs_search_auto_mountpoints(iptables_t)
-@@ -69,11 +70,13 @@ fs_list_inotifyfs(iptables_t)
+@@ -69,11 +73,13 @@ fs_list_inotifyfs(iptables_t)
  mls_file_read_all_levels(iptables_t)
  
  term_dontaudit_use_console(iptables_t)
@@ -64235,7 +66192,7 @@ index f3e1b57..d6a93ac 100644
  
  auth_use_nsswitch(iptables_t)
  
-@@ -82,6 +85,7 @@ init_use_script_ptys(iptables_t)
+@@ -82,6 +88,7 @@ init_use_script_ptys(iptables_t)
  # to allow rules to be saved on reboot:
  init_rw_script_tmp_files(iptables_t)
  init_rw_script_stream_sockets(iptables_t)
@@ -64243,7 +66200,7 @@ index f3e1b57..d6a93ac 100644
  
  logging_send_syslog_msg(iptables_t)
  
-@@ -90,7 +94,7 @@ miscfiles_read_localization(iptables_t)
+@@ -90,7 +97,7 @@ miscfiles_read_localization(iptables_t)
  sysnet_domtrans_ifconfig(iptables_t)
  sysnet_dns_name_resolve(iptables_t)
  
@@ -64252,7 +66209,7 @@ index f3e1b57..d6a93ac 100644
  userdom_use_all_users_fds(iptables_t)
  
  ifdef(`hide_broken_symptoms',`
-@@ -99,6 +103,8 @@ ifdef(`hide_broken_symptoms',`
+@@ -99,6 +106,8 @@ ifdef(`hide_broken_symptoms',`
  
  optional_policy(`
  	fail2ban_append_log(iptables_t)
@@ -64261,7 +66218,7 @@ index f3e1b57..d6a93ac 100644
  ')
  
  optional_policy(`
-@@ -121,6 +127,7 @@ optional_policy(`
+@@ -121,6 +130,7 @@ optional_policy(`
  
  optional_policy(`
  	psad_rw_tmp_files(iptables_t)
@@ -64269,7 +66226,7 @@ index f3e1b57..d6a93ac 100644
  ')
  
  optional_policy(`
-@@ -134,6 +141,7 @@ optional_policy(`
+@@ -134,6 +144,7 @@ optional_policy(`
  optional_policy(`
  	shorewall_read_tmp_files(iptables_t)
  	shorewall_rw_lib_files(iptables_t)
@@ -67462,7 +69419,7 @@ index 170e2c7..b85fc73 100644
 +	')
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..f2b7643 100644
+index 7ed9819..3ee9ea8 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -67733,17 +69690,17 @@ index 7ed9819..f2b7643 100644
 -allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 -allow semanage_t self:unix_dgram_socket create_socket_perms;
 -allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
--
--allow semanage_t policy_config_t:file rw_file_perms;
 +seutil_semanage_policy(semanage_t)
 +allow semanage_t self:fifo_file rw_fifo_file_perms;
  
--allow semanage_t semanage_tmp_t:dir manage_dir_perms;
--allow semanage_t semanage_tmp_t:file manage_file_perms;
--files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+-allow semanage_t policy_config_t:file rw_file_perms;
 +manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
 +manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
  
+-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
+-allow semanage_t semanage_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+-
 -kernel_read_system_state(semanage_t)
 -kernel_read_kernel_sysctls(semanage_t)
 -
@@ -67772,13 +69729,13 @@ index 7ed9819..f2b7643 100644
 -
 -# Running genhomedircon requires this for finding all users
 -auth_use_nsswitch(semanage_t)
--
--locallogin_use_fds(semanage_t)
--
--logging_send_syslog_msg(semanage_t)
 +# Admins are creating pp files in random locations
 +files_read_non_security_files(semanage_t)
  
+-locallogin_use_fds(semanage_t)
+-
+-logging_send_syslog_msg(semanage_t)
+-
 -miscfiles_read_localization(semanage_t)
 -
 -seutil_libselinux_linked(semanage_t)
@@ -67795,7 +69752,7 @@ index 7ed9819..f2b7643 100644
  # netfilter_contexts:
  seutil_manage_default_contexts(semanage_t)
  
-@@ -482,123 +493,85 @@ seutil_manage_default_contexts(semanage_t)
+@@ -482,6 +493,14 @@ seutil_manage_default_contexts(semanage_t)
  userdom_read_user_home_content_files(semanage_t)
  userdom_read_user_tmp_files(semanage_t)
  
@@ -67810,17 +69767,7 @@ index 7ed9819..f2b7643 100644
  ifdef(`distro_debian',`
  	files_read_var_lib_files(semanage_t)
  	files_read_var_lib_symlinks(semanage_t)
- ')
- 
-+optional_policy(`
-+	setrans_initrc_domtrans(semanage_t)
-+	domain_system_change_exemption(semanage_t)
-+	consoletype_exec(semanage_t)
-+')
-+
- ifdef(`distro_ubuntu',`
- 	optional_policy(`
- 		unconfined_domain(semanage_t)
+@@ -493,112 +512,60 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -67873,23 +69820,23 @@ index 7ed9819..f2b7643 100644
 -mls_file_write_all_levels(setfiles_t)
 -mls_file_upgrade(setfiles_t)
 -mls_file_downgrade(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
- 
+-
 -selinux_validate_context(setfiles_t)
 -selinux_compute_access_vector(setfiles_t)
 -selinux_compute_create_context(setfiles_t)
 -selinux_compute_relabel_context(setfiles_t)
 -selinux_compute_user_contexts(setfiles_t)
++init_dontaudit_use_fds(setsebool_t)
+ 
+-term_use_all_ttys(setfiles_t)
+-term_use_all_ptys(setfiles_t)
+-term_use_unallocated_ttys(setfiles_t)
 +# Bug in semanage
 +seutil_domtrans_setfiles(setsebool_t)
 +seutil_manage_file_contexts(setsebool_t)
 +seutil_manage_default_contexts(setsebool_t)
 +seutil_manage_config(setsebool_t)
  
--term_use_all_ttys(setfiles_t)
--term_use_all_ptys(setfiles_t)
--term_use_unallocated_ttys(setfiles_t)
--
 -# this is to satisfy the assertion:
 -auth_relabelto_shadow(setfiles_t)
 -
@@ -68267,7 +70214,7 @@ index ff80d0a..be800df 100644
 +	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..7e4782d 100644
+index 34d0ec5..767ccbd 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -68404,7 +70351,7 @@ index 34d0ec5..7e4782d 100644
  ')
  
  optional_policy(`
-@@ -192,7 +223,19 @@ optional_policy(`
+@@ -192,17 +223,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -68424,7 +70371,19 @@ index 34d0ec5..7e4782d 100644
  ')
  
  optional_policy(`
-@@ -213,6 +256,11 @@ optional_policy(`
+ 	nscd_initrc_domtrans(dhcpc_t)
++	nscd_systemctl(dhcpc_t)
+ 	nscd_domtrans(dhcpc_t)
+ 	nscd_read_pid(dhcpc_t)
+ ')
+ 
+ optional_policy(`
+ 	ntp_initrc_domtrans(dhcpc_t)
++	ntp_systemctl(dhcpc_t)
+ ')
+ 
+ optional_policy(`
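Review bot: `nscd_systemctl(dhcpc_t)` and `ntp_systemctl(dhcpc_t)` are added next to the existing `*_initrc_domtrans` calls without a comment; if these interfaces follow the shape of `iptables_systemctl` earlier in this patch (systemctl execution plus `all_service_perms` on the unit file), dhclient gains the ability to stop or disable nscd and ntp, which goes beyond the restart the initrc transition implied. A short why-comment such as `# dhclient hooks restart nscd/ntpd after a lease change via systemctl` would record the justification, and the narrower of the available service permissions should be preferred if one exists. Both enclosing `optional_policy` blocks are complete within the hunk.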
+@@ -213,6 +258,11 @@ optional_policy(`
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
  	seutil_dontaudit_search_config(dhcpc_t)
@@ -68436,7 +70395,7 @@ index 34d0ec5..7e4782d 100644
  ')
  
  optional_policy(`
-@@ -255,6 +303,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -255,6 +305,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
@@ -68444,7 +70403,7 @@ index 34d0ec5..7e4782d 100644
  # for /sbin/ip
  allow ifconfig_t self:packet_socket create_socket_perms;
  allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,8 +325,11 @@ dev_read_urand(ifconfig_t)
+@@ -276,8 +327,11 @@ dev_read_urand(ifconfig_t)
  
  domain_use_interactive_fds(ifconfig_t)
  
@@ -68456,7 +70415,7 @@ index 34d0ec5..7e4782d 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -301,11 +353,12 @@ logging_send_syslog_msg(ifconfig_t)
+@@ -301,11 +355,12 @@ logging_send_syslog_msg(ifconfig_t)
  
  miscfiles_read_localization(ifconfig_t)
  
@@ -68471,7 +70430,7 @@ index 34d0ec5..7e4782d 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -314,7 +367,18 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +369,18 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -68490,7 +70449,7 @@ index 34d0ec5..7e4782d 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -325,8 +389,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +391,14 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -68505,7 +70464,7 @@ index 34d0ec5..7e4782d 100644
  ')
  
  optional_policy(`
-@@ -335,6 +405,18 @@ optional_policy(`
+@@ -335,6 +407,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -68524,7 +70483,7 @@ index 34d0ec5..7e4782d 100644
  	nis_use_ypbind(ifconfig_t)
  ')
  
-@@ -356,3 +438,9 @@ optional_policy(`
+@@ -356,3 +440,9 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
@@ -68561,10 +70520,10 @@ index 0000000..9eaa38e
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..eb3673d
+index 0000000..46a3ec0
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,436 @@
+@@ -0,0 +1,456 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -68611,6 +70570,8 @@ index 0000000..eb3673d
 +
 +        corecmd_search_bin($1)
 +        can_exec($1, systemd_systemctl_exec_t)
++
++	init_read_state($1)
 +')
 +
 +#######################################
@@ -68945,6 +70906,24 @@ index 0000000..eb3673d
 +
 +########################################
 +## <summary>
++##	manage systemd unit dirs
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_manage_unit_dirs',`
++	gen_require(`
++		attribute systemd_unit_file_type;
++	')
++
++	manage_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++########################################
++## <summary>
 +##	manage all systemd unit files
 +## </summary>
 +## <param name="domain">
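Review bot: The summary of the new `systemd_manage_unit_dirs` interface, `manage systemd unit dirs`, understates its reach: `manage_dirs_pattern` on the `systemd_unit_file_type` attribute (which `systemd_unit_file()` appears to assign to per-service types such as `iptables_unit_file_t` elsewhere in this patch) lets the caller create, delete and rename directories of every unit-file type at once, not only systemd's own. Suggest `##	Create, delete and rename directories labelled with any systemd unit file type.` so a reader sees that it is an all-services grant. The interface is complete within the hunk.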
@@ -69003,10 +70982,10 @@ index 0000000..eb3673d
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..411793e
+index 0000000..ff4814a
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,360 @@
+@@ -0,0 +1,369 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -69140,6 +71119,11 @@ index 0000000..411793e
 +')
 +
 +optional_policy(`
++	# we label /run/user/$USER/dconf as config_home_t
++	gnome_manage_home_config_dirs(systemd_logind_t)
++')
++
++optional_policy(`
 +	# It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
 +	xserver_search_xdm_tmp_dirs(systemd_logind_t)
 +')
@@ -69357,10 +71341,14 @@ index 0000000..411793e
 +#
 +# systemd_sysctl domains local policy
 +#
++
++allow systemctl_domain systemd_unit_file_type:dir search_dir_perms;
++
 +fs_list_cgroup_dirs(systemctl_domain)
 +fs_read_cgroup_files(systemctl_domain)
 +
 +# needed by systemctl
++init_dgram_send(systemctl_domain)
 +init_stream_connect(systemctl_domain)
 +init_read_state(systemctl_domain)
 +init_list_pid_dirs(systemctl_domain)
@@ -70559,7 +72547,7 @@ index db75976..494ec08 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..fe5913a 100644
+index 4b2878a..e7a65ae 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -71326,7 +73314,7 @@ index 4b2878a..fe5913a 100644
  	')
  
  	optional_policy(`
-@@ -650,41 +798,50 @@ template(`userdom_common_user_template',`
+@@ -650,40 +798,52 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -71383,12 +73371,14 @@ index 4b2878a..fe5913a 100644
  	optional_policy(`
 -		usernetctl_run($1_t, $1_r)
 +		slrnpull_search_spool($1_usertype)
- 	')
++	')
 +
++	optional_policy(`
++		thumb_role($1_r, $1_usertype)
+ 	')
  ')
  
- #######################################
-@@ -712,13 +869,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +872,26 @@ template(`userdom_login_user_template', `
  
  	userdom_base_user_template($1)
  
@@ -71402,7 +73392,9 @@ index 4b2878a..fe5913a 100644
 -	userdom_manage_tmpfs_role($1_r, $1_t)
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable(allow_$1_exec_content, true)
-+
+ 
+-	userdom_exec_user_tmp_files($1_t)
+-	userdom_exec_user_home_content_files($1_t)
 +		tunable_policy(`allow_$1_exec_content',`
 +			userdom_exec_user_tmp_files($1_usertype)
 +			userdom_exec_user_home_content_files($1_usertype)
@@ -71410,9 +73402,7 @@ index 4b2878a..fe5913a 100644
 +		tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
 +                        fs_exec_nfs_files($1_usertype)
 +		')
- 
--	userdom_exec_user_tmp_files($1_t)
--	userdom_exec_user_home_content_files($1_t)
++
 +		tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
 +			fs_exec_cifs_files($1_usertype)
 +		')
@@ -71420,7 +73410,7 @@ index 4b2878a..fe5913a 100644
  
  	userdom_change_password_template($1)
  
-@@ -736,72 +906,76 @@ template(`userdom_login_user_template', `
+@@ -736,72 +909,76 @@ template(`userdom_login_user_template', `
  
  	allow $1_t self:context contains;
  
@@ -71491,46 +73481,46 @@ index 4b2878a..fe5913a 100644
  
 -	seutil_read_config($1_t)
 +	seutil_read_config($1_usertype)
-+
-+	optional_policy(`
-+		cups_read_config($1_usertype)
-+		cups_stream_connect($1_usertype)
-+		cups_stream_connect_ptal($1_usertype)
-+	')
  
  	optional_policy(`
 -		cups_read_config($1_t)
 -		cups_stream_connect($1_t)
 -		cups_stream_connect_ptal($1_t)
-+		kerberos_use($1_usertype)
-+		kerberos_filetrans_home_content($1_usertype)
++		cups_read_config($1_usertype)
++		cups_stream_connect($1_usertype)
++		cups_stream_connect_ptal($1_usertype)
  	')
  
  	optional_policy(`
 -		kerberos_use($1_t)
-+		mta_dontaudit_read_spool_symlinks($1_usertype)
++		kerberos_use($1_usertype)
++		kerberos_filetrans_home_content($1_usertype)
  	')
  
  	optional_policy(`
 -		mta_dontaudit_read_spool_symlinks($1_t)
-+		quota_dontaudit_getattr_db($1_usertype)
++		mta_dontaudit_read_spool_symlinks($1_usertype)
  	')
  
  	optional_policy(`
 -		quota_dontaudit_getattr_db($1_t)
-+		rpm_read_db($1_usertype)
-+		rpm_dontaudit_manage_db($1_usertype)
-+		rpm_read_cache($1_usertype)
++		quota_dontaudit_getattr_db($1_usertype)
  	')
  
  	optional_policy(`
 -		rpm_read_db($1_t)
 -		rpm_dontaudit_manage_db($1_t)
++		rpm_read_db($1_usertype)
++		rpm_dontaudit_manage_db($1_usertype)
++		rpm_read_cache($1_usertype)
++	')
++
++	optional_policy(`
 +		oddjob_run_mkhomedir($1_t, $1_r)
  	')
  ')
  
-@@ -833,6 +1007,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1010,9 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -71540,7 +73530,7 @@ index 4b2878a..fe5913a 100644
  	##############################
  	#
  	# Local policy
-@@ -874,45 +1051,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1054,118 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  
  	auth_role($1_r, $1_t)
@@ -71670,7 +73660,7 @@ index 4b2878a..fe5913a 100644
  	')
  ')
  
-@@ -947,7 +1197,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1200,7 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -71679,7 +73669,7 @@ index 4b2878a..fe5913a 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,12 +1206,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1209,15 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -71697,7 +73687,7 @@ index 4b2878a..fe5913a 100644
  	files_read_kernel_symbol_table($1_t)
  
  	ifndef(`enable_mls',`
-@@ -978,23 +1231,72 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1234,72 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -71732,9 +73722,11 @@ index 4b2878a..fe5913a 100644
 +
 +	optional_policy(`
 +		cron_role($1_r, $1_t)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		netutils_run_ping_cond($1_t, $1_r)
+-		netutils_run_traceroute_cond($1_t, $1_r)
 +		games_rw_data($1_usertype)
 +	')
 +
@@ -71756,11 +73748,9 @@ index 4b2878a..fe5913a 100644
 +
 +	optional_policy(`
 +		java_role_template($1, $1_r, $1_t)
- 	')
- 
- 	optional_policy(`
--		netutils_run_ping_cond($1_t, $1_r)
--		netutils_run_traceroute_cond($1_t, $1_r)
++	')
++
++	optional_policy(`
 +		mono_role_template($1, $1_r, $1_t)
 +	')
 +
@@ -71779,7 +73769,7 @@ index 4b2878a..fe5913a 100644
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1003,7 +1305,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1308,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -71790,7 +73780,7 @@ index 4b2878a..fe5913a 100644
  	')
  ')
  
-@@ -1039,7 +1343,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1346,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -71799,7 +73789,7 @@ index 4b2878a..fe5913a 100644
  	')
  
  	##############################
-@@ -1066,6 +1370,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1373,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -71807,7 +73797,7 @@ index 4b2878a..fe5913a 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1074,6 +1379,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1382,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -71817,7 +73807,7 @@ index 4b2878a..fe5913a 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1396,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1399,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -71825,7 +73815,7 @@ index 4b2878a..fe5913a 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1105,10 +1414,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1417,13 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -71839,7 +73829,7 @@ index 4b2878a..fe5913a 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1119,29 +1431,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1434,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -71882,7 +73872,7 @@ index 4b2878a..fe5913a 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1472,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1475,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -71891,7 +73881,7 @@ index 4b2878a..fe5913a 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1533,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1536,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -71900,7 +73890,7 @@ index 4b2878a..fe5913a 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,8 +1547,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1550,9 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -71911,7 +73901,7 @@ index 4b2878a..fe5913a 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1234,13 +1560,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1563,24 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -71940,7 +73930,7 @@ index 4b2878a..fe5913a 100644
  	')
  
  	optional_policy(`
-@@ -1251,12 +1588,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1591,12 @@ template(`userdom_security_admin_template',`
  		dmesg_exec($1)
  	')
  
@@ -71956,7 +73946,7 @@ index 4b2878a..fe5913a 100644
  	')
  
  	optional_policy(`
-@@ -1279,54 +1616,66 @@ template(`userdom_security_admin_template',`
+@@ -1279,54 +1619,66 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -72038,14 +74028,13 @@ index 4b2878a..fe5913a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1334,9 +1683,46 @@ interface(`userdom_setattr_user_ptys',`
+@@ -1334,7 +1686,44 @@ interface(`userdom_setattr_user_ptys',`
  ##	</summary>
  ## </param>
  #
 -interface(`userdom_create_user_pty',`
 +interface(`userdom_attach_admin_tun_iface',`
- 	gen_require(`
--		type user_devpts_t;
++	gen_require(`
 +		attribute admindomain;
 +	')
 +
@@ -72082,12 +74071,10 @@ index 4b2878a..fe5913a 100644
 +## </param>
 +#
 +interface(`userdom_create_user_pty',`
-+	gen_require(`
-+		type user_devpts_t;
+ 	gen_require(`
+ 		type user_devpts_t;
  	')
- 
- 	term_create_pty($1, user_devpts_t)
-@@ -1395,6 +1781,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1784,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -72095,7 +74082,7 @@ index 4b2878a..fe5913a 100644
  	files_search_home($1)
  ')
  
-@@ -1441,6 +1828,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1831,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -72110,7 +74097,7 @@ index 4b2878a..fe5913a 100644
  ')
  
  ########################################
-@@ -1456,9 +1851,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1854,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -72122,7 +74109,7 @@ index 4b2878a..fe5913a 100644
  ')
  
  ########################################
-@@ -1515,6 +1912,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1915,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -72165,7 +74152,7 @@ index 4b2878a..fe5913a 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1589,6 +2022,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2025,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -72174,7 +74161,7 @@ index 4b2878a..fe5913a 100644
  ')
  
  ########################################
-@@ -1603,10 +2038,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2041,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -72189,7 +74176,7 @@ index 4b2878a..fe5913a 100644
  ')
  
  ########################################
-@@ -1649,6 +2086,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2089,43 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -72233,7 +74220,7 @@ index 4b2878a..fe5913a 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1668,6 +2142,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2145,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -72259,7 +74246,7 @@ index 4b2878a..fe5913a 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1700,12 +2193,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2196,32 @@ interface(`userdom_read_user_home_content_files',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -72292,7 +74279,7 @@ index 4b2878a..fe5913a 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2229,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2232,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -72310,7 +74297,7 @@ index 4b2878a..fe5913a 100644
  ')
  
  ########################################
-@@ -1779,6 +2295,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2298,60 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -72371,7 +74358,7 @@ index 4b2878a..fe5913a 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1810,8 +2380,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2383,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -72381,7 +74368,7 @@ index 4b2878a..fe5913a 100644
  ')
  
  ########################################
-@@ -1827,20 +2396,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2399,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -72406,7 +74393,7 @@ index 4b2878a..fe5913a 100644
  
  ########################################
  ## <summary>
-@@ -1941,6 +2504,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2507,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -72431,7 +74418,7 @@ index 4b2878a..fe5913a 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2008,7 +2589,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2592,7 @@ interface(`userdom_user_home_dir_filetrans',`
  		type user_home_dir_t;
  	')
  
@@ -72440,7 +74427,7 @@ index 4b2878a..fe5913a 100644
  	files_search_home($1)
  ')
  
-@@ -2039,7 +2620,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2623,7 @@ interface(`userdom_user_home_content_filetrans',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -72449,7 +74436,7 @@ index 4b2878a..fe5913a 100644
  	allow $1 user_home_dir_t:dir search_dir_perms;
  	files_search_home($1)
  ')
-@@ -2182,7 +2763,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2766,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -72458,7 +74445,7 @@ index 4b2878a..fe5913a 100644
  ')
  
  ########################################
-@@ -2390,7 +2971,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2974,7 @@ interface(`userdom_user_tmp_filetrans',`
  		type user_tmp_t;
  	')
  
@@ -72467,7 +74454,7 @@ index 4b2878a..fe5913a 100644
  	files_search_tmp($1)
  ')
  
-@@ -2435,13 +3016,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3019,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -72483,7 +74470,7 @@ index 4b2878a..fe5913a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,26 +3044,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +3047,6 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -72510,7 +74497,7 @@ index 4b2878a..fe5913a 100644
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2572,7 +3134,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3137,7 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -72519,7 +74506,7 @@ index 4b2878a..fe5913a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2580,70 +3142,138 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,70 +3145,138 @@ interface(`userdom_use_user_ttys',`
  ##	</summary>
  ## </param>
  #
@@ -72687,7 +74674,7 @@ index 4b2878a..fe5913a 100644
  ########################################
  ## <summary>
  ##	Execute a shell in all user domains.  This
-@@ -2713,6 +3343,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2713,6 +3346,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -72712,7 +74699,7 @@ index 4b2878a..fe5913a 100644
  ########################################
  ## <summary>
  ##	Execute an Xserver session in all unprivileged user domains.  This
-@@ -2736,24 +3384,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2736,24 +3387,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -72737,7 +74724,7 @@ index 4b2878a..fe5913a 100644
  ########################################
  ## <summary>
  ##	Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3402,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2772,25 +3405,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  	allow $1 unpriv_userdomain:sem create_sem_perms;
  ')
  
@@ -72763,7 +74750,7 @@ index 4b2878a..fe5913a 100644
  ########################################
  ## <summary>
  ##	Manage unpriviledged user SysV shared
-@@ -2852,7 +3463,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3466,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -72772,7 +74759,7 @@ index 4b2878a..fe5913a 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2868,29 +3479,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3482,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -72806,7 +74793,7 @@ index 4b2878a..fe5913a 100644
  ')
  
  ########################################
-@@ -2972,7 +3567,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3570,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -72815,7 +74802,7 @@ index 4b2878a..fe5913a 100644
  ')
  
  ########################################
-@@ -3027,7 +3622,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3625,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -72862,7 +74849,7 @@ index 4b2878a..fe5913a 100644
  ')
  
  ########################################
-@@ -3064,6 +3697,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3700,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -72870,7 +74857,7 @@ index 4b2878a..fe5913a 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3142,6 +3776,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3779,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -72895,7 +74882,32 @@ index 4b2878a..fe5913a 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3846,1076 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3160,6 +3815,24 @@ interface(`userdom_sigchld_all_users',`
+ 
+ ########################################
+ ## <summary>
++##	Read keys for all user domains.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_read_all_users_keys',`
++	gen_require(`
++		attribute userdomain;
++	')
++
++	allow $1 userdomain:key read;
++')
++
++########################################
++## <summary>
+ ##	Create keys for all user domains.
+ ## </summary>
+ ## <param name="domain">
+@@ -3194,3 +3867,1076 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
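Review bot: `userdom_read_all_users_keys` grants `key read` against the whole `userdomain` attribute, which lets the caller read the payload of every user's keyring entries rather than merely enumerate them, and the summary at the top of the hunk ("Read keys for all user domains.") does not convey that breadth. Suggest sharpening it to `##	Read the payload of keys owned by all user domains. Callers that only need to enumerate or look up keys should be granted view/search rather than this interface.` The commit message ties this to ssh_t using kernel keyrings, but the caller is not in this hunk, so whether a narrower key permission would suffice cannot be confirmed here.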
diff --git a/selinux-policy.spec b/selinux-policy.spec
index dac1d3d..196be9c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 33%{?dist}
+Release: 34%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,16 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Sep 29 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-34
+- Add support for Clustered Samba commands
+-  Allow ricci_modrpm_t to send log msgs
+- move permissive virt_qmf_t from virt.te to permissivedomains.te
+- Allow ssh_t to use kernel keyrings
+- Add policy for libvirt-qmf and more fixes for linux containers
+- Initial Polipo
+- Sanlock needs to run ranged in order to kill svirt processes
+- Allow smbcontrol to stream connect to ctdbd
+
 * Fri Sep 23 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-33
 - Change screen to use screen_domain attribute and allow screen_domains to read all process domain state
 - Add SELinux support for ssh pre-auth net process in F17

