[selinux-policy/f17] * Sun Apr 22 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-117 - Add policy for abrt-watch-log - Ad

Miroslav Grepl mgrepl at fedoraproject.org
Sun Apr 22 12:08:51 UTC 2012


commit 7e43d696d20f6b3f8670e449e2ab798bb55c4feb
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Sun Apr 22 14:08:25 2012 +0200

    * Sun Apr 22 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-117
    - Add policy for abrt-watch-log
    - Add definitions for jboss_messaging ports
    - Allow systemd_tmpfiles to manage printer devices
    - Allow oddjob to use nsswitch
    - Fix labeling of log files for postgresql
    - Allow mozilla_plugin_t to execmem and execstack by default
    - Allow firewalld to execute shell
    - Fix /etc/wicd content files to get created with the correct label
    - Allow mcelog to exec shell
    - Add ~/.orc as a gstreamer_home_t
    - /var/spool/postfix/lib64 should be labeled lib_t
    - tmpreaper should be able to list all file system labeled directories
    - Add support for apache to use openstack
    - Add labeling for /etc/zipl.conf and zipl binary
    - Turn on allow_execstack and turn off telepathy transition for final release

 policy-F16.patch    | 1089 +++++++++++++++++++++++++++++++--------------------
 selinux-policy.spec |   19 +-
 2 files changed, 678 insertions(+), 430 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index cc32a50..81156f2 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -58704,24 +58704,27 @@ index 0bfc958..af95b7a 100644
  optional_policy(`
  	cron_system_entry(backup_t, backup_exec_t)
 diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 7a6f06f..3cf6457 100644
+index 7a6f06f..530d2df 100644
 --- a/policy/modules/admin/bootloader.fc
 +++ b/policy/modules/admin/bootloader.fc
-@@ -1,9 +1,11 @@
+@@ -1,9 +1,14 @@
 -
 +/etc/default/grub	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
  /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
  /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
++/etc/zipl\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
  
 -/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/sbin/grub.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
  /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
  /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
++/sbin/zipl			--	gen_context(system_u:object_r:bootloader_exec_t,s0)
  
 -/usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/usr/sbin/grub.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/usr/sbin/lilo.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/usr/sbin/ybin.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
++/usr/sbin/zipl		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
 index 63eb96b..d7a6063 100644
 --- a/policy/modules/admin/bootloader.if
@@ -59748,10 +59751,11 @@ index 7090dae..51123b2 100644
 +logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
 diff --git a/policy/modules/admin/logwatch.fc b/policy/modules/admin/logwatch.fc
-index 3c7b1e8..1e155f5 100644
+index 3c7b1e8..084a576 100644
 --- a/policy/modules/admin/logwatch.fc
 +++ b/policy/modules/admin/logwatch.fc
-@@ -1,7 +1,11 @@
+@@ -1,7 +1,12 @@
++/usr/bin/abrt-watch-log	--	gen_context(system_u:object_r:logwatch_exec_t,s0)
  /usr/sbin/logcheck	--	gen_context(system_u:object_r:logwatch_exec_t,s0)
 +/usr/sbin/epylog	--	gen_context(system_u:object_r:logwatch_exec_t,s0)
  
@@ -59764,10 +59768,18 @@ index 3c7b1e8..1e155f5 100644
 +
 +/var/run/epylog\.pid		gen_context(system_u:object_r:logwatch_var_run_t,s0)
 diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
-index 75ce30f..63310a1 100644
+index 75ce30f..671d4e1 100644
 --- a/policy/modules/admin/logwatch.te
 +++ b/policy/modules/admin/logwatch.te
-@@ -19,6 +19,12 @@ files_lock_file(logwatch_lock_t)
+@@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0)
+ 
+ type logwatch_t;
+ type logwatch_exec_t;
++init_daemon_domain(logwatch_t, logwatch_exec_t)
+ application_domain(logwatch_t, logwatch_exec_t)
+ role system_r types logwatch_t;
+ 
+@@ -19,6 +20,12 @@ files_lock_file(logwatch_lock_t)
  type logwatch_tmp_t;
  files_tmp_file(logwatch_tmp_t)
  
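Review bot: `init_daemon_domain(logwatch_t, logwatch_exec_t)`, together with the new `/usr/bin/abrt-watch-log` label in logwatch.fc, puts a long-running, init-started daemon into the same domain as the periodic logwatch report job, so it inherits every logwatch_t rule. The context lines of the following hunks show that this set includes `sysnet_exec_ifconfig`, `samba_read_log` and `samba_read_share_files`, none of which a log watcher for abrt obviously needs. A dedicated domain and exec type for abrt-watch-log, granted only the log read access and the abrt hand-off it requires, would keep the two confined separately. If sharing the domain is intentional for this release, a comment above the added line such as `# abrt-watch-log is started by init and shares logwatch_t for now` would record that. logwatch.te continues outside this hunk.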
@@ -59780,7 +59792,7 @@ index 75ce30f..63310a1 100644
  ########################################
  #
  # Local policy
-@@ -39,6 +45,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
+@@ -39,6 +46,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
  manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
  files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
  
@@ -59790,7 +59802,7 @@ index 75ce30f..63310a1 100644
  kernel_read_fs_sysctls(logwatch_t)
  kernel_read_kernel_sysctls(logwatch_t)
  kernel_read_system_state(logwatch_t)
-@@ -58,6 +67,7 @@ files_list_var(logwatch_t)
+@@ -58,6 +68,7 @@ files_list_var(logwatch_t)
  files_read_var_symlinks(logwatch_t)
  files_read_etc_files(logwatch_t)
  files_read_etc_runtime_files(logwatch_t)
@@ -59798,7 +59810,7 @@ index 75ce30f..63310a1 100644
  files_read_usr_files(logwatch_t)
  files_search_spool(logwatch_t)
  files_search_mnt(logwatch_t)
-@@ -70,6 +80,8 @@ fs_getattr_all_fs(logwatch_t)
+@@ -70,6 +81,8 @@ fs_getattr_all_fs(logwatch_t)
  fs_dontaudit_list_auto_mountpoints(logwatch_t)
  fs_list_inotifyfs(logwatch_t)
  
@@ -59807,7 +59819,7 @@ index 75ce30f..63310a1 100644
  term_dontaudit_getattr_pty_dirs(logwatch_t)
  term_dontaudit_list_ptys(logwatch_t)
  
-@@ -92,11 +104,14 @@ sysnet_dns_name_resolve(logwatch_t)
+@@ -92,11 +105,14 @@ sysnet_dns_name_resolve(logwatch_t)
  sysnet_exec_ifconfig(logwatch_t)
  
  userdom_dontaudit_search_user_home_dirs(logwatch_t)
@@ -59823,7 +59835,7 @@ index 75ce30f..63310a1 100644
  	files_getattr_all_file_type_fs(logwatch_t)
  ')
  
-@@ -145,3 +160,24 @@ optional_policy(`
+@@ -145,3 +161,24 @@ optional_policy(`
  	samba_read_log(logwatch_t)
  	samba_read_share_files(logwatch_t)
  ')
@@ -59859,7 +59871,7 @@ index 56c43c0..409bbfc 100644
 +
 +/var/run/mcelog.*	 	gen_context(system_u:object_r:mcelog_var_run_t,s0)
 diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
-index 5671977..8ddc091 100644
+index 5671977..a4a5f20 100644
 --- a/policy/modules/admin/mcelog.te
 +++ b/policy/modules/admin/mcelog.te
 @@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0)
@@ -59878,7 +59890,7 @@ index 5671977..8ddc091 100644
  
  ########################################
  #
-@@ -17,16 +23,34 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
+@@ -17,16 +23,35 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
  
  allow mcelog_t self:capability sys_admin;
  
@@ -59893,6 +59905,7 @@ index 5671977..8ddc091 100644
 +
  kernel_read_system_state(mcelog_t)
  
++corecmd_exec_shell(mcelog_t)
 +corecmd_exec_bin(mcelog_t)
 +
  dev_read_raw_memory(mcelog_t)
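Review bot: `corecmd_exec_shell(mcelog_t)` lets a shell run inside mcelog_t without a domain transition, and the surrounding context shows that this domain holds `self:capability sys_admin` and `dev_read_raw_memory`, so anything the shell starts inherits both. The changelog says only "Allow mcelog to exec shell"; presumably this is for mcelog trigger scripts, but that is not stated here. A comment above the added line, for example `# mcelog runs its trigger scripts through the shell`, would document the reason. Running the triggers in their own domain via a transition would keep CAP_SYS_ADMIN and raw memory access out of script context. The rest of mcelog.te lies outside this hunk.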
@@ -60030,10 +60043,10 @@ index ec29391..28c9672 100644
  
  optional_policy(`
 diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
-index 407078f..41c9b24 100644
+index 407078f..56cc947 100644
 --- a/policy/modules/admin/netutils.fc
 +++ b/policy/modules/admin/netutils.fc
-@@ -1,14 +1,18 @@
+@@ -1,15 +1,20 @@
  /bin/ping.* 		--	gen_context(system_u:object_r:ping_exec_t,s0)
 -/bin/tracepath.*		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 +/bin/tracepath.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
@@ -60053,7 +60066,9 @@ index 407078f..41c9b24 100644
 +/usr/sbin/fping.* 	--	gen_context(system_u:object_r:ping_exec_t,s0)
  /usr/sbin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
  /usr/sbin/hping2	--	gen_context(system_u:object_r:ping_exec_t,s0)
++/usr/sbin/mtr		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
  /usr/sbin/send_arp	--	gen_context(system_u:object_r:ping_exec_t,s0)
+ /usr/sbin/tcpdump	--	gen_context(system_u:object_r:netutils_exec_t,s0)
 diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
 index c6ca761..46e0767 100644
 --- a/policy/modules/admin/netutils.if
@@ -62300,7 +62315,7 @@ index d5aaf0e..6b16aef 100644
  optional_policy(`
  	mta_send_mail(sxid_t)
 diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..65681da 100644
+index 6a5004b..c687f14 100644
 --- a/policy/modules/admin/tmpreaper.te
 +++ b/policy/modules/admin/tmpreaper.te
 @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -62311,7 +62326,7 @@ index 6a5004b..65681da 100644
  application_domain(tmpreaper_t, tmpreaper_exec_t)
  role system_r types tmpreaper_t;
  
-@@ -18,6 +19,8 @@ role system_r types tmpreaper_t;
+@@ -18,18 +19,25 @@ role system_r types tmpreaper_t;
  allow tmpreaper_t self:process { fork sigchld };
  allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
  
@@ -62320,7 +62335,8 @@ index 6a5004b..65681da 100644
  dev_read_urand(tmpreaper_t)
  
  fs_getattr_xattr_fs(tmpreaper_t)
-@@ -25,11 +28,15 @@ fs_getattr_xattr_fs(tmpreaper_t)
++fs_list_all(tmpreaper_t)
+ 
  files_read_etc_files(tmpreaper_t)
  files_read_var_lib_files(tmpreaper_t)
  files_purge_tmp(tmpreaper_t)
@@ -62336,7 +62352,7 @@ index 6a5004b..65681da 100644
  mls_file_read_all_levels(tmpreaper_t)
  mls_file_write_all_levels(tmpreaper_t)
  
-@@ -38,13 +45,17 @@ logging_send_syslog_msg(tmpreaper_t)
+@@ -38,13 +46,17 @@ logging_send_syslog_msg(tmpreaper_t)
  miscfiles_read_localization(tmpreaper_t)
  miscfiles_delete_man_pages(tmpreaper_t)
  
@@ -62358,7 +62374,7 @@ index 6a5004b..65681da 100644
  ')
  
  optional_policy(`
-@@ -52,7 +63,9 @@ optional_policy(`
+@@ -52,7 +64,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62368,7 +62384,7 @@ index 6a5004b..65681da 100644
  	apache_delete_cache_files(tmpreaper_t)
  	apache_setattr_cache_dirs(tmpreaper_t)
  ')
-@@ -66,9 +79,13 @@ optional_policy(`
+@@ -66,9 +80,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63753,10 +63769,10 @@ index 4a2e63b..e964f12 100644
 +	mta_send_mail(gitosis_t)
 +')
 diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
-index 00a19e3..3681873 100644
+index 00a19e3..a6bcf1f 100644
 --- a/policy/modules/apps/gnome.fc
 +++ b/policy/modules/apps/gnome.fc
-@@ -1,9 +1,47 @@
+@@ -1,9 +1,48 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
 +HOME_DIR/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
@@ -63767,6 +63783,7 @@ index 00a19e3..3681873 100644
  HOME_DIR/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
 +HOME_DIR/\.gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.orc(/.*)?		gen_context(system_u:object_r:gstreamer_home_t,s0)
 +HOME_DIR/\.local.*		gen_context(system_u:object_r:gconf_home_t,s0)
 +HOME_DIR/\.local/share(/.*)?	gen_context(system_u:object_r:data_home_t,s0)
 +HOME_DIR/\.local/share/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
@@ -63807,7 +63824,7 @@ index 00a19e3..3681873 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..50068d6 100644
+index f5afe78..a19d881 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
 @@ -1,44 +1,900 @@
@@ -64941,7 +64958,7 @@ index f5afe78..50068d6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +1088,301 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1088,303 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -65167,6 +65184,7 @@ index f5afe78..50068d6 100644
 +	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
 +	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
 +	userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
++	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
 +	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
 +	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
 +	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
@@ -65210,6 +65228,7 @@ index f5afe78..50068d6 100644
 +	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
 +	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
 +	userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
++	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
 +	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
 +	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
 +	# /root/.color/icc: legacy
@@ -66819,7 +66838,7 @@ index fbb5c5a..637eb37 100644
  ')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..b3e9826 100644
+index 2e9318b..04472f3 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -66935,7 +66954,7 @@ index 2e9318b..b3e9826 100644
 -allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 +dontaudit mozilla_plugin_t self:capability { sys_nice sys_tty_config };
 +
-+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem setrlimit };
++allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit };
 +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
  allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
  allow mozilla_plugin_t self:udp_socket create_socket_perms;
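Review bot: Adding `execstack` to the unconditional `allow mozilla_plugin_t self:process { ... }` rule, while the later hunk deletes the `deny_execmem` and `allow_execstack` tunable blocks, means neither boolean gates the plugin domain any more. An administrator who turns allow_execstack off or deny_execmem on still gets a plugin process allowed writable-executable memory and an executable stack. Since this release also turns allow_execstack on, keeping `allow mozilla_plugin_t self:process execstack;` inside the allow_execstack tunable block (and execmem under the deny_execmem negation) would give the same default while preserving the opt-out. The same applies to `mozilla_plugin_config_t`, which gains `execstack` further down, and the added `files_exec_usr_files(mozilla_plugin_t)` widens what can run in that domain. If unconditional access is intended, a comment naming the plugins that require it would help later review.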
@@ -67016,7 +67035,15 @@ index 2e9318b..b3e9826 100644
  
  domain_use_interactive_fds(mozilla_plugin_t)
  domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -383,35 +405,34 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -362,6 +384,7 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+ files_read_config_files(mozilla_plugin_t)
+ files_read_usr_files(mozilla_plugin_t)
+ files_list_mnt(mozilla_plugin_t)
++files_exec_usr_files(mozilla_plugin_t)
+ 
+ fs_getattr_all_fs(mozilla_plugin_t)
+ fs_list_dos(mozilla_plugin_t)
+@@ -383,35 +406,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
  
  term_getattr_all_ttys(mozilla_plugin_t)
  term_getattr_all_ptys(mozilla_plugin_t)
@@ -67042,11 +67069,9 @@ index 2e9318b..b3e9826 100644
  
 -tunable_policy(`allow_execmem',`
 -	allow mozilla_plugin_t self:process { execmem execstack };
-+tunable_policy(`deny_execmem',`', `
-+	allow mozilla_plugin_t self:process execmem;
- ')
- 
- tunable_policy(`allow_execstack',`
+-')
+-
+-tunable_policy(`allow_execstack',`
 -	allow mozilla_plugin_t self:process { execstack };
 -')
 -
@@ -67054,9 +67079,8 @@ index 2e9318b..b3e9826 100644
 -	fs_manage_nfs_dirs(mozilla_plugin_t)
 -	fs_manage_nfs_files(mozilla_plugin_t)
 -	fs_manage_nfs_symlinks(mozilla_plugin_t)
-+	allow mozilla_plugin_t self:process execstack;
- ')
- 
+-')
+-
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(mozilla_plugin_t)
 -	fs_manage_cifs_files(mozilla_plugin_t)
@@ -67066,7 +67090,7 @@ index 2e9318b..b3e9826 100644
  
  optional_policy(`
  	alsa_read_rw_config(mozilla_plugin_t)
-@@ -421,11 +442,19 @@ optional_policy(`
+@@ -421,11 +435,19 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(mozilla_plugin_t)
  	dbus_session_bus_client(mozilla_plugin_t)
@@ -67086,7 +67110,7 @@ index 2e9318b..b3e9826 100644
  ')
  
  optional_policy(`
-@@ -438,18 +467,98 @@ optional_policy(`
+@@ -438,18 +460,98 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67128,7 +67152,7 @@ index 2e9318b..b3e9826 100644
 +#
 +
 +allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem };
++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
 +
 +allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
 +allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
@@ -68826,10 +68850,10 @@ index 4c091ca..a58f123 100644
 +
 +/usr/libexec/rssh_chroot_helper		--	gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
 diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
-index f594e12..2025c1f 100644
+index f594e12..e8f731d 100644
 --- a/policy/modules/apps/sambagui.te
 +++ b/policy/modules/apps/sambagui.te
-@@ -27,11 +27,13 @@ corecmd_exec_bin(sambagui_t)
+@@ -27,16 +27,20 @@ corecmd_exec_bin(sambagui_t)
  
  dev_dontaudit_read_urand(sambagui_t)
  
@@ -68843,7 +68867,14 @@ index f594e12..2025c1f 100644
  
  logging_send_syslog_msg(sambagui_t)
  
-@@ -56,6 +58,7 @@ optional_policy(`
+ miscfiles_read_localization(sambagui_t)
+ 
++sysnet_use_ldap(sambagui_t)
++
+ optional_policy(`
+ 	consoletype_exec(sambagui_t)
+ ')
+@@ -56,6 +60,7 @@ optional_policy(`
  	samba_manage_var_files(sambagui_t)
  	samba_read_secrets(sambagui_t)
  	samba_initrc_domtrans(sambagui_t)
@@ -72083,10 +72114,26 @@ index f9b25c1..9af1f7a 100644
 +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
 +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 4f3b542..63f4e1c 100644
+index 4f3b542..0ebac89 100644
 --- a/policy/modules/kernel/corenetwork.if.in
 +++ b/policy/modules/kernel/corenetwork.if.in
-@@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',`
+@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
+ 	')
+ 
+ 	typeattribute $1 reserved_port_type;
++	corenet_port($1)
+ ')
+ 
+ ########################################
+@@ -82,6 +83,7 @@ interface(`corenet_rpc_port',`
+ 	')
+ 
+ 	typeattribute $1 rpc_port_type;
++	corenet_port($1)
+ ')
+ 
+ ########################################
+@@ -615,6 +617,24 @@ interface(`corenet_raw_sendrecv_all_if',`
  
  ########################################
  ## <summary>
@@ -72111,7 +72158,7 @@ index 4f3b542..63f4e1c 100644
  ##	Send and receive TCP network traffic on generic nodes.
  ## </summary>
  ## <desc>
-@@ -789,6 +807,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
+@@ -789,6 +809,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
  
  ########################################
  ## <summary>
@@ -72136,7 +72183,7 @@ index 4f3b542..63f4e1c 100644
  ##	Bind TCP sockets to generic nodes.
  ## </summary>
  ## <desc>
-@@ -928,6 +964,24 @@ interface(`corenet_inout_generic_node',`
+@@ -928,6 +966,24 @@ interface(`corenet_inout_generic_node',`
  
  ########################################
  ## <summary>
@@ -72161,7 +72208,7 @@ index 4f3b542..63f4e1c 100644
  ##	Send and receive TCP network traffic on all nodes.
  ## </summary>
  ## <param name="domain">
-@@ -1102,6 +1156,24 @@ interface(`corenet_raw_sendrecv_all_nodes',`
+@@ -1102,6 +1158,24 @@ interface(`corenet_raw_sendrecv_all_nodes',`
  
  ########################################
  ## <summary>
@@ -72186,7 +72233,7 @@ index 4f3b542..63f4e1c 100644
  ##	Bind TCP sockets to all nodes.
  ## </summary>
  ## <param name="domain">
-@@ -1157,6 +1229,24 @@ interface(`corenet_raw_bind_all_nodes',`
+@@ -1157,6 +1231,24 @@ interface(`corenet_raw_bind_all_nodes',`
  
  ########################################
  ## <summary>
@@ -72211,7 +72258,7 @@ index 4f3b542..63f4e1c 100644
  ##	Send and receive TCP network traffic on generic ports.
  ## </summary>
  ## <param name="domain">
-@@ -1167,10 +1257,30 @@ interface(`corenet_raw_bind_all_nodes',`
+@@ -1167,10 +1259,30 @@ interface(`corenet_raw_bind_all_nodes',`
  #
  interface(`corenet_tcp_sendrecv_generic_port',`
  	gen_require(`
@@ -72244,7 +72291,7 @@ index 4f3b542..63f4e1c 100644
  ')
  
  ########################################
-@@ -1185,10 +1295,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
+@@ -1185,10 +1297,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
  #
  interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
  	gen_require(`
@@ -72257,7 +72304,7 @@ index 4f3b542..63f4e1c 100644
  ')
  
  ########################################
-@@ -1203,10 +1313,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
+@@ -1203,10 +1315,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
  #
  interface(`corenet_udp_send_generic_port',`
  	gen_require(`
@@ -72270,7 +72317,7 @@ index 4f3b542..63f4e1c 100644
  ')
  
  ########################################
-@@ -1221,10 +1331,10 @@ interface(`corenet_udp_send_generic_port',`
+@@ -1221,10 +1333,10 @@ interface(`corenet_udp_send_generic_port',`
  #
  interface(`corenet_udp_receive_generic_port',`
  	gen_require(`
@@ -72283,7 +72330,7 @@ index 4f3b542..63f4e1c 100644
  ')
  
  ########################################
-@@ -1244,6 +1354,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
+@@ -1244,6 +1356,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
  
  ########################################
  ## <summary>
@@ -72310,7 +72357,7 @@ index 4f3b542..63f4e1c 100644
  ##	Bind TCP sockets to generic ports.
  ## </summary>
  ## <param name="domain">
-@@ -1254,12 +1384,31 @@ interface(`corenet_udp_sendrecv_generic_port',`
+@@ -1254,12 +1386,31 @@ interface(`corenet_udp_sendrecv_generic_port',`
  #
  interface(`corenet_tcp_bind_generic_port',`
  	gen_require(`
@@ -72346,7 +72393,7 @@ index 4f3b542..63f4e1c 100644
  ')
  
  ########################################
-@@ -1274,10 +1423,10 @@ interface(`corenet_tcp_bind_generic_port',`
+@@ -1274,10 +1425,10 @@ interface(`corenet_tcp_bind_generic_port',`
  #
  interface(`corenet_dontaudit_tcp_bind_generic_port',`
  	gen_require(`
@@ -72359,7 +72406,7 @@ index 4f3b542..63f4e1c 100644
  ')
  
  ########################################
-@@ -1292,12 +1441,30 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+@@ -1292,12 +1443,30 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
  #
  interface(`corenet_udp_bind_generic_port',`
  	gen_require(`
@@ -72394,7 +72441,7 @@ index 4f3b542..63f4e1c 100644
  ')
  
  ########################################
-@@ -1312,10 +1479,28 @@ interface(`corenet_udp_bind_generic_port',`
+@@ -1312,10 +1481,28 @@ interface(`corenet_udp_bind_generic_port',`
  #
  interface(`corenet_tcp_connect_generic_port',`
  	gen_require(`
@@ -72425,7 +72472,7 @@ index 4f3b542..63f4e1c 100644
  ')
  
  ########################################
-@@ -1439,6 +1624,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
+@@ -1439,6 +1626,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
  
  ########################################
  ## <summary>
@@ -72451,7 +72498,7 @@ index 4f3b542..63f4e1c 100644
  ##	Bind TCP sockets to all ports.
  ## </summary>
  ## <param name="domain">
-@@ -1458,6 +1662,24 @@ interface(`corenet_tcp_bind_all_ports',`
+@@ -1458,6 +1664,24 @@ interface(`corenet_tcp_bind_all_ports',`
  
  ########################################
  ## <summary>
@@ -72476,7 +72523,7 @@ index 4f3b542..63f4e1c 100644
  ##	Do not audit attepts to bind TCP sockets to any ports.
  ## </summary>
  ## <param name="domain">
-@@ -1513,6 +1735,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',`
+@@ -1513,6 +1737,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',`
  
  ########################################
  ## <summary>
@@ -72501,7 +72548,7 @@ index 4f3b542..63f4e1c 100644
  ##	Connect TCP sockets to all ports.
  ## </summary>
  ## <desc>
-@@ -1559,6 +1799,25 @@ interface(`corenet_tcp_connect_all_ports',`
+@@ -1559,6 +1801,25 @@ interface(`corenet_tcp_connect_all_ports',`
  
  ########################################
  ## <summary>
@@ -72527,7 +72574,7 @@ index 4f3b542..63f4e1c 100644
  ##	Do not audit attempts to connect TCP sockets
  ##	to all ports.
  ## </summary>
-@@ -1578,6 +1837,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',`
+@@ -1578,6 +1839,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',`
  
  ########################################
  ## <summary>
@@ -72552,7 +72599,7 @@ index 4f3b542..63f4e1c 100644
  ##	Send and receive TCP network traffic on generic reserved ports.
  ## </summary>
  ## <param name="domain">
-@@ -1647,6 +1924,25 @@ interface(`corenet_udp_sendrecv_reserved_port',`
+@@ -1647,6 +1926,25 @@ interface(`corenet_udp_sendrecv_reserved_port',`
  
  ########################################
  ## <summary>
@@ -72578,7 +72625,7 @@ index 4f3b542..63f4e1c 100644
  ##	Bind TCP sockets to generic reserved ports.
  ## </summary>
  ## <param name="domain">
-@@ -1685,6 +1981,24 @@ interface(`corenet_udp_bind_reserved_port',`
+@@ -1685,6 +1983,24 @@ interface(`corenet_udp_bind_reserved_port',`
  
  ########################################
  ## <summary>
@@ -72603,7 +72650,7 @@ index 4f3b542..63f4e1c 100644
  ##	Connect TCP sockets to generic reserved ports.
  ## </summary>
  ## <param name="domain">
-@@ -1703,6 +2017,24 @@ interface(`corenet_tcp_connect_reserved_port',`
+@@ -1703,6 +2019,24 @@ interface(`corenet_tcp_connect_reserved_port',`
  
  ########################################
  ## <summary>
@@ -72628,7 +72675,7 @@ index 4f3b542..63f4e1c 100644
  ##	Send and receive TCP network traffic on all reserved ports.
  ## </summary>
  ## <param name="domain">
-@@ -1749,15 +2081,213 @@ interface(`corenet_udp_send_all_reserved_ports',`
+@@ -1749,15 +2083,213 @@ interface(`corenet_udp_send_all_reserved_ports',`
  #
  interface(`corenet_udp_receive_all_reserved_ports',`
  	gen_require(`
@@ -72845,7 +72892,7 @@ index 4f3b542..63f4e1c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1765,14 +2295,17 @@ interface(`corenet_udp_receive_all_reserved_ports',`
+@@ -1765,14 +2297,17 @@ interface(`corenet_udp_receive_all_reserved_ports',`
  ##	</summary>
  ## </param>
  #
@@ -72867,7 +72914,7 @@ index 4f3b542..63f4e1c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1780,36 +2313,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
+@@ -1780,36 +2315,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
  ##	</summary>
  ## </param>
  #
@@ -72911,7 +72958,7 @@ index 4f3b542..63f4e1c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1817,36 +2349,53 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+@@ -1817,36 +2351,53 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
  ##	</summary>
  ## </param>
  #
@@ -72975,7 +73022,7 @@ index 4f3b542..63f4e1c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1854,53 +2403,55 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+@@ -1854,53 +2405,55 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
  ##	</summary>
  ## </param>
  #
@@ -73044,7 +73091,7 @@ index 4f3b542..63f4e1c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1908,49 +2459,49 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
+@@ -1908,49 +2461,49 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
  ##	</summary>
  ## </param>
  #
@@ -73107,7 +73154,7 @@ index 4f3b542..63f4e1c 100644
  ')
  
  ########################################
-@@ -1993,6 +2544,24 @@ interface(`corenet_rw_tun_tap_dev',`
+@@ -1993,6 +2546,24 @@ interface(`corenet_rw_tun_tap_dev',`
  
  ########################################
  ## <summary>
@@ -73132,7 +73179,7 @@ index 4f3b542..63f4e1c 100644
  ##	Do not audit attempts to read or write the TUN/TAP
  ##	virtual network device.
  ## </summary>
-@@ -2049,6 +2618,25 @@ interface(`corenet_rw_ppp_dev',`
+@@ -2049,6 +2620,25 @@ interface(`corenet_rw_ppp_dev',`
  
  ########################################
  ## <summary>
@@ -73158,7 +73205,7 @@ index 4f3b542..63f4e1c 100644
  ##	Bind TCP sockets to all RPC ports.
  ## </summary>
  ## <param name="domain">
-@@ -2068,6 +2656,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
+@@ -2068,6 +2658,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
  
  ########################################
  ## <summary>
@@ -73183,7 +73230,7 @@ index 4f3b542..63f4e1c 100644
  ##	Do not audit attempts to bind TCP sockets to all RPC ports.
  ## </summary>
  ## <param name="domain">
-@@ -2194,6 +2800,25 @@ interface(`corenet_tcp_recv_netlabel',`
+@@ -2194,6 +2802,25 @@ interface(`corenet_tcp_recv_netlabel',`
  
  ########################################
  ## <summary>
@@ -73209,7 +73256,7 @@ index 4f3b542..63f4e1c 100644
  ##	Receive TCP packets from a NetLabel connection.
  ## </summary>
  ## <param name="domain">
-@@ -2213,6 +2838,31 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2213,6 +2840,31 @@ interface(`corenet_tcp_recvfrom_netlabel',`
  
  ########################################
  ## <summary>
@@ -73241,7 +73288,7 @@ index 4f3b542..63f4e1c 100644
  ##	Receive TCP packets from an unlabled connection.
  ## </summary>
  ## <param name="domain">
-@@ -2222,9 +2872,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2222,9 +2874,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
  ## </param>
  #
  interface(`corenet_tcp_recvfrom_unlabeled',`
@@ -73256,7 +73303,7 @@ index 4f3b542..63f4e1c 100644
  	# XXX - at some point the oubound/send access check will be removed
  	# but for right now we need to keep this in place so as not to break
  	# older systems
-@@ -2249,6 +2904,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
+@@ -2249,6 +2906,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
  
  ########################################
  ## <summary>
@@ -73283,7 +73330,7 @@ index 4f3b542..63f4e1c 100644
  ##	Do not audit attempts to receive TCP packets from a NetLabel
  ##	connection.
  ## </summary>
-@@ -2269,6 +2944,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+@@ -2269,6 +2946,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
  
  ########################################
  ## <summary>
@@ -73311,7 +73358,7 @@ index 4f3b542..63f4e1c 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2533,6 +3229,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+@@ -2533,6 +3231,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
  ## <infoflow type="read" weight="10"/>
  #
  interface(`corenet_all_recvfrom_unlabeled',`
@@ -73319,7 +73366,7 @@ index 4f3b542..63f4e1c 100644
  	kernel_tcp_recvfrom_unlabeled($1)
  	kernel_udp_recvfrom_unlabeled($1)
  	kernel_raw_recvfrom_unlabeled($1)
-@@ -2571,7 +3268,31 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2571,7 +3270,31 @@ interface(`corenet_all_recvfrom_netlabel',`
  	')
  
  	allow $1 netlabel_peer_t:peer recv;
@@ -73352,7 +73399,7 @@ index 4f3b542..63f4e1c 100644
  ')
  
  ########################################
-@@ -2585,6 +3306,7 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2585,6 +3308,7 @@ interface(`corenet_all_recvfrom_netlabel',`
  ## </param>
  #
  interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
@@ -73360,7 +73407,7 @@ index 4f3b542..63f4e1c 100644
  	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
  	kernel_dontaudit_udp_recvfrom_unlabeled($1)
  	kernel_dontaudit_raw_recvfrom_unlabeled($1)
-@@ -2613,7 +3335,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+@@ -2613,7 +3337,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
  	')
  
  	dontaudit $1 netlabel_peer_t:peer recv;
@@ -73397,7 +73444,7 @@ index 4f3b542..63f4e1c 100644
  ')
  
  ########################################
-@@ -2727,6 +3477,7 @@ interface(`corenet_raw_recvfrom_labeled',`
+@@ -2727,6 +3479,7 @@ interface(`corenet_raw_recvfrom_labeled',`
  ## </param>
  #
  interface(`corenet_all_recvfrom_labeled',`
@@ -73405,7 +73452,7 @@ index 4f3b542..63f4e1c 100644
  	corenet_tcp_recvfrom_labeled($1, $2)
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
-@@ -3134,3 +3885,53 @@ interface(`corenet_unconfined',`
+@@ -3134,3 +3887,53 @@ interface(`corenet_unconfined',`
  
  	typeattribute $1 corenet_unconfined_type;
  ')
@@ -73460,7 +73507,7 @@ index 4f3b542..63f4e1c 100644
 +	dev_filetrans($1, ppp_device_t, chr_file, "ppp")
 +')
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..a8962b5 100644
+index 99b71cb..83554ff 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,15 @@ attribute netif_type;
@@ -73557,7 +73604,7 @@ index 99b71cb..a8962b5 100644
  network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
 +network_port(cma, tcp,1050,s0, udp,1050,s0)
  network_port(cobbler, tcp,25151,s0)
-+network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0)
++network_port(commplex, tcp,5001,s0, udp,5001,s0)
  network_port(comsat, udp,512,s0)
 +network_port(condor, tcp, 9618,s0, udp, 9618,s0)
 +network_port(couchdb, tcp,5984,s0, udp,5984,s0)
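Review bot: Dropping tcp/udp 5000 from `commplex` here silently changes which domains may bind or connect on that port, and the same applies to tcp 9292, which a later hunk takes from `hplip` and gives to `glance`. Port 5000 is re-declared as `keystone` in the jabber/kerberos hunk further down. Any rule that reached port 5000 through `commplex_port_t` or port 9292 through `hplip_port_t` loses that access after this update; the callers are not visible in this diff, so they need checking. A trailing comment in the style of the existing `http` line would record the decision, for example `# 5000 moved to keystone_port_t` on the `commplex` line and `# 9292 moved to glance_port_t` on the `hplip` line.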
@@ -73565,7 +73612,7 @@ index 99b71cb..a8962b5 100644
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
  network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -99,14 +136,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -99,27 +136,39 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
@@ -73585,13 +73632,16 @@ index 99b71cb..a8962b5 100644
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
  network_port(giftd, tcp,1213,s0)
  network_port(git, tcp,9418,s0, udp,9418,s0)
++network_port(glance, tcp,9292,s0, udp,9292,s0)
 +network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -115,11 +161,13 @@ network_port(hddtemp, tcp,7634,s0)
+ network_port(hadoop_namenode, tcp,8020,s0)
+ network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
- network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+-network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
++network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
 -network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
 +network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
@@ -73605,7 +73655,7 @@ index 99b71cb..a8962b5 100644
  network_port(ipmi, udp,623,s0, udp,664,s0)
  network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
  network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +177,28 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +178,30 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -73614,10 +73664,12 @@ index 99b71cb..a8962b5 100644
 -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 +network_port(jabber_router, tcp,5347,s0)
 +network_port(jboss_debug, tcp,8787,s0)
++network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0)
 +network_port(jboss_management, tcp,4712,s0, tcp,4447,s0, udp,4712,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 18001, s0)
 +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
 +network_port(kerberos_admin, tcp,749,s0)
 +network_port(kerberos_password, tcp,464,s0, udp,464,s0)
++network_port(keystone, tcp,5000,s0, udp,5000,s0)
  network_port(kismet, tcp,2501,s0)
  network_port(kprop, tcp,754,s0)
  network_port(ktalkd, udp,517,s0, udp,518,s0)
@@ -73637,7 +73689,7 @@ index 99b71cb..a8962b5 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +208,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,21 +211,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netport, tcp,3129,s0, udp,3129,s0)
  network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -73670,7 +73722,7 @@ index 99b71cb..a8962b5 100644
  network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
-@@ -175,38 +241,46 @@ network_port(pulseaudio, tcp,4713,s0)
+@@ -175,38 +244,46 @@ network_port(pulseaudio, tcp,4713,s0)
  network_port(puppet, tcp, 8140, s0)
  network_port(pxe, udp,4011,s0)
  network_port(pyzor, udp,24441,s0)
@@ -73723,7 +73775,7 @@ index 99b71cb..a8962b5 100644
  network_port(traceroute, udp,64000-64010,s0)
  network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
-@@ -215,9 +289,12 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +292,12 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -73737,7 +73789,7 @@ index 99b71cb..a8962b5 100644
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -229,6 +306,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +309,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -73745,7 +73797,7 @@ index 99b71cb..a8962b5 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +316,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +319,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
  portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -73758,7 +73810,7 @@ index 99b71cb..a8962b5 100644
  
  ########################################
  #
-@@ -282,9 +366,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +369,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -73893,7 +73945,7 @@ index 6cf8784..21a5923 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..790494f 100644
+index f820f3b..31a502b 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -74335,32 +74387,33 @@ index f820f3b..790494f 100644
  ')
  
  ########################################
-@@ -3210,24 +3466,6 @@ interface(`dev_rw_printer',`
+@@ -3210,7 +3466,7 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
 -##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	Read and write the printer device.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3218,12 +3474,13 @@ interface(`dev_rw_printer',`
+ ##	</summary>
+ ## </param>
+ #
 -interface(`dev_read_printk',`
--	gen_require(`
++interface(`dev_manage_printer',`
+ 	gen_require(`
 -		type device_t, printk_device_t;
--	')
--
++		type device_t, printer_device_t;
+ 	')
+ 
 -	read_chr_files_pattern($1, device_t, printk_device_t)
--')
--
--########################################
--## <summary>
- ##	Get the attributes of the QEMU
- ##	microcode and id interfaces.
- ## </summary>
-@@ -3811,6 +4049,42 @@ interface(`dev_getattr_sysfs_dirs',`
++	manage_chr_files_pattern($1, device_t, printer_device_t)
++	dev_filetrans_printer_named_dev($1)
+ ')
+ 
+ ########################################
+@@ -3811,6 +4068,42 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
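Review bot: The summary given to `dev_manage_printer`, `Read and write the printer device.`, understates what the interface grants. The body uses `manage_chr_files_pattern` and also calls `dev_filetrans_printer_named_dev($1)`, so a caller can create and remove printer device nodes as well as read and write them. The wording also looks like it belongs to `dev_rw_printer` just above, which makes the two hard to tell apart in generated documentation. I would change the line to `##	Create, read, write, and delete the printer device.` so a policy author does not hand out manage rights when read/write was intended.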
@@ -74403,7 +74456,7 @@ index f820f3b..790494f 100644
  ##	Search the sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3860,6 +4134,7 @@ interface(`dev_list_sysfs',`
+@@ -3860,6 +4153,7 @@ interface(`dev_list_sysfs',`
  		type sysfs_t;
  	')
  
@@ -74411,7 +74464,7 @@ index f820f3b..790494f 100644
  	list_dirs_pattern($1, sysfs_t, sysfs_t)
  ')
  
-@@ -3902,23 +4177,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3902,23 +4196,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -74465,7 +74518,7 @@ index f820f3b..790494f 100644
  ########################################
  ## <summary>
  ##	Read hardware state information.
-@@ -3972,6 +4273,62 @@ interface(`dev_rw_sysfs',`
+@@ -3972,6 +4292,62 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -74528,7 +74581,7 @@ index f820f3b..790494f 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -4069,6 +4426,25 @@ interface(`dev_write_urand',`
+@@ -4069,6 +4445,25 @@ interface(`dev_write_urand',`
  
  ########################################
  ## <summary>
@@ -74554,7 +74607,7 @@ index f820f3b..790494f 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4103,6 +4479,24 @@ interface(`dev_setattr_generic_usb_dev',`
+@@ -4103,6 +4498,24 @@ interface(`dev_setattr_generic_usb_dev',`
  	setattr_chr_files_pattern($1, device_t, usb_device_t)
  ')
  
@@ -74579,7 +74632,7 @@ index f820f3b..790494f 100644
  ########################################
  ## <summary>
  ##	Read generic the USB devices.
-@@ -4495,6 +4889,24 @@ interface(`dev_rw_vhost',`
+@@ -4495,6 +4908,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -74604,7 +74657,7 @@ index f820f3b..790494f 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4695,6 +5107,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4695,6 +5126,26 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -74631,7 +74684,7 @@ index f820f3b..790494f 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4784,3 +5216,843 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5235,861 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -74665,6 +74718,64 @@ index f820f3b..790494f 100644
 +##	</summary>
 +## </param>
 +#
++interface(`dev_filetrans_printer_named_dev',`
++
++	gen_require(`
++		type printer_device_t;
++
++	')
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
++')
++
++########################################
++## <summary>
++##	Create all named devices with the correct label
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`dev_filetrans_all_named_dev',`
 +
 +gen_require(`
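Review bot: The `gen_require` block of the new `dev_filetrans_printer_named_dev` declares only `printer_device_t`, yet every `filetrans_pattern` line in it also names `device_t`. A module that calls this interface without otherwise requiring `device_t` may fail to compile, so the require should read `type device_t, printer_device_t;`, and the stray blank line before the closing `')` can go. The doc block that ends just above the interface starts outside this hunk; if its summary is still the all-named-devices text, it should be made printer-specific.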
@@ -74686,7 +74797,6 @@ index f820f3b..790494f 100644
 +	type random_device_t;
 +	type dri_device_t;
 +	type ipmi_device_t;
-+	type printer_device_t;
 +	type memory_device_t;
 +	type kmsg_device_t;
 +	type qemu_device_t;
@@ -74713,6 +74823,7 @@ index f820f3b..790494f 100644
 +	type mtrr_device_t;
 +')
 +
++	dev_filetrans_printer_named_dev($1)
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2")
@@ -74950,16 +75061,6 @@ index f820f3b..790494f 100644
 +	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7")
 +	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8")
 +	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9")
 +	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm")
 +	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0")
 +	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1")
@@ -75008,16 +75109,6 @@ index f820f3b..790494f 100644
 +	filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9")
 +	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm")
 +	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9")
 +	filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog")
 +	filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem")
 +	filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem")
@@ -75081,16 +75172,6 @@ index f820f3b..790494f 100644
 +	filetrans_pattern($1, device_t, null_device_t, chr_file, "null")
 +	filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram")
 +	filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9")
 +	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad")
 +	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0")
 +	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1")
@@ -75196,16 +75277,6 @@ index f820f3b..790494f 100644
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
 +	filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0")
 +	filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1")
 +	filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2")
@@ -75647,7 +75718,7 @@ index 6a1e4d1..ffaa90a 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..6d455ba 100644
+index fae1ab1..28b8105 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -75748,7 +75819,7 @@ index fae1ab1..6d455ba 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -158,5 +199,256 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +199,260 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -75875,6 +75946,10 @@ index fae1ab1..6d455ba 100644
 +')
 +
 +optional_policy(`
++	tftp_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
 +	userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
 +	userdom_filetrans_home_content(unconfined_domain_type)
 +')
@@ -81493,7 +81568,7 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..2ea9a72 100644
+index e14b961..f40dcef 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,69 @@ policy_module(sysadm, 2.2.1)
@@ -81834,7 +81909,7 @@ index e14b961..2ea9a72 100644
  ')
  
  optional_policy(`
-@@ -332,7 +417,14 @@ optional_policy(`
+@@ -332,7 +417,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -81847,10 +81922,14 @@ index e14b961..2ea9a72 100644
 +	systemd_login_reboot(sysadm_t)
 +	systemd_login_halt(sysadm_t)
 +	systemd_login_undefined(sysadm_t)
++')
++
++optional_policy(`
++	tftp_filetrans_named_content(sysadm_t)
  ')
  
  optional_policy(`
-@@ -343,19 +435,15 @@ optional_policy(`
+@@ -343,19 +439,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -81872,7 +81951,7 @@ index e14b961..2ea9a72 100644
  ')
  
  optional_policy(`
-@@ -367,45 +455,45 @@ optional_policy(`
+@@ -367,45 +459,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -81929,7 +82008,7 @@ index e14b961..2ea9a72 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -418,10 +506,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +510,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -81940,7 +82019,7 @@ index e14b961..2ea9a72 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  	')
  
-@@ -439,6 +523,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +527,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -81948,7 +82027,7 @@ index e14b961..2ea9a72 100644
  	')
  
  	optional_policy(`
-@@ -446,11 +531,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +535,66 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -81967,8 +82046,9 @@ index e14b961..2ea9a72 100644
 +
 +	optional_policy(`
 +		mozilla_role(sysadm_r, sysadm_t)
-+	')
-+
+ 	')
+-')
+ 
 +	optional_policy(`
 +		mplayer_role(sysadm_r, sysadm_t)
 +	')
@@ -81987,9 +82067,8 @@ index e14b961..2ea9a72 100644
 +
 +	optional_policy(`
 +		spamassassin_role(sysadm_r, sysadm_t)
- 	')
--')
- 
++	')
++
 +	optional_policy(`
 +		thunderbird_role(sysadm_r, sysadm_t)
 +	')
@@ -83448,10 +83527,10 @@ index e88b95f..9b6536a 100644
 -#gen_user(xguest_u,, xguest_r, s0, s0)
 +gen_user(xguest_u, user, xguest_r, s0, s0)
 diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
-index 1bd5812..2e52710 100644
+index 1bd5812..d17ee73 100644
 --- a/policy/modules/services/abrt.fc
 +++ b/policy/modules/services/abrt.fc
-@@ -1,13 +1,15 @@
+@@ -1,13 +1,16 @@
  /etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
  /etc/rc\.d/init\.d/abrt		--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
  
@@ -83462,6 +83541,7 @@ index 1bd5812..2e52710 100644
 -/usr/libexec/abrt-hook-python 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
 +/usr/bin/abrt-dump-oops 	--	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
 +/usr/bin/abrt-pyhook-helper 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/bin/abrt-watch-log         --      gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
  
  /usr/sbin/abrtd			--	gen_context(system_u:object_r:abrt_exec_t,s0)
  
@@ -83470,7 +83550,7 @@ index 1bd5812..2e52710 100644
  /var/cache/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_cache_t,s0)
  /var/cache/abrt-di(/.*)?		gen_context(system_u:object_r:abrt_var_cache_t,s0)
  
-@@ -15,6 +17,19 @@
+@@ -15,6 +18,19 @@
  
  /var/run/abrt\.pid		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
  /var/run/abrtd?\.lock		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -83764,7 +83844,7 @@ index 0b827c5..ac79ca6 100644
 +	dontaudit $1 abrt_t:sock_file write;
  ')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..07f46bc 100644
+index 30861ec..ec4a1db 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0)
@@ -83825,7 +83905,7 @@ index 30861ec..07f46bc 100644
  type abrt_helper_exec_t;
  application_domain(abrt_helper_t, abrt_helper_exec_t)
  role system_r types abrt_helper_t;
-@@ -43,22 +75,42 @@ ifdef(`enable_mcs',`
+@@ -43,22 +75,46 @@ ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
  ')
  
@@ -83849,6 +83929,10 @@ index 30861ec..07f46bc 100644
 +type abrt_retrace_spool_t;
 +files_spool_file(abrt_retrace_spool_t)
 +
++type abrt_watch_log_t;
++type abrt_watch_log_exec_t;
++init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
++
  ########################################
  #
  # abrt local policy
@@ -83871,7 +83955,7 @@ index 30861ec..07f46bc 100644
  rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
  
  # log file
-@@ -68,7 +120,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -68,7 +124,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
  # abrt tmp files
  manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
@@ -83881,7 +83965,7 @@ index 30861ec..07f46bc 100644
  
  # abrt var/cache files
  manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,10 +136,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,10 +140,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -83894,7 +83978,7 @@ index 30861ec..07f46bc 100644
  kernel_rw_kernel_sysctl(abrt_t)
  
  corecmd_exec_bin(abrt_t)
-@@ -104,6 +158,8 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +162,8 @@ corenet_tcp_connect_all_ports(abrt_t)
  corenet_sendrecv_http_client_packets(abrt_t)
  
  dev_getattr_all_chr_files(abrt_t)
@@ -83903,7 +83987,7 @@ index 30861ec..07f46bc 100644
  dev_read_urand(abrt_t)
  dev_rw_sysfs(abrt_t)
  dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +169,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +173,8 @@ domain_read_all_domains_state(abrt_t)
  domain_signull_all_domains(abrt_t)
  
  files_getattr_all_files(abrt_t)
@@ -83913,7 +83997,7 @@ index 30861ec..07f46bc 100644
  files_read_var_symlinks(abrt_t)
  files_read_var_lib_files(abrt_t)
  files_read_usr_files(abrt_t)
-@@ -121,6 +178,9 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +182,9 @@ files_read_generic_tmp_files(abrt_t)
  files_read_kernel_modules(abrt_t)
  files_dontaudit_list_default(abrt_t)
  files_dontaudit_read_default_files(abrt_t)
@@ -83923,7 +84007,7 @@ index 30861ec..07f46bc 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,22 +191,26 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +195,26 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
@@ -83956,7 +84040,7 @@ index 30861ec..07f46bc 100644
  ')
  
  optional_policy(`
-@@ -167,6 +231,7 @@ optional_policy(`
+@@ -167,6 +235,7 @@ optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
@@ -83964,7 +84048,7 @@ index 30861ec..07f46bc 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,12 +243,35 @@ optional_policy(`
+@@ -178,12 +247,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -84001,7 +84085,7 @@ index 30861ec..07f46bc 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +288,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +292,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  
@@ -84030,7 +84114,7 @@ index 30861ec..07f46bc 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +311,128 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +315,146 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -84048,7 +84132,7 @@ index 30861ec..07f46bc 100644
 +	allow abrt_t self:capability sys_resource;
 +	allow abrt_t domain:file write;
 +	allow abrt_t domain:process setrlimit;
-+')
+ ')
 +
 +#######################################
 +#
@@ -84116,7 +84200,7 @@ index 30861ec..07f46bc 100644
 +
 +optional_policy(`
 +	mock_domtrans(abrt_retrace_worker_t)
- ')
++')
 +
 +########################################
 +#
@@ -84149,6 +84233,24 @@ index 30861ec..07f46bc 100644
 +
 +#######################################
 +#
++# abrt_watch_log local policy
++#
++
++allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
++allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms;
++
++read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
++
++domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
++
++logging_read_all_logs(abrt_watch_log_t)
++
++optional_policy(`
++	unconfined_domain(abrt_watch_log_t)
++')
++
++#######################################
++#
 +# Local policy for all abrt domain
 +#
 +
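Review bot: The `optional_policy` block calling `unconfined_domain(abrt_watch_log_t)` cancels the confinement that the rules above it set up. Wherever the unconfined module is present, this init-started daemon, which gets `logging_read_all_logs` and parses log content, runs without restriction, and the explicit `allow` and `read_files_pattern` lines become redundant. If this is a stop-gap while the needed rules are being collected, `permissive abrt_watch_log_t;` would keep AVC denials logged so the policy can later be tightened. Either way, a comment such as `# FIXME: temporary, remove once abrt_watch_log_t rules are complete` should mark it.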
@@ -85672,10 +85774,10 @@ index 6480167..4fc1968 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..80880c0 100644
+index 3136c6a..3ee87ed 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
-@@ -18,136 +18,254 @@ policy_module(apache, 2.2.1)
+@@ -18,136 +18,261 @@ policy_module(apache, 2.2.1)
  # Declarations
  #
  
@@ -85929,6 +86031,13 @@ index 3136c6a..80880c0 100644
 -## Allow httpd to access cifs file systems
 -## </p>
 +##	<p>
++##	Allow httpd to access openstack ports
++##	</p>
++## </desc>
++gen_tunable(httpd_use_openstack, false)
++
++## <desc>
++##	<p>
 +##	Allow httpd to access cifs file systems
 +##	</p>
  ## </desc>
@@ -85986,7 +86095,7 @@ index 3136c6a..80880c0 100644
  attribute httpd_script_exec_type;
  attribute httpd_user_script_exec_type;
  
-@@ -166,7 +284,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +291,7 @@ files_type(httpd_cache_t)
  
  # httpd_config_t is the type given to the configuration files
  type httpd_config_t;
@@ -85995,7 +86104,7 @@ index 3136c6a..80880c0 100644
  
  type httpd_helper_t;
  type httpd_helper_exec_t;
-@@ -177,6 +295,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +302,9 @@ role system_r types httpd_helper_t;
  type httpd_initrc_exec_t;
  init_script_file(httpd_initrc_exec_t)
  
@@ -86005,7 +86114,7 @@ index 3136c6a..80880c0 100644
  type httpd_lock_t;
  files_lock_file(httpd_lock_t)
  
-@@ -216,7 +337,21 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +344,21 @@ files_tmp_file(httpd_suexec_tmp_t)
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
@@ -86028,7 +86137,7 @@ index 3136c6a..80880c0 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -226,6 +361,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +368,10 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -86039,7 +86148,7 @@ index 3136c6a..80880c0 100644
  userdom_user_home_content(httpd_user_content_t)
  userdom_user_home_content(httpd_user_htaccess_t)
  userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +372,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +379,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
  userdom_user_home_content(httpd_user_rw_content_t)
  typeattribute httpd_user_script_t httpd_script_domains;
  typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -86047,7 +86156,7 @@ index 3136c6a..80880c0 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +394,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +401,23 @@ files_type(httpd_var_lib_t)
  type httpd_var_run_t;
  files_pid_file(httpd_var_run_t)
  
@@ -86071,7 +86180,7 @@ index 3136c6a..80880c0 100644
  ########################################
  #
  # Apache server local policy
-@@ -281,11 +430,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +437,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
  allow httpd_t self:udp_socket create_socket_perms;
@@ -86085,7 +86194,7 @@ index 3136c6a..80880c0 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +480,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +487,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -86096,7 +86205,7 @@ index 3136c6a..80880c0 100644
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -339,8 +491,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -339,8 +498,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  
@@ -86107,7 +86216,7 @@ index 3136c6a..80880c0 100644
  
  setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
  manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -355,6 +508,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +515,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -86117,7 +86226,7 @@ index 3136c6a..80880c0 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +521,16 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +528,17 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -86127,6 +86236,7 @@ index 3136c6a..80880c0 100644
  corenet_tcp_bind_http_cache_port(httpd_t)
 +corenet_tcp_bind_ntop_port(httpd_t)
 +corenet_tcp_bind_jboss_management_port(httpd_t)
++corenet_tcp_bind_jboss_messaging_port(httpd_t)
  corenet_sendrecv_http_server_packets(httpd_t)
 +corenet_tcp_bind_puppet_port(httpd_t)
  # Signal self for shutdown
@@ -86135,7 +86245,7 @@ index 3136c6a..80880c0 100644
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +539,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +547,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -86151,7 +86261,7 @@ index 3136c6a..80880c0 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +552,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +560,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -86159,7 +86269,7 @@ index 3136c6a..80880c0 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,48 +564,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +572,101 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -86263,7 +86373,7 @@ index 3136c6a..80880c0 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -454,27 +669,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -454,27 +677,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -86327,7 +86437,7 @@ index 3136c6a..80880c0 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +733,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +741,22 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -86350,7 +86460,7 @@ index 3136c6a..80880c0 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +763,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +771,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -86371,7 +86481,7 @@ index 3136c6a..80880c0 100644
  ')
  
  optional_policy(`
-@@ -513,7 +787,13 @@ optional_policy(`
+@@ -513,7 +795,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86386,7 +86496,7 @@ index 3136c6a..80880c0 100644
  ')
  
  optional_policy(`
-@@ -528,7 +808,19 @@ optional_policy(`
+@@ -528,7 +816,19 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -86407,7 +86517,7 @@ index 3136c6a..80880c0 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +829,13 @@ optional_policy(`
+@@ -537,8 +837,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86422,7 +86532,7 @@ index 3136c6a..80880c0 100644
  	')
  ')
  
-@@ -556,7 +853,21 @@ optional_policy(`
+@@ -556,7 +861,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86444,7 +86554,7 @@ index 3136c6a..80880c0 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +878,7 @@ optional_policy(`
+@@ -567,6 +886,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -86452,7 +86562,7 @@ index 3136c6a..80880c0 100644
  ')
  
  optional_policy(`
-@@ -577,6 +889,29 @@ optional_policy(`
+@@ -577,6 +897,29 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86482,7 +86592,7 @@ index 3136c6a..80880c0 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +926,11 @@ optional_policy(`
+@@ -591,6 +934,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86494,7 +86604,7 @@ index 3136c6a..80880c0 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +943,12 @@ optional_policy(`
+@@ -603,6 +951,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -86507,7 +86617,7 @@ index 3136c6a..80880c0 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +962,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +970,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -86520,7 +86630,7 @@ index 3136c6a..80880c0 100644
  
  ########################################
  #
-@@ -654,28 +1004,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1012,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -86564,7 +86674,7 @@ index 3136c6a..80880c0 100644
  ')
  
  ########################################
-@@ -685,6 +1037,8 @@ optional_policy(`
+@@ -685,6 +1045,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -86573,7 +86683,7 @@ index 3136c6a..80880c0 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1053,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1061,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -86599,7 +86709,7 @@ index 3136c6a..80880c0 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1099,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1107,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -86632,7 +86742,7 @@ index 3136c6a..80880c0 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1146,25 @@ optional_policy(`
+@@ -769,6 +1154,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -86658,7 +86768,7 @@ index 3136c6a..80880c0 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1185,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1193,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -86676,7 +86786,7 @@ index 3136c6a..80880c0 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1204,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1212,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -86733,7 +86843,7 @@ index 3136c6a..80880c0 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1255,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1263,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -86774,7 +86884,7 @@ index 3136c6a..80880c0 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1300,20 @@ optional_policy(`
+@@ -842,10 +1308,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -86795,7 +86905,7 @@ index 3136c6a..80880c0 100644
  ')
  
  ########################################
-@@ -891,11 +1359,135 @@ optional_policy(`
+@@ -891,11 +1367,142 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -86819,7 +86929,7 @@ index 3136c6a..80880c0 100644
 +	userdom_read_user_home_content_files(httpd_t)
 +	userdom_read_user_home_content_files(httpd_suexec_t)
 +	userdom_read_user_home_content_files(httpd_user_script_t)
-+')
+ ')
 +
 +########################################
 +#
@@ -86933,7 +87043,14 @@ index 3136c6a..80880c0 100644
 +	allow httpd_t httpd_content_type:dir list_dir_perms;
 +	read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
 +	read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
- ')
++')
++
++tunable_policy(`httpd_use_openstack',`
++	corenet_tcp_connect_keystone_port(httpd_sys_script_t)
++	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
++	corenet_tcp_connect_glance_port(httpd_sys_script_t)
++')
++
 diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
 index cd07b96..f5298af 100644
 --- a/policy/modules/services/apcupsd.fc
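Review bot: In the new `httpd_use_openstack` block, `corenet_tcp_connect_all_ephemeral_ports(httpd_t)` is much wider than the tunable's description ("Allow httpd to access openstack ports") suggests. It is also granted to `httpd_t`, while the keystone and glance connects go to `httpd_sys_script_t`. If the split between domains is intended, add a comment naming what needs the ephemeral range, e.g. `# <component> listens on a dynamically assigned port`; if not, the three lines should name the same domain. As written, enabling the boolean lets the web server connect out to every ephemeral port without that being documented.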
@@ -90612,10 +90729,10 @@ index 0000000..2972c77
 +')
 diff --git a/policy/modules/services/cfengine.te b/policy/modules/services/cfengine.te
 new file mode 100644
-index 0000000..02d8a13
+index 0000000..0de6133
 --- /dev/null
 +++ b/policy/modules/services/cfengine.te
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,101 @@
 +policy_module(cfengine, 1.0.0)
 +
 +########################################
@@ -90693,6 +90810,8 @@ index 0000000..02d8a13
 +allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot };
 +allow cfengine_execd_t self:process { fork setfscreate signal };
 +
++kernel_read_sysctl(cfengine_execd_t)
++
 +domain_read_all_domains_state(cfengine_execd_t)
 +domain_use_interactive_fds(cfengine_execd_t)
 +
@@ -92174,7 +92293,7 @@ index 116d60f..e2c6ec6 100644
 +	allow $1 cobblerd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
-index 0258b48..5fe2f77 100644
+index 0258b48..f114e78 100644
 --- a/policy/modules/services/cobbler.te
 +++ b/policy/modules/services/cobbler.te
 @@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
@@ -92391,7 +92510,7 @@ index 0258b48..5fe2f77 100644
  ')
  
  optional_policy(`
-@@ -110,12 +222,20 @@ optional_policy(`
+@@ -110,12 +222,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -92412,10 +92531,11 @@ index 0258b48..5fe2f77 100644
 +	# Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
 +	# are any of those hard linked?
 +	tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
++	tftp_manage_config(cobblerd_t)
  ')
  
  ########################################
-@@ -124,5 +244,6 @@ optional_policy(`
+@@ -124,5 +245,6 @@ optional_policy(`
  #
  
  apache_content_template(cobbler)
@@ -92922,10 +93042,10 @@ index 0000000..a9ad037
 +/var/run/condor(/.*)?		gen_context(system_u:object_r:condor_var_run_t,s0)
 diff --git a/policy/modules/services/condor.if b/policy/modules/services/condor.if
 new file mode 100644
-index 0000000..d509142
+index 0000000..88a0b5d
 --- /dev/null
 +++ b/policy/modules/services/condor.if
-@@ -0,0 +1,278 @@
+@@ -0,0 +1,272 @@
 +
 +## <summary>policy for condor</summary>
 +
@@ -93168,12 +93288,6 @@ index 0000000..d509142
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`condor_admin',`
 +	gen_require(`
@@ -96152,7 +96266,7 @@ index 305ddf4..4d70951 100644
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
  ')
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..a1527a7 100644
+index 0f28095..085e634 100644
 --- a/policy/modules/services/cups.te
 +++ b/policy/modules/services/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -96408,7 +96522,16 @@ index 0f28095..a1527a7 100644
  
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +720,9 @@ domain_use_interactive_fds(hplip_t)
+@@ -661,6 +696,8 @@ corenet_tcp_bind_generic_node(hplip_t)
+ corenet_udp_bind_generic_node(hplip_t)
+ corenet_tcp_bind_hplip_port(hplip_t)
+ corenet_tcp_connect_hplip_port(hplip_t)
++corenet_tcp_bind_glance_port(hplip_t)
++corenet_tcp_connect_glance_port(hplip_t)
+ corenet_tcp_connect_ipp_port(hplip_t)
+ corenet_sendrecv_hplip_client_packets(hplip_t)
+ corenet_receive_hplip_server_packets(hplip_t)
+@@ -685,6 +722,9 @@ domain_use_interactive_fds(hplip_t)
  files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
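Review bot: The added `corenet_tcp_bind_glance_port(hplip_t)` and `corenet_tcp_connect_glance_port(hplip_t)` give the printer daemon access to a port named after an unrelated service, with no explanation. The glance.te change later in this patch swaps `corenet_tcp_bind_hplip_port(glance_api_t)` for the glance variant, so presumably a port number moved from the hplip definition to the new glance one and hplip still needs it. A comment such as `# hplip also uses the port now labeled as the glance port` would record that. Without it a later cleanup cannot tell whether the rules are required or an accidental overlap.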
@@ -96418,7 +96541,7 @@ index 0f28095..a1527a7 100644
  
  logging_send_syslog_msg(hplip_t)
  
-@@ -696,8 +734,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +736,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
@@ -101540,10 +101663,10 @@ index 0000000..c4c7510
 +')
 diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
 new file mode 100644
-index 0000000..3b2ff3b
+index 0000000..3e016c3
 --- /dev/null
 +++ b/policy/modules/services/firewalld.te
-@@ -0,0 +1,85 @@
+@@ -0,0 +1,86 @@
 +
 +policy_module(firewalld,1.0.0)
 +
@@ -101596,6 +101719,7 @@ index 0000000..3b2ff3b
 +kernel_read_system_state(firewalld_t)
 +
 +corecmd_exec_bin(firewalld_t)
++corecmd_exec_shell(firewalld_t)
 +
 +dev_read_urand(firewalld_t)
 +
@@ -103148,7 +103272,7 @@ index 0000000..ebe1dde
 +')
 diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
 new file mode 100644
-index 0000000..941c652
+index 0000000..883a846
 --- /dev/null
 +++ b/policy/modules/services/glance.te
 @@ -0,0 +1,105 @@
@@ -103248,7 +103372,7 @@ index 0000000..941c652
 +corecmd_exec_shell(glance_api_t)
 +
 +corenet_tcp_bind_generic_node(glance_api_t)
-+corenet_tcp_bind_hplip_port(glance_api_t)
++corenet_tcp_bind_glance_port(glance_api_t)
 +corenet_tcp_connect_glance_registry_port(glance_api_t)
 +corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
 +
@@ -104248,7 +104372,7 @@ index df48e5e..878d9df 100644
  		type inetd_t;
  	')
 diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
-index c51a7b2..b07694c 100644
+index c51a7b2..afc68dc 100644
 --- a/policy/modules/services/inetd.te
 +++ b/policy/modules/services/inetd.te
 @@ -89,6 +89,10 @@ corenet_tcp_bind_ftp_port(inetd_t)
@@ -104273,6 +104397,17 @@ index c51a7b2..b07694c 100644
  
  sysnet_read_config(inetd_t)
  
+@@ -176,6 +183,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	tftp_read_config(inetd_t)
++')
++
++optional_policy(`
+ 	udev_read_db(inetd_t)
+ ')
+ 
 diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc
 index 8ca038d..8507ee2 100644
 --- a/policy/modules/services/inn.fc
@@ -105692,7 +105827,7 @@ index 0000000..c7a5aeb
 +')
 diff --git a/policy/modules/services/keystone.te b/policy/modules/services/keystone.te
 new file mode 100644
-index 0000000..d73c319
+index 0000000..1b3d4d9
 --- /dev/null
 +++ b/policy/modules/services/keystone.te
 @@ -0,0 +1,69 @@
@@ -105746,7 +105881,7 @@ index 0000000..d73c319
 +corecmd_exec_bin(keystone_t)
 +corecmd_exec_shell(keystone_t)
 +
-+corenet_tcp_bind_commplex_port(keystone_t)
++corenet_tcp_bind_keystone_port(keystone_t)
 +corenet_tcp_bind_generic_node(keystone_t)
 +
 +dev_read_urand(keystone_t)
@@ -111241,10 +111376,10 @@ index 74da57f..b94bb3b 100644
  /usr/sbin/nessusd	--	gen_context(system_u:object_r:nessusd_exec_t,s0)
  
 diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
-index 386543b..ea4e5e6 100644
+index 386543b..0f1f9c4 100644
 --- a/policy/modules/services/networkmanager.fc
 +++ b/policy/modules/services/networkmanager.fc
-@@ -1,6 +1,17 @@
+@@ -1,6 +1,21 @@
  /etc/rc\.d/init\.d/wicd		--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
  
 -/etc/NetworkManager/dispatcher\.d(/.*)	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -111253,6 +111388,10 @@ index 386543b..ea4e5e6 100644
 +/etc/NetworkManager/system-connections(/.*)?	gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
 +/etc/NetworkManager/dispatcher\.d(/.*)?	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 +
++/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++
 +/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
 +/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
 +/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
@@ -111263,7 +111402,7 @@ index 386543b..ea4e5e6 100644
  
  /usr/libexec/nm-dispatcher.action --	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
  
-@@ -12,15 +23,19 @@
+@@ -12,15 +27,19 @@
  /usr/sbin/NetworkManagerDispatcher --	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
  /usr/sbin/nm-system-settings	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
  /usr/sbin/wicd 			--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@@ -111285,7 +111424,7 @@ index 386543b..ea4e5e6 100644
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
-index 2324d9e..6717db4 100644
+index 2324d9e..69db955 100644
 --- a/policy/modules/services/networkmanager.if
 +++ b/policy/modules/services/networkmanager.if
 @@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
@@ -111360,7 +111499,7 @@ index 2324d9e..6717db4 100644
  ##	Send a generic signal to NetworkManager
  ## </summary>
  ## <param name="domain">
-@@ -191,3 +236,77 @@ interface(`networkmanager_read_pid_files',`
+@@ -191,3 +236,81 @@ interface(`networkmanager_read_pid_files',`
  	files_search_pids($1)
  	allow $1 NetworkManager_var_run_t:file read_file_perms;
  ')
@@ -111425,6 +111564,7 @@ index 2324d9e..6717db4 100644
 +interface(`networkmanager_filetrans_named_content',`
 +	gen_require(`
 +		type NetworkManager_var_run_t;
++		type NetworkManager_var_lib_t;
 +	')
 +
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth0.conf")
@@ -111437,9 +111577,12 @@ index 2324d9e..6717db4 100644
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth7.conf")
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth8.conf")
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
++	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
++	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
++	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..71b47c8 100644
+index 0619395..103f6f8 100644
 --- a/policy/modules/services/networkmanager.te
 +++ b/policy/modules/services/networkmanager.te
 @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
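Review bot: The third added transition names the file `"wireed-settings.conf"`, which looks like a typo for `wired-settings.conf`, the spelling used by the networkmanager.fc entries in this same patch. Named file transitions match the file name exactly, so a newly created `wired-settings.conf` would not get `NetworkManager_var_lib_t` until it is relabeled. The line should read `files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf")`.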
@@ -111458,7 +111601,7 @@ index 0619395..71b47c8 100644
  type NetworkManager_log_t;
  logging_log_file(NetworkManager_log_t)
  
-@@ -35,16 +44,25 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -35,16 +44,26 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
  
  # networkmanager will ptrace itself if gdb is installed
  # and it receives a unexpected signal (rh bug #204161)
@@ -111473,6 +111616,7 @@ index 0619395..71b47c8 100644
 +')
 +allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
 +tunable_policy(`deny_ptrace',`',`
++	allow NetworkManager_t self:capability sys_ptrace;
 +	allow NetworkManager_t self:process ptrace;
 +')
 +
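Review bot: The added `allow NetworkManager_t self:capability sys_ptrace;` is not justified by the comment above it, which covers only NetworkManager ptracing itself when gdb is installed, and the changelog does not mention it. The existing `self:process ptrace` rule already handles the self-trace case, so the capability appears to matter only when the traced process runs under a different uid. If that is the reason, state it in a comment such as `# needed because <helper> runs as another user`; otherwise drop the line. The rule sits in the else branch of the `deny_ptrace` tunable, so it is active unless that boolean is turned on.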
@@ -111488,7 +111632,7 @@ index 0619395..71b47c8 100644
  allow NetworkManager_t self:udp_socket create_socket_perms;
  allow NetworkManager_t self:packet_socket create_socket_perms;
  
-@@ -52,9 +70,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+@@ -52,9 +71,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
  
  can_exec(NetworkManager_t, NetworkManager_exec_t)
  
@@ -111509,7 +111653,7 @@ index 0619395..71b47c8 100644
  manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -95,11 +124,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t)
+@@ -95,11 +125,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t)
  corenet_rw_tun_tap_dev(NetworkManager_t)
  corenet_getattr_ppp_dev(NetworkManager_t)
  
@@ -111523,7 +111667,7 @@ index 0619395..71b47c8 100644
  
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
-@@ -113,10 +143,11 @@ corecmd_exec_shell(NetworkManager_t)
+@@ -113,10 +144,11 @@ corecmd_exec_shell(NetworkManager_t)
  corecmd_exec_bin(NetworkManager_t)
  
  domain_use_interactive_fds(NetworkManager_t)
@@ -111536,7 +111680,7 @@ index 0619395..71b47c8 100644
  files_read_usr_files(NetworkManager_t)
  files_read_usr_src_files(NetworkManager_t)
  
-@@ -133,30 +164,37 @@ logging_send_syslog_msg(NetworkManager_t)
+@@ -133,30 +165,37 @@ logging_send_syslog_msg(NetworkManager_t)
  miscfiles_read_localization(NetworkManager_t)
  miscfiles_read_generic_certs(NetworkManager_t)
  
@@ -111576,7 +111720,7 @@ index 0619395..71b47c8 100644
  ')
  
  optional_policy(`
-@@ -176,10 +214,17 @@ optional_policy(`
+@@ -176,10 +215,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -111594,7 +111738,7 @@ index 0619395..71b47c8 100644
  	')
  ')
  
-@@ -191,6 +236,7 @@ optional_policy(`
+@@ -191,6 +237,7 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -111602,7 +111746,7 @@ index 0619395..71b47c8 100644
  ')
  
  optional_policy(`
-@@ -202,23 +248,45 @@ optional_policy(`
+@@ -202,23 +249,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -111648,7 +111792,7 @@ index 0619395..71b47c8 100644
  	openvpn_domtrans(NetworkManager_t)
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
-@@ -234,6 +302,10 @@ optional_policy(`
+@@ -234,6 +303,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -111659,7 +111803,7 @@ index 0619395..71b47c8 100644
  	ppp_initrc_domtrans(NetworkManager_t)
  	ppp_domtrans(NetworkManager_t)
  	ppp_manage_pid_files(NetworkManager_t)
-@@ -241,6 +313,7 @@ optional_policy(`
+@@ -241,6 +314,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -111667,7 +111811,7 @@ index 0619395..71b47c8 100644
  ')
  
  optional_policy(`
-@@ -254,6 +327,10 @@ optional_policy(`
+@@ -254,6 +328,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -111678,7 +111822,7 @@ index 0619395..71b47c8 100644
  	udev_exec(NetworkManager_t)
  	udev_read_db(NetworkManager_t)
  ')
-@@ -263,6 +340,7 @@ optional_policy(`
+@@ -263,6 +341,7 @@ optional_policy(`
  	vpn_kill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  	vpn_signull(NetworkManager_t)
@@ -113549,7 +113693,7 @@ index bd76ec2..ca6517b 100644
  ## <summary>
  ##	Execute a domain transition to run oddjob_mkhomedir.
 diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
-index cadfc63..c8f4d64 100644
+index cadfc63..e056e78 100644
 --- a/policy/modules/services/oddjob.te
 +++ b/policy/modules/services/oddjob.te
 @@ -7,7 +7,6 @@ policy_module(oddjob, 1.7.0)
@@ -113568,7 +113712,16 @@ index cadfc63..c8f4d64 100644
  domain_obj_id_change_exemption(oddjob_mkhomedir_t)
  init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
  oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
-@@ -99,8 +97,6 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
+@@ -53,6 +51,8 @@ selinux_compute_create_context(oddjob_t)
+ 
+ files_read_etc_files(oddjob_t)
+ 
++auth_use_nsswitch(oddjob_t)
++
+ miscfiles_read_localization(oddjob_t)
+ 
+ locallogin_dontaudit_use_fds(oddjob_t)
+@@ -99,8 +99,6 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
  
  # Add/remove user home directories
  userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
@@ -114242,7 +114395,7 @@ index 8ac407e..45673ad 100644
  	admin_pattern($1, pads_config_t)
  ')
 diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te
-index b246bdd..07baada 100644
+index b246bdd..84afa7a 100644
 --- a/policy/modules/services/pads.te
 +++ b/policy/modules/services/pads.te
 @@ -1,4 +1,4 @@
@@ -114259,7 +114412,7 @@ index b246bdd..07baada 100644
  
  type pads_initrc_exec_t;
  init_script_file(pads_initrc_exec_t)
-@@ -25,10 +24,10 @@ files_pid_file(pads_var_run_t)
+@@ -25,10 +24,11 @@ files_pid_file(pads_var_run_t)
  #
  
  allow pads_t self:capability { dac_override net_raw };
@@ -114269,12 +114422,13 @@ index b246bdd..07baada 100644
 -allow pads_t self:unix_dgram_socket { write create connect };
 +allow pads_t self:netlink_route_socket create_netlink_socket_perms;
 +allow pads_t self:packet_socket create_socket_perms;
++allow pads_t self:socket create_socket_perms;
 +allow pads_t self:udp_socket create_socket_perms;
 +allow pads_t self:unix_dgram_socket create_socket_perms;
  
  allow pads_t pads_config_t:file manage_file_perms;
  files_etc_filetrans(pads_t, pads_config_t, file)
-@@ -48,6 +47,7 @@ corenet_tcp_connect_prelude_port(pads_t)
+@@ -48,6 +48,7 @@ corenet_tcp_connect_prelude_port(pads_t)
  
  dev_read_rand(pads_t)
  dev_read_urand(pads_t)
@@ -117427,7 +117581,7 @@ index 7257526..7d73656 100644
  manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
  files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
 diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
-index f03fad4..668467d 100644
+index f03fad4..df9f22b 100644
 --- a/policy/modules/services/postgresql.fc
 +++ b/policy/modules/services/postgresql.fc
 @@ -11,9 +11,9 @@
@@ -117443,6 +117597,18 @@ index f03fad4..668467d 100644
  
  ifdef(`distro_debian', `
  /usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+@@ -28,9 +28,9 @@ ifdef(`distro_redhat', `
+ #
+ /var/lib/postgres(ql)?(/.*)? 		gen_context(system_u:object_r:postgresql_db_t,s0)
+ 
+-/var/lib/pgsql/data(/.*)?		gen_context(system_u:object_r:postgresql_db_t,s0)
++/var/lib/pgsql(/.*)?			gen_context(system_u:object_r:postgresql_db_t,s0)
+ /var/lib/pgsql/logfile(/.*)?		gen_context(system_u:object_r:postgresql_log_t,s0)
+-/var/lib/pgsql/pgstartup\.log		gen_context(system_u:object_r:postgresql_log_t,s0)
++/var/lib/pgsql/.*\.log			gen_context(system_u:object_r:postgresql_log_t,s0)
+ 
+ /var/lib/sepgsql(/.*)?			gen_context(system_u:object_r:postgresql_db_t,s0)
+ /var/lib/sepgsql/pgstartup\.log	--	gen_context(system_u:object_r:postgresql_log_t,s0)
 @@ -45,4 +45,4 @@ ifdef(`distro_redhat', `
  
  /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
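Review bot: The new entry `/var/lib/pgsql/.*\.log` has no file-type field, and `.*` in a file-context regex also matches `/`, so it assigns postgresql_log_t to any object at any depth under /var/lib/pgsql whose name ends in `.log`, directories included. That now overlaps the widened `/var/lib/pgsql(/.*)?` entry, so a file ending in `.log` inside the data directory would be labelled as a log rather than as postgresql_db_t. The sepgsql entry just below restricts itself to regular files with `--`, and the same here would be `/var/lib/pgsql/.*\.log	--	gen_context(system_u:object_r:postgresql_log_t,s0)`. If only log files directly in /var/lib/pgsql are meant, `[^/]*\.log` is the narrower pattern.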
@@ -122339,10 +122505,10 @@ index 0000000..6572600
 +')
 diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
 new file mode 100644
-index 0000000..d0aef10
+index 0000000..5653d39
 --- /dev/null
 +++ b/policy/modules/services/rhsmcertd.te
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,66 @@
 +policy_module(rhsmcertd, 1.0.0)
 +
 +########################################
@@ -122403,6 +122569,8 @@ index 0000000..d0aef10
 +files_read_usr_files(rhsmcertd_t)
 +files_manage_generic_locks(rhsmcertd_t)
 +
++auth_read_passwd(rhsmcertd_t)
++
 +miscfiles_read_localization(rhsmcertd_t)
 +miscfiles_read_certs(rhsmcertd_t)
 +
@@ -124226,7 +124394,7 @@ index 82cb169..0ed7e14 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..e7e7187 100644
+index e30bb63..ef60f40 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -32,6 +32,14 @@ gen_tunable(samba_domain_controller, false)
@@ -124272,11 +124440,13 @@ index e30bb63..e7e7187 100644
  kernel_read_proc_symlinks(samba_net_t)
  kernel_read_system_state(samba_net_t)
  
-@@ -215,22 +222,28 @@ miscfiles_read_localization(samba_net_t)
+@@ -215,22 +222,30 @@ miscfiles_read_localization(samba_net_t)
  
  samba_read_var_files(samba_net_t)
  
 -userdom_use_user_terminals(samba_net_t)
++sysnet_use_ldap(samba_net_t)
++
 +userdom_use_inherited_user_terminals(samba_net_t)
  userdom_list_user_home_dirs(samba_net_t)
  
@@ -124303,7 +124473,7 @@ index e30bb63..e7e7187 100644
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
-@@ -248,7 +261,9 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -248,7 +263,9 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
  allow smbd_t nmbd_t:process { signal signull };
  
@@ -124313,7 +124483,7 @@ index e30bb63..e7e7187 100644
  
  allow smbd_t samba_etc_t:file { rw_file_perms setattr };
  
-@@ -263,12 +278,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -263,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
  manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -124328,7 +124498,7 @@ index e30bb63..e7e7187 100644
  
  allow smbd_t smbcontrol_t:process { signal signull };
  
-@@ -279,7 +295,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+@@ -279,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
  manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -124337,7 +124507,7 @@ index e30bb63..e7e7187 100644
  
  allow smbd_t swat_t:process signal;
  
-@@ -316,6 +332,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
+@@ -316,6 +334,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
  
  dev_read_sysfs(smbd_t)
  dev_read_urand(smbd_t)
@@ -124345,7 +124515,7 @@ index e30bb63..e7e7187 100644
  dev_getattr_mtrr_dev(smbd_t)
  dev_dontaudit_getattr_usbfs_dirs(smbd_t)
  # For redhat bug 566984
-@@ -323,15 +340,18 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -323,15 +342,18 @@ dev_getattr_all_blk_files(smbd_t)
  dev_getattr_all_chr_files(smbd_t)
  
  fs_getattr_all_fs(smbd_t)
@@ -124364,7 +124534,7 @@ index e30bb63..e7e7187 100644
  
  domain_use_interactive_fds(smbd_t)
  domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -343,6 +363,7 @@ files_read_usr_files(smbd_t)
+@@ -343,6 +365,7 @@ files_read_usr_files(smbd_t)
  files_search_spool(smbd_t)
  # smbd seems to getattr all mountpoints
  files_dontaudit_getattr_all_dirs(smbd_t)
@@ -124372,7 +124542,7 @@ index e30bb63..e7e7187 100644
  # Allow samba to list mnt_t for potential mounted dirs
  files_list_mnt(smbd_t)
  
-@@ -354,6 +375,8 @@ logging_send_syslog_msg(smbd_t)
+@@ -354,6 +377,8 @@ logging_send_syslog_msg(smbd_t)
  miscfiles_read_localization(smbd_t)
  miscfiles_read_public_files(smbd_t)
  
@@ -124381,7 +124551,7 @@ index e30bb63..e7e7187 100644
  userdom_use_unpriv_users_fds(smbd_t)
  userdom_search_user_home_content(smbd_t)
  userdom_signal_all_users(smbd_t)
-@@ -372,6 +395,11 @@ tunable_policy(`allow_smbd_anon_write',`
+@@ -372,6 +397,11 @@ tunable_policy(`allow_smbd_anon_write',`
  	miscfiles_manage_public_files(smbd_t)
  ') 
  
@@ -124393,7 +124563,7 @@ index e30bb63..e7e7187 100644
  tunable_policy(`samba_domain_controller',`
  	gen_require(`
  		class passwd passwd;
-@@ -385,12 +413,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -385,12 +415,7 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -124407,7 +124577,7 @@ index e30bb63..e7e7187 100644
  ')
  
  # Support Samba sharing of NFS mount points
-@@ -410,6 +433,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -410,6 +435,10 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -124418,7 +124588,7 @@ index e30bb63..e7e7187 100644
  
  optional_policy(`
  	cups_read_rw_config(smbd_t)
-@@ -422,6 +449,11 @@ optional_policy(`
+@@ -422,6 +451,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -124430,7 +124600,7 @@ index e30bb63..e7e7187 100644
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -445,26 +477,25 @@ optional_policy(`
+@@ -445,26 +479,25 @@ optional_policy(`
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -124464,7 +124634,7 @@ index e30bb63..e7e7187 100644
  ########################################
  #
  # nmbd Local policy
-@@ -484,8 +515,10 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +517,10 @@ allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
@@ -124476,7 +124646,7 @@ index e30bb63..e7e7187 100644
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -555,18 +588,21 @@ optional_policy(`
+@@ -555,18 +590,21 @@ optional_policy(`
  # smbcontrol local policy
  #
  
@@ -124502,7 +124672,7 @@ index e30bb63..e7e7187 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -574,11 +610,19 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -574,11 +612,21 @@ samba_read_winbind_pid(smbcontrol_t)
  
  domain_use_interactive_fds(smbcontrol_t)
  
@@ -124515,6 +124685,8 @@ index e30bb63..e7e7187 100644
  miscfiles_read_localization(smbcontrol_t)
  
 -userdom_use_user_terminals(smbcontrol_t)
++sysnet_use_ldap(smbcontrol_t)
++
 +userdom_use_inherited_user_terminals(smbcontrol_t)
 +
 +optional_policy(`
@@ -124523,7 +124695,7 @@ index e30bb63..e7e7187 100644
  
  ########################################
  #
-@@ -644,19 +688,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +692,21 @@ auth_use_nsswitch(smbmount_t)
  
  miscfiles_read_localization(smbmount_t)
  
@@ -124548,7 +124720,7 @@ index e30bb63..e7e7187 100644
  ########################################
  #
  # SWAT Local policy
-@@ -677,7 +723,8 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +727,8 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -124558,7 +124730,7 @@ index e30bb63..e7e7187 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -692,12 +739,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +743,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -124573,7 +124745,7 @@ index e30bb63..e7e7187 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +759,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +763,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -124581,8 +124753,12 @@ index e30bb63..e7e7187 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -754,6 +804,8 @@ logging_search_logs(swat_t)
+@@ -752,8 +806,12 @@ logging_send_syslog_msg(swat_t)
+ logging_send_audit_msgs(swat_t)
+ logging_search_logs(swat_t)
  
++sysnet_use_ldap(swat_t)
++
  miscfiles_read_localization(swat_t)
  
 +userdom_dontaudit_search_admin_dir(swat_t)
@@ -124590,7 +124766,7 @@ index e30bb63..e7e7187 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -783,7 +835,8 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -783,7 +841,8 @@ allow winbind_t self:udp_socket create_socket_perms;
  
  allow winbind_t nmbd_t:process { signal signull };
  
@@ -124600,7 +124776,7 @@ index e30bb63..e7e7187 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -806,15 +859,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +865,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -124622,7 +124798,7 @@ index e30bb63..e7e7187 100644
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
  
-@@ -833,6 +887,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +893,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -124630,7 +124806,7 @@ index e30bb63..e7e7187 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -850,10 +905,14 @@ domain_use_interactive_fds(winbind_t)
+@@ -850,10 +911,14 @@ domain_use_interactive_fds(winbind_t)
  
  files_read_etc_files(winbind_t)
  files_read_usr_symlinks(winbind_t)
@@ -124645,7 +124821,7 @@ index e30bb63..e7e7187 100644
  
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_manage_user_home_content_dirs(winbind_t)
-@@ -863,6 +922,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
+@@ -863,6 +928,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
  userdom_manage_user_home_content_sockets(winbind_t)
  userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
  
@@ -124658,7 +124834,7 @@ index e30bb63..e7e7187 100644
  optional_policy(`
  	kerberos_use(winbind_t)
  ')
-@@ -904,7 +969,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +975,7 @@ logging_send_syslog_msg(winbind_helper_t)
  
  miscfiles_read_localization(winbind_helper_t) 
  
@@ -124667,7 +124843,7 @@ index e30bb63..e7e7187 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -922,19 +987,34 @@ optional_policy(`
+@@ -922,19 +993,34 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -127829,7 +128005,7 @@ index 22adaca..60103b5 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..322c050 100644
+index 2dad3c8..a67b643 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,37 @@ policy_module(ssh, 2.2.0)
@@ -128058,7 +128234,7 @@ index 2dad3c8..322c050 100644
  #################################
  #
  # sshd local policy
-@@ -232,33 +243,39 @@ optional_policy(`
+@@ -232,33 +243,40 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -128088,6 +128264,7 @@ index 2dad3c8..322c050 100644
 +userdom_spec_domtrans_unpriv_users(sshd_t)
 +userdom_signal_unpriv_users(sshd_t)
 +userdom_dyntransition_unpriv_users(sshd_t)
++userdom_dyntransition_admin_users(sshd_t)
 +
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
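Review bot: `userdom_dyntransition_admin_users(sshd_t)` is added unconditionally, directly above the `ssh_sysadm_login` tunable, so sshd_t may dyntransition into every type in `admindomain` whatever that boolean is set to. The tunable's body lies outside this hunk, but if it is the switch for administrator logins over ssh, as its name suggests, the new line belongs inside that tunable_policy block, next to the pty rules it already guards. The interface is defined in the userdomain.if hunk further down as `allow $1 admindomain:process dyntransition;`, so it covers the whole attribute, not a single admin type. A comment stating which login path needs it would also help the next reviewer.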
@@ -128107,7 +128284,7 @@ index 2dad3c8..322c050 100644
  ')
  
  optional_policy(`
-@@ -266,11 +283,24 @@ optional_policy(`
+@@ -266,11 +284,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -128133,7 +128310,7 @@ index 2dad3c8..322c050 100644
  ')
  
  optional_policy(`
-@@ -284,6 +314,15 @@ optional_policy(`
+@@ -284,6 +315,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -128149,7 +128326,7 @@ index 2dad3c8..322c050 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +331,26 @@ optional_policy(`
+@@ -292,26 +332,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -128195,7 +128372,7 @@ index 2dad3c8..322c050 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,19 +361,26 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +362,26 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -128223,7 +128400,7 @@ index 2dad3c8..322c050 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,9 +397,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,9 +398,11 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -128237,7 +128414,7 @@ index 2dad3c8..322c050 100644
  ')
  
  optional_policy(`
-@@ -363,3 +411,76 @@ optional_policy(`
+@@ -363,3 +412,76 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -128808,8 +128985,17 @@ index f40e67b..8d1e658 100644
 +optional_policy(`
 +	remotelogin_domtrans(telnetd_t)
 +')
+diff --git a/policy/modules/services/tftp.fc b/policy/modules/services/tftp.fc
+index 25eee43..621f343 100644
+--- a/policy/modules/services/tftp.fc
++++ b/policy/modules/services/tftp.fc
+@@ -1,3 +1,4 @@
++/etc/xinetd\.d/tftp	--	gen_context(system_u:object_r:tftpd_etc_t,s0)
+ 
+ /usr/sbin/atftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
+ /usr/sbin/in\.tftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
 diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
-index 38bb312..0fee098 100644
+index 38bb312..4b691ac 100644
 --- a/policy/modules/services/tftp.if
 +++ b/policy/modules/services/tftp.if
 @@ -13,9 +13,33 @@
@@ -128846,10 +129032,47 @@ index 38bb312..0fee098 100644
  ')
  
  ########################################
-@@ -40,6 +64,36 @@ interface(`tftp_manage_rw_content',`
+@@ -40,6 +64,91 @@ interface(`tftp_manage_rw_content',`
  
  ########################################
  ## <summary>
++##	Read tftp config files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tftp_read_config',`
++	gen_require(`
++		type tftpd_etc_t;
++	')
++
++	read_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
++')
++
++########################################
++## <summary>
++##	Manage tftp config files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tftp_manage_config',`
++	gen_require(`
++		type tftpd_etc_t;
++	')
++
++ 	manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
++	files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
++')
++
++########################################
++## <summary>
 +##	Create objects in tftpdir directories
 +##	with specified types.
 +## </summary>
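Review bot: tftp_read_config gives the caller read access to tftpd_etc_t files but no search access to the directory that holds them. The only file context added for the type is the regular file `/etc/xinetd\.d/tftp`, so the directory argument of `read_files_pattern($1, tftpd_etc_t, tftpd_etc_t)` matches no real directory. The usual refpolicy form adds `files_search_etc($1)` before the pattern, and tftp_manage_config has the same gap. In tftp_manage_config the `manage_files_pattern` line is also indented with a space before the tab. Its `files_etc_filetrans($1, tftpd_etc_t, file, "tftp")` repeats what tftp_filetrans_named_content, added in the next hunk, provides, so calling `tftp_filetrans_named_content($1)` would keep the file name in one place.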
@@ -128880,10 +129103,28 @@ index 38bb312..0fee098 100644
 +
 +########################################
 +## <summary>
++##	Transition to tftp named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tftp_filetrans_named_content',`
++	gen_require(`
++		type tftpd_etc_t;
++	')
++
++	files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
++')
++
++########################################
++## <summary>
  ##	All of the rules required to administrate
  ##	an tftp environment
  ## </summary>
-@@ -55,9 +109,13 @@ interface(`tftp_admin',`
+@@ -55,13 +164,19 @@ interface(`tftp_admin',`
  		type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
  	')
  
@@ -128898,8 +129139,14 @@ index 38bb312..0fee098 100644
  	admin_pattern($1, tftpdir_rw_t)
  
  	admin_pattern($1, tftpdir_t)
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, tftpd_var_run_t)
++
++	tftp_manage_config($1)
+ ')
 diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
-index d50c10d..97ce79e 100644
+index d50c10d..e0c6d19 100644
 --- a/policy/modules/services/tftp.te
 +++ b/policy/modules/services/tftp.te
 @@ -6,10 +6,10 @@ policy_module(tftp, 1.12.0)
@@ -128917,7 +129164,16 @@ index d50c10d..97ce79e 100644
  ## </desc>
  gen_tunable(tftp_anon_write, false)
  
-@@ -32,15 +32,15 @@ files_type(tftpdir_rw_t)
+@@ -26,21 +26,26 @@ files_type(tftpdir_t)
+ type tftpdir_rw_t;
+ files_type(tftpdir_rw_t)
+ 
++type tftpd_etc_t;
++files_config_file(tftpd_etc_t)
++
+ ########################################
+ #
+ # Local policy
  #
  
  allow tftpd_t self:capability { setgid setuid sys_chroot };
@@ -128932,10 +129188,12 @@ index d50c10d..97ce79e 100644
  allow tftpd_t tftpdir_t:file read_file_perms;
 -allow tftpd_t tftpdir_t:lnk_file { getattr read };
 +allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
++
++read_files_pattern(tftpd_t, tftpd_etc_t, tftpd_etc_t)
  
  manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
  manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
-@@ -94,6 +94,10 @@ tunable_policy(`tftp_anon_write',`
+@@ -94,6 +99,10 @@ tunable_policy(`tftp_anon_write',`
  ')
  
  optional_policy(`
@@ -130765,7 +131023,7 @@ index 7c5d8d8..c542fe7 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..b1d885a 100644
+index 3eca020..9ad0913 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,87 @@ policy_module(virt, 1.4.0)
@@ -131345,7 +131603,7 @@ index 3eca020..b1d885a 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +650,412 @@ files_search_all(virt_domain)
+@@ -440,25 +650,409 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -131691,9 +131949,6 @@ index 3eca020..b1d885a 100644
 +corenet_tcp_connect_all_ports(svirt_lxc_net_t)
 +kernel_read_network_state(svirt_lxc_net_t)
 +
-+domain_entry_file(svirt_lxc_net_t, svirt_lxc_file_t)
-+domtrans_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_net_t)
-+corecmd_shell_domtrans(virtd_lxc_t, svirt_lxc_net_t)
 +fs_noxattr_type(svirt_lxc_file_t)
 +term_pty(svirt_lxc_file_t)
 +
@@ -139822,7 +140077,7 @@ index ddbd8be..fad18e0 100644
  domain_use_interactive_fds(iscsid_t)
  domain_dontaudit_read_all_domains_state(iscsid_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 560dc48..989999b 100644
+index 560dc48..e644b1e 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -28,26 +28,24 @@ ifdef(`distro_redhat',`
@@ -140143,7 +140398,7 @@ index 560dc48..989999b 100644
  ') dnl end distro_redhat
  
  #
-@@ -312,17 +313,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -312,17 +313,157 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -140170,6 +140425,7 @@ index 560dc48..989999b 100644
 +/usr/share/squeezeboxserver/CPAN/arch/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/var/spool/postfix/lib(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
++/var/spool/postfix/lib64(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 -/var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
 +/var/spool/postfix/lib/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
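Review bot: The added `/var/spool/postfix/lib64(/.*)?` entry labels the whole lib64 tree lib_t, but the loader entry visible here was narrowed from `lib(64)?/ld.*\.so.*` to `lib/ld.*\.so.*`, so within this hunk nothing labels a loader under lib64 as ld_so_t. The file continues past the hunk, so a matching line may follow. If it does not, add `/var/spool/postfix/lib64/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)` so the chroot copy of the loader keeps the same type on 64-bit installs.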
@@ -145539,10 +145795,10 @@ index 0000000..a7e3666
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..609e0e1
+index 0000000..b8f7f45
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,411 @@
+@@ -0,0 +1,412 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -145761,7 +146017,7 @@ index 0000000..609e0e1
 +# Local policy
 +#
 +
-+allow systemd_tmpfiles_t self:capability { dac_override fowner chown fsetid };
++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
 +allow systemd_tmpfiles_t self:process { setfscreate };
 +
 +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
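Review bot: `mknod` is added to the systemd_tmpfiles_t capability set without a comment, and the only visible reason is `dev_manage_printer(systemd_tmpfiles_t)`, which arrives in the next hunk. A capability that allows creating device nodes deserves a note where it is granted. I would add `# mknod: create the printer device nodes, see dev_manage_printer below` above the allow rule, so that a later cleanup of one line also reconsiders the other.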
@@ -145772,6 +146028,7 @@ index 0000000..609e0e1
 +dev_relabel_all_sysfs(systemd_tmpfiles_t)
 +dev_relabel_cpu_online(systemd_tmpfiles_t)
 +dev_read_cpu_online(systemd_tmpfiles_t)
++dev_manage_printer(systemd_tmpfiles_t)
 +
 +domain_obj_id_change_exemption(systemd_tmpfiles_t)
 +
@@ -145880,7 +146137,7 @@ index 0000000..609e0e1
 +#
 +# systemd_notify local policy
 +#
-+allow systemd_notify_t self:capability { chown };
++allow systemd_notify_t self:capability chown;
 +allow systemd_notify_t self:process { fork setfscreate setsockcreate };
 +
 +allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
@@ -145955,7 +146212,7 @@ index 0000000..609e0e1
 +
 +miscfiles_read_localization(systemctl_domain)
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 0291685..741f594 100644
+index 0291685..2c9eba5 100644
 --- a/policy/modules/system/udev.fc
 +++ b/policy/modules/system/udev.fc
 @@ -1,6 +1,8 @@
@@ -145978,11 +146235,13 @@ index 0291685..741f594 100644
  
  /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
  /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
-@@ -20,5 +23,19 @@
+@@ -20,5 +23,21 @@
  /sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
  
  /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/bin/udevadm  --	gen_context(system_u:object_r:udev_exec_t,s0)
++
++/usr/lib/systemd/systemd-udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
 +
 +/usr/sbin/start_udev 	--	gen_context(system_u:object_r:udev_exec_t,s0)
 +/usr/sbin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
@@ -147237,7 +147496,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..2361c4e 100644
+index 4b2878a..3b7131a 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -149234,7 +149493,7 @@ index 4b2878a..2361c4e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2580,96 +3221,141 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,83 +3221,151 @@ interface(`userdom_use_user_ttys',`
  ##	</summary>
  ## </param>
  #
@@ -149344,15 +149603,10 @@ index 4b2878a..2361c4e 100644
 +## <infoflow type="both" weight="10"/>
 +#
 +interface(`userdom_use_inherited_user_terminals',`
- 	gen_require(`
--		attribute userdomain;
++	gen_require(`
 +		type user_tty_device_t, user_devpts_t;
- 	')
- 
--	corecmd_shell_spec_domtrans($1, userdomain)
--	allow userdomain $1:fd use;
--	allow userdomain $1:fifo_file rw_file_perms;
--	allow userdomain $1:process sigchld;
++	')
++
 +	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
 +	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
 +')
@@ -149375,11 +149629,10 @@ index 4b2878a..2361c4e 100644
 +
 +    allow $1 user_tty_device_t:chr_file rw_term_perms;
 +    allow $1 user_devpts_t:chr_file rw_term_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Execute an Xserver session in all unprivileged user domains.  This
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to read and write
 +##	a user domain tty and pty.
 +## </summary>
@@ -149420,83 +149673,61 @@ index 4b2878a..2361c4e 100644
 +########################################
 +## <summary>
 +##	Execute a shell in all user domains.  This
- ##	is an explicit transition, requiring the
- ##	caller to use setexeccon().
- ## </summary>
-@@ -2679,12 +3365,12 @@ interface(`userdom_spec_domtrans_all_users',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_xsession_spec_domtrans_all_users',`
++##	is an explicit transition, requiring the
++##	caller to use setexeccon().
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
 +interface(`userdom_spec_domtrans_all_users',`
  	gen_require(`
  		attribute userdomain;
  	')
- 
--	xserver_xsession_spec_domtrans($1, userdomain)
-+	corecmd_shell_spec_domtrans($1, userdomain)
- 	allow userdomain $1:fd use;
- 	allow userdomain $1:fifo_file rw_file_perms;
- 	allow userdomain $1:process sigchld;
-@@ -2692,7 +3378,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
- 
- ########################################
- ## <summary>
--##	Execute a shell in all unprivileged user domains.  This
-+##	Execute an Xserver session in all unprivileged user domains.  This
- ##	is an explicit transition, requiring the
- ##	caller to use setexeccon().
- ## </summary>
-@@ -2702,20 +3388,20 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_spec_domtrans_unpriv_users',`
-+interface(`userdom_xsession_spec_domtrans_all_users',`
- 	gen_require(`
--		attribute unpriv_userdomain;
-+		attribute userdomain;
- 	')
- 
--	corecmd_shell_spec_domtrans($1, unpriv_userdomain)
--	allow unpriv_userdomain $1:fd use;
--	allow unpriv_userdomain $1:fifo_file rw_file_perms;
--	allow unpriv_userdomain $1:process sigchld;
-+	xserver_xsession_spec_domtrans($1, userdomain)
-+	allow userdomain $1:fd use;
-+	allow userdomain $1:fifo_file rw_file_perms;
-+	allow userdomain $1:process sigchld;
+@@ -2713,69 +3422,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+ 	allow unpriv_userdomain $1:process sigchld;
  ')
  
- ########################################
+-########################################
++#####################################
  ## <summary>
 -##	Execute an Xserver session in all unprivileged user domains.  This
-+##	Execute a shell in all unprivileged user domains.  This
- ##	is an explicit transition, requiring the
- ##	caller to use setexeccon().
+-##	is an explicit transition, requiring the
+-##	caller to use setexeccon().
++##  Allow domain dyntrans to unpriv userdomain.
  ## </summary>
-@@ -2725,57 +3411,61 @@ interface(`userdom_spec_domtrans_unpriv_users',`
- ##	</summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed to transition.
+-##	</summary>
++##  <summary>
++##  Domain allowed access.
++##  </summary>
  ## </param>
  #
 -interface(`userdom_xsession_spec_domtrans_unpriv_users',`
-+interface(`userdom_spec_domtrans_unpriv_users',`
- 	gen_require(`
- 		attribute unpriv_userdomain;
- 	')
+-	gen_require(`
+-		attribute unpriv_userdomain;
+-	')
++interface(`userdom_dyntransition_unpriv_users',`
++    gen_require(`
++        attribute unpriv_userdomain;
++    ')
  
 -	xserver_xsession_spec_domtrans($1, unpriv_userdomain)
-+	corecmd_shell_spec_domtrans($1, unpriv_userdomain)
- 	allow unpriv_userdomain $1:fd use;
- 	allow unpriv_userdomain $1:fifo_file rw_file_perms;
- 	allow unpriv_userdomain $1:process sigchld;
+-	allow unpriv_userdomain $1:fd use;
+-	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+-	allow unpriv_userdomain $1:process sigchld;
++    allow $1 unpriv_userdomain:process dyntransition;
  ')
  
 -#######################################
-+#####################################
++####################################
  ## <summary>
 -##	Read and write unpriviledged user SysV sempaphores.
-+##  Allow domain dyntrans to unpriv userdomain.
++##  Allow domain dyntrans to admin userdomain.
  ## </summary>
  ## <param name="domain">
 -##	<summary>
@@ -149511,13 +149742,13 @@ index 4b2878a..2361c4e 100644
 -	gen_require(`
 -		attribute unpriv_userdomain;
 -	')
-+interface(`userdom_dyntransition_unpriv_users',`
++interface(`userdom_dyntransition_admin_users',`
 +    gen_require(`
-+        attribute unpriv_userdomain;
++        attribute admindomain;
 +    ')
  
 -	allow $1 unpriv_userdomain:sem rw_sem_perms;
-+    allow $1 unpriv_userdomain:process dyntransition;
++    allow $1 admindomain:process dyntransition;
  ')
  
  ########################################
@@ -149556,7 +149787,7 @@ index 4b2878a..2361c4e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2783,12 +3473,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2783,12 +3491,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -149571,7 +149802,7 @@ index 4b2878a..2361c4e 100644
  ')
  
  ########################################
-@@ -2852,7 +3542,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3560,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -149580,7 +149811,7 @@ index 4b2878a..2361c4e 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2868,29 +3558,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3576,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -149614,7 +149845,7 @@ index 4b2878a..2361c4e 100644
  ')
  
  ########################################
-@@ -2972,7 +3646,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3664,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -149623,7 +149854,7 @@ index 4b2878a..2361c4e 100644
  ')
  
  ########################################
-@@ -3027,7 +3701,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3719,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -149670,7 +149901,7 @@ index 4b2878a..2361c4e 100644
  ')
  
  ########################################
-@@ -3045,7 +3757,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3775,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -149679,7 +149910,7 @@ index 4b2878a..2361c4e 100644
  ')
  
  ########################################
-@@ -3064,6 +3776,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3794,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -149687,7 +149918,7 @@ index 4b2878a..2361c4e 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3140,6 +3853,42 @@ interface(`userdom_signal_all_users',`
+@@ -3140,6 +3871,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -149730,7 +149961,7 @@ index 4b2878a..2361c4e 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3160,6 +3909,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3927,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -149755,7 +149986,7 @@ index 4b2878a..2361c4e 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3961,1291 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3979,1291 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 67c134f..3b704d0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 116%{?dist}
+Release: 117%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -490,6 +490,23 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Sun Apr 22 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-117
+- Add policy for abrt-watch-log
+- Add definitions for jboss_messaging ports
+- Allow systemd_tmpfiles to manage printer devices
+- Allow oddjob to use nsswitch
+- Fix labeling of log files for postgresql
+- Allow mozilla_plugin_t to execmem and execstack by default
+- Allow firewalld to execute shell
+- Fix /etc/wicd content files to get created with the correct label
+- Allow mcelog to exec shell
+- Add ~/.orc as a gstreamer_home_t
+- /var/spool/postfix/lib64 should be labeled lib_t
+- mpreaper should be able to list all file system labeled directories
+- Add support for apache to use openstack
+- Add labeling for /etc/zipl.conf and zipl binary
+- Turn on allow_execstack and turn off telepathy transition for final release
+
 * Mon Apr 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-116
 - More access required for virt_qmf_t
 - Additional assess required for systemd-logind to support multi-seat

