[selinux-policy/f17] * Fri Apr 6 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-111 - Rename rdate port to time port, and

Miroslav Grepl mgrepl at fedoraproject.org
Fri Apr 6 07:26:21 UTC 2012


commit 403ed5d259526132cf80815203d064ef4ea5f91e
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Apr 6 09:26:04 2012 +0200

    * Fri Apr 6 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-111
    - Rename rdate port to time port, and allow gnomeclock to connec
    - We no longer need to transition to ldconfig from rpm, rpm_scri
    - /etc/auto.* should be labeled bin_t
    - Add httpd_use_fusefs boolean
    - Add fixes for heartbeat
    - Allow sshd_t to signal processes that it transitions to
    - Add condor policy
    - Allow svirt to create monitors in ~/.libvirt
    - Allow dovecot to domtrans sendmail to handle sieve scripts
    - Lot of fixes for cfengine

 modules-targeted.conf |    7 +
 permissivedomains.pp  |  Bin 87258 -> 89502 bytes
 permissivedomains.te  |   17 +
 policy-F16.patch      | 1326 ++++++++++++++++++++++++++++++++++++++-----------
 selinux-policy.spec   |   14 +-
 5 files changed, 1082 insertions(+), 282 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index a26ebe1..d9d1f2c 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2522,3 +2522,10 @@ jockey = module
 #  numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology
 #
 numad = module
+
+# Layer: services
+# Module: condor
+# 
+#  policy for condor
+# 
+condor = module 
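Review bot: The comment block for the new module says only `#  policy for condor`, while the numad entry just above gives a one-line summary of what the daemon does; a matching `#  condor - <one-line summary of the condor daemons>` line keeps the file self-describing. The `condor = module ` line also carries a trailing space that none of its neighbours have.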
diff --git a/permissivedomains.pp b/permissivedomains.pp
index d30be32..0b07d35 100644
Binary files a/permissivedomains.pp and b/permissivedomains.pp differ
diff --git a/permissivedomains.te b/permissivedomains.te
index 3f7b35a..7e7f75c 100644
--- a/permissivedomains.te
+++ b/permissivedomains.te
@@ -119,3 +119,20 @@ optional_policy(`
 
         permissive numad_t;
 ')
+
+optional_policy(`
+    gen_require(`
+        type condor_collector_t;
+        type condor_negotiator_t;
+        type condor_startd_t;
+        type condor_schedd_t;
+        type condor_procd_t;
+        type condor_master_t;
+    ')
+    permissive condor_collector_t;
+    permissive condor_negotiator_t;
+    permissive condor_schedd_t;
+    permissive condor_startd_t;
+    permissive condor_procd_t;
+    permissive condor_master_t;
+')
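Review bot: All six condor domains are marked permissive here, so until these lines are removed SELinux only audits denials for the condor daemons and enforces nothing against them, even though the changelog also registers a network port for them. That is the usual practice for a brand-new module, but it deserves a marker so the exemption is not forgotten: `# condor policy is new (3.10.0-111); drop once AVCs stop appearing` above the first `permissive` line. The `permissive` statements also list schedd before startd while `gen_require` lists startd first; ordering the two lists the same way makes them easier to compare.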
diff --git a/policy-F16.patch b/policy-F16.patch
index 2bcd13f..8e93f9c 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -58629,11 +58629,15 @@ index 057abb0..c75e9e9 100644
  optional_policy(`
  	nscd_dontaudit_search_pid(amtu_t)
 diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
-index e81bdbd..dd1522d 100644
+index e81bdbd..c3328eb 100644
 --- a/policy/modules/admin/anaconda.te
 +++ b/policy/modules/admin/anaconda.te
-@@ -26,10 +26,8 @@ libs_domtrans_ldconfig(anaconda_t)
+@@ -22,14 +22,10 @@ kernel_domtrans_to(anaconda_t, anaconda_exec_t)
  
+ init_domtrans_script(anaconda_t)
+ 
+-libs_domtrans_ldconfig(anaconda_t)
+-
  logging_send_syslog_msg(anaconda_t)
  
 -modutils_domtrans_insmod(anaconda_t)
@@ -58644,7 +58648,7 @@ index e81bdbd..dd1522d 100644
  
  userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
  
-@@ -38,6 +36,10 @@ optional_policy(`
+@@ -38,6 +34,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -58655,7 +58659,7 @@ index e81bdbd..dd1522d 100644
  	rpm_domtrans(anaconda_t)
  	rpm_domtrans_script(anaconda_t)
  ')
-@@ -51,7 +53,7 @@ optional_policy(`
+@@ -51,7 +51,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61152,7 +61156,7 @@ index d33daa8..8ba0f86 100644
 +	allow rpm_script_t $1:process sigchld;
 +')
 diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..b9c7b11 100644
+index 47a8f7d..a609a22 100644
 --- a/policy/modules/admin/rpm.te
 +++ b/policy/modules/admin/rpm.te
 @@ -1,10 +1,11 @@
@@ -61235,7 +61239,7 @@ index 47a8f7d..b9c7b11 100644
  domain_use_interactive_fds(rpm_t)
  domain_dontaudit_getattr_all_pipes(rpm_t)
  domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
-@@ -173,11 +192,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+@@ -173,23 +192,26 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
  domain_dontaudit_getattr_all_raw_sockets(rpm_t)
  domain_dontaudit_getattr_all_stream_sockets(rpm_t)
  domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
@@ -61249,7 +61253,7 @@ index 47a8f7d..b9c7b11 100644
  
  libs_exec_ld_so(rpm_t)
  libs_exec_lib_files(rpm_t)
-@@ -185,11 +206,13 @@ libs_domtrans_ldconfig(rpm_t)
+-libs_domtrans_ldconfig(rpm_t)
  
  logging_send_syslog_msg(rpm_t)
  
@@ -61264,7 +61268,7 @@ index 47a8f7d..b9c7b11 100644
  userdom_use_unpriv_users_fds(rpm_t)
  
  optional_policy(`
-@@ -207,6 +230,7 @@ optional_policy(`
+@@ -207,6 +229,7 @@ optional_policy(`
  	optional_policy(`
  		networkmanager_dbus_chat(rpm_t)
  	')
@@ -61272,7 +61276,7 @@ index 47a8f7d..b9c7b11 100644
  ')
  
  optional_policy(`
-@@ -214,7 +238,7 @@ optional_policy(`
+@@ -214,7 +237,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61281,7 +61285,7 @@ index 47a8f7d..b9c7b11 100644
  	# yum-updatesd requires this
  	unconfined_dbus_chat(rpm_t)
  	unconfined_dbus_chat(rpm_script_t)
-@@ -225,7 +249,8 @@ optional_policy(`
+@@ -225,7 +248,8 @@ optional_policy(`
  # rpm-script Local policy
  #
  
@@ -61291,7 +61295,7 @@ index 47a8f7d..b9c7b11 100644
  allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
  allow rpm_script_t self:fd use;
  allow rpm_script_t self:fifo_file rw_fifo_file_perms;
-@@ -257,12 +282,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+@@ -257,12 +281,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
  fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  can_exec(rpm_script_t, rpm_script_tmpfs_t)
  
@@ -61310,7 +61314,7 @@ index 47a8f7d..b9c7b11 100644
  dev_list_sysfs(rpm_script_t)
  
  # ideally we would not need this
-@@ -282,7 +313,6 @@ fs_unmount_xattr_fs(rpm_script_t)
+@@ -282,7 +312,6 @@ fs_unmount_xattr_fs(rpm_script_t)
  fs_search_auto_mountpoints(rpm_script_t)
  
  mcs_killall(rpm_script_t)
@@ -61318,7 +61322,7 @@ index 47a8f7d..b9c7b11 100644
  
  mls_file_read_all_levels(rpm_script_t)
  mls_file_write_all_levels(rpm_script_t)
-@@ -299,19 +329,20 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -299,19 +328,20 @@ storage_raw_write_fixed_disk(rpm_script_t)
  
  term_getattr_unallocated_ttys(rpm_script_t)
  term_list_ptys(rpm_script_t)
@@ -61343,7 +61347,12 @@ index 47a8f7d..b9c7b11 100644
  domain_use_interactive_fds(rpm_script_t)
  domain_signal_all_domains(rpm_script_t)
  domain_signull_all_domains(rpm_script_t)
-@@ -331,23 +362,24 @@ libs_domtrans_ldconfig(rpm_script_t)
+@@ -326,28 +356,28 @@ init_telinit(rpm_script_t)
+ 
+ libs_exec_ld_so(rpm_script_t)
+ libs_exec_lib_files(rpm_script_t)
+-libs_domtrans_ldconfig(rpm_script_t)
+ 
  logging_send_syslog_msg(rpm_script_t)
  
  miscfiles_read_localization(rpm_script_t)
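Review bot: Dropping `libs_domtrans_ldconfig(rpm_script_t)` means ldconfig invoked from a %post scriptlet now runs in rpm_script_t itself, and the surviving `libs_exec_ld_so`/`libs_exec_lib_files` lines cover neither the ldconfig binary nor the cache it rewrites. Unless rpm_script_t is made unconfined or granted this in a hunk outside this view, it needs `libs_exec_ldconfig(rpm_script_t)` plus write access to ld.so.cache (`libs_manage_ld_so_cache` if the interface is available), or scriptlets that call ldconfig will start producing AVCs in enforcing mode. The rpm_script_t policy block continues beyond this hunk.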
@@ -61372,7 +61381,7 @@ index 47a8f7d..b9c7b11 100644
  	allow rpm_script_t self:process execmem;
  ')
  
-@@ -356,6 +388,10 @@ optional_policy(`
+@@ -356,6 +386,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61383,7 +61392,7 @@ index 47a8f7d..b9c7b11 100644
  	dbus_system_bus_client(rpm_script_t)
  ')
  
-@@ -368,6 +404,11 @@ optional_policy(`
+@@ -368,6 +402,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61395,7 +61404,7 @@ index 47a8f7d..b9c7b11 100644
  	tzdata_domtrans(rpm_t)
  	tzdata_domtrans(rpm_script_t)
  ')
-@@ -377,7 +418,7 @@ optional_policy(`
+@@ -377,7 +416,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63184,7 +63193,7 @@ index 0000000..efebae7
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..6f05817
+index 0000000..27363a4
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
 @@ -0,0 +1,183 @@
@@ -63365,7 +63374,7 @@ index 0000000..6f05817
 +userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
 +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
 +userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
-+userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
 +
 +optional_policy(`
 +	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
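Review bot: Widening `userdom_read_inherited_user_tmp_files` to `userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)` gives the NaCl sandbox domain — presumably the one that runs downloaded native modules — write access through any user_tmp_t descriptor the browser hands it, and nothing in the hunk records why writing became necessary. A one-line why-comment would stop the next reviewer from tightening it back: `# NaCl modules write through tmp fds inherited from the browser; read-only broke <use case>`, filled in with the actual failure. Because the access is limited to inherited descriptors rather than opening files by name, the widening is defensible once documented.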
@@ -71509,7 +71518,7 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..d0282f6 100644
+index 3fae11a..73fd79f 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -71524,7 +71533,15 @@ index 3fae11a..d0282f6 100644
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -71,6 +72,13 @@ ifdef(`distro_redhat',`
+@@ -46,6 +47,7 @@ ifdef(`distro_redhat',`
+ /etc/apcupsd/offbattery		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/apcupsd/onbattery		--	gen_context(system_u:object_r:bin_t,s0)
+ 
++/etc/auto\.[^/]*		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/avahi/.*\.action 		--	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
+@@ -71,6 +73,13 @@ ifdef(`distro_redhat',`
  /etc/kde/env(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
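Review bot: The new `/etc/auto\.[^/]*` entry labels every such file bin_t, including `/etc/auto.master` and map files like `/etc/auto.misc`, which autofs reads as data rather than executes. It appears to match the upstream refpolicy pattern and is harmless for domains that can already execute bin_t, but any domain that only reads those maps must now hold bin_t read permission, and maps created by an administrator pick up the label only after a relabel. A short comment stating the intent, `# autofs maps may be executable scripts, so the whole family is bin_t`, would explain why config-looking files carry an executable label.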
@@ -71538,7 +71555,7 @@ index 3fae11a..d0282f6 100644
  /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
  /etc/mcelog/cache-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
  /etc/mcelog/triggers(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -97,8 +105,6 @@ ifdef(`distro_redhat',`
+@@ -97,8 +106,6 @@ ifdef(`distro_redhat',`
  
  /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
  
@@ -71547,7 +71564,7 @@ index 3fae11a..d0282f6 100644
  /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -130,18 +136,14 @@ ifdef(`distro_debian',`
+@@ -130,18 +137,14 @@ ifdef(`distro_debian',`
  
  /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -71568,7 +71585,7 @@ index 3fae11a..d0282f6 100644
  
  /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -152,7 +154,7 @@ ifdef(`distro_gentoo',`
+@@ -152,7 +155,7 @@ ifdef(`distro_gentoo',`
  #
  # /sbin
  #
@@ -71577,7 +71594,7 @@ index 3fae11a..d0282f6 100644
  /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
  /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
  /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +170,7 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +171,7 @@ ifdef(`distro_gentoo',`
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -71585,7 +71602,7 @@ index 3fae11a..d0282f6 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -179,67 +182,93 @@ ifdef(`distro_gentoo',`
+@@ -179,67 +183,93 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -71724,7 +71741,7 @@ index 3fae11a..d0282f6 100644
  
  /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -247,11 +276,18 @@ ifdef(`distro_gentoo',`
+@@ -247,11 +277,18 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -71744,7 +71761,7 @@ index 3fae11a..d0282f6 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -267,6 +303,10 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +304,10 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -71755,7 +71772,7 @@ index 3fae11a..d0282f6 100644
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,15 +326,19 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +327,19 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -71776,7 +71793,7 @@ index 3fae11a..d0282f6 100644
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +350,12 @@ ifdef(`distro_redhat', `
+@@ -306,10 +351,12 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -71787,11 +71804,11 @@ index 3fae11a..d0282f6 100644
 -/usr/lib64/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/nfs-utils/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/oracle/xe/apps(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/tuned/powersave/.*\.sh	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/tuned/.*/.*\.sh  		--  gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
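Review bot: The broadened `/usr/lib/tuned/.*/.*\.sh` entry is aligned with runs of spaces where every neighbouring line uses tabs before `--` and `gen_context`, so it will stand out in the file; keeping the tab layout of the line it replaces fixes that. The wider regex now labels shell scripts under every tuned profile directory rather than just `powersave`, which reads as the intent, but a comment such as `# scripts of every tuned profile, not only powersave` would make it explicit for the next reader.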
-@@ -319,9 +365,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +366,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -71803,7 +71820,7 @@ index 3fae11a..d0282f6 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,20 +411,21 @@ ifdef(`distro_redhat', `
+@@ -363,20 +412,21 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -71829,7 +71846,7 @@ index 3fae11a..d0282f6 100644
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +434,13 @@ ifdef(`distro_suse', `
+@@ -385,3 +435,13 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -73372,7 +73389,7 @@ index 4f3b542..63f4e1c 100644
 +	dev_filetrans($1, ppp_device_t, chr_file, "ppp")
 +')
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..949b72f 100644
+index 99b71cb..a8962b5 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,15 @@ attribute netif_type;
@@ -73436,7 +73453,7 @@ index 99b71cb..949b72f 100644
  # reserved_port_t is the type of INET port numbers below 1024.
  #
  type reserved_port_t, port_type, reserved_port_type;
-@@ -65,30 +93,38 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+@@ -65,30 +93,39 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
  type server_packet_t, packet_type, server_packet_type;
  
  network_port(afs_bos, udp,7007,s0)
@@ -73471,12 +73488,13 @@ index 99b71cb..949b72f 100644
  network_port(cobbler, tcp,25151,s0)
 +network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0)
  network_port(comsat, udp,512,s0)
++network_port(condor, tcp, 9618,s0, udp, 9618,s0)
 +network_port(couchdb, tcp,5984,s0, udp,5984,s0)
 +network_port(ctdb, tcp,4379,s0, udp,4379,s0)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
  network_port(daap, tcp,3689,s0, udp,3689,s0)
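Review bot: The new `network_port(condor, tcp, 9618,s0, udp, 9618,s0)` line puts a space after `tcp,` and `udp,` where every sibling writes the protocol and port together; M4 tolerates it, but `network_port(condor, tcp,9618,s0, udp,9618,s0)` matches the file's style. This port type is only useful if the condor module the changelog adds calls the generated `corenet_*_condor_port` interfaces rather than falling back to unreserved ports; that module is outside this view, so it is worth confirming.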
-@@ -99,14 +135,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -99,14 +136,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
@@ -73500,7 +73518,7 @@ index 99b71cb..949b72f 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -115,11 +160,13 @@ network_port(hddtemp, tcp,7634,s0)
+@@ -115,11 +161,13 @@ network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -73516,7 +73534,7 @@ index 99b71cb..949b72f 100644
  network_port(ipmi, udp,623,s0, udp,664,s0)
  network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
  network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +176,28 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +177,28 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -73548,7 +73566,7 @@ index 99b71cb..949b72f 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +207,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,21 +208,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netport, tcp,3129,s0, udp,3129,s0)
  network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -73581,7 +73599,7 @@ index 99b71cb..949b72f 100644
  network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
-@@ -175,38 +240,46 @@ network_port(pulseaudio, tcp,4713,s0)
+@@ -175,38 +241,46 @@ network_port(pulseaudio, tcp,4713,s0)
  network_port(puppet, tcp, 8140, s0)
  network_port(pxe, udp,4011,s0)
  network_port(pyzor, udp,24441,s0)
@@ -73590,7 +73608,7 @@ index 99b71cb..949b72f 100644
  network_port(radius, udp,1645,s0, udp,1812,s0)
  network_port(radsec, tcp,2083,s0)
  network_port(razor, tcp,2703,s0)
-+network_port(rdate, tcp,37,s0, udp,37,s0)
++network_port(time, tcp,37,s0, udp,37,s0)
 +network_port(repository, tcp, 6363, s0)
  network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
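Review bot: Renaming the port from `rdate` to `time` changes the generated type from `rdate_port_t` to `time_port_t` and every `corenet_*_rdate_port` interface, so any module or local policy still referencing the old names stops building, and nothing in this hunk preserves them. If the rdate name was ever shipped in a release, add `typealias time_port_t alias rdate_port_t;` after the `network_port` line so existing loaded modules keep resolving, and either re-add or migrate the callers of the old interfaces. The gnomeclock caller mentioned in the changelog is outside this view, so whether it was updated cannot be confirmed here.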
@@ -73634,7 +73652,7 @@ index 99b71cb..949b72f 100644
  network_port(traceroute, udp,64000-64010,s0)
  network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
-@@ -215,9 +288,12 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +289,12 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -73648,7 +73666,7 @@ index 99b71cb..949b72f 100644
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -229,6 +305,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +306,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -73656,7 +73674,7 @@ index 99b71cb..949b72f 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +315,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +316,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
  portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -73669,7 +73687,7 @@ index 99b71cb..949b72f 100644
  
  ########################################
  #
-@@ -282,9 +365,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +366,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -78010,7 +78028,7 @@ index cda5588..e89e4bf 100644
 +/usr/lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
 +/usr/lib/udev/devices/shm/.*	<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..e8f904f 100644
+index 97fcdac..cddd329 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -78281,7 +78299,7 @@ index 97fcdac..e8f904f 100644
  ##	Mount a DOS filesystem, such as
  ##	FAT32 or NTFS.
  ## </summary>
-@@ -2025,6 +2185,24 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -2025,6 +2185,68 @@ interface(`fs_read_fusefs_symlinks',`
  
  ########################################
  ## <summary>
@@ -78303,10 +78321,54 @@ index 97fcdac..e8f904f 100644
 +
 +########################################
 +## <summary>
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.
++## </summary>
++## <desc>
++##	<p>
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.  This allows
++##	the specified domain to execute any file
++##	on these filesystems in the specified
++##	domain.  This is not suggested.
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++##	<p>
++##	This interface was added to handle
++##	home directories on FUSE filesystems,
++##	in particular used by the ssh-agent policy.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`fs_fusefs_domtrans',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	allow $1 fusefs_t:dir search_dir_perms;
++	domain_auto_transition_pattern($1, fusefs_t, $2)
++')
++
++########################################
++## <summary>
  ##	Get the attributes of an hugetlbfs
  ##	filesystem.
  ## </summary>
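Review bot: `fs_fusefs_domtrans` auto-transitions `$1` to `$2` on executing any file of type `fusefs_t`, and because a single `fusefs_t` type covers every FUSE mount — including ones an unprivileged user mounts — whoever controls such a mount chooses the binary that ends up running in `$2`. The "This is not suggested" sentence does not say this; adding `Callers should gate this on a boolean, since FUSE mounts are commonly user-controlled` to the `<desc>` would warn policy authors. The paragraph claiming the interface exists for ssh-agent home directories reads as copied from the NFS variant and should be checked against the real motivation, which the changelog suggests is the httpd_use_fusefs boolean.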
-@@ -2080,6 +2258,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2080,6 +2302,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
  
  ########################################
  ## <summary>
@@ -78331,7 +78393,7 @@ index 97fcdac..e8f904f 100644
  ##	Read and write hugetlbfs files.
  ## </summary>
  ## <param name="domain">
-@@ -2148,6 +2344,7 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,6 +2388,7 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -78339,7 +78401,7 @@ index 97fcdac..e8f904f 100644
  ')
  
  ########################################
-@@ -2480,6 +2677,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2721,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -78347,7 +78409,7 @@ index 97fcdac..e8f904f 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2518,6 +2716,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2760,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -78355,7 +78417,7 @@ index 97fcdac..e8f904f 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2544,6 +2743,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2787,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -78381,7 +78443,7 @@ index 97fcdac..e8f904f 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2584,6 +2802,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +2846,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -78424,7 +78486,7 @@ index 97fcdac..e8f904f 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2598,7 +2852,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +2896,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -78433,7 +78495,7 @@ index 97fcdac..e8f904f 100644
  ')
  
  ########################################
-@@ -2736,7 +2990,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +3034,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -78442,7 +78504,7 @@ index 97fcdac..e8f904f 100644
  ##	</summary>
  ## </param>
  #
-@@ -2772,7 +3026,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +3070,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -78451,7 +78513,7 @@ index 97fcdac..e8f904f 100644
  ##	</summary>
  ## </param>
  #
-@@ -2965,6 +3219,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3263,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -78459,7 +78521,7 @@ index 97fcdac..e8f904f 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3005,6 +3260,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3304,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -78467,7 +78529,7 @@ index 97fcdac..e8f904f 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3045,6 +3301,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3345,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -78475,7 +78537,7 @@ index 97fcdac..e8f904f 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3258,6 +3515,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3258,6 +3559,24 @@ interface(`fs_getattr_nfsd_files',`
  	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
  ')
  
@@ -78500,7 +78562,7 @@ index 97fcdac..e8f904f 100644
  ########################################
  ## <summary>
  ##	Read and write NFS server files.
-@@ -3810,6 +4085,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3810,6 +4129,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -78525,7 +78587,7 @@ index 97fcdac..e8f904f 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3958,6 +4251,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4295,42 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
@@ -78568,7 +78630,7 @@ index 97fcdac..e8f904f 100644
  ##	Create, read, write, and delete
  ##	tmpfs directories
  ## </summary>
-@@ -4059,7 +4388,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4059,7 +4432,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
  		type tmpfs_t;
  	')
  
@@ -78577,7 +78639,7 @@ index 97fcdac..e8f904f 100644
  ')
  
  ########################################
-@@ -4119,6 +4448,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4119,6 +4492,24 @@ interface(`fs_rw_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -78602,7 +78664,7 @@ index 97fcdac..e8f904f 100644
  ##	Read tmpfs link files.
  ## </summary>
  ## <param name="domain">
-@@ -4175,6 +4522,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4566,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -78627,7 +78689,7 @@ index 97fcdac..e8f904f 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4251,6 +4616,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4251,6 +4660,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -78653,7 +78715,7 @@ index 97fcdac..e8f904f 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4457,6 +4841,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4885,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -78662,7 +78724,7 @@ index 97fcdac..e8f904f 100644
  ')
  
  ########################################
-@@ -4503,7 +4889,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4933,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -78671,7 +78733,7 @@ index 97fcdac..e8f904f 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4866,3 +5252,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5296,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -84098,7 +84160,7 @@ index c0f858d..10a0cd6 100644
 +	allow $1 accountsd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
-index 1632f10..1204d7f 100644
+index 1632f10..15b7925 100644
 --- a/policy/modules/services/accountsd.te
 +++ b/policy/modules/services/accountsd.te
 @@ -1,5 +1,9 @@
@@ -84156,7 +84218,13 @@ index 1632f10..1204d7f 100644
  
  miscfiles_read_localization(accountsd_t)
  
-@@ -55,3 +70,9 @@ optional_policy(`
+@@ -50,8 +65,15 @@ usermanage_domtrans_passwd(accountsd_t)
+ 
+ optional_policy(`
+ 	consolekit_read_log(accountsd_t)
++	consolekit_dbus_chat(accountsd_t)
+ ')
+ 
  optional_policy(`
  	policykit_dbus_chat(accountsd_t)
  ')
@@ -85518,10 +85586,10 @@ index 6480167..4fc1968 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..639f834 100644
+index 3136c6a..80880c0 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
-@@ -18,136 +18,247 @@ policy_module(apache, 2.2.1)
+@@ -18,136 +18,254 @@ policy_module(apache, 2.2.1)
  # Declarations
  #
  
@@ -85644,10 +85712,7 @@ index 3136c6a..639f834 100644
  gen_tunable(httpd_can_sendmail, false)
  
 +
- ## <desc>
--## <p>
--## Allow Apache to communicate with avahi service via dbus
--## </p>
++## <desc>
 +##  <p>
 +##  Allow http daemon to connect to zabbix
 +##  </p>
@@ -85661,7 +85726,10 @@ index 3136c6a..639f834 100644
 +## </desc>
 +gen_tunable(httpd_can_check_spam, false)
 +
-+## <desc>
+ ## <desc>
+-## <p>
+-## Allow Apache to communicate with avahi service via dbus
+-## </p>
 +##	<p>
 +##	Allow Apache to communicate with avahi service via dbus
 +##	</p>
@@ -85785,6 +85853,13 @@ index 3136c6a..639f834 100644
 -## Allow httpd to run gpg
 -## </p>
 +##	<p>
++##	Allow httpd to access cifs file systems
++##	</p>
++## </desc>
++gen_tunable(httpd_use_fusefs, false)
++
++## <desc>
++##	<p>
 +##	Allow httpd to run gpg in gpg-web domain
 +##	</p>
  ## </desc>
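Review bot: The description added for the new `httpd_use_fusefs` boolean says "Allow httpd to access cifs file systems", which is copied from the cifs boolean and is the text an administrator will see when listing booleans. The rules this boolean enables in the later hunks of this file are about FUSE-mounted file systems, so the line should read `##	Allow httpd to access FUSE file systems`. Since those later hunks also give the httpd script domains write access and suexec execute access under the same boolean, wording that says "read, write and execute files on" rather than "access" would tell an admin more precisely what they are turning on.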
@@ -85825,7 +85900,7 @@ index 3136c6a..639f834 100644
  attribute httpd_script_exec_type;
  attribute httpd_user_script_exec_type;
  
-@@ -166,7 +277,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +284,7 @@ files_type(httpd_cache_t)
  
  # httpd_config_t is the type given to the configuration files
  type httpd_config_t;
@@ -85834,7 +85909,7 @@ index 3136c6a..639f834 100644
  
  type httpd_helper_t;
  type httpd_helper_exec_t;
-@@ -177,6 +288,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +295,9 @@ role system_r types httpd_helper_t;
  type httpd_initrc_exec_t;
  init_script_file(httpd_initrc_exec_t)
  
@@ -85844,7 +85919,7 @@ index 3136c6a..639f834 100644
  type httpd_lock_t;
  files_lock_file(httpd_lock_t)
  
-@@ -216,7 +330,21 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +337,21 @@ files_tmp_file(httpd_suexec_tmp_t)
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
@@ -85867,7 +85942,7 @@ index 3136c6a..639f834 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -226,6 +354,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +361,10 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -85878,7 +85953,7 @@ index 3136c6a..639f834 100644
  userdom_user_home_content(httpd_user_content_t)
  userdom_user_home_content(httpd_user_htaccess_t)
  userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +365,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +372,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
  userdom_user_home_content(httpd_user_rw_content_t)
  typeattribute httpd_user_script_t httpd_script_domains;
  typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -85886,7 +85961,7 @@ index 3136c6a..639f834 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +387,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +394,23 @@ files_type(httpd_var_lib_t)
  type httpd_var_run_t;
  files_pid_file(httpd_var_run_t)
  
@@ -85910,7 +85985,7 @@ index 3136c6a..639f834 100644
  ########################################
  #
  # Apache server local policy
-@@ -281,11 +423,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +430,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
  allow httpd_t self:udp_socket create_socket_perms;
@@ -85924,7 +85999,7 @@ index 3136c6a..639f834 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +473,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +480,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -85935,7 +86010,7 @@ index 3136c6a..639f834 100644
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -339,8 +484,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -339,8 +491,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  
@@ -85946,7 +86021,7 @@ index 3136c6a..639f834 100644
  
  setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
  manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -355,6 +501,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +508,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -85956,7 +86031,7 @@ index 3136c6a..639f834 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +514,16 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +521,16 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -85974,7 +86049,7 @@ index 3136c6a..639f834 100644
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +532,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +539,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -85990,7 +86065,7 @@ index 3136c6a..639f834 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +545,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +552,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -85998,7 +86073,7 @@ index 3136c6a..639f834 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,48 +557,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +564,101 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -86102,8 +86177,14 @@ index 3136c6a..639f834 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,25 +664,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -454,27 +669,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+ 	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+ ')
  
++tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
++	fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
++')
++
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
 +	filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
@@ -86160,7 +86241,7 @@ index 3136c6a..639f834 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +722,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +733,22 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -86174,10 +86255,16 @@ index 3136c6a..639f834 100644
 +	fs_manage_cifs_dirs(httpd_t)
 +	fs_manage_cifs_files(httpd_t)
 +	fs_manage_cifs_symlinks(httpd_t)
++')
++
++tunable_policy(`httpd_use_fusefs',`
++	fs_manage_fusefs_dirs(httpd_t)
++	fs_manage_fusefs_files(httpd_t)
++	fs_manage_fusefs_symlinks(httpd_t)
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +746,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +763,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -86198,7 +86285,7 @@ index 3136c6a..639f834 100644
  ')
  
  optional_policy(`
-@@ -513,7 +770,13 @@ optional_policy(`
+@@ -513,7 +787,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86213,7 +86300,7 @@ index 3136c6a..639f834 100644
  ')
  
  optional_policy(`
-@@ -528,7 +791,19 @@ optional_policy(`
+@@ -528,7 +808,19 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -86234,7 +86321,7 @@ index 3136c6a..639f834 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +812,13 @@ optional_policy(`
+@@ -537,8 +829,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86249,7 +86336,7 @@ index 3136c6a..639f834 100644
  	')
  ')
  
-@@ -556,7 +836,21 @@ optional_policy(`
+@@ -556,7 +853,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86271,7 +86358,7 @@ index 3136c6a..639f834 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +861,7 @@ optional_policy(`
+@@ -567,6 +878,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -86279,7 +86366,7 @@ index 3136c6a..639f834 100644
  ')
  
  optional_policy(`
-@@ -577,6 +872,29 @@ optional_policy(`
+@@ -577,6 +889,29 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86309,7 +86396,7 @@ index 3136c6a..639f834 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +909,11 @@ optional_policy(`
+@@ -591,6 +926,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86321,7 +86408,7 @@ index 3136c6a..639f834 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +926,12 @@ optional_policy(`
+@@ -603,6 +943,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -86334,7 +86421,7 @@ index 3136c6a..639f834 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +945,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +962,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -86347,7 +86434,7 @@ index 3136c6a..639f834 100644
  
  ########################################
  #
-@@ -654,28 +987,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1004,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -86391,7 +86478,7 @@ index 3136c6a..639f834 100644
  ')
  
  ########################################
-@@ -685,6 +1020,8 @@ optional_policy(`
+@@ -685,6 +1037,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -86400,7 +86487,7 @@ index 3136c6a..639f834 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1036,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1053,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -86426,7 +86513,7 @@ index 3136c6a..639f834 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1082,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1099,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -86459,7 +86546,7 @@ index 3136c6a..639f834 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1129,25 @@ optional_policy(`
+@@ -769,6 +1146,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -86485,7 +86572,7 @@ index 3136c6a..639f834 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1168,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1185,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -86503,7 +86590,7 @@ index 3136c6a..639f834 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1187,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1204,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -86560,7 +86647,7 @@ index 3136c6a..639f834 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1238,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1255,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -86588,10 +86675,20 @@ index 3136c6a..639f834 100644
 +	fs_exec_cifs_files(httpd_suexec_t)
 +')
 +
++tunable_policy(`httpd_use_fusefs',`
++	fs_manage_fusefs_dirs(httpd_sys_script_t)
++	fs_manage_fusefs_files(httpd_sys_script_t)
++	fs_manage_fusefs_symlinks(httpd_sys_script_t)
++	fs_manage_fusefs_dirs(httpd_suexec_t)
++	fs_manage_fusefs_files(httpd_suexec_t)
++	fs_manage_fusefs_symlinks(httpd_suexec_t)
++	fs_exec_fusefs_files(httpd_suexec_t)
++')
++
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
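Review bot: The new `httpd_use_fusefs` block grants `httpd_sys_script_t` full manage access and `httpd_suexec_t` execute access on FUSE file systems, but unlike the `fs_fusefs_domtrans` rule added earlier in this file it is not conditioned on `httpd_enable_cgi`, even though both target domains only come into play for CGI. If the cifs block directly above is guarded the same way this is at least consistent, but conditioning it on `httpd_enable_cgi && httpd_use_fusefs` would keep the script-domain grants off on systems where CGI is disabled. `fs_exec_fusefs_files(httpd_suexec_t)` is the rule worth a comment, since FUSE mounts are often user-controlled; `# suexec may run CGI binaries that live on a FUSE mount` records the intent.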
-@@ -842,10 +1273,20 @@ optional_policy(`
+@@ -842,10 +1300,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -86612,7 +86709,7 @@ index 3136c6a..639f834 100644
  ')
  
  ########################################
-@@ -891,11 +1332,135 @@ optional_policy(`
+@@ -891,11 +1359,135 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -90144,7 +90241,7 @@ index 7a6e5ba..e238dfd 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index c3e3f79..7d6e85e 100644
+index c3e3f79..4189861 100644
 --- a/policy/modules/services/certmonger.te
 +++ b/policy/modules/services/certmonger.te
 @@ -18,12 +18,16 @@ files_pid_file(certmonger_var_run_t)
@@ -90200,7 +90297,7 @@ index c3e3f79..7d6e85e 100644
  logging_send_syslog_msg(certmonger_t)
  
  miscfiles_read_localization(certmonger_t)
-@@ -58,15 +72,57 @@ miscfiles_manage_generic_cert_files(certmonger_t)
+@@ -58,15 +72,59 @@ miscfiles_manage_generic_cert_files(certmonger_t)
  
  sysnet_dns_name_resolve(certmonger_t)
  
@@ -90256,14 +90353,16 @@ index c3e3f79..7d6e85e 100644
 +	allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
 +	allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
 +
++	init_domtrans_script(certmonger_unconfined_t)
++
 +	unconfined_domain(certmonger_unconfined_t)
 +')
 diff --git a/policy/modules/services/cfengine.fc b/policy/modules/services/cfengine.fc
 new file mode 100644
-index 0000000..4ec83df
+index 0000000..4c52fa3
 --- /dev/null
 +++ b/policy/modules/services/cfengine.fc
-@@ -0,0 +1,10 @@
+@@ -0,0 +1,12 @@
 +
 +/usr/sbin/cf-serverd		--	gen_context(system_u:object_r:cfengine_serverd_exec_t,s0)
 +/usr/sbin/cf-execd		--	gen_context(system_u:object_r:cfengine_execd_exec_t,s0)
@@ -90274,15 +90373,43 @@ index 0000000..4ec83df
 +/etc/rc\.d/init\.d/cf-execd	--	gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
 +
 +/var/cfengine(/.*)?			gen_context(system_u:object_r:cfengine_var_lib_t,s0)
++/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:cfengine_var_log_t,s0)
++
 diff --git a/policy/modules/services/cfengine.if b/policy/modules/services/cfengine.if
 new file mode 100644
-index 0000000..883b697
+index 0000000..2972c77
 --- /dev/null
 +++ b/policy/modules/services/cfengine.if
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,143 @@
 +
 +## <summary>policy for cfengine</summary>
 +
++######################################
++## <summary>
++##  Creates types and rules for a basic
++##  cfengine init daemon domain.
++## </summary>
++## <param name="prefix">
++##  <summary>
++##  Prefix for the domain.
++##  </summary>
++## </param>
++#
++template(`cfengine_domain_template',`
++    gen_require(`
++        attribute cfengine_domain;
++    ')
++
++	##############################
++	#
++	# Declarations
++	#
++
++	type cfengine_$1_t, cfengine_domain;
++	type cfengine_$1_exec_t;
++	init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t)
++
++')
 +
 +########################################
 +## <summary>
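Review bot: The new `/var/cfengine/outputs(/.*)?` file context line separates the pattern from `gen_context` with a single space, while every other entry in cfengine.fc uses tab-aligned columns; it is valid but reads as an accident next to them. In `cfengine_domain_template` the `gen_require` block is indented with four spaces and the body with tabs (the condor template later in this patch has the same split), so one style should be picked for the file. The template also leaves an empty line before its closing `')`, which the other interfaces in this file do not.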
@@ -90303,6 +90430,24 @@ index 0000000..883b697
 +	domtrans_pattern($1, cfengine_server_exec_t, cfengine_server_t)
 +')
 +
++#######################################
++## <summary>
++##  Search cfengine lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`cfengine_search_lib_files',`
++    gen_require(`
++        type cfengine_var_lib_t;
++    ')
++
++	allow $1 cfengine_var_lib_t:dir search_dir_perms;
++')
++
 +########################################
 +## <summary>
 +##	Read cfengine lib files.
@@ -90322,12 +90467,69 @@ index 0000000..883b697
 +	read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t)
 +')
 +
++######################################
++## <summary>
++##      Allow the specified domain to read cfengine's log files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`cfengine_read_log',`
++        gen_require(`
++                type cfengine_var_log_t;
++        ')
++
++        logging_search_logs($1)
++		files_search_var_lib($1)
++		cfengine_search_lib_files($1)
++        read_files_pattern($1, cfengine_var_log_t, cfengine_var_log_t)
++')
++
++#####################################
++## <summary>
++##      Allow the specified domain to append cfengine's log files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`cfengine_append_inherited_log',`
++        gen_require(`
++                type cfengine_var_log_t;
++        ')
++
++        cfengine_search_lib_files($1)
++		allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
++')
++
++####################################
++## <summary>
++##      Dontaudit the specified domain to write cfengine's log files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`cfengine_dontaudit_write_log',`
++        gen_require(`
++                type cfengine_var_log_t;
++        ')
++
++		dontaudit $1 cfengine_var_log_t:file write;
++')
 diff --git a/policy/modules/services/cfengine.te b/policy/modules/services/cfengine.te
 new file mode 100644
-index 0000000..1ba0484
+index 0000000..02d8a13
 --- /dev/null
 +++ b/policy/modules/services/cfengine.te
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,99 @@
 +policy_module(cfengine, 1.0.0)
 +
 +########################################
@@ -90335,9 +90537,11 @@ index 0000000..1ba0484
 +# Declarations
 +#
 +
-+type cfengine_serverd_t;
-+type cfengine_serverd_exec_t;
-+init_daemon_domain(cfengine_serverd_t, cfengine_serverd_exec_t)
++attribute cfengine_domain;
++
++cfengine_domain_template(serverd)
++cfengine_domain_template(execd)
++cfengine_domain_template(monitord)
 +
 +type cfengine_initrc_exec_t;
 +init_script_file(cfengine_initrc_exec_t)
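Review bot: `cfengine_read_log` pairs `logging_search_logs($1)` and `files_search_var_lib($1)` with a read of `cfengine_var_log_t`, but the file context added in this patch puts those logs under `/var/cfengine/outputs`, which is under neither `/var/log` nor `/var/lib`; a caller that does not already have search on `/var` itself will be stopped at the `var_t` directory. The same applies to `cfengine_append_inherited_log`, which only calls `cfengine_search_lib_files($1)`. Replacing the `/var/lib` search with `files_search_var($1)` in both interfaces matches where the files actually live. The three new interfaces also mix eight-space and tab indentation inside the same body.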
@@ -90345,116 +90549,86 @@ index 0000000..1ba0484
 +type cfengine_var_lib_t;
 +files_type(cfengine_var_lib_t)
 +
-+type cfengine_execd_t;
-+type cfengine_execd_exec_t;
-+init_daemon_domain(cfengine_execd_t, cfengine_execd_exec_t)
++type cfengine_var_log_t;
++logging_log_file(cfengine_var_log_t)
 +
-+type cfengine_monitord_t;
-+type cfengine_monitord_exec_t;
-+init_daemon_domain(cfengine_monitord_t, cfengine_monitord_exec_t)
-+
-+########################################
++#######################################
 +#
-+# cfengine-server local policy
++# cfengine domain local policy
 +#
-+allow cfengine_serverd_t self:capability { chown kill setgid setuid sys_chroot };
-+allow cfengine_serverd_t self:process { fork setfscreate signal };
 +
-+allow cfengine_serverd_t self:fifo_file rw_fifo_file_perms;
-+allow cfengine_serverd_t self:unix_stream_socket create_stream_socket_perms;
++allow cfengine_domain self:fifo_file rw_fifo_file_perms;
++allow cfengine_domain self:unix_stream_socket create_stream_socket_perms;
 +
-+manage_dirs_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_files_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_lnk_files_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+files_var_lib_filetrans(cfengine_serverd_t, cfengine_var_lib_t, { dir file })
++manage_dirs_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
++manage_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
++manage_lnk_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
++files_var_lib_filetrans(cfengine_domain, cfengine_var_lib_t, { dir file })
 +
-+kernel_read_system_state(cfengine_serverd_t)
++manage_files_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t)
++manage_dirs_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t)
++logging_log_filetrans(cfengine_domain,cfengine_var_log_t,{ dir file })
 +
-+corecmd_exec_bin(cfengine_serverd_t)
-+corecmd_exec_shell(cfengine_serverd_t)
++kernel_read_system_state(cfengine_domain)
 +
-+dev_read_urand(cfengine_serverd_t)
-+dev_read_sysfs(cfengine_serverd_t)
++corecmd_exec_bin(cfengine_domain)
++corecmd_exec_shell(cfengine_domain)
 +
-+domain_use_interactive_fds(cfengine_serverd_t)
++dev_read_urand(cfengine_domain)
++dev_read_sysfs(cfengine_domain)
 +
-+files_read_etc_files(cfengine_serverd_t)
 +
-+auth_use_nsswitch(cfengine_serverd_t)
++logging_send_syslog_msg(cfengine_domain)
 +
-+logging_send_syslog_msg(cfengine_serverd_t)
++miscfiles_read_localization(cfengine_domain)
 +
-+miscfiles_read_localization(cfengine_serverd_t)
++sysnet_dns_name_resolve(cfengine_domain)
++sysnet_domtrans_ifconfig(cfengine_domain)
 +
-+sysnet_dns_name_resolve(cfengine_serverd_t)
-+sysnet_domtrans_ifconfig(cfengine_serverd_t)
++files_read_etc_files(cfengine_domain)
 +
 +########################################
 +#
-+# cfengine_exec local policy
++# cfengine-server local policy
 +#
-+allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot };
-+allow cfengine_execd_t self:process { fork setfscreate signal };
-+
-+allow cfengine_execd_t self:fifo_file rw_fifo_file_perms;
-+allow cfengine_execd_t self:unix_stream_socket create_stream_socket_perms;
 +
-+manage_dirs_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_files_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_lnk_files_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t)
++allow cfengine_serverd_t self:capability { chown kill setgid setuid sys_chroot };
++allow cfengine_serverd_t self:process { fork setfscreate signal };
 +
-+domain_use_interactive_fds(cfengine_execd_t)
++domain_use_interactive_fds(cfengine_serverd_t)
 +
-+files_read_etc_files(cfengine_execd_t)
++auth_use_nsswitch(cfengine_serverd_t)
 +
-+kernel_read_system_state(cfengine_execd_t)
++########################################
++#
++# cfengine_exec local policy
++#
 +
-+corecmd_exec_bin(cfengine_execd_t)
-+corecmd_exec_shell(cfengine_execd_t)
++allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot };
++allow cfengine_execd_t self:process { fork setfscreate signal };
 +
-+dev_read_urand(cfengine_execd_t)
-+dev_read_sysfs(cfengine_execd_t)
++domain_read_all_domains_state(cfengine_execd_t)
++domain_use_interactive_fds(cfengine_execd_t)
 +
 +auth_use_nsswitch(cfengine_execd_t)
 +
-+logging_send_syslog_msg(cfengine_execd_t)
-+
-+miscfiles_read_localization(cfengine_execd_t)
-+
-+sysnet_dns_name_resolve(cfengine_execd_t)
-+sysnet_domtrans_ifconfig(cfengine_execd_t)
-+
 +########################################
 +#
 +# cfengine_monitord local policy
 +#
++
 +allow cfengine_monitord_t self:capability { chown kill setgid setuid sys_chroot };
 +allow cfengine_monitord_t self:process { fork setfscreate signal };
 +
-+allow cfengine_monitord_t self:fifo_file rw_fifo_file_perms;
-+allow cfengine_monitord_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_files_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_lnk_files_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+
-+corecmd_exec_bin(cfengine_monitord_t)
-+
-+dev_read_sysfs(cfengine_monitord_t)
-+dev_read_urand(cfengine_monitord_t)
++kernel_read_hotplug_sysctls(cfengine_monitord_t)
++kernel_read_network_state(cfengine_monitord_t)
 +
++domain_read_all_domains_state(cfengine_monitord_t)
 +domain_use_interactive_fds(cfengine_monitord_t)
 +
-+files_read_etc_files(cfengine_monitord_t)
++fs_getattr_xattr_fs(cfengine_monitord_t)
 +
 +auth_use_nsswitch(cfengine_monitord_t)
-+
-+logging_send_syslog_msg(cfengine_monitord_t)
-+
-+miscfiles_read_localization(cfengine_monitord_t)
-+
-+sysnet_dns_name_resolve(cfengine_monitord_t)
-+sysnet_domtrans_ifconfig(cfengine_monitord_t)
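Review bot: Collapsing the three daemons onto the `cfengine_domain` attribute gives each of them the union of what they had separately: `cfengine_monitord_t` previously had only `corecmd_exec_bin` and no `/var/lib` file transition, and now also gets `corecmd_exec_shell`, `files_var_lib_filetrans` and write access to `cfengine_var_log_t`, as does the network-facing `cfengine_serverd_t`. That may be intended, but the per-domain sections below the shared block are the natural place for anything only one daemon needs. `domain_read_all_domains_state` is newly added for `cfengine_execd_t` and `cfengine_monitord_t` with no explanation; a one-line comment stating which process-state lookup requires reading every domain's `/proc` entries would record the reason. The new `manage_files_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t)` and `logging_log_filetrans` lines also drop the space after the comma that the rest of the file uses.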
 diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
 index b6bb46c..645d203 100644
 --- a/policy/modules/services/cgroup.fc
@@ -92563,6 +92737,526 @@ index 74505cc..6d575af 100644
 +optional_policy(`
 +	zoneminder_rw_tmpfs_files(colord_t)
 +')
+diff --git a/policy/modules/services/condor.fc b/policy/modules/services/condor.fc
+new file mode 100644
+index 0000000..a9ad037
+--- /dev/null
++++ b/policy/modules/services/condor.fc
+@@ -0,0 +1,20 @@
++/usr/lib/systemd/system/condor.service		--	gen_context(system_u:object_r:condor_unit_file_t,s0)
++
++/usr/sbin/condor_master		--	gen_context(system_u:object_r:condor_master_exec_t,s0)
++/usr/sbin/condor_collector         --      gen_context(system_u:object_r:condor_collector_exec_t,s0)
++/usr/sbin/condor_negotiator         --      gen_context(system_u:object_r:condor_negotiator_exec_t,s0)
++/usr/sbin/condor_schedd         --      gen_context(system_u:object_r:condor_schedd_exec_t,s0)
++/usr/sbin/condor_startd         --      gen_context(system_u:object_r:condor_startd_exec_t,s0)
++/usr/sbin/condor_procd         --      gen_context(system_u:object_r:condor_procd_exec_t,s0)
++
++/var/lib/condor(/.*)?		gen_context(system_u:object_r:condor_var_lib_t,s0)
++
++/var/lib/condor/execute(/.*)?		gen_context(system_u:object_r:condor_var_lib_t,s0)
++
++/var/lib/condor/spool(/.*)?		gen_context(system_u:object_r:condor_var_lib_t,s0)
++
++/var/lock/condor(/.*)?		gen_context(system_u:object_r:condor_var_lock_t,s0)
++
++/var/log/condor(/.*)?		gen_context(system_u:object_r:condor_log_t,s0)
++
++/var/run/condor(/.*)?		gen_context(system_u:object_r:condor_var_run_t,s0)
+diff --git a/policy/modules/services/condor.if b/policy/modules/services/condor.if
+new file mode 100644
+index 0000000..7b54001
+--- /dev/null
++++ b/policy/modules/services/condor.if
+@@ -0,0 +1,278 @@
++
++## <summary>policy for condor</summary>
++
++#####################################
++## <summary>
++##  Creates types and rules for a basic
++##  condor init daemon domain.
++## </summary>
++## <param name="prefix">
++##  <summary>
++##  Prefix for the domain.
++##  </summary>
++## </param>
++#
++template(`condor_domain_template',`
++    gen_require(`
++        type condor_master_t;
++        attribute condor_domain;
++    ')
++
++    #############################
++    #
++    # Declarations
++    #
++
++    type condor_$1_t, condor_domain;
++    type condor_$1_exec_t;
++    init_daemon_domain(condor_$1_t, condor_$1_exec_t)
++    role system_r types condor_$1_t;
++
++    domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
++    allow condor_master_t condor_$1_exec_t:file ioctl;
++')
++
++########################################
++## <summary>
++##	Transition to condor.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`condor_domtrans',`
++	gen_require(`
++		type condor_t, condor_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, condor_exec_t, condor_t)
++')
++########################################
++## <summary>
++##	Read condor's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`condor_read_log',`
++	gen_require(`
++		type condor_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, condor_log_t, condor_log_t)
++')
++
++########################################
++## <summary>
++##	Append to condor log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`condor_append_log',`
++	gen_require(`
++		type condor_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, condor_log_t, condor_log_t)
++')
++
++########################################
++## <summary>
++##	Manage condor log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`condor_manage_log',`
++	gen_require(`
++		type condor_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, condor_log_t, condor_log_t)
++	manage_files_pattern($1, condor_log_t, condor_log_t)
++	manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
++')
++
++########################################
++## <summary>
++##	Search condor lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`condor_search_lib',`
++	gen_require(`
++		type condor_var_lib_t;
++	')
++
++	allow $1 condor_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read condor lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`condor_read_lib_files',`
++	gen_require(`
++		type condor_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage condor lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`condor_manage_lib_files',`
++	gen_require(`
++		type condor_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage condor lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`condor_manage_lib_dirs',`
++	gen_require(`
++		type condor_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Read condor PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`condor_read_pid_files',`
++	gen_require(`
++		type condor_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 condor_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Execute condor server in the condor domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`condor_systemctl',`
++	gen_require(`
++		type condor_t;
++		type condor_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_password_run($1)
++	allow $1 condor_unit_file_t:file read_file_perms;
++	allow $1 condor_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, condor_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an condor environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`condor_admin',`
++	gen_require(`
++		type condor_t;
++		type condor_log_t;
++		type condor_var_lib_t;
++		type condor_var_run_t;
++	type condor_unit_file_t;
++	')
++
++	allow $1 condor_t:process { ptrace signal_perms };
++	ps_process_pattern($1, condor_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, condor_log_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, condor_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, condor_var_run_t)
++
++	condor_systemctl($1)
++	admin_pattern($1, condor_unit_file_t)
++	allow $1 condor_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/policy/modules/services/condor.te b/policy/modules/services/condor.te
+new file mode 100644
+index 0000000..0878667
+--- /dev/null
++++ b/policy/modules/services/condor.te
+@@ -0,0 +1,204 @@
++policy_module(condor, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++## <desc>
++##  <p>
++##  Allow codnor domain to connect to the network using TCP.
++##  </p>
++## </desc>
++gen_tunable(condor_domain_can_network_connect, false)
++
++attribute condor_domain;
++
++type condor_master_t, condor_domain;
++type condor_master_exec_t;
++init_daemon_domain(condor_master_t, condor_master_exec_t)
++
++condor_domain_template(collector)
++condor_domain_template(negotiator)
++condor_domain_template(schedd)
++condor_domain_template(startd)
++condor_domain_template(procd)
++
++type condor_startd_tmp_t;
++files_tmp_file(condor_startd_tmp_t)
++
++type condor_startd_tmpfs_t;
++files_tmpfs_file(condor_startd_tmpfs_t)
++
++type condor_log_t;
++logging_log_file(condor_log_t)
++
++type condor_var_lib_t;
++files_type(condor_var_lib_t)
++
++type condor_var_lock_t;
++files_lock_file(condor_var_lock_t)
++
++type condor_var_run_t;
++files_pid_file(condor_var_run_t)
++
++type condor_unit_file_t;
++systemd_unit_file(condor_unit_file_t)
++
++########################################
++#
++# condor domain local policy
++#
++
++allow condor_domain self:process signal_perms;
++allow condor_domain self:fifo_file rw_fifo_file_perms;
++
++allow condor_domain self:tcp_socket create_stream_socket_perms;
++allow condor_domain self:udp_socket create_socket_perms;
++allow condor_domain self:unix_stream_socket create_stream_socket_perms;
++
++allow condor_domain condor_master_t:process signull;
++allow condor_domain condor_master_t:tcp_socket getattr;
++
++manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
++manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
++logging_log_filetrans(condor_domain, condor_log_t, { dir file })
++
++manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
++manage_files_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
++files_var_lib_filetrans(condor_domain, condor_var_lib_t, { dir file })
++
++manage_files_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t)
++files_lock_filetrans(condor_domain, condor_var_lock_t, file)
++
++manage_dirs_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
++manage_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
++manage_fifo_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
++files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
++
++kernel_read_system_state(condor_domain)
++kernel_read_network_state(condor_domain)
++
++corecmd_exec_bin(condor_domain)
++corecmd_exec_shell(condor_domain)
++
++#corenet_tcp_connect_condor_port(condor_domain)
++corenet_tcp_connect_all_ephemeral_ports(condor_domain)
++
++domain_use_interactive_fds(condor_domain)
++
++dev_read_rand(condor_domain)
++dev_read_urand(condor_domain)
++dev_read_sysfs(condor_domain)
++
++files_read_etc_files(condor_domain)
++
++logging_send_syslog_msg(condor_domain)
++
++miscfiles_read_localization(condor_domain)
++
++tunable_policy(`condor_domain_can_network_connect',`
++    corenet_tcp_connect_all_ports(condor_domain)
++')
++
++optional_policy(`
++	rhcs_stream_connect_cluster(condor_domain)
++')
++
++optional_policy(`
++    sysnet_dns_name_resolve(condor_domain)
++')
++
++#####################################
++#
++# condor master local policy
++#
++
++allow condor_master_t self:capability { setuid setgid dac_override };
++
++allow condor_master_t condor_domain:process signal;
++
++domain_read_all_domains_state(condor_master_t)
++
++auth_use_nsswitch(condor_master_t)
++
++######################################
++#
++# condor collector local policy
++#
++
++allow condor_collector_t self:capability { setuid setgid };
++
++allow condor_collector_t condor_master_t:tcp_socket { getopt getattr setopt accept };
++allow condor_collector_t condor_master_t:udp_socket { getopt getattr setopt };
++
++kernel_read_network_state(condor_collector_t)
++
++auth_use_nsswitch(condor_collector_t)
++
++#####################################
++#
++# condor negotiator local policy
++#
++allow condor_negotiator_t self:capability { setuid setgid };
++
++auth_use_nsswitch(condor_negotiator_t)
++
++######################################
++#
++# condor procd local policy
++#
++
++allow condor_procd_t self:capability { fowner chown dac_override };
++
++domain_read_all_domains_state(condor_procd_t)
++
++#######################################
++#
++# condor schedd local policy
++#
++
++domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
++
++# dac_override because of /var/log/condor
++allow condor_schedd_t self:capability { setuid chown setgid dac_override };
++
++auth_use_nsswitch(condor_schedd_t)
++
++#####################################
++#
++# condor startd local policy
++#
++
++# also needed by java
++allow condor_startd_t self:capability { setuid net_admin setgid dac_override };
++allow condor_startd_t self:process execmem;
++
++manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
++manage_files_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
++files_tmp_filetrans(condor_startd_t, condor_startd_tmp_t, { file dir })
++allow condor_startd_t condor_startd_tmp_t:file { relabelfrom relabelto };
++
++manage_dirs_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t)
++manage_files_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t)
++fs_tmpfs_filetrans(condor_startd_t, condor_startd_tmpfs_t, { dir file })
++
++kernel_read_kernel_sysctls(condor_startd_t)
++
++auth_use_nsswitch(condor_startd_t)
++
++init_domtrans_script(condor_startd_t)
++
++libs_exec_lib_files(condor_startd_t)
++
++files_read_usr_files(condor_startd_t)
++
++optional_policy(`
++	ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
++	ssh_domtrans(condor_startd_t)
++')
++
++optional_policy(`
++	unconfined_domain(condor_startd_t)
++')
++
 diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc
 index 32233ab..8a073d1 100644
 --- a/policy/modules/services/consolekit.fc
@@ -92805,7 +93499,7 @@ index e67a003..cc813f3 100644
  	unconfined_stream_connect(consolekit_t)
  ')
 diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
-index 3a6d7eb..4837d4d 100644
+index 3a6d7eb..945b4fa 100644
 --- a/policy/modules/services/corosync.fc
 +++ b/policy/modules/services/corosync.fc
 @@ -1,8 +1,16 @@
@@ -92825,11 +93519,12 @@ index 3a6d7eb..4837d4d 100644
  
  /var/lib/corosync(/.*)?			gen_context(system_u:object_r:corosync_var_lib_t,s0)
  
-@@ -10,3 +18,4 @@
+@@ -10,3 +18,5 @@
  
  /var/run/cman_.*		-s	gen_context(system_u:object_r:corosync_var_run_t,s0)
  /var/run/corosync\.pid		--	gen_context(system_u:object_r:corosync_var_run_t,s0)
 +/var/run/hearbeat(/.*)?             gen_context(system_u:object_r:corosync_var_run_t,s0)
++/var/run/rsctmp(/.*)?             gen_context(system_u:object_r:corosync_var_run_t,s0)
 diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
 index 5220c9d..11e5dc4 100644
 --- a/policy/modules/services/corosync.if
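Review bot: The new `/var/run/rsctmp(/.*)?` entry pads its `gen_context` column with spaces while the `/var/run/cman_.*` and `/var/run/corosync\.pid` entries above use tabs; aligning it the same way keeps the file's column layout intact. The context line directly above it labels `/var/run/hearbeat(/.*)?`, which looks like a typo for `heartbeat` and, if so, leaves the real runtime directory unlabelled; it predates this commit, but since the commit message lists heartbeat fixes it is worth correcting here.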
@@ -92918,7 +93613,7 @@ index 5220c9d..11e5dc4 100644
 +	allow $1 corosync_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
-index 04969e5..5ca259d 100644
+index 04969e5..a5d4e70 100644
 --- a/policy/modules/services/corosync.te
 +++ b/policy/modules/services/corosync.te
 @@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0)
@@ -92929,7 +93624,7 @@ index 04969e5..5ca259d 100644
  
  type corosync_initrc_exec_t;
  init_script_file(corosync_initrc_exec_t)
-@@ -27,13 +28,16 @@ logging_log_file(corosync_var_log_t)
+@@ -27,23 +28,32 @@ logging_log_file(corosync_var_log_t)
  type corosync_var_run_t;
  files_pid_file(corosync_var_run_t)
  
@@ -92944,11 +93639,14 @@ index 04969e5..5ca259d 100644
 -allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
 -allow corosync_t self:process { setrlimit setsched signal };
 +allow corosync_t self:capability { dac_override setuid setgid sys_nice sys_resource ipc_lock };
++# for hearbeat
++allow corosync_t self:capability { net_raw chown };
 +allow corosync_t self:process { setpgid setrlimit setsched signal signull };
  
  allow corosync_t self:fifo_file rw_fifo_file_perms;
  allow corosync_t self:sem create_sem_perms;
-@@ -41,9 +45,12 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
++allow corosync_t self:shm create_shm_perms;
+ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow corosync_t self:unix_dgram_socket create_socket_perms;
  allow corosync_t self:udp_socket create_socket_perms;
  
@@ -92961,19 +93659,35 @@ index 04969e5..5ca259d 100644
  
  manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
  manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
-@@ -63,8 +70,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
- files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
+@@ -52,7 +62,8 @@ fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file })
+ manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+ manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+ manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+-files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file })
++manage_fifo_files_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t)
++files_var_lib_filetrans(corosync_t,corosync_var_lib_t, { file dir fifo_file sock_file })
+ 
+ manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+ manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+@@ -60,11 +71,16 @@ logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })
+ 
+ manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+-files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
++manage_dirs_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t)
++files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file dir })
  
  kernel_read_system_state(corosync_t)
 +kernel_read_network_state(corosync_t)
 +kernel_read_net_sysctls(corosync_t)
++kernel_read_kernel_sysctls(corosync_t)
  
  corecmd_exec_bin(corosync_t)
 +corecmd_exec_shell(corosync_t)
  
  corenet_udp_bind_netsupport_port(corosync_t)
  
-@@ -73,9 +83,12 @@ dev_read_urand(corosync_t)
+@@ -73,9 +89,12 @@ dev_read_urand(corosync_t)
  domain_read_all_domains_state(corosync_t)
  
  files_manage_mounttab(corosync_t)
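Review bot: Three of the added lines drop the space after a comma, unlike every neighbouring pattern call in this file: `manage_fifo_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)`, `files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir fifo_file sock_file })` and `manage_dirs_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)` are the forms the surrounding code uses. It is cosmetic for m4, but mixed spacing makes grep-based policy audits miss lines.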
@@ -92986,7 +93700,7 @@ index 04969e5..5ca259d 100644
  init_read_script_state(corosync_t)
  init_rw_script_tmp_files(corosync_t)
  
-@@ -83,21 +96,51 @@ logging_send_syslog_msg(corosync_t)
+@@ -83,21 +102,51 @@ logging_send_syslog_msg(corosync_t)
  
  miscfiles_read_localization(corosync_t)
  
@@ -94168,7 +94882,7 @@ index 35241ed..2f6f038 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..86c5a58 100644
+index f7583ab..4545fb1 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -10,18 +10,18 @@ gen_require(`
@@ -94608,11 +95322,12 @@ index f7583ab..86c5a58 100644
  ')
  
  optional_policy(`
-@@ -502,7 +611,17 @@ optional_policy(`
+@@ -502,7 +611,18 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	systemd_dbus_chat_logind(system_cronjob_t)
++	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
 +')
 +
 +optional_policy(`
@@ -94626,7 +95341,7 @@ index f7583ab..86c5a58 100644
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
  
-@@ -595,9 +714,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +715,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -98757,7 +99472,7 @@ index e1d7dc5..13e4800 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..47969fe 100644
+index acf6d4f..f31286c 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -98849,7 +99564,7 @@ index acf6d4f..47969fe 100644
  userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
  userdom_manage_user_home_content_dirs(dovecot_t)
  userdom_manage_user_home_content_files(dovecot_t)
-@@ -160,6 +170,15 @@ optional_policy(`
+@@ -160,10 +170,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -98865,7 +99580,16 @@ index acf6d4f..47969fe 100644
  	postgresql_stream_connect(dovecot_t)
  ')
  
-@@ -180,8 +199,8 @@ optional_policy(`
+ optional_policy(`
++	# Handle sieve scripts
++	sendmail_domtrans(dovecot_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(dovecot_t)
+ ')
+ 
+@@ -180,8 +204,8 @@ optional_policy(`
  # dovecot auth local policy
  #
  
@@ -98876,7 +99600,7 @@ index acf6d4f..47969fe 100644
  allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
  allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +209,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -190,6 +214,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
  
  read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
  
@@ -98886,7 +99610,7 @@ index acf6d4f..47969fe 100644
  manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,9 +223,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -201,9 +228,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
  kernel_read_all_sysctls(dovecot_auth_t)
  kernel_read_system_state(dovecot_auth_t)
  
@@ -98899,7 +99623,7 @@ index acf6d4f..47969fe 100644
  dev_read_urand(dovecot_auth_t)
  
  auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -216,7 +241,8 @@ files_read_usr_files(dovecot_auth_t)
+@@ -216,7 +246,8 @@ files_read_usr_files(dovecot_auth_t)
  files_read_usr_symlinks(dovecot_auth_t)
  files_read_var_lib_files(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
@@ -98909,7 +99633,7 @@ index acf6d4f..47969fe 100644
  
  init_rw_utmp(dovecot_auth_t)
  
-@@ -236,6 +262,8 @@ optional_policy(`
+@@ -236,6 +267,8 @@ optional_policy(`
  optional_policy(`
  	mysql_search_db(dovecot_auth_t)
  	mysql_stream_connect(dovecot_auth_t)
@@ -98918,7 +99642,7 @@ index acf6d4f..47969fe 100644
  ')
  
  optional_policy(`
-@@ -243,6 +271,8 @@ optional_policy(`
+@@ -243,6 +276,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -98927,7 +99651,7 @@ index acf6d4f..47969fe 100644
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -250,23 +280,42 @@ optional_policy(`
+@@ -250,23 +285,42 @@ optional_policy(`
  #
  # dovecot deliver local policy
  #
@@ -98972,7 +99696,7 @@ index acf6d4f..47969fe 100644
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -283,24 +332,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +337,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
  userdom_manage_user_home_content_sockets(dovecot_deliver_t)
  userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
  
@@ -102355,10 +103079,10 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..a6022e7 100644
+index 4fde46b..e9fde69 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
-@@ -14,19 +14,28 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+@@ -14,19 +14,30 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
  # gnomeclock local policy
  #
  
@@ -102376,6 +103100,8 @@ index 4fde46b..a6022e7 100644
 +corecmd_exec_shell(gnomeclock_t)
 +corecmd_dontaudit_access_check_bin(gnomeclock_t)
 +
++corenet_tcp_connect_time_port(gnomeclock_t)
++
 +dev_read_sysfs(gnomeclock_t)
  
 -files_read_etc_files(gnomeclock_t)
@@ -102391,7 +103117,7 @@ index 4fde46b..a6022e7 100644
  
  miscfiles_read_localization(gnomeclock_t)
  miscfiles_manage_localization(gnomeclock_t)
-@@ -35,10 +44,34 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +46,34 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
  userdom_read_all_users_state(gnomeclock_t)
  
  optional_policy(`
@@ -103303,7 +104029,7 @@ index df48e5e..878d9df 100644
  		type inetd_t;
  	')
 diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
-index c51a7b2..5b0226e 100644
+index c51a7b2..b07694c 100644
 --- a/policy/modules/services/inetd.te
 +++ b/policy/modules/services/inetd.te
 @@ -89,6 +89,10 @@ corenet_tcp_bind_ftp_port(inetd_t)
@@ -103312,8 +104038,8 @@ index c51a7b2..5b0226e 100644
  corenet_udp_bind_inetd_child_port(inetd_t)
 +corenet_tcp_bind_echo_port(inetd_t)
 +corenet_udp_bind_echo_port(inetd_t)
-+corenet_tcp_bind_rdate_port(inetd_t)
-+corenet_udp_bind_rdate_port(inetd_t)
++corenet_tcp_bind_time_port(inetd_t)
++corenet_udp_bind_time_port(inetd_t)
  corenet_tcp_bind_ircd_port(inetd_t)
  corenet_udp_bind_ktalkd_port(inetd_t)
  corenet_tcp_bind_printer_port(inetd_t)
@@ -124350,7 +125076,7 @@ index 7e94c7c..ca74cd9 100644
 +	admin_pattern($1, mail_spool_t)
 +')
 diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
-index 22dac1f..75081a5 100644
+index 22dac1f..e2f2d7d 100644
 --- a/policy/modules/services/sendmail.te
 +++ b/policy/modules/services/sendmail.te
 @@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
@@ -124389,7 +125115,18 @@ index 22dac1f..75081a5 100644
  
  mta_read_config(sendmail_t)
  mta_etc_filetrans_aliases(sendmail_t)
-@@ -128,7 +129,14 @@ optional_policy(`
+@@ -115,6 +116,10 @@ mta_manage_spool(sendmail_t)
+ mta_sendmail_exec(sendmail_t)
+ 
+ optional_policy(`
++	cfengine_dontaudit_write_log(sendmail_t)
++')
++
++optional_policy(`
+ 	cron_read_pipes(sendmail_t)
+ ')
+ 
+@@ -128,7 +133,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -124404,7 +125141,7 @@ index 22dac1f..75081a5 100644
  ')
  
  optional_policy(`
-@@ -149,7 +157,9 @@ optional_policy(`
+@@ -149,7 +161,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -124414,7 +125151,7 @@ index 22dac1f..75081a5 100644
  	postfix_read_config(sendmail_t)
  	postfix_search_spool(sendmail_t)
  ')
-@@ -168,20 +178,13 @@ optional_policy(`
+@@ -168,20 +182,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -126195,7 +126932,7 @@ index 078bcd7..21ff471 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..31b38b7 100644
+index 22adaca..60103b5 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -126689,7 +127426,7 @@ index 22adaca..31b38b7 100644
  ')
  
  ######################################
-@@ -735,3 +894,63 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +894,64 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -126711,6 +127448,7 @@ index 22adaca..31b38b7 100644
 +
 +    allow sshd_t $1:process dyntransition;
 +    allow $1 sshd_t:process sigchld;
++    allow sshd_t $1:process { getattr sigkill sigstop signull signal };
 +')
 +
 +########################################
@@ -126754,7 +127492,7 @@ index 22adaca..31b38b7 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..007838e 100644
+index 2dad3c8..322c050 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,37 @@ policy_module(ssh, 2.2.0)
@@ -127162,7 +127900,7 @@ index 2dad3c8..007838e 100644
  ')
  
  optional_policy(`
-@@ -363,3 +411,77 @@ optional_policy(`
+@@ -363,3 +411,76 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -127197,7 +127935,6 @@ index 2dad3c8..007838e 100644
 +# chroot_user_t local policy
 +#
 +
-+
 +userdom_read_user_home_content_files(chroot_user_t)
 +userdom_read_inherited_user_home_content_files(chroot_user_t)
 +userdom_read_user_home_content_symlinks(chroot_user_t)
@@ -128044,7 +128781,7 @@ index 54b8605..a04f013 100644
  	admin_pattern($1, tuned_var_run_t)
  ')
 diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
-index db9d2a5..6f172ac 100644
+index db9d2a5..d44ef1a 100644
 --- a/policy/modules/services/tuned.te
 +++ b/policy/modules/services/tuned.te
 @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -128098,16 +128835,18 @@ index db9d2a5..6f172ac 100644
  # to allow cpu tuning
  dev_rw_netcontrol(tuned_t)
  
-@@ -47,6 +64,8 @@ files_read_etc_files(tuned_t)
+@@ -47,6 +64,10 @@ files_read_etc_files(tuned_t)
  files_read_usr_files(tuned_t)
  files_dontaudit_search_home(tuned_t)
  
++fs_getattr_xattr_fs(tuned_t)
++
 +auth_use_nsswitch(tuned_t)
 +
  logging_send_syslog_msg(tuned_t)
  
  miscfiles_read_localization(tuned_t)
-@@ -58,6 +77,10 @@ optional_policy(`
+@@ -58,6 +79,10 @@ optional_policy(`
  	fstools_domtrans(tuned_t)
  ')
  
@@ -129687,7 +130426,7 @@ index 7c5d8d8..c542fe7 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..38fb812 100644
+index 3eca020..794917a 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,87 @@ policy_module(virt, 1.4.0)
@@ -129895,7 +130634,7 @@ index 3eca020..38fb812 100644
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -130,9 +199,13 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -130,9 +199,15 @@ corenet_tcp_connect_all_ports(svirt_t)
  
  dev_list_sysfs(svirt_t)
  
@@ -129905,11 +130644,13 @@ index 3eca020..38fb812 100644
  userdom_read_user_home_content_symlinks(svirt_t)
  userdom_read_all_users_state(svirt_t)
 +append_files_pattern(svirt_t, virt_home_t, virt_home_t)
++# needed for creating of monitors
++create_sock_files_pattern(svirt_t, virt_home_t, virt_home_t)
 +stream_connect_pattern(svirt_t, virt_home_t, virt_home_t, virtd_t)
  
  tunable_policy(`virt_use_comm',`
  	term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +220,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +222,15 @@ tunable_policy(`virt_use_fusefs',`
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
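Review bot: The comment `# needed for creating of monitors` above the new `create_sock_files_pattern(svirt_t, virt_home_t, virt_home_t)` is ungrammatical and does not say what a monitor is or where it is created; the commit message supplies that, so `# monitor sockets that svirt creates under ~/.libvirt` would tell the next reader why every guest domain gets create on sock_file in virt_home_t. Note the rule is unconditional, unlike the `virt_use_*` tunable blocks that follow, which is fine if all guests need it but worth stating in the comment.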
@@ -129925,7 +130666,7 @@ index 3eca020..38fb812 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +237,28 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +239,28 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -129954,7 +130695,7 @@ index 3eca020..38fb812 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -173,22 +267,41 @@ optional_policy(`
+@@ -173,22 +269,41 @@ optional_policy(`
  # virtd local policy
  #
  
@@ -130003,7 +130744,7 @@ index 3eca020..38fb812 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -199,9 +312,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -199,9 +314,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -130024,7 +130765,7 @@ index 3eca020..38fb812 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +339,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +341,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -130040,7 +130781,7 @@ index 3eca020..38fb812 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +367,33 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +369,33 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -130075,7 +130816,7 @@ index 3eca020..38fb812 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +401,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +403,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -130094,7 +130835,7 @@ index 3eca020..38fb812 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -276,6 +427,8 @@ term_use_ptmx(virtd_t)
+@@ -276,6 +429,8 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -130103,7 +130844,7 @@ index 3eca020..38fb812 100644
  miscfiles_read_localization(virtd_t)
  miscfiles_read_generic_certs(virtd_t)
  miscfiles_read_hwdata(virtd_t)
-@@ -285,16 +438,31 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +440,31 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -130135,7 +130876,7 @@ index 3eca020..38fb812 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +481,10 @@ optional_policy(`
+@@ -313,6 +483,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -130146,7 +130887,7 @@ index 3eca020..38fb812 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -326,6 +498,14 @@ optional_policy(`
+@@ -326,6 +500,14 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(virtd_t)
  	')
@@ -130161,7 +130902,7 @@ index 3eca020..38fb812 100644
  ')
  
  optional_policy(`
-@@ -334,11 +514,14 @@ optional_policy(`
+@@ -334,11 +516,14 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_read_pid_files(virtd_t)
  	dnsmasq_signull(virtd_t)
@@ -130176,7 +130917,7 @@ index 3eca020..38fb812 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -360,11 +543,11 @@ optional_policy(`
+@@ -360,11 +545,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -130193,7 +130934,7 @@ index 3eca020..38fb812 100644
  ')
  
  optional_policy(`
-@@ -394,20 +577,36 @@ optional_policy(`
+@@ -394,20 +579,36 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -130233,7 +130974,7 @@ index 3eca020..38fb812 100644
  corecmd_exec_bin(virt_domain)
  corecmd_exec_shell(virt_domain)
  
-@@ -418,10 +617,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +619,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -130247,7 +130988,7 @@ index 3eca020..38fb812 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +630,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +632,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -130260,7 +131001,7 @@ index 3eca020..38fb812 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +643,393 @@ files_search_all(virt_domain)
+@@ -440,25 +645,393 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -134506,10 +135247,10 @@ index 1b6619e..c480ddd 100644
 +    allow $1 application_domain_type:socket_class_set getattr;
 +')
 diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
-index c6fdab7..41198a4 100644
+index c6fdab7..32f45fa 100644
 --- a/policy/modules/system/application.te
 +++ b/policy/modules/system/application.te
-@@ -6,6 +6,24 @@ attribute application_domain_type;
+@@ -6,6 +6,28 @@ attribute application_domain_type;
  # Executables to be run by user
  attribute application_exec_type;
  
@@ -134527,6 +135268,10 @@ index c6fdab7..41198a4 100644
 +')
 +
 +optional_policy(`
++	cfengine_append_inherited_log(application_domain_type)
++')
++
++optional_policy(`
 +	cron_rw_inherited_user_spool_files(application_domain_type)
 +	cron_sigchld(application_domain_type)
 +')
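Review bot: `cfengine_append_inherited_log(...)` is granted here to `application_domain_type` and, in the later init.te hunks, to `daemon` and `systemprocess`, i.e. to nearly every confined process, with no comment at any of the three sites explaining the scenario; a one-line why-comment such as `# commands spawned by cfengine inherit its open log fd` would make the breadth of the grant reviewable (the inherited-fd scenario is inferred from the interface name — confirm). In the `systemprocess` hunk the call is indented with four spaces while its sibling `cron_rw_pipes(systemprocess)` uses a tab.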
@@ -137036,7 +137781,7 @@ index 94fd8dd..6acffdb 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..59ba914 100644
+index 29a9565..15a4099 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -137245,11 +137990,12 @@ index 29a9565..59ba914 100644
  
 +storage_raw_rw_fixed_disk(init_t)
 +
-+optional_policy(`
+ optional_policy(`
+-	auth_rw_login_records(init_t)
 +	modutils_domtrans_insmod(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	postfix_exec(init_t)
 +	postfix_list_spool(init_t)
 +	mta_read_aliases(init_t)
@@ -137358,12 +138104,11 @@ index 29a9565..59ba914 100644
 +	systemd_filetrans_named_content(init_t)
 +')
 +
- optional_policy(`
--	auth_rw_login_records(init_t)
++optional_policy(`
 +	lvm_rw_pipes(init_t)
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +	consolekit_manage_log(init_t)
 +')
 +
@@ -137914,7 +138659,7 @@ index 29a9565..59ba914 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1192,25 @@ optional_policy(`
+@@ -815,11 +1192,29 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -137927,6 +138672,10 @@ index 29a9565..59ba914 100644
 +optional_policy(`
 +	cron_rw_pipes(daemon)
 +	cron_rw_inherited_user_spool_files(daemon)
++')
++
++optional_policy(`
++	cfengine_append_inherited_log(daemon)
  ')
  
  optional_policy(`
@@ -137941,7 +138690,7 @@ index 29a9565..59ba914 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1220,18 @@ optional_policy(`
+@@ -829,6 +1224,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -137960,7 +138709,7 @@ index 29a9565..59ba914 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1247,10 @@ optional_policy(`
+@@ -844,6 +1251,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -137971,7 +138720,7 @@ index 29a9565..59ba914 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1261,161 @@ optional_policy(`
+@@ -854,3 +1265,165 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -138107,6 +138856,10 @@ index 29a9565..59ba914 100644
 +')
 +
 +optional_policy(`
++    cfengine_append_inherited_log(systemprocess)
++')
++
++optional_policy(`
 +	cron_rw_pipes(systemprocess)
 +')
 +
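Review bot: The added line `cfengine_append_inherited_log(systemprocess)` is indented with four spaces while every neighbouring line in this hunk, and the matching cfengine additions for application_domain_type and daemon earlier in the patch, use a tab. Change it to a tab-indented `	cfengine_append_inherited_log(systemprocess)` so the block matches the file's style and does not show up as a whitespace oddity in later diffs.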
@@ -139563,7 +140316,7 @@ index a0b379d..95bf920 100644
 -	nscd_socket_use(sulogin_t)
 -')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..f9f3c56 100644
+index 02f4c97..8520fb2 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
 @@ -6,6 +6,8 @@
@@ -139605,7 +140358,12 @@ index 02f4c97..f9f3c56 100644
  
  /var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
  /var/lib/r?syslog(/.*)?		gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -38,7 +56,7 @@ ifdef(`distro_suse', `
+@@ -34,11 +52,11 @@ ifdef(`distro_suse', `
+ 
+ /var/axfrdns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+ /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+-/var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
++#/var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
  
  /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
  /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
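Review bot: The `/var/cfengine/outputs(/.*)?` entry is commented out rather than deleted, which leaves dead text in logging.fc and records nothing about which module labels that path now. If the cfengine module's own file contexts take over the directory, drop the line outright; if the entry is being kept for some other reason, a comment such as `# /var/cfengine/outputs is labeled by the cfengine module` should say so, because a path with no matching entry otherwise inherits the context of the nearest matching parent and the cfengine output files silently lose their log labeling.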
@@ -143301,7 +144059,7 @@ index ff80d0a..22c9f0d 100644
 +	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..cd52cdd 100644
+index 34d0ec5..92fa1e9 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -143550,7 +144308,7 @@ index 34d0ec5..cd52cdd 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -314,7 +374,18 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +374,22 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -143559,6 +144317,10 @@ index 34d0ec5..cd52cdd 100644
 +')
 +
 +optional_policy(`
++	cfengine_dontaudit_write_log(ifconfig_t)
++')
++
++optional_policy(`
 +	ctdbd_read_lib_files(ifconfig_t)
 +')
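Review bot: `cfengine_dontaudit_write_log(ifconfig_t)` hides denials instead of granting the access, and nothing in the hunk records which denial it is meant to silence; elsewhere in this patch the same cfengine log descriptor situation is handled for application domains with `cfengine_append_inherited_log`, so a reader cannot tell whether ifconfig_t's writes are a harmless leaked fd or an access that should be allowed. If it is the leaked-fd case, a comment above the block, e.g. `# ifconfig run from cfengine inherits the agent log fd; writes are noise`, would make the dontaudit reviewable, since once the assumption stops holding the hidden denials never reach the audit log.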
 +
@@ -143569,7 +144331,7 @@ index 34d0ec5..cd52cdd 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -325,8 +396,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +400,14 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -143584,7 +144346,7 @@ index 34d0ec5..cd52cdd 100644
  ')
  
  optional_policy(`
-@@ -335,7 +412,15 @@ optional_policy(`
+@@ -335,7 +416,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -143601,7 +144363,7 @@ index 34d0ec5..cd52cdd 100644
  ')
  
  optional_policy(`
-@@ -356,3 +441,9 @@ optional_policy(`
+@@ -356,3 +445,9 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
@@ -144328,10 +145090,10 @@ index 0000000..a7e3666
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..de488ad
+index 0000000..f4dd2ab
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,400 @@
+@@ -0,0 +1,402 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -144572,6 +145334,8 @@ index 0000000..de488ad
 +files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
 +files_delete_boot_flag(systemd_tmpfiles_t)
 +files_delete_all_non_security_files(systemd_tmpfiles_t)
++files_delete_all_pid_sockets(systemd_tmpfiles_t)
++files_delete_all_pid_pipes(systemd_tmpfiles_t)
 +files_purge_tmp(systemd_tmpfiles_t)
 +files_manage_generic_tmp_files(systemd_tmpfiles_t)
 +files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
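Review bot: The two new lines `files_delete_all_pid_sockets(systemd_tmpfiles_t)` and `files_delete_all_pid_pipes(systemd_tmpfiles_t)` extend an already wide delete reach (the neighbouring `files_delete_all_non_security_files`) to every socket and fifo under the pid directories, with no comment on which tmpfiles configuration needs it. Presumably a tmpfiles.d rule removes stale sockets under /run at boot; a one-line comment naming that, e.g. `# tmpfiles.d cleanup rules remove stale sockets and fifos under /run`, would let the next reviewer confirm the scope is still justified rather than widening it again by habit. The systemd_tmpfiles_t rule block continues outside the hunk.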
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a230686..f194a4f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 110%{?dist}
+Release: 111%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -489,6 +489,18 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Apr 6 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-111
+- Rename rdate port to time port, and allow gnomeclock to connect to it
+- We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda
+- /etc/auto.* should be labeled bin_t
+- Add httpd_use_fusefs boolean
+- Add fixes for heartbeat
+- Allow sshd_t to signal processes that it transitions to
+- Add condor policy
+- Allow svirt to create monitors in ~/.libvirt
+- Allow dovecot to domtrans sendmail to handle sieve scripts
+- Lot of fixes for cfengine
+
 * Tue Apr 3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-110
 - /var/run/postmaster.* labeling is no longer needed
 - Alllow drbdadmin to read /dev/urandom

