[selinux-policy] * Fri Aug 3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11 - Fix saslauthd when it tries to read /etc/

Miroslav Grepl mgrepl at fedoraproject.org
Fri Aug 3 14:06:38 UTC 2012


commit e2915aed438b9ed456b6f9591a63308c4187e066
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Aug 3 16:06:03 2012 +0200

    * Fri Aug 3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11
    - Fix saslauthd when it tries to read /etc/shadow
    - Label gnome-boxes as a virt homedir
    - Need to allow svirt_t ability to getattr on nfs_t file
    - Update sanlock policy to solve all AVC's
    - Change confined users can optionally manage virt conte
    - Handle new directories under ~/.cache
    - Add block suspend to appropriate domains
    - More rules required for containers
    - Allow login programs to read /run/ data created by sys
    - Allow staff users to run svirt_t processes

 policy-rawhide.patch         |  304 ++++++++++++++++++++---------------
 policy_contrib-rawhide.patch |  363 ++++++++++++++++++++++++++++--------------
 selinux-policy.spec          |   14 ++-
 3 files changed, 427 insertions(+), 254 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index ce44aa4..cc2839a 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -62010,7 +62010,7 @@ index 3a45f23..f4754f0 100644
  # fork
  # setexec
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index 28802c5..7ee62e0 100644
+index 28802c5..f2026cd 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
 @@ -329,6 +329,7 @@ class process
@@ -62032,8 +62032,12 @@ index 28802c5..7ee62e0 100644
  }
  
  #
-@@ -446,6 +451,7 @@ class capability2
- 	mac_admin	# unused by SELinux
+@@ -443,9 +448,10 @@ class capability
+ class capability2 
+ {
+ 	mac_override	# unused by SELinux
+-	mac_admin	# unused by SELinux
++	mac_admin
  	syslog
  	wake_alarm
 +	epollwakeup
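Review bot: Dropping the `# unused by SELinux` annotation from `mac_admin` in class capability2 leaves the permission undocumented while the same annotation stays on `mac_override`, so a reader no longer knows why the two now differ. As far as I recall the SELinux hooks check CAP_MAC_ADMIN when a file label that is not defined in the loaded policy is set or read, which is also why init.te elsewhere in this commit excludes it explicitly; a short annotation such as `mac_admin	# set or read file labels undefined in the loaded policy` would record that. The class definition continues outside the hunk.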
@@ -65958,7 +65962,7 @@ index 8e0f9cd..da3b374 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index fe2ee5e..8db5e47 100644
+index fe2ee5e..7f3dc50 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -14,12 +14,14 @@ attribute node_type;
@@ -66107,6 +66111,7 @@ index fe2ee5e..8db5e47 100644
 -network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
+-network_port(kismet, tcp,2501,s0)
 +network_port(jabber_router, tcp,5347,s0)
 +network_port(jacorb, tcp,3528,s0, tcp,3529,s0)
 +network_port(jboss_debug, tcp,8787,s0)
@@ -66116,7 +66121,7 @@ index fe2ee5e..8db5e47 100644
 +network_port(kerberos_admin, tcp,749,s0)
 +network_port(kerberos_password, tcp,464,s0, udp,464,s0)
 +network_port(keystone, tcp,5000,s0, udp,5000,s0)
- network_port(kismet, tcp,2501,s0)
++network_port(rtsclient, tcp,2501,s0)
  network_port(kprop, tcp,754,s0)
  network_port(ktalkd, udp,517,s0, udp,518,s0)
  network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
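Review bot: Replacing `network_port(kismet, tcp,2501,s0)` with `network_port(rtsclient, tcp,2501,s0)` renames the port type, so every generated interface named after it (`corenet_tcp_bind_kismet_port` and friends) disappears and any module still calling one will break the build; the kismet module lives in policy_contrib-rawhide.patch, which the diffstat shows changed but this page does not display, so confirm it was updated in lockstep. Kismet itself still listens on 2501 by default, so its policy now has to name rtsclient_port_t, which deserves a comment in the kismet module. As a style point, this list is kept alphabetical and `rtsclient` is inserted between `keystone` and `kprop`; move it down to the `r` entries.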
@@ -74115,14 +74120,21 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index e5aee97..3d10b66 100644
+index e5aee97..681001d 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,57 @@ policy_module(staff, 2.3.0)
+@@ -8,12 +8,64 @@ policy_module(staff, 2.3.0)
  role staff_r;
  
  userdom_unpriv_user_template(staff)
 +fs_exec_noxattr(staff_t)
++
++## <desc>
++## <p>
++## allow staff user to create and transition to svirt domains.
++## </p>
++## </desc>
++gen_tunable(staff_use_svirt, false)
  
  ########################################
  #
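Review bot: The new tunable description `## allow staff user to create and transition to svirt domains.` is the text shown to administrators by the boolean tooling, and it starts lowercase while the sibling `unprivuser_use_svirt` description and the other `<desc>` blocks in the tree start with a capital; write `## Allow staff users to create and transition to svirt domains.`. Before it ships, also check the sentence against what the boolean actually gates in the rules that consume it later in this file, since a description that promises more than the conditional enforces is misleading to whoever toggles it.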
@@ -74176,7 +74188,7 @@ index e5aee97..3d10b66 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -23,11 +68,98 @@ optional_policy(`
+@@ -23,11 +75,98 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74276,7 +74288,7 @@ index e5aee97..3d10b66 100644
  ')
  
  optional_policy(`
-@@ -35,15 +167,27 @@ optional_policy(`
+@@ -35,15 +174,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74306,7 +74318,7 @@ index e5aee97..3d10b66 100644
  ')
  
  optional_policy(`
-@@ -52,10 +196,59 @@ optional_policy(`
+@@ -52,10 +203,59 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74366,7 +74378,7 @@ index e5aee97..3d10b66 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -65,10 +258,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +265,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -74377,7 +74389,7 @@ index e5aee97..3d10b66 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -93,18 +282,10 @@ ifndef(`distro_redhat',`
+@@ -93,18 +289,10 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -74396,7 +74408,7 @@ index e5aee97..3d10b66 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -125,10 +306,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +313,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -74407,7 +74419,7 @@ index e5aee97..3d10b66 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -141,10 +318,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +325,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -74418,7 +74430,7 @@ index e5aee97..3d10b66 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -176,3 +349,7 @@ ifndef(`distro_redhat',`
+@@ -176,3 +356,15 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -74426,6 +74438,14 @@ index e5aee97..3d10b66 100644
 +tunable_policy(`selinuxuser_execmod',`
 +	userdom_execmod_user_home_files(staff_t)
 +')
++
++virt_transition_svirt(staff_t, staff_r)
++virt_filetrans_home_content(staff_t)
++tunable_policy(`staff_use_svirt',`
++	allow staff_t self:fifo_file relabelfrom;
++	dev_rw_kvm(staff_t)
++	virt_manage_images(staff_t)
++')
 diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
 index ff92430..36740ea 100644
 --- a/policy/modules/roles/sysadm.if
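Review bot: `virt_transition_svirt(staff_t, staff_r)` and `virt_filetrans_home_content(staff_t)` sit outside the `tunable_policy` block for `staff_use_svirt`, so every staff_t session can transition into svirt domains regardless of the boolean, while the boolean's description added earlier in this file says it gates exactly that; only `dev_rw_kvm`, `virt_manage_images` and the `fifo_file relabelfrom` rule are conditional. If `virt_transition_svirt` carries a `role` statement (its second argument suggests it does) it cannot be moved inside the conditional, so the description should be corrected to what is really gated, for example `## Allow staff users to manage virtual machine images and use /dev/kvm when running svirt domains.`. A one-line comment above the unconditional calls stating that the domain transition is always available would help the next reader.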
@@ -76050,10 +76070,23 @@ index 3835596..fbca2be 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 9f6d4c3..cad6364 100644
+index 9f6d4c3..7852ae3 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
-@@ -12,12 +12,90 @@ role user_r;
+@@ -1,5 +1,12 @@
+ policy_module(unprivuser, 2.3.0)
+ 
++## <desc>
++## <p>
++## Allow unprivledged user to create and transition to svirt domains.
++## </p>
++## </desc>
++gen_tunable(unprivuser_use_svirt, false)
++
+ # this module should be named user, but that is
+ # a compile error since user is a keyword.
+ 
+@@ -12,12 +19,90 @@ role user_r;
  
  userdom_unpriv_user_template(user)
  
@@ -76145,7 +76178,7 @@ index 9f6d4c3..cad6364 100644
  ')
  
  optional_policy(`
-@@ -25,6 +103,18 @@ optional_policy(`
+@@ -25,6 +110,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -76164,7 +76197,7 @@ index 9f6d4c3..cad6364 100644
  	vlock_run(user_t, user_r)
  ')
  
-@@ -66,10 +156,6 @@ ifndef(`distro_redhat',`
+@@ -66,10 +163,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -76175,7 +76208,7 @@ index 9f6d4c3..cad6364 100644
  		gpg_role(user_r, user_t)
  	')
  
-@@ -102,10 +188,6 @@ ifndef(`distro_redhat',`
+@@ -102,10 +195,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -76186,7 +76219,7 @@ index 9f6d4c3..cad6364 100644
  		postgresql_role(user_r, user_t)
  	')
  
-@@ -128,7 +210,6 @@ ifndef(`distro_redhat',`
+@@ -128,7 +217,6 @@ ifndef(`distro_redhat',`
  	optional_policy(`
  		ssh_role_template(user, user_r, user_t)
  	')
@@ -76194,11 +76227,17 @@ index 9f6d4c3..cad6364 100644
  	optional_policy(`
  		su_role_template(user, user_r, user_t)
  	')
-@@ -161,3 +242,4 @@ ifndef(`distro_redhat',`
+@@ -161,3 +249,10 @@ ifndef(`distro_redhat',`
  		wireshark_role(user_r, user_t)
  	')
  ')
 +
++
++virt_transition_svirt(user_t, user_r)
++virt_filetrans_home_content(user_t)
++tunable_policy(`unprivuser_use_svirt',`
++	virt_manage_images(user_t)
++')
 diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
 index a26f84f..4e52843 100644
 --- a/policy/modules/services/postgresql.fc
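Review bot: `virt_transition_svirt(user_t, user_r)` and `virt_filetrans_home_content(user_t)` are unconditional here, so the `unprivuser_use_svirt` boolean gates only `virt_manage_images(user_t)` even though its description says it controls creating and transitioning to svirt domains; fix the description or, if the interface has no `role` statement, move the calls into the conditional. Unlike the staff_t rules in this commit, user_t gets no `dev_rw_kvm` and no `fifo_file relabelfrom`; if those are needed for qemu to start under svirt, the user boolean will be switched on and still fail with AVCs, so either add them or comment why unprivileged users intentionally get the reduced set. The extra empty `+` line before the new block is a stray blank and can be dropped.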
@@ -79003,7 +79042,7 @@ index 130ced9..1b31c76 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..c7e6040 100644
+index d40f750..3711d39 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -79327,13 +79366,14 @@ index d40f750..c7e6040 100644
  ')
  
  optional_policy(`
-@@ -299,64 +396,103 @@ optional_policy(`
+@@ -299,64 +396,104 @@ optional_policy(`
  # XDM Local policy
  #
  
 -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
 -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
 +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
++allow xdm_t self:capability2 { block_suspend };
 +dontaudit xdm_t self:capability sys_admin;
 +
 +allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate };
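Review bot: `allow xdm_t self:capability2 { block_suspend };` requires a `block_suspend` permission in policy/flask/access_vectors, and the access_vectors hunk visible in this commit shows only `epollwakeup` in class capability2; confirm `block_suspend` is defined there or the policy will fail to compile. A short why-comment would also help, since CAP_BLOCK_SUSPEND is a new kernel 3.5 capability and it is not obvious which display-manager component takes a wake lock: `# gdm/gnome-shell hold a suspend-blocking wake lock (CAP_BLOCK_SUSPEND)` — confirm against the AVC that prompted it. The xdm_t rule block continues outside the hunk.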
@@ -79441,7 +79481,7 @@ index d40f750..c7e6040 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +501,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +502,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -79471,7 +79511,7 @@ index d40f750..c7e6040 100644
  corenet_all_recvfrom_netlabel(xdm_t)
  corenet_tcp_sendrecv_generic_if(xdm_t)
  corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +531,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +532,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -79524,7 +79564,7 @@ index d40f750..c7e6040 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -430,9 +583,25 @@ files_list_mnt(xdm_t)
+@@ -430,9 +584,25 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -79550,7 +79590,7 @@ index d40f750..c7e6040 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +610,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +611,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -79592,7 +79632,7 @@ index d40f750..c7e6040 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +650,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +651,43 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -79642,7 +79682,7 @@ index d40f750..c7e6040 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +700,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +701,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -79664,7 +79704,7 @@ index d40f750..c7e6040 100644
  ')
  
  optional_policy(`
-@@ -514,12 +722,64 @@ optional_policy(`
+@@ -514,12 +723,64 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79729,7 +79769,7 @@ index d40f750..c7e6040 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +797,69 @@ optional_policy(`
+@@ -537,28 +798,69 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79808,7 +79848,7 @@ index d40f750..c7e6040 100644
  ')
  
  optional_policy(`
-@@ -570,6 +871,14 @@ optional_policy(`
+@@ -570,6 +872,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79823,7 +79863,7 @@ index d40f750..c7e6040 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,7 +903,8 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,7 +904,8 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -79833,7 +79873,7 @@ index d40f750..c7e6040 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -608,8 +918,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +919,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -79849,7 +79889,7 @@ index d40f750..c7e6040 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +945,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +946,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -79871,7 +79911,7 @@ index d40f750..c7e6040 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +965,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +966,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -79885,7 +79925,7 @@ index d40f750..c7e6040 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +991,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +992,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -79917,7 +79957,7 @@ index d40f750..c7e6040 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,8 +1023,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1024,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -79931,7 +79971,7 @@ index d40f750..c7e6040 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -708,8 +1042,6 @@ init_getpgid(xserver_t)
+@@ -708,8 +1043,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -79940,7 +79980,7 @@ index d40f750..c7e6040 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -717,11 +1049,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -717,11 +1050,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -79955,7 +79995,7 @@ index d40f750..c7e6040 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1108,40 @@ optional_policy(`
+@@ -775,16 +1109,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79997,7 +80037,7 @@ index d40f750..c7e6040 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1150,10 @@ optional_policy(`
+@@ -793,6 +1151,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80008,7 +80048,7 @@ index d40f750..c7e6040 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1169,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1170,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -80022,7 +80062,7 @@ index d40f750..c7e6040 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1180,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1181,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -80031,7 +80071,7 @@ index d40f750..c7e6040 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1193,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1194,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -80066,7 +80106,7 @@ index d40f750..c7e6040 100644
  ')
  
  optional_policy(`
-@@ -859,6 +1215,10 @@ optional_policy(`
+@@ -859,6 +1216,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -80077,7 +80117,7 @@ index d40f750..c7e6040 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -902,7 +1262,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1263,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -80086,7 +80126,7 @@ index d40f750..c7e6040 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1316,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1317,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -80118,7 +80158,7 @@ index d40f750..c7e6040 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1362,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1363,44 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -80375,7 +80415,7 @@ index 28ad538..47fdb65 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index f416ce9..25def3e 100644
+index f416ce9..1409940 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -80500,12 +80540,14 @@ index f416ce9..25def3e 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -155,9 +198,89 @@ interface(`auth_login_pgm_domain',`
+@@ -155,9 +198,91 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
 -	tunable_policy(`allow_polyinstantiation',`
 -		files_polyinstantiate_all($1)
++	systemd_login_read_pid_files($1)
++
 +	userdom_set_rlimitnh($1)
 +	userdom_read_user_home_content_symlinks($1)
 +	userdom_delete_user_tmp_files($1)
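Review bot: `systemd_login_read_pid_files($1)` is called unconditionally from `auth_login_pgm_domain`, so if the systemd module is not part of the base policy in every build that uses this interface the reference will fail to resolve; wrap it in an `optional_policy(` ... `)` block unless systemd is guaranteed to be a base module here. It would also help to say which files are meant, e.g. `# read /run/systemd session and seat data created by systemd-logind`, since the interface name alone does not. auth_login_pgm_domain continues beyond the hunk on both sides.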
@@ -80592,7 +80634,7 @@ index f416ce9..25def3e 100644
  ')
  
  ########################################
-@@ -231,6 +354,25 @@ interface(`auth_domtrans_login_program',`
+@@ -231,6 +356,25 @@ interface(`auth_domtrans_login_program',`
  
  ########################################
  ## <summary>
@@ -80618,7 +80660,7 @@ index f416ce9..25def3e 100644
  ##	Execute a login_program in the target domain,
  ##	with a range transition.
  ## </summary>
-@@ -395,13 +537,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -395,13 +539,15 @@ interface(`auth_domtrans_chk_passwd',`
  	')
  
  	optional_policy(`
@@ -80635,7 +80677,7 @@ index f416ce9..25def3e 100644
  ')
  
  ########################################
-@@ -448,6 +592,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +594,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -80661,7 +80703,7 @@ index f416ce9..25def3e 100644
  ')
  
  ########################################
-@@ -467,7 +630,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +632,6 @@ interface(`auth_domtrans_upd_passwd',`
  
  	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
  	auth_dontaudit_read_shadow($1)
@@ -80669,7 +80711,7 @@ index f416ce9..25def3e 100644
  ')
  
  ########################################
-@@ -664,6 +826,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +828,10 @@ interface(`auth_manage_shadow',`
  
  	allow $1 shadow_t:file manage_file_perms;
  	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -80680,7 +80722,7 @@ index f416ce9..25def3e 100644
  ')
  
  #######################################
-@@ -763,7 +929,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +931,50 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -80732,7 +80774,7 @@ index f416ce9..25def3e 100644
  ')
  
  #######################################
-@@ -959,9 +1168,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1170,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -80766,7 +80808,7 @@ index f416ce9..25def3e 100644
  ')
  
  ########################################
-@@ -1040,6 +1270,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1272,10 @@ interface(`auth_manage_pam_pid',`
  	files_search_pids($1)
  	allow $1 pam_var_run_t:dir manage_dir_perms;
  	allow $1 pam_var_run_t:file manage_file_perms;
@@ -80777,7 +80819,7 @@ index f416ce9..25def3e 100644
  ')
  
  ########################################
-@@ -1157,6 +1391,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1157,6 +1393,7 @@ interface(`auth_manage_pam_console_data',`
  	files_search_pids($1)
  	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
  	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -80785,7 +80827,7 @@ index f416ce9..25def3e 100644
  ')
  
  #######################################
-@@ -1526,6 +1761,25 @@ interface(`auth_setattr_login_records',`
+@@ -1526,6 +1763,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -80811,7 +80853,7 @@ index f416ce9..25def3e 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1676,24 +1930,7 @@ interface(`auth_manage_login_records',`
+@@ -1676,24 +1932,7 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -80837,7 +80879,7 @@ index f416ce9..25def3e 100644
  ')
  
  ########################################
-@@ -1717,9 +1954,9 @@ interface(`auth_relabel_login_records',`
+@@ -1717,9 +1956,9 @@ interface(`auth_relabel_login_records',`
  ## <infoflow type="both" weight="10"/>
  #
  interface(`auth_use_nsswitch',`
@@ -80850,7 +80892,7 @@ index f416ce9..25def3e 100644
  
  	typeattribute $1 nsswitch_domain;
  ')
-@@ -1755,3 +1992,194 @@ interface(`auth_unconfined',`
+@@ -1755,3 +1994,194 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -82829,7 +82871,7 @@ index d26fe81..3f3a57f 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..2a13153 100644
+index 4a88fa1..582f563 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -82909,16 +82951,17 @@ index 4a88fa1..2a13153 100644
  
  type initrc_devpts_t;
  term_pty(initrc_devpts_t)
-@@ -95,7 +135,7 @@ ifdef(`enable_mls',`
+@@ -95,7 +135,8 @@ ifdef(`enable_mls',`
  #
  
  # Use capabilities. old rule:
 -allow init_t self:capability ~sys_module;
 +allow init_t self:capability ~{ sys_ptrace audit_control audit_write sys_module };
++allow init_t self:capability2 ~{ mac_admin mac_override };
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -107,12 +147,26 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -107,12 +148,26 @@ allow init_t self:fifo_file rw_fifo_file_perms;
  
  # Re-exec itself
  can_exec(init_t, init_exec_t)
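Review bot: `allow init_t self:capability2 ~{ mac_admin mac_override };` grants init_t every permission in class capability2 except those two, including any permission a future kernel adds to the class, which is the same negated-set pattern the line above uses for class capability and the reason the old `~sys_module` rule had to be tightened. The changelog item is `Add block suspend to appropriate domains`, so the explicit form `allow init_t self:capability2 { syslog wake_alarm block_suspend };` (adjusted to the AVCs actually seen) documents what PID 1 needs and will not grow silently. If the negated form is kept, add a comment saying why mac_admin and mac_override are excluded, since init should never set file labels undefined in the loaded policy. The init_t rule block continues outside the hunk.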
@@ -82951,7 +82994,7 @@ index 4a88fa1..2a13153 100644
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -122,28 +176,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -122,28 +177,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -82991,7 +83034,7 @@ index 4a88fa1..2a13153 100644
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -152,6 +216,8 @@ fs_list_inotifyfs(init_t)
+@@ -152,6 +217,8 @@ fs_list_inotifyfs(init_t)
  # cjp: this may be related to /dev/log
  fs_write_ramfs_sockets(init_t)
  
@@ -83000,7 +83043,7 @@ index 4a88fa1..2a13153 100644
  mcs_process_set_categories(init_t)
  mcs_killall(init_t)
  
-@@ -159,22 +225,41 @@ mls_file_read_all_levels(init_t)
+@@ -159,22 +226,41 @@ mls_file_read_all_levels(init_t)
  mls_file_write_all_levels(init_t)
  mls_process_write_down(init_t)
  mls_fd_use_all_levels(init_t)
@@ -83043,7 +83086,7 @@ index 4a88fa1..2a13153 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -183,12 +268,19 @@ ifdef(`distro_gentoo',`
+@@ -183,12 +269,19 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -83064,7 +83107,7 @@ index 4a88fa1..2a13153 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -196,16 +288,148 @@ tunable_policy(`init_upstart',`
+@@ -196,16 +289,148 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -83215,7 +83258,7 @@ index 4a88fa1..2a13153 100644
  ')
  
  optional_policy(`
-@@ -213,6 +437,18 @@ optional_policy(`
+@@ -213,6 +438,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83234,7 +83277,7 @@ index 4a88fa1..2a13153 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -222,8 +458,8 @@ optional_policy(`
+@@ -222,8 +459,8 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -83245,7 +83288,7 @@ index 4a88fa1..2a13153 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -251,12 +487,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -251,12 +488,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -83261,7 +83304,7 @@ index 4a88fa1..2a13153 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -272,23 +511,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -272,23 +512,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -83304,7 +83347,7 @@ index 4a88fa1..2a13153 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -296,6 +548,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -296,6 +549,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -83312,7 +83355,7 @@ index 4a88fa1..2a13153 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -306,8 +559,10 @@ dev_write_framebuffer(initrc_t)
+@@ -306,8 +560,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -83323,7 +83366,7 @@ index 4a88fa1..2a13153 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -315,17 +570,16 @@ dev_manage_generic_files(initrc_t)
+@@ -315,17 +571,16 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -83343,7 +83386,7 @@ index 4a88fa1..2a13153 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -333,6 +587,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -333,6 +588,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -83351,7 +83394,7 @@ index 4a88fa1..2a13153 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -340,8 +595,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -340,8 +596,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -83363,7 +83406,7 @@ index 4a88fa1..2a13153 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -357,8 +614,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -357,8 +615,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -83377,7 +83420,7 @@ index 4a88fa1..2a13153 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -368,9 +629,12 @@ fs_mount_all_fs(initrc_t)
+@@ -368,9 +630,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -83391,7 +83434,7 @@ index 4a88fa1..2a13153 100644
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
  
-@@ -380,6 +644,7 @@ mls_process_read_up(initrc_t)
+@@ -380,6 +645,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -83399,7 +83442,7 @@ index 4a88fa1..2a13153 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -391,6 +656,7 @@ term_use_all_terms(initrc_t)
+@@ -391,6 +657,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -83407,7 +83450,7 @@ index 4a88fa1..2a13153 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -411,18 +677,17 @@ logging_read_audit_config(initrc_t)
+@@ -411,18 +678,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -83429,7 +83472,7 @@ index 4a88fa1..2a13153 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -476,6 +741,10 @@ ifdef(`distro_gentoo',`
+@@ -476,6 +742,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -83440,7 +83483,7 @@ index 4a88fa1..2a13153 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -496,7 +765,7 @@ ifdef(`distro_redhat',`
+@@ -496,7 +766,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -83449,7 +83492,7 @@ index 4a88fa1..2a13153 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -511,6 +780,7 @@ ifdef(`distro_redhat',`
+@@ -511,6 +781,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -83457,7 +83500,7 @@ index 4a88fa1..2a13153 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -531,6 +801,7 @@ ifdef(`distro_redhat',`
+@@ -531,6 +802,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -83465,7 +83508,7 @@ index 4a88fa1..2a13153 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -540,8 +811,35 @@ ifdef(`distro_redhat',`
+@@ -540,8 +812,35 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -83501,7 +83544,7 @@ index 4a88fa1..2a13153 100644
  	')
  
  	optional_policy(`
-@@ -549,14 +847,27 @@ ifdef(`distro_redhat',`
+@@ -549,14 +848,27 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -83529,7 +83572,7 @@ index 4a88fa1..2a13153 100644
  	')
  ')
  
-@@ -567,6 +878,39 @@ ifdef(`distro_suse',`
+@@ -567,6 +879,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -83569,7 +83612,7 @@ index 4a88fa1..2a13153 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +923,8 @@ optional_policy(`
+@@ -579,6 +924,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -83578,7 +83621,7 @@ index 4a88fa1..2a13153 100644
  ')
  
  optional_policy(`
-@@ -600,6 +946,7 @@ optional_policy(`
+@@ -600,6 +947,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -83586,7 +83629,7 @@ index 4a88fa1..2a13153 100644
  ')
  
  optional_policy(`
-@@ -612,6 +959,17 @@ optional_policy(`
+@@ -612,6 +960,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83604,7 +83647,7 @@ index 4a88fa1..2a13153 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -628,9 +986,13 @@ optional_policy(`
+@@ -628,9 +987,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -83618,7 +83661,7 @@ index 4a88fa1..2a13153 100644
  	')
  
  	optional_policy(`
-@@ -655,6 +1017,10 @@ optional_policy(`
+@@ -655,6 +1018,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83629,7 +83672,7 @@ index 4a88fa1..2a13153 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -672,6 +1038,15 @@ optional_policy(`
+@@ -672,6 +1039,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83645,7 +83688,7 @@ index 4a88fa1..2a13153 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -712,6 +1087,7 @@ optional_policy(`
+@@ -712,6 +1088,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -83653,7 +83696,7 @@ index 4a88fa1..2a13153 100644
  ')
  
  optional_policy(`
-@@ -729,7 +1105,13 @@ optional_policy(`
+@@ -729,7 +1106,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83667,7 +83710,7 @@ index 4a88fa1..2a13153 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -752,6 +1134,10 @@ optional_policy(`
+@@ -752,6 +1135,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83678,7 +83721,7 @@ index 4a88fa1..2a13153 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -761,10 +1147,20 @@ optional_policy(`
+@@ -761,10 +1148,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83699,7 +83742,7 @@ index 4a88fa1..2a13153 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -773,6 +1169,10 @@ optional_policy(`
+@@ -773,6 +1170,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83710,7 +83753,7 @@ index 4a88fa1..2a13153 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -794,8 +1194,6 @@ optional_policy(`
+@@ -794,8 +1195,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -83719,7 +83762,7 @@ index 4a88fa1..2a13153 100644
  ')
  
  optional_policy(`
-@@ -804,6 +1202,10 @@ optional_policy(`
+@@ -804,6 +1203,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83730,7 +83773,7 @@ index 4a88fa1..2a13153 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -813,10 +1215,12 @@ optional_policy(`
+@@ -813,10 +1216,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -83743,7 +83786,7 @@ index 4a88fa1..2a13153 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -828,8 +1232,6 @@ optional_policy(`
+@@ -828,8 +1233,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83752,7 +83795,7 @@ index 4a88fa1..2a13153 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_pid_dirs(initrc_t)
  	udev_manage_rules_files(initrc_t)
-@@ -840,12 +1242,30 @@ optional_policy(`
+@@ -840,12 +1243,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83785,7 +83828,7 @@ index 4a88fa1..2a13153 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -855,6 +1275,18 @@ optional_policy(`
+@@ -855,6 +1276,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -83804,7 +83847,7 @@ index 4a88fa1..2a13153 100644
  ')
  
  optional_policy(`
-@@ -870,6 +1302,10 @@ optional_policy(`
+@@ -870,6 +1303,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83815,7 +83858,7 @@ index 4a88fa1..2a13153 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -880,3 +1316,165 @@ optional_policy(`
+@@ -880,3 +1317,165 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -91027,7 +91070,7 @@ index 77a13a5..9a5a73f 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 29075b3..6ee8c74 100644
+index 29075b3..13f3949 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -91046,12 +91089,13 @@ index 29075b3..6ee8c74 100644
  
  ifdef(`enable_mcs',`
  	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
-@@ -36,9 +34,10 @@ ifdef(`enable_mcs',`
+@@ -36,9 +34,11 @@ ifdef(`enable_mcs',`
  # Local policy
  #
  
 -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
 +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
++allow udev_t self:capability2 { block_suspend };
  dontaudit udev_t self:capability sys_tty_config;
 -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 +
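Review bot: The new `+allow udev_t self:capability2 { block_suspend };` grants CAP_BLOCK_SUSPEND with no comment recording what udev does that needs it, and the same unexplained grant is made to `$1_t` in the userdomain.if hunk, to `cupsd_t` in the cups.te hunk and to `session_bus_type` in the dbus.te hunk later in this commit. If these were added to clear AVCs (the access_vectors hunk earlier in this commit extends capability2 with `epollwakeup`, which hints at EPOLLWAKEUP-driven denials), each domain should be checked for whether it genuinely needs to hold off suspend; where it does not, `dontaudit` is the narrower answer. A one-line comment at each grant, e.g. `# block_suspend: <trigger observed in AVC>`, would let the grant be revisited later. The four sites also disagree on form — `{ block_suspend }` here and in cups.te, bare `block_suspend` in dbus.te — so pick one. The rest of udev_t's local policy lies outside this hunk.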
@@ -91059,7 +91103,7 @@ index 29075b3..6ee8c74 100644
  allow udev_t self:process { execmem setfscreate };
  allow udev_t self:fd use;
  allow udev_t self:fifo_file rw_fifo_file_perms;
-@@ -52,6 +51,7 @@ allow udev_t self:unix_dgram_socket sendto;
+@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
  allow udev_t self:rawip_socket create_socket_perms;
@@ -91067,7 +91111,7 @@ index 29075b3..6ee8c74 100644
  
  allow udev_t udev_exec_t:file write;
  can_exec(udev_t, udev_exec_t)
-@@ -62,31 +62,35 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -62,31 +63,35 @@ can_exec(udev_t, udev_helper_exec_t)
  # read udev config
  allow udev_t udev_etc_t:file read_file_perms;
  
@@ -91110,7 +91154,7 @@ index 29075b3..6ee8c74 100644
  
  #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
  kernel_rw_net_sysctls(udev_t)
-@@ -97,6 +101,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -97,6 +102,7 @@ corecmd_exec_all_executables(udev_t)
  
  dev_rw_sysfs(udev_t)
  dev_manage_all_dev_nodes(udev_t)
@@ -91118,7 +91162,7 @@ index 29075b3..6ee8c74 100644
  dev_rw_generic_files(udev_t)
  dev_delete_generic_files(udev_t)
  dev_search_usbfs(udev_t)
-@@ -105,23 +110,31 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -105,23 +111,31 @@ dev_relabel_all_dev_nodes(udev_t)
  # preserved, instead of short circuiting the relabel
  dev_relabel_generic_symlinks(udev_t)
  dev_manage_generic_symlinks(udev_t)
@@ -91154,7 +91198,7 @@ index 29075b3..6ee8c74 100644
  
  mls_file_read_all_levels(udev_t)
  mls_file_write_all_levels(udev_t)
-@@ -143,10 +156,12 @@ auth_use_nsswitch(udev_t)
+@@ -143,10 +157,12 @@ auth_use_nsswitch(udev_t)
  init_read_utmp(udev_t)
  init_dontaudit_write_utmp(udev_t)
  init_getattr_initctl(udev_t)
@@ -91167,7 +91211,7 @@ index 29075b3..6ee8c74 100644
  
  miscfiles_read_localization(udev_t)
  miscfiles_read_hwdata(udev_t)
-@@ -154,6 +169,8 @@ miscfiles_read_hwdata(udev_t)
+@@ -154,6 +170,8 @@ miscfiles_read_hwdata(udev_t)
  modutils_domtrans_insmod(udev_t)
  # read modules.inputmap:
  modutils_read_module_deps(udev_t)
@@ -91176,7 +91220,7 @@ index 29075b3..6ee8c74 100644
  
  seutil_read_config(udev_t)
  seutil_read_default_contexts(udev_t)
-@@ -169,6 +186,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -169,6 +187,8 @@ sysnet_signal_dhcpc(udev_t)
  sysnet_manage_config(udev_t)
  sysnet_etc_filetrans_config(udev_t)
  
@@ -91185,7 +91229,7 @@ index 29075b3..6ee8c74 100644
  userdom_dontaudit_search_user_home_content(udev_t)
  
  ifdef(`distro_gentoo',`
-@@ -178,16 +197,9 @@ ifdef(`distro_gentoo',`
+@@ -178,16 +198,9 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -91204,7 +91248,7 @@ index 29075b3..6ee8c74 100644
  
  	# for arping used for static IP addresses on PCMCIA ethernet
  	netutils_domtrans(udev_t)
-@@ -216,11 +228,16 @@ optional_policy(`
+@@ -216,11 +229,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -91221,7 +91265,7 @@ index 29075b3..6ee8c74 100644
  ')
  
  optional_policy(`
-@@ -230,10 +247,20 @@ optional_policy(`
+@@ -230,10 +248,20 @@ optional_policy(`
  optional_policy(`
  	devicekit_read_pid_files(udev_t)
  	devicekit_dgram_send(udev_t)
@@ -91242,7 +91286,7 @@ index 29075b3..6ee8c74 100644
  ')
  
  optional_policy(`
-@@ -259,6 +286,10 @@ optional_policy(`
+@@ -259,6 +287,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -91253,7 +91297,7 @@ index 29075b3..6ee8c74 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +304,11 @@ optional_policy(`
+@@ -273,6 +305,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -91265,7 +91309,7 @@ index 29075b3..6ee8c74 100644
  	unconfined_signal(udev_t)
  ')
  
-@@ -285,6 +321,7 @@ optional_policy(`
+@@ -285,6 +322,7 @@ optional_policy(`
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
  	xen_read_image_files(udev_t)
@@ -92098,7 +92142,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..7ce85d3 100644
+index e720dcd..c4ae660 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -93406,7 +93450,7 @@ index e720dcd..7ce85d3 100644
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
-+	allow $1_t self:capability2 syslog;
++	allow $1_t self:capability2 { block_suspend syslog };
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index e9ed480..4924769 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -13392,7 +13392,7 @@ index 305ddf4..11d010a 100644
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
  ')
 diff --git a/cups.te b/cups.te
-index e5a8924..abb85c3 100644
+index e5a8924..4965460 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -13413,7 +13413,15 @@ index e5a8924..abb85c3 100644
  type hplip_t;
  type hplip_exec_t;
  init_daemon_domain(hplip_t, hplip_exec_t)
-@@ -123,6 +127,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+@@ -104,6 +108,7 @@ ifdef(`enable_mls',`
+ # /usr/lib/cups/backend/serial needs sys_admin(?!)
+ allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
+ dontaudit cupsd_t self:capability { sys_tty_config net_admin };
++allow cupsd_t self:capability2 { block_suspend };
+ allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
+ allow cupsd_t self:fifo_file rw_fifo_file_perms;
+ allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -123,6 +128,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
  files_search_etc(cupsd_t)
  
  manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
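Review bot: The context line `allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };` that this hunk now carries lists `dac_override` twice; the duplicate is harmless to the policy compiler but makes the capability set harder to audit, so drop the second occurrence when the line is next touched. The new `+allow cupsd_t self:capability2 { block_suspend };` has the same open question as the udev.te grant earlier in this commit — what in a print spooler needs to block suspend — and would benefit from the same one-line comment naming the trigger. The cupsd_t local policy section continues outside the hunk.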
@@ -13421,7 +13429,7 @@ index e5a8924..abb85c3 100644
  
  manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
  manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
-@@ -137,6 +142,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+@@ -137,6 +143,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
  allow cupsd_t cupsd_lock_t:file manage_file_perms;
  files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
  
@@ -13429,7 +13437,7 @@ index e5a8924..abb85c3 100644
  manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
  allow cupsd_t cupsd_log_t:dir setattr;
  logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
-@@ -146,11 +152,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+@@ -146,11 +153,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
  manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
  files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
  
@@ -13444,7 +13452,7 @@ index e5a8924..abb85c3 100644
  
  allow cupsd_t hplip_t:process { signal sigkill };
  
-@@ -159,14 +166,13 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+@@ -159,14 +167,13 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
  allow cupsd_t hplip_var_run_t:file read_file_perms;
  
  stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
@@ -13460,7 +13468,7 @@ index e5a8924..abb85c3 100644
  corenet_all_recvfrom_netlabel(cupsd_t)
  corenet_tcp_sendrecv_generic_if(cupsd_t)
  corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -211,6 +217,7 @@ mls_rangetrans_target(cupsd_t)
+@@ -211,6 +218,7 @@ mls_rangetrans_target(cupsd_t)
  mls_socket_write_all_levels(cupsd_t)
  mls_fd_use_all_levels(cupsd_t)
  
@@ -13468,7 +13476,7 @@ index e5a8924..abb85c3 100644
  term_use_unallocated_ttys(cupsd_t)
  term_search_ptys(cupsd_t)
  
-@@ -220,11 +227,12 @@ corecmd_exec_bin(cupsd_t)
+@@ -220,11 +228,12 @@ corecmd_exec_bin(cupsd_t)
  
  domain_use_interactive_fds(cupsd_t)
  
@@ -13482,7 +13490,7 @@ index e5a8924..abb85c3 100644
  # for /var/lib/defoma
  files_read_var_lib_files(cupsd_t)
  files_list_world_readable(cupsd_t)
-@@ -270,12 +278,6 @@ files_dontaudit_list_home(cupsd_t)
+@@ -270,12 +279,6 @@ files_dontaudit_list_home(cupsd_t)
  userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
  userdom_dontaudit_search_user_home_content(cupsd_t)
  
@@ -13495,7 +13503,7 @@ index e5a8924..abb85c3 100644
  optional_policy(`
  	apm_domtrans_client(cupsd_t)
  ')
-@@ -287,6 +289,8 @@ optional_policy(`
+@@ -287,6 +290,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -13504,7 +13512,7 @@ index e5a8924..abb85c3 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -297,8 +301,10 @@ optional_policy(`
+@@ -297,8 +302,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -13515,7 +13523,7 @@ index e5a8924..abb85c3 100644
  	')
  ')
  
-@@ -311,10 +317,23 @@ optional_policy(`
+@@ -311,10 +318,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13539,7 +13547,7 @@ index e5a8924..abb85c3 100644
  	mta_send_mail(cupsd_t)
  ')
  
-@@ -322,6 +341,8 @@ optional_policy(`
+@@ -322,6 +342,8 @@ optional_policy(`
  	# cups execs smbtool which reads samba_etc_t files
  	samba_read_config(cupsd_t)
  	samba_rw_var_files(cupsd_t)
@@ -13548,7 +13556,7 @@ index e5a8924..abb85c3 100644
  ')
  
  optional_policy(`
-@@ -371,8 +392,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +393,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
  
  allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
  
@@ -13559,7 +13567,7 @@ index e5a8924..abb85c3 100644
  
  domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
  
-@@ -381,7 +403,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+@@ -381,7 +404,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
  kernel_read_system_state(cupsd_config_t)
  kernel_read_all_sysctls(cupsd_config_t)
  
@@ -13567,7 +13575,7 @@ index e5a8924..abb85c3 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -407,7 +428,6 @@ domain_use_interactive_fds(cupsd_config_t)
+@@ -407,7 +429,6 @@ domain_use_interactive_fds(cupsd_config_t)
  domain_dontaudit_search_all_domains_state(cupsd_config_t)
  
  files_read_usr_files(cupsd_config_t)
@@ -13575,7 +13583,7 @@ index e5a8924..abb85c3 100644
  files_read_etc_runtime_files(cupsd_config_t)
  files_read_var_symlinks(cupsd_config_t)
  
-@@ -425,11 +445,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +446,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
  
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -13589,7 +13597,7 @@ index e5a8924..abb85c3 100644
  ifdef(`distro_redhat',`
  	optional_policy(`
  		rpm_read_db(cupsd_config_t)
-@@ -453,6 +473,10 @@ optional_policy(`
+@@ -453,6 +474,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13600,7 +13608,7 @@ index e5a8924..abb85c3 100644
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
  	hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +491,10 @@ optional_policy(`
+@@ -467,6 +492,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13611,7 +13619,7 @@ index e5a8924..abb85c3 100644
  	policykit_dbus_chat(cupsd_config_t)
  	userdom_read_all_users_state(cupsd_config_t)
  ')
-@@ -526,7 +554,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
+@@ -526,7 +555,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
  kernel_read_network_state(cupsd_lpd_t)
  
@@ -13619,7 +13627,7 @@ index e5a8924..abb85c3 100644
  corenet_all_recvfrom_netlabel(cupsd_lpd_t)
  corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
  corenet_udp_sendrecv_generic_if(cupsd_lpd_t)
-@@ -537,13 +564,13 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,13 +565,13 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
  corenet_tcp_bind_generic_node(cupsd_lpd_t)
  corenet_udp_bind_generic_node(cupsd_lpd_t)
  corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -13634,7 +13642,7 @@ index e5a8924..abb85c3 100644
  
  auth_use_nsswitch(cupsd_lpd_t)
  
-@@ -577,7 +604,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
+@@ -577,7 +605,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -13642,7 +13650,7 @@ index e5a8924..abb85c3 100644
  files_read_usr_files(cups_pdf_t)
  
  corecmd_exec_shell(cups_pdf_t)
-@@ -587,23 +613,22 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,23 +614,22 @@ auth_use_nsswitch(cups_pdf_t)
  
  miscfiles_read_localization(cups_pdf_t)
  miscfiles_read_fonts(cups_pdf_t)
@@ -13675,7 +13683,7 @@ index e5a8924..abb85c3 100644
  ')
  
  ########################################
-@@ -647,7 +672,6 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+@@ -647,7 +673,6 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
  kernel_read_system_state(hplip_t)
  kernel_read_kernel_sysctls(hplip_t)
  
@@ -13683,7 +13691,7 @@ index e5a8924..abb85c3 100644
  corenet_all_recvfrom_netlabel(hplip_t)
  corenet_tcp_sendrecv_generic_if(hplip_t)
  corenet_udp_sendrecv_generic_if(hplip_t)
-@@ -661,10 +685,10 @@ corenet_tcp_bind_generic_node(hplip_t)
+@@ -661,10 +686,10 @@ corenet_tcp_bind_generic_node(hplip_t)
  corenet_udp_bind_generic_node(hplip_t)
  corenet_tcp_bind_hplip_port(hplip_t)
  corenet_tcp_connect_hplip_port(hplip_t)
@@ -13697,7 +13705,7 @@ index e5a8924..abb85c3 100644
  
  dev_read_sysfs(hplip_t)
  dev_rw_printer(hplip_t)
-@@ -682,9 +706,11 @@ corecmd_exec_bin(hplip_t)
+@@ -682,9 +707,11 @@ corecmd_exec_bin(hplip_t)
  
  domain_use_interactive_fds(hplip_t)
  
@@ -13710,7 +13718,7 @@ index e5a8924..abb85c3 100644
  
  logging_send_syslog_msg(hplip_t)
  
-@@ -695,9 +721,12 @@ sysnet_read_config(hplip_t)
+@@ -695,9 +722,12 @@ sysnet_read_config(hplip_t)
  userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
@@ -13725,7 +13733,7 @@ index e5a8924..abb85c3 100644
  
  optional_policy(`
  	dbus_system_bus_client(hplip_t)
-@@ -743,7 +772,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -743,7 +773,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -13733,7 +13741,7 @@ index e5a8924..abb85c3 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -760,7 +788,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -760,7 +789,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  domain_use_interactive_fds(ptal_t)
  
@@ -14442,7 +14450,7 @@ index fb4bf82..115133d 100644
 +	dontaudit $1 session_bus_type:dbus send_msg;
  ')
 diff --git a/dbus.te b/dbus.te
-index 625cb32..ac27bd9 100644
+index 625cb32..cfe6dbd 100644
 --- a/dbus.te
 +++ b/dbus.te
 @@ -10,6 +10,7 @@ gen_require(`
@@ -14548,7 +14556,7 @@ index 625cb32..ac27bd9 100644
  	policykit_dbus_chat(system_dbusd_t)
  	policykit_domtrans_auth(system_dbusd_t)
  	policykit_search_lib(system_dbusd_t)
-@@ -150,12 +178,160 @@ optional_policy(`
+@@ -150,12 +178,161 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14607,6 +14615,7 @@ index 625cb32..ac27bd9 100644
 +#
 +# session_bus_type rules
 +#
++allow session_bus_type self:capability2 block_suspend;
 +dontaudit session_bus_type self:capability sys_resource;
 +allow session_bus_type self:process { getattr sigkill signal };
 +dontaudit session_bus_type self:process setrlimit;
@@ -17025,7 +17034,7 @@ index fdaeeba..ec15389 100644
 +	virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
  ')
 diff --git a/dnssec.fc b/dnssec.fc
-new file mode 100755
+new file mode 100644
 index 0000000..9e231a8
 --- /dev/null
 +++ b/dnssec.fc
@@ -17034,7 +17043,7 @@ index 0000000..9e231a8
 +
 +/var/run/dnssec.*			gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
 diff --git a/dnssec.if b/dnssec.if
-new file mode 100755
+new file mode 100644
 index 0000000..a952041
 --- /dev/null
 +++ b/dnssec.if
@@ -17104,7 +17113,7 @@ index 0000000..a952041
 +	admin_pattern($1, dnssec_trigger_var_run_t)
 +')
 diff --git a/dnssec.te b/dnssec.te
-new file mode 100755
+new file mode 100644
 index 0000000..98ba6e1
 --- /dev/null
 +++ b/dnssec.te
@@ -27434,10 +27443,10 @@ index c18c920..582f7f3 100644
  	kismet_manage_pid_files($1)
  	kismet_manage_lib($1)
 diff --git a/kismet.te b/kismet.te
-index 9dd6880..ab842bd 100644
+index 9dd6880..ba8021c 100644
 --- a/kismet.te
 +++ b/kismet.te
-@@ -74,7 +74,6 @@ kernel_read_network_state(kismet_t)
+@@ -74,24 +74,22 @@ kernel_read_network_state(kismet_t)
  
  corecmd_exec_bin(kismet_t)
  
@@ -27445,7 +27454,13 @@ index 9dd6880..ab842bd 100644
  corenet_all_recvfrom_netlabel(kismet_t)
  corenet_tcp_sendrecv_generic_if(kismet_t)
  corenet_tcp_sendrecv_generic_node(kismet_t)
-@@ -86,12 +85,11 @@ corenet_tcp_connect_pulseaudio_port(kismet_t)
+ corenet_tcp_sendrecv_all_ports(kismet_t)
+ corenet_tcp_bind_generic_node(kismet_t)
+-corenet_tcp_bind_kismet_port(kismet_t)
+-corenet_tcp_connect_kismet_port(kismet_t)
++corenet_tcp_bind_rtsclient_port(kismet_t)
++corenet_tcp_connect_rtsclient_port(kismet_t)
+ corenet_tcp_connect_pulseaudio_port(kismet_t)
  
  auth_use_nsswitch(kismet_t)
  
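Review bot: Replacing `corenet_tcp_bind_kismet_port(kismet_t)` and `corenet_tcp_connect_kismet_port(kismet_t)` with the `rtsclient_port` interfaces is not mentioned in the commit description, and nothing in the hunk says why kismet's own port label stopped being right. The milter.te and postfix.te hunks in the same commit also use `rtsclient_port` for sqlgrey, so this looks like two services sharing one port number with the declaration consolidated under a single label — if so, a comment such as `# kismet's server port carries the rtsclient_port_t label` next to the bind line would keep the next reader from reverting it, and the corenetwork change that drops or aliases kismet_port_t should be cited. If kismet_port_t still exists, the original interfaces should stay.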
@@ -30523,26 +30538,32 @@ index b681608..27460d5 100644
  term_dontaudit_use_all_ptys(memcached_t)
  term_dontaudit_use_all_ttys(memcached_t)
 diff --git a/milter.fc b/milter.fc
-index 1ec5a6c..cbcad00 100644
+index 1ec5a6c..06beeb2 100644
 --- a/milter.fc
 +++ b/milter.fc
-@@ -1,10 +1,15 @@
+@@ -1,13 +1,21 @@
 +/etc/mail/dkim-milter/keys(/.*)?        gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
 +
 +/usr/sbin/dkim-filter           --      gen_context(system_u:object_r:dkim_milter_exec_t,s0)
  /usr/sbin/milter-greylist	--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 -/usr/sbin/milter-regex		--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
++/usr/sbin/sqlgrey       --      gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 +/usr/sbin/milter-regex				--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
  /usr/sbin/spamass-milter	--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
  
 +/var/lib/dkim-milter(/.*)?          gen_context(system_u:object_r:dkim_milter_data_t,s0)
  /var/lib/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
++/var/lib/sqlgrey(/.*)?  	--		gen_context(system_u:object_r:greylist_milter_data_t,s0)
  /var/lib/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_state_t,s0)
  
 +/var/run/dkim-milter(/.*)?              gen_context(system_u:object_r:dkim_milter_data_t,s0)
  /var/run/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
  /var/run/milter-greylist\.pid	--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
  /var/run/spamass(/.*)?			gen_context(system_u:object_r:spamass_milter_data_t,s0)
++/var/run/sqlgrey\.pid    	--      gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ /var/run/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_data_t,s0)
+ /var/run/spamass-milter\.pid	--	gen_context(system_u:object_r:spamass_milter_data_t,s0)
+ 
 diff --git a/milter.if b/milter.if
 index ee72cbe..bf5fc09 100644
 --- a/milter.if
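Review bot: `+/var/lib/sqlgrey(/.*)?  	--		gen_context(system_u:object_r:greylist_milter_data_t,s0)` combines a recursive directory pattern with the `--` regular-file specifier, so /var/lib/sqlgrey itself and any subdirectory match nothing here and fall through to the generic /var/lib entry while only plain files inside get greylist_milter_data_t; compare the adjacent `/var/lib/milter-greylist(/.*)?` entry, which carries no file-type specifier. Drop the `--`: `/var/lib/sqlgrey(/.*)?			gen_context(system_u:object_r:greylist_milter_data_t,s0)`. The `/var/run/sqlgrey\.pid` entry names a single regular file, so its `--` is fine.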
@@ -30628,7 +30649,7 @@ index ee72cbe..bf5fc09 100644
 +	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
 +')
 diff --git a/milter.te b/milter.te
-index 26101cb..7393387 100644
+index 26101cb..01ef5a5 100644
 --- a/milter.te
 +++ b/milter.te
 @@ -9,6 +9,13 @@ policy_module(milter, 1.4.0)
@@ -30670,7 +30691,7 @@ index 26101cb..7393387 100644
  ########################################
  #
  # milter-greylist local policy
-@@ -33,11 +58,19 @@ files_type(spamass_milter_state_t)
+@@ -33,11 +58,25 @@ files_type(spamass_milter_state_t)
  allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
  allow greylist_milter_t self:process { setsched getsched };
  
@@ -30681,15 +30702,37 @@ index 26101cb..7393387 100644
  
  kernel_read_kernel_sysctls(greylist_milter_t)
  
++dev_read_rand(greylist_milter_t)
++dev_read_urand(greylist_milter_t)
++
 +corecmd_exec_bin(greylist_milter_t)
 +corecmd_exec_shell(greylist_milter_t)
 +
 +corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
 +corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
++corenet_tcp_bind_rtsclient_port(greylist_milter_t)
 +
++# perl getgroups() reads a bunch of files in /etc
++files_read_etc_files(greylist_milter_t)
  # Allow the milter to read a GeoIP database in /usr/share
  files_read_usr_files(greylist_milter_t)
  # The milter runs from /var/lib/milter-greylist and maintains files there
+@@ -49,6 +88,15 @@ auth_use_nsswitch(greylist_milter_t)
+ # Config is in /etc/mail/greylist.conf
+ mta_read_config(greylist_milter_t)
+ 
++miscfiles_read_localization(greylist_milter_t)
++
++sysnet_read_config(greylist_milter_t)
++
++
++optional_policy(`
++	mysql_stream_connect(greylist_milter_t)
++')
++
+ ########################################
+ #
+ # milter-regex local policy
 diff --git a/mock.fc b/mock.fc
 new file mode 100644
 index 0000000..8d0e473
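Review bot: Labelling /usr/sbin/sqlgrey as greylist_milter_exec_t (milter.fc hunk) means every rule added here — `corecmd_exec_shell`, `dev_read_rand`/`dev_read_urand`, `files_read_etc_files`, `mysql_stream_connect`, the rtsclient port bind — is also granted to milter-greylist, which presumably needs little of it; a separate sqlgrey domain would keep each daemon at its own privilege level, and if sharing the domain is deliberate a comment at the top of the section saying so would help. `+corenet_tcp_bind_rtsclient_port(greylist_milter_t)` sits among the movaz_ssc lines with nothing naming which daemon listens there; `# sqlgrey listens on the port labelled rtsclient_port_t` (if that is the reason) would do. The `++` / `++` pair after `sysnet_read_config` leaves two consecutive blank lines, one of which should go. The greylist_milter_t section begins outside this hunk.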
@@ -42473,7 +42516,7 @@ index 46bee12..61cc81a 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 +')
 diff --git a/postfix.te b/postfix.te
-index a1e0f60..4baf9a4 100644
+index a1e0f60..ec5fc31 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0)
@@ -42643,7 +42686,7 @@ index a1e0f60..4baf9a4 100644
  manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
  manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
  manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -237,18 +264,24 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -237,22 +264,31 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
  #
  
  allow postfix_cleanup_t self:process setrlimit;
@@ -42668,7 +42711,14 @@ index a1e0f60..4baf9a4 100644
  allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
  
  corecmd_exec_bin(postfix_cleanup_t)
-@@ -264,7 +297,6 @@ optional_policy(`
+ 
++# allow postfix to connect to sqlgrey
++corenet_tcp_connect_rtsclient_port(postfix_cleanup_t)
++
+ mta_read_aliases(postfix_cleanup_t)
+ 
+ optional_policy(`
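Review bot: `+corenet_tcp_connect_rtsclient_port(postfix_cleanup_t)` is granted unconditionally, so every Postfix installation gets the outbound connect whether or not sqlgrey is deployed; the `# allow postfix to connect to sqlgrey` comment is good, but the permission would be tighter behind an `optional_policy` or tunable keyed to the greylisting setup, if the policy has one. It is also worth confirming from the AVC which Postfix process actually opens the connection — policy services are commonly consulted by the smtpd process rather than cleanup — and moving the rule to that domain if cleanup was not the source. The postfix_cleanup_t section continues outside the hunk.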
+@@ -264,7 +300,6 @@ optional_policy(`
  # Postfix local local policy
  #
  
@@ -42676,7 +42726,7 @@ index a1e0f60..4baf9a4 100644
  allow postfix_local_t self:process { setsched setrlimit };
  
  # connect to master process
-@@ -273,12 +305,13 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,12 +308,13 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
  # for .forward - maybe we need a new type for it?
  rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
  
@@ -42691,7 +42741,7 @@ index a1e0f60..4baf9a4 100644
  
  logging_dontaudit_search_logs(postfix_local_t)
  
-@@ -286,10 +319,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +322,15 @@ mta_read_aliases(postfix_local_t)
  mta_delete_spool(postfix_local_t)
  # For reading spamassasin
  mta_read_config(postfix_local_t)
@@ -42710,7 +42760,7 @@ index a1e0f60..4baf9a4 100644
  
  optional_policy(`
  	clamav_search_lib(postfix_local_t)
-@@ -297,6 +335,14 @@ optional_policy(`
+@@ -297,6 +338,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42725,7 +42775,7 @@ index a1e0f60..4baf9a4 100644
  #	for postalias
  	mailman_manage_data_files(postfix_local_t)
  	mailman_append_log(postfix_local_t)
-@@ -304,9 +350,22 @@ optional_policy(`
+@@ -304,9 +353,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42748,7 +42798,7 @@ index a1e0f60..4baf9a4 100644
  ########################################
  #
  # Postfix map local policy
-@@ -329,7 +388,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -329,7 +391,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
  kernel_dontaudit_list_proc(postfix_map_t)
  kernel_dontaudit_read_system_state(postfix_map_t)
  
@@ -42756,7 +42806,7 @@ index a1e0f60..4baf9a4 100644
  corenet_all_recvfrom_netlabel(postfix_map_t)
  corenet_tcp_sendrecv_generic_if(postfix_map_t)
  corenet_udp_sendrecv_generic_if(postfix_map_t)
-@@ -348,7 +406,6 @@ corecmd_read_bin_sockets(postfix_map_t)
+@@ -348,7 +409,6 @@ corecmd_read_bin_sockets(postfix_map_t)
  
  files_list_home(postfix_map_t)
  files_read_usr_files(postfix_map_t)
@@ -42764,7 +42814,7 @@ index a1e0f60..4baf9a4 100644
  files_read_etc_runtime_files(postfix_map_t)
  files_dontaudit_search_var(postfix_map_t)
  
-@@ -379,18 +436,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +439,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  
@@ -42790,7 +42840,7 @@ index a1e0f60..4baf9a4 100644
  allow postfix_pipe_t self:process setrlimit;
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +464,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +467,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
  domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  
@@ -42799,7 +42849,7 @@ index a1e0f60..4baf9a4 100644
  optional_policy(`
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
-@@ -420,6 +485,7 @@ optional_policy(`
+@@ -420,6 +488,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -42807,7 +42857,7 @@ index a1e0f60..4baf9a4 100644
  ')
  
  optional_policy(`
-@@ -436,11 +502,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +505,17 @@ allow postfix_postdrop_t self:capability sys_resource;
  allow postfix_postdrop_t self:tcp_socket create;
  allow postfix_postdrop_t self:udp_socket create_socket_perms;
  
@@ -42825,7 +42875,7 @@ index a1e0f60..4baf9a4 100644
  corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
  corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
  
-@@ -487,8 +559,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +562,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
  domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
  
  # to write the mailq output, it really should not need read access!
@@ -42836,7 +42886,7 @@ index a1e0f60..4baf9a4 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +591,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +594,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -42849,7 +42899,7 @@ index a1e0f60..4baf9a4 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +615,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +618,9 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -42860,7 +42910,7 @@ index a1e0f60..4baf9a4 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +636,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +639,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
  
  allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
  
@@ -42872,7 +42922,7 @@ index a1e0f60..4baf9a4 100644
  files_search_all_mountpoints(postfix_smtp_t)
  
  optional_policy(`
-@@ -565,6 +648,14 @@ optional_policy(`
+@@ -565,6 +651,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42887,7 +42937,7 @@ index a1e0f60..4baf9a4 100644
  	milter_stream_connect_all(postfix_smtp_t)
  ')
  
-@@ -581,17 +672,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +675,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
  corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
  
  # for prng_exch
@@ -42914,7 +42964,7 @@ index a1e0f60..4baf9a4 100644
  ')
  
  optional_policy(`
-@@ -599,6 +698,12 @@ optional_policy(`
+@@ -599,6 +701,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42927,7 +42977,7 @@ index a1e0f60..4baf9a4 100644
  	postgrey_stream_connect(postfix_smtpd_t)
  ')
  
-@@ -611,7 +716,6 @@ optional_policy(`
+@@ -611,7 +719,6 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -42935,7 +42985,7 @@ index a1e0f60..4baf9a4 100644
  allow postfix_virtual_t self:process { setsched setrlimit };
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -622,7 +726,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
+@@ -622,7 +729,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
  corecmd_exec_shell(postfix_virtual_t)
  corecmd_exec_bin(postfix_virtual_t)
  
@@ -42943,7 +42993,7 @@ index a1e0f60..4baf9a4 100644
  files_read_usr_files(postfix_virtual_t)
  
  mta_read_aliases(postfix_virtual_t)
-@@ -630,3 +733,75 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +736,75 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -53366,7 +53416,7 @@ index cfe3172..3eb745d 100644
 +
  ')
 diff --git a/sanlock.te b/sanlock.te
-index e02eb6c..6491450 100644
+index e02eb6c..d015830 100644
 --- a/sanlock.te
 +++ b/sanlock.te
 @@ -1,4 +1,4 @@
@@ -53404,8 +53454,8 @@ index e02eb6c..6491450 100644
  #
 -allow sanlock_t self:capability { sys_nice ipc_lock };
 -allow sanlock_t self:process { setsched signull };
-+allow sanlock_t self:capability { chown setgid dac_override ipc_lock sys_nice };
-+allow sanlock_t self:process { setsched signull signal sigkill };
++allow sanlock_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice sys_resource };
++allow sanlock_t self:process { setrlimit setsched signull signal sigkill };
 +
  allow sanlock_t self:fifo_file rw_fifo_file_perms;
  allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
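Review bot: The new capability line gives sanlock_t dac_override (alongside chown, setgid and setuid), which lets the daemon bypass every DAC permission check on any file it can otherwise reach under SELinux; that is a wide grant for a change whose stated goal is clearing AVCs. A dac_override denial is often a symptom of a lock file or directory owned by a different uid than the daemon runs as, and if the needed access is read-only the narrower `dac_read_search` permission is usually enough. A short comment above the rule naming the path or operation that required it would keep the grant auditable later.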
@@ -53495,7 +53545,7 @@ index f1aea88..3e6a93f 100644
  	admin_pattern($1, saslauthd_var_run_t)
  ')
 diff --git a/sasl.te b/sasl.te
-index 9d9f8ce..c68cdf4 100644
+index 9d9f8ce..4ad9ef7 100644
 --- a/sasl.te
 +++ b/sasl.te
 @@ -10,7 +10,7 @@ policy_module(sasl, 1.14.0)
@@ -53517,7 +53567,17 @@ index 9d9f8ce..c68cdf4 100644
  type saslauthd_var_run_t;
  files_pid_file(saslauthd_var_run_t)
  
-@@ -38,23 +35,24 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+@@ -30,31 +27,32 @@ files_pid_file(saslauthd_var_run_t)
+ # Local policy
+ #
+ 
+-allow saslauthd_t self:capability { setgid setuid };
++allow saslauthd_t self:capability { setgid setuid sys_nice };
+ dontaudit saslauthd_t self:capability sys_tty_config;
+-allow saslauthd_t self:process signal_perms;
++allow saslauthd_t self:process { setsched signal_perms };
+ allow saslauthd_t self:fifo_file rw_fifo_file_perms;
+ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
  allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
  allow saslauthd_t self:tcp_socket create_socket_perms;
  
@@ -53548,12 +53608,13 @@ index 9d9f8ce..c68cdf4 100644
  corenet_sendrecv_pop_client_packets(saslauthd_t)
  
  dev_read_urand(saslauthd_t)
-@@ -88,11 +86,12 @@ userdom_dontaudit_search_user_home_dirs(saslauthd_t)
+@@ -88,11 +86,13 @@ userdom_dontaudit_search_user_home_dirs(saslauthd_t)
  
  # cjp: typeattribute doesnt work in conditionals
  auth_can_read_shadow_passwords(saslauthd_t)
 -tunable_policy(`allow_saslauthd_read_shadow',`
 +tunable_policy(`saslauthd_read_shadow',`
++	allow saslauthd_t self:capability dac_override;
  	auth_tunable_read_shadow(saslauthd_t) 
  ')
  
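Review bot: `allow saslauthd_t self:capability dac_override;` inside the saslauthd_read_shadow tunable is broader than reading a root-owned, mode 0000 /etc/shadow requires: dac_read_search bypasses only read and search checks, while dac_override also bypasses write and execute checks on every file the domain can reach. The kernel's generic permission check tries CAP_DAC_OVERRIDE before CAP_DAC_READ_SEARCH, so the audited AVC names dac_override even where dac_read_search would have sufficed. The usual refpolicy pattern is `allow saslauthd_t self:capability dac_read_search;` paired with `dontaudit saslauthd_t self:capability dac_override;`, which keeps the grant conditional on the boolean as the commit intends.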
@@ -54280,7 +54341,7 @@ index bcdd16c..039b0c8 100644
  	files_list_var_lib($1)
  	admin_pattern($1, setroubleshoot_var_lib_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 086cd5f..67fd48d 100644
+index 086cd5f..6bc7784 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
 @@ -13,6 +13,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -54303,7 +54364,7 @@ index 086cd5f..67fd48d 100644
  allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
  allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
  allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -49,19 +52,22 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
+@@ -49,19 +52,23 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
  logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
  
  # pid file
@@ -54318,6 +54379,7 @@ index 086cd5f..67fd48d 100644
  kernel_read_net_sysctls(setroubleshootd_t)
  kernel_read_network_state(setroubleshootd_t)
 +kernel_dontaudit_list_all_proc(setroubleshootd_t)
++kernel_read_irq_sysctls(setroubleshootd_t)
 +kernel_read_unlabeled_state(setroubleshootd_t)
  
  corecmd_exec_bin(setroubleshootd_t)
@@ -54328,7 +54390,13 @@ index 086cd5f..67fd48d 100644
  corenet_all_recvfrom_netlabel(setroubleshootd_t)
  corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
  corenet_tcp_sendrecv_generic_node(setroubleshootd_t)
-@@ -79,12 +85,12 @@ domain_dontaudit_search_all_domains_state(setroubleshootd_t)
+@@ -74,17 +81,18 @@ dev_read_urand(setroubleshootd_t)
+ dev_read_sysfs(setroubleshootd_t)
+ dev_getattr_all_blk_files(setroubleshootd_t)
+ dev_getattr_all_chr_files(setroubleshootd_t)
++dev_getattr_mtrr_dev(setroubleshootd_t)
+ 
+ domain_dontaudit_search_all_domains_state(setroubleshootd_t)
  domain_signull_all_domains(setroubleshootd_t)
  
  files_read_usr_files(setroubleshootd_t)
@@ -54342,7 +54410,7 @@ index 086cd5f..67fd48d 100644
  
  fs_getattr_all_dirs(setroubleshootd_t)
  fs_getattr_all_files(setroubleshootd_t)
-@@ -95,6 +101,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t)
+@@ -95,6 +103,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t)
  
  selinux_get_enforce_mode(setroubleshootd_t)
  selinux_validate_context(setroubleshootd_t)
@@ -54350,7 +54418,7 @@ index 086cd5f..67fd48d 100644
  
  term_dontaudit_use_all_ptys(setroubleshootd_t)
  term_dontaudit_use_all_ttys(setroubleshootd_t)
-@@ -104,6 +111,8 @@ auth_use_nsswitch(setroubleshootd_t)
+@@ -104,6 +113,8 @@ auth_use_nsswitch(setroubleshootd_t)
  init_read_utmp(setroubleshootd_t)
  init_dontaudit_write_utmp(setroubleshootd_t)
  
@@ -54359,7 +54427,7 @@ index 086cd5f..67fd48d 100644
  miscfiles_read_localization(setroubleshootd_t)
  
  locallogin_dontaudit_use_fds(setroubleshootd_t)
-@@ -112,8 +121,6 @@ logging_send_audit_msgs(setroubleshootd_t)
+@@ -112,8 +123,6 @@ logging_send_audit_msgs(setroubleshootd_t)
  logging_send_syslog_msg(setroubleshootd_t)
  logging_stream_connect_dispatcher(setroubleshootd_t)
  
@@ -54368,7 +54436,7 @@ index 086cd5f..67fd48d 100644
  seutil_read_config(setroubleshootd_t)
  seutil_read_file_contexts(setroubleshootd_t)
  seutil_read_bin_policy(setroubleshootd_t)
-@@ -121,10 +128,23 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -121,10 +130,23 @@ seutil_read_bin_policy(setroubleshootd_t)
  userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
  
  optional_policy(`
@@ -54392,7 +54460,7 @@ index 086cd5f..67fd48d 100644
  	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
  	rpm_dontaudit_manage_db(setroubleshootd_t)
-@@ -151,10 +171,14 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+@@ -151,10 +173,14 @@ kernel_read_system_state(setroubleshoot_fixit_t)
  corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
  
@@ -54408,7 +54476,7 @@ index 086cd5f..67fd48d 100644
  files_list_tmp(setroubleshoot_fixit_t)
  
  auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -164,6 +188,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+@@ -164,6 +190,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
  
  miscfiles_read_localization(setroubleshoot_fixit_t)
  
@@ -58585,11 +58653,12 @@ index 0000000..1ed278e
 +files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })
 diff --git a/thumb.fc b/thumb.fc
 new file mode 100644
-index 0000000..34d6c89
+index 0000000..17544ee
 --- /dev/null
 +++ b/thumb.fc
-@@ -0,0 +1,15 @@
+@@ -0,0 +1,16 @@
 +HOME_DIR/\.thumbnails(/.*)?			gen_context(system_u:object_r:thumb_home_t,s0)
++HOME_DIR/.cache/thumbnails(/.*)?			gen_context(system_u:object_r:thumb_home_t,s0)
 +HOME_DIR/missfont\.log.*				gen_context(system_u:object_r:thumb_home_t,s0)
 +
 +/usr/bin/evince-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
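Review bot: The new `HOME_DIR/.cache/thumbnails(/.*)?` entry leaves the dot unescaped, unlike `HOME_DIR/\.thumbnails(/.*)?` directly above it; file_contexts patterns are regular expressions, so the bare dot matches any single character and the entry over-matches. Change it to `HOME_DIR/\.cache/thumbnails(/.*)?`. The virt.fc entries added in this same commit escape the dot consistently, so this is the only unescaped one in the change.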
@@ -58737,10 +58806,10 @@ index 0000000..9127cec
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..389ccab
+index 0000000..be861ba
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,111 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -58850,6 +58919,7 @@ index 0000000..389ccab
 +	gnome_manage_gstreamer_home_files(thumb_t)
 +	gnome_manage_gstreamer_home_dirs(thumb_t)
 +	gnome_exec_gstreamer_home_files(thumb_t)
++	gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails")
 +')
 diff --git a/thunderbird.te b/thunderbird.te
 index bf37d98..9456124 100644
@@ -60865,20 +60935,27 @@ index 32a3c13..759f08c 100644
  
  optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index 2124b6a..37e03e4 100644
+index 2124b6a..b52dc56 100644
 --- a/virt.fc
 +++ b/virt.fc
-@@ -1,5 +1,7 @@
+@@ -1,6 +1,14 @@
 -HOME_DIR/.virtinst(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
 -HOME_DIR/VirtualMachines(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
-+HOME_DIR/.libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
-+HOME_DIR/.libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_home_t,s0)
-+HOME_DIR/.virtinst(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_home_t,s0)
++HOME_DIR/\.virtinst(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.cache/libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.cache/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_home_t,s0)
++HOME_DIR/\.config/libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.config/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_home_t,s0)
 +HOME_DIR/VirtualMachines(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
  HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
++HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
  
  /etc/libvirt		-d	gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +14,52 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+ /etc/libvirt/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
+@@ -12,18 +20,52 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
  /etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
  /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
@@ -60935,7 +61012,7 @@ index 2124b6a..37e03e4 100644
 +/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --git a/virt.if b/virt.if
-index 6f0736b..2d43a63 100644
+index 6f0736b..3e6749b 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -13,39 +13,45 @@
@@ -61342,15 +61419,27 @@ index 6f0736b..2d43a63 100644
  ')
  
  ########################################
-@@ -468,6 +642,7 @@ interface(`virt_manage_images',`
+@@ -468,18 +642,7 @@ interface(`virt_manage_images',`
  	manage_files_pattern($1, virt_image_type, virt_image_type)
  	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
  	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+-
+-	tunable_policy(`virt_use_nfs',`
+-		fs_manage_nfs_dirs($1)
+-		fs_manage_nfs_files($1)
+-		fs_read_nfs_symlinks($1)
+-	')
+-
+-	tunable_policy(`virt_use_samba',`
+-		fs_manage_cifs_files($1)
+-		fs_manage_cifs_files($1)
+-		fs_read_cifs_symlinks($1)
+-	')
 +	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+ ')
  
- 	tunable_policy(`virt_use_nfs',`
- 		fs_manage_nfs_dirs($1)
-@@ -502,10 +677,19 @@ interface(`virt_manage_images',`
+ ########################################
+@@ -502,10 +665,19 @@ interface(`virt_manage_images',`
  interface(`virt_admin',`
  	gen_require(`
  		type virtd_t, virtd_initrc_exec_t;
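Review bot: Deleting the virt_use_nfs and virt_use_samba tunable blocks from virt_manage_images narrows what every caller of the interface receives, not just virsh_t, yet the commit re-adds the blocks only for virsh_t in virt.te. If any other domain calls virt_manage_images for NFS- or CIFS-backed images it silently loses that access when the booleans are enabled, so either the remaining callers should be checked or the removal should be noted in the interface description, which starts outside this hunk. The removed samba block also lists `fs_manage_cifs_files($1)` twice where the nfs block pairs dirs with files, and that duplication is carried into the new virsh_t block rather than corrected.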
@@ -61371,7 +61460,7 @@ index 6f0736b..2d43a63 100644
  
  	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -517,4 +701,278 @@ interface(`virt_admin',`
+@@ -517,4 +689,290 @@ interface(`virt_admin',`
  	virt_manage_lib_files($1)
  
  	virt_manage_log($1)
@@ -61402,12 +61491,18 @@ index 6f0736b..2d43a63 100644
 +	gen_require(`
 +		type svirt_t;
 +		type virt_bridgehelper_t;
++		type svirt_image_t;
 +	')
 +
 +	allow $1 svirt_t:process transition;
 +	role $2 types svirt_t;
 +	role $2 types virt_bridgehelper_t;
 +
++	allow $1 svirt_image_t:file { relabelfrom relabelto };
++	allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
++
++	virt_signal_svirt($1)
++
 +	optional_policy(`
 +		ptchown_run(svirt_t, $2)
 +	')
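Review bot: `allow $1 svirt_image_t:file { relabelfrom relabelto };` together with the fifo_file relabelto grants the calling user-role domain the ability to move files into and out of the svirt_image_t label, and `virt_signal_svirt($1)` adds signalling of svirt_t; a caller that only wanted the process transition at the top of the hunk now gets considerably more. The interface's `## <summary>`/`## <desc>` block, which begins outside this hunk, should state that callers may relabel disk images and signal svirt_t so that roles are assigned this interface knowingly. If the relabel grant is meant only for images under the user's own home, a comment saying so would help future reviewers.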
@@ -61539,10 +61634,16 @@ index 6f0736b..2d43a63 100644
 +interface(`virt_filetrans_home_content',`
 +	gen_require(`
 +		type virt_home_t;
++		type svirt_home_t;
 +	')
 +
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
++	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
++	gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
++	gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
++	gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
++	gnome_data_filetrans($1, svirt_home_t, dir, "images")
 +')
 +
 +########################################
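Review bot: `gnome_config_filetrans`, `gnome_cache_filetrans` and `gnome_data_filetrans` are called unconditionally inside virt_filetrans_home_content, whereas the thumb.te change in this same commit places its `gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails")` call inside an optional_policy block. If the gnome module can be absent from a build, the unconditional calls make this interface fail to expand for every caller; wrapping the three gnome_* calls in an optional_policy block would match the thumb.te usage. The `filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")` line does not depend on gnome and can stay as is.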
@@ -61651,7 +61752,7 @@ index 6f0736b..2d43a63 100644
 +	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 947bbc6..b9f5601 100644
+index 947bbc6..d0b1ae9 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -5,56 +5,87 @@ policy_module(virt, 1.5.0)
@@ -61874,12 +61975,13 @@ index 947bbc6..b9f5601 100644
  
  tunable_policy(`virt_use_comm',`
  	term_use_unallocated_ttys(svirt_t)
-@@ -150,11 +231,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -150,11 +231,17 @@ tunable_policy(`virt_use_fusefs',`
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
 +	fs_manage_nfs_named_sockets(svirt_t)
 +	fs_read_nfs_symlinks(svirt_t)
++	fs_getattr_nfs(svirt_t)
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -61887,10 +61989,11 @@ index 947bbc6..b9f5601 100644
  	fs_manage_cifs_files(svirt_t)
 +	fs_manage_cifs_named_sockets(svirt_t)
 +	fs_read_cifs_symlinks(virtd_t)
++	fs_getattr_cifs(svirt_t)
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -163,11 +248,28 @@ tunable_policy(`virt_use_sysfs',`
+@@ -163,11 +250,28 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
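Review bot: `fs_read_cifs_symlinks(virtd_t)` sits in the virt_use_samba block for svirt_t, between `fs_manage_cifs_named_sockets(svirt_t)` and the newly added `fs_getattr_cifs(svirt_t)`; every other rule in the block targets svirt_t, so this looks like a typo for `fs_read_cifs_symlinks(svirt_t)`, and as written svirt_t gets no symlink read on CIFS when the boolean is on. The line predates this commit in the patch, but the commit adds directly beside it without correcting it; the matching nfs block uses `fs_read_nfs_symlinks(svirt_t)`.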
@@ -61919,7 +62022,7 @@ index 947bbc6..b9f5601 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -176,22 +278,41 @@ optional_policy(`
+@@ -176,22 +280,41 @@ optional_policy(`
  # virtd local policy
  #
  
@@ -61968,7 +62071,7 @@ index 947bbc6..b9f5601 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -202,19 +323,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -202,19 +325,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -62003,7 +62106,7 @@ index 947bbc6..b9f5601 100644
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
  manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
  manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -225,16 +355,21 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -225,16 +357,21 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -62026,7 +62129,7 @@ index 947bbc6..b9f5601 100644
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
-@@ -247,22 +382,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -247,22 +384,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -62060,7 +62163,7 @@ index 947bbc6..b9f5601 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +414,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -270,6 +416,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -62079,7 +62182,7 @@ index 947bbc6..b9f5601 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -284,6 +440,8 @@ term_use_ptmx(virtd_t)
+@@ -284,6 +442,8 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -62088,7 +62191,7 @@ index 947bbc6..b9f5601 100644
  miscfiles_read_localization(virtd_t)
  miscfiles_read_generic_certs(virtd_t)
  miscfiles_read_hwdata(virtd_t)
-@@ -293,17 +451,32 @@ modutils_read_module_config(virtd_t)
+@@ -293,17 +453,32 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -62121,7 +62224,7 @@ index 947bbc6..b9f5601 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +495,10 @@ optional_policy(`
+@@ -322,6 +497,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62132,7 +62235,7 @@ index 947bbc6..b9f5601 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -335,19 +512,30 @@ optional_policy(`
+@@ -335,19 +514,30 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(virtd_t)
  	')
@@ -62164,7 +62267,7 @@ index 947bbc6..b9f5601 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -362,6 +550,12 @@ optional_policy(`
+@@ -362,6 +552,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62177,7 +62280,7 @@ index 947bbc6..b9f5601 100644
  	policykit_dbus_chat(virtd_t)
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +563,11 @@ optional_policy(`
+@@ -369,11 +565,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62194,7 +62297,7 @@ index 947bbc6..b9f5601 100644
  ')
  
  optional_policy(`
-@@ -384,6 +578,7 @@ optional_policy(`
+@@ -384,6 +580,7 @@ optional_policy(`
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
@@ -62202,7 +62305,7 @@ index 947bbc6..b9f5601 100644
  	xen_stream_connect(virtd_t)
  	xen_stream_connect_xenstore(virtd_t)
  	xen_read_image_files(virtd_t)
-@@ -403,34 +598,51 @@ optional_policy(`
+@@ -403,34 +600,51 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -62259,7 +62362,7 @@ index 947bbc6..b9f5601 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -438,10 +650,11 @@ dev_write_sound(virt_domain)
+@@ -438,10 +652,11 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -62272,7 +62375,7 @@ index 947bbc6..b9f5601 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -449,8 +662,16 @@ files_search_all(virt_domain)
+@@ -449,8 +664,16 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -62290,7 +62393,7 @@ index 947bbc6..b9f5601 100644
  term_getattr_pty_fs(virt_domain)
  term_use_generic_ptys(virt_domain)
  term_use_ptmx(virt_domain)
-@@ -459,13 +680,447 @@ logging_send_syslog_msg(virt_domain)
+@@ -459,13 +682,461 @@ logging_send_syslog_msg(virt_domain)
  
  miscfiles_read_localization(virt_domain)
  
@@ -62330,6 +62433,10 @@ index 947bbc6..b9f5601 100644
 +allow virsh_t self:tcp_socket create_stream_socket_perms;
 +
 +can_exec(virsh_t, virsh_exec_t)
++virt_domtrans(virsh_t)
++virt_manage_images(virsh_t)
++virt_manage_config(virsh_t)
++virt_stream_connect(virsh_t)
 +
 +manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
 +manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
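Review bot: `virt_manage_images(virsh_t)` is now called unconditionally two lines above `manage_files_pattern(virsh_t, virt_image_type, virt_image_type)`, and the virt.if hunk in this commit shows virt_manage_images already expands to `manage_files_pattern($1, virt_image_type, virt_image_type)` plus the lnk, blk and chr patterns, so the explicit rules here are redundant. Dropping whichever of the following image rules the interface already covers leaves one place to maintain; the block continues outside this hunk, so the full list of duplicates cannot be confirmed from here.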
@@ -62389,6 +62496,18 @@ index 947bbc6..b9f5601 100644
 +
 +sysnet_dns_name_resolve(virsh_t)
 +
++tunable_policy(`virt_use_nfs',`
++	fs_manage_nfs_dirs(virsh_t)
++	fs_manage_nfs_files(virsh_t)
++	fs_read_nfs_symlinks(virsh_t)
++')
++
++tunable_policy(`virt_use_samba',`
++	fs_manage_cifs_files(virsh_t)
++	fs_manage_cifs_files(virsh_t)
++	fs_read_cifs_symlinks(virsh_t)
++')
++
 +optional_policy(`
 +	cron_system_entry(virsh_t, virsh_exec_t)
 +')
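Review bot: `fs_manage_cifs_files(virsh_t)` appears twice in the new virt_use_samba block, while the virt_use_nfs block directly above pairs `fs_manage_nfs_dirs(virsh_t)` with `fs_manage_nfs_files(virsh_t)`; the first occurrence is presumably meant to be `fs_manage_cifs_dirs(virsh_t)`, without which virsh_t cannot create or remove directories on CIFS-backed image storage. The same duplication existed in the block this commit removes from virt_manage_images in virt.if, so it was copied over rather than fixed.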
@@ -62421,13 +62540,6 @@ index 947bbc6..b9f5601 100644
 +')
 +
 +optional_policy(`
-+	virt_domtrans(virsh_t)
-+	virt_manage_images(virsh_t)
-+	virt_manage_config(virsh_t)
-+	virt_stream_connect(virsh_t)
-+')
-+
-+optional_policy(`
 +	ssh_basic_client_template(virsh, virsh_t, system_r)
 +
 +	kernel_read_xen_state(virsh_ssh_t)
@@ -62581,6 +62693,7 @@ index 947bbc6..b9f5601 100644
 +allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
 +
 +kernel_getattr_proc(svirt_lxc_domain)
++kernel_list_all_proc(svirt_lxc_domain)
 +kernel_read_kernel_sysctls(svirt_lxc_domain)
 +kernel_read_net_sysctls(svirt_lxc_domain)
 +kernel_read_system_state(svirt_lxc_domain)
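Review bot: `kernel_list_all_proc(svirt_lxc_domain)` lets every container domain enumerate all of /proc, which exposes the host's process ids and layout to the guest and weakens the isolation the svirt_lxc domains are meant to provide. If the denials being addressed are only noise from tools listing /proc, `kernel_dontaudit_list_all_proc(svirt_lxc_domain)`, the form this commit uses for setroubleshootd_t, would silence them without widening the container's view. If enumeration is genuinely required, a comment naming the container workload that needs it would justify the grant to the next reviewer.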
@@ -62640,6 +62753,8 @@ index 947bbc6..b9f5601 100644
 +virt_lxc_domain_template(svirt_lxc_net)
 +
 +allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap };
++dontaudit svirt_lxc_net_t self:capability2 { block_suspend };
++
 +allow svirt_lxc_net_t self:process setrlimit;
 +
 +allow svirt_lxc_net_t self:udp_socket create_socket_perms;
@@ -62651,17 +62766,19 @@ index 947bbc6..b9f5601 100644
 +allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
 +allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
 +
-+corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-+corenet_udp_bind_generic_node(svirt_lxc_net_t)
++kernel_read_network_state(svirt_lxc_net_t)
++kernel_read_irq_sysctls(svirt_lxc_net_t)
 +
 +dev_read_sysfs(svirt_lxc_net_t)
++dev_getattr_mtrr_dev(svirt_lxc_net_t)
 +
++corenet_tcp_bind_generic_node(svirt_lxc_net_t)
++corenet_udp_bind_generic_node(svirt_lxc_net_t)
 +corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t)
 +corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
 +corenet_udp_bind_all_ports(svirt_lxc_net_t)
 +corenet_tcp_bind_all_ports(svirt_lxc_net_t)
 +corenet_tcp_connect_all_ports(svirt_lxc_net_t)
-+kernel_read_network_state(svirt_lxc_net_t)
 +
 +fs_noxattr_type(svirt_lxc_file_t)
 +term_pty(svirt_lxc_file_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c0b2f08..cea5aa0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 0%{?dist}
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,18 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Aug 3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-1
+- Fix saslauthd when it tries to read /etc/shadow
+- Label gnome-boxes as a virt homedir
+- Need to allow svirt_t ability to getattr on nfs_t file systems
+- Update sanlock policy to solve all AVC's
+- Change confined users can optionally manage virt content
+- Handle new directories under ~/.cache
+- Add block suspend to appropriate domains
+- More rules required for containers
+- Allow login programs to read /run/ data created by systemd_logind
+- Allow staff users to run svirt_t processes
+
 * Thu Aug 2 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-0
 - Update to upstream
 

