[selinux-policy/f18] - Fix ecryptfs interfaces - Bootloader seems to be trolling around /dev/shm and /dev - init wants to
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Aug 9 11:42:41 UTC 2012
commit b6941f0852c359346adaa2a3114185ffcd399938
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Aug 9 07:41:50 2012 -0400
- Fix ecryptfs interfaces
- Bootloader seems to be trolling around /dev/shm and /dev
- init wants to create /etc/systemd/system-update.target.wants
- Fix systemd_filetrans call to move it out of tunable
- Fix up policy to work with systemd userspace manager
- Add secure_firmware capability and remove bogus epollwakeup
- Call seutil_*_login_config interfaces where they are needed
- Allow rhsmcertd to send signal to itself
- Allow thin domains to send signal to itself
- Allow Chrome_ChildIO to read dosfs_t
policy-rawhide.patch | 345 +++++++++++++++++++++++-------------------
policy_contrib-rawhide.patch | 25 +++-
selinux-policy.spec | 14 ++-
3 files changed, 223 insertions(+), 161 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 803caa9..ac16f1c 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -62010,7 +62010,7 @@ index 3a45f23..f4754f0 100644
# fork
# setexec
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index 28802c5..f2026cd 100644
+index 28802c5..c73c1d2 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -329,6 +329,7 @@ class process
@@ -62032,7 +62032,7 @@ index 28802c5..f2026cd 100644
}
#
-@@ -443,9 +448,10 @@ class capability
+@@ -443,10 +448,11 @@ class capability
class capability2
{
mac_override # unused by SELinux
@@ -62040,10 +62040,11 @@ index 28802c5..f2026cd 100644
+ mac_admin
syslog
wake_alarm
-+ epollwakeup
block_suspend
++ secure_firmware
}
+ #
@@ -862,3 +868,20 @@ inherits database
implement
execute
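Review bot: Dropping `epollwakeup` from `class capability2` makes any rule that still names that permission fail at policy build, and nothing in this hunk shows that its remaining users were converted to `block_suspend`; both patch files are worth grepping for it. The new `secure_firmware` entry also has no comment, while `mac_override` in the same list does. If it is only checked by kernels carrying the matching capability, a trailing note such as `secure_firmware # only defined by kernels with the secure firmware capability` (wording to be confirmed) would tell a reader why it is here.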
@@ -62429,7 +62430,7 @@ index a778bb1..5e914db 100644
+ files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
+')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index ab0439a..4104b53 100644
+index ab0439a..594c7c6 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0)
@@ -62484,23 +62485,26 @@ index ab0439a..4104b53 100644
kernel_getattr_core_if(bootloader_t)
kernel_read_network_state(bootloader_t)
kernel_read_system_state(bootloader_t)
-@@ -81,6 +89,7 @@ dev_rw_nvram(bootloader_t)
+@@ -81,6 +89,8 @@ dev_rw_nvram(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
fs_getattr_tmpfs(bootloader_t)
+fs_list_hugetlbfs(bootloader_t)
++fs_list_tmpfs(bootloader_t)
fs_read_tmpfs_symlinks(bootloader_t)
#Needed for ia64
fs_manage_dos_files(bootloader_t)
-@@ -89,6 +98,7 @@ mls_file_read_all_levels(bootloader_t)
+@@ -89,7 +99,9 @@ mls_file_read_all_levels(bootloader_t)
mls_file_write_all_levels(bootloader_t)
term_getattr_all_ttys(bootloader_t)
+term_getattr_all_ptys(bootloader_t)
term_dontaudit_manage_pty_dirs(bootloader_t)
++term_dontaudit_getattr_generic_ptys(bootloader_t)
corecmd_exec_all_executables(bootloader_t)
-@@ -98,12 +108,14 @@ domain_use_interactive_fds(bootloader_t)
+
+@@ -98,12 +110,14 @@ domain_use_interactive_fds(bootloader_t)
files_create_boot_dirs(bootloader_t)
files_manage_boot_files(bootloader_t)
files_manage_boot_symlinks(bootloader_t)
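Review bot: `fs_list_tmpfs(bootloader_t)` grants the directory listing outright, while the pty probing added further down in this hunk is only silenced with `term_dontaudit_getattr_generic_ptys(bootloader_t)`; the commit text describes both as the bootloader wandering through /dev/shm and /dev. If the listing is not needed for the tool to work, `fs_dontaudit_list_tmpfs(bootloader_t)` keeps the domain tighter. Otherwise a short comment above the line saying which bootloader step needs to list /dev/shm would record why the allow exists.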
@@ -62515,7 +62519,7 @@ index ab0439a..4104b53 100644
# for nscd
files_dontaudit_search_pids(bootloader_t)
# for blkid.tab
-@@ -111,6 +123,7 @@ files_manage_etc_runtime_files(bootloader_t)
+@@ -111,6 +125,7 @@ files_manage_etc_runtime_files(bootloader_t)
files_etc_filetrans_etc_runtime(bootloader_t, file)
files_dontaudit_search_home(bootloader_t)
@@ -62523,7 +62527,7 @@ index ab0439a..4104b53 100644
init_getattr_initctl(bootloader_t)
init_use_script_ptys(bootloader_t)
init_use_script_fds(bootloader_t)
-@@ -118,8 +131,10 @@ init_rw_script_pipes(bootloader_t)
+@@ -118,6 +133,9 @@ init_rw_script_pipes(bootloader_t)
libs_read_lib_files(bootloader_t)
libs_exec_lib_files(bootloader_t)
@@ -62531,11 +62535,9 @@ index ab0439a..4104b53 100644
+
+auth_use_nsswitch(bootloader_t)
--logging_send_syslog_msg(bootloader_t)
+ logging_send_syslog_msg(bootloader_t)
logging_rw_generic_logs(bootloader_t)
-
- miscfiles_read_localization(bootloader_t)
-@@ -130,7 +145,8 @@ seutil_read_bin_policy(bootloader_t)
+@@ -130,7 +148,8 @@ seutil_read_bin_policy(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)
@@ -62545,7 +62547,7 @@ index ab0439a..4104b53 100644
userdom_dontaudit_search_user_home_dirs(bootloader_t)
ifdef(`distro_debian',`
-@@ -166,7 +182,8 @@ ifdef(`distro_redhat',`
+@@ -166,7 +185,8 @@ ifdef(`distro_redhat',`
files_manage_isid_type_chr_files(bootloader_t)
# for mke2fs
@@ -62555,7 +62557,7 @@ index ab0439a..4104b53 100644
optional_policy(`
unconfined_domain(bootloader_t)
-@@ -174,6 +191,10 @@ ifdef(`distro_redhat',`
+@@ -174,6 +194,10 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -62566,7 +62568,7 @@ index ab0439a..4104b53 100644
fstools_exec(bootloader_t)
')
-@@ -183,6 +204,10 @@ optional_policy(`
+@@ -183,6 +207,10 @@ optional_policy(`
')
optional_policy(`
@@ -62577,7 +62579,7 @@ index ab0439a..4104b53 100644
kudzu_domtrans(bootloader_t)
')
-@@ -195,15 +220,13 @@ optional_policy(`
+@@ -195,15 +223,13 @@ optional_policy(`
optional_policy(`
modutils_exec_insmod(bootloader_t)
@@ -63491,7 +63493,7 @@ index 98b8b2d..da75471 100644
########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 673180c..1187de6 100644
+index 673180c..6274145 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.0)
@@ -63859,13 +63861,14 @@ index 673180c..1187de6 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -507,31 +549,34 @@ logging_send_syslog_msg(useradd_t)
+@@ -507,31 +549,35 @@ logging_send_syslog_msg(useradd_t)
miscfiles_read_localization(useradd_t)
+seutil_semanage_policy(useradd_t)
+seutil_manage_file_contexts(useradd_t)
+seutil_manage_config(useradd_t)
++seutil_manage_login_config(useradd_t)
+seutil_manage_default_contexts(useradd_t)
+
seutil_read_config(useradd_t)
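Review bot: `seutil_manage_login_config(useradd_t)` appears, by its name, to give useradd create/modify/delete access to the SELinux login configuration, on top of the `seutil_manage_config` and `seutil_semanage_policy` calls already in this block, and nothing here says which useradd operation needs it. The interface definition is not visible in this diff, so the exact access is an assumption. Since that configuration decides which SELinux user an account is mapped to, a comment above the group would make the grant auditable, for example `# useradd -Z updates the SELinux user mapping` if that is the reason. If useradd only reads the file, `seutil_read_login_config`, which this commit uses for login programs, would be enough.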
@@ -63907,7 +63910,7 @@ index 673180c..1187de6 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
-@@ -542,7 +587,8 @@ optional_policy(`
+@@ -542,7 +588,8 @@ optional_policy(`
')
optional_policy(`
@@ -63917,7 +63920,7 @@ index 673180c..1187de6 100644
')
optional_policy(`
-@@ -550,6 +596,11 @@ optional_policy(`
+@@ -550,6 +597,11 @@ optional_policy(`
')
optional_policy(`
@@ -63929,7 +63932,7 @@ index 673180c..1187de6 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -559,3 +610,7 @@ optional_policy(`
+@@ -559,3 +611,7 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -68749,7 +68752,7 @@ index 8796ca3..38dcaf6 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..89379cc 100644
+index e1e814d..dc3148a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -70190,7 +70193,7 @@ index e1e814d..89379cc 100644
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
-@@ -6467,3 +7309,343 @@ interface(`files_unconfined',`
+@@ -6467,3 +7309,345 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -70516,6 +70519,8 @@ index e1e814d..89379cc 100644
+ ')
+
+ files_pid_filetrans($1, mnt_t, dir, "media")
++ files_root_filetrans($1, etc_runtime_t, file, ".readahead")
++ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
+ files_root_filetrans($1, mnt_t, dir, "afs")
+ files_root_filetrans($1, mnt_t, dir, "misc")
+ files_root_filetrans($1, mnt_t, dir, "net")
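Review bot: The two new `files_root_filetrans($1, etc_runtime_t, file, ...)` lines reference `etc_runtime_t`, but the `gen_require` block of the enclosing interface starts above this hunk, so it cannot be seen whether that type is required there next to `mnt_t`. This same commit fixes two ecryptfs interfaces whose `gen_require` named the wrong type, so it is worth confirming that `type etc_runtime_t;` is listed. The interface also ends outside the hunk.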
@@ -70640,7 +70645,7 @@ index cda5588..91d1e25 100644
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 7c6b791..b40a5a5 100644
+index 7c6b791..a2bf6a0 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -70966,7 +70971,7 @@ index 7c6b791..b40a5a5 100644
+#
+interface(`fs_search_ecryptfs',`
+ gen_require(`
-+ type fusefs_t;
++ type ecryptfs_t;
+ ')
+
+ allow $1 ecryptfs_t:dir search_dir_perms;
@@ -71084,7 +71089,7 @@ index 7c6b791..b40a5a5 100644
+#
+interface(`fs_manage_ecryptfs_symlinks',`
+ gen_require(`
-+ type fusefs_t;
++ type ecryptfs_t;
+ ')
+
+ manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
@@ -80434,7 +80439,7 @@ index 28ad538..47fdb65 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index f416ce9..1409940 100644
+index f416ce9..2fa575e 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -80559,8 +80564,11 @@ index f416ce9..1409940 100644
auth_use_pam($1)
init_rw_utmp($1)
-@@ -155,9 +198,91 @@ interface(`auth_login_pgm_domain',`
+@@ -153,11 +196,94 @@ interface(`auth_login_pgm_domain',`
+ logging_set_tty_audit($1)
+
seutil_read_config($1)
++ seutil_read_login_config($1)
seutil_read_default_contexts($1)
- tunable_policy(`allow_polyinstantiation',`
@@ -80653,7 +80661,7 @@ index f416ce9..1409940 100644
')
########################################
-@@ -231,6 +356,25 @@ interface(`auth_domtrans_login_program',`
+@@ -231,6 +357,25 @@ interface(`auth_domtrans_login_program',`
########################################
## <summary>
@@ -80679,7 +80687,7 @@ index f416ce9..1409940 100644
## Execute a login_program in the target domain,
## with a range transition.
## </summary>
-@@ -395,13 +539,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -395,13 +540,15 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
@@ -80696,7 +80704,7 @@ index f416ce9..1409940 100644
')
########################################
-@@ -448,6 +594,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +595,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -80722,7 +80730,7 @@ index f416ce9..1409940 100644
')
########################################
-@@ -467,7 +632,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +633,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -80730,7 +80738,7 @@ index f416ce9..1409940 100644
')
########################################
-@@ -664,6 +828,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +829,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -80741,7 +80749,7 @@ index f416ce9..1409940 100644
')
#######################################
-@@ -763,7 +931,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +932,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -80793,7 +80801,7 @@ index f416ce9..1409940 100644
')
#######################################
-@@ -959,9 +1170,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1171,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -80827,7 +80835,7 @@ index f416ce9..1409940 100644
')
########################################
-@@ -1040,6 +1272,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1273,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -80838,7 +80846,7 @@ index f416ce9..1409940 100644
')
########################################
-@@ -1157,6 +1393,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1157,6 +1394,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -80846,7 +80854,7 @@ index f416ce9..1409940 100644
')
#######################################
-@@ -1526,6 +1763,25 @@ interface(`auth_setattr_login_records',`
+@@ -1526,6 +1764,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@@ -80872,7 +80880,7 @@ index f416ce9..1409940 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
-@@ -1676,24 +1932,7 @@ interface(`auth_manage_login_records',`
+@@ -1676,24 +1933,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -80898,7 +80906,7 @@ index f416ce9..1409940 100644
')
########################################
-@@ -1717,9 +1956,9 @@ interface(`auth_relabel_login_records',`
+@@ -1717,9 +1957,9 @@ interface(`auth_relabel_login_records',`
## <infoflow type="both" weight="10"/>
#
interface(`auth_use_nsswitch',`
@@ -80911,7 +80919,7 @@ index f416ce9..1409940 100644
typeattribute $1 nsswitch_domain;
')
-@@ -1755,3 +1994,194 @@ interface(`auth_unconfined',`
+@@ -1755,3 +1995,194 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -82890,7 +82898,7 @@ index d26fe81..3f3a57f 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..582f563 100644
+index 4a88fa1..203cc34 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -83126,7 +83134,7 @@ index 4a88fa1..582f563 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -196,16 +289,148 @@ tunable_policy(`init_upstart',`
+@@ -196,16 +289,152 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -83143,11 +83151,13 @@ index 4a88fa1..582f563 100644
+')
+
+tunable_policy(`init_systemd',`
++ allow init_t self:system all_system_perms;
+ allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow init_t self:process { setsockcreate setfscreate setrlimit };
+ allow init_t self:process { getcap setcap };
+ allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
++ allow init_t self:netlink_selinux_socket create_socket_perms;
+ # Until systemd is fixed
+ allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+ allow init_t self:udp_socket create_socket_perms;
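Review bot: `allow init_t self:system all_system_perms;` hands init_t, going by the macro name, every permission of the `system` class at once, where the neighbouring lines spell out exactly what they need (`{ getcap setcap }`, `{ setsockcreate setfscreate setrlimit }`). If the systemd userspace access checks need only some of them, listing those keeps the rule reviewable and stops it from silently growing when the class gains permissions. If the full set is intended, a comment such as `# systemd is the userspace object manager for the system class` would say so. The `tunable_policy` block for `init_systemd` that this sits in closes outside the hunk.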
@@ -83182,6 +83192,7 @@ index 4a88fa1..582f563 100644
+ files_mounton_all_mountpoints(init_t)
+ files_unmount_all_file_type_fs(init_t)
+ files_manage_all_pid_dirs(init_t)
++ files_manage_etc_dirs(init_t)
+ files_manage_generic_tmp_dirs(init_t)
+ files_relabel_all_pid_dirs(init_t)
+ files_relabel_all_pid_files(init_t)
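Review bot: `files_manage_etc_dirs(init_t)` is much wider than the need stated in the commit message, which is creating /etc/systemd/system-update.target.wants: by its name it lets init_t create, rename and remove any directory carrying the generic /etc label. A narrower grant, such as create-only access or a dedicated type with a named transition for that one directory, would be preferable. At minimum add `# systemd creates /etc/systemd/system-update.target.wants` above the line so the reason survives the next cleanup.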
@@ -83214,6 +83225,8 @@ index 4a88fa1..582f563 100644
+ fs_relabel_cgroup_dirs(init_t)
+ fs_search_cgroup_dirs(daemon)
+
++
++ selinux_compute_access_vector(init_t)
+ selinux_compute_create_context(init_t)
+ selinux_validate_context(init_t)
+ selinux_unmount_fs(init_t)
@@ -83235,6 +83248,9 @@ index 4a88fa1..582f563 100644
+ systemd_manage_unit_dirs(init_t)
+ systemd_manage_all_unit_files(init_t)
+ systemd_logger_stream_connect(init_t)
++ systemd_config_all_services(init_t)
++
++ systemd_config_all_services(initrc_t)
+
+ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
+
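Review bot: `systemd_config_all_services(initrc_t)` is added in the middle of the init_t rules, away from the initrc_t section that begins further down the file at `allow initrc_t self:process ...`. The hunk also does not show whether the line still sits inside the `init_systemd` tunable block, which would make the grant conditional on that boolean. Moving it next to the other initrc_t rules, with a one-line comment on why init scripts need to configure every unit, would make it easier to find and audit.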
@@ -83243,20 +83259,16 @@ index 4a88fa1..582f563 100644
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
+
-+optional_policy(`
-+ systemd_filetrans_named_content(init_t)
-+')
-+
-+optional_policy(`
-+ lvm_rw_pipes(init_t)
-+')
-+
optional_policy(`
- auth_rw_login_records(init_t)
-+ consolekit_manage_log(init_t)
++ lvm_rw_pipes(init_t)
')
optional_policy(`
++ consolekit_manage_log(init_t)
++')
++
++optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
@@ -83277,10 +83289,14 @@ index 4a88fa1..582f563 100644
')
optional_policy(`
-@@ -213,6 +438,18 @@ optional_policy(`
+@@ -213,6 +442,22 @@ optional_policy(`
')
optional_policy(`
++ systemd_filetrans_named_content(init_t)
++')
++
++optional_policy(`
+ udev_read_db(init_t)
+ udev_relabelto_db(init_t)
+ udev_create_kobject_uevent_socket(init_t)
@@ -83296,18 +83312,19 @@ index 4a88fa1..582f563 100644
unconfined_domain(init_t)
')
-@@ -222,8 +459,8 @@ optional_policy(`
+@@ -222,8 +467,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_admin sys_module };
-dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
+allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
++allow initrc_t self:capability2 block_suspend;
+dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -251,12 +488,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -251,12 +497,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -83323,7 +83340,7 @@ index 4a88fa1..582f563 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -272,23 +512,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -272,23 +521,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -83366,7 +83383,7 @@ index 4a88fa1..582f563 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -296,6 +549,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -296,6 +558,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -83374,7 +83391,7 @@ index 4a88fa1..582f563 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -306,8 +560,10 @@ dev_write_framebuffer(initrc_t)
+@@ -306,8 +569,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -83385,7 +83402,7 @@ index 4a88fa1..582f563 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -315,17 +571,16 @@ dev_manage_generic_files(initrc_t)
+@@ -315,17 +580,16 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -83405,7 +83422,7 @@ index 4a88fa1..582f563 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -333,6 +588,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -333,6 +597,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -83413,7 +83430,7 @@ index 4a88fa1..582f563 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -340,8 +596,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -340,8 +605,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -83425,7 +83442,7 @@ index 4a88fa1..582f563 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -357,8 +615,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -357,8 +624,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -83439,7 +83456,7 @@ index 4a88fa1..582f563 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -368,9 +630,12 @@ fs_mount_all_fs(initrc_t)
+@@ -368,9 +639,12 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -83453,7 +83470,7 @@ index 4a88fa1..582f563 100644
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
-@@ -380,6 +645,7 @@ mls_process_read_up(initrc_t)
+@@ -380,6 +654,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -83461,7 +83478,7 @@ index 4a88fa1..582f563 100644
selinux_get_enforce_mode(initrc_t)
-@@ -391,6 +657,7 @@ term_use_all_terms(initrc_t)
+@@ -391,6 +666,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -83469,7 +83486,7 @@ index 4a88fa1..582f563 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -411,18 +678,17 @@ logging_read_audit_config(initrc_t)
+@@ -411,18 +687,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -83491,7 +83508,7 @@ index 4a88fa1..582f563 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -476,6 +742,10 @@ ifdef(`distro_gentoo',`
+@@ -476,6 +751,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -83502,7 +83519,7 @@ index 4a88fa1..582f563 100644
alsa_read_lib(initrc_t)
')
-@@ -496,7 +766,7 @@ ifdef(`distro_redhat',`
+@@ -496,7 +775,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -83511,7 +83528,7 @@ index 4a88fa1..582f563 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -511,6 +781,7 @@ ifdef(`distro_redhat',`
+@@ -511,6 +790,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -83519,7 +83536,7 @@ index 4a88fa1..582f563 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -531,6 +802,7 @@ ifdef(`distro_redhat',`
+@@ -531,6 +811,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -83527,7 +83544,7 @@ index 4a88fa1..582f563 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -540,8 +812,35 @@ ifdef(`distro_redhat',`
+@@ -540,8 +821,35 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -83563,7 +83580,7 @@ index 4a88fa1..582f563 100644
')
optional_policy(`
-@@ -549,14 +848,27 @@ ifdef(`distro_redhat',`
+@@ -549,14 +857,27 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -83591,7 +83608,7 @@ index 4a88fa1..582f563 100644
')
')
-@@ -567,6 +879,39 @@ ifdef(`distro_suse',`
+@@ -567,6 +888,39 @@ ifdef(`distro_suse',`
')
')
@@ -83631,7 +83648,7 @@ index 4a88fa1..582f563 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +924,8 @@ optional_policy(`
+@@ -579,6 +933,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -83640,7 +83657,7 @@ index 4a88fa1..582f563 100644
')
optional_policy(`
-@@ -600,6 +947,7 @@ optional_policy(`
+@@ -600,6 +956,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -83648,7 +83665,7 @@ index 4a88fa1..582f563 100644
')
optional_policy(`
-@@ -612,6 +960,17 @@ optional_policy(`
+@@ -612,6 +969,17 @@ optional_policy(`
')
optional_policy(`
@@ -83666,7 +83683,7 @@ index 4a88fa1..582f563 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -628,9 +987,13 @@ optional_policy(`
+@@ -628,9 +996,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -83680,7 +83697,7 @@ index 4a88fa1..582f563 100644
')
optional_policy(`
-@@ -655,6 +1018,10 @@ optional_policy(`
+@@ -655,6 +1027,10 @@ optional_policy(`
')
optional_policy(`
@@ -83691,7 +83708,7 @@ index 4a88fa1..582f563 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -672,6 +1039,15 @@ optional_policy(`
+@@ -672,6 +1048,15 @@ optional_policy(`
')
optional_policy(`
@@ -83707,7 +83724,7 @@ index 4a88fa1..582f563 100644
inn_exec_config(initrc_t)
')
-@@ -712,6 +1088,7 @@ optional_policy(`
+@@ -712,6 +1097,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -83715,7 +83732,7 @@ index 4a88fa1..582f563 100644
')
optional_policy(`
-@@ -729,7 +1106,13 @@ optional_policy(`
+@@ -729,7 +1115,14 @@ optional_policy(`
')
optional_policy(`
@@ -83724,12 +83741,13 @@ index 4a88fa1..582f563 100644
+')
+
+optional_policy(`
++ mta_manage_aliases(initrc_t)
mta_read_config(initrc_t)
+ mta_write_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -752,6 +1135,10 @@ optional_policy(`
+@@ -752,6 +1145,10 @@ optional_policy(`
')
optional_policy(`
@@ -83740,7 +83758,7 @@ index 4a88fa1..582f563 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -761,10 +1148,20 @@ optional_policy(`
+@@ -761,10 +1158,20 @@ optional_policy(`
')
optional_policy(`
@@ -83761,7 +83779,7 @@ index 4a88fa1..582f563 100644
quota_manage_flags(initrc_t)
')
-@@ -773,6 +1170,10 @@ optional_policy(`
+@@ -773,6 +1180,10 @@ optional_policy(`
')
optional_policy(`
@@ -83772,7 +83790,7 @@ index 4a88fa1..582f563 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -794,8 +1195,6 @@ optional_policy(`
+@@ -794,8 +1205,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -83781,7 +83799,7 @@ index 4a88fa1..582f563 100644
')
optional_policy(`
-@@ -804,6 +1203,10 @@ optional_policy(`
+@@ -804,6 +1213,10 @@ optional_policy(`
')
optional_policy(`
@@ -83792,7 +83810,7 @@ index 4a88fa1..582f563 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -813,10 +1216,12 @@ optional_policy(`
+@@ -813,10 +1226,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -83805,7 +83823,7 @@ index 4a88fa1..582f563 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -828,8 +1233,6 @@ optional_policy(`
+@@ -828,8 +1243,6 @@ optional_policy(`
')
optional_policy(`
@@ -83814,7 +83832,7 @@ index 4a88fa1..582f563 100644
udev_manage_pid_files(initrc_t)
udev_manage_pid_dirs(initrc_t)
udev_manage_rules_files(initrc_t)
-@@ -840,12 +1243,30 @@ optional_policy(`
+@@ -840,12 +1253,30 @@ optional_policy(`
')
optional_policy(`
@@ -83847,7 +83865,7 @@ index 4a88fa1..582f563 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -855,6 +1276,18 @@ optional_policy(`
+@@ -855,6 +1286,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -83866,7 +83884,7 @@ index 4a88fa1..582f563 100644
')
optional_policy(`
-@@ -870,6 +1303,10 @@ optional_policy(`
+@@ -870,6 +1313,10 @@ optional_policy(`
')
optional_policy(`
@@ -83877,7 +83895,7 @@ index 4a88fa1..582f563 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -880,3 +1317,165 @@ optional_policy(`
+@@ -880,3 +1327,164 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -84042,7 +84060,6 @@ index 4a88fa1..582f563 100644
+#ifdef(`enable_mls',`
+# mls_rangetrans_target(systemprocess)
+#')
-+
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index ec85acb..662e79b 100644
--- a/policy/modules/system/ipsec.fc
@@ -86241,7 +86258,7 @@ index 58bc27f..51e9872 100644
+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index f8eeecd..310893f 100644
+index f8eeecd..7b9437a 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -86433,7 +86450,7 @@ index f8eeecd..310893f 100644
bootloader_rw_tmp_files(lvm_t)
')
-@@ -331,14 +364,27 @@ optional_policy(`
+@@ -331,14 +364,26 @@ optional_policy(`
')
optional_policy(`
@@ -86453,7 +86470,6 @@ index f8eeecd..310893f 100644
')
optional_policy(`
-+ #systemd_passwd_agent_dev_template(lvm)
+ systemd_manage_passwd_run(lvm_t)
+')
+
@@ -87762,7 +87778,7 @@ index d43f3b1..c4182e8 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..beae2dc 100644
+index 3822072..239ab62 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
@@ -87919,7 +87935,7 @@ index 3822072..beae2dc 100644
## Execute setfiles in the caller domain.
## </summary>
## <param name="domain">
-@@ -680,10 +776,94 @@ interface(`seutil_manage_config',`
+@@ -680,10 +776,115 @@ interface(`seutil_manage_config',`
')
files_search_etc($1)
@@ -87928,6 +87944,27 @@ index 3822072..beae2dc 100644
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')
++######################################
++## <summary>
++## Create, read, write, and delete
++## the general selinux configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`seutil_manage_config_dirs',`
++ gen_require(`
++ type selinux_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir manage_dir_perms;
++')
++
+########################################
+## <summary>
+## Do not audit attempts to search the SELinux
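Review bot: The summary of the new `seutil_manage_config_dirs` interface is copied from `seutil_manage_config` and still says it manages the configuration files, whereas the body only grants `allow $1 selinux_config_t:dir manage_dir_perms;`. The summary should read `## Create, read, write, and delete the general selinux configuration directories.` so the generated interface documentation matches the access actually given.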
@@ -88014,7 +88051,7 @@ index 3822072..beae2dc 100644
#######################################
## <summary>
## Create, read, write, and delete
-@@ -694,15 +874,62 @@ interface(`seutil_manage_config',`
+@@ -694,15 +895,62 @@ interface(`seutil_manage_config',`
## Domain allowed access.
## </summary>
## </param>
@@ -88080,7 +88117,7 @@ index 3822072..beae2dc 100644
')
########################################
-@@ -746,6 +973,29 @@ interface(`seutil_read_default_contexts',`
+@@ -746,6 +994,29 @@ interface(`seutil_read_default_contexts',`
read_files_pattern($1, default_context_t, default_context_t)
')
@@ -88110,7 +88147,7 @@ index 3822072..beae2dc 100644
########################################
## <summary>
## Create, read, write, and delete the default_contexts files.
-@@ -999,6 +1249,26 @@ interface(`seutil_domtrans_semanage',`
+@@ -999,6 +1270,26 @@ interface(`seutil_domtrans_semanage',`
########################################
## <summary>
@@ -88137,7 +88174,7 @@ index 3822072..beae2dc 100644
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -1017,11 +1287,66 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1308,66 @@ interface(`seutil_domtrans_semanage',`
#
interface(`seutil_run_semanage',`
gen_require(`
@@ -88206,7 +88243,7 @@ index 3822072..beae2dc 100644
')
########################################
-@@ -1044,6 +1369,9 @@ interface(`seutil_manage_module_store',`
+@@ -1044,6 +1390,9 @@ interface(`seutil_manage_module_store',`
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
manage_files_pattern($1, semanage_store_t, semanage_store_t)
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
@@ -88216,7 +88253,7 @@ index 3822072..beae2dc 100644
')
#######################################
-@@ -1137,3 +1465,58 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1486,58 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -89816,10 +89853,10 @@ index 0000000..7da5bf6
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..40fe8f5
+index 0000000..6d1582c
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,734 @@
+@@ -0,0 +1,735 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -89877,6 +89914,7 @@ index 0000000..40fe8f5
+
+ systemd_login_list_pid_dirs($1)
+ systemd_login_read_pid_files($1)
++ systemd_passwd_agent_exec($1)
+')
+
+#######################################
@@ -90177,11 +90215,12 @@ index 0000000..40fe8f5
+## </param>
+#
+interface(`systemd_passwd_agent_exec',`
-+ gen_require(`
-+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
-+ ')
++ gen_require(`
++ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
++ ')
+
+ can_exec($1, systemd_passwd_agent_exec_t)
++ systemd_manage_passwd_run($1)
+')
+
+########################################
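Review bot: `systemd_passwd_agent_exec` now grants more than its name states, because the added `systemd_manage_passwd_run($1)` line gives every caller the access of that second interface on top of `can_exec`. A domain that only needs to run the agent binary cannot opt out, and the previous hunk adds a call to `systemd_passwd_agent_exec($1)` inside another interface, so the extra access spreads to that interface's callers as well. I would keep the exec interface minimal and let the domains that need the runtime files call `systemd_manage_passwd_run` themselves. At the least, extend this interface's `## <summary>` to say that it also manages the password-agent runtime files. The interface's doc header starts outside the hunk.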
@@ -90309,8 +90348,7 @@ index 0000000..40fe8f5
+ ')
+
+ init_search_pid_dirs($1)
-+ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
-+ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++ manage_fifo_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+
+ allow systemd_passwd_agent_t $1:process signull;
+ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
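Review bot: The new `manage_fifo_files_pattern` line replaces both the regular-file and the socket-file rules on `systemd_passwd_var_run_t`, while the `unix_dgram_socket sendto` rule two lines below is kept. If callers of this interface still create a question file or a reply socket under that type, they would now be denied; this cannot be confirmed here, since the interface header and its callers are outside the hunk. If the narrowing is intended, record the reason in a comment such as `# callers only create the FIFO here; files and sockets are not needed`. Otherwise keep `manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)` next to the new line.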
@@ -92347,7 +92385,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..c4ae660 100644
+index e720dcd..512678a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -93775,7 +93813,7 @@ index e720dcd..c4ae660 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1235,13 +1592,18 @@ template(`userdom_security_admin_template',`
+@@ -1235,13 +1592,19 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -93786,6 +93824,7 @@ index e720dcd..c4ae660 100644
+ seutil_manage_file_contexts($1)
+ seutil_manage_module_store($1)
+ seutil_manage_config($1)
++ seutil_manage_login_config($1)
+ seutil_run_checkpolicy($1,$2)
+ seutil_run_loadpolicy($1,$2)
+ seutil_run_semanage($1,$2)
@@ -93798,7 +93837,7 @@ index e720dcd..c4ae660 100644
')
optional_policy(`
-@@ -1252,12 +1614,12 @@ template(`userdom_security_admin_template',`
+@@ -1252,12 +1615,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
@@ -93814,7 +93853,7 @@ index e720dcd..c4ae660 100644
')
optional_policy(`
-@@ -1317,12 +1679,15 @@ interface(`userdom_user_application_domain',`
+@@ -1317,12 +1680,15 @@ interface(`userdom_user_application_domain',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -93831,7 +93870,7 @@ index e720dcd..c4ae660 100644
')
########################################
-@@ -1363,13 +1728,58 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1363,13 +1729,58 @@ interface(`userdom_user_tmpfs_file',`
## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
@@ -93893,7 +93932,7 @@ index e720dcd..c4ae660 100644
gen_require(`
attribute admindomain;
')
-@@ -1467,11 +1877,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1467,11 +1878,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -93925,7 +93964,7 @@ index e720dcd..c4ae660 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1513,6 +1943,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1513,6 +1944,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -93940,7 +93979,7 @@ index e720dcd..c4ae660 100644
')
########################################
-@@ -1528,9 +1966,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1528,9 +1967,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -93952,7 +93991,7 @@ index e720dcd..c4ae660 100644
')
########################################
-@@ -1587,6 +2027,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1587,6 +2028,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -93995,7 +94034,7 @@ index e720dcd..c4ae660 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1666,6 +2142,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1666,6 +2143,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -94004,7 +94043,7 @@ index e720dcd..c4ae660 100644
')
########################################
-@@ -1680,10 +2158,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1680,10 +2159,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -94019,7 +94058,7 @@ index e720dcd..c4ae660 100644
')
########################################
-@@ -1726,6 +2206,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1726,6 +2207,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -94063,7 +94102,7 @@ index e720dcd..c4ae660 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1745,6 +2262,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1745,6 +2263,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -94089,7 +94128,7 @@ index e720dcd..c4ae660 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1775,14 +2311,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1775,14 +2312,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -94127,7 +94166,7 @@ index e720dcd..c4ae660 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1793,11 +2351,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1793,11 +2352,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -94145,7 +94184,7 @@ index e720dcd..c4ae660 100644
')
########################################
-@@ -1856,6 +2417,78 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1856,6 +2418,78 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -94224,7 +94263,7 @@ index e720dcd..c4ae660 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1887,8 +2520,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1887,8 +2521,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -94234,7 +94273,7 @@ index e720dcd..c4ae660 100644
')
########################################
-@@ -1904,20 +2536,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1904,20 +2537,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -94259,7 +94298,7 @@ index e720dcd..c4ae660 100644
########################################
## <summary>
-@@ -2018,6 +2644,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -2018,6 +2645,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
@@ -94284,7 +94323,7 @@ index e720dcd..c4ae660 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
-@@ -2250,11 +2894,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2250,11 +2895,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -94299,7 +94338,7 @@ index e720dcd..c4ae660 100644
files_search_tmp($1)
')
-@@ -2274,7 +2918,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2274,7 +2919,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -94308,7 +94347,7 @@ index e720dcd..c4ae660 100644
')
########################################
-@@ -2521,6 +3165,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2521,6 +3166,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -94334,7 +94373,7 @@ index e720dcd..c4ae660 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2537,13 +3200,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2537,13 +3201,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -94350,7 +94389,7 @@ index e720dcd..c4ae660 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2564,7 +3228,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2564,7 +3229,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -94359,7 +94398,7 @@ index e720dcd..c4ae660 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2572,19 +3236,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2572,19 +3237,17 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -94382,7 +94421,7 @@ index e720dcd..c4ae660 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2592,9 +3254,27 @@ interface(`userdom_manage_user_tmpfs_files',`
+@@ -2592,9 +3255,27 @@ interface(`userdom_manage_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -94412,7 +94451,7 @@ index e720dcd..c4ae660 100644
')
allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
-@@ -2674,6 +3354,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2674,6 +3355,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -94437,7 +94476,7 @@ index e720dcd..c4ae660 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2692,22 +3390,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2692,22 +3391,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -94480,7 +94519,7 @@ index e720dcd..c4ae660 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2716,14 +3426,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2716,14 +3427,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -94518,7 +94557,7 @@ index e720dcd..c4ae660 100644
')
########################################
-@@ -2742,8 +3471,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2742,8 +3472,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -94548,7 +94587,7 @@ index e720dcd..c4ae660 100644
')
########################################
-@@ -2815,69 +3563,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2815,69 +3564,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -94649,7 +94688,7 @@ index e720dcd..c4ae660 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2885,12 +3632,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2885,12 +3633,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -94664,7 +94703,7 @@ index e720dcd..c4ae660 100644
')
########################################
-@@ -2954,7 +3701,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2954,7 +3702,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -94673,7 +94712,7 @@ index e720dcd..c4ae660 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2970,29 +3717,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2970,29 +3718,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -94707,7 +94746,7 @@ index e720dcd..c4ae660 100644
')
########################################
-@@ -3074,7 +3805,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3074,7 +3806,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -94716,7 +94755,7 @@ index e720dcd..c4ae660 100644
')
########################################
-@@ -3129,7 +3860,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3129,7 +3861,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -94763,7 +94802,7 @@ index e720dcd..c4ae660 100644
')
########################################
-@@ -3147,7 +3916,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3147,7 +3917,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -94772,7 +94811,7 @@ index e720dcd..c4ae660 100644
')
########################################
-@@ -3166,6 +3935,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3166,6 +3936,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -94780,7 +94819,7 @@ index e720dcd..c4ae660 100644
kernel_search_proc($1)
')
-@@ -3242,6 +4012,42 @@ interface(`userdom_signal_all_users',`
+@@ -3242,6 +4013,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -94823,7 +94862,7 @@ index e720dcd..c4ae660 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3262,6 +4068,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3262,6 +4069,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -94848,7 +94887,7 @@ index e720dcd..c4ae660 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3296,3 +4120,1282 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4121,1282 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 0bafcb3..49dc44f 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -7824,10 +7824,10 @@ index 0000000..efebae7
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..dc13756
+index 0000000..60809ba
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,182 @@
+@@ -0,0 +1,183 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -7880,6 +7880,7 @@ index 0000000..dc13756
+
+fs_manage_cgroup_dirs(chrome_sandbox_t)
+fs_manage_cgroup_files(chrome_sandbox_t)
++fs_read_dos_files(chrome_sandbox_t)
+
+corecmd_exec_bin(chrome_sandbox_t)
+
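Review bot: `fs_read_dos_files(chrome_sandbox_t)` lets the sandbox domain read every file labelled `dosfs_t`, which is a wide grant for a domain that exists to confine a renderer. The commit message ties it to Chrome_ChildIO, but the hunk does not say which file the process needs or whether the read is required for function. If it was added only to quiet a denial, a dontaudit rule would keep the sandbox tighter. If the read is needed, place it behind a boolean or add a comment such as `# Chrome_ChildIO reads user-selected files on FAT media`, adjusted to the denial actually observed.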
@@ -49229,7 +49230,7 @@ index 137605a..7624759 100644
+ ')
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 783f678..f82fdec 100644
+index 783f678..a94c367 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -29,6 +29,9 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -49237,7 +49238,7 @@ index 783f678..f82fdec 100644
#
+allow rhsmcertd_t self:capability sys_nice;
-+allow rhsmcertd_t self:process setsched;
++allow rhsmcertd_t self:process { signal setsched };
+
allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
@@ -58660,10 +58661,10 @@ index 0000000..6de86e5
+')
diff --git a/thin.te b/thin.te
new file mode 100644
-index 0000000..1ed278e
+index 0000000..892a300
--- /dev/null
+++ b/thin.te
-@@ -0,0 +1,106 @@
+@@ -0,0 +1,108 @@
+policy_module(thin, 1.0)
+
+########################################
@@ -58697,6 +58698,8 @@ index 0000000..1ed278e
+# thin_domain local policy
+#
+
++allow thin_domain self:process signal;
++
+allow thin_domain self:fifo_file rw_fifo_file_perms;
+allow thin_domain self:tcp_socket create_stream_socket_perms;
+
@@ -63450,7 +63453,7 @@ index 0000000..14c5c0a
+
+miscfiles_read_localization(wdmd_t)
diff --git a/webadm.te b/webadm.te
-index 0ecc786..e0f21c3 100644
+index 0ecc786..3e7e984 100644
--- a/webadm.te
+++ b/webadm.te
@@ -28,7 +28,7 @@ userdom_base_user_template(webadm)
@@ -63462,6 +63465,14 @@ index 0ecc786..e0f21c3 100644
files_dontaudit_search_all_dirs(webadm_t)
files_manage_generic_locks(webadm_t)
+@@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t)
+ seutil_domtrans_setfiles(webadm_t)
+
+ logging_send_syslog_msg(webadm_t)
++logging_send_audit_msgs(webadm_t)
+
+ userdom_dontaudit_search_user_home_dirs(webadm_t)
+
diff --git a/webalizer.te b/webalizer.te
index 32b4f76..ea008d8 100644
--- a/webalizer.te
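Review bot: The added `logging_send_audit_msgs(webadm_t)` is not mentioned in the commit description or in the new `%changelog` entry, although it lets the web administrator domain submit records to the audit subsystem. Audit records are relied on as evidence, so a domain gaining the ability to write them should be traceable to a stated need. Add a changelog line such as `- Allow webadm to send audit messages`, and put a short comment above the call naming the program run in `webadm_t` that requires it.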
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4d986fe..d0dd8ce 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,18 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Aug 9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-4
+- Fix ecryptfs interfaces
+- Bootloader seems to be trolling around /dev/shm and /dev
+- init wants to create /etc/systemd/system-update.target.wants
+- Fix systemd_filetrans call to move it out of tunable
+- Fix up policy to work with systemd userspace manager
+- Add secure_firmware capability and remove bogus epolwakeup
+- Call seutil_*_login_config interfaces where should be needed
+- Allow rhsmcertd to send signal to itself
+- Allow thin domains to send signal to itself
+- Allow Chrome_ChildIO to read dosfs_t
+
* Tue Aug 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-3
- Add role rules for realmd, sambagui